Debian Weekly News - May 30th, 2000May 31, 2000, 23:51 (1 Talkback[s])
(Other stories by Joey Hess)
Date: Wed, 31 May 2000 16:28:34 -0700
Debian Weekly News
Welcome to Debian Weekly News, a newsletter for the Debian developer community.
"The second test cycle starts now", writes Richard Braakman. No more package uploads will be accepted except those essential to the boot floppies and CD image creation. Richard earlier removed a bunch of packages with release critical bugs. Of the 80 or so RC bugs that remain, Richard says "I hope that we can simply ignore most of them. At this point I don't mind releasing potato with a handful of broken packages, if they are not overly popular ones. The test period will show which of the bugs are truly critical."
The last announced security fix in Debian was in March. We have fixed lots of security holes since then, so why haven't they been announced? There are several reasons, according to Wichert Akkerman. Debian's security team needs to find a few more people they can trust to add to the team. Also, a lot of the recent security holes have affected packages that are not in stable, and the security team does not issue advisories about problems that only exist in frozen and unstable. However, it also looks like significant numbers of security holes have slipped through the cracks, and their fixes have not been backported to stable. One hopes that the security team can improve this track record. If you fix a security hole in a package, please be sure to let the security team know, so they can follow up on it.
With that said, security fixes in frozen this week include a remote shell exploit in qpopper, an archiver security problem in mailman, a SSL certificate security problem in netscape, and two denial of services fixes in X.
And speaking of X, Branden Robinson explained why he has no plans to make .debs for X 4.0.0. He cited instability problems, lack of support for the sparc architecture, and lots of fixes upstream. "Over two hundred distinct patches have been applied to the upstream CVS tree to date." Branden hopes to instead package X 4.0.1 when it is released in mid-June.
Another Debian-based distribution has appeared. TimeSys is a distribution targeted at hard real time applications. Read more in this Upside article. Judging by this page, the actual distribution seems to be a fairly standard Debian plus some additional "TimeSys Linux/RT modules".