[:DebianWiki/EditorGuide#translation:Translation(s)]: none

(!) [:/Discussion:Discussion]

Welcome to this year's 3rd issue of DPN, the newsletter for the Debian community. (Place her an "opener"; several tiny news with one sentence each; the headlines of the following news written as full sentences, or similar.)

Bits from the Debian Project Leader

Steve ?McIntyre sent a new release of his [http://lists.debian.org/debian-devel-announce/2008/05/msg00006.html "Bits from the DPL"] reporting his recent activities as elected Project Leader. He starts by pointing to several interviews he gave recently http://www.itwire.com/content/view/17716/1090/ http://www.computerworlduk.com/community/blogs/index.cfm?RSS&entryid=741 http://news.zdnet.co.uk/software/0,1000000121,39406494,00.htm http://www.regdeveloper.co.uk/2008/04/21/debian_developers_approved/ http://www.tllts.org/audio/tllts_244-05-07-08.ogg

and continues by informing about personal changes in core teams. Jonathan ?McDowell has been added as keyring maintainer, and is already working together with James Troup on easier integration of keyring maintenance and our ldap system for better cooperation with the Debian System Administrators. He thanks Anthony Towns, who stepped down from the teams he was in.

Last but not least he talks about the upcoming [http://debconf8.debconf.org/ Debian Conference] in Mar del Plata, Argentina. The organizational efforts are going on pretty well, with announcements about papers, talk selection and travel sponsorship soon to be sent out. But as always, the organizers are also still looking for more companies and individuals to sponsor the conference - please contact sponsors@debconf.org if you can help.

OpenSSL weakness in Debian affecting many other packages

Luciano Bello [http://lists.debian.org/debian-security-announce/2008/msg00152.html discovered] that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package ([http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166 CVE-2008-0166]). As a result, cryptographic key material may be guessable. Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected, though. However, other systems can be indirectly affected if weak keys are imported into them.

Shortly after Luciano's discovery [http://lists.debian.org/debian-security-announce/2008/msg00152.html fixed packages] were created and - due to the seriousness of the problem - a new OpenSSH package, automatically regenerating possibly compromised keys and featuring a blacklist for possibly affected user keys [http://lists.debian.org/debian-security-announce/2008/msg00153.html was released]. At the same time a [http://security.debian.org/project/extra/dowkd/dowkd.pl.gz detector] software ([http://security.debian.org/project/extra/dowkd/dowkd.pl.gz.asc GPG signature]) has been written and constantly improved since then and detailed test and upgrade procedures for different software packages [http://www.debian.org/security/key-rollover/ have been collected].

We are sorry for any inconvenience caused by that and would like to thank everyone who helped getting this issue solved so fast and without any major side effects.

Discussion on how to prevent such accidents in the future has already been started on [http://lists.debian.org/debian-devel/2008/05/msg00536.html various] [http://lists.debian.org/debian-devel/2008/05/msg00427.html lists].

Perl 5.10 Transition

Marc Brockschmidt [announced http://lists.debian.org/debian-devel-announce/2008/05/msg00007.html] the completion of the recently ongoing transition to Perl 5.10 as default version for the upcoming stable release.

He noted that for this transition over 400 packages got updated in testing, including updates for heimdal, clamav and sendmail/libmilter. The next scheduled, smaller updates are planed for xulrunner, ocaml, ffmpeg, poppler and nautilus.

Backports.org unknown?

During his triage of older bugs reported against OpenOffice.org, [http://liorkaplan.wordpress.com/2008/05/25/why-arent-our-users-familiar-with-backportsorg/ Lior Kaplan] noticed, that many users are not aware of [http://www.backports.org backports.org], an unofficial service providing updated packages for users of the stable version of Debian.

In the following discussion several proposals for better integration of that service into Debian were made. Gerfried Fuchs [http://liorkaplan.wordpress.com/2008/05/25/why-arent-our-users-familiar-with-backportsorg/#comment-362 summarized] the current state.

Huge Packages in Debian

After members of the [http://lists.debian.org/debian-devel-games/2008/05/msg00165.html Debian Games Team] (and other maintainers of generic large data packages) wondered about size limitations of the Debian archive (and its infrastructure) regarding packages. Jörg Jaspert joined as ftp-master the discussion and [http://lists.debian.org/debian-devel/2008/05/msg00970.html summarized] the possibilities to solve the issues. He's favouring to create a new archive for large packages (containing architecture independent data) and if possible a change of the Debian Policy allowing packages depending on such data only available in the new archive to stay in main.

State of SANE

Since SANE (scanner access now easy, a framework for accessing scanners) is working on improving its interface, Julien Blache gave an [http://blog.technologeek.org/2008/05/07/106 overview] on his plans for the SANE packages for the upcoming release "Lenny". Sane will need so stay on the current interface, but Julien plans to backport some important improvements from the development branch and asks for some feedback.

Hints for new Free Software Projects

Francois Marier [gave hints http://feeding.cloud.geek.nz/2008/05/choosing-right-license-for-your-new.html] on how to choose a license for free software projects. He concludes that using a license incompatible with mainstream licenses like the GNU General Public License is as bad as writing an own license.

Neil Williams [added http://www.linux.codehelp.co.uk/serendipity/index.php?/archives/117-Non-code-code-development-upstream-for-estron.html] some more general hints.

Other News

Sven Joachim [http://lists.debian.org/debian-i18n/2008/05/msg00248.html wondered] about the state of translation packages for [http://packages.debian.org/enigmail enigmail], a GnuPG tool for the mail client [http://packages.debian.org/icedove Icedove]. Alexander Sack [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=473168#35 replied], that he will add them to the main package.

Jörg Jaspert [proposed http://lists.debian.org/debian-devel-announce/2008/05/msg00001.html] to standardize headers added to e-mails by various tools used by Debian.

Enrico Zini [gave http://www.enricozini.org/2008/tips/d-i-conditional-partitioning.html] a small howto on "Conditional partitioning in debian installer" for unattended installations preserving some partitions. He already [wrote a small howto http://www.enricozini.org/2008/tips/simple-cdd-usb.html] on creating bootable USB keys with simple-cdd.

Since the database used by [http://packages.debian.org packages.debian.org] covers only supported and upcoming releases, Frank Lichtenheld created [http://archive.debian.net archive.debian.net] which is capable of searching through archived releases, too. Sadly it has some [http://blog.djpig.de/2008/05/13#archive-debian-net caveats].

Martin Kraft [http://lists.debian.org/debian-devel/2008/05/msg00422.html started collecting] noteworthy additions, changes and other improvements in the upcoming stable Debian Release 'Lenny' in the [http://wiki.debian.org/NewInLenny wiki]. Please help and contribute to that page.

Debian Project will be at Linux Tag 2008

From Wednesday the 28th of May 2008 to Saturday the 31st of May 2008, Berlin, Germany, Debian Project will participate with a booth at Linux Tag 2008. Please see our [http://www.debian.org/events/2008/0528-linuxtag events page] for further details.

Work-needing packages

Currently 433 packages are orphaned and 104 packages are up for adoption. Please take a look at the [http://lists.debian.org/debian-devel/2008/05/msg00402.html recent] [http://lists.debian.org/debian-devel/2008/05/msg00913.html reports] if there are packages you are interested in.

Mention who has contributed here Luca Bruno, Meike Reichle and Alexander Schmehl contributed to this issue of the Debian Project News.

Want to continue reading DPN? Please help us create this newsletter. We still need more volunteer writers who watch the Debian community and report about what is going on. Please see the [:ProjectNews/HowToContribute:contributing page] to find out how to help. We're looking forward to receiving your mail at debian-publicity@lists.debian.org.