Debian sarge release update [LWN.net]

From:		Andreas Barth <aba-AT-not.so.argh.org>
To:		debian-devel-announce-AT-lists.debian.org
Subject:		Release update: debian-installer, kernels, infrastructure, freeze, etch, arm
Date:		Fri, 1 Apr 2005 15:48:00 +0200
Archive-link:		Article, Thread

Hello world,


Let's take a break from talking about etch plans to talk about sarge
again, shall we?


Debian Installer RC3, kernels
-----------------------------

The RC3 release of the debian-installer has been published.  As Joey
Hess mentions in his announcement[0], this has been the best-tested
Debian Installer release candidate to date and it continues to hold up
under scrutiny, and the release team will be proud to use it as the
installer for sarge.  Thanks to the Debian-Installer team for their
great work.

However, various pending kernel (security) updates have shown us that
the current way of changing debian-installer for a new kernel ABI is
quite painful.  We are about to decide how we will do future kernel
updates in sarge.


The fate of 80386 is in your hands
----------------------------------

Currently, the 80386 sub-architecture for i386 is unmaintained.
Although sarge will include kernels capable of emulating certain 486+
instructions needed by current userspace libraries, this emulation
includes known root security holes; therefore, we cannot offer any
assurances that 80386 is supported in the tradition of Debian stable
releases.

This is a last call for volunteers: if 80386 is to be supported for
sarge, we need someone with knowledge of this architecture to step
forward to provide a secure solution (in kernel or in userspace), test
upgrade paths, and handle various other tasks necessary to get the
subarch in shape for sