Debian Weekly News
Debian Weekly News – August 29th, 2000
Welcome to Debian Weekly News, a newsletter for the Debian
community. This has been a relatively quiet week, with only 400
messages posted to debian-devel.
The “testing” distribution, as discussed last week, may not
become a reality as soon as was hoped. The holdup is Debian’s
mirror network. Anthony Towns has found a problem that will make
testing, as it is implemented now, consume about 50 MB of bandwidth
a day on each Debian mirror. The long term solution to this type of
problem is a package pool system. Of course, we’ve been talking
about package pools for years now. To make testing happen soon, we
need to come up with a good short-term solution, and so far, no one
has done so.
The Debian bug tracking system’s web site is partially down.
All of the static pages on the site are out of date and are not
being updated, due to some issues with the programs that update
them. The plan is to convert the remaining static pages into
dynamically generated pages. Toward that end, dynamically generated
lists of bugs by package maintainer are already available.
Dynamically generated pages, and the underlying email-based bug
tracking system, continue to work fine — in fact, the bug tracking
system recorded bug #70000 this week.
This week’s longest thread concerned the Helix Gnome Debian
packages. While the original issue was quickly resolved, several
other problems in Helix’s packages were discussed, particularly
version number issues. The Helix Gnome packages currently use
“helix” in their debian revision number, which makes them always
appear to be newer than updated packages from Debian itself. Thus,
while apt makes it easy to install Helix Gnome, getting rid of it
is somewhat harder. It’s rumored that future enhancements to apt
will solve the version number problem. But the underlying problem
seems to be one of communication. Debian derivatives need to be
careful to communicate with Debian, and do things the Debian way,
to avoid having these kinds of problems blow up in their faces.
Security fixes this week include an updated version of
netscape that fixes several security holes including the “Brown
Orfice” hole, a fix for a remote root exploit in ntop, a fun URL
vulnerability in xchat, and a remote file access problem in
Meanwhile, SecurityPortal posted an article that is quite
critical of Debian’s security. “The odd thing is that Debian seems
to have gotten the niggly little details right, but there are major
issues they haven’t addressed.” Valid points include the lack of
signed .deb’s, with a few more examples of how this is indeed a
really bad thing, and the lack of a prompt for a lilo password.
There are many criticisms in the article though, that are more
dubious. They’ve already corrected their worst mistakes — see the
sidebar. Also, see the slashdot coverage which includes a
response from developer Ben Collins.
Debian foils computer theft. Read all about it in this
hilarious story in The Register.
Debian finally includes gopher, after all these years. Here are
some of the new packages added to Debian this week:
* gopher: Distributed Hypertext Client, Gopher protocol
* gopherd: Gopher server
* v4l-conf: tool to configure video4linux drivers
see shy jo