[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian derivatives census: Zevenet: welcome!



On Wed, Jun 28, 2017 at 12:49 PM, Paul Wise <pabs@debian.org> wrote:
> Hi Laura,
>
> I would like to welcome yourself and Zevenet to the Debian derivatives
> census! Would you like to take this opportunity to introduce yourself
> and Zevenet to us all?
>
> https://wiki.debian.org/Derivatives/Census/Zevenet
>

Thank you for the welcoming Paul, we're glad to contribute with
Debian Derivatives. Zevenet (formerly Zen Load Balancer) uses
Debian base to create a specific Application Delivery distribution.

> It would be great if you could join our mailing list and IRC channel:
>
> https://wiki.debian.org/DerivativesFrontDesk
>

Just subscribed to the mailing list.

> I would encourage you to look at Debian's guidelines for derivatives:
>
> https://wiki.debian.org/Derivatives/Guidelines
>

Thank you, we'll check it out.

> You may want to look at our census QA page, some of the mails from
> there may apply to Zevenet.
>
> https://wiki.debian.org/Derivatives/CensusQA
>
> You don't appear to be subscribed to the Zevenet census page,
> I've made a few changes to the Zevenet census page:
>
> https://wiki.debian.org/Derivatives/Census/Zevenet?action=info

Just subscribed, thanks.

>
> The page says that Zevenet modifies Debian binary packages. It is quite
> rare that distributions modify Debian binary packages instead of
> modifying source packages and rebuilding them. Does Zevenet actually do
> this? If so could you describe what kind of modifications you are
> making? If not I guess the page needs to be fixed.

No, just install some perl modules that are not included currently
in Debian.

>
> Some of the Release files in the apt repository for Zevenet are missing
> the Valid-Until header, which allows clients to find out when active
> network attackers are holding back newer Release files. At minimum,
> rolling releases and suites containing security updates should have
> this header. With reprepro you can use the ValidFor config option.
>
> https://wiki.debian.org/DebianRepository/Format#Date.2C_Valid-Until
>

Ok, we'll check that.

> The apt repository for Zevenet does not contain source packages. If you
> were to add source packages, Debian would be able to automatically
> create patches to be presented to Debian package maintainers.
>
> https://wiki.debian.org/Derivatives/Integration#Patches

The source code is shared through a git platform and the files are
mainly perl and configuration files, not compiled ones.

>
> The page is missing a dpkg vendor field. It is important that Debian
> derivatives set this properly on installed systems and mention the
> value of the field in the derivatives census.
>
> https://wiki.debian.org/Derivatives/Guidelines#Vendor

We've to check it because there is no such command in the distro.

>
> The Zevenet blog doesn't appear to have an RSS or Atom feed. If these
> existed they would be syndicated on Planet Debian derivatives and would
> help Debian find out the things that are happening in Zevenet.
>
> http://planet.debian.org/deriv/

Ok, we'll check it out.

>
> I note that Zevenet is sponsoring DebConf17, much appreciated!
>
> https://www.debian.org/donations
> https://debconf.org/sponsors/
> https://debconf17.debconf.org/sponsors/
>
> This year the annual Debian conference is in Montreal, Canada. It would
> be great if developers from Zevenet could attend DebConf. If this isn't
> possible, next year DebConf will be in Hsinchu, Taiwan.
>
> https://debconf17.debconf.org/
>
> I would encourage any attendees to volunteer to ensure the continued
> the success of the annual Debian conference, here are some examples of
> things that need helpers.
>
> https://wiki.debconf.org/wiki/DebConf13/VolunteerCoordination
>

Ok!

> I note that Zevenet is based on Debian jessie. The Debian release team
> recently released Debian stretch. I would encourage you to review it
> and prepare your plans for rebasing on the Debian stretch.
>
> https://release.debian.org/#updates
>
> At some point the Debian LTS (Long Term Support) team has taken over
> security maintenance for Debian jessie. If Zevenet is still using
> jessie by then, I would encourage you to help out with this effort
> either financially or with developer time.
>
> https://wiki.debian.org/LTS
>

Yes, it's a task that we're working on right now.

> I note that Zevenet packages some Perl modules, I would encourage your
> developers to join the Debian Perl team.
>
> https://wiki.debian.org/Teams/DebianPerlGroup
>

Sure, there are some perl modules not included in Debian
and they'll be quite useful to integrate.

> You might want to consider adding DNSSEC to your domains, TLSA records
> and SSL to some of your domains. SSL on the repository will help
> Zevenet users to obscure package names and version numbers from global
> active adversaries. You might also want to add HSTS headers.
>
> http://dnsviz.net/d/zevenet.com/dnssec/
> https://wiki.mozilla.org/Security/Guidelines/Web_Security
> https://securityheaders.io/?q=https%3A%2F%2Fwww.zevenet.com%2F
>

Yes, we've recently obtained a Premium SSL Wildcard for our domain
so we're in the process to set it to all of our subdomains.

> Please feel free to circulate this mail within the Zevenet team.
>

They're in copy,

Thank you Paul!

> --
> bye,
> pabs
>
> https://wiki.debian.org/PaulWise


Reply to: