Debian Weekly News - April 11th, 2000Apr 12, 2000, 22:59 (0 Talkback[s])
(Other stories by Joey Hess)
Date: Wed, 12 Apr 2000 15:47:36 -0700
Debian Weekly News
Debian Weekly News - April 11th, 2000
Welcome to Debian Weekly News, a newsletter for the Debian developer community.
For a long time everyone has been aware of a basic security problem in Debian: packages can be changed on Debian mirrors and users have no way to verify that the package they download is the same package a developer uploaded. Two ideas have come up again and again as ways to make this more secure. The first idea is to allow for signatures inside the .deb files themselves, which lets one verify that a given developer built a package. The second is to allow for signed Packages.gz files, which lets one verify that the package went through the normal upload process. Neither of these signatures will provide perfect security. There are many holes left; for example, a developer's computer may be cracked and if they do not manage their keys wisely, their key may be compromised. In the past, in typical Debian fashion, we have held off doing anything since there was no known perfect solution.
This issue has resurfaced this week, and there is a growing inclination to implement both types of signatures, though both are imperfect, to allow the security bar to at least be raised a bit higher. After some long discussions on the mailing lists and on irc, more and more people are reaching consensus on this. Now, who will implement it?
5 new mailing lists have been created, for purposes ranging from porting to the PA-RISC and S/390 to Dutch internationalisation.
Direct access to the Incoming directory is now available at http://incoming.debian.org/. The old Incoming mirror network is being shut down.
The IBM Global Services "Linux Support Line" in conjunction with Alcôve will now offer phone support for Debian in several countries. Interestingly, their press release claims that Debian is the current market leader (27%).
New packages in Debian this week include the following, and