[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

"How to recognise different ETCH wishlists from quite a long way away" (revised)

Well, since the thread I started has calmed down and since there's a lot of 
people at HEL [1] with (probably) a lot of spare time in their hands that 
would be better spent hacking than in the sauna here's my (revised) 
wishlist for Etch.

I've added additional items pointed out in the thread (including who 
"claimed" them) as well as some new stuff. This wishlist is not necessarily 
(sp?) aligned with the Etch Release Goals [2] it probably has more "pets" 
but, if you have spare time to work on any of these items I'm sure that the 
whole Debian community will appreciate it!

TODO: Add information from previous (older)  discussions at
TODO: Should this be in   http://wiki.debian.net/index.cgi?ReleaseProposals ?

[ Overall improvements ]

- _No_ bugs in base packages (well, at least no old bugs). Base system
  should be upgraded to latest upstream (forward patches!) this includes
  PAM, modutils...
     * Base packages should be co-maintained and maintainers should be
     open to help (not always the case currently)

- Review and fix or remove very old bugs: http://master.debian.org/~ajt/oldbugs.html

- Updates to base packages: many base packages are in a bug-fix only cycle,
  we are mostly doing a very good job keeping up-to-date with upstream
  but some need to be updated and might introduce major changes. 
  	Package      Current     Upstream  Bug
	pam          0.76-22     0.79      #284954
	cron         3.0pl1-87   4.1       -
	dhcp	     2.0pl5-19.1 3.0.2     [None, dhcp3 package available]
  [jfs] Will work on cron (co-maintain) and already provided new pam packages to 
  the Debian maintainer.

- [rfrancoise] Libpcap0.9 transition
- [doko] Toolchain update to gcc/g++ 4.0 

- Review patches developed by other distros to base packages. Many of the
  bug fixes / improvements there apply to us too.
  Note: The fact that Fedora's CVS is now open helps in this quite a lot
  Other that should be reviewed include OpenBSD's CVS and Mandrake source RPMs.
  [jfs] Doing so for pam and cron

- Implement some package reorganizations that have been postponed over
  several releases; example:
  #100332: tetex-bin: please move xdvi to its own package

- [rleigh] Transition to UTF-8 locales
  Message-ID: <873bru53o3.fsf@hardknott.home.whinlatter.ukfsn.org>
    * The locale codeset could be UTF-8 for some new installs by default
      (depending on locale?)
    * Existing installations should be unaffected, but it might be nice to
      offer to generate the equivalent UTF-8 locales for the locales in use.
  Also see #99933 and #99324?

- [joss] Drop libpng2/libpng10-0/libpng3 packages 
- [adconrad] Drop libmysqlclient10/libmysqlclient12 packages 
- [vorlon] Consistent LFS support
- [zobel] IPv6 readiness: make sure all packages support IPv6 completely
- [ballombe] Get rid of circular dependancies
- [jfs] Get rid of useless dummy packages (pending review of the find-dummies
  script result)

[ Installation improvements ] 

- Firewall configuration during installation (ala Fedora Core or SuSE):
  module for d-i. Currently, the system is exposed just during installation
  on some systems (empty root password?)
    * [joeyh] D-i needs to protect the system
    * [joeyh] Firewall task in d-i?

- Reduced standard installation (no gcc or development tools!, see 
  #301138 or #301273)
    * [joeyh] Will happen with a new d-i 'standard' task (selected by default)

- More "tasks" (grouped packages) for installation: automatic detection
  of user needs and automatic task selection?
    * [joeyh] Will be added to tasksel, help needed0

- Encrypted root/swap on the d-i installation.
- Booting from the d-i and not need a reboot ?

[ Security improvements ] 

- Proper signature detection (apt-secure, currently on experimental)
- ExecShield or PaX in stock kernel - buffer overflow protection
- SELinux support - Mandatory Access Control (RSBAC?)
- Possibility to recompile the distro with SPP (apt-build?). New
  i386-spp architecture?
- Proper source code audit by maintainers to detect stupid security
  bugs (/tmp/XX.?? anyone?) Recurrent things like #306893 appear all
  too often. Automatic source code audit ala lintian.debian.org? 
- MD5 / SHA-1 listing of files in ftp sites (useful for forensics analysis
  see #303961)
- [zobel] Packages should document what should be added to
  hosts.{allow,deny} if using tcp-wrappers

- (policy) Only support a subset of our current packages, meaning to support
  the full archive when there's so many things is insane, does not scale
  and is against us. Better do what *BSD do explicitly (ports are supported
  in a "best effort basis") or what others do implicitly (distros with less
  packages provide less security support). Maybe introduce a priority between
  standard - optional to include non-standard packages that are security
  supported ('common'?) or move most packages from optional to extra and
  support only priority <= optional.

  Note: a common request is "Do not start daemon by default". This is
  already possible: see policy-rc.d However not all packages support it currently. ]

[ Admin improvements ]

- Hardware changes detection: system detects after a reboot when
  a new SVGA card, new Ethernet card, etc. has been installed and prompts
  for new confguration.
  Note: Of course, should be possible to disable by sysadmin.

- inetd begone! -> xinetd (better mechanism to control DoS, privilege
  separation, etc.)
  Note: Or no inetd at all, or openbsd's inetd.
  Note2: There's preliminary implementation for the switch but the management tools
  (i.e. netbase's update-inetd IIRC) need to be handle xinetd too (see
  #8927, #10059 and #25816).

