Debian 3.0r2 Released

FrankoBoy writes "As announced on DistroWatch, Debian 3.0r2 has been released this weekend, with some security issues fixed... and Rock 'n Diamonds dropped because of license problems. Here's the official announcement. This release had been slowed by an attack on Debian boxes discussed Friday."

debian is a truly great distribution...

[jms258]

debian rocks. i can't think of any other linux distro that has been around so long and consistently delivered a great base install and the ability to easily update the entire system. i know a lot of people like to complain about how behind the times debian always is, but this is only done to ensure that each release is as stable and bug-free as possible. the debian developers should be commended for all of their hard work that they've put in over the years, especially in the face of adversity such as the recent security breach.

Re:debian is a truly great distribution...

[Joe+Tie.]

i know a lot of people like to complain about how behind the times debian always is

I think a lot of people just don't appreciate how stable Debian Unstable is, and only consider the less up to date stable and testing to be a viable option for every day use. The name scared me off for a long time, but I really havn't found it any more unstable than any other bleeding edge distro. Heck, while this is only my own experience of course, I've actually found it more stable than Mandrake.

Re:debian is a truly great distribution...

[MrLizardo]

The way it works is a named distro such as sid, woody or sarge progresses through different stages of stability: from unstable->testing->stable. So right now sid is considered "unstable", sarge is in the "testing" stage before it becoms stable, and woody is considered "stable." Once sarge is considered stable, woody will be obsolete and sid will be bumped to testing and a new version will become unstable. The Debian maintainers have a _very_ high standard for stability. When you have a Debian stable release you can count on being able to install any package from the stable release without hitting a stability problem. All packages in stable are very thoroughly tested to be sure that there are no problems with them. That being said they tend to be somewhat out of date. I've been using Debian since 1998 and I've used unstable almost exclusively since then on my desktop, but have used stable on any servers/gateways I've built. I would say that "unstable" Debian tends to be more stable than RedHat releases, and more up to date (RedHat 9 did make vast improvements over RedHat 8 in the stability/non-brokeness area though). I suggest if you're installing it on a desktop machine that you should go with unstable(sid). From time to time some packages will have dependency fights with each other but those can be solved by putting those packages on "hold" for a few days and waiting for the dependency issues to work themeselves out, then upgrading as normal. Once you go Debian, you'll never go back to a distro without apt builtin.

As of now:
Unstable->sid (this is probably what you want for a desktop)
testing->sarge (use this if you need something slight more reliable than unstable)
stable->woody (use this on mission critcal systems and servers)

-Mr. Lizard

Re:debian is a truly great distribution...

[swillden]

One correction: unstable is always called sid. When sarge is released, a new name will be chosen for testing.

Re:debian is a truly great distribution...

[Trepalium]

Well, part of the reason Debian has so many old packages has to do with the number of architectures it runs on. If the package can't be compiled and run on Alpha, ARM, IA-32, IA-64, HPPA, M68K, big endian MIPS, little endian MIPS, PPC, s390 and SPARC, it doesn't get in. There are exceptions for things that are really arch specific, but for most cases, if you want it in Debian, it needs to run on every platform Debian is available for.

Another factor is packaging. Debian packages are built in a specific fashion, and in some cases when the upstream developer releases a new version that is binary and source incompatible with the old version, the package developer goes to great pains to make sure both packages can co-exist on the same system.

Then there's version stability. When a security hole is found in a Debian package, Debian doesn't just package up the latest version and ship that like some vendors do. Instead, the security fixes are backported to the previous version, and an update to the old version is released instead. Why would they do this? A new version with new features can have new bugs, or change the behaviour of certain things in various (sometimes subtle) ways. I've had an entire PHP-based website stop working because of a PHP upgrade. Something that was legal and worked fine in a previous version (storing objects in an array stored in the SESSION variable) completely ceased functioning in the new version.

My first debian

[Space+cowboy]

Way to go guys :-)

This is the first-ever Debian I'm going to download and try out. I figure I ought to be able to get to know it as well as I know RH before the RHN support is switched off next year.

It's not that I've decided to ditch RH - I may just cough up for the new RH packages, but I'd like to know what my options are :-)

Simon

Re:My first debian

[OMG]

Good choice ;-)

The stable distri of debian has one problem: Many programs made a lot of progress in the last month and the distro doesn't reflect that so far. So you will need to add some more (unoffical) sources to your apt configuration. Check the manual for details.

One important page for finding the right source for a recent Mozilla, OpenOffice or X11 is:
http://www.apt-get.org/

Have fun! *eg*

Re:My first debian

[Malc]

Use Woody for a server. I haven't used it as a desktop, but it might be bit too old for you. If it isn't, it will be stable. Use the testing/unstable installation CD if you want an easier install, and then upgrade to the latest everything afterwards. If you use KDE, Google as the dependencies for kmultimedia are buggered at the moment. I use unstable on my desktop, and it's pretty good. The only complaints was X took more to setup than Mandrake (it doesn't like the fact that I have two video cards), KDE install took a while to figure out due to the broken deps, and there's a really annoying bug that puts some garbage in the default X window manager file instead of /usr/bin/kdm (or whatever it is). Generally though, it's good and up to date.

Re:My first debian

[Zigg]

XFree86 is certainly not the most recent. However, X Strike Force is working on 4.3.0 and you can get it out of experimental. Add

# Debian experimental
deb http://apt-proxy:9999/debian/ ../project/experimental main contrib non-free
deb-src http://apt-proxy:9999/debian/ ../project/experimental main contrib non-free

to your sources.list and you can select the newer version manually inside aptitude (which I highly recommend for package management anyway, if you're not using it.)

Re:My first debian

[runderwo]

www.backports.org is also a good resource for finding cutting-edge packages backported to the stable release.

Re:New Debian!

[Ilan+Volow]

But the Debian boxes were rooted in a freer, and more community-oriented manner than their Microsoft counterparts.

Now?

[psifishdot]

Why are they releasing 3.0r2 now? Aren't they going to release 3.1 on December 1st? Has sarge been set back?

apt-get update
apt-get upgrade

Re:Now?

[qtp]

Not gonna happen.

Too many of the developers have been failing to address bugs in Sarge (testing) and instead have been waiting for or [packaging new upstream versions. This happens during every release cycle, and many developers just assume that this is common practice.

Eventually, Sid (unstable) will be frozen as well, so the maintainers are unable to upload new versions until the RC bugs in Sarge are fixed.

If the release manager would just accept that this is necessary in order to get a release out the door instead of assuming that reason will rule the day, the time between releases would likely be much more reasonable.

The problem seems to originate in the fact of most maintainers having only one machine at home with Sid installed. It is difficult to replicate (and thus fix) bugs in testing if you are keeping your machine up to date with unstable. Freezing Sid and testing at the same time seems to resolve this problem for most of the maintainers.

IANADPM, but I have been using Debian for 6+ years and observing this series of events occur semi annually Every year, policy and process changes are adjusted to mitigate the various difficulties involved in preparing for release, but the dist is growing at such a rate (I believe that Sarge will fill 10 CDs with packages) that new complications must be addressed every year.

I'm just amazed that they are able to achieve what they do, and that the quality of the release is so much higher than that of thier comercial competitors.

Re:Now?

[qtp]

I also think when you weigh in ease of use and well designed management and setup tools Debian comes up severly lacking.

How long have you been using Linux? And how many times have you had to reinstall in order to upgrade from one release to another?

It's a reasonable tradeoff. Debian may require a bit more knowledge in the basic computing department than most other dists, and the standard configuration interface may have been a bit unattractive, but I know of know other dist that has allowed users to issue two simple comands in order to upgrade from one major release to another.

I had an install that started as Bo in 1997, that survived upgrades through Hamm, Slink, and Potato on it's way to die as a Woody install. That install outlived processors, power supplies, motherboards, and hard drives (That ping-ping-ping noise tells you when it's time to migrate).

The point is, that you shouldn't have to reinstall in order to upgrade your release. THAT is the basic "ease of use issue" that no other distributions seem to address. Everything else is easy, once the install is complete.

By the time Sarge comes out we will all be on kernel 2.6

And Sarge user who wishes to have kernel 2.6 installed will only need to "apt-get install kernel-image-2.6.x-[386|586|686|k6|k7](-smp)" in order to get the 2.6 kernel, pre-compiled for thier particular processor.

Debian may be good to have around, but other distros have passed it in the areas that matter to most people...

Most people want a box that is stable and reliable that enables them to cruise the web, write emails, do IM, chat, etc, and create documents that can be read on Microsoft platforms. Anything else is not "most people", but chances are that it's available in Debian (Woody consists of 8.900 packages, not counting contrib and non-free).

Debian provides a stable distribution that offers the most choices to the user for any task. For users who desire more recent versions of software than is available in "stable", there is the "testing", which includes all of the recent releases that have proven to not break anything and have demonstrated themselves to be reasonably "bug free" for a period of time before they are included. I'm not sure what it is that these mythical "most users" are asking for that Debian doesn't provide. The only feature I can think of that Debian is missing is an EULA, and I doubt that anyone really wants that.

Debian server updates

http://www.wiggy.net/debian/

mah-jong

[Jameth]

There are security vulnerabilities in mah-jong.

I must say, those folks at Debian really do there jobs. I personally can't stand using Debian, it just doesn't agree with me, but if I ever need a damn stable server, I'm glad there are people out there looking at the security of mah-jong.

Re:mah-jong

[stevey]

That wasn't one of mine, but I've been auditing a lot of Debian packages recently.

Games are an easy target as many of them are setgid(games); so that they may access a global high-score file.

Most of the vulnerabilities I've found have been in games - easy to start with the low hanging fruit and work your way up ;)

The Reason - Re:packages.debian.org already

[stu42j]

From the Debian 3.0r2 Changelog:

"Rocks-N-Diamonds contains sound, graphics and level data which
violate section 2.3 of the Debian policy manual. Some of the
game content originates with commercial sources that have not
provided explicit permission for their reuse."

BTW, aspell was also removed due to license reasons.

Removed packages

aspell - license problems
cyrus-sasl2 - minor security and other problems
micq - license problems
rocks-n-diamonds - license problems
tmda - unusable

SCO will be furious cause they forgot
Linux Kernel - license problems

Re:New Debian!

[bersl2]

Actually, the parent makes me wonder.

There have been a string of cracks against open source/free software interests recently: FSF, Linux kernel CVS, now Debian. I wonder if it's the same person/group behind these attacks, or if there's any pattern to the exploits. Has anybody looked into this possibility? If so, what have they found?

Or try SUSE 9.0 via Ftp

[bstadil]

While we wait for the Debian site to recover from the Slashdot effect, head over to SUSE where the latest 9.0 became available via ftp today.

We should be able to take that one down as well.

Question to all Debian Guru's

[FrankConners]

Forgive my ignorance but I have a curious question about debian.. is there an unstable distro of debian out there (iso) that has all the latest packages like gnome 2.4.1, kde 3.1.x, etc. It would be nice to have a weekly iso with all the up to date packages.

Re:Question to all Debian Guru's

there are images of testing/unstable

http://www.debian.org/CD/http-ftp/

however you can always install a minimal stable system and immediately change your sources from stable to unstable and `apt-get dist-upgrade` and continue from there

Re:Question to all Debian Guru's

[damiam]

Try Knoppix. It's a bootable CD with a full Debian-based desktop environment, with packages mostly from testing (but a few added in from unstable). You can install it to the hard disk in just a few minutes (much easier than the standard Debian installer), and you'll have a full Debian system.

However, why do you need a new ISO image every week? Just download a standard ISO and tell it to retrieve packages from Debian's servers. You'll automatically get the newest packages whenver you install.

Re:Question to all Debian Guru's

[Looke]

I'd suggest getting KDE 3.1 from ftp.kde.org, which provides excellent Debian Woody packages. There are also a lot of packages available at backports.org and apt-get.org. (I think there is a pretty good Gnome backport out there as well.)

I use Sid (unstable) on my laptop, but on my new desktop PC I haven't bothered to upgrade from Woody, other than KDE 3.1, OpenOffice.org, Privoxy, and a few home-compiled apps. Actually, I find it refreshing to have a rock-solid and stable system. On my Sid laptop, I get all kinds of weird problems. Not often, but occasionally... Like when the printer stops working, or the USB mouse doesn't work anymore, or when X is no longer 3D accelerated. These are the kinds of issues you have to deal with once in a while when running Debian unstable. Not a big deal, but if I could choose again, I would have chosen Woody (with a few selected upgrades) on the laptop as well.

Re:New Debian!

[Rufus211]

One thing that sticks out: watch your passwords! I think I read that the debian hacks were due to compromised passwords and the kernel hack was due to a compormised password. I guess it's both a good thing (software's secure so you have to social engineer) and a bad thing (social engineering will always work).

Re:Torrent please for the ISO's

[Malc]

What are whittering on about? This is Debian and this bittorrent thingy isn't needed. Use jigdo, or a netinst ISO and apt-get. Kids of today!

Re:The sound you hear.

[isorox]

First of all, Debian has the most out of date software packages of any major mainstream distros. Even in the unstable version, is KDE 2.2 and Gnome 2.0, with Xfree86 4.1 (A version that really sucks).

$ konqueror --version
Qt: 3.1.1
KDE: 3.1.3
Konqueror: 3.1.3

$ xdpyinfo |grep "XFree86 version"
XFree86 version: 4.2.1.1

Secondly, its a pain in the goatse to set up, first of all, you are forced to use Kernel 2.2, which is horribly hacked with "backports" to get any use on any modern machine (Read, made after 1999). Good luck memorizing all the *.ko files in /lib/modules, as you are going to need it.

