Debian Project News - February 16th, 2015
Welcome to this year's first issue of DPN, the newsletter for the Debian community. Topics covered in this issue include:
- A brief history of the arm64 port
- First release candidate of Jessie Debian Installer
- Debian Mirrors new and old
- Debian Long Term Support
- Debian members vote to limit Technical Committee Term
- Call for projects and mentors for Debian GSoC 2015
- Progress on reproducible builds
- Bug Squashing Parties
- Recap of the 2015 mini-DebConf in Mumbai
- 2048-bit key removal from Debian keyrings
- Other news
- New Debian Contributors
- Release-Critical bugs statistics for the upcoming release
- Important Debian Security Advisories
- New and noteworthy packages
- Work-needing packages
- Want to continue reading DPN?
Steve McIntyre walks us through a brief history of the Debian ARM port.
Now an official release architecture for Jessie, arm64 took many years and a lot of CPU time considering the over 21,000 source packages available. From the inception of the port, developers struggled for accessible hardware and were only able to work on it using ARM's AArch64 software models, until the folks running the Tianhe-2 supercomputer project in China contacted the team to offer access to their arm64 hardware.
Later as ARM started producing its
Juno development boards, Debian
Developers were able to acquire some for use as official Debian build
machines. The Juno buildds ran well and with them a large portion of the
Debian archive was built; however, suitability issues begin to arise with
using them all over the world and with many developers using them for debugging
the new architecture. Things progressed as best they could until Linaro, with a
goal of helping to improve FOSS on ARM, came to the aid of the project with a
servers made available for software developers to use to get early
access to ARMv8 hardware.
Debian was able to negotiate dedicated access to three of the machines from the cluster in October of 2014, with two of the machines serving as build machines and the other as a porter box. Developers now had the necessary hardware in place to race against the small amount of time left before the freeze of Jessie.
They did just that at the Cambridge mini-DebConf in November of 2014 where ARM was officially added to the list of release architectures. Since that time Steve has managed to obtain another arm64 machine on loan from AMD to Debian to use for further porting and building. He expects that as more vendors move from prototype to production, more hardware will become available, and hopes to see ARM running not just in your server rooms, but on your desktops and laptops. Running Jessie of course.
The Debian Installer Jessie RC1 release has been announced. Changes include checks for missing firmware, the official artwork for Jessie, the renaming of 486 to 586, and an updated mirror listing. Other items of note are language support for 75 languages, a PXE-bootable grub.efi, imx6 support and netcfg interface.d support. The Debian Installer team extends a Thank You to all the people who contributed towards this release. The team also extends a call for help for testers to help find bugs in all media available.
Yasuhiro Araki, who has provided cdn.debian.net since February of 2008, is planning on orphaning the project in light of the more recent http.debian.net. As he begins the process DNS for cdn.debian.net will eventually point to http.debian.net. Thank you Yasuhiro for the many years of service.
The Debian Project is pleased to announce a new security.debian.org mirror with hardware and hosting provided by SAKURA Internet, Inc. The new host is located in and serves content from Japan and will service users in Asia.
Freexian's fifth report about Debian Long Term Support showed that in the month of December 46 work hours were split among four paid LTS contributors. Compared to the month of November the number of paid hours has not increased from the allotted 48 hours per month. Starting this year, 2015, with more sponsors the team hopes to have an increase in available funding, towards the goal of funding the equivalent of a half-time position. Security updates in LTS held close to the same numbers are last month with 30 packages awaiting an update affecting around 56 packages in total.
Thorsten Alteholz updated his LTS status for December for which he was assigned 20.5 hours towards LTS. He used the time to upload new security updates to 14 packages including flac, tcpdump, jasper, unzip, and many others. Thorsten sponsored the upload of an ettercap security update, which may be the first non-Debian Developer patch for LTS, for which he thanks Nguyen Cong and Toshiba.
Raphaël Hertzog blogged about his December 2014 LTS work: he was assigned 20 hours of LTS work which was spent on CVE triage with 47 commits to the security tracker, two fixes for wishlist bugs and several releases of which the biggest was DLA-120-1 on xorg-server which took over 6 hours to backport, but fixed 12 CVEs. Raphaël created a dedicated funding subpage on the LTS wiki, which now gives more information to interested parties and opens up the project for more companies to get involved in and to contribute to. The new page fixes what may have been an erroneously implied relationship between Freexian as an LTS sponsor and the Debian project.
Ben Hutchings posted his LTS summary with 11.5 hours of support on LTS and an update to the kernel package linux-2.6, version 2.6.32-48squeeze9. The LTS team had been working with and using an older kernel with applied security and critical fixes until a recent shift to rebase packages on the 2014 220.127.116.11 release. Ben reviewed and applied fixes and security flaws for the kernel for upstream inclusion into 18.104.22.168.
Holger Levsen reported on 11 LTS hours working on the linux-2.6 security update, bind9, and ntp.
Debian members were called by Kurt Roeckx, Debian secretary, to vote on a general resolution to change the Debian Constitution, and create term limits for Technical Committee members. Both proposals aimed at creating a regular turnover of Technical Committee members, by enforcing a term limit of about four years. The proposals differed in the way they respond to resignations or removals of TC members for reasons other than the term limit. The first option, which could result in more than two TC members leaving the TC during the same year, won the vote. More details about the results of this vote can be found on the page of the website dedicated to this general resolution.
Nicolas Dandrimont asked all Debian contributors for
to help Debian participate in the eleventh year of the
Google Summer of Code.
Everyone (member of the Debian project or not, student or not) is welcome to
submit their ideas, and to try and find people willing to mentor the projects,
explained Nicolas in his mail.
If you have an idea, please publish it on the
and send an email to the
coordination mailing list.
You can also contact Nicolas and the other GSoC administrators for Debian on
their mailing list or on their IRC channel, #debian-soc on irc.debian.org.
The reproducible builds team sent a report about their work, which enables anyone to independently confirm that a given Debian binary package was indeed built from some specified source package. Currently, more than 83% of all the source packages in the main archive of the unstable distribution can be built reproducibly. The team developed the tool debbindiff to provide in-depth detailed diffs of binary packages. Packages are then built twice on jenkins.debian.net, and reproducibility results are reported on the Debian Package Tracker. The team is considering submitting a proposal to make reproducible builds a release goal for Stretch, the next stable release after Jessie.
Bernd Zeimetz announced a Debian Bug Squashing Party, which will be held on April 17-19 2015. Registration can be completed through the BSP wiki page. The BSP will be located close to Salzburg Airport W.A. Mozart, at the office of Conova Communications Gmbh. Besides registration, the wiki page covers hotel accommodations, sightseeing possibilities, meal planning, and leisure activities. Bernd welcomes team meetings or sprints, but warns travellers to email him in advance to ensure accommodation.
In a series of quick blog posts, Jonathan Wiltshire reported on three days of the Alcester Bug Squashing Party (BSP) which closed and worked on a large number of bugs, downgrades, removals, and patches.
A mini-DebConf took place at the Indian Institute of Technology Bombay (IIT Bombay). The conference was opened by Professor Kumar Appaiah from the Electrical Engineering department. Other notable speakers included Kannan Moudgalya, head of the Free and Open Source Software for Education (FOSSEE) project. Among the topics discussed were open source software security, Debian on ARM by Siji Sunny, and Raspbian (Debian on Raspberry Pi). A total recap of topics and discussions can be found on linuxveda. Jaldhar H. Vyas attended the mini-DebConf, and completed a lengthy blog summary. Organisers of the conference were pleased with the turn-out, and plan another mini-DebConf next year.
The keyring-maint team is proud to announce that, after almost five years of actively requesting stronger keys to be used for the project, and after a four months intensive campaign to speed up the key migration, as of January 1 we have disabled all PGP keys weaker than 2048 bits.
A full list of affected keys together with the requisites and instructions on how to submit a new key for Debian is available. A statistical roundup of the keyrings' evolution can be found in a blog post by Gunnar Wolf.
Jingjie Jiang, our OPW (Outreach Program for Women) intern, posted a progress report on her work on debsources. Several bugs were fixed and are to be merged into the codebase, such as allowing symbolic links within the same version, and override detection. She has also been working towards making debsources available on sor.debian.org, and provided some thoughts on the benefits of OPW internship.
Niels Thykier gave an update on the status of Jessie as of December of 2014. Currently there is no set release date and there is still much work to be done. He reminded users and developers of the automatic removal clause that was about to go into effect; any package with a dependency on a threatened package may itself be at risk. Work on the release notes still needs more time and hands. While the number of bugs is declining there are still a few problematic bugs to be solved.
At this time only RC bug fixes are being accepted. Help is requested! Users can file bugs against the release notes concerning missing or outdated documentation, fix the known RC bugs that are blocking Jessie, and report on tests of upgrade paths and installation media.
Steve McIntyre's work on UEFI support in Jessie continued with a series of posts on getting an i386-only UEFI net install up and running (and made available with test images to download), then a mixed 32- and 64-bit UEFI net install (available for testing and download), and later work on integration of 32-bit grub-efi with patches to the Linux kernel, grub2 for /sys and a grub-installer patch. Steve's last update was in mid-January of 2015, when he also announced a pause in development in favour of a few other items that need work such as RC bugs, sorting Mac-only 32-bit images, and debian-live images.
Raphaël Hertzog posted his Free Software Activities for January 2015, including 12 hours of paid work on Debian LTS which had work done on libnokogiri-ruby and on pound-related SSL issues. He also submitted bugs reports for the Tryton application platform, created three Salt formulas for Saltstack, packaging for upstream releases of Django in experimental along with a pre-approval, and an unblock request for Dolibarr with input from the security team. Raphaël also worked on soliciting candidates for Debian France's election for a third board member.
Thomas Goirand gave an update on OpenStack image availability letting us know that it is now generated at the same time as the official Debian CD ISO images. He suggests cloud users and public cloud operators should download the now available weekly build. Presently the only arch available is arm64, which historically has not been a problem for operators. Goirand adds a few suggestions and comments for the image generation and included sources.tar.gz file. Contributors and testers are welcomed.
