
Debian Weekly News - February 13th, 2001



---------------------------------------------------------------------------
Debian Weekly News
http://www.debian.org/News/weekly/2001/5/
---------------------------------------------------------------------------
                                    
Welcome to Debian Weekly News, a newsletter for the Debian community.

The DPL campaign is heating up. [1]Anand Kumria, [2]Bdale Garbee, and
[3]Branden Robinson each joined Ben Collins in announcing that they
will run for DPL. The timeline for the elections was [4]pushed back
since things got off to a late start. The nomination period ends
today, and then campaigning will begin in earnest.

A major change has been made to the new maintainer process.
Prospective developers must now get a recommendation from a current
Debian developer before they can go through the new maintainer
process. It is hoped that this will cut down on the number of
applicants who are not serious about becoming developers, and speed up
the process for everyone else. In a [5]mail explaining the new
requirement, Martin Michlmayr predicts that "for anyone seriously
interested in Debian, getting recommended won't be a problem at all --
if he has a package in Debian already, his sponsor can recommend him;
if he has done work on a Debian port, the web pages or boot-floppies
then he will know Debian developers to recommend him."

Some problems with testing have come to light over the past couple of
weeks. A broken version of lilo slipped into testing by accident, and
we had another round of the same lilo problems unstable users have
endured. Then a new version of console-tools entered testing, but it
turned out it had an [6]undeclared dependency on unstable's version
of debconf. Many other packages that are broken for one reason or
another have been [7]removed from testing until they are fixed. These
problems just show that maintenance of testing cannot be entirely
automated; it needs some manual attention just like other branches of
Debian. Testing is meant to be somewhere in between stable and
unstable in up-to-dateness and usability, and it is meeting that goal,
though it has required a bit more maintenance effort than we might
have expected. But a more worrying problem with testing has also
emerged.

Security fixes [8]trickle into testing just as slowly as do any other
updated packages from unstable. While stable has security.debian.org
to provide timely security fixes, and unstable gets most fixes
immediately, security fixes will not enter testing until they have
been built on all architectures, and until all their dependencies have
also entered testing. Unrelated release critical bugs can keep
security fixes out of testing too. So while testing is reasonably
current, and not too prone to breakage, security fixes can be delayed
for an uncomfortably long time. One fix for this problem would be to
add a testing section to security.debian.org, but there has not been
any enthusiasm voiced in the thread so far about this option, probably
because it would involve a lot more work.
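
The migration rule described above can be sketched as a small model. This is an added example, not code from Debian's archive tools; the package names, architecture list and archive state are constructed, and the real testing scripts consider more than this.

```python
# Simplified model of the testing-migration rule described above.
# All package names, architectures and archive data are constructed.
ARCHES = {"i386", "alpha", "sparc"}  # assumed set of release architectures
ALL = set(ARCHES)

# Candidate versions in unstable: architectures built so far, open
# release-critical (RC) bug count, and direct dependencies.
UNSTABLE = {
    "secfix":   {"built": ALL,               "rc_bugs": 0, "deps": ["libfoo", "libbar"]},
    "libfoo":   {"built": {"i386", "alpha"}, "rc_bugs": 0, "deps": []},
    "libbar":   {"built": ALL,               "rc_bugs": 2, "deps": []},
    "quickfix": {"built": ALL,               "rc_bugs": 0, "deps": ["libc"]},
}
# Dependencies whose required version has already entered testing.
TESTING = {"libc"}


def blockers(pkg, unstable=UNSTABLE, testing=TESTING, arches=ARCHES, _seen=None):
    """Return the reasons pkg cannot enter testing yet; an empty list means it can."""
    seen = _seen if _seen is not None else set()
    if pkg in testing or pkg in seen:  # already satisfied, or already examined
        return []
    seen.add(pkg)
    info = unstable.get(pkg)
    if info is None:
        return [f"{pkg}: not available in unstable or testing"]
    reasons = []
    missing = sorted(arches - info["built"])
    if missing:
        reasons.append(f"{pkg}: not built on {', '.join(missing)}")
    if info["rc_bugs"]:
        reasons.append(f"{pkg}: {info['rc_bugs']} release-critical bug(s)")
    # A fix waits for every dependency, so their blockers are inherited.
    for dep in info["deps"]:
        reasons.extend(blockers(dep, unstable, testing, arches, seen))
    return reasons


if __name__ == "__main__":
    for name in ("secfix", "quickfix"):
        why = blockers(name)
        print(name, "->", "can enter testing" if not why else "; ".join(why))
```

In this constructed state the security fix itself is built everywhere and has no bugs of its own, yet it is held back by a missing build and an unrelated release-critical bug in its dependencies.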

Unstable news. ifconfig was broken yesterday, to the point where
machines were unable to get up on the net. A fix will probably be in
the archive by the time you read this, and in the meantime there is a
[9]workaround. A [10]regex memory leak in libc was accidentally
introduced yesterday; symptoms include apt [11]eating up all memory.
And a [12]large perl reorganization is in the works: new perl packages
in Incoming incorporate many package name changes and other changes
that will require a recompile of all perl module packages.

Four security updates have come out recently. [13]Openssh has a remote
buffer overflow bug which can lead to remote root access. The non-free
ssh is also vulnerable to the ssh holes, and as a fixed package is not
available, upgrading to openssh is recommended. An [14]omnibus
security update for the version of xfree86 in stable was released. It
corrects denial of service attacks, numerous buffer overflows, and
numerous temporary file problems. [15]man-db has a format string bug
that allows local attackers to run code as user 'man'. Several denial
of service attacks against [16]proftpd were also fixed.

Experimental and proposed-updates, two long-standing warts on the side of the
Debian archive, have moved into the package pool. The new setup should
be much cleaner. James Troup explained [17]the details.

---------------------------------------------------------------------------
References
  1. http://lists.debian.org/debian-vote-0102/msg00000.html
  2. http://lists.debian.org/debian-vote-0102/msg00001.html
  3. http://lists.debian.org/debian-vote-0102/msg00002.html
  4. http://lists.debian.org/debian-vote-0102/msg00004.html
  5. http://lists.debian.org/debian-devel-announce-0102/msg00004.html
  6. http://bugs.debian.org/84741
  7. http://lists.debian.org/debian-devel-0102/msg00530.html
  8. http://lists.debian.org/debian-devel-0102/msg00629.html
  9. http://lists.debian.org/debian-devel-announce-0102/msg00011.html
  10. http://bugs.debian.org/85788
  11. http://bugs.debian.org/85820
  12. http://www.debian.org/News/weekly/2001/5/mail#1
  13. http://www.debian.org/security/2001/dsa-027
  14. http://lists.debian.org/debian-security-announce-01/msg00023.html
  15. http://www.debian.org/security/2001/dsa-028
  16. http://lists.debian.org/debian-security-announce-01/msg00022.html
  17. http://lists.debian.org/debian-devel-announce-0102/msg00009.html

-- 
see shy jo


