Date: Wed, 31 May 2000 16:28:34 -0700
From: Joey Hess <joeyh@debian.org>
To: debian-news@lists.debian.org
Subject: Debian Weekly News – May 30th, 2000
Debian Weekly News
http://www.debian.org/News/weekly/current/issue/
Debian Weekly News – May 30th, 2000
Welcome to Debian Weekly News, a newsletter for the Debian
developer community.
“The second test cycle starts now”, [8]writes Richard Braakman.
No more package uploads will be accepted except those essential to
the boot floppies and CD image creation. Richard earlier removed a
[9]bunch of packages with release critical bugs. Of the 80 or so RC
bugs that remain, Richard says “I hope that we can simply ignore
most of them. At this point I don’t mind releasing potato with a
handful of broken packages, if they are not overly popular ones.
The test period will show which of the bugs are truly
critical.”
The last announced security fix in Debian was in March. We have
fixed lots of security holes since then, so why haven’t they been
announced? There are [10]several reasons, according to Wichert
Akkerman. Debian’s security team needs to find a few more people
they can trust to add to the team. Also, a lot of the recent
security holes have affected packages that are not in stable, and
the security team does not issue advisories about problems that
only exist in frozen and unstable. However, it also looks like
significant numbers of security holes have [11]slipped through the
cracks, and their fixes have not been backported to stable. One
hopes that the security team can improve this track record. If you
fix a security hole in a package, please be sure to let the
security team know, so they can follow up on it.
With that said, security fixes in frozen this week include a
remote shell exploit in [12]qpopper, an archiver security problem
in [13]mailman, an SSL certificate security problem in [14]netscape,
and two denial-of-service fixes in [15]X.
And speaking of X, Branden Robinson [16]explained why he has no
plans to make .debs for X 4.0.0. He cited instability problems,
lack of support for the sparc architecture, and lots of fixes
upstream. “Over two hundred distinct patches have been applied to
the upstream CVS tree to date.” Branden hopes to instead package X
4.0.1 when it is released in mid-June.
Another Debian-based distribution has appeared. [17]TimeSys is a
distribution targeted at hard real time applications. Read more in
[18]this Upside article. Judging by [19]this page, the actual
distribution seems to be a fairly standard Debian plus some
additional “TimeSys Linux/RT modules”.
References
8. http://www.debian.org/News/weekly/current/issue/mail#2
9. http://www.debian.org/Lists-Archives/debian-devel-announce-0005/msg00012.html
10. http://www.debian.org/Lists-Archives/debian-devel-0005/msg01889.html
11. http://www.debian.org/Lists-Archives/debian-devel-0005/msg01856.html
12. http://bugs.debian.org/64649
13. http://bugs.debian.org/64841
14. http://bugs.debian.org/64650
15. http://www.debian.org/News/weekly/current/issue/mail#1
16. http://www.debian.org/Lists-Archives/debian-devel-0005/msg01828.html
17. http://timesys.com/products/linux.html
18. http://www.upside.com/texis/mvm/story?id=3922f93b0
19. http://www.timesys.com/products/linuxoptions.html
—
see shy jo