31999
Comment: link to some useful security references instead of the websites
|
32412
add new maintainer welcome to the template too
|
Deletions are marked like this. | Additions are marked like this. |
Line 19: | Line 19: |
Subject: Debian derivatives census: $distro: welcome $newmaintainer! | |
Line 27: | Line 28: |
Hi $maintainer, all, $newmaintainer has taken over maintenance of the $distro page in the Debian derivatives census. Thanks and welcome to the census! $newmaint, would you like to take this opportunity to introduce yourself and your role within $distro to us all? https://wiki.debian.org/Derivatives/Census/$distro?action=diff.... |
Like the rest of Debian, the derivatives census needs some QA. This page aims to document common issues and provide templates to be sent when these issues are detected. More specific issues may be found by searching the list archives for mails with "Debian derivatives census" in the subject.
Contents
Issues
Welcome
Words prefixed with a dollar sign are variables, please replace them. Words in square brackets may not apply, please check and remove them. Some items have alternate paragraphs, please choose the appropriate one. Please remove any paragraphs that do not apply.
To: $maintainer Cc: debian-derivatives <debian-derivatives@lists.debian.org> Subject: Debian derivatives census: $distro: welcome! Subject: Debian derivatives census: $distro: welcome $newmaintainer! Hi $maintainer, I would like to welcome yourself and $distro to the Debian derivatives census! Would you like to take this opportunity to introduce yourself and $distro to us all? https://wiki.debian.org/Derivatives/Census/$distro Hi $maintainer, all, $newmaintainer has taken over maintenance of the $distro page in the Debian derivatives census. Thanks and welcome to the census! $newmaint, would you like to take this opportunity to introduce yourself and your role within $distro to us all? https://wiki.debian.org/Derivatives/Census/$distro?action=diff.... It would be great if you could join our mailing list and IRC channel: https://wiki.debian.org/DerivativesFrontDesk I would encourage you to look at Debian's guidelines for derivatives: https://wiki.debian.org/Derivatives/Guidelines You may want to look at our census QA page, some of the mails from there may apply to $distro. https://wiki.debian.org/Derivatives/CensusQA [You don't appear to be subscribed to the $distro census page,] I've made a few changes to the $distro census page: https://wiki.debian.org/Derivatives/Census/$distro?action=info I note that $distro is based on Ubuntu. Are you planning on a transition to being based on Debian? Are you sure you meant to join the Debian derivatives census? The page says that $distro modifies Debian binary packages. It is quite rare that distributions modify Debian binary packages instead of modifying source packages and rebuilding them. Does $distro actually do this? If so could you describe what kind of modifications you are making? If not I guess the page needs to be fixed. Some of the Release files in the apt repository for $distro are missing the Valid-Until header, which allows clients to find out when active network attackers are holding back newer Release files. At minimum, rolling releases and suites containing security updates should have this header. With reprepro you can use the ValidFor config option. https://wiki.debian.org/DebianRepository/Format#Date.2C_Valid-Until The apt repository for $distro does not contain source packages [for the $section section], including for packages licensed under the GNU GPL. This may or may not be a copyright violation depending on whether or not you distribute those elsewhere. In any case, please add source packages to your repository so that Debian can automatically create patches to be presented to Debian package maintainers. https://wiki.debian.org/Derivatives/CensusQA#No_source_packages https://wiki.debian.org/Derivatives/Integration#Patches Would it be possible for you to add the $distro sources.list to the wiki page? This will eventually help feed back patches and new packages to Debian developers. The page is missing a dpkg vendor field. It is important that Debian derivatives set this properly on installed systems and mention the value of the field in the derivatives census. https://wiki.debian.org/Derivatives/Guidelines#Vendor I've added the $distro blog to Planet Debian derivatives which helps the Debian community find out the things that are happening in the world of Debian derivatives. http://planet.debian.org/deriv/ There doesn't appear to be a $distro blog or a blog aggregator for $distro developers. If these existed they would be syndicated on Planet Debian derivatives and would help the Debian community find out the things that are happening in $distro. http://planet.debian.org/deriv/ Since $distro is based in $location