Hi Felix,

I would like to welcome yourself and Deepin to the Debian derivatives census! Would you like to take this opportunity to introduce yourself and Deepin to us all?

https://wiki.debian.org/Derivatives/Census/Deepin

It would be great if you could join our mailing list and IRC channel:

https://wiki.debian.org/DerivativesFrontDesk

I would encourage you to look at Debian's guidelines for derivatives:

https://wiki.debian.org/Derivatives/Guidelines

You may want to look at our census QA page, some of the mails from there may apply to Deepin.

https://wiki.debian.org/Derivatives/CensusQA

You don't appear to be subscribed to the Deepin census page, I've made a few changes to the Deepin census page:

https://wiki.debian.org/Derivatives/Census/Deepin?action=info

Please correct the "Archive tool" item in the Deepin census page and fill out some more of the tool items.

The page says that Deepin modifies Debian binary packages. It is quite rare that distributions modify Debian binary packages instead of modifying source packages and rebuilding them. Does Deepin actually do this? If so could you describe what kind of modifications you are making? If not I guess the page needs to be fixed.

Some of the Release files in the apt repository for Deepin are missing the Valid-Until header, which allows clients to find out when active network attackers are holding back newer Release files. At minimum, rolling releases and suites containing security updates should have this header. With reprepro you can use the ValidFor config option.

https://wiki.debian.org/DebianRepository/Format#Date.2C_Valid-Until

Are you sure that the Deepin sources.list on the wiki page is correct and complete? When I was tracking down Deepin sources, I found these:

deb-src http://packages.deepin.com/experimental experimental main
deb-src http://packages.deepin.com/loongson unstable main
deb-src http://packages.deepin.com/deepin-server kui main contrib non-free
deb-src http://packages.deepin.com/deepin-server kui-security main contrib non-free
deb-src http://packages.deepin.com/deepin-debian unstable main contrib non-free
deb-src http://packages.deepin.com/deepin unstable main contrib non-free

I've added the Deepin blog to Planet Debian derivatives which helps the Debian community find out the things that are happening in the world of Debian derivatives.

http://planet.debian.org/deriv/

Since Deepin is based in China you might be interested in joining the Debian China group.

https://wiki.debian.org/LocalGroups/Debian-CN

This year the annual Debian conference is in Montreal, Canada. Unfortunately it is very close to the start of the conference so you probably won't be able to attend this year, but next year is in Hsinchu, Taiwan. This appears to be relatively close to the Deepin location, it would be great if developers from Deepin could attend DebConf18.

https://debconf17.debconf.org/
https://wiki.debconf.org/wiki/DebConf18

I would encourage Wuhan Deepin Technology (the Deepin corporate sponsor) to contribute financially to ensure the continued survival of Debian and the success of the annual Debian conference.

https://www.debian.org/donations
https://debconf.org/sponsors/
https://debconf17.debconf.org/sponsors/become-a-sponsor/

I would encourage any attendees to volunteer to ensure the continued success of the annual Debian conference, here are some examples of things that need helpers.

https://wiki.debconf.org/wiki/DebConf13/VolunteerCoordination

I note that Deepin is based on Debian unstable. A great way to help ensure that it is working well is to install and run the how-can-i-help tool and try to work on any issues that come up.

https://www.lucas-nussbaum.net/blog/?p=837
https://packages.debian.org/unstable/how-can-i-help
https://wiki.debian.org/how-can-i-help

You might want to consider adding DNSSEC to your domains, TLSA records and SSL to some of your domains. I note that the SSL certificate on the repository has expired, please update it as SSL on the repository will help Deepin users to obscure package names and version numbers from global active adversaries. You might also want to add HSTS headers.

http://dnsviz.net/d/deepin.org/
https://wiki.mozilla.org/Security/Guidelines/Web_Security

Please feel free to circulate this mail within the Deepin team.

--
bye,
pabs

https://wiki.debian.org/PaulWise
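As an added illustration of the Valid-Until point in the mail above (not part of the original message, and not apt's or Deepin's code): a small Python check that classifies a Release file by its Date and Valid-Until fields, showing that a file without Valid-Until can be served indefinitely without ever being rejected as stale. The sample headers and status names are constructed, and the Release file is assumed to have already passed signature verification.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Release headers (not taken from any real repository).
RELEASE_NO_VALID_UNTIL = (
    "Origin: Example\n"
    "Suite: unstable\n"
    "Date: Sat, 01 Jul 2017 12:00:00 UTC\n"
    "Architectures: amd64\n"
)
RELEASE_WITH_VALID_UNTIL = (
    RELEASE_NO_VALID_UNTIL + "Valid-Until: Sat, 08 Jul 2017 12:00:00 UTC\n"
)


def parse_headers(text):
    """Return the top-level 'Key: value' fields of a Release file."""
    fields = {}
    for line in text.splitlines():
        # Skip blank lines and indented continuation lines (checksum lists).
        if not line or line[0].isspace() or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields


def parse_date(value):
    """Parse the RFC 2822 style date used in Release files as UTC."""
    dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def check_release(text, now):
    """Classify an already signature-verified Release file by freshness."""
    fields = parse_headers(text)
    if "date" not in fields:
        return "no-date"
    if parse_date(fields["date"]) > now:
        return "future-date"
    if "valid-until" not in fields:
        # No expiry: a held-back copy of this file stays acceptable forever.
        return "no-valid-until"
    if parse_date(fields["valid-until"]) < now:
        # Stale metadata: either the mirror is outdated or it is being replayed.
        return "expired"
    return "fresh"
```

A repository audit would run `check_release` over each suite's Release or InRelease file and treat `no-valid-until` on rolling or security suites as a finding.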