[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Debian Weekly News - December 9th, 2003

---------------------------------------------------------------------------
Debian Weekly News
http://www.debian.org/News/weekly/2003/49/
Debian Weekly News - December 9th, 2003
---------------------------------------------------------------------------

Welcome to this year's 49th issue of DWN, the weekly newsletter for
the Debian community. Not only Debian servers were the target of
attackers but also one of [1]Gentoo's servers as was the Free Software
Foundation's [2]Savannah system. Wired News [3]explained some of the
background and context of [4]LinEx, the Spanish Debian variant.

 1. http://www.gentoo.org/security/en/glsa/glsa-200312-01.xml
 2. http://savannah.gnu.org/statement.html
 3. http://www.wired.com/wired/archive/11.12/view.html?pg=4
 4. http://www.linex.org/

HP to expand Debian Support. Hewlett-Packard is [5]planning to expand
support offerings to customers who run Debian GNU/Linux. According to
HP Linux Chief Technology Officer and former Debian Project Leader,
Bdale Garbee, "HP Services is working on some projects right now to
increase the number and quality of the support offerings that they can
provide to customers who want to run Debian." Until now HP's Debian
support has only been limited services on request.

 5. http://www.idg.com.sg/idgwww.nsf/unidlookup/BC9AD040646E591D48256DF30024A162

Draft Proposal for new Web Server Policy. Joey Hess prepared a
[6]draft proposal for a new web server policy. Joey identified
various problems with [7]current policy, many of which come down to a
namespace problem. Debian uses the default top-level namespace of the
web server for Debian-provided content, which doesn't give admins
enough control. The nature of Joey's proposed policy means it could be
adopted without requiring immediate changes to everything, but he is
first seeking comments.

 6. http://lists.debian.org/debian-policy-0312/msg00004.html
 7. http://www.debian.org/doc/debian-policy/ch-customized-programs.html#s-web-appl

Recovery Status Update. James Troup sent in an [8]update on the
recovery of Debian hosts after the break-ins. Packages can be uploaded
again into anonymous upload queues and a new [9]key for automatic
signing of Release has been created. Packages won't be compiled for
other architectures since the build daemons need to be checked,
updated, hardened and re-LDAPed.

 8. http://lists.debian.org/debian-devel-announce-0312/msg00001.html
 9. http://ftp-master.debian.org/ziyi_key_2003v2.asc

Sarge Release Progress. Anthony Towns [10]reported about progress made
with the preparation of sarge, but the [11]bug count has been rising
fairly consistently. He admits that we're not in a position to offer a
roadmap for the release and adds that having critical, grave or
serious bugs open for an extended period is simply not acceptable.
Implicitly he asks maintainer to look after their packages and fix the
outstanding bugs so we get closer to releasing the system.

 10. http://lists.debian.org/debian-devel-announce-0312/msg00000.html
 11. http://bugs.debian.org/release-critical/graph.png

Anaconda based CD Images for Sarge. Ian Murdock [12]reported that
unofficial sarge-based iso images using the Anaconda installer are
offered by from [13]Progeny. They included a tool called picax which
builds Anaconda-based installation CDs from a Debian repository.
However, there are [14]features that are not yet working and it is not
recommended for use in a production environment.

 12. http://lists.debian.org/debian-devel-0312/msg00097.html
 13. http://platform.progeny.com/anaconda/
 14. http://platform.progeny.com/anaconda/errata.html

Debian Package Signatures. Goswin von Brederlow [15]suggested using
and distributing digital signatures along with the binary packages
besides the current chain of signed Release file, referenced Packages
file and binary packages. Suggestions include signing binary packages
and distributing signatures separately. Joey Hess [16]added that the
canonical attack would be to re-insert a Debian package with a known
security hole but a valid signature.

 15. http://lists.debian.org/debian-devel-0312/msg00042.html
 16. http://lists.debian.org/debian-devel-0312/msg00130.html

Debian Enterprise Sub-Project. Anders Salomon [17]started plans to
create a new sub-project within Debian. Long term goals include the
possible creation of another branch, security updates on this branch,
etc. Short term goals include an enterprise kernel, security work and
an improved installer.

 17. http://lists.debian.org/debian-devel-0312/msg00070.html

Debian UserLinux Roadmap. Bruce Perens [18]announced the first pass of
a UserLinux [19]white paper. He proposed a non-profit entity in charge
of the operating system with surrounding for-profit companies that are
in the business of providing service and engineering for the UserLinux
distribution. Theodore Ts'o [20]added that it would be important to
also support independent software vendors that produces proprietary
solutions.

 18. http://lists.debian.org/debian-devel-0312/msg00196.html
 19. http://userlinux.com/white_paper.html
 20. http://lists.debian.org/debian-devel-0312/msg00267.html

Rebuilding the Distribution. Steve Kemp has been [21]experimenting
with producing a hardened Debian derivative. This mostly means
compiling things with a stackguard compiler, using format guard, and
enforcing policies, etc. Instead of installing the hardened packages
on top of Debian stable he would like to create a concurrent
distribution and provide CD images as well.

 21. http://lists.debian.org/debian-devel-0312/msg00595.html

Debian Network Installation. Tim Krieglstein [22]reported about his
effort to install a cluster of machines with Debian using PXE, DHCP
and a set of hand-made scripts. The first stage boots, partitions the
hard disk, runs debootstrap and install grub. The second stage runs
after reboot and installs debconf and other packages.

 22. http://lists.debian.org/debian-devel-0312/msg00598.html

Debian CDs for WSIS. Mako Hill [23]reported that [24]CDs will be
handed out at the [25]World Summit on the Information Society (WSIS).
They are based on [26]Morphix and contain GNOME, GNUCash, Gnumeric,
OpenOffice.org, Mozilla, The GIMP, Evolution, XMMS, Bluefish and some
other stuff.

 23. http://lists.debian.org/debian-nonprofit-0311/msg00011.html
 24. http://lists.debian.org/debian-nonprofit-0311/msg00018.html
 25. http://www.geneva2003.org/wsis/indexb01.htm
 26. http://morphix.sourceforge.net/

Debian CD Images updated. Philip Hands [27]announced new CD images
that reflect the most recent [28]update (3.0r2). Some packages had to
be moved since the images ended up being larger than 650 MB initially.
Steve Kemp produced the vast majority of the images.

 27. http://lists.debian.org/debian-cd-0312/msg00057.html
 28. http://www.debian.org/News/2003/20031121a

Debian-Installer Roadmap. Joey Hess [29]announced that the CVS
repository on cvs.debian.org is back, but all pserver accounts have
been disabled. Later Joey added a [30]timeline in which no string
changes should be made after December 21st. On December 28th the
second beta test will start.

 29. http://lists.debian.org/debian-boot-0312/msg00228.html
 30. http://lists.debian.org/debian-boot-0312/msg00222.html

Security Updates. You know the drill. Please make sure that you update
your systems if you have any of these packages installed.

 * [31]rsync -- Remote arbitrary code execution.

 31. http://lists.debian.org/debian-security-announce-03/msg00213.html

Want to continue reading DWN? Please help us create this newsletter.
We still need more volunteer writers who watch the Debian community
and report about what is going on. Please see the [32]contributing
page to find out how to help. We're looking forward to receiving your
mail at [33]dwn@debian.org.

 32. http://www.debian.org/News/weekly/contributing
 33. mailto:dwn@debian.org
Reply to: