Slashdot Mirror

Regarding format, though, I still believe DEB's win for flexibility, accessibility, and a simple, straight-forward design. Baroque is hardly the word to describe the "./debian" maintainer scripts directory. What does one find in "./debian"? control, changelog, copyright, README.Debian, rules (the build Makefile), and optionally the prerm, postrm, preinst, postinst scripts. Whatever else a maintainer puts in that directory that is useful for the build process is entirely subjective to the helper tools they might use (like debhelper).

DEB's are simply two tarballs archived together, data.tar.gz, which contains the package files themselves, and control.tar.gz, which contains the maintainer scripts. If you did not have dpkg installed on your system, but wished to extract the files and information from a DEB, you would simply use the tools ar and tar. To do the same with an RPM is to open up a hex editor to find the end of the RPM header, then use dd to cut it off and output the remaining tarball. (RPM format) How many people know or want to know how to do that?

The other flexiblity that DEB's have that RPM's don't (didn't?) is that maintainer scripts can be written in any language the maintainer wishes, as long as the interpretor is installed at the time the script runs. If you're maintaining a Perl package, it's reasonable to assume that Perl can be installed as a (pre-)dependency and used to run the maintainer scripts.

Debconf, for example, is one of those optional helper tools the maintainer is encouraged to use when questions must be asked of the user/administrator at installation time. Gone are the days when DEB's could not be installed unattended. Using Debconf allows the maintainer to provide those questions, and allows the user to view them using one of multiple interfaces, or to ignore them completely. Additionally, po-debconf makes it trivial to add multilingual support for those questions.

There is plenty of documentation, utilities, and helper tools to create a Debian package, and on-line resources such as IRC, email lists, and forums. An interesting thread to read dates back from 1996, titled "Why the .deb format?". Also, take a gander at this FAQ.

Really, comparing RPM's to DEB's is like comparing apples to oranges. RPM maintainers may baulk at the "debian/" directory and maintainer scripts, but I personally baulk at having to learn yet another spec file format for RPM's and being restricted to using librpm or a hex editor to access the data contained within the package.

Regarding format, though, I still believe DEB's win for flexibility, accessibility, and a simple, straight-forward design. Baroque is hardly the word to describe the "./debian" maintainer scripts directory. What does one find in "./debian"? control, changelog, copyright, README.Debian, rules (the build Makefile), and optionally the prerm, postrm, preinst, postinst scripts. Whatever else a maintainer puts in that directory that is useful for the build process is entirely subjective to the helper tools they might use (like debhelper).

DEB's are simply two tarballs archived together, data.tar.gz, which contains the package files themselves, and control.tar.gz, which contains the maintainer scripts. If you did not have dpkg installed on your system, but wished to extract the files and information from a DEB, you would simply use the tools ar and tar. To do the same with an RPM is to open up a hex editor to find the end of the RPM header, then use dd to cut it off and output the remaining tarball. (RPM format) How many people know or want to know how to do that?

The other flexiblity that DEB's have that RPM's don't (didn't?) is that maintainer scripts can be written in any language the maintainer wishes, as long as the interpretor is installed at the time the script runs. If you're maintaining a Perl package, it's reasonable to assume that Perl can be installed as a (pre-)dependency and used to run the maintainer scripts.

Debconf, for example, is one of those optional helper tools the maintainer is encouraged to use when questions must be asked of the user/administrator at installation time. Gone are the days when DEB's could not be installed unattended. Using Debconf allows the maintainer to provide those questions, and allows the user to view them using one of multiple interfaces, or to ignore them completely. Additionally, po-debconf makes it trivial to add multilingual support for those questions.

There is plenty of documentation, utilities, and helper tools to create a Debian package, and on-line resources such as IRC, email lists, and forums. An interesting thread to read dates back from 1996, titled "Why the .deb format?". Also, take a gander at this FAQ.

Really, comparing RPM's to DEB's is like comparing apples to oranges. RPM maintainers may baulk at the "debian/" directory and maintainer scripts, but I personally baulk at having to learn yet another spec file format for RPM's and being restricted to using librpm or a hex editor to access the data contained within the package.

You are correct, I had mistaken Branden for Joey. Two names I see fly by very frequently.

I recalled an email to debian-devel about the security issue, where it was stated that only one member was left active.
Only did I recall the name incorrectly, my apologies for the confusion I may have caused.

Branden is not a member of the Debian Security Team. (and his name is spelt with an 'e' not an 'o').

The current members are listed on the Debian Organizational chart - albeit some are less active than others.

My mail server broke. I run postfix and need TLS to communicate with my upstream ISP. (My own IP is scorched earth it seems.) I didn't notice the bustage until a user complained. The bug appears to be 307780.

Of those many developers only 5 of them where in the Security team. And of those 5 only one (Brandon) has remained active.

Due to the nature of security issues, the team had tough requirements for new members, which kept fresh blood to enter the team.

Now that this problem got the attention it unfortunatly needed, new members have stepped to the plate to strengthen the security team.

You can read more about the handling of this situation in Brandon's Project Leader Report

In related news, Debian's security team announced late last night that their sendmail package is no longer vulnerable to the Robert T. Morris Worm.

Professor Morris had this to say: "You're kidding, right?"

A Debian user, who wished to remain anonymous, was glad to hear that Debian was taking a pro-active approach to package updates. "I've been using Debian for a year now, and I've got to say that it beats my old Windows 3.1 box hands down. It's good to hear that they're taking a pro-active approach to security and package updates."

Although we attempted to contact the Debian team for comment, their response was not available in time for the publishing of this article. A reply is expected sometime before March 2008.

Related Articles:
About the Morris Worm:
http://en.wikipedia.org/wiki/Morris_worm

Problems plague Debian updates:
http://lists.debian.org/debian-user/2000/07/msg030 06.html

History of Windows:
http://www.computerhope.com/history/windows.htm

Real History of Windows:
http://www.imdb.com/title/tt0168122/

(Beware TPB)

I found Branden's Debian Project Leader Report to be more informative. Although, at least zdnet had the courtesy to link to it in their so-called article.

I think that the Debian folks may have an issue with this statement.

Replacement for Microsoft Windows

Oh, OK, you got me dead to rights! I'm pulling the whole thing out of my ass! That's why:

http://www.debianplanet.org/node.php?id=831 this unbiased review points out many of the same issues I had, and why:

http://eol.init1.nl/content/view/47/2/
this guy seemed to have an issue with it, and why: http://corelands.com/blog/?postid=4
this guy sees a problem, and why:

http://www.miketaylor.org.uk/tech/wxinmfpl/debian. html
This guy hits it on the head with why the whole apt system is screwed, and why:

http://www.debian.org/vote/2004/platforms/branden
this page of politics points to strife and
http://ianmurdock.com/?p=153
YOUR OWN FOUNDER EVEN SAYS THERE'S PROBLEMS COMPARED TO UBUNTU.

I especially like how you keep harping on reporting bugs through the proper channels. What, like you think I haven't tried? Then on that last link, Ian Murdock's weblog, I see: "One major difference between Debian and Ubuntu is that Debian users' imput is mostly ignored, whereas Ubuntu users are heard and respected." -quote, typos and all! So, tell me, "stevey", is that you deleting our input so that the PUBLIC NEVER SEES IT?

I'm hoping to God that this lying weasel I've been arguing with is somebody currently high up in the Debian chain of command. Because, to read Ian Murdock's weblog, this man [Ian] sounds like he originally founded a fantastic, kick-ass distro, which he then trusted to a pack of idiots who fouled it up, and he regrets it.

Until today, I thought somebody just must have been scarfing shrooms - how could a Linux Distro *possibly* be *this* *stinking* *bad*?!?!? But thank you, "stevey" for at last providing me with an explanation that approaches sense: Debian is deliberately being sabotaged from within. And it wouldn't surprise me a bit to find out that that sabotuer(s?) was paid by a commercial software company which views itself to be in competition. This isn't the only possible explanation, but by God it makes the most sense. And I was ready to let it go, before I met you. But I love a good mystery! So, yeah, I think I WILL dig deeper until I get to the bottom of this...lol...pile, whenever I get the free time.

People who really want to know every detail of what's going on when you stick Debian Sarge disk #1 in your machine and boot it can view all the complaints this guy claims I'm covering up, along with my aborted effort to write some kind of install guide for the home user (heck, I *did* get it installed, after all!), can find my report HERE:
http://aimlesslifehobbies.blogspot.com/

I get those too, but I don't think that many of them originate from the Debian folks. For example, I did a quick search of their bugs database to get a list of severe security issues. The first link I clicked starts with a URL pointing to a description of the problem posted at gentoo.org. That's not to say that the Debian security team doesn't audit software - I don't know that they do, but they very well might - but they certainly pull in external reports, too.

Side note: I'm not an expert at using the Debian bugtracker, so my search was almost certainly suboptimal. I just went with the first try that gave a few results.

I get those too, but I don't think that many of them originate from the Debian folks. For example, I did a quick search of their bugs database to get a list of severe security issues. The first link I clicked starts with a URL pointing to a description of the problem posted at gentoo.org. That's not to say that the Debian security team doesn't audit software - I don't know that they do, but they very well might - but they certainly pull in external reports, too.

Side note: I'm not an expert at using the Debian bugtracker, so my search was almost certainly suboptimal. I just went with the first try that gave a few results.

What would be the point of posting all 999,999 snivels on Slashdot?

After all with a recent release of Fedora, etc, chances are the same package versions and kernel were installed.

Nope, not correct at all. Fedora has something closer to modern programs written in this century. More so for Slackware, Mandrake, Knoppix, and Mepis, which is what I have currently running on all five hard drives of the three computers I currently run in the home. Other systems release with man pages for their package managers that say something besides "This man page isn't even written yet!" Other systems don't have 5% of their files as softlinks to other files, so you get a ton of dead-ends and tail-chases every time you try to find something! Happy now? It's better when I meticulously list every single gripe, isn't it? To the purpose of giving people who want to argue more things to argue about.

As for the other comments, it's funny how much I hear, "Well of COURSE you hated it, it's not for desktop use! It's a server system for admins only!" and "Well, duh, installing is a nightmare using the disks only on a machine that's not on the internet! You're only supposed to do it online, where apt can update live" or however it goes. You know where the right place would be to tell me all this? HERE:

http://www.debian.org/intro/about

In big capital letters at the top of the page. Quote: "DO NOT WASTE YOUR TIME DOWNLOADING AND BURNING 14 CDS TO INSTALL ON YOUR HOME COMPUTER, NO MATTER HOW MUCH OUR FANS CONVINCE YOU DOING SO IS THE ONLY POSSIBLE PASSAGE TO VALHALLA. THIS DISTRO IS JUST FOR GEORGE, SAM, AND ALICE. IT'S DELIBERATELY AIMED TO BE A FANTASTIC WASTE OF EVERYBODY ELSE'S TIME, AND TO MAKE A BAD NAME FOR LINUX ON THE HOME DESKTOP". Better than the song and dance I find on this page, now.

Pardon me for sounding so sarcastic. But, surely, through all the layers of smart-assery, I must make some token amount of sense? That was one of my chief gripes with Debian: It tells me it's going to kiss me, then kicks my ass over my shoulders, then says, "Of course I was going to kick you, you dumb ass, don't you know anything?" I get that from even the most incidentally-associated anything with Debian, just with Debian, and with nothing and nowhere else. Somehow, I have the feeling that the zillion other distros that include server installs and admin utilities would have *something* to offer, without this behavior?

All of which backs up my initial statement: "I am not surprised that Debian is having problems with security."

This time, BELIEVE ME when I say I could say a hell of a lot worse about Debian than I could already, here. I haven't scratched the surface of the iceburg, yet. I'm not holding back out of hiding something. I'm holding back out of a desire to not do any more harm to the distro than I have to, not to hurt any more feelings than I have to, and most especially because I hate shooting a dead horse.

Parent post is a flamebait and I wonder what moderators are smoking today.
Debian is much more than a distribution. And there is unfortunately nothing better than Debian (as in the distro) to move on to. There is a reason why many distributions are build on Debian.
Please point me to a distro that can manage version upgrades even half as gracefully as Debian.
There was a discussion about Ubuntu on Slashdot and it was argued that if Ubuntu continues to be diverge further from sid and stay incompatible it will eventually dissolve, because the team will never be able to support the huge package base.

I am a desktop Linux user that started out with Debian 2.1 Slink and I also have the feeling that Debian has had some major issues lately.

About the security issue:
Heise security published it first 10 days ago:
http://www.heise.de/newsticker/meldung/61076

As a result of this a discussion on the Debian security mailing list ensued:
http://lists.debian.org/debian-security/2005/06/ms g00142.html

Heise Online then reported on that as a result of that discussion:
http://www.heise.de/newsticker/meldung/61125

For those that can't read German the article says that of the five members that should make up the security team four are not active at the moment if they ever were. The only remain one is Martin Schulze aka Joey. He has been pretty busy with the organisation of the Linuxtag. So he was cut off from the action. Debian people are working on the problem.

Everyone that is not satiesfied with the current state of affairs should get their hand dirty helping instead of complaining. After all Debian forms the bases of "plenty of well-managed, technically sweet linux distributions out there".

Like Knoppis, Ubuntu or Xandros. Full list here:
http://www.debian.org/misc/children-distros

Parent post is a flamebait and I wonder what moderators are smoking today.
Debian is much more than a distribution. And there is unfortunately nothing better than Debian (as in the distro) to move on to. There is a reason why many distributions are build on Debian.
Please point me to a distro that can manage version upgrades even half as gracefully as Debian.
There was a discussion about Ubuntu on Slashdot and it was argued that if Ubuntu continues to be diverge further from sid and stay incompatible it will eventually dissolve, because the team will never be able to support the huge package base.

I am a desktop Linux user that started out with Debian 2.1 Slink and I also have the feeling that Debian has had some major issues lately.

About the security issue:
Heise security published it first 10 days ago:
http://www.heise.de/newsticker/meldung/61076

As a result of this a discussion on the Debian security mailing list ensued:
http://lists.debian.org/debian-security/2005/06/ms g00142.html

Heise Online then reported on that as a result of that discussion:
http://www.heise.de/newsticker/meldung/61125

For those that can't read German the article says that of the five members that should make up the security team four are not active at the moment if they ever were. The only remain one is Martin Schulze aka Joey. He has been pretty busy with the organisation of the Linuxtag. So he was cut off from the action. Debian people are working on the problem.

Everyone that is not satiesfied with the current state of affairs should get their hand dirty helping instead of complaining. After all Debian forms the bases of "plenty of well-managed, technically sweet linux distributions out there".

Like Knoppis, Ubuntu or Xandros. Full list here:
http://www.debian.org/misc/children-distros

No. They're on the web site of the distribution that you used.

Let's stick to debian instead of pretending that all distributiuons are the same (although, AFAIK, no distributions allows what you claim they all do).

So, with debian, you can boot into knoppix. There is no general tool to say "I'm booted into knoppix, please verify /mnt/foo which is a debian installation with wesite bar using gpg key XYZ".

So, what can you do ... you can have a trusted version of debsig-verify, and a trusted version of lftp on the knoppix CD ... you can download what is currently available from the debian repositories NOTE: this isn't necessarily the same as what you had installed, that isn't possible in the general case (again, just talking about debian). It's also not possible to only download just the packages you need ... but you have a trusted lftp, and so you can do an lftp mirror and get all packages (now wait X hours for that to happen).

Now you have all packages, you can setup/run debsig-verify and prove all those packages are correct. Then you have to extract the checksums from the packages, as I said earlier with debian checksums for files aren't part of policy, debsums -l shows "at" as an obvious candidate that doesn't have any debsums. So you'll need to manually unpackage all of the packages that you think you have installed, and then generate checksums for all the files (again, there is no tool to do this -- get your vim/perl out).

So, yes, you've now generated a complete checksum of all files that come directly from packages. And you can now write another tool that will check what is installed on /mnt/foo against that list. You will get a significant number of hits for config. files (both in /etc and those in other places like /var/spool/cron/crontabs), or files you have in /home/, or package generated files like /etc/fstab (not forgetting things like debconf files). The only option is to manually inspect all of these files.

Oh, and remember ... after writing all these custom tools, doing all this work and eventually falling back to inspecting 10s or 100s, or even 1000s of files by hand ... this is all if you are lucky, if you are unlucky you'll have something installed that isn't on the main repositary sites anymore (for instance, you had a security update of package foo that has had another update -- only the latest update will be available).

Or, you could just reinstall the OS and import the data from backups.

No, seriously, how is someone going to sneak something by you in fstab?

For someone asking if I understand what a checksum is you are now acting pretty stupid. fstab is obviously not the only package generated file. For fstab explicitly, I'm not sure you could do something bad that would be stealthy ... but you could certainly do unstealthy things like have loopback mounts with setuid helpers (possibly hiding under other loopback mounts, so nothing will see them until a non-privilaged app. does a umount on the first loopback).

The point is you have to manually audit all of these types of files to _prove_ that you are safe ... as against just reinstalling the OS and importing the data.

