
"How to recognise different ETCH wishlists from quite a long way away" (revised)



Well, since the thread I started has calmed down and since there's a lot of 
people at HEL [1] with (probably) a lot of spare time on their hands that 
would be better spent hacking than in the sauna here's my (revised) 
wishlist for Etch.

I've added additional items pointed out in the thread (including who 
"claimed" them) as well as some new stuff. This wishlist is not necessarily 
(sp?) aligned with the Etch Release Goals [2]; it probably has more "pets" 
but, if you have spare time to work on any of these items I'm sure that the 
whole Debian community will appreciate it!


TODO: Add information from previous (older)  discussions at
   http://lists.debian.org/debian-devel/2003/08/msg02243.html
   or 
   http://lists.debian.org/debian-devel/2002/05/msg02497.html
TODO: Should this be in   http://wiki.debian.net/index.cgi?ReleaseProposals ?

[ Overall improvements ]

- _No_ bugs in base packages (well, at least no old bugs). Base system
  should be upgraded to latest upstream (forward patches!) this includes
  PAM, modutils...
     * Base packages should be co-maintained and maintainers should be
     open to help (not always the case currently)

- Review and fix or remove very old bugs: http://master.debian.org/~ajt/oldbugs.html

- Updates to base packages: many base packages are in a bug-fix only cycle,
  we are mostly doing a very good job keeping up-to-date with upstream
  but some need to be updated and might introduce major changes. 
  Example:
        Package      Current      Upstream  Bug
        pam          0.76-22      0.79      #284954
        cron         3.0pl1-87    4.1       -
        dhcp         2.0pl5-19.1  3.0.2     [None, dhcp3 package available]
  [jfs] Will work on cron (co-maintain) and already provided new pam packages to 
  the Debian maintainer.

- [rfrancoise] Libpcap0.9 transition
- [doko] Toolchain update to gcc/g++ 4.0 

- Review patches developed by other distros to base packages. Many of the
  bug fixes / improvements there apply to us too.
  Note: The fact that Fedora's CVS is now open helps in this quite a lot.
  Others that should be reviewed include OpenBSD's CVS and Mandrake source RPMs.
  [jfs] Doing so for pam and cron

- Implement some package reorganizations that have been postponed over
  several releases; example:
  #100332: tetex-bin: please move xdvi to its own package

- [rleigh] Transition to UTF-8 locales
  Message-ID: <873bru53o3.fsf@hardknott.home.whinlatter.ukfsn.org>
    * The locale codeset could be UTF-8 for some new installs by default
      (depending on locale?)
    * Existing installations should be unaffected, but it might be nice to
      offer to generate the equivalent UTF-8 locales for the locales in use.
  Also see #99933 and #99324?

- [joss] Drop libpng2/libpng10-0/libpng3 packages 
- [adconrad] Drop libmysqlclient10/libmysqlclient12 packages 
- [vorlon] Consistent LFS support
- [zobel] IPv6 readiness: make sure all packages support IPv6 completely
- [ballombe] Get rid of circular dependencies
- [jfs] Get rid of useless dummy packages (pending review of the find-dummies
  script result)

[ Installation improvements ] 

- Firewall configuration during installation (ala Fedora Core or SuSE):
  module for d-i. Currently, the system is exposed just during installation
  on some systems (empty root password?)
    * [joeyh] D-i needs to protect the system
    * [joeyh] Firewall task in d-i?

- Reduced standard installation (no gcc or development tools!, see 
  #301138 or #301273)
    * [joeyh] Will happen with a new d-i 'standard' task (selected by default)

- More "tasks" (grouped packages) for installation: automatic detection
  of user needs and automatic task selection?
    * [joeyh] Will be added to tasksel, help needed

- Encrypted root/swap on the d-i installation.
- Booting from the d-i and not needing a reboot?


