Hi Robert,

Welcome back to the Debian sphere, I note you used to be a Debian member :)

I would like to welcome yourself and Endless to the Debian derivatives census! Would you like to take this opportunity to introduce yourself and Endless to us all?

https://wiki.debian.org/Derivatives/Census/Endless

It would be great if you could join our mailing list and IRC channel:

https://wiki.debian.org/DerivativesFrontDesk

I would encourage you to look at Debian's guidelines for derivatives:

https://wiki.debian.org/Derivatives/Guidelines

You may want to look at our census QA page, some of the mails from there may apply to Endless.

https://wiki.debian.org/Derivatives/CensusQA

You don't appear to be subscribed to the Endless census page, I've made a few changes to the Endless census page:

https://wiki.debian.org/Derivatives/Census/Endless?action=info

I note that Endless is currently based on Ubuntu, good luck with the transition to Debian jessie.

The Release file in the apt repository for Endless is missing the Valid-Until header, which allows clients to find out when active network attackers are holding back newer Release files. At minimum, rolling releases and suites containing security updates should have this header. With reprepro you can use the ValidFor config option. Of course since you are using OSTree and read-only images this doesn't apply to Endless users, just people downloading source packages.

https://wiki.debian.org/RepositoryFormat#Date.2CValid-Until

The Release file in the apt repository for Endless is missing the Label header, which is optional but a good idea to add.

https://wiki.debian.org/RepositoryFormat#Label

Thanks for following up internally about the dpkg vendor field. It is important that Debian derivatives set this properly on installed systems and mention the value of the field in the derivatives census.

https://wiki.debian.org/Derivatives/Guidelines#Vendor

There doesn't appear to be an Endless blog or a blog aggregator for Endless developers.
If these existed they would be syndicated on Planet Debian derivatives and would help the Debian community find out the things that are happening in Endless. You could also add one of your Facebook pages as the blog if you use any like a blog.

http://planet.debian.org/deriv/

Since Endless is based in San Francisco and Rio de Janeiro some Endless folks might be interested in joining the Bay Area Debian or Brazil groups. The developers might be interested in other groups near them:

https://wiki.debian.org/LocalGroups#BAD
https://wiki.debian.org/LocalGroups#Brazil
https://wiki.debian.org/LocalGroups

This year the annual Debian conference is in Cape Town, South Africa. It would be great if developers from Endless could attend DebConf. Unfortunately it is very very very close to the start of DebConf16. If this isn't possible, next year DebConf will be in Montreal, Canada.

https://debconf16.debconf.org/

I would encourage Endless Computers (the Endless corporate sponsor) to contribute financially to ensure the continued survival of Debian and the success of the annual Debian conference.

https://www.debian.org/donations
http://debconf.org/sponsors/
http://media.debconf.org/dc16/fundraising/debconf16_sponsorship_brochure.pdf

I would encourage any attendees to volunteer to ensure the continued success of the annual Debian conference, here are some examples of things that need helpers.

https://wiki.debconf.org/wiki/DebConf13/VolunteerCoordination

I note that Endless is to be based on Debian stable. The Debian release team semi-recently released a timeline for the freeze for the next Debian stable release. I would encourage you to review it and prepare your plans for rebasing on the next Debian release (stretch).

https://lists.debian.org/debian-devel-announce/2016/03/msg00000.html

A great way to help ensure that the next Debian release works well is to install and run the how-can-i-help tool and try to work on any issues that come up.

http://www.lucas-nussbaum.net/blog/?p=837
https://packages.debian.org/unstable/how-can-i-help
https://wiki.debian.org/how-can-i-help

If Endless will be using Debian backports, you might also like to contribute your backporting efforts to Debian.

https://backports.debian.org/Contribute/

I note that Endless contributes changes to Linux, GNOME etc, I would like to thank you for working upstream.

https://endlessm.com/for-developers/

You might want to consider adding DNSSEC and TLSA records to your domains. SSL on the repository will help Endless users to obscure package names and version numbers from global active adversaries. You might also want to add HSTS headers.

Please feel free to circulate this mail within the Endless team.

--
bye,
pabs

https://wiki.debian.org/PaulWise
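
The Valid-Until and Label checks raised in the mail above, written out as an added example; it is not part of the original message and not Debian or Endless tooling. The sample Release text, the function names and the assumption that the file has already passed signature verification are all constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample, not the real Endless Release file. Checksum lists are
# shortened; the file is assumed to have passed signature verification already.
SAMPLE_RELEASE = """\
Origin: Example
Suite: stable
Codename: example
Date: Sat, 02 Jul 2016 10:00:00 UTC
Architectures: amd64
Components: main
SHA256:
 0000000000000000000000000000000000000000000000000000000000000000 1234 main/binary-amd64/Packages
"""

def parse_release(text):
    """Return the top-level fields of a Release file, keys lower-cased."""
    fields = {}
    for line in text.splitlines():
        # Indented lines continue a multi-line field such as SHA256; skip them.
        if not line.strip() or line[0] in " \t" or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields

def to_utc(value):
    """Parse an RFC 2822 style date; treat a missing zone as UTC."""
    parsed = parsedate_to_datetime(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def audit_release(text, now):
    """List the findings from the mail: Valid-Until and Label checks."""
    fields = parse_release(text)
    findings = []
    if "valid-until" not in fields:
        # Without an expiry, a replayed old (but validly signed) file never goes stale.
        findings.append("missing Valid-Until")
    elif to_utc(fields["valid-until"]) <= now:
        findings.append("Valid-Until expired")
    if "label" not in fields:
        findings.append("missing Label")
    return findings

if __name__ == "__main__":
    print(audit_release(SAMPLE_RELEASE, datetime.now(timezone.utc)))
```

An "expired" finding on a freshly fetched file is the signal the header exists to provide: either the repository has stopped publishing, or something on the path is serving an old Release file.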