
Debian Weekly News 2006/39

published on Tue Sep 26 00:00:00 2006 in weekly-news

Welcome to this year's 39th issue of DWN, the weekly newsletter for the Debian community. Jeroen van Wolffelaar announced a bug squashing party to be held in Utrecht, The Netherlands, from September 29th to October 1st. Manoj Srivastava announced that the general resolution on asset handling has passed. As Debian experiments with funding, the editor and main author of DWN is going to experiment with spending less time on Debian. Please understand that due to this there may be no future issues of DWN in the current form or that they will only be released less frequently.

Distributing DVD CSS from ftp.skolelinux.org?

Petter Reinholdtsen wondered if libdvdcss2 could be distributed from ftp.skolelinux.org as there is no DMCA law in Norway. Holger Levsen stated that users in countries other than Norway might get into legal problems if this is done, and asked for legal advice. Alexander Schmehl pointed him to Gregory Pomerantz, the legal advisor of SPI.

Filibustering General Resolutions

Manoj Srivastava reported that due to a loophole in the constitution, any group of 6 Debian developers can delay any general resolution indefinitely by putting up their own amendment. Due to past accusations he has decided that stopping this could be seen as abuse of his secretary powers and asked the project to determine how it wants to handle filibustering.

City of Munich migrates to Debian

The City of Munich announced (German only) that they have started migrating their desktops to a Debian-based computing platform. As part of the project called LiMux nearly 14,000 computers will be running a distribution based on sarge accompanied by more recent versions of popular productivity tools like KDE, OpenOffice.org and others.

Debian experiments with Funding

Howard Dahdah reported that Debian experiments with funding the release managers to release etch in time as previously announced. However, technically this is not the Debian project but this is how it is publicly received. Several developers are not happy with the Dunc-Tank and had already raised concerns before it went public.

Project Leader to be recalled?

Denis Barbier proposed a general resolution to recall the project leader in order to remove any confusion whether the Debian project leader is involved in Dunc-Tank or not. The Computerworld article reported that Debian is experimenting while Dunc-Tank is officially outside of Debian. So it already failed to be seen as a separate entity.

Procedural Rules about General Resolutions

Manoj Srivastava announced procedural rulings about proposing and sponsoring general resolutions due to the high number of such resolutions and amendments. Every proposal must clearly indicate the bounds of the proposal and every proposal and sponsoring email must be signed with the cryptographic key that lives in the Debian keyrings.

City of Munich deploys a Debian-based solution for Desktop

published on Wed Sep 20 11:25:55 2006 in news, success-story

Today, the City of Munich announced (http://www.muenchen.de/Rathaus/dir/limux/ueberblick/175149/windowsabloesung.html) that it has started deploying a Debian-based solution on its employees' desktops, replacing the existing Microsoft Windows setup.

The Mayor of the City of Munich, Christian Ude, has already been using the test version for some time and has given a positive summary of his experiences: "Nach notwendigen Konzept- und Entwicklungsphasen beginnt jetzt der Effektiveinsatz mit einer Version, die sich im Piloteinsatz nicht zuletzt bei mir bewährt hat. Der Basisclient ist für München ein Schritt zu mehr Unabhängigkeit von einzelnen Herstellern und freie Software zeigt sich hier als ein probates Mittel dafür. Für den normalen Anwender ändert sich dabei wenig." (rough translation: After the concept and development phases, we have now started to use a version that was successfully tested, also by me. The software is a step towards more independence from single vendors, and free software is a good tool for that. The normal user is not really affected much by the change.)

The software is entirely based on Free Software. The core components are Debian 3.1 (Sarge), http://www.debian.org/, KDE 3.5, http://www.kde.org/ and OpenOffice.org 2, http://de.openoffice.org/. For software distribution and administration, FAI (Fully Automatic Installation), http://www.informatik.uni-koeln.de/fai/ and GOsa (remote management interface), http://gosa.gonicus.de/ are used.

Debian Weekly News 2006/38

published on Tue Sep 19 00:00:00 2006 in weekly-news

Welcome to this year's 38th issue of DWN, the weekly newsletter for the Debian community. David Barker thanked the project for the well developed etch distribution. Joey Schulze contemplated etch to be ready for release already. From Friday to Sunday a bug squashing party will be organised in Berlin, Germany.

Status of GNOME 2.16 in Debian

Frederic Peters announced a status page that helps tracking packages of GNOME 2.16 which has been released recently. Josselin Mouette added that it is planned to push packages for version 2.16 into experimental as soon as possible.

Report from Come 2 Linux

Joey Schulze reported about the Debian presence at the Come 2 Linux event in Essen, Germany. The Debian project maintained a booth in the exhibition area and delivered two talks which were well received. There was enough time and space at the booth to take care of visitors without many people queueing up.

