Re: Debian derivatives census: ev3dev: welcome!
On 09/09/2016 09:50 PM, Paul Wise wrote:
Um... Hi, everyone, I'm David (dlech). I maintain ev3dev, a Debian based
OS for LEGO MINDSTORMS EV3 (and Raspberry Pi and BeagleBone).
I would like to welcome yourself and ev3dev to the Debian derivatives
census! Would you like to take this opportunity to introduce yourself
and ev3dev to us all?
Oops. You are right, we modify source packages and not binary packages.
I will fix that.
It would be great if you could join our mailing list.
Thanks for joining the IRC channel already!
I would encourage you to look at Debian's guidelines for derivatives:
You may want to look at our census QA page, some of the mails from
there may apply to ev3dev.
I've made a few changes to the ev3dev census page:
The page says that ev3dev modifies Debian binary packages. It is quite
rare that distributions modify Debian binary packages instead of
modifying source packages and rebuilding them. Does ev3dev actually do
this? If so could you describe what kind of modifications you are
making? If not I guess the page needs to be fixed.
Some of the Release files in the apt repository for ev3dev are missing
the Valid-Until header, which allows clients to find out when active
network attackers are holding back newer Release files. At minimum,
rolling releases and suites containing security updates should have
this header. With reprepro you can use the ValidFor config option.
The apt repository appears to have some incorrect symlinks or mappings
between suites and codenames. The directory stable points to wheezy but
the Release file for that says oldstable instead of stable. The
directory testing points to jessie but the Release file for that says
stable instead of testing. When you've fixed that, please update the
wiki page to use oldstable/stable/testing since those change less than
codenames like stretch/jessie/wheezy.
Fixed on archive.ev3dev.org.
We do have all of the source code for all of our software publicly
available on GitHub. We have omitted the linux source packages because
they are so large and it is easier to build the kernel from git anyway.
It looks like the other packages are missing the source package because
we have multiple versions of the binary package that may have been
updated for one arch but not another, but reprepro only allows one copy
of the source package because it is shared by all archs.
The apt repository for ev3dev does not contain source packages for some
versions of some binary packages, including for packages licensed under
the GNU GPL. This may or may not be a copyright violation depending on
whether our not you distribute those elsewhere. You can see here which
source package versions appear to be missing. There are also binary
package mismatches too.
Sometimes changes really only affect one arch, so I don't worry about
the mismatches. The EV3 is very slow at upgrading packages, so we don't
want to push to armel unless we really have to.
I've added the ev3dev news page to Planet Debian derivatives which
helps the Debian community find out the things that are happening in
the world of Debian derivatives.
Next year the annual Debian conference is in Montreal, Canada. It would
be great if developers from ev3dev could attend DebConf17. If this
isn't possible, the year after DebConf18 could be in Prague or Taipei.
It would be especially cool to see robots roaming around at DebConf :)
I would encourage any attendees to volunteer to ensure the continued
the success of the annual Debian conference, here are some examples of
things that need helpers.
I note that ev3dev is based on Debian stable. The Debian release team
recently released a timeline for the freeze for the next Debian stable
release. I would encourage you to review it and prepare your plans for
rebasing on the next Debian release (stretch).
We don't support the wheezy stuff. It is just there for
A great way to help ensure that the next Debian release working well is
to install and run the how-can-i-help tool and try to work on any
issues that come up.
I note that ev3dev also has wheezy in the apt repository. The Debian
long-term security team announced a security support effort for wheezy.
I would encourage ev3dev to help out with developer time if you can.
The ev3dev folks might be interested in helping the Debian folks who
are maintaining LEGO and robotics related packages:
Thanks for the info. I didn't know such interest groups existed!
You might want to consider adding DNSSEC to your domains, TLSA records
and SSL to some of your domains. SSL on the repository will help ev3dev
users to obscure package names and version numbers from global active
adversaries. You might also want to add HSTS headers.
Please feel free to circulate this mail within the ev3dev team.