you might be interested in joining the Debian $location group. https://wiki.debian.org/LocalGroups#$location Next/This year the annual Debian conference is in $location. [This appears to be relatively close to the $distro location,] it would be great if developers from $distro could attend DebConf. If this isn't possible, next year DebConf will be in $location2. https://debconf$dcyear.debconf.org/ I would encourage $sponsor (the $distro corporate sponsor) to contribute financially to ensure the continued survival of Debian and the success of the annual Debian conference. https://www.debian.org/donations https://debconf.org/sponsors/ https://debconf17.debconf.org/sponsors/become-a-sponsor/ I would encourage any attendees to volunteer to ensure the continued the success of the annual Debian conference, here are some examples of things that need helpers. https://wiki.debconf.org/wiki/DebConf13/VolunteerCoordination I note that $distro is based on Debian stable. The Debian release team recently released a timeline for the freeze for the next Debian stable release. I would encourage you to review it and prepare your plans for rebasing on the next Debian release ($release). https://release.debian.org/#updates I note that $distro is [partly] based on Debian [testing/unstable]. A great way to help ensure that the next Debian release working well is to install and run the how-can-i-help tool and try to work on any issues that come up. https://www.lucas-nussbaum.net/blog/?p=837 https://packages.debian.org/unstable/how-can-i-help https://wiki.debian.org/how-can-i-help I note that $distro also has $oldreleases in the apt repository. The Debian LTS (Long Term Support) team has taken over security maintenance for $oldstable. I would encourage $distro to help out with this effort either financially or with developer time. I would encourage you to drop $deadrelease support too. https://wiki.debian.org/LTS/ https://lists.debian.org/debian-lts-announce/2016/04/msg00000.html I note that $distro uses Debian backports, you might also like to contribute your backporting efforts to Debian. https://backports.debian.org/Contribute/ I note there is another $area related Debian derivative called $otherderivative, have you considered collaborating or merging with them? I note that $distro uses $projects, I would encourage you to provide feedback and fixes to the $teams. $teamurls You might want to consider adding DNSSEC to your domains, TLSA records and SSL to some of your domains. SSL on the repository will help $distro users to obscure package names and version numbers from global active adversaries. You might also want to add HSTS headers. http://dnsviz.net/d/$distrowebsite/ https://wiki.mozilla.org/Security/Guidelines/Web_Security Please feel free to circulate this mail within the $distro team.
General ping
To: debian-derivatives@lists.debian.org Subject: Debian derivatives census: ping Hi all, If you are receiving this email you either added your derivative distribution to the census or volunteered to maintain its census page. The first thing I would like to bring up is contact information. It is preferred that you add the "Debian derivatives census maintainer:" line and set it to the name, email address and OFTC IRC nick of a human being rather than an email list or role alias. If the maintainer is an IRC user it is recommended that they join the #debian-derivatives channel on OFTC so Debian folks can easily ask them questions. You as maintainer will hopefully be prepared to answer any questions that result from my article. In addition you should subscribe to your census page and the CensusTemplate, either via Moin's email notification feature or via the RecentChanges RSS feed so that you are notified of any changes to your distributions census page or any changes that are recommended for it. Many of the pages are incomplete. Each page should have the following at minimum unless there is a good reason to remove them. It is strongly recommended to fill out as much of the CensusTemplate as exists. * an introductory blurb about the goals of your Debian derivative * a logo so your distro is easily recognisable on the page * a website so people can read more info if they want * a email contactable human maintainer so Debian folks can ask you questions about your distribution. * apt repositories (both deb and deb-src) so Debian folks can take a look at your work. Preferably with architecture information. As you may or may not be aware we have drafted some guidelines for Debian derivatives on our wiki. If you have any comments or suggestions about the guidelines we suggest that you bring them up on the debian-derivatives mailing list. https://wiki.debian.org/Derivatives/Guidelines
Activity ping
This mail is to be sent periodically to distros that are inactive or marked as active but with a date from ages ago.