#1. Why would I not trust "the OS+libc+package-manager"? It's Knoppix. I booted the system clean.

#2. On Debian, I can check all the files on the whole disk (not just /usr) and it will tell me what files belong to what packages and which do not.

Here's the first step for you.
cd /usr
dpkg -S * > /root/usr.info.txt

You

How are the downstream distributions coping with the upstream problems?

The Debian site, http://www.debian.org/misc/children-distros , itself lists over 30 children distributions.

http://newraff.debian.org/~joeyh/stable-security.h tml is an incomplete list of issues currently affecting stable. It's not 100% correct; in addition to the provisos at the top of the page, it doesn't seem to know about recent updates such as this morning's Gaim update.

http://newraff.debian.org/~joeyh/stable-security.h tml is an incomplete list of issues currently affecting stable. It's not 100% correct; in addition to the provisos at the top of the page, it doesn't seem to know about recent updates such as this morning's Gaim update.

It's just a random thought, but have the Debian people ever contemplated whether their problems in this regard may stem from the fact that they have too many packages? The package list for the latest stable lists an incredible 16834 individual packages, and even though there are many programs which come in different flavours and thus contribute as more than one package, this still is a huge number.

I can certainly see why security management gets a problem here. Maybe the Debian project should cut down on these and see just how many packages are really needed.

Brahm (from TFA) says that "manifesto" was written as a parody, and it's up to you to decide if you want to believe that or not. The sad thing isn't that his words can be used against him, but the fact that his words can be used as the only evidence required to distinguish between a lawful technology invention, and an unlawful one.

Try ssmtp. I use it when running mutt on Win32 under Cygwin.

# .muttrc
set sendmail="/usr/sbin/ssmtp -audUserName@domain -apSecretPassword"

That was hard wasn't it

Actually, yes it was. It was hard because, just like not everyone uses Mac OS or Windows, not everyone uses Debian . (If it's any consolation to the bruise your ego just took, I don't use RPM-based distros.)

arielmt@cleopatra:~$ augur grimoire | grep -i aac
faac
arielmt@cleopatra:~$ augur what faac
Long description for faac:
faac is an implementation of MPEG-2 and NBC/MPEG-4.
faac is an implementation of a part of one or more MPEG-2 NBC/MPEG-4 Audio tools as specified by the MPEG-2 NBC/MPEG-4 Audio standard.
arielmt@cleopatra:~$

Do you see AAC in there? Aside from the terse name, I don't. I use Deb-based distros now, but not at the time. At the time, when I ripped my collection, AAC was more underreported than even Ogg. It was MP3, WMA, Real (which, as an aside, is the least real-sounding of all), or Ogg. AAC was basically nothing until iTunes and the iPod.

So you can see, I hope, how I could've missed your informative correction. Thank you for the correction.

And as for Dutch ISP's, XS4ALL is the ultimate geek ISP. Excellent services (bsd shell, static IP, *encourages* running servers, large experimental binary usenet server), very reliable. And they even sponsor Debian (*points at XS4ALL logo in lower left of Debian site*).

This is only because GNU/Linux incompatibilities have forced their users into a single source for nearly all their software.

There's a nugget of truth to that comment, but it misses both more significant points and differences between the GNU/Linux way and the Microsoft way.

It also misses the point that you can, largely, install binary software on different GNU/Linux systems, so long as core dependencies (usually your glibc version) are satisfied. E.g.: Macromedia Flash, Opera, Oracle, Realplayer, and the like, generally under /usr/local/ or /opt/. Though honestly I have very little proprietary software on my system.

The real reason to go within your distro's package management system for software installation is that it's easier, faster, works better, and minimizes future administration needs -- rather than managing a slew of software packages independently, you do a systemwide update. You've also got a tremendous selection of software -- 15k+ packages in the most recent Debian stable. There's rarely a compelling reason to go outside the archive, though you can and are assured the packaging system won't interfere with your locally installed selections.

The reasons this is possible are largely: sources are available for the software you're installing (most GNU/Linux software is FSF Free Software / OSI Open Source), the distro itself doesn't have a horse in the race (it's not competing with the software developers, unlike the relationship between Microsoft and its ISVs), and systemwide policies can be implemented and enforced with a very high degree of uniformity (particularly in the case of Debian-based distros). There's also three clearly independent parties involved, each with a major voice in the process: the software developer, the distro / software packager, and the users. You get the benefit of review of the application by a users (independent of both the developer and the distro/packager). Microsoft simply doesn't have this degree of remove from the system as a whole -- it's competing with both software developers and its users over features and control.

The result isn't so much that users are forced to go within their distro's package management system for software, but that they choose to do so, and that a healthy distro culture (e.g.: Debian) provides very strong incentives and feedback loops for both developers and users to gain by this.

I've explored this at somewhat greater length in an article discussing malware on Microsoft and GNU/Linux systems respectively, Spyware, Adware, Windows, GNU/Linux, and Software Culture. Manoj Srivastava has a very good Why Linux, Why Debian talk covering the issue from a few other angles (and better technical understanding of the guts of Debian).

Any advice? Solutions?

• JDS
• Sunray
• RHEL
• ClamAV and ClamWin
• Fedora
• Debian
• etc.. etc.. lots of other virus-free OSS solutions out there.

Pick one or more of the above natural remedies for your MS related affliction...

Your argument is utter rubbish, and you're probably a troll, but what the hell. RMS uses Debian, and he applied to be a Debian developer.

Debian largely subscribes to the same ideals as RMS. I have no idea how you can legitimately claim that Debian "wants to inflict harm" on anyone, particularly RMS or the FSF. Debian distributes massive amounts of code from the FSF, Emacs (which was written by Stallmann), and a vast collection of GPL'd packages.

The decision to distribute or not is based on the reading and interpretation of the license, and takes place in the open, on debian-legal. So far as I know, Debian has not refused to ship anything unless there was a license issue or a compelling technical argument not to.

Your argument is utter rubbish, and you're probably a troll, but what the hell. RMS uses Debian, and he applied to be a Debian developer.

Debian largely subscribes to the same ideals as RMS. I have no idea how you can legitimately claim that Debian "wants to inflict harm" on anyone, particularly RMS or the FSF. Debian distributes massive amounts of code from the FSF, Emacs (which was written by Stallmann), and a vast collection of GPL'd packages.

The decision to distribute or not is based on the reading and interpretation of the license, and takes place in the open, on debian-legal. So far as I know, Debian has not refused to ship anything unless there was a license issue or a compelling technical argument not to.

Powermac 12" v. some cheap-o taiwan windows laptop? No comparison.

Yes there is. Linux will run on both. If you use a distro that actually cares about being cross-platform (*cough*Debian*cough*) then you can setup both laptops (or desktops) nearly identically and do a real comparison of the hardware. But I know what you mean. I'd much rather a nice cool G3 or G4 laptop than something that needs a vent on the side. I don't like the idea of wasting a large amount of precious battery life on heating air.

This one is different: it's red, needs no batteries, and you control it with two large knobs at the bottom of the screen.

Yeah, it's called "etch".

http://www.debian.org/releases/testing/

I think he got the order of his debian trees wrong. He had it at stable>>unstable>>testing. It's stable>> testing>> unstable. Testing is to test it before it becomes stable. Unstable is, of course, unstable. Just in case anyone reads this and uses the info. And yes, i'm being pedantic :)

I think he got the order of his debian trees wrong. He had it at stable>>unstable>>testing. It's stable>> testing>> unstable. Testing is to test it before it becomes stable. Unstable is, of course, unstable. Just in case anyone reads this and uses the info. And yes, i'm being pedantic :)

I think he got the order of his debian trees wrong. He had it at stable>>unstable>>testing. It's stable>> testing>> unstable. Testing is to test it before it becomes stable. Unstable is, of course, unstable. Just in case anyone reads this and uses the info. And yes, i'm being pedantic :)

http://lists.debian.org/debian-hurd/2005/06/msg000 56.html

...is fully operational death s^[[3~^[[3~^[[3~ partly working. You can even run GNOME on the top of it:
http://lists.debian.org/debian-hurd/2005/05/msg001 09.html

Debian is a linux distribution that consists of tweaked and patched software fitted together into a coherent system. Their standard practice is to make slight changes (bug fixes, security fixes, et al) to software to make it fit their system and their quality expectations.

Mozilla Firefox's trademark clause does not allow *any* changes (no bug fixes, no security patches, can't fix a single misspelled menu item and still call the result Firefox afterwards).