- Checksecurity -> live up to its name and merge changes from other distros
  and BSDs

- Security / Update managements of multiple servers from a single point.
  There's no single tool to do check the security status of many servers
  at once (like done in RedHat's support) network. Use OVAL agents?
  See #253097

- Better OS backup management (use of /var/backups/)
  See #12203

- Better tools for system monitoring and review, see #132505
  [ jfs ] Preparing a 'cron-standard' package to package all the cron scripts
  currently in cron. This would mean taking over the tasks currently
  handled by cron and managing them in a separate package, will
  also reuse other tools developed for other distributions (like FreeBSD's

- Package upgrade rollback?
  Note: See http://www.linuxjournal.com/article/7034, would mean supporting
  downgrades as well. Might not be possible near-term

- Using dpkg as an audit tool to detect changes in the system, not as 
  a security mechanism but to detect broken stuff (includes #155799 and #34194)

- [zobel] Packages should use logrotate instead of savelog so that admins
  can configure it at will

[ Runlevel / Init.d improvements ]

- Possibility to startup the system in "control" mode: select which init
  scripts will run, this provides a way to work-around hardware issues after
  d-i has installed the base system (sample: #301112)
  * [jesus.climent] Even select which modules from /etc/modules are loaded 
  Note: This is an improvement over 'linux single' or 'linux emergency' since
  it allows debugging of init scripts in a more user-friendly way.

- Add 'Status' in init.d scripts (#291148)

- [liw] Switch to dependency-based init.d handling
   * if this is not done probably parallel init.d handling will break
     think: X manager started before authentication daemons are when using
   * currently we overuse the 'default' 20 level with not proper dependencies
     of who should be first.
     See Message-ID: <m3y89bwi63.fsf@shadow.org.uk>
   * See Solaris 10 (or Open Solaris) new scheme  or 

- Paralell (faster) init.d execution
  Note: probably will not work without dependency-based stuff

- [filippo] Some functions for consistent output when starting/stopping init.d
  scripts (verbose as default and/or simple as [ok]/[notok] (ok, this is
  really needed only on a desktop, in production you are supposed to read
  and debug error messages yourself))
  Note: This is defined in the LSB
  Also see #169600 and #208010

- Separate runlevels: 2 for multi no net, 3 for multi, 4=3, 5 = 3+{x,g,k}dm
   * some people don't like this (takes away customisation possibility?)
   * not required by LSB but most others do this :
   * Many users from other distributions expect this too
   * some DDs and users point out that this would allow a way to debug issues
     when X freezes the system (bad hw, note that this is not "fixed" by gdm
     detecting it since once frozen there is no recovery). Also, init 1 is not
     an option for remote managed systems (nor is 'linux single' or 'linux

[ End user improvements ] 

- Proper User/Sysadmin documentation guides
  * Note: Fedora has recently release part of the RH guides with a
  (possible) DFSG free license, lots of content can be reused from 
  guides of other distributions (including Ubuntu)

- Better in-system help/documentation search (better use of doc-base,
  dwww sucks, dhelp needs improvement)
  Provide a "Debian documentation center" with search functions to
  detect information in READMEs, html files, manuals ?

- Provide more translated documentation in CD-ROMs 
  * Note: Need to handle this outside of byhand files

- Better package search mechanism (tags?) allowing free text search
  in package management interfaces: "I want a program that does X"
  (i.e. dpkg-iasearch)
  For detailed description see Message-ID: <20050607174051.GC7112@dat.etsit.upm.es>
- [avbidder] Better support for displaying as many languages as possible without
  having to search for corresponding font packages.  From what I can see
  gnome is slightly better than KDE in replacing missing characters, but I
  think both still can't display the http://www.wikipedia.org titlepage with
  all characters.  I think a font metapackage that depends on a set of fonts
  that cover most of unicode would be a great thing.

- [jesus.climent] Ability to select if the system is multiuser targetted and 
  allow users to log while a previous user is logged in by default. Single 
  user systems could have it disabled.

- [liw] Work on getting suspend-to-disk (swsusp or whatever) working properly
  with screensavers.

- i18n of packages, both support of this in the package management frontends
  (from apt-get to synaptic) and proper infraestructure for package description
  translation (see DDTP)

[ Other system improvements ] 

- Allow users to exclude a full directory (/usr/share/doc, /usr/share/man)
  from being installed, this can be done through apt.conf currently (rm
  on postinstall) but it would be best to have dpkg handle this somehow.

[ Infraestructure improvements ] 

- Provide a MD5sum /permission listing for all files in the archive for system forensic 
  analysis (See #268658).
  * Note: People should not rely on external stuff like NIST's CRL or
  http://www.knowngoods.org/ or http://setuid.org/

- Provide a documentation page search utility on debian.org, allowing searching on
  a per distribution basis of manpages, info, and package documentation
  (http://manpages.debian.net/cgi-bin/search_man.cgi not useful and people
  should not rely on stuff like http://www.fifi.org/cgi-bin/man2html)

[ Release improvements ] 

- Prune packages from release based on popularity, packages which are not
  used by anyone should not go in!

- Remove _all_ out of date dummy packages! (see #308711 and other bugs!)
  Note: Almost done by ftp-masters, some pending and needs to be reviewed
  to remove woody->sarge which are not applicable to ->etch

Feel free to add any other wishlists (or discuss any one of them). I'll try 
to track the subsequent thread and keep the list current somewhere...



[1] http://www.debconf.org/debconf5/
[2] http://lists.debian.org/debian-release/2005/06/msg00241.html

Attachment: signature.asc
Description: Digital signature

Reply to: