Hi Laura, I would like to welcome yourself and Zevenet to the Debian derivatives census! Would you like to take this opportunity to introduce yourself and Zevenet to us all? https://wiki.debian.org/Derivatives/Census/Zevenet It would be great if you could join our mailing list and IRC channel: https://wiki.debian.org/DerivativesFrontDesk I would encourage you to look at Debian's guidelines for derivatives: https://wiki.debian.org/Derivatives/Guidelines You may want to look at our census QA page, some of the mails from there may apply to Zevenet. https://wiki.debian.org/Derivatives/CensusQA You don't appear to be subscribed to the Zevenet census page, I've made a few changes to the Zevenet census page: https://wiki.debian.org/Derivatives/Census/Zevenet?action=info The page says that Zevenet modifies Debian binary packages. It is quite rare that distributions modify Debian binary packages instead of modifying source packages and rebuilding them. Does Zevenet actually do this? If so could you describe what kind of modifications you are making? If not I guess the page needs to be fixed. Some of the Release files in the apt repository for Zevenet are missing the Valid-Until header, which allows clients to find out when active network attackers are holding back newer Release files. At minimum, rolling releases and suites containing security updates should have this header. With reprepro you can use the ValidFor config option. https://wiki.debian.org/DebianRepository/Format#Date.2C_Valid-Until The apt repository for Zevenet does not contain source packages. If you were to add source packages, Debian would be able to automatically create patches to be presented to Debian package maintainers. https://wiki.debian.org/Derivatives/Integration#Patches The page is missing a dpkg vendor field. It is important that Debian derivatives set this properly on installed systems and mention the value of the field in the derivatives census. https://wiki.debian.org/Derivatives/Guidelines#Vendor The Zevenet blog doesn't appear to have an RSS or Atom feed. If these existed they would be syndicated on Planet Debian derivatives and would help Debian find out the things that are happening in Zevenet. http://planet.debian.org/deriv/ I note that Zevenet is sponsoring DebConf17, much appreciated! https://www.debian.org/donations https://debconf.org/sponsors/ https://debconf17.debconf.org/sponsors/ This year the annual Debian conference is in Montreal, Canada. It would be great if developers from Zevenet could attend DebConf. If this isn't possible, next year DebConf will be in Hsinchu, Taiwan. https://debconf17.debconf.org/ I would encourage any attendees to volunteer to ensure the continued the success of the annual Debian conference, here are some examples of things that need helpers. https://wiki.debconf.org/wiki/DebConf13/VolunteerCoordination I note that Zevenet is based on Debian jessie. The Debian release team recently released Debian stretch. I would encourage you to review it and prepare your plans for rebasing on the Debian stretch. https://release.debian.org/#updates At some point the Debian LTS (Long Term Support) team has taken over security maintenance for Debian jessie. If Zevenet is still using jessie by then, I would encourage you to help out with this effort either financially or with developer time. https://wiki.debian.org/LTS I note that Zevenet packages some Perl modules, I would encourage your developers to join the Debian Perl team. https://wiki.debian.org/Teams/DebianPerlGroup You might want to consider adding DNSSEC to your domains, TLSA records and SSL to some of your domains. SSL on the repository will help Zevenet users to obscure package names and version numbers from global active adversaries. You might also want to add HSTS headers. http://dnsviz.net/d/zevenet.com/dnssec/ https://wiki.mozilla.org/Security/Guidelines/Web_Security https://securityheaders.io/?q=https%3A%2F%2Fwww.zevenet.com%2F Please feel free to circulate this mail within the Zevenet team. -- bye, pabs https://wiki.debian.org/PaulWise
Attachment:
signature.asc
Description: This is a digitally signed message part