WTF's a .ko? modconf does all that nasty module stuff

$ uname -r
2.4.20

Configuring XFree86 is hell! If you don't have a Thick X11 orilley book, and a list of your horizontal sync values from your monitor's intruction manual (if you even have one), BOOM! There goes your monitor.

You must have a *really* old monitor if it can't cope with an out of range signal. I admit its been A few years, but xf86config or xf86setup or something was fine when I set up my X.

Even then, good luck getting anything over 640x480@16 colours.

screen #0:
dimensions: 1024x768 pixels (260x195 millimeters)
resolution: 100x100 dots per inch
depths (7): 16, 1, 4, 8, 15, 24, 32

Other distros give you comprehensive PRINTED MANUALS, PHONE SUPPPORT and/or freindly forums where repling RTFM gets you banned!

Yes, pay for the manuals and phone support if you want. For online stuff, I used to go to linuxnewbie.org

Debian has ZERO support for any decent hardware, including USB mice, scanners, Sound cards, heck even Serial devices struggle.

Well, my usb mouse (cordless, mouse # 2 so I can control xine from across the room, but not my main mouse) works fine, as does my USB mp3 player and sound card. My modem was fine too when I used one, but I don't have a scanner. Printer worked too, but I sold it when I emmigrated.


Apt-get has many flaws. First of all it uses a non standard package format (the rest of the world uses RPM, deprecate the DEB format!)

It's a superior format

Debian is falling to pieces, if it is to survive any market share

That's just it, Debian isn't a commercial distro, it'll go As long as people develop it. If it's not for you, fine. TBH If I had time I'd probably migrate my desktop away from Debian. My laptop's too slow to run a modern distro though. Use whatever floats your boat.

Re:PLEASE CALCULATE MD5 SUMS!

[Meat+Blaster]

I wish Debian would do something like the following:

• For each new release of a package, the maintainer must submit a PGP-signed checksum of the package to a central Debian authority.
• The authority creates a MD5 list from all verified packages, and signs it with the authority's PGP key.
• Upon issuing an 'emerge -u world', Debian grabs the MD5 list, verifies the authority's signature on the list, and then uses the MD5 checksums to verify the integrity of the downloaded packages before installing.

I thought a similar sort of mechanism was at least discussed, if not mostly implemented at some point. This model would at least secure the distribution chain, although it of course still leaves users at the mercy of the developer and anybody who's in the developer's system. I think it's been demonstrated that it's time to make this happen.

Re:liscense issues

[adrianbaugh]

Debian has never really limited you by its politics, there are plenty of non-free packages available (in the helpfully named "non-free" section).
If you read the article you would know that this was removed due to containing commercial material for which usage permission had not been granted. Ceasing to distribute the package is completely the right (and legally required) thing for them to do; it doesn't mean you aren't going to be able to use other non-free packages on your machine. In fact, with over 4,000 packages available, Debian is extremely well-supplied with software of all kinds.

Wouldn't it have been wiser...

[An+Anonymous+Hero]

to wait until the servers are up?

$ curl -v http://lists.debian.org
* About to connect() to lists.debian.org:80
^C
$ ping lists.debian.org
PING lists.debian.org (146.82.138.7): 56 data bytes
^C
--- lists.debian.org ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss

Is there a page somewhere that at least says what servers are supposed to be working at the moment?

Re:Wouldn't it have been wiser...

[Mr.Ned]

Status update:

http://www.wiggy.net/debian/

KDE Unstable

[theantix]

I would suggest following the instructions on the debian/kde wiki for installing 3.1.X on Sid -- you have to install one package manually and then the rest go like clockwork.

casual desktop users may want to try Knoppix

[jab]

If you are a desktop user and want to see a different perspective of Debian, Knoppix may be a better starting point. Debian 3.0r2 is Debian Stable, which is very good if you prize stability and don't really want your OS to change out from under you. Knoppix is basically a closely tracked derivative of Debian Unstable, and therefore has more recent software which is often desirable for desktop users. For example, the most recent Knoppix ISO was cut on November 19th of this year, so it is REALLY current.

The other nice thing about Knoppix is that it is very easy to try out, and it also makes for a very painless Debian installer. I use it all the time to install Debian Unstable onto x86 desktop machines (see knoppix-installer in /usr/local/bin). I've been a Debian Developer for several years now, and I've pretty much switched over to using Knoppix for all my installation needs.

Re:casual desktop users may want to try Knoppix

[Durin_Deathless]

A word of warning though:

Before you decide to always use Knoppix as an installer, realize that it leaves a lot of livecd cruft behind. Scripts and things. Also, it can be hard to get some packages to install, since it is a hybrid of stable, testing, and unstable. You have to be careful.

installing software

[trans_err]

I hadn't realized how incredibly limiting some distros were until I decided to install Fedora on a friend's box. Comfortable with Debian, and knowing about Fedora's apt wannabe yum, I figured installing packages would be sinch. wrong.

Let me clearify installing a package in Fedora via yum is identical to apt-get, but the range of packages is very different. Quickly I realized everyone using the large commercial Linux's are stuck with a very small repository of software.

I really took for granted how great apt-get(ing) all my software really is. Before a few days ago I never would have imagined that to install something has common as Mozilla-Firebird I'd have to go and find some website that offered an rpm, which made me incredibly nervous (one thing about rpm's I did remember was mixing them can cause a lot of dependency issues).

Say what you must about Debian, but you can't ignore that it has one of the slickist methods of installing software and updating the system, furthermore, as all the software comes from a trusted repository I know it's most likely going to work perfectly with all my other packages.

You can help!

[eddy]

Help test apt-secure.

Re:aspell removed for "license problems"?

[mbanck]

"The license incorrectly says that it's LGPL but it is in fact a unique license which is non-DFSG-free."

That's what the Bug-Report resulting in this removal said (according to the Woody ChangeLog). I don't have any other information about this, sorry. Note that GNU aspell is still in unstable, so perhaps it was about a specific version being non-free in the past, which happened to be included in woody.

Michael

The Switch

[chickenwing]

I switched to Debian several years ago after reading a Slashdot article announcing a new Debian release. I had already moved from Slackware to RedHat before that, and was never really impressed with the latter. I fell in love with Debian right away, and was always impressed with the project's desire to do things right.

Debian has its own ways of doing things, and as with any other distribution, you will be more productive if you learn and conform to these conventions rather than fighting them.

I wonder how many people will give Debian a try after reading this article. Hopefully those who do will find the experience as rewarding as I have ;-)

Re:Be careful.

[deek]

• The problem is, by all objective standards, Woody is significantly behind Redhat, SuSE, Mandrake and Yellow Dog (all distributions that I've used extensively) in terms of usability. As others will attest, it's often a nightmare to get Woody installed and configured on a machine where Redhat or Mandrake will Just Work (tm).

Yes, in a way, Debian really does need to you know what you're doing, how a Linux system works, and what certain packages do. But if you're technically adept, I can tell you that a Debian system is nicer to maintain than Redhat or Mandrake. It's not just apt, it's the way the whole system is designed from a technical perspective. And of course, apt makes installing and maintaining great, and you know that apt is on every Debian system you may encounter. It's not an optional package.

By the way, if you want to make things easier, you just have to know the right package. discover will automatically probe and insert modules every time you boot up. webmin handles easy configurations for many system programs and settings.

Really, the main problem with debian is you have to _know_ that these packages exist, and then install them. Debian will not install these packages by default, because its basic install is just that ... basic. Absolutely fantastic for creating a stripped down system, or a custom built system where you know every package that is installed, without the hassle of having to find and download the source code.

Nothing beats the time I visited a client to fix something that they had wrong with their unix server. I discovered it was a Debian machine, but one that didn't have the telnet command installed. A simple apt-get install telnet, and 20 seconds later (it was a modem internet connection :), I was using telnet to check services running on the machine. Fantastic stuff!

Re:Be careful.

[swillden]

Unless you like to do fresh installs to clear out the clutter you've created from time to time,

This isn't an issue with Debian. Want to clear out the clutter? Just use your favorite apt-get interface to remove all but a basic set of packages. Use cruft to find and remove anything else, then use apt-get to install the stuff you want again. This way you clear out the clutter, but don't lose your configuration.

In practice, I don't really even do the above unless my drive is getting full. Unlike other operating systems (cough Windows cough), Linux doesn't really 'degrade' over time. It may get cluttered, but it continues to work just fine.

to try new things and such

If you run unstable, you will always be trying new things. Just upgrade frequently (I upgrade daily, in general) and you'll always be running new stuff. Also, every time I update I get a new list of packages in my "New Packages" section, and I find it very interesting to take five minutes and scan through them, looking for anything intruiguing.

need a system you can setup on a new set of hardware in under an hour pretty much consistantly

Try Knoppix. It's Instant Debian unstable. Getting it running on a clean box takes nothing more than the time to boot. Getting it installed takes just a few minutes more.