To: debian-derivatives@lists.debian.org Subject: Debian derivatives census: activity ping Hi all, If you are receiving this mail that means you are participating in the Debian derivatives census and that your entry has an issue. https://wiki.debian.org/Derivatives/Census According to your census entry, your distribution is inactive or was last active quite a while ago. If your distribution is now active, please mark it as active and add today as the date your distribution was last active. You may also want to use this opportunity to share your thoughts with us; perhaps your plans for the coming year, plans for integrating your work into Debian or issues you may have come across in collaborating with Debian. It would be great if you could bring your census page into sync with the template and fill in as many of the fields as you have data for. https://wiki.debian.org/Derivatives/CensusTemplate Please direct any questions you have to the derivatives list or IRC channel. We strongly encourage you to join both of these. https://lists.debian.org/debian-derivatives ircs://irc.oftc.net/debian-derivatives
No source packages
To: debian-derivatives@lists.debian.org Subject: Debian derivatives census: potentially violating the GPL or LGPL due to lack of source code Hi all, If you are receiving this mail that means you are participating in the Debian derivatives census and that your entry has an issue. https://wiki.debian.org/Derivatives/Census Please ensure that: 1. You are not violating the GNU GPL or LGPL licences. This may be the case since you do not appear to be shipping the source code for GNU GPL or LGPL software but are definitely shipping binaries for such software. 2. You are shipping Debian source packages alongside your Debian binary packages. 3. Your Debian census entry has working deb-src lines in your apt sources.list snippet for each deb line. In addition please make sure there is a contact point listed in the maintainer field of your census page. While you are editing your page, please fill in as much of the fields as you have data for and sync your page with the census template. https://wiki.debian.org/Derivatives/CensusTemplate Please direct any questions you have to the derivatives list or IRC channel. We strongly encourage you to join both of these. https://lists.debian.org/debian-derivatives ircs://irc.oftc.net/debian-derivatives
General sources.list issues
To: debian-derivatives@lists.debian.org Subject: Debian derivatives census: apt sources.list snippet Hi all, If you are receiving this mail that means you are participating in the Debian derivatives census and that your entry has an issue. https://wiki.debian.org/Derivatives/Census Please ensure that: 1. Your entry contains a sources.list like the one shown in the census template. 2. Your entry's sources.list contains deb-src lines for each deb line. 3. Your entry's sources.list works when running apt-get update. 4. Your APT repositories have SHA-1 hashes for every source and binary package so we can compare with old Debian packages. 5. If you are using SHA-1 hashes in your APT repositories, please ensure that there is such a hash for every single file, especially for all the source package files. 6. SHA-256 hashes are not and will not be used by the census, but Debian strongly encourages the use of hashes stronger than SHA-1. https://wiki.debian.org/Derivatives/CensusTemplate In addition please make sure there is a contact point listed in the maintainer field of your census page. While you are editing your page, please fill in as much of the fields as you have data for and sync your page with the census template. Please direct any questions you have to the derivatives list or IRC channel. We strongly encourage you to join both of these. https://lists.debian.org/debian-derivatives ircs://irc.oftc.net/debian-derivatives
Errors from apt-get update
To: debian-derivatives@lists.debian.org Subject: Debian derivatives census: errors from apt sources.list Hi all, If you are receiving this mail that means you are participating in the Debian derivatives census and that your entry has an issue. https://wiki.debian.org/Derivatives/Census Please ensure that your entry's sources.list does not generate any errors when someone runs apt-get/aptitude update on it. You can test it locally using these commands and watching for any errors or warnings. If you get any GPG warnings, that is fine since our scripts explicitly ignore any such warnings since it is a very long-term project to establish trust paths between Debian and our derivatives. mkdir test cd test mkdir partial edit sources.list # Paste your sources.list here aptitude update -q=0 -y \ -o "Dir::Etc::SourceList=`pwd`/sources.list" \ -o "Dir::Etc::SourceParts=`pwd`" \ -o "Dir::State::Lists=`pwd`" \ -o "Debug::NoLocking=1" -o "Debug::pkgDPkgPM=1" You can find an example of a correct sources.list file in the census template wiki page. https://wiki.debian.org/Derivatives/CensusTemplate While you are editing your page, please fill in as much of the fields as you have data for and sync your page with the census template. Please direct any questions you have to the derivatives list or IRC channel. We strongly encourage you to join both of these. https://lists.debian.org/debian-derivatives ircs://irc.oftc.net/debian-derivatives
Modifying binary packages?
