Slashdot Mirror

For up-to-date information on Debian, it's a good idea to check out Debian Wekly News (http://www.debian.org/News/weekly/ - there are also e-mail and RSS versions) which recently has had Sarge release reports. In summary, it's been frozen since about the 3rd of May, final release is currently expected about "now"! This is the latest schedule I can find, though if you were to read the mailing lists you'd probably find a more up-to-date one. http://lists.debian.org/debian-devel-announce/2005 /05/msg00001.html

For up-to-date information on Debian, it's a good idea to check out Debian Wekly News (http://www.debian.org/News/weekly/ - there are also e-mail and RSS versions) which recently has had Sarge release reports. In summary, it's been frozen since about the 3rd of May, final release is currently expected about "now"! This is the latest schedule I can find, though if you were to read the mailing lists you'd probably find a more up-to-date one. http://lists.debian.org/debian-devel-announce/2005 /05/msg00001.html

See [1] for a complete list, compliments of the relatively young testing-security team ([2])

[1] http://newraff.debian.org/~joeyh/testing-security. html
[2] http://secure-testing.alioth.debian.org/

See [1] for a complete list, compliments of the relatively young testing-security team ([2])

[1] http://newraff.debian.org/~joeyh/testing-security. html
[2] http://secure-testing.alioth.debian.org/

For those of you that are curious, the actual email that Andi Barth sent out is here.

$ apt-cache policy python2.4
python2.4:
Installed: (none)
Candidate: 2.4.1-2
Version Table:
2.4.1-2 0
500 http://ftp.debian.org/ sarge/main Packages

2.4 is already in sarge

The debate seems a bit similar to the discussion whether the new kernel should be 2.6 or 3.0 . Personally, bumping major version numbers too regularly reminds me of commercial software that has to go from 1.0 to 10.0 in a few years just to keep customers upgrading (and buying). Sarge has some important changes over Woody, but I don't think they're big enough to warrant going to 4.0; maybe Etch (the successor to Sarge) might, with the introduction of SELinux, X.org, etc. .

Hmm 50 is an over-estimate (maybe it wasn't when the story was submitted); according to http://bugs.debian.org/release-critical/ there are only 28.

No, Sarge should have been 4.0, but fixing that now would require too much last-minute effort. Bumping up the version number was simply forgotten, according to the relevant thread.

http://www.debian.org/releases/etch/index

But having a requirement that something work on a large number of platforms slows down the release cycle.

I'm not sure that I agree. To me, the Debain delays seems to be at least as much a political and leadership thing. In particular, consider how quickly Debian went into a freeze for a new release after a change in leadership. Granted that it's a week behind schedule, but the green line is now going down rapidly, and we're expecting a new release within a matter of days. If it was so difficult to support and release on multiple architectures, this likely wouldn't have been able to happen.

I'm not trying to imply that the old Debian leadership was necessarily bad or that the new leadership is particularly good. But a change in attitudes very quickly resulted in a new release. This suggests that support on lots of architectures has little to do with it, whereas leadership attitudes has a lot to do with it.

We'll have to wait and see just how reliable Debian Sarge turns out to be when it's promoted to stable, of course. (Disclaimer: I run debian sarge on my home workstation and laptop.)

There was a minor delay, see this recent debian-devel-announce post.

I've never used Knoppix but either you need to try a different distro or your modem came with a disc or a CD in which you can install the driver for it. Some hardware does actually come with drivers for linux while others are already supported by linux. Make sure there arn't any disks that you left in the box and try to use something like Debian http://www.debian.org/ or Suse http://www.novell.com/linux/suse/, Red Hat http://www.redhat.com/, Ubuntu http://www.ubuntulinux.org/, or maybe even a smaller distro like Ark http://www.arklinux.org/.

Knoppix is not the only Linux out there and by no means is it the best nor most popular. Hell I just gave you the better known ones. You could also try BSD. Just go to google and type in "BSD". Try dragonfly, Free, Net, or open BSD. Don't think that because one distro doesn't work that the others won't either. Each distro is very different.

Hope that helps, cause you don't seem to know about to many distro's.

• To: debian-devel-announce@lists.debian.org
• Subject: Release update: minor delay; no non-RC fixes; upgrade reports
• From: Andreas Barth <aba@not.so.argh.org>
• Date: Fri, 27 May 2005 23:57:52 +0200
• Mail-followup-to: Andreas Barth <aba@not.so.argh.org>,debian-devel-announce@lists. debian.org
• Message-id: <20050527215752.GS1493@mails.so.argh.org>
• Old-return-path: <aba@not.so.argh.org>
• User-agent: Mutt/1.5.6i

Hi,

Well, just in case it wasn't obvious to everyone from looking at the
release-critical bug stats, we should probably come out and say it: the
the count of release critical issues affecting sarge is still going
down, but it's not yet down to zero, which means no release this
weekend.

But we are *very* close, so we're only pushing the schedule back a week
and aiming for a release next weekend.

The only real blocker as of today are the release critical bugs. If you
have any of them in your own package, take care of them now. You
wouldn't want to be known as The Maintainer Who Held Up The Release, and
you probably don't want your package removed from sarge, either. :)
Otherwise, if you want to help us, please continue to squash RC bugs and
help with the preparation of the release notes and processing of upgrade
reports. We're at a point now where more hands are not going to speed
up the release, though, so if you aren't already involved in these
tasks, you might want to just relax for a bit and start your Release
Party preparations.

There has been a great deal of interest from maintainers wanting
to get fixes into sarge. Thank you for helping to make your packages the
best possible for sarge! However, since we are in a freeze, each fix
requires time from a member of the release team to check the package for
regressions. Given the pure number of requests, this is a major time sink,
so please make sure that your request matches our criterias before sending
it in.

This means that, for all packages that still need to be updated for
sarge, the rules are (still) as follows:

- Updates are only possible for RC-bug fixes and translation and
documentation improvements.

- If your package needs to be updated for sarge, and the version in
unstable doesn't contain extraneous changes (e.g, the version is the
same between testing and unstable), please upload your fix to
unstable and contact debian-release@lists.debian.org.

- If the version in unstable already includes significant changes not
related to the bug to be fixed, contact debian-release about
uploading to testing-proposed-updates. Changed dependencies, new
upstream versions, changed library names, and completely rewriting
the packaging are "significant changes". So are lots of other
things.

- If the version in unstable won't reach testing because of new
library dependencies, contact debian-release about uploading to
testing-proposed-updates.

- If in doubt, contact debian-release first.

- In all cases, when preparing an upload please do not make changes to
the package that are not related to fixing the bugs in question.
Doing so makes it more time consuming for the release team to review
and approve such requests, delaying the release. It also delays the
fix for your package, because you will be asked to reupload.

- When contacting the release team, please e

I currently run Debian Sarge, which gave me generic Gnome and KDE desktops I can run. Then I added the http://www.os-works.com/debian/ testing main repositories to Synaptic, which allowed me to install XFLD desktop, which is a slightly modified version of XFCE4. (XFCE4 can also be installed in it's stock form without adding these repositories)

Monday the 30th, is the target date for the official release of Debian Sarge.. so stay tuned in for that. The installer I used installed from the net. Not quite a complicated as installing Suse from the net. When Sarge releases I am sure links will change, but if you want to go for it now you could go to .. http://www.debian.org/devel/debian-installer/

Of course this is me.. you may prefer something else. (I personaly have not tried Fedora) I have tried (some multiple times).. Slackware, Redhat(yrs ago), Mandrake, Vector, Knoppix, Mepis, Ubuntu, Xandros, Libranet, Sam, Cobind, XFLD, Suse, and of course stock Debian Sarge.

Yeah, you're right - they're just like those Debian guys with their logo. And we all know they don't care about openness!

Apple laptops are effectively unusable for unix users.

I am a long-time Unix user. That means I need to have the Ctrl key to the left of the A key. This is a genuine need, not merely a want; it is based upon ergonomics. The Ctrl key is heavily used in unix, and it must be easily accessable. It cannot be off in the lower left corner of the keyboard where it is difficult to get at, and where it distorts the position of your left hand such that you can't easily type other keys while holding the Ctrl key down.

Apple desktop keyboards are now all USB. They are all OK. The CapsLock key can be re-mapped into a Ctrl key.

Unfortunately, even in this modern age, all Apple laptops have built-in ADB keyboards. The ADB keyboard is broken-by-design. It is, in general, not possible to remap the CapsLock key into a Ctrl key.

There are some exceptions, but they are horrible kludges. They are horrible kludges because the original design of the ADB keyboard was a horrible kludge. The correct solution would be for Apple to re-design their laptop motherboards to use built-in USB keyboards. This hasn't happened yet. If you run Linux, use Debian's solution. For Mac OS X users, uControl works. There are no solutions (that I know of) for either NetBSD or OpenBSD. Please note once again that the "solutions" above are in fact kludges, because of the original bad design of the ADB keyboard.

Apple provides a technical note on how to remap the keyboard, but provides no solution to the hardware problems caused by the design of the ADB keyboard. This tech note helps foreign language users, but does nothing for the CapsLock/Ctrl problem.

Apple has now lost three opportunities to sell me hardware. I really wanted an Apple laptop for their superior battery life, and for the PowerPC with Altivec CPU. (The Altivec is vastly superior to the x86 line for DSP.) Because I can't live with the broken-by-design built-in ADB keyboard in all Apple laptops, Sony and IBM sold me laptops instead. If Apple fixes this problem, they will sell me a PowerBook next year; if they don't, I'll still be running OpenBSD on x86 hardware, and wishing I could use a Mac.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=2 90489

I wish that was a joke.

Not every distro relies on a heavily-patched kernel. Slackware use a kernel from kernel.org. Debian apply some kernel patches, but you can take an "ordinary" kernel and compile it and Debian userland will run just fine on it anyway.

Certain distributions {one named after a dog in an orange drink advert springs to mind} have a kernel so full of patches that the userland won't stay up on an "ordinary" kernel.

It's really only a big deal until some hacker figgers out how to graft the patchset for an older kernel onto the newest kernel. I for one would have no objection if software not compiled on my machine would not run there ..... in fact, a kernel/userland mismatch situation pretty much saved my job once.

There's a very short explanation here

1. Where do you live? Iraq?

No, Cuba, why?

2. Export controls apply to Open Source software as well. This isn't Sun's fault, it's the US government.

Yes they do (apply to FOSS). However, they apply to americans, wich means that someone else that is not bound by US laws is free to do as the licence and local laws allows them to (wich, in several countries, includes reexporting the software). In Sun's case, if you live on any third country and you reexport, you are not violating US law, but you are violating your licence agreement with Sun.

I case it wasn't clear enough... Sun's licence is more restrictive that US law (because its used to extend the law to countries where it would be void otherwise). With FOSS (see the DFSG, points 1 and 5), it might be illegal for you to share it with me, but I could, for instance, download from Europe, and no law (US or not) would be violated by any party.

That specific clause might not restrict american's freedom because the law is in place restricting it anyway, but it does restrict everyone else's freedom, wich FOSS licences do not.

• SmartEiffel vs. Free Pascal
• Oberon-2 vs. Free Pascal

• SmartEiffel vs. Free Pascal
• Oberon-2 vs. Free Pascal

• SmartEiffel vs. Free Pascal
• Oberon-2 vs. Free Pascal

You may be thinking of cron-apt. I use it on my system at home, and it does a pretty good job.

the real solution would be to go to a more reliable operating system

You misspelled more reliable operating system.

D is the answer. It's meant to take the good ideas from C++, Java, and C# and make a modernized C-type language which is suitable for systems programming and (relatively) easy to implement.

There's a a GCC frontend) in the works as well. In general, it seems like once this language gets a bit more mindshare it will really take off.

(D is currently #1 on the Great Computer Language Shootout- and while it does help a little that it's the only one with all the tests implemented, its ranking is due to very impressive performance.)

I'd use Python. Java is slow too, slower in practice since it makes much less use of native code.

I'd use Python. Java is slow too, slower in practice since it makes much less use of native code.

I'd use Python. Java is slow too, slower in practice since it makes much less use of native code.

I don't see anywhere in the article that indicates they're using undocumented internal com.sun.* classes. The problem seems to be that some key functionality in OpenOffice is implemented with Java, and that Java itself is not free.

Whether they say it in the article or not, it happens to be the case. Here is a post by the main Kaffe developer about it. I quote:


>import sun.security.provider.*;
>import sun.security.provider.SystemIdentity;
>import sun.security.provider.SystemSigner;

Not implemented and most probably won't be. These are
the JDK 1.1 undocumented (actually sun mentions them
in an example in the java security architecture paper,
but explicitely recommends staying away from it) key
management apis. Sun has deprecated the corresponding
classes in java.security with java 1.2, and uses
different key management facilities. Open office
developers should know better, as they are supposed to
be using java 1.3, right? ;)

[lots of other imports of sun.* and sunw.* classes]

Anyone using sun.* classes doesn't _want_ to be
portable accross VM releases/implementations. Someone
(either the open office developers, or the debian
developers wanting to build open office using free
software) should clean up the sun.* mess. I wouldn't
want to implement sun.* classes just to suit someone
else's bad programming style, and I don't know anyone
who does ;)

Perls many shortcomings were once again exposed yesterday on Slashdot.
Now it's time to review Java's shortcomings:
1) It's slow
2) It's a once overhyped relic of the 90s that's now considered outright violation of usability standards and it's use is deprecated outside of "back end" database work.
3) Sun. ('nuff said)

[ yeah, this a troll, but's it is the truth. try and handle it for once and respond critically without pounding on the mod button ]

Perl, does in fact, run 4x slower than C. If your program requires speed and maintainability, then stick with a real compiled language. Anything else is a scripting language and should be used appropriately.

...therefor the only secure option is to format and reinstall from a known good backup. Otherwise, there's a big unknown whether or not you got rid of the compromising situation. Perhaps now is a good time to consider a platform that doesn't make your problem inevitable.

I just wanted something that worked. I was tired of the endless cycle of upgrades. So I went to Debian and all of my problems were solved.

Except that I still can't use my printer. At least with Linux, you can hold out hope that it might work someday...

Why people does care so much about creating buffer overflows. Just write programs in C/C++, you WILL create buffer overflows. It seems that most of programmers can't avoid them and "buffer-overflow vulnerabilities" are found all the time. Why not care instead about the methods created to fix (most of) them? The ones that many distros are still not shipping despite of being quite obvious that they're need more than the latest KDENOME shit?

Just check the debian security mailing list and look how many buffer overflow security bugs are there: Too many. Too many for something which is know to be (partially) fixable with kernel/compiler tricks. Did GCC 4.0 included finally that FORTIFY thing that includes both compile-time and run-time "buffer overflow protections" BTW? That is interesting, not learning how to create buffer overflows.

From http://www.gnu.org/philosophy/apsl.html:

"The Apple Public Source License (APSL) version 2.0 qualifies as a free software license. Apple's lawyers worked with the FSF to produce a license that would qualify. ... The FSF now considers the APSL to be a free software license with two major practical problems, reminiscent of the NPL:

* It is not a true copyleft, because it allows linking with other
files which may be entirely proprietary.
* It is incompatible with the GPL."

Debian-legal has reviewed the APSL 2.0, in http://lists.debian.org/debian-legal/2003/08/msg00 527.html. It seems that the reason it is incompatible with the GPL, is also the reason it can not be considered DFSG-Free: it requires users of its software to distribute the source code available under certain circumstances.

People tend to go looking for them.

If you're a penetration tester, or work for a security firm, then publishing flaws is how you get "noticed", and how you attract new customers.

Not many people do it for purely altruistic motives - but I guess that doesn't matter if the flaw is found and fixed.

Does the Apache exploit mentioned affect any other platforms that Apache runs on, or is it specific to OSX? Its a pretty severe one. I don't run closed source OSes (like OSX or Windows) but I would like to make sure that my Gentoo apache install is OK.

I believe it's referring to this bug in htdigest that was reported a year ago. If so, it affects linux systems as well.

I wouldn't worry too much about it, it's not a remotely exploitable overflow... it could be exploited by somebody who was allowed to upload a malicious CGI script to your server, but it would have to be somebody who was allowed to deploy CGI scripts to your apache server to begin with.

I was upset to see that KDE 3.4 was being held back from Sid until Sarge released...

