---

Debian Weekly News – April 11th, 2000

Date: Wed, 12 Apr 2000 15:47:36 -0700
From: Joey Hess [email protected]
To: [email protected]
Subject: Debian Weekly News – April 11th, 2000


Debian Weekly News
http://www.debian.org/News/weekly/current/issue/

Debian Weekly News – April 11th, 2000


Welcome to Debian Weekly News, a newsletter for the Debian
developer community.

For a [8]long time everyone has been aware of a basic security
problem in Debian: packages can be changed on Debian mirrors and
users have no way to verify that the package they download is the
same package a developer uploaded. Two ideas have come up again and
again as ways to make this more secure. The first idea is to allow
for signatures inside the .deb files themselves, which lets one
verify that a given developer built a package. The second is to
allow for signed Packages.gz files, which lets one verify that the
package went through the normal upload process. Neither of these
signatures will provide perfect security. There are many holes
left; for example, a developer’s computer may be cracked and if
they do not manage their keys wisely, their key may be compromised.
In the past, in typical Debian fashion, we have held off doing
anything since there was no known perfect solution.

This issue has [9]resurfaced this week, and there is a growing
inclination to implement both types of signatures, though both are
imperfect, to allow the security bar to at least be raised a bit
higher. After some [10]long discussions on the [11]mailing lists
and on [12]irc, more and more people are reaching consensus on
this. Now, who will implement it?

5 new mailing lists have been [13]created, for purposes ranging
from porting to the PA-RISC and S/390 to Dutch
internationalisation.

Direct access to the Incoming directory is now available at
[14]http://incoming.debian.org/. The
old Incoming mirror network is being [15]shut down.

The IBM Global Services “Linux Support Line” in conjunction with
Alcôve will now offer phone support for Debian in several
countries. Interestingly, their [16]press release claims that
Debian is the current market leader (27%).

New packages in Debian this week include the following, and
[17]24 more:
* [18]abook: A text-based ncurses address book application.
* [19]bass: Bulk Auditing Security Scanner [non-free]
* [20]debwrap: Wrapper for dpkg/apt-get
* [21]doxygen: Documentation system for C, C++ and IDL.
* [22]dvipdfm: A DVI to PDF translator.
* [23]fujiplay: Interface for Fuji digital cameras
* [24]gob: GTK+ Object Builder


References
8. http://www.debian.org/News/weekly/1999/24/#signdebs

9.
http://www.debian.org/Lists-Archives/debian-devel-0003/msg01283.html

10.
http://www.debian.org/Lists-Archives/debian-devel-0004/msg00013.html

11.
http://www.debian.org/Lists-Archives/debian-devel-0004/msg00188.html

12.
http://www.debian.org/Lists-Archives/debian-devel-0004/msg00245.html

13.
http://www.debian.org/Lists-Archives/debian-devel-0003/msg01812.html

14. http://incoming.debian.org/
15.
http://www.debian.org/Lists-Archives/debian-project-0004/msg00000.html

16. http://linuxpr.com/releases/1596.html

17. http://master.debian.org/~tausq/newpkgs-20000410.html

18. http://www.debian.org/Packages/unstable/mail/abook.html

19. http://www.debian.org/Packages/unstable/admin/bass.html

20. http://www.debian.org/Packages/unstable/admin/debwrap.html

21. http://www.debian.org/Packages/unstable/devel/doxygen.html

22. http://www.debian.org/Packages/unstable/tex/dvipdfm.html

23. http://www.debian.org/Packages/unstable/graphics/fujiplay.html

24. http://www.debian.org/Packages/unstable/devel/gob.html


see shy jo