To: debian-derivatives@lists.debian.org Subject: Debian derivatives census: modifying binary packages? Hi all, If you are receiving this mail that means you are participating in the Debian derivatives census and that your entry has an issue. https://wiki.debian.org/Derivatives/Census Your census page indicates that your distribution takes binary packages from Debian and modifies them instead of just modifying the Debian source package and rebuilding it to produce new binary packages. I wonder if that is actually the case or if you actually practice that strange way of doing things? In addition please make sure there is a contact point listed in the maintainer field of your census page. While you are editing your page, please fill in as much of the fields as you have data for and sync your page with the census template. https://wiki.debian.org/Derivatives/CensusTemplate Please direct any questions you have to the derivatives list or IRC channel. We strongly encourage you to join both of these. https://lists.debian.org/debian-derivatives ircs://irc.oftc.net/debian-derivatives
Blogs
To: debian-derivatives@lists.debian.org Subject: Debian derivatives census: blogs Hi all, If you are receiving this mail that means you are participating in the Debian derivatives census and that your entry has an issue. https://wiki.debian.org/Derivatives/Census Please ensure that: 1. If your derivative has a blog or news page, it is listed in your census entry. 2. If your derivative's developers have blogs, you have a feed aggregator for them or have listed the blogs separately in your census entry. 3. All of the blog URLs you add have RSS/Atom feeds that are discoverable using the RSS/Atom autodiscovery mechanisms. Almost every wiki, blog and CMS out there supports feeds and feed autodiscovery mechanisms so you might already have this, please double check though. 4. Your blogs have some content and that you intend to add more. 5. If possible, please list the English versions of your blogs. 6. Your logo image is available over plain HTTP and is not too big. http://www.rssboard.org/rss-autodiscovery If your derivative doesn't have a blog you might consider starting one to help promote your derivative, announce new releases and inform users about any important changes made during development. Any blogs that have discoverable RSS feeds will be added to the new Planet Debian derivatives. http://planet.debian.org/deriv/ In addition please make sure there is a contact point listed in the maintainer field of your census page. While you are editing your page, please fill in as much of the fields as you have data for and sync your page with the census template. https://wiki.debian.org/Derivatives/CensusTemplate Please direct any questions you have to the derivatives list or IRC channel. We strongly encourage you to join both of these. https://lists.debian.org/debian-derivatives ircs://irc.oftc.net/debian-derivatives
Description issues
To: debian-derivatives@lists.debian.org Subject: Debian derivatives census: description issues Hi all, If you are receiving this mail that means you are participating in the Debian derivatives census and that your entry has an issue. https://wiki.debian.org/Derivatives/Census Please ensure that: 1. Your entry has a description of your Debian derivative 2. Your derivative's description is accurate and useful to members and users of Debian members. Don't use your standard marketing language, describe the value that you add to Debian. In addition please make sure there is a contact point listed in the maintainer field of your census page. While you are editing your page, please fill in as much of the fields as you have data for and sync your page with the census template. https://wiki.debian.org/Derivatives/CensusTemplate Please direct any questions you have to the derivatives list or IRC channel. We strongly encourage you to join both of these. https://lists.debian.org/debian-derivatives ircs://irc.oftc.net/debian-derivatives
Logo issues
To: debian-derivatives@lists.debian.org Subject: Debian derivatives census: logo broken or missing Hi all, If you are receiving this mail that means you are participating in the Debian derivatives census and that your entry has an issue. https://wiki.debian.org/Derivatives/Census Please ensure that: 1. Your entry has a logo 2. The logo URL is downloadable 3. The logo URL returns an image, not HTML or anything else In addition please make sure there is a contact point listed in the maintainer field of your census page. While you are editing your page, please fill in as much of the fields as you have data for and sync your page with the census template. https://wiki.debian.org/Derivatives/CensusTemplate Please direct any questions you have to the derivatives list or IRC channel. We strongly encourage you to join both of these. https://lists.debian.org/debian-derivatives ircs://irc.oftc.net/debian-derivatives
dpkg vendor issues