Local DebConf7 Team Meeting

Steve McIntyre reported about several developers having met in Edinburgh, Scotland, to work out the bits that are needed for the Debian conference 7 next year. The team visited Teviot, the student centre that is planned to be used, and checked out several of the local hostels and public houses for suitability.

The Hurd with WLAN and PCMCIA

Michael Banck reported that the current GNU Mach upload has brought PCMCIA and WLAN with WEP encryption support to Debian GNU/Hurd. Earlier he stated that the latest gnumach and hurd packages are up-to-date with the developer CVS repository and hence include the work towards Berkeley Packet Filter support.

Debian Steering Committee?

David Nusinov pondered about setting up a distribution steering committee. Ingo Jürgensmann considered this a good idea in general. David added that the bottom-up structure instead of top-down is a defining feature of Debian. Raphaël Hertzog suggested to replace the project leader with a steering board.

Setting up Subversion

Bert Heymans described in detail the required steps to set up a Subversion server including websvn with code colouring for easy repository browsing. This document includes the configuration of Apache 2 for Subversion WebDAV and contains some Subversion test commands.

PostgreSQL Transition Strategy

Peter Eisentraut explained that currently etch users who wish to install the postgresql package will end up with the older version and asked for advice. This situation occurs due to the transition to versioned PostgreSQL packages that can be installed in parallel.

APT Upgrade Problem

Ingo Jürgensmann discovered that when upgrading from sarge to etch, apt-get complains about untrusted source of packages because signatures couldn't be verified. Alexander Schmehl added that aptitude behaves the same and hence opened a release-critical bug report asking for a dependency against debian-archive-keyring.

Debian Installer Stance on non-free Firmware

Frans Pop stated that the installer team will not accept any structural changes to support loading firmware in the installer at this late stage before the release. In the long-term he would also prefer a solution that wouldn't require adding the entire non-free or contrib to the sources.list file.

Using Wikis for Discussions?

Russell Coker suggested using another mechanism instead of discussions led via mail. He believes that endless discussions are more an illustration of the failings of mailing list culture than of failings of Debian. If each side had a Wiki page that they could modify then in a small amount of time there would be a set of two main consensus opinions which would each be explained clearly and summarised well.

Debian Boot Dependency Graph

Petter Reinholdtsen created a dependency graph of boot scripts now that a sufficiently large number of init scripts use the LSB convention. There's also a status summary for the packages used in a desktop installation. Nathanael Nerode added that the udev dependency information is not accurate since a lot of packages depend on udev running first.

Final report from the internationalisation team meeting in Extremadura

published on Mon Sep 18 12:06:20 2006

The first Debian internationalisation meeting occurred from September 7th 2006 to September 9th 2006 in Casar de Caceres, Extremadura, Spain.

This meeting has been organised as part of the "Extremadura sessions" entirely sponsored by the government of the Extremadura region in Spain ("Junta de Extremadura") as a commitment and reward to the Debian Project which is the base of the LinEx custom Linux distribution they use for their general IT project entirely based on free software.

23 people from all over the world, representing various areas of the Debian internationalisation and localisation effort, as well as representatives from related projects, participated in this meeting. The full list of participants is available at [1].

The meeting was organized with several technical and social goals:

  • making a new step towards a real "i18n Task Force" for the Debian Project
  • draw the final plans for an official "infrastructure server" for all Debian i18n and l10n activities
  • enforce the collaboration with the WordForge free software project, which was decided during sessions in Debconf6 in Mexico and continued into a "Google Summer of Code" project granted to Gintautas Miliauskas about "improvements to the architecture of the Pootle server: separation of backend and frontend"
  • continue the revival of the Debian Packages Description Translation Project (DDTP) and begin to integrate it in a first Debian i18n server
  • have more specialized talks, BOFs and brainstorming sessions about:
    • use of po4a
    • localization-config revival for etch
    • modularization of language handling in D-I
    • "language packs"
    • testing D-I localisation

Building the Debian infrastructure server

The Debian i18n task force and the Junta de Extremadura representatives (namely César Gómez Martín, who organized all the local logistics, travel and related practical items) agreed about dedicating a server for the Debian i18n activities.

This server will be hosted in the Junta de Extremadura datacenter, in Badajoz, Spain. It will be entirely dedicated to the Debian i18n activities, first as a test platform for the future Debian i18n infrastructure and later as part of the official Debian servers network.

During the first phase, this server will be added to the debian.net domain. Felipe Augusto van de Wiel will be the main server administrator, helped by César Gómez Martín as local contact. Felipe will build a system admin team for the testing and setup phase.

The initial server was set up by Felipe during the meeting. We consider this as the first technical achievement towards a Debian i18n infrastructure. The server features a Pootle server, and chrooted environments have been set up for installation of alternative or complementary software (for instance, Eddy Petrisor began working on setting up an implementation of transdict).

Initial work began to "feed" the server with data extracted from the Debian packages description translations, with the help of Michael Bramer, initiator and leader of the DDTP project, who was present at the meeting. These data will help Wordforge developers to push Pootle to its limits and improve its ability to sustain high loads.

This data will also help testing the integration of Gintautas' work, namely the storage backend, in heavy load conditions.

DDTP (Debian packages Descriptions Translation Project) future

Michael Bramer presented the status of the DDTP project. The Debian mirror infrastructure is now ready to host Translate-<lang> files for the use of modified APT versions. A version of APT which can use these translated descriptions has been successfully tested.

The i18n team members agreed to commit themselves to get this modified APT into etch and support the translated descriptions feature and the possible bugs that could come because of it.

A very basic infrastructure exists to allow translation updates. It fits the very simple needs of translating material even if it is very far from the ideal infrastructure.

A first attempt to feed the demo Pootle server with PO files generated from the raw DDTP material has been launched. Though not completely successful, it helped show that, after some more debugging, we could very soon have our demo server including the DDTP translations. This will serve as a high load test. However, managing translation updates through this method will not be supported and that demo server should not be used for production work. We recommend using the DDTSS interface, written by Martijn van Oosterhout [4].

Packages i18n support improvement and NMU campaign

The basis for more active actions by the Debian i18n task force has been drawn.

We will begin working on a few directions, some before the release, some after:

  • complete the transition to po-debconf (and make the use of it a policy requirement)
  • push the inclusion of translation work in packages
  • help the gettext 0.15 transition

A decision has been taken to request the addition of a debian-i18n pseudo-package. Most work will be tracked by using metabugs on this package. Metabugs will be used to identify different categories of i18n bugs (some ideas were: transition-po-debconf, transition-po4a-manpages, transition-new-gettext, transition-utf8-support, cat-po-debconf, cat-po-native, cat-po4a). The combination of these metabugs, of blockers, and of the existing usertags (for languages) will be helpful for the i18n Task Force. Gerfried Fuchs is responsible for asking for the pseudo-package creation.

A NMU campaign will start to push as many po-debconf translations as possible into packages during the next months. It will use infrastructure and methods put in place by Lucas Wall and Christian Perrier [5] back in Jan. 2005 for a similar campaign to push po-debconf transitions.

Thomas Huriaux and Gerfried Fuchs will initiate the work by identifying pending l10n bugs and sort packages according to the age and number of pending l10n bugs (in various categories if possible). Contact will be made with Lucas for the re-use of his infrastructure for this campaign (Felipe Augusto van de Wiel). The templates will have to be checked (Stefano Canepa), the pre-NMU schedule could also be reviewed.

First results at [6] and [7]

The Debian Developers present at the meeting enforced their commitment to participate in this NMU campaign.

Packages which do not use po-debconf for the interaction with users should not be allowed in Etch+1 (RC). This should be proposed as a release goal.

Localization-config (l-c) revival

Christian Perrier presented the l-c package, which was aimed at completing the system localization on installed systems, in relation with D-I.

l-c is used in the sarge installer to handle various localization/internationalization related parameters, which are not considered to be properly handled in the relevant packages: X server keyboard settings, GDM localization, dictionaries settings, KDE parameters, etc.

In sarge, l-c is run during the second stage install, in two steps, before and after the packages and tasks installation. Up to now, this has not been re-integrated into D-I. The D-I team is waiting for this to happen, even though this is not considered as release critical for D-I.

Christian did some early work on that purpose and mentioned that this all needs testing. The new version of the package, which provides a new udeb package, has been processed by the ftpmasters during the week-end.

Several aspects that previously required the use of l-c do now correctly handle l10n, so it's quite likely that the tool's importance will be lowered.

However, some work has now to be done to adapt l-c actions to etch. Gerfried Fuchs agreed to conduct this task, first in relation with Christian Perrier, backup maintainer, then with Konstantinos Margaritis, the main maintainer.

Fonts and Input Methods (Keyboard handling - console and X)

Javier Solá presented the Khmer font. This pointed out some assumptions made by users of Latin glyphs (height of glyphs, hyperlink decoration, shortcut for menus). Friedel Wolff indicated a page started on the translate wiki (http://translate.sourceforge.net/wiki/l10n/displaysettings) to gather this information.

Guntupalli Karunakar talked about input methods (X and Gnome keyboard, SCIM, IME extension for Firefox), Jaldhar Vyas presented SCIM (Smart Common Input Method), and Kenshi Muto talked about the Japanese glyph and input method.

This topic also popped up during the l-c BOF session. That session concluded that interesting post-etch work would be creating a matrix of all languages we support in D-I and, for each, identifying what should be the default keymap in X, then recreating this keymap with console-setup tools and adding it to console-data. These keymaps would then be the only proposed ones in D-I, which would help getting consistency between console and X keymaps. Felipe Augusto van de Wiel volunteered for this work.

Improving Debian i18n/l10n Documentation

One area of activity is improving the i18n/l10n documentation, especially the i18n guide (http://www.debian.org/doc/manuals/intro-i18n/) and the parts related to areas discussed in this report. This also covers documentation about some tools like defoma, unicode fonts, input, scim, etc., as well as a quick & easy guide to building a CDDD (CDD for Dummies). Jaldhar & Karunakar volunteered for this.

Modularisation of D-I languages support

There was an extensive discussion on how to improve the way d-i handles translations so that it will be possible, in the future, to provide as many translations as we are provided with.

The current d-i limitations are:

  • initrd size
  • RAM consumption
  • required bandwidth

Alternatives proposed:

  • separate translations from udebs and only download the one selected by users
  • generate different initrds per language families
  • only translate non expert questions
  • reduce localechooser translations (all country names in all languages)
  • move translations into 2 udebs (one for initrd components and another for other components)
  • use the 'lowmem' mechanisms to remove unused translations

Language packs

Initially a side discussion of the D-I modularisation, this topic developed into an in-depth improvised brainstorming session. A first draft summary is present at Self:I18n/TranslationDataDistribution.

A language pack (or language package) is a "complement" for a software package that provides a translation for a given language separately from the main package. It is distributed in a separate way and can either be produced by the upstream developers and extracted from the main package source, or be produced by independent third parties. For more information see Self:I18n/LanguagePacks

Translations are currently distributed in the Debian archive through:

  • Binary packages
  • Architecture independent packages associated with binary software packages

The discussion started by focusing on one of the advantages of the language pack approach used by Ubuntu: the capability to provide updated translations post-release. Some agreement was reached to try to achieve a similar goal for etch+1. Some initial work (pre-etch) could include:

  • Ubuntu's glibc patch to have an alternate location for MO binary files
  • study a mechanism for translation updates for non-gettext data

Testing D-I translations

The need for more tests of the D-I translations was repeated. It is important that many users test the installer in their languages. Lior Kaplan presented how to use qemu to make these tests (how to run qemu, how to test the translations, make changes, and test again efficiently).

Defining the needs of Debian for its infrastructure server

This discussion essentially reaffirmed the needs we mentioned in the Debconf6 i18n sessions. See [8]

These identified needs should be reformalised in a shorter document, probably maintained on the wiki. The Wordforge developers will then be able to mention whether each of these requirements is already supported, planned to be supported...or to be added to Pootle's roadmap.

i18n wiki and IRC channels

The next i18n server will feature a wiki for dedicated i18n activities. We will think about moving things to the general Debian wiki when it appears to be more appropriate. The i18n wiki should only be a work wiki for meetings, common work, etc.

The i18n Task Force runs a #debian-i18n channel on irc.debian.org. All Debian developers and contributors are welcome to join and contact i18n wizards on that channel.

Videos of the meeting will be available at [9]
(this will be announced separately on debian-i18n)

Meeting conclusion

All meeting attendees would like to express their deep gratitude to the Junta de Extremadura for supporting this meeting organisation by providing lodging and travel funding. We particularly want to thank César Gómez Martín for the incredible amount of work and energy he put into this organisation, including booking the famous and hot sun of Extremadura for the whole meeting.

We sincerely hope that this event will give a big push to internationalisation in Debian for the benefit of the entire project as well as derived works such as the LinEx distribution used by the Junta de Extremadura.

[1] http://wiki.debian.org/I18n/Extremadura2006

[2] http://www.wordforge.org

[3] http://www.wordforge.org/drupal/projects/wordforge/tools/pootle

[4] http://kleptog.org/cgi-bin/ddtss2-cgi/xx

[5] http://people.debian.org/~lwall/i18n/

[6] http://lists.debian.org/debian-i18n/2006/09/msg00055.html

[7] http://haydn.debian.org/~thuriaux-guest/l10n-nmu/nmu_bypackage.html

[8] http://lists.debian.org/debian-i18n/2006/05/msg00135.html

[9] http://meetings-archive.debian.net/pub/debian-meetings/2006/

[10] http://www.linex.org/

Come 2 Linux Resume

published on Wed Sep 13 08:38:46 2006 in event-report

The impression of the Come2Linux (http://www.debian.org/events/2006/0909-come2linux) exhibition and conference is pretty positive. Even though there was some trouble with getting the booth and talks accepted, and finding the right university building in Essen wasn't as easy as expected, the event itself went pretty well.

The exhibition areas were quite familial and all projects had similar booths consisting of only tables, chairs and a wall in the back. For such an event that was totally sufficient. In addition to that, one woman baked tasty waffles, the organisers sold some coffee and rolls, and outside there was a trailer with a mobile kitchen providing hot lunch.

Both Debian talks were well received. Of course, the introductory talk had a few more people listening than the more detailed talk about Debian packages and stuff. However, 40-50 people are ok for this kind of event.

(Contributed by Joey Schulze, http://www.infodrom.org/~joey/log/?200609122039)

Debian Weekly News 2006/37

published on Tue Sep 12 00:00:00 2006 in weekly-news

Welcome to this year's 37th issue of DWN, the weekly newsletter for the Debian community. Debian will be present at the Wizards of OS conference next weekend in Berlin, Germany. André Luiz Rodrigues Ferreira wondered if there will be special Debian themes available for the desktop environments in etch. Adrian von Bidder discovered a 16 core MIPS server with Debian pre-installed.

Secure APT Key Management

Andreas Barth summarised the discussion about key management for APT from July. The general idea is to have an offline key for signing stable releases per release and a yearly rotating key for unstable. Stable release keys will be revoked by stable+2, so that updates between stable releases still work with the old key.

Alioth Incident Report

Raphaël Hertzog reported that Alioth was abused as IRC proxy. Upon investigation the Alioth team discovered that many projects are running custom-installed web applications and asked the project administrators to review the installed software. Raphaël added that a service like Alioth is of great use for everybody, but its openness is also its weakness.

CD/DVD Creation Report

Steve McIntyre reported about plans to move the CD building and distribution servers to one site in order to minimise transfer delays. Other ideas include a special network installation CD that boots on the top three architectures, an automatic CD checker, and the integration of Carlos Parra Camargo's work as part of Google's Summer of Code.

Constitutional Amendment on Asset Handling

Manoj Srivastava called for votes on a general resolution to address the procedures related to handling assets for the Debian project. Votes must be received by 23:59:59 UTC on Saturday, 23rd September, 2006. This resolution reflects the fact that not only Software in the Public Interest, Inc. is handling assets for the Debian project.

Using the BTS for License Issues

Anthony Towns suggested introducing a special licensing tag for reports in the bug tracking system (BTS) that claim a package is not suitable for distribution due to licensing problems. Don Armstrong stated that it's generally a good idea to start with a usertag. This could point to the debian-legal mailing list.

Status of the Internet Superserver

Roger Leigh investigated the inetd situation in etch. Four of them support the IPv6 protocol but some of them can't be considered as a drop-in replacement for the standard BSD Internet superserver. He added that users who are upgrading from woody or sarge to etch will not be switched to openbsd-inetd, whereas new installs will use it by default.

First Colombian Mini DebConf

Alejandro Ríos Peña reported about the first Colombian Mini DebConf on August 19th and 20th. 14 Debian enthusiasts from all over the country participated in the event and held a keysigning party. The Colombian Debian community is just starting to get into the work and held a workshop on general Debian tasks and package maintenance.

Stable Release Update

Martin Zobel-Helas summarised a stable release manager meeting and concluded that the next stable update is scheduled for mid-October. New kernel packages are said to be in preparation, some packages that should have been removed during the last update were forgotten, and some files still weren't uploaded from the security server. Anthony Towns has agreed to update the archive software to allow updates of the oldstable distribution as well.

Firefox and SeaMonkey

Mike Hommey called for testers of the new Firefox 2.0b2 in experimental. In other news, work has started on SeaMonkey. The developer team hopes to be able to provide a full featured package for etch so that people using Mozilla on sarge will get a correct upgrade path. He has also uploaded a new xulrunner release that allows administrators to handle the certificate databases for Mozilla products.

Removed Packages

11 packages have been removed from the Debian archive during the past week:

First Colombian Mini-DebConf

published on Fri Sep 8 09:54:34 2006 in event-report

As announced on http://lists.debian.org/debian-devel-announce/2006/08/msg00002.html, we had the first Colombian Mini-DebConf on August 19th and 20th 2006, http://wiki.debian.org/DebianColombia/MiniDebconf2006.

14 Debian enthusiasts from all over the country joined the event, and we even got the help from Luciano Bello from Argentina, who was invited to the related event "Jornadas de Software Libre", http://jsl.unicauca.edu.co that was held in parallel.

The Colombian Debian community is just starting to get into the work and we couldn't manage to do any BSP, but we did a hands-on workshop on general Debian tasks and package maintenance. At the end, we also had a KSP, organized by Santiago Ruano Rincon, http://afrodita.unicauca.edu.co/~santiago/ksp-jsl2006/. At least 4 of the 14 attendees have continued the work that was started that day.

Santiago was the only DD present, and only Luciano and Alejandro Rios have had any previous and continued experience at the NMP, so the three did the talking and helped the attendees with their work.

A more detailed report can be found in Spanish at http://wiki.debian.org/DebianColombia/MiniDebconf2006/Informe

(Article contributed by Alejandro Ríos Peña)

Come 2 Linux in Essen, Germany

published on Wed Sep 6 19:58:09 2006 in event-announce

The Debian project will participate in this year's Linuxtage in Essen, Germany, nowadays called Come 2 Linux http://www.come2linux.org/psp/, which will take place next weekend at the University of Essen. The event aims at all people from the Ruhr area who are interested in Free Software and GNU/Linux. It features several project booths and talks in which an overview about Free Software is delivered.

Debian associated Developer Server Alioth hacked

published on Wed Sep 6 15:48:54 2006

The Debian Development Server Alioth, a machine running gforge and free for all users doing software development, got hacked and has therefore been taken down by its admins. It was discovered that some script kiddies were running an IRC proxy. Raphael Hertzog, one of Alioth's admins, reported in a mail sent to all Debian Developers that, after thorough investigation, they discovered that an exploited pmwiki security hole was used to deface some web pages and to install some malicious PHP pages, which in turn were used to set up the IRC proxy. For that reason two pmwiki instances have been put offline and the corresponding project administrators have been notified.

Hertzog wrote: This security alert is over, however we have way too many projects running some custom-installed web applications. We're going to review everything that is installed and come up with suggestions to use the packaged (and thus security-supported) version of the web applications when possible. We'll probably ask some projects to stop using some web apps and/or to switch to another supported one.

Hertzog therefore asks all project administrators to check what they have installed and remove whatever they are not using any more.

Debian Weekly News 2006/36

published on Wed Sep 6 05:26:48 2006 in weekly-news

Welcome to this year's 36th issue of DWN, the weekly newsletter for the Debian community. Alexander Sack called for people to test upcoming security updates to the Mozilla packages for sarge. Ben Hutchings has managed to upload the final files for DebConf session videos. Three documentary videos filmed by Biella Coleman will follow later.

Etch Release Advertisement

Gustavo Franco suggested asking for donations specifically for a release advertisement. Joey Schulze raised some questions to get a clearer picture. The goal is to publish advertisements in large newspapers and magazines to get a press coverage like the past Firefox campaign.

New Tcl/Tk Team

Chris Waters announced the foundation of the Tcl/Tk team to co-maintain Tcl/Tk and some of its add-ons. To accomplish this he has created a project on Alioth and set up a mailing list for discussing Debian's Tcl/Tk infrastructure and policy.

Automatic Building of Packages

Matej Cepl suggested deleting all developer-supplied binary packages and having a build daemon recompile the source packages, so that potential build errors caused by a broken environment are avoided. Sven Luther explained that this feature has been disabled because packages had been uploaded that hadn't even been compiled on the developer's machine.

Swiss Bug Squashing Party

Martin Krafft announced a one-day bug squashing party in Zürich, Switzerland on Saturday, September 9th, sponsored by /ch/open, Google, and the Artificial Intelligence Laboratory of the University of Zürich. The second bug squashing party will take place on October 6th to 8th at the same location.

Permission for Quotes

Sebastian Wangnick wondered if citing small portions of text or code is allowed without asking for permission and regardless of a potential license. He presumed that quoting as an illustration or explanation is allowed by German copyright, but that using foreign code as a mandatory element in the software would not be OK. Michael Poole added that including a section of code containing creative expression for functional purposes rather than teaching, commentary, or similar purposes is not fair practice.

Package Archive Improvements

Anthony Towns explained that future improvements of the archive software will permit packages to be installed directly into the archive. This removes the accepted queue and allows more than one daily archive reorganisation and mirror push. However, this will also remove the chance to delete a package from the queue before it gets installed, which was necessary four times during past years.

Bug Squashing Marathon

Martin Zobel-Helas sent a reminder about the bug squashing party in Vienna, Austria from September 8th to 10th and explained the process. The RC bug squashing howto by Steve Langasek gives a good introduction and is probably a must-read for beginners. He also added a lot of tasks everybody could do to help Debian move forward with the release of etch.

New CD Writing Tools

Jörg Jaspert called for testers of the new cdrkit package and the new wodim program. They will be shipped with etch and replace the old cdrtools collection. This fork is the result of several nearly endless discussions about incompatible licenses used upstream, which not only Debian suffered from. Other vendors are invited to participate in this effort as well.