YMMV, but I'm using the quasi-official KDE 3.4 repos in Sarge, and everything works great. The only thing you don't get is kdm (which I never used anyway).

http://pkg-kde.alioth.debian.org/docs/install.html

...(I don't DO "open"), but I happen to know of a really good free software detector.

this is part of my /etc/apt/sources.list

deb ftp://ftp.fi.debian.org/debian/ testing main non-free contrib

deb-src ftp://ftp.fi.debian.org/debian/ testing main non-free contrib

I pasted it to show you that testing is not actually part of the url there. First there is the url and then on the same line it's specified which packages to use. So, yes, you should change that "testing" to "Sarge".

this is part of my /etc/apt/sources.list

deb ftp://ftp.fi.debian.org/debian/ testing main non-free contrib

deb-src ftp://ftp.fi.debian.org/debian/ testing main non-free contrib

I pasted it to show you that testing is not actually part of the url there. First there is the url and then on the same line it's specified which packages to use. So, yes, you should change that "testing" to "Sarge".

None of you trolls get it.. Debian Sarge has been waiting for the security infrastructure. Now it's done on all architectures -> this is why debian is slow -they have so many archs. Sarge has been stable for ages with less than 100 release critical bugs. It's still up to date with gnome 2.8.3 and KDE 3.3 -that's good enough. If you are running a server you propably dont want desktops anyway - and if you want to ru debian stable on desktop, there is no reason why you couldn't use apt-pinning to get the desktop from testing or unstable. In less than a month we are going to have a hell of a stable release! I have been using testing ever since got broadband, but now i could even use the stable -atleast if I installed it on someone elses computer. Many people are still happy with windows 2000, so why couln't hey be happy with Sarge for the next 2 to 3 years (that's the worst case scenario of debian releases for me:)? I'm sure Sarge is more stable than most of other distros!
Debian-Installer

Yes it is for some important server-side packages that should be supported by the security team

For example, this one has been stuck in unstable for nearly 150 days and with 0 outstanding bugs:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=2 85361

Anyone trying to run ruby-on-rails or other frameworks on Apache2 that depend on mod_fastcgi can look forward to doing so without the support of Debian's security team.

Pretty stupid given that web application libraries and apache modules should be given considered high priority for security...

Oh well, thank God there Ubuntu and other distros to help us migrate away from Debian if this kind of neglect continues.

The frozen distribution passes through a few months of testing, with intermittent updates and deep freezes called "test cycles".

You can still install and run potato or ham, though it is not on the main debian mirrors and there are no security updates.

I'm currently using Debian Sarge on several server and seriously considering a move to another distro.

My reason for switching has more to do with how Debian drops the ball on important server-side development packages.

For example, the mod_fastcgi package for Apache 2 (libapache2-mod-fastcgi) has had 0 outstanding bugs and it has been 146 days since the maintainer requested help moving it from unstable into testing.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=2 85361

Think about it...146 days since the maintainer asked for help moving a package with 0 outstanding bugs from unstable into testing. And the package is a library required for one of the fastest growing web application frameworks (ruby-on-rails)...

Sheer lunacy. If Ubuntu proves itself to be appropriate for server-side deployment, then I'm moving on and bidding farewell to crap like this.

Pity, Debian used to be the best distro.

Just because there are always people who don't know how this works...

Each generation of Debian is named after a character from Toy Story. Potato, Sarge, Woody (the one I run), Slink, Hamm and Sid. Sid is always "testing", the most unstable places for apps to go. Remember who Sid was in Toy Story? Same thing. After packages get more stable, they get promoted to "testing". For a while, this has been "Sarge". After "testing" proves itself (and they demote packages that can't get more stable), it gets promoted to "stable"-- today that's "woody".

Sarge being frozen means that sometime in the near future, we'll have a new "stable", with more recent packages.

People who run servers but can't afford to qualify them much should probably stick with "stable". "Testing" is for desktop users who don't like much churn, but it's still more stable than Windows, IMHO. "Unstable" is for the bleeding edge who want someone else to do the compiling.

For more information, visit your local library.

For regular Debian stable users, this doesn't mean too much: a simple apt-get upgrade is all it will take to 'upgrade' to Sarge.

For new Debian users, Debian testing images based upon the new installer have long been available here.

My main question is why Debian didn't advertise the above-linked installation images more. Just finding a link to the new installer ISO images is like navigating a maze blind-folded. Yes, I understand that they're not 'release-quality' yet, but it would take just a simple warning on the page to download Debian: "Please try our new installer! Although it's not completely stable, it's faster and easier to use and is definitely worth a try."

Ubuntu's installer is based upon the new installer, and it's not unreasonable to believe that many people use Ubuntu because it's an easier-to-install Debian, in no small part due to the work on Debian's new installer (and the great work of Ubuntu developers).