[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Debian Weekly News - April 11th, 2000

Debian Weekly News 
Debian Weekly News - April 11th, 2000
Welcome to Debian Weekly News, a newsletter for the Debian developer

For a [8]long time everyone has been aware of a basic security problem
in Debian: packages can be changed on Debian mirrors and users have no
way to verify that the package they download is the same package a
developer uploaded. Two ideas have come up again and again as ways to
make this more secure. The first idea is to allow for signatures
inside the .deb files themselves, which lets one verify that a given
developer built a package. The second is to allow for signed
Packages.gz files, which lets one verify that the package went through
the normal upload process. Neither of these signatures will provide
perfect security. There are many holes left; for example, a
developer's computer may be cracked and if they do not manage their
keys wisely, their key may be compromised. In the past, in typical
Debian fashion, we have held off doing anything since there was no
known perfect solution.

This issue has [9]resurfaced this week, and there is a growing
inclination to implement both types of signatures, though both are
imperfect, to allow the security bar to at least be raised a bit
higher. After some [10]long discussions on the [11]mailing lists and
on [12]irc, more and more people are reaching consensus on this. Now,
who will implement it?

5 new mailing lists have been [13]created, for purposes ranging from
porting to the PA-RISC and S/390 to Dutch internationalisation.

Direct access to the Incoming directory
is now available at [14]http://incoming.debian.org/. The old Incoming
mirror network is being [15]shut down.

The IBM Global Services "Linux Support Line" in conjunction with
Alcôve will now offer phone support for Debian in several countries.
Interestingly, their [16]press release claims that Debian is the
current market leader (27%).

New packages in Debian this week include the following, and [17]24
  * [18]abook: A text-based ncurses address book application.
  * [19]bass: Bulk Auditing Security Scanner [non-free]
  * [20]debwrap: Wrapper for dpkg/apt-get
  * [21]doxygen: Documentation system for C, C++ and IDL.
  * [22]dvipdfm: A DVI to PDF translator.
  * [23]fujiplay: Interface for Fuji digital cameras
  * [24]gob: GTK+ Object Builder

8. http://www.debian.org/News/weekly/1999/24/#signdebs
9. http://www.debian.org/Lists-Archives/debian-devel-0003/msg01283.html
10. http://www.debian.org/Lists-Archives/debian-devel-0004/msg00013.html
11. http://www.debian.org/Lists-Archives/debian-devel-0004/msg00188.html
12. http://www.debian.org/Lists-Archives/debian-devel-0004/msg00245.html
13. http://www.debian.org/Lists-Archives/debian-devel-0003/msg01812.html
14. http://incoming.debian.org/
15. http://www.debian.org/Lists-Archives/debian-project-0004/msg00000.html
16. http://linuxpr.com/releases/1596.html
17. http://master.debian.org/~tausq/newpkgs-20000410.html
18. http://www.debian.org/Packages/unstable/mail/abook.html
19. http://www.debian.org/Packages/unstable/admin/bass.html
20. http://www.debian.org/Packages/unstable/admin/debwrap.html
21. http://www.debian.org/Packages/unstable/devel/doxygen.html
22. http://www.debian.org/Packages/unstable/tex/dvipdfm.html
23. http://www.debian.org/Packages/unstable/graphics/fujiplay.html
24. http://www.debian.org/Packages/unstable/devel/gob.html

see shy jo

Reply to: