
Debian Weekly News - May 26th, 2008



---------------------------------------------------------------------------
Debian Weekly News
http://www.debian.org/News/weekly/2008/03/
Debian Weekly News - May 26th, 2008
---------------------------------------------------------------------------

Welcome to this year's 3rd issue of DPN, the newsletter for the Debian
community. Steve McIntyre sent a new "Bits from the DPL" mail. A
serious issue in Debian's OpenSSL package has been fixed recently.
Debian is discussing an archive structure for huge packages.


Bits from the Debian Project Leader
-----------------------------------

Steve McIntyre sent a new release of his "Bits from the DPL"[1] reporting
his recent activities as elected Project Leader. He starts by pointing to
several interviews he gave recently[2][3][4][5][6] and continues with
personnel changes in core teams. Jonathan McDowell has
been added as keyring maintainer, and is already working together with
James Troup on easier integration of keyring maintenance and our LDAP
system for better cooperation with the Debian System Administrators. He
thanks Anthony Towns, who stepped down from the teams he was in.

  1: http://lists.debian.org/debian-devel-announce/2008/05/msg00006.html
  2: http://www.itwire.com/content/view/17716/1090/
  3: http://www.computerworlduk.com/community/blogs/index.cfm?RSS&entryid=741
  4: http://news.zdnet.co.uk/software/0,1000000121,39406494,00.htm
  5: http://www.regdeveloper.co.uk/2008/04/21/debian_developers_approved/
  6: http://www.tllts.org/audio/tllts_244-05-07-08.ogg

Last but not least he talks about the upcoming Debian Conference[7] in
Mar del Plata, Argentina. The organizational efforts are going on pretty
well, with announcements about papers, talk selection and travel
sponsorship soon to be sent out. But as always, the organizers are also
still looking for more companies and individuals to sponsor the
conference -- please contact sponsors@debconf.org[8] if you can help.

  7: http://debconf8.debconf.org/
  8: mailto:sponsors@debconf.org


OpenSSL weakness in Debian affecting many other packages
--------------------------------------------------------

Luciano Bello discovered[9] that the random number generator in Debian's
openssl package is predictable. This is caused by an incorrect
Debian-specific change to the openssl package (CVE-2008-0166[10]). As a
result, cryptographic key material may be guessable. Affected keys
include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in
X.509 certificates and session keys used in SSL/TLS connections.  Keys
generated with GnuPG or GNUTLS are not affected, though. However, other
systems can be indirectly affected if weak keys are imported into them.

  9: http://lists.debian.org/debian-security-announce/2008/msg00152.html
 10: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166

Shortly after Luciano's discovery, fixed packages[11] were created and,
due to the seriousness of the problem, a new OpenSSH package was
released[12] that automatically regenerates possibly compromised keys
and features a blacklist for possibly affected user keys. At the same
time a detector tool[13] (GPG signature[14]) was written and has been
constantly improved since then, and detailed test and upgrade procedures
for different software packages have been collected[15].

 11: http://lists.debian.org/debian-security-announce/2008/msg00152.html
 12: http://lists.debian.org/debian-security-announce/2008/msg00153.html
 13: http://security.debian.org/project/extra/dowkd/dowkd.pl.gz
 14: http://security.debian.org/project/extra/dowkd/dowkd.pl.gz.asc
 15: http://www.debian.org/security/key-rollover/

We are sorry for any inconvenience this has caused and would like to thank
everyone who helped get this issue solved so fast and without any
major consequences.

Discussion on how to prevent such accidents in the future has already
been started on various[16] lists[17].

 16: http://lists.debian.org/debian-devel/2008/05/msg00536.html
 17: http://lists.debian.org/debian-devel/2008/05/msg00427.html
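
How a blacklist check of the kind mentioned above can work, as an added
example that is not part of this newsletter and is not the code of
dowkd.pl or of the OpenSSH package: it flags authorized_keys entries
whose MD5 fingerprint appears in a blacklist. The blacklist format (a
set of full hex fingerprints), the function names and the sample keys
are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire encoding: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def make_sample_line(modulus: bytes, comment: str) -> str:
    """Build a CONSTRUCTED ssh-rsa line (fake modulus, sample data only)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def audit_authorized_keys(text: str, blacklist: set) -> tuple:
    """Return (weak, unparsable): weak is [(line_no, comment)], unparsable is [line_no]."""
    weak, unparsable = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        try:
            blob = base64.b64decode(fields[1], validate=True)
        except (IndexError, ValueError):
            # Report lines we cannot check instead of silently passing them.
            unparsable.append(line_no)
            continue
        # MD5 over the decoded key blob was OpenSSH's fingerprint in 2008.
        if hashlib.md5(blob).hexdigest() in blacklist:
            weak.append((line_no, " ".join(fields[2:])))
    return weak, unparsable


# Constructed sample input: two fake keys and one damaged line.
WEAK_LINE = make_sample_line(bytes(range(1, 65)), "alice@constructed-weak")
GOOD_LINE = make_sample_line(bytes(range(65, 129)), "bob@constructed-ok")
SAMPLE = "\n".join(["# constructed file", WEAK_LINE, GOOD_LINE, "ssh-rsa not*base64 carol"])
# Assumed blacklist format: a set of full hex MD5 fingerprints.
BLACKLIST = {hashlib.md5(base64.b64decode(WEAK_LINE.split()[1])).hexdigest()}

if __name__ == "__main__":
    weak, unparsable = audit_authorized_keys(SAMPLE, BLACKLIST)
    for line_no, comment in weak:
        print(f"line {line_no}: blacklisted key ({comment}), replace it")
    for line_no in unparsable:
        print(f"line {line_no}: could not parse, check by hand")
```

A key that matches must be removed and regenerated on a fixed system;
a line that cannot be parsed is reported separately so it is not
mistaken for a clean result.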


Perl 5.10 Transition
--------------------

Marc Brockschmidt announced[18] the completion of the recently ongoing
transition to Perl 5.10 as default version for the upcoming stable
release.

 18: http://lists.debian.org/debian-devel-announce/2008/05/msg00007.html

He noted that for this transition over 400 packages got updated in
testing, including updates for heimdal, clamav and sendmail/libmilter.
The next scheduled, smaller updates are planned for xulrunner, ocaml,
ffmpeg, poppler and nautilus.


Backports.org unknown?
----------------------

During his triage of older bugs reported against OpenOffice.org, Lior
Kaplan noticed[19] that many users are not aware of backports.org[20],
an unofficial service providing updated packages for users of the stable
version of Debian.

 19: http://liorkaplan.wordpress.com/2008/05/25/why-arent-our-users-familiar-with-backportsorg/
 20: http://www.backports.org

In the following discussion several proposals for better integration of
that service into Debian were made. Gerfried Fuchs summarized[21] the
current state.

 21: http://liorkaplan.wordpress.com/2008/05/25/why-arent-our-users-familiar-with-backportsorg/#comment-362


Huge Packages in Debian
-----------------------

After members of the Debian Games Team[22] (and other maintainers of
generic large data packages) wondered about size limitations of the
Debian archive (and its infrastructure) regarding packages, Joerg
Jaspert joined the discussion as ftp-master and summarized[23] the
possibilities for solving the issues. He favours creating a new
archive for large packages (containing architecture-independent data)
and, if possible, a change to the Debian Policy allowing packages
that depend on data available only in the new archive to stay in
main.

 22: http://lists.debian.org/debian-devel-games/2008/05/msg00165.html
 23: http://lists.debian.org/debian-devel/2008/05/msg00970.html


State of SANE
-------------

Since SANE (Scanner Access Now Easy, a framework for accessing
scanners) is working on improving its interface, Julien Blache gave an
overview[24] of his plans for the SANE packages for the upcoming
release "Lenny". SANE will need to stay on the current interface, but
Julien plans to backport some important improvements from the
development branch and asks for some feedback.

 24: http://blog.technologeek.org/2008/05/07/106


Hints for new Free Software Projects
------------------------------------

Francois Marier gave hints[25] on how to choose a license for free
software projects. He concludes that using a license incompatible with
mainstream licenses like the GNU General Public License is as bad as
writing your own license.

 25: http://feeding.cloud.geek.nz/2008/05/choosing-right-license-for-your-new.html

Neil Williams added[26] some more general hints.

 26: http://www.linux.codehelp.co.uk/serendipity/index.php?/archives/117-Non-code-code-development-upstream-for-estron.html


Other News
----------

Sven Joachim wondered[27] about the state of translation packages for
enigmail[28], a GnuPG tool for the mail client Icedove[29]. Alexander
Sack replied[30] that he will add them to the main package.

 27: http://lists.debian.org/debian-i18n/2008/05/msg00248.html
 28: http://packages.debian.org/enigmail
 29: http://packages.debian.org/icedove
 30: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=473168#35


Joerg Jaspert proposed[31] to standardize headers added to e-mails by
various tools used by Debian.

 31: http://lists.debian.org/debian-devel-announce/2008/05/msg00001.html

Enrico Zini gave[32] a small howto on "Conditional partitioning in debian
installer" for unattended installations preserving some partitions. He
already wrote a small howto[33] on creating bootable USB keys with
simple-cdd.

 32: http://www.enricozini.org/2008/tips/d-i-conditional-partitioning.html
 33: http://www.enricozini.org/2008/tips/simple-cdd-usb.html

Since the database used by packages.debian.org[34] covers only supported
and upcoming releases, Frank Lichtenheld created archive.debian.net[35]
which is capable of searching through archived releases, too. Sadly it
has some caveats[36].

 34: http://packages.debian.org
 35: http://archive.debian.net
 36: http://blog.djpig.de/2008/05/13#archive-debian-net

Martin Kraft started[37] collecting noteworthy additions, changes and
other improvements in the upcoming stable Debian Release "Lenny" in the
wiki[38]. Please help and contribute to that page.

 37: http://lists.debian.org/debian-devel/2008/05/msg00422.html
 38: http://wiki.debian.org/NewInLenny


Debian Project will be at Linux Tag 2008
----------------------------------------

From Wednesday the 28th of May 2008 to Saturday the 31st of May 2008,
in Berlin, Germany, the Debian Project will participate with a booth at
Linux Tag 2008. Please see our events page[39] for further details.

 39: http://www.debian.org/events/2008/0528-linuxtag


Work-needing packages
---------------------

Currently 433 packages are orphaned and 104 packages are up for adoption.
Please take a look at the recent[40] reports[41] if there are packages
you are interested in.

  40: http://lists.debian.org/debian-devel/2008/05/msg00402.html
  41: http://lists.debian.org/debian-devel/2008/05/msg00913.html



Want to continue reading DPN? Please help us create this newsletter. We
still need more volunteer writers who watch the Debian community and
report about what is going on. Please see our "HOWTO contribute"[42] page
to find out how to help. We're looking forward to receiving your mail at
debian-publicity@lists.debian.org[43].

  42: http://wiki.debian.org/ProjectNews/HowToContribute
  43: mailto:debian-publicity@lists.debian.org


This issue of Debian Weekly News was edited by Luca Bruno, Meike
Reichle and Alexander Schmehl.