Roland Fehrenbacher wrote on his blog a report on the DebianMed Sprint 2015, which took place in Saint-Malo, France, from January 30 to February 2. He gave a brief review of the various presentations and discussions that occurred during this meeting as well as the packaging and mentoring activities. In related news, Andreas Tille announced a Debian Med wiki page dedicated to the initiative for more details.
The eighth update of the stable distribution of Debian (codename
was released on January 10.
Christian Perrier asked on his blog who was going to report bug #777777 in the Debian bug tracking system. Matthias Klose answered that question a few hours later, by opening a bug against the package aqsis.
Lucas Nussbaum announced that he will not seek re-election in his position as the Debian Project Leader (DPL), and shares some insight and thoughts about the transition to the next DPL while reflecting on some of the events of his term. With a new election slated to start in the upcoming months, he suggests that we in the community champion a lively campaign by reaching out to our dream candidates and encouraging them to run, or perhaps running for the position ourselves. On the project mailing list a separate thread asks,
The Debian France association is organising a mini-DebConf on April 11 and 12, in Lyon, France, hosted by the Maison Pour Tous-Salle des Rancy. If you're planning to attend, please add your name to the list on the dedicated wiki page.
Lucas Nussbaum updated the delegation for the Debian System Administrators team, which counts now two new official members: Paul Wise and Julien Cristau. Kurt Roeckx has been reappointed as Project Secretary for one more year.
This Debian News Project issue just beats the length record previously held by the 2006/28 issue, and becomes for now the longest DPN ever.
3 applicants have been accepted as Debian Developers, 8 applicants have been accepted as Debian Maintainer, and 11 people have started to maintain packages since the previous issue of the Debian Project News. Please welcome Nattie Mayer-Hutchings, Sebastiaan Couwenberg, Johannes Schauer, Alexander Alemayhu, Daniel Stender, Nigel Kukard, Sebastian Andrzej Siewior, Helge Kreutzmann, Etienne Millon, Steven Chamberlain, Timothy Potter, Dmitry Bogatov, Edward Betts, Aggelos Avgerinos, Florian Pelgrim, Alessio Di Mauro, Michael R. Crusoe, Mario Stephan, Christopher Hoskin, Antonio Cardoso Martins, Patrick Huck, and Peter Spiess-Knafl into our project!
According to the Bugs Search interface of the Ultimate Debian Database, the upcoming release, Debian
Jessie, is currently affected by 147 Release-Critical bugs. Ignoring bugs which are easily solved or on the way to being solved, roughly speaking, about 77 Release-Critical bugs remain to be solved for the release to happen.
Debian's Security Team recently released advisories for these packages (among others): pyyaml, polarssl, php5, strongswan, libevent, mantis, file, curl, binutils, otrs2, openssl, php5, iceweasel, linux, rpm, lsyncd, xdg-utils, icedove, privoxy, sympa, mysql-5.5, polarssl, websvn, jasper, squid, xen, wireshark, eglibc, virtualbox, openjdk-7, privoxy, requests, openjdk-6, chromium-browser, condor, vlc, python-django, unzip, krb5, ntp, postgresql-9.1, ruby1.9.1, unrtf, ruby1.8, xorg-server, and dbus. Please read them carefully and take the proper measures.
The Debian team in charge of Squeeze Long Term Support released security update announcements for these packages: mime-support, ettercap, ettercap, pyyaml, polarssl, sox, firebird2.1, file, openssl, unrtf, curl, ia32-libs, tomcat6, websvn, libevent, eglibc, rpm, jasper, libksba, privoxy, python-django, polarssl, php5, wpasupplicant, sympa, krb5, unzip, ntp, libxml2, and postgresql-8.4. Please read them carefully and take the proper measures.
Please note that these are a selection of the more important security advisories of the last weeks. If you need to be kept up to date about security advisories released by the Debian Security Team, please subscribe to the security mailing list (and the separate backports list, stable updates list, and long term support security updates list) for announcements.
158 packages were added to the unstable Debian archive recently. Among many others are:
- dex — tool to generate and execute Application type .desktop files
- sluice — rate limiting data piping tool
- apt-config-auto-update — Apt configuration for automatic cache updates
- git-big-picture — visualization tool for Git repositories
- u2f-host — command line tool to do Universal 2nd Factor (U2F) operations
- mrtdreader — reader for machine-readable travel documents (MRTDs / passports)
- php5-facedetect — faces detection with PHP
- sjaakii — Sjaak II - computer player for many Chess variants, including Shogi and XiangQi
- guidedog — NAT/masquerading/port-forwarding configuration tool in Qt5
- rna-star — ultrafast universal RNA-seq aligner
Please help us create this newsletter. We still need more volunteer writers to watch the Debian community and report about what is going on. Please see the contributing page to find out how to help. We're looking forward to receiving your mail at email@example.com.
To receive this newsletter in your mailbox, subscribe to the debian-news mailing list.
Back issues of this newsletter are available.
This issue of Debian Project News was edited by Cédric Boutillier, Jean-Pierre Giraud, Carl J Mannino, Donald Norwood, Justin B Rye and Paul Wise.