Weekly Edition
Return to the Distributions page
| |||||||||||||
Debian GNU/Linux 3.0r4 released
------------------------------------------------------------------------ The Debian Project http://www.debian.org/ Debian GNU/Linux 3.0 updated (r4) press@debian.org January 1st, 2005 http://www.debian.org/News/2005/20050101 ------------------------------------------------------------------------ Debian GNU/Linux 3.0 updated (r4) This is the fourth update of Debian GNU/Linux 3.0 (codename `woody') which mainly adds security updates to the stable release, along with a few corrections to serious problems. Those who frequently update from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update. Please note that this update does not produce a new version of Debian GNU/Linux 3.0 but only adds a few updated packages to it. There is no need to throw away 3.0 CDs but only to update against ftp.debian.org after an installation, in order to incorporate those late changes. Upgrading to this revision online is usually done by pointing the `apt' package tool (see the sources.list(5) manual page) to one of Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is available at: <http://www.debian.org/distrib/ftplist>> Please note that packages from non-US.debian.org are currently only available on its mirrors due to the problems the project has encountered on the host klecker. Security Updates ---------------- This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates. Debian Security Advisory ID Package(s) DSA 307 gps DSA 310 xaos DSA 335 mantis DSA 359 atari800 DSA 391 freesweep DSA 417 linux-kernel-2.4.18 DSA 426 netpbm-free DSA 438 linux-kernel-2.4.18 DSA 442 linux-kernel-2.4.17 DSA 472 fte DSA 473 oftpd DSA 479 linux-kernel-2.4.18 DSA 482 linux-kernel-2.4.17 DSA 524 rlpr DSA 530 l2tpd DSA 547 imagemagick DSA 567 tiff DSA 574 cabextract DSA 575 catdoc DSA 576 squid DSA 577 postgresql DSA 578 mpg123 DSA 579 abiword DSA 580 iptables DSA 581 xpdf DSA 582 libxml1 DSA 582 libxml2 DSA 583 lvm10 DSA 584 dhcp DSA 585 shadow DSA 586 ruby DSA 587 freeamp DSA 588 gzip DSA 590 gnats DSA 591 libgd2 DSA 592 ez-ipupdate DSA 593 imagemagick DSA 594 apache DSA 595 bnc DSA 596 sudo DSA 597 cyrus-imapd DSA 598 yardradius DSA 599 tetex-bin DSA 602 libgd2 DSA 603 openssl DSA 604 hpsockd DSA 605 viewcvs DSA 606 nfs-utils DSA 607 xfree86 DSA 608 zgv DSA 609 atari800 DSA 610 cscope DSA 611 htget DSA 612 a2ps DSA 613 ethereal DSA 614 xzgv DSA 615 debmake DSA 616 netkit-telnet-ssl DSA 617 tiff DSA 618 imlib Miscellaneous Bugfixes ---------------------- This revision adds important corrections to the following packages. Most of them don't affect the security of the system, but may affect data integrity. libcrypt-passwdmd5-perl Dependency correction The complete list of all accepted and rejected packages together with rationale is on the preparation page for this revision: <http://people.debian.org/~joey/3.0r4/>> URLs ---- The complete lists of packages that have changed with this revision: <http://http.us.debian.org/debian/dists/Debian3.0r4/ChangeLog>> <http://non-us.debian.org/debian-non-US/dists/Debian3.0r4/...> The current stable distribution: <ftp://ftp.debian.org/debian/dists/stable>> <ftp://non-us.debian.org/debian-non-US/dists/stable>> Proposed updates to the stable distribution: <ftp://ftp.debian.org/debian/dists/proposed-updates>> <ftp://non-us.debian.org/debian-non-US/dists/proposed-updates>> Stable distribution information (release notes, errata etc.): <http://www.debian.org/releases/stable/>> Security announcements and information: <http://www.debian.org/security/>> About Debian ------------ The Debian Project is an organization of free software developers who volunteer their time and effort in order to produce the completely free operating systems Debian GNU/Linux and Debian GNU/Hurd. Contact Information ------------------- For further information, please visit the Debian web pages at <http://www.debian.org/>> or send mail to <press@debian.org>. -- To UNSUBSCRIBE, email to debian-announce-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org (Log in to post comments)
Debian GNU/Linux 3.0r4 released Posted Jan 2, 2005 13:01 UTC (Sun) by Shulai (guest, #26939) [Link] Are these guys aware that what people wants is Sarge stable?Woody is _ancient_, meanwhile mantaining it is good, waiting until everybody feels forced to run Sarge for production is NOT a good way to manage releases.
Debian GNU/Linux 3.0r4 released Posted Jan 2, 2005 20:27 UTC (Sun) by jwb (subscriber, #15467) [Link] Have some perspective. Windows XP is a year older than Debian 3.0 Woody.
Debian GNU/Linux 3.0r4 released Posted Jan 2, 2005 22:25 UTC (Sun) by evgeny (subscriber, #774) [Link] > Have some perspective. Windows XP is a year older than Debian 3.0 Woody.
This is a wrong analogy. Debian is much more than an OS. Almost nobody complains about the Debian-3.0's 2.4.* kernel or libc-2.2.*. It's the applications which become hopelessly outdated in 3-4 years.
an out-of-date core is a real problem Posted Jan 3, 2005 1:26 UTC (Mon) by stevenj (subscriber, #421) [Link] I would argue exactly the opposite — the real problem is not out-of-date applications, but the out-of-date kernel and X11. The latter make Debian inordinately difficult to install on newer hardware. (Once I get it installed, I usually update to testing in order to get newer applications.)
an out-of-date core is a real problem Posted Jan 3, 2005 7:35 UTC (Mon) by glenalec (guest, #26113) [Link] Debian/stable is really intended for mission critical stuff that HAS to beVERY stable. Not really the sort of situation where you would be using the latest hardware for the same reason you don't want the latest software. Debian/testing was (IIRC) created explicitly for people who don't mind a (very minor) sacrifice in stability to have reasonably up-to-date software, but don't want the (low but not negligible) risks of Debian/unstable. When thinking about Debian/testing, general desktop systems and non-critical servers should come to mind. Debian/stable is more critical-infrastructure/network-backbone type stuff to my mind. Obviously the user has to make the final choice, but there is the magic word - choice. No-one should let the fact that it is called 'testing' alone put them off (that it is a little slower to get security patches and it updates in little bits and pieces rather than as a block, are more valid reasons to consider -- though I feel the latter is generally an advantage).
an out-of-date core is a real problem Posted Jan 3, 2005 10:54 UTC (Mon) by sveinrn (subscriber, #2827) [Link] I have tried Debian 3 times during the years. It always ended up the same way:
1. I needed version X of component Y. "Stable" did not have that.
From Debian's home page:
>"sid" is subject to massive changes and in-place library updates. This can result in a very "unstable" system which contains packages that cannot be installed due to missing libraries, dependencies that cannot be fulfilled etc. Use it at your own risk!
So my own experience says that the risks with "unstable" are high.
"Testing" has one big problem: There are no security updates. The same is also true for "unstable", but the packages here are updated frequently enough that in practice this should not be a big problem. The problem is that it often takes many montsh before the updated package finds its way down to "testing".
an out-of-date core is a real problem Posted Jan 3, 2005 13:31 UTC (Mon) by amacater (subscriber, #790) [Link] Stable == unconditionally stable. Changes rarely (see also my comments elsewhere in thread). Virtually no changes.
Testing - Release testing for the next stable release. Normally relatively few changes - but needs to be kept up to date. Fixes are promulgated promptly, including security fixes where appropriate (though there is not
Unstable: large amounts of package churn. Daily updates advisable. Some breakage occasionally expected. Serious breakage fixed within 20 minutes - 24
Unstable is not ideal for critical servers. It also helps to be subscribed to Debian mailing lists and to read Debian Weekly news. But the choice is there.
daily updates to sid are *not* advisable Posted Jan 6, 2005 14:06 UTC (Thu) by hummassa (subscriber, #307) [Link] I have a sid laptop and a sid desktop. update fortnightly *after* reading relevant bugreports (apt-listbugs is your friend) and with caution. watch security reports and upgrade only broken stuff. it works.
an out-of-date core is a real problem Posted Jan 3, 2005 14:51 UTC (Mon) by zooko (subscriber, #2589) [Link] It seems like you could have stopped after step 2 and been happy.
That's what I do, although I use "testing" instead of "unstable".
Sometimes, of course, I give in to the urge to waste a lot of my time by upgrading when I don't need to. But I can hardly blame Debian for that. If I follow your recipe but stop after step 2 -- that is I upgrade only what I need to in order to make things work -- then using Debian testing in this way poses no problems.
Regards,
Zooko
an out-of-date core is a real problem Posted Jan 3, 2005 15:15 UTC (Mon) by evgeny (subscriber, #774) [Link] > If I follow your recipe but stop after step 2 -- that is I upgrade only what I need to in order to make things work -- then using Debian testing in this way poses no problems.
Except of a tiny one - being left without security updates as well.
an out-of-date core is a real problem Posted Jan 13, 2005 13:43 UTC (Thu) by dash2 (guest, #11869) [Link] I believe this is going to change in the near future - testing/security will be created. In fact IIRC this is a showstopper for Sarge. See:
an out-of-date core is a real problem Posted Jan 13, 2005 13:44 UTC (Thu) by dash2 (guest, #11869) [Link] oops - wrong url, I meant
an out-of-date core is a real problem Posted Jan 3, 2005 16:06 UTC (Mon) by arafel (subscriber, #18557) [Link] Whereas my experience with unstable is that it's actually very stable. I think that in four years I've only experienced one package breakage (as opposed to bugs in applications, which are always going to be there), and it was fixed when I updated the next morning.
an out-of-date core is a real problem Posted Jan 4, 2005 3:36 UTC (Tue) by piman (subscriber, #8957) [Link] The problem is not so much bugs in applications, as the fact that the bugs in the applications change. When you're running a critical server, you expect to deal with bugs. The difference is, you only expect to deal with them once.
an out-of-date core is a real problem Posted Jan 3, 2005 18:51 UTC (Mon) by tjc (subscriber, #137) [Link] I have tried Debian 3 times during the years. It always ended up the same way: 1. I needed version X of component Y. "Stable" did not have that. 2. Upgraded to "unstable". System seems to work. 3. One week or two later I installed the latest updates to "unstable". 4. Some component (usually perl) did not upgrade as expected, and I was left with a system that was practically useless. I've been running Debian Unstable as my main "desktop" distribution for several years and have had a somewhat better experience. I keep a more stable distribution on another partition in case something goes terribly wrong, but I've only had to use it once. I have occasionally had to use dpkg to downgrade a package for a day or so. I did have to start from scratch on one occasion when the dpkg database became corrupted. It's a good idea to keep a backup of /var/lib/dpkg/ around. RE the Perl problems you mentioned: are you referring to a bad script in /var/lib/dpkg/info/? I've had a couple of those. One of them I was able to fix, but I gave up and uninstalled the package on the other.
an out-of-date core is a real problem Posted Jan 4, 2005 19:15 UTC (Tue) by stevenj (subscriber, #421) [Link] I think you're missing the point. Even to install testing, you generally need to install stable first since that is what Debian provides official installer disks for...so even if I want to use testing, I still need to deal with getting stable's out-of-date kernel to recognize my hardware.(I also don't really buy your argument that no one wants to run a stable server on new hardware. When you purchase a new server, it's major and pointless hassle not to be able to use one of your vendor's standard, reasonably current configurations.) I use and like Debian (stable on our servers and testing for personal machines), and I know how create floppies with supplemental backported kernel modules etc. Still, every time I've had to install it on a new machine these days it has been incredibly painful. After the next release, they desperately need to figure a way to update core components like the kernel and X11 without having a full release.
an out-of-date core is a real problem Posted Jan 6, 2005 4:20 UTC (Thu) by hmh (subscriber, #3838) [Link] You're correct. That's why we have a new installer. It should be trivial to plug a new kernel on it (unlike doing so with the older one).
One can easily envision a constantly evolving net-install image available for download, to support new hardware (as long as someone stops to do the work, instead of just complaining about it...).
Trouble would come from a kernel that needs new userbase tools. But backports can deal with it, and maybe point releases could, too (depends on the release manager team posture on additional packages getting in).
Debian GNU/Linux 3.0r4 released Posted Jan 3, 2005 13:15 UTC (Mon) by hmh (subscriber, #3838) [Link] Yes, obviously we are. Yours is the sort of comment that LWN could do without.
Anyway, here's some information so that this comment is worth posting:
New Debian Stable point releases do not take much effort from the project itself. They do consume large ammounts of time and effort from the Debian Stable release manager or release management team.
The release management team for Woody and Sarge are composed of different people, so the impact of new Woody updates on the Sarge work is negligible.
There is also a voluntary Sarge security team. Anyone complaining about Sarge security, please consider helping instead.
Debian GNU/Linux 3.0r4 released Posted Jan 3, 2005 16:56 UTC (Mon) by sbergman27 (subscriber, #10767) [Link] Or consider using another distro with more current packages *and* timely security updates, both in the *same* branch. It's time that Debian started competing in the same arena as other Linux distros, and started getting judged by the same criteria, instead of playing the three branch "shell game" that it has been playing so far.
Debian GNU/Linux 3.0r4 released Posted Jan 6, 2005 4:42 UTC (Thu) by hmh (subscriber, #3838) [Link] Hmm... indeed. If you are not going to help, or you are not in a position to do so (but do remember that there is a volunteer-based "testing" security team which is in no way restricted to debian developers), you are better off using something else. But then, why are you complaining?
But really, Debian *is* judged by the same criteria: It is impossible for Debian to tell anyone which criteria they should use to judge the distro. The difference is that the only judges that are of any importance to Debian are those who, directly or indirectly, are going to help fix the issues they found wanting. We are not the only distro in that position, but we are probably the biggest one.
As for the arena, well, should Debian orphan an old architecture, chances are no other GNU/Linux system will remain that supports that one, because Debian is likely the only one that still did. Should we drop about 7 architectures, as well as reduce our package count on one order of magnitude, so that we can play in the same arena of most of the other distros?
As far as I am concerned, Debian should do that when hell freezes over. We are trying to find a good, technically sound way around this problem, instead of just taking the easy, inferior way out. This is the Debian way.
It is taking an alwfully long time to do it, though (which is also the Debian way, unfortunately).
Anyone willing to really help is welcome.
Debian GNU/Linux 3.0r4 released Posted Jan 2, 2005 13:23 UTC (Sun) by imp (guest, #14466) [Link] Oh my, it's sooo retro!
Debian GNU/Linux 3.0r4 released Posted Jan 2, 2005 14:20 UTC (Sun) by amacater (subscriber, #790) [Link] Debian Stable a.k.a Woody is intended to be unconditionally stable and notto change unnecessarily. If you look at the previous Debian stable, it had updates up until about a couple of weeks before the change to Woody [it reached seven point releases IIRC]. This is the same for Woody: if you want latest and greatest, you may not want to run Debian Stable but if you want reliability/stability for a server its OK. It is important, however, to keep it up to date with security fixes and errata - hence the point releases. HTH, Andy
Debian GNU/Linux 3.0r4 released Posted Jan 3, 2005 14:43 UTC (Mon) by imp (guest, #14466) [Link] "This is the same for Woody: if you want latest and greatest, you may not want to run Debian Stable but if you want reliability/stability for a server its OK. It is important, however, to keep it up to date with security fixes and errata - hence the point releases."And there you have it, the most emphasized stable characteristic gets a little bleak: you sacrifice the features for stability and still have the bugs that need to be fixed. Stability? No more stable than bleeding-edge distros like Gentoo. I really don't see the point in Debian "stable" and, for the record, I'm not thinking about bleeding edge alpha/beta software on the other end, rather the reasonable new stuff, like 2.6 kernels, which are still considered "unstable" on Debian?! Geez. Live in the *now*.
Debian GNU/Linux 3.0r4 released Posted Jan 3, 2005 18:23 UTC (Mon) by TwoTimeGrime (guest, #11688) [Link] > Stability? No more stable than bleeding-edge distros like Gentoo. I really> don't see the point in Debian "stable" and, for the record, I'm not thinking > about bleeding edge alpha/beta software on the other end, rather the > reasonable new stuff, like 2.6 kernels, which are still considered > "unstable" on Debian?! Geez. Live in the *now*.
Debian stable is more stable than Gentoo and other bleeding-edge distros. While those distros may allow you to upgrade to the latest version, that version might contain incompatabilities with other software, or configuration changes that could cause you to have to re-test components of your system. For example, you might have a shell or perl script that depends on a certain format of a file which has now changed because you upgraded to a new version of a program just to get security fixes.
The Debian security team only makes changes to packages to fix security issues. They won't introduce any changes that would change the functionality or configuration of a package. This ensures that your program will continue to work as it always has. The security team will backport the fixes to the version that is in the stable release to achieve this. For many people this level of stability is important.
That's what stable means. If you don't need that level of rock-solid stability then testing, unstable, or even another distro such as Gentoo might be a better choice for your needs.
Debian GNU/Linux 3.0r4 released Posted Jan 3, 2005 21:34 UTC (Mon) by jonth (subscriber, #4008) [Link] My own use case at home is a server, a firewall, a desktop PC and a laptop:
The server runs Debian Woody, and has never crashed in the 3 years I've had it running. It's been rebooted about 10 times, for one of three reasons: 1. a power cut, 2. a physical reloctation and 3. A kernel security update. In that time, it's had a nightly cron job running "apt-get update; apt-get dist-upgrade" to pick up security updates. This has never failed, either. The server provides NFS, IMAP, NIS, HTTP and NTP services, none of which have failed since they were started. In short, it's stable and I'm damn glad it's there. When sarge turns up, I'll upgrade, but until then, the server does exactly what it's supposed to do and that's fine by me. It does annoy me that the Debian project has such a slow release cycle, but it's the biggest distribution around and it's difficult to underestimate how hard it is to get a collection of 10000 packages in a state where every single one has no critical bugs outstanding on it on any of 10 ports.
The desktop and laptop PCs both use unstable. Every few days I update these manually, but only if all the dependencies resolve correctly - this simple precaution seems to avoid irreversible installation errors. These systems do get occasional bugs, but I've never had anything completely unusable - just the sort of bugs you'd expect in bleeding edge packages. Maybe once a month something like this happens.
Finally, the firewall. Here I use IPCop as I like the "one button" approach. I've never needed a particularly flexible firewall, so the off the shelf solution suits my needs.
What's my point? Well, there are a number of them.
1. "stable" really does serve a need: if you want a server that you know will be secure and rock-solid which provides a standard, basic set of services, then this is the thing for you.
Debian GNU/Linux 3.0r4 released Posted Jan 3, 2005 17:27 UTC (Mon) by khim (subscriber, #9252) [Link] I do want reliability/stability for a server. This includes bootability. Support for some hardware I'm using in 2.4 is so unstable I can not even boot "Debian stable" here. This is end of story - I'm using Gentoo.
Debian GNU/Linux 3.0r4 released Posted Jan 3, 2005 20:24 UTC (Mon) by maceto (guest, #16498) [Link] Well here we go agian:Debian users ( use it my self on a server- testing that is cause sarge will soon be finished- think that was last year) saying stability etc is why it`s old.
The reason why it`s old and no new version is out the door:
1.The new installer not done
It`s looks like debian is beeing leaded by 13 year old`s cause EVERYONE have a saying on the Sarge issue, on EVERYTHING about EVERYTHING and NOTHING is beeing done since time is going on to debate/argue since no already rules!
Debian installer- VLM2 was that a must for Sarge, could have been for next debian.
Read over and you`ll se rules+roadmap can get you somewhere.. and don`t give me links to debian info- cause it might be there in reading form but not implemented.
I can also say this:
KDE/Gnome/x/kernel should try to get togetter- it takes just an e-mail to
Debian GNU/Linux 3.0r4 released Posted Jan 6, 2005 19:21 UTC (Thu) by kleptog (subscriber, #1183) [Link] Actually, I think the real reason why Mandrake/Suse/Fedora don't have of these problems is because someone in management can come down to the developers and say "We're paying you $xK per year and we want you to fix this *now*".