[ Security improvements ] 

- Proper signature detection (apt-secure, currently on experimental)
- ExecShield or PaX in stock kernel - buffer overflow protection
- SELinux support - Mandatory Access Control (RSBAC?)
- Possibility to recompile the distro with SPP (apt-build?). New
  i386-spp architecture?
- Proper source code audit by maintainers to detect stupid security
  bugs (/tmp/XX.?? anyone?) Recurrent things like #306893 appear all
  too often. Automatic source code audit ala lintian.debian.org? 
- MD5 / SHA-1 listing of files in ftp sites (useful for forensics analysis
  see #303961)
- [zobel] Packages should document what should be added to
  hosts.{allow,deny} if using tcp-wrappers

- (policy) Only support a subset of our current packages, meaning to support
  the full archive when there's so many things is insane, does not scale
  and is against us. Better do what *BSD do explicitly (ports are supported
  in a "best effort basis") or what others do implicitly (distros with less
  packages provide less security support). Maybe introduce a priority between
  standard - optional to include non-standard packages that are security
  supported ('common'?) or move most packages from optional to extra and
  support only priority <= optional.

  Note: a common request is "Do not start daemon by default". This is
  already possible: see policy-rc.d. However, not all packages support it currently.

[ Admin improvements ]

- Hardware changes detection: system detects after a reboot when
  a new SVGA card, new Ethernet card, etc. has been installed and prompts
  for new configuration.
  Note: Of course, should be possible to disable by sysadmin.

- inetd begone! -> xinetd (better mechanism to control DoS, privilege
  separation, etc.)
  Note: Or no inetd at all, or openbsd's inetd.
  Note2: There's preliminary implementation for the switch but the management tools
  (i.e. netbase's update-inetd IIRC) need to handle xinetd too (see
  #8927, #10059 and #25816).

- Checksecurity -> live up to its name and merge changes from other distros
  and BSDs

- Security / Update management of multiple servers from a single point.
  There's no single tool to check the security status of many servers
  at once (like done in RedHat's support network). Use OVAL agents?
  See #253097

- Better OS backup management (use of /var/backups/)
  See #12203

- Better tools for system monitoring and review, see #132505
  [ jfs ] Preparing a 'cron-standard' package to package all the cron scripts
  currently in cron. This would mean taking over the tasks currently
  handled by cron and managing them in a separate package, will
  also reuse other tools developed for other distributions (like FreeBSD's
  periodic).

- Package upgrade rollback?
  Note: See http://www.linuxjournal.com/article/7034, would mean supporting
  downgrades as well. Might not be possible near-term

- Using dpkg as an audit tool to detect changes in the system, not as 
  a security mechanism but to detect broken stuff (includes #155799 and #34194)

- [zobel] Packages should use logrotate instead of savelog so that admins
  can configure it at will

[ Runlevel / Init.d improvements ]

- Possibility to startup the system in "control" mode: select which init
  scripts will run, this provides a way to work-around hardware issues after
  d-i has installed the base system (sample: #301112)
  * [jesus.climent] Even select which modules from /etc/modules are loaded 
  Note: This is an improvement over 'linux single' or 'linux emergency' since
  it allows debugging of init scripts in a more user-friendly way.

- Add 'Status' in init.d scripts (#291148)

- [liw] Switch to dependency-based init.d handling
  Note: 
   * if this is not done probably parallel init.d handling will break
     think: X manager started before authentication daemons are when using
     LDAP?
   * currently we overuse the 'default' 20 level with no proper dependencies
     of who should be first.
     See Message-ID: <m3y89bwi63.fsf@shadow.org.uk>
   * See Solaris 10 (or Open Solaris) new scheme  or 
     http://www.atnf.csiro.au/people/rgooch/linux/boot-scripts/

- Parallel (faster) init.d execution
  Note: probably will not work without dependency-based stuff
  http://www-106.ibm.com/developerworks/linux/library/l-boot.html?ca=dgr-lnxw04BootFaster
  http://initng.thinktux.net/index.php/Main_Page
  http://comas.linux-aktivaattori.org/debconf5/general/proposals/55
  http://people.debian.org/~hmh/debconf2/initscripts/


