[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian derivatives census: OpenNetLinux: welcome!

Hi Paul,

Thank you for your input, its highly useful as I attempt to revamp the apt repository.  Responses inline.

April 4, 2016 at 11:01 PM
Hi Steve,

I would like to welcome yourself and Open Network Linux to the Debian
derivatives census! Would you like to take this opportunity to
introduce yourself and Open Network Linux to us all?
My name is Steven Noble and I have been in Networking since about 1988, starting with multi-node BBSes (FidoNet 1:203/7666), moving to large internet providers (Exodus Communications), Network hardware vendors (Procket, Cisco) and eventually into the Open Networking space.  I have historically been a very open person, sharing information about how I run systems, an early example is the work I did with OS/2 in the early 90's and my "DOS Sysops in an OS/2 World" publication.  I am also the President of a non-profit (https://www.netdef.org) that funds work on Quagga and other open networking projects.

Open Network Linux (ONL) is a project that started in late 2013 to provide a base network operating system for bare metal switches.  The goal of ONL is to provide a functional linux distribution providing system level functionality (fans, leds, etc) and a path for the community to build their own forwarding agents.  At this time we support ~25 different switches from multiple hardware vendors.  ONL also provides binary only closed source drivers for certain Broadcom chips and systems due to licensing restrictions.

The page says that Open Network Linux modifies Debian binary packages.
It is quite rare that distributions modify Debian binary packages
instead of modifying source packages and rebuilding them. Does Open
Network Linux actually do this? If so could you describe what kind of
modifications you are making? If not I guess the page needs fixing.
My mistake, filling out the form required a lot of information and I chose the wrong one, I have updated it.  We build using a generic Debian image using buildroot.
The apt repository for Open Network Linux doesn't appear to contain a
Release file, which is how apt usually provides secure updates. I would
encourage you to switch to a tool that creates these files by default,
such as reprepro or aptly.

I have been working on revamping the apt repository to conform to the Debian standards. I do have to admit that it is not completely clear how things should be laid out and that I have taken a lot of information from looking at other repositories.  We have our system that builds the repository data and I will look into how we can add a Release file.

As far as I can tell the apt repository for Open Network Linux does not
contain source packages, including for packages licensed under the GNU
GPL. This may or may not be a copyright violation depending on whether
our not you distribute those elsewhere. In any case, please add source
packages to your repository so that Debian can automatically create
patches to be presented to Debian package maintainers.

I take pride in being as open and compliant as possible when it comes to licenses.  While we do have limited disk space on the apt server, I will look into pulling the sources in for any packages that we have mirrored the binaries for.

I noticed the armel Packages file in the apt repository is empty, you
might want to check what happened there.

armel is very, very new (the main pull was yesterday) and has not been announced yet.  We have not pushed any packages to the repo yet, but will do soon.

The page is missing a dpkg vendor field. It is important that Debian
derivatives set this properly on installed systems and mention the
value of the field in the derivatives census.

I am looking into this, once I understand how to generate it I will put it into the build system.

I note that Open Network Linux is also based on Debian wheezy. Normal
Debian security/release team support for Debian wheezy will soon end
and the Debian long term security team will take over. I would
encourage Open Network Linux to help out with this effort either
financially or with developer time.

We are migrating to Jessie, but stability is the most important thing to us and we need to be sure that we have all of the same tests that we do on wheezy working on jessie (no small task).


I note there is are a couple of other networking related Debian
derivatives (VyOS, Cumulus Linux), have you considered collaborating or
merging with them?
Historically and now, we have always worked with other NOS vendors including Cumulus, Pica8 and others.  Our software has been available for many years and is used for quite a few projects.


You might want to consider adding DNSSEC to your domains, TLSA records
and SSL to some of your domains. SSL on the repository will help Open
Network Linux users to obscure package names and version numbers from
global active adversaries. You might also want to add HSTS headers.

Please feel free to circulate this mail within the ONL team.

We have SSL available on the repository but due to issues with ONIE not supporting SSL, we default to non-ssl.

Thank you for all the feedback, I will be working through each of the things you brought up, starting with the repository.

Reply to: