Date: Tue, 13 Feb 2001 12:37:41 -0800
From: Joey Hess <joeyh@debian.org>
To: debian-news@lists.debian.org
Subject: Debian Weekly News – February 13th, 2001
Debian Weekly News
http://www.debian.org/News/weekly/2001/5/
Debian Weekly News - February 13th, 2001
Welcome to Debian Weekly News, a newsletter for the Debian
community.
The DPL campaign is heating up. [1]Anand Kumria, [2]Bdale
Garbee, and [3]Branden Robinson each joined Ben Collins in
announcing that they will run for DPL. The timeline for the
elections was [4]pushed back since things got off to a late start.
The nomination period ends today, and then campaigning will begin
in earnest.
A major change has been made to the new maintainer process.
Prospective developers must now get a recommendation from a current
Debian developer before they can go through the new maintainer
process. It is hoped that this will cut down on the number of
applicants who are not serious about becoming developers, and speed
up the process for everyone else. In a [5]mail explaining the new
requirement, Martin Michlmayr predicts that “for anyone seriously
interested in Debian, getting recommended won’t be a problem at all
— if he has a package in Debian already, his sponsor can recommend
him; if he has done work on a Debian port, the web pages or
boot-floppies then he will know Debian developers to recommend
him.”
Some problems with testing have come to light over the past
couple of weeks. A broken version of lilo slipped into testing by
accident, and we had another round of the same lilo problems
unstable users have endured. Then a new version of console-tools
entered testing, but it turned out it had an [6]undeclared
dependency on unstable’s version of debconf. Many other packages
that are broken for one reason or another have been [7]removed from
testing until they are fixed. These problems just show that
maintenance of testing cannot be entirely automated; it needs some
manual attention just like other branches of Debian. Testing is
meant to be somewhere in between stable and unstable in
up-to-dateness and usability, and it is meeting that goal, though
it has required a bit more maintenance effort than we might have
expected. But a more worrying problem with testing has also
emerged.
Security fixes [8]trickle into testing just as slowly as do any
other updated packages from unstable. While stable has
security.debian.org to provide timely security fixes, and unstable
gets most fixes immediately, security fixes will not enter testing
until they have been built on all architectures, and until all
their dependencies have also entered testing. Unrelated release
critical bugs can keep security fixes out of testing too. So while
testing is reasonably current, and not too prone to breakage,
security fixes can be delayed for an uncomfortably long time. One
fix for this problem would be to add a testing section to
security.debian.org, but there has not been any enthusiasm voiced
in the thread so far about this option, probably because it would
involve a lot more work.
Unstable news. ifconfig was broken yesterday, to the point where
machines were unable to get up on the net. A fix will probably be
in the archive by the time you read this, and in the meantime
there is a [9]workaround. A [10]regex memory leak in libc was
accidentally introduced yesterday; symptoms include apt [11]eating
up all memory. And a [12]large perl reorganization is in the works:
new perl packages in Incoming incorporate many package name changes
and other changes that will require a recompile of all perl module
packages.
Four security updates have come out recently. [13]Openssh has a
remote buffer overflow bug which can lead to remote root access.
The non-free ssh is also vulnerable to the ssh holes, and as a
fixed package is not available, upgrading to openssh is
recommended. An [14]omnibus security update for the version of
xfree86 in stable was released. It corrects denial of service
attacks, numerous buffer overflows, and numerous temporary file
problems. [15]man-db has a format string bug that allows local
attackers to run code as user ‘man’. Several denial of service
attacks against [16]proftpd were also fixed.
Experimental and proposed-updates, two longstanding warts on the side of
the Debian archive, have moved into the package pool. The new setup
should be much cleaner. James Troup explained [17]the details.
References
1. http://lists.debian.org/debian-vote-0102/msg00000.html
2. http://lists.debian.org/debian-vote-0102/msg00001.html
3. http://lists.debian.org/debian-vote-0102/msg00002.html
4. http://lists.debian.org/debian-vote-0102/msg00004.html
5. http://lists.debian.org/debian-devel-announce-0102/msg00004.html
6. http://bugs.debian.org/84741
7. http://lists.debian.org/debian-devel-0102/msg00530.html
8. http://lists.debian.org/debian-devel-0102/msg00629.html
9. http://lists.debian.org/debian-devel-announce-0102/msg00011.html
10. http://bugs.debian.org/85788
11. http://bugs.debian.org/85820
12. http://www.debian.org/News/weekly/2001/5/mail#1
13. http://www.debian.org/security/2001/dsa-027
14. http://lists.debian.org/debian-security-announce-01/msg00023.html
15. http://www.debian.org/security/2001/dsa-028
16. http://lists.debian.org/debian-security-announce-01/msg00022.html
17. http://lists.debian.org/debian-devel-announce-0102/msg00009.html
—
see shy jo