Hi David, I would like to welcome yourself and ev3dev to the Debian derivatives census! Would you like to take this opportunity to introduce yourself and ev3dev to us all? https://wiki.debian.org/Derivatives/Census/ev3dev It would be great if you could join our mailing list. Thanks for joining the IRC channel already! https://wiki.debian.org/DerivativesFrontDesk I would encourage you to look at Debian's guidelines for derivatives: https://wiki.debian.org/Derivatives/Guidelines You may want to look at our census QA page, some of the mails from there may apply to ev3dev. https://wiki.debian.org/Derivatives/CensusQA I've made a few changes to the ev3dev census page: https://wiki.debian.org/Derivatives/Census/ev3dev?action=info The page says that ev3dev modifies Debian binary packages. It is quite rare that distributions modify Debian binary packages instead of modifying source packages and rebuilding them. Does ev3dev actually do this? If so could you describe what kind of modifications you are making? If not I guess the page needs to be fixed. Some of the Release files in the apt repository for ev3dev are missing the Valid-Until header, which allows clients to find out when active network attackers are holding back newer Release files. At minimum, rolling releases and suites containing security updates should have this header. With reprepro you can use the ValidFor config option. https://wiki.debian.org/RepositoryFormat#Date.2CValid-Until The apt repository appears to have some incorrect symlinks or mappings between suites and codenames. The directory stable points to wheezy but the Release file for that says oldstable instead of stable. The directory testing points to jessie but the Release file for that says stable instead of testing. When you've fixed that, please update the wiki page to use oldstable/stable/testing since those change less than codenames like stretch/jessie/wheezy. http://archive.ev3dev.org/debian/dists/stable/Release http://archive.ev3dev.org/debian/dists/testing/Release http://archive.ev3dev.org/debian/dists/wheezy/Release http://archive.ev3dev.org/debian/dists/jessie/Release The apt repository for ev3dev does not contain source packages for some versions of some binary packages, including for packages licensed under the GNU GPL. This may or may not be a copyright violation depending on whether our not you distribute those elsewhere. You can see here which source package versions appear to be missing. There are also binary package mismatches too. http://deriv.debian.net/ev3dev/diff_source_packages I've added the ev3dev news page to Planet Debian derivatives which helps the Debian community find out the things that are happening in the world of Debian derivatives. http://planet.debian.org/deriv/ Next year the annual Debian conference is in Montreal, Canada. It would be great if developers from ev3dev could attend DebConf17. If this isn't possible, the year after DebConf18 could be in Prague or Taipei. It would be especially cool to see robots roaming around at DebConf :) http://debconf17.debconf.org/ https://wiki.debconf.org/wiki/DebConf18 I would encourage any attendees to volunteer to ensure the continued the success of the annual Debian conference, here are some examples of things that need helpers. https://wiki.debconf.org/wiki/DebConf13/VolunteerCoordination I note that ev3dev is based on Debian stable. The Debian release team recently released a timeline for the freeze for the next Debian stable release. I would encourage you to review it and prepare your plans for rebasing on the next Debian release (stretch). https://lists.debian.org/debian-devel-announce/2016/07/msg00002.html A great way to help ensure that the next Debian release working well is to install and run the how-can-i-help tool and try to work on any issues that come up. http://www.lucas-nussbaum.net/blog/?p=837 https://packages.debian.org/unstable/how-can-i-help https://wiki.debian.org/how-can-i-help I note that ev3dev also has wheezy in the apt repository. The Debian long-term security team announced a security support effort for wheezy. I would encourage ev3dev to help out with developer time if you can. https://wiki.debian.org/LTS The ev3dev folks might be interested in helping the Debian folks who are maintaining LEGO and robotics related packages: https://wiki.debian.org/LegoDesigners https://wiki.debian.org/DebianScience/Robotics/ROS https://blends.debian.org/science/tasks/robotics You might want to consider adding DNSSEC to your domains, TLSA records and SSL to some of your domains. SSL on the repository will help ev3dev users to obscure package names and version numbers from global active adversaries. You might also want to add HSTS headers. Please feel free to circulate this mail within the ev3dev team. -- bye, pabs https://wiki.debian.org/PaulWise
Attachment:
signature.asc
Description: This is a digitally signed message part