Debian may have more developers total but I'd bet most of them have a day job.
Me, I'm waiting for Sarge to be released so I can do a complete upgrade. I havn't really done that in a few years and it's always an interesting experience to have new versions of everything yet everything still works as smoothly as before...
Debian GNU/Linux 3.0r4 is not secure Posted Jan 4, 2005 16:45 UTC (Tue) by hazelsct (subscriber, #3659) [Link] I know, a bold claim, but well justified.
The mozilla version in Debian woody (1.0) has had dozens of known security holes for years. The security team refuses to admit 1.2 with security patches, because of fear of instability and incompatibility with what's there. The usual "patch the existing version" has failed miserably, because most of the security patches depend on code in 1.2 and not in 1.0.
This in spite of the testing by millions of mozilla/Netscape users the world over, not to mention (tens/hundreds of?) thousands of Debian users who use stable-proposed-updates and have not complained one bit.
Apparently, the Debian security team feels that it is worth leaving all of the Debian stable users with a buggy insecure product, rather than upgrading to a now-ancient and more stable secure product. Shame on Debian for their myopia regarding such an important issue.
-Adam (a Debian developer)
Debian GNU/Linux 3.0r4 is not secure Posted Jan 4, 2005 22:19 UTC (Tue) by syntaxis (subscriber, #18897) [Link] A solution may not be too far off; http://volatile.debian.net/ has the potential to address such issues in the future.
"Shame on Debian for their myopia regarding such an important issue.
-Adam (a Debian developer)"
If we're going to play the blame game, it should be noted that as a Debian developer you have it in your power to propose a GR to overrule the stable RM and security team, under section 4.1.3 of the Constitution.
So: shame on you, as well.
Debian GNU/Linux 3.0r4 released Posted Jan 25, 2005 18:41 UTC (Tue) by grouch (subscriber, #27289) [Link] What a collection of posts! Looks like quite a few people really have no clue what "stable", "testing", "unstable", "volunteer", "Linux", and "choice" mean.
Stable - roll it out across an entire network and let it work. Use it where you want the system to cause the least disruption over the long haul. Customize specific parts for specific needs on specific servers or workstations. This is not the release for pimply-faced gamers dual-booting with some band-aid covered disaster incubator.
Testing - fits best for the majority of desktop and modern workstation users. Most individuals and businesses do not run the latest gee-whiz hardware that just hit the market. Those who would install Debian on such hardware should be capable of actually reading and learning to use such things as "apt-cache search" to find a kernel image package or just compile their own.
Unstable - for the adventurous and the developer. I've tried Sid; he's crazy sometimes. A lot of people seem to enjoy Sid's mischievous nature.
Volunteer - you don't get paid to do the work. It's what you do when you see a problem for which you think you can find a solution, can find the time, and want the solution more than payment for the time.
Linux - the kernel you can build to suit yourself. Also, the OS you can customize to suit yourself.
Choice - yours. Nobody spends hundreds of millions of dollars a year to try to force you to use the distribution of Linux (or as Debian chooses to name it, GNU/Linux) that I choose.
I have high admiration and respect for the Debian volunteer gang. Of all the distributions I've used since about 1997, Debian GNU/Linux has consistently required the least maintenance and fewest surprises. I maintain working boxes using both "stable" and "testing". All the home boxes, except the firewall, are running "testing" and handle such things as USB scanner, printer, camera, DVD dual layer burner, CDRWs, mpeg2 hardware encoder/tv card, nVidia, Matrox, built-in and ATI cards, CF card readers, a WAP, Doom3, Return to Castle Wolfenstein, Quake3, Freecraft and Stratagus, and all the usual goodies you do with Linux boxes such as a home LAN webserver, db server, etc. These boxes all have "sarge" where "testing" used to be in /etc/sources.list. The firewall has "stable" in sources.list and has been so since "stable" was named Slink, with little or no disruption as the name changed.
|
|||||||||||||