To: debian-derivatives@lists.debian.org Subject: Debian derivatives census: dpkg vendor issues Hi all, If you are receiving this mail that means you are participating in the Debian derivatives census and that your entry has an issue. https://wiki.debian.org/Derivatives/Census Please ensure that: 1. Your entry has a dpkg vendor field 2. The dpkg vendor field is the output of dpkg-vendor --query Vendor 3. The dpkg vendor field is not empty and not Debian The dpkg vendor field is derived from the default dpkg origins file. The default dpkg origins file should be a symlink to your origins file. You can either patch base-files to add these files or add them separately. /etc/dpkg/origins/default -> example /etc/dpkg/origins/example Vendor: Example Vendor-URL: http://www.example.org/ Bugs: debbugs://bugs.example.org Parent: Debian When you are patching base-files, please leave the dpkg origins file for Debian in place. Your dpkg origins file should contain "Parent: Debian", not have Parent be missing, empty or have some other value. The default origin in your distribution should be a symlink to your origins file, change VENDORFILE in base-files debian/rules to ensure that. Please ensure that these commands work and produce the right results: if ! dpkg-vendor --derives-from Debian ; then echo error error ; fi dpkg-vendor --vendor Debian --query Vendor In addition please make sure there is a contact point listed in the maintainer field of your census page. While you are editing your page, please fill in as much of the fields as you have data for and sync your page with the census template. https://wiki.debian.org/Derivatives/CensusTemplate Please direct any questions you have to the derivatives list or IRC channel. We strongly encourage you to join both of these. https://lists.debian.org/debian-derivatives ircs://irc.oftc.net/debian-derivatives
oldstable is now EOL
Subject: Debian derivatives census: Debian $v ($cname) [long-term] security support terminated Hi all, I note that some Debian derivatives are based on Debian $v ($cname). The Debian [security][LTS] team has recently warned about and then announced the termination of support for Debian $v ($cname). https://www.debian.org/News/2016/20160212 https://lists.debian.org/msgid-search/56D57E60.6010607@debian.org This means that you will need to provide your own security support for your users or transition your distribution (and users) to a newer version of Debian such as $v2 ($cname2) [or $v3 ($cname3)], which still receive[s] [security updates][normal security support until $date and then LTS support until $date]. If you have already switched to $cname2 [or $cname3] and stopped supporting $cname-based releases, please update your census page to reflect that. Those of you who are or will be providing security updates for old Debian-based distributions might want to consider pooling your financial and engineering resources in order to provide longer term support for superseded Debian releases. Should your distribution or your distribution's sponsors be willing to help, please take a look at the documentation for Debian's long-term security support efforts. https://wiki.debian.org/LTS Please direct any questions you have to the derivatives list or IRC channel. We strongly encourage you to join both of these. https://lists.debian.org/debian-derivatives ircs://irc.oftc.net/debian-derivatives
testing is now frozen
Subject: Debian derivatives census: Debian $v ($cname) frozen Hi all, I note that some Debian derivatives are based on Debian stable. The Debian release team have recently declared that testing is frozen in preparation for the upcoming release of Debian $v ($cname). https://lists.debian.org/debian-devel-announce/2012/06/msg00009.html This means that if you have not already started, you will need to start the migration of your stable release to be based on Debian $v ($cname) instead the current base of Debian $oldcname. Once you have switched to $cname, please update your census page to reflect that if needed. Those of you who are willing to help finalise the release of $cname are encouraged to commit developer time to fixing the release critical bugs, organise bug squashing parties and to test upgrades from Debian stable in order to find more issues that might need to be fixed. At this time the release team are accepting non-RC fixes where appropriate, based on their policy for freeze exceptions. https://bugs.debian.org/release-critical/other/testing.html https://udd.debian.org/bugs.cgi https://wiki.debian.org/BSP https://release.debian.org/testing/freeze_policy.html Please direct any questions you have to the derivatives list or IRC channel. We strongly encourage you to join both of these. https://lists.debian.org/debian-derivatives ircs://irc.oftc.net/debian-derivatives
new stable is released
Subject: Debian derivatives census: Debian $v ($cname) released! Hi all, I note that some Debian derivatives are based on Debian stable. The Debian release team have recently released Debian $v ($cname). https://lists.debian.org/debian-devel-announce/2013/05/msg00003.html This means that if you have not already started, you will need to start the migration of your stable release to be based on Debian $v ($cname) instead the current base of Debian $oldcname. Once you have switched to $cname, please update your census page to reflect that if needed. Debian releases receive security updates for one year after the release of the next version so you have some time to migrate your users before you will need to provide your own security support. If you have already migrated your distribution to the new version, now is a great time to start work on integrating your changes back into Debian. If your team does not include any Debian developers, please take a look at the mentors and bug reporting web pages. https://mentors.debian.net/intro-maintainers https://www.debian.org/Bugs/Reporting Please direct any questions you have to the derivatives list or IRC channel. We strongly encourage you to join both of these. https://lists.debian.org/debian-derivatives ircs://irc.oftc.net/debian-derivatives