Accordingly, Debian can then either:
a) not include Firefox
b) call it something else (that users will not be familiar with)
c) submit code to Mozilla Foundation even for utterly trivial things, even for wholly Debian specific things of no interest to anyone else... and *WAIT* until someone at MoFo incorporates their change (or doesn't)
d) accept that on a whim Debian is *for now* granted ad-hoc exception to the rules (which may later be revoked... did BitKeeper teach people anything about revokable rights?)
e) find some way of getting MoFo to change policies

Instead of making dumb comparisons that only a Slashdot moderator could dub insightful; they decided to have a serious discussion on the issue.

e) b) and d) are the favoured solutions thus far in that order or in this order: e) d) and b) depending on who you ask.

Mind you Debian actually has somewhat flexible and clearly document rules regarding their logo (which is "trademark stuff"--is it not?) as opposed to MoFo's "you can use it if we feel like excepting you from our trademark clause" approach: http://www.debian.org/logos/

It certainly seems to be the prevailing mentality among the /. Linux fanboys.

Generally speaking, I am more comfortable with Linux, but if FreeBSD were to ever have a similar packaging style to Debian (all pieces of the system, including kernel as binary packages, backported security updates, etc), I would never touch Linux again. Maybe the Debian GNU/kFreeBSD project will go somewhere.

Where did you get that from?

The package in Debian is still called Mozilla Thunderbird on all three current distributions (stable, testing and unstable).

http://packages.debian.org/mozilla-thunderbird

Regards,

> If you are distributing what Debian distribute you can call it Debian. If you want to do something different, call it something else.

Actually no. If you publish the original Debian, it's an "official release" and you can use the Debian swirl logo together with the "magic lamp". If you make a derived version, it's a "vendor release". You can still use the swirl, but without the "magic lamp".
http://www.debian.org/logos/
http://www.debian.org/CD/vendors/
Please note that on both logos you can use the word "Debian".

The problem here arises because AFAIK the Mozilla Foundation has no such strategy, i.e. there's no name that distributors can take if they change the sources.

> If you are distributing what Debian distribute you can call it Debian. If you want to do something different, call it something else.

Actually no. If you publish the original Debian, it's an "official release" and you can use the Debian swirl logo together with the "magic lamp". If you make a derived version, it's a "vendor release". You can still use the swirl, but without the "magic lamp".
http://www.debian.org/logos/
http://www.debian.org/CD/vendors/
Please note that on both logos you can use the word "Debian".

The problem here arises because AFAIK the Mozilla Foundation has no such strategy, i.e. there's no name that distributors can take if they change the sources.

4. Integrity of The Author's Source Code

The license may restrict source-code from being distributed in modified form _only_ if the license allows the distribution of "patch files" with the source code for the purpose of modifying the program at build time. The license must explicitly permit distribution of software built from modified source code. The license may require derived works to carry a different name or version number from the original software. (This is a compromise. The Debian group encourages all authors not to restrict any files, source or binary, from being modified.)

There are a couple of "bugs" in the GFDL which can be cleared up readily enough, for instance the question of distributing free documentation on DRM'ed media. There are also some more fundamental questions of freedom, centred around the GFDL's "Invariant Sections", which prevent you adapting that part of the document according to your own needs.

You can read a bit more about the issues at
http://people.debian.org/~srivasta/Position_Statem ent.html
Note that this is not an "official" statement, it's a draft which raises the concerns that some, not necessarily all, of the Debian developers have.

Negotiations continue, we hope we can reach the point where the GFDL documents can reside in Debian without protest or argument.

that is odd, you think it would be on "legal". The lates there is in March http://lists.debian.org/debian-legal/2005/03/msg00 010.html/

http://lists.debian.org/debian-devel/2005/06/msg01 160.html

Debian is not after market share, read the Debian Social Contract.It's about freedom.
But then again if you tired of Linux politics don't bother. But you will be sorry when this is the only alternative.

Although I completely agree with the parent that ZDNet articles are worse than useless, there has been recent discussion on the debian mailinglist. Don't know why it's not in google yet (too recent), but the thread on debian-devel starts here.

i think the ubuntu cds only cover main though so theres a lot less of them. (ubuntu put the bulk of stuff from debian into a seperate area called universe and only put a relatively small amount of stuff in the fully supported main section).

also iirc ubuntu has some rich backer who can pay for things like massive distributions of free cds.

if you need debian cds (hint: if you have a decent internet connection you need cd1 at most) there are plenty of vendors who will ship them to you for a reasonable price (it seems many of them don't have sarge yet though).

Get it at: Windows Service Pack 3

Debian on AMD64