- [filippo] Some functions for consistent output when starting/stopping init.d
  scripts (verbose as default and/or simple as [ok]/[notok] (ok, this is
  really needed only on a desktop, in production you are supposed to read
  and debug error messages yourself))
  Note: This is defined in the LSB
  Also see #169600 and #208010

- Separate runlevels: 2 for multi no net, 3 for multi, 4=3, 5 = 3+{x,g,k}dm
   * some people don't like this (takes away customisation possibility?)
   * not required by LSB but most others do this :
     http://refspecs.freestandards.org/LSB_2.1.0/LSB-Core-generic/LSB-Core-generic/runlevels.html
   * Many users from other distributions expect this too
     http://www.slackware.com/config/init.php
   * some DDs and users point out that this would allow a way to debug issues
     when X freezes the system (bad hw, note that this is not "fixed" by gdm
     detecting it since once frozen there is no recovery). Also, init 1 is not
     an option for remote managed systems (nor is 'linux single' or 'linux
     emergency')


[ End user improvements ] 

- Proper User/Sysadmin documentation guides
  * Note: Fedora has recently released part of the RH guides with a
  (possible) DFSG free license, lots of content can be reused from 
  guides of other distributions (including Ubuntu)

- Better in-system help/documentation search (better use of doc-base,
  dwww sucks, dhelp needs improvement)
  Provide a "Debian documentation center" with search functions to
  detect information in READMEs, html files, manuals ?

- Provide more translated documentation in CD-ROMs 
  * Note: Need to handle this outside of byhand files

- Better package search mechanism (tags?) allowing free text search
  in package management interfaces: "I want a program that does X"
  (i.e. dpkg-iasearch)
  For detailed description see Message-ID: <20050607174051.GC7112@dat.etsit.upm.es>
- [avbidder] Better support for displaying as many languages as possible without
  having to search for corresponding font packages.  From what I can see
  gnome is slightly better than KDE in replacing missing characters, but I
  think both still can't display the http://www.wikipedia.org titlepage with
  all characters.  I think a font metapackage that depends on a set of fonts
  that cover most of unicode would be a great thing.

- [jesus.climent] Ability to select if the system is multiuser targeted and 
  allow users to log while a previous user is logged in by default. Single 
  user systems could have it disabled.

- [liw] Work on getting suspend-to-disk (swsusp or whatever) working properly
  with screensavers.

- i18n of packages, both support of this in the package management frontends
  (from apt-get to synaptic) and proper infrastructure for package description
  translation (see DDTP)

[ Other system improvements ] 

- Allow users to exclude a full directory (/usr/share/doc, /usr/share/man)
  from being installed, this can be done through apt.conf currently (rm
  on postinstall) but it would be best to have dpkg handle this somehow.

[ Infrastructure improvements ] 

- Provide an MD5sum/permission listing for all files in the archive for system forensic 
  analysis (See #268658).
  * Note: People should not rely on external stuff like NIST's CRL or
  http://www.knowngoods.org/ or http://setuid.org/

- Provide a documentation page search utility on debian.org, allowing searching on
  a per distribution basis of manpages, info, and package documentation
  (http://manpages.debian.net/cgi-bin/search_man.cgi not useful and people
  should not rely on stuff like http://www.fifi.org/cgi-bin/man2html)

[ Release improvements ] 

- Prune packages from release based on popularity, packages which are not
  used by anyone should not go in!

- Remove _all_ out of date dummy packages! (see #308711 and other bugs!)
  Note: Almost done by ftp-masters, some pending and needs to be reviewed
  to remove woody->sarge which are not applicable to ->etch


Feel free to add any other wishlists (or discuss any one of them). I'll try 
to track the subsequent thread and keep the list current somewhere...

Regards

Javier

[1] http://www.debconf.org/debconf5/
[2] http://lists.debian.org/debian-release/2005/06/msg00241.html
