Debian Project News - July 21st, 2008

Welcome to this year's 7th issue of DPN, the newsletter for the Debian community.
Some of the topics covered in this issue:

Updates to the Lenny release process

Luk Claes sent a release update regarding the upcoming stable release Debian 5.0 Lenny. An important part is that starting with next week, the transition of packages from the unstable to the testing branch will be frozen to concentrate on fixing the remaining bugs. He further reports on the various release goals; he considers them in good shape, but is a bit worried about the architecture qualification pages on, which still lack a lot of information. Porters should provide status information on these pages, so it's easier for the release team to keep themselves informed about the status of different hardware architectures.

In related news Ana Guerrero reported about the status of KDE (and especially KDE4) related packages in the upcoming release of Debian.

Debian-installer to support loading of external firmware

Joey Hess announced a new feature of the Debian installer: On demand loading of firmware. Since some drivers need to load such binary blobs to the device before they can operate but the firmware is often non-free according to the Debian Free Software Guidelines, some devices could only be operated after Debian has been successfully installed and network access has been configured by adding Debian's non-free section to the package sources. Which would fail, if the network driver itself needed to load firmware to operate.

With the newly introduced feature, it is now possible to drop the firmware files on separate media, such as a USB stick. The Debian-Installer will then automatically load the necessary files. He also noted that the Debian-CD team builds zip files and tarballs containing all the firmware that Debian ships in non-free.

Best practice for debug packages

Theodore Tso wondered about best practice for debug packages, which contain additional data to ease debugging of programs and libraries. Mike Hommey answered that debug files should be installed at the path of the non-debug files, preceded by /usr/lib/debug/ and (depending on the size of the debug data) split off in a separate package. Joerg Jaspert added that the priority of such debug packages should be extra and that they should be in the same section as the parent package.

DebConf 8 website call for help

Martin Ferrari called for help for the website of the upcoming Debian Conference. A lot of information needed by travelers is missing. He sees identifying missing data as the most important task, since it's difficult to guess what foreigners might need to know when you're a local.

Debian release versioning

Martin Krafft proposed changing the way Debian versions its releases. He proposed increasing the first number with each release and the second one with every point release/r-release of the stable branch only including fixed packages, while new releases of the stable release adding new features (like the upcoming Etch and a half) should get a five as second number to show the half update. Lars Wirzenius reminded people that Debian introduced the current versioning scheme because CD vendors feared old boxes would stay on the shelves after a point release. Others preferred a classic two dot versioning scheme, where the first number gets increased with every new major release, the third one with bug fix releases and the second one with releases adding new features.

Package management unsafe? - No.

A recently published study which described several attack vectors against Linux systems using their package management has recently caused some discussion. While the study was generally judged to be oversensationalized attention-grabbing the consensus was that one weak point does remain: a potential attacker could manipulate the domain name system and redirect, source of security updates for Debian, to an outdated copy of that server. Plans are being drafted to add a signed time stamp to prevent this kind of attack.

Other news

Steve McIntyre sent bits from the DPL. Besides mentioning several personnel changes already reported in past issues of the Debian Project News, he also announced his intention to improve cooperation between Debian and its derivatives. He has already contacted several derivatives, namely Linspire, Xandros and Ubuntu.

Obey Arthur Liu gave another status report on his graphical front end to the package manager aptitude. While he thinks that the basic functionality is already present, he lists several missing features he would like to add.

Neil Williams reported on the status of Emdebian (for the ARM architecture).

Olivier Berger informed us that videos from two French speeches from the 9th Libre Software Meeting by Debian Developer Lucas Nussbaum on the topics Why and how to make a first contribution to Debian and Debian's production process and infrastructure are available.

Martin Borgert asked for updates and new translations of the Debian reference card.

Bastian Venthur released version 1.0 of reportbug-ng, a graphical front end for reporting bugs to the Debian bug tracking system.

Starting with the next release, rsyslog will be the preferred system logging daemon, replacing syslogd and klogd.

Patrick Schoenfeld called for testers of the mantis package.

Christian Perrier kindly asked package maintainers changing debconf templates, which are used to ask questions during the configuration of a package, to coordinate with translators.

Thijs Kinkhorst noted that he has renamed the msttcorefonts package to ttf-mscorefonts-installer. He also noted that they continue to lose relevance, since it's often possible to replace them them with the fonts supplied by the ttf-liberation package.

Important Debian Security Advisories

Debian's Security Team released, among others, advisories for the packages bind9, bind8, glibc (a DNS vulnerability), poppler, Iceweasel, MySQL, Gaim and ruby1.8. Please read them carefully and take the proper measures.

Please note that those are only the most important security advisories of the last two weeks. If you would like to kept up to date about the security advisories released by the Debian Security Team, please subscribe to our mailing list for security announcements.

Work-needing packages

Currently 486 packages are orphaned and 123 packages are up for adoption. Please take a look at the recent reports to see if there are packages you are interested in or view the complete archive of packages requesting help.

Want to continue reading DPN? Please help us create this newsletter. We still need more volunteer writers who watch the Debian community and report about what is going on. Please see our HOWTO contribute page to find out how to help. We're looking forward to receiving your mail at

To receive this newsletter in your mailbox, subscribe to the debian-news mailing list.

Back issues of this newsletter are available.

This issue of Debian Project News was edited by Meike Reichle and Alexander Reichle-Schmehl.