Removed Packages

1 package has been removed from the Debian archive during the past week:

Debian implements cdrkit

published on Tue Sep 5 09:29:40 2006

Debian started to implement a new tool for burning CD/DVDs, named cdrkit, http://debburn.alioth.debian.org/, which is a fork of the previously used cdrtools. It has been uploaded to unstable. The previously used package cdrtools has already been removed from unstable, and etch will not contain cdrtools anymore. This step has not been taken lightly, as the development and maintenance effort required is high.

The reason for this change is that cdrtools has been relicensed recently in a way that prevents further shipment within Debian. The upstream author has been unhelpful in this regard, and is not considering Debian's concerns.

For our fork we used the last GPL-licensed version of the program code and killed the incompatibly licensed build system. It is now replaced by a cmake system, and the whole source we distribute should be free of other incompatibilities, to the best of our current knowledge.

Anyone who wants to help with this fork, particularly developers of other distributions, is welcome to join the efforts. You can contact the development team on IRC, server irc.oftc.net, channel #debburn, or via mail at debburn-devel@lists.alioth.debian.org. The svn repository is http://svn.debian.org/wsvn/debburn.

More information can be found on:

Debian GNU/Linux 3.1 Sarge updated

published on Fri Sep 1 08:29:50 2006

The Debian project has updated the stable distribution Debian GNU/Linux 3.1 (codename `sarge'). This update mainly adds security updates to the stable release, along with a few corrections to serious problems. Those who frequently update from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update.

Please note that this update does not constitute a new version of Debian GNU/Linux 3.1 but only updates some of the packages included. There is no need to throw away 3.1 CDs. Instead you only need to update against ftp.debian.org or a mirror after an installation, in order to incorporate those changes. New CD and DVD images are being built right now and will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the `apt' package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at: http://www.debian.org/distrib/ftplist

Debian-Installer Update

In order to make updated Linux kernel packages available in the Debian installer, the installer had to be updated as well. To accomplish this the following packages also required an update: base-config, base-installer, debian-installer and preseed. The complete list of all accepted and rejected packages together with rationale is on the preparation page for this revision: http://release.debian.org/stable/3.1/3.1r3/.

Miscellaneous Bugfixes

This stable update adds a few important corrections to the following packages.
   evms                   Fixes system lockup on boot
   evolution-webcal       Getting architectures back in sync
   glibc                  Fixes build failures
   grub                   Preparations for etch kernels
   kazehakase             Corrects segmentation faults
   octaviz                Corrects library path
   perl                   Corrects problems with UTF-8/taint fix and Tk
   python-pgsql           Corrects regression due to PostgreSQL update
   vlan                   Corrects interface settings
   wzdftpd                Corrects wrong dependencies
   

Security Updates

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates.
   DSA  725    ppxp                  Local root exploit
   DSA  986    gnutls11              Arbitrary code execution
   DSA 1017    Linux Kernel 2.6.8    Several vulnerabilities
   DSA 1018    Linux Kernel 2.4.27   Several vulnerabilities
   DSA 1027    mailman               Denial of service
   DSA 1032    zope-cmfplone         Unprivileged data manipulation
   DSA 1035    fcheck                Insecure temporary file creation
   DSA 1036    bsdgames              Local privilege escalation
   DSA 1037    zgv                   Arbitrary code execution
   DSA 1038    xzgv                  Arbitrary code execution
   DSA 1039    blender               Several vulnerabilities
   DSA 1040    gdm                   Local root exploit
   DSA 1041    abc2ps                Arbitrary code execution
   DSA 1042    cyrus-sasl2           Denial of service
   DSA 1043    abcmidi               Arbitrary code execution
   DSA 1044    mozilla-firefox       Several vulnerabilities
   DSA 1045    openvpn               Arbitrary code execution
   DSA 1046    mozilla               Several vulnerabilities
   DSA 1047    resmgr                Unauthorised access
   DSA 1048    asterisk              Arbitrary code execution
   DSA 1049    ethereal              Several vulnerabilities
   DSA 1050    clamav                Arbitrary code execution
   DSA 1051    mozilla-thunderbird   Several vulnerabilities
   DSA 1052    cgiirc                Arbitrary code execution
   DSA 1053    mozilla               Arbitrary code execution
   DSA 1054    tiff                  Arbitrary code execution
   DSA 1055    mozilla-firefox       Arbitrary code execution
   DSA 1056    webcalendar           Information leak
   DSA 1057    phpldapadmin          Cross-site scripting
   DSA 1058    awstats               Arbitrary command execution
   DSA 1059    quagga                Several vulnerabilities
   DSA 1060    kernel-patch-vserver  Privilege escalation
   DSA 1061    popfile               Denial of service
   DSA 1062    kphone                Insecure file creation
   DSA 1063    phpgroupware          Cross-site scripting
   DSA 1064    cscope                Arbitrary code execution
   DSA 1065    hostapd               Denial of service
   DSA 1066    phpbb2                Cross-site scripting
   DSA 1068    fbi                   Denial of service
   DSA 1072    nagios                Arbitrary code execution
   DSA 1073    mysql-dfsg-4.1        Several vulnerabilities
   DSA 1074    mpg123                Arbitrary code execution
   DSA 1075    awstats               Arbitrary command execution
   DSA 1076    lynx                  Denial of service
   DSA 1078    tiff                  Denial of service
   DSA 1079    mysql-dfsg            Several vulnerabilities
   DSA 1080    dovecot               Directory traversal
   DSA 1081    libextractor          Arbitrary code execution
   DSA 1083    motor                 Arbitrary code execution
   DSA 1084    typespeed             Arbitrary code execution
   DSA 1085    lynx-cur              Several vulnerabilities
   DSA 1086    xmcd                  Denial of service
   DSA 1087    postgresql            Encoding vulnerabilities
   DSA 1088    centericq             Arbitrary code execution
   DSA 1090    spamassassin          Arbitrary command execution
   DSA 1091    tiff                  Arbitrary code execution
   DSA 1092    mysql-dfsg-4.1        SQL injection
   DSA 1093    xine                  Arbitrary code execution
   DSA 1094    gforge                Cross-site scripting
   DSA 1095    freetype              Several vulnerabilities
   DSA 1096    webcalendar           Arbitrary code execution
   DSA 1097    Linux Kernel 2.4.27   Several vulnerabilities
   DSA 1098    horde3                Cross-site scripting
   DSA 1099    horde2                Cross-site scripting
   DSA 1100    wv2                   Integer overflow
   DSA 1101    courier               Denial of service
   DSA 1102    pinball               Privilege escalation
   DSA 1103    Linux Kernel 2.6.8    Several vulnerabilities
   DSA 1104    openoffice.org        Several vulnerabilities
   DSA 1105    xine-lib              Denial of service
   DSA 1106    ppp                   Privilege escalation
   DSA 1107    gnupg                 Denial of service
   DSA 1108    mutt                  Arbitrary code execution
   DSA 1109    rssh                  Privilege escalation
   DSA 1110    samba                 Denial of service
   DSA 1111    Linux Kernel 2.6.8    Privilege escalation
   DSA 1112    mysql-dfsg-4.1        Several vulnerabilities
   DSA 1113    zope2.7               Information disclosure
   DSA 1114    hashcash              Arbitrary code execution
   DSA 1115    gnupg2                Denial of service
   DSA 1116    gimp                  Arbitrary code execution
   DSA 1117    libgd2                Denial of service
   DSA 1118    mozilla               Several vulnerabilities
   DSA 1119    hiki                  Denial of service
   DSA 1120    mozilla-firefox       Several vulnerabilities
   DSA 1121    postgrey              Denial of service
   DSA 1122    libnet-server-perl    Denial of service
   DSA 1123    libdumb               Arbitrary code execution
   DSA 1124    fbi                   Potential deletion of user data
   DSA 1125    drupal                Cross-site scripting
   DSA 1126    asterisk              Denial of service
   DSA 1127    ethereal              Several vulnerabilities
   DSA 1128    heartbeat             Local denial of service
   DSA 1129    osiris                Arbitrary code execution
   DSA 1130    sitebar               Cross-site scripting
   DSA 1131    apache                Arbitrary code execution
   DSA 1132    apache2               Arbitrary code execution
   DSA 1133    mantis                Cross-site scripting
   DSA 1134    mozilla-thunderbird   Several vulnerabilities
   DSA 1135    libtunepimp           Arbitrary code execution
   DSA 1136    gpdf                  Denial of service
   DSA 1137    tiff                  Several vulnerabilities
   DSA 1138    cfs                   Denial of service
   DSA 1139    ruby1.6               Privilege escalation
   DSA 1140    gnupg                 Denial of service
   DSA 1141    gnupg2                Denial of service
   DSA 1142    freeciv               Arbitrary code execution
   DSA 1143    dhcp                  Denial of service
   DSA 1144    chmlib                Denial of service
   DSA 1145    freeradius            Several vulnerabilities
   DSA 1146    krb5                  Privilege escalation
   DSA 1147    drupal                Cross-site scripting
   DSA 1148    gallery               Several vulnerabilities
   DSA 1149    ncompress             Potential code execution
   DSA 1150    shadow                Privilege escalation
   DSA 1151    heartbeat             Denial of service
   DSA 1153    clamav                Arbitrary code execution
   DSA 1154    squirrelmail          Information disclosure
   DSA 1155    sendmail              Denial of service
   DSA 1159    mozilla-thunderbird   Several vulnerabilities