Opportunities
Invitation to
To: someone@example.org CC: debian-derivatives@lists.debian.org Subject: ExampleDerivative: invitation to join the Debian derivatives census Hi, I note that you are producing a software distribution based on Debian. https://www.example.org/ https://www.debian.org/ I would like to invite you to add your distribution to the Debian derivatives census, which attempts to gather detailed information about Debian derivatives that is useful to Debian, for integration of that information into Debian infrastructure and for the development of relationships between Debian and our derivatives. In addition we will be doing some QA on the data that you enter into the census. https://wiki.debian.org/Derivatives/Census https://wiki.debian.org/Derivatives/Integration https://wiki.debian.org/Derivatives/CensusQA Please direct any questions you have to the derivatives list or IRC channel. We strongly encourage you to join both of these. https://lists.debian.org/debian-derivatives ircs://irc.oftc.net/debian-derivatives
Bug links on the wiki
To: debian-derivatives@lists.debian.org Subject: Debian derivatives census: bug links on the Debian wiki Hi all, If you are receiving this mail that means you are participating in the Debian derivatives census and that there is an opportunity for greater integration with Debian infrastructure. https://wiki.debian.org/Derivatives/Census https://wiki.debian.org/Derivatives/Integration The Debian wiki has some JavaScript that checks the status of Debian bugs and changes the CSS to indicate if the bug was closed or not and give the bug a mouse-over title indicating bug title, fixed versions and so on. We would like to extend this support to the bug trackers of Debian derivatives where possible. Your Debian derivatives census entry seems to contain a bug tracker link for your derivative. If you are using the Debian wiki, linking from it to your bug tracker and your bug tracker has some sort of machine-readable API, you might want us to work on adding support for it to the Debian wiki. If you don't want that, please ignore this email and sorry for the noise. If you do want that and have a machine-readable API for your bug tracker, please reply to this email and we will attempt to add support for it. If you don't have a machine-readable API then we are also happy to add support for short interwiki links to your bug pages, check out if so and then edit and you may also want to get your InterWiki shortcuts into the MoinMoin master list. https://wiki.debian.org/InterWiki https://wiki.debian.org/InterWikiMap https://master.moinmo.in/InterWikiMap While you are editing the wiki, please fill in as much of the fields as you have data for and sync your page with the census template. https://wiki.debian.org/Derivatives/CensusTemplate Please direct any questions you have to the derivatives list or IRC channel. We strongly encourage you to join both of these. https://lists.debian.org/debian-derivatives ircs://irc.oftc.net/debian-derivatives
The annual Debian conference
To: debian-derivatives@lists.debian.org Subject: Debian derivatives census: the annual Debian conference Hi all, If you are receiving this mail that means you are participating in the Debian derivatives census and that there is an opportunity for greater participation within the Debian project. https://wiki.debian.org/Derivatives/Census This year the annual Debian conference (DebConf) is to be held in <country> from <start> to <end> and as usual is to be preceded by a week of collaborative development work (DebCamp) from <start> to <end>. https://debconfN.debconf.org/ DebConf is only possible with the help of our generous sponsors, so if your business or your corporate or government sponsors are able to contribute funds, we encourage them to review the sponsorship information for this year and contact the DebConf sponsors team. https://debconfN.debconf.org/become-sponsor.xhtml We also encourage you to send one or more developers to <country> to participate in DebConf and or DebCamp. If you plan to send your developers, there is also the possibility of supporting the conference financially by paying the "corporate" rate. Of course sponsorship and donations by non-profit organisations and individuals are also most welcome. Attendees have the opportunity to interact with Debian participants, find out about the latest developments in Debian and work on Debian-related projects. We also encourage your developers to participate in any derivatives-related events that might be organised during DebConf. Please direct any questions you have to the derivatives list or IRC channel. We strongly encourage you to join both of these. https://lists.debian.org/debian-derivatives ircs://irc.oftc.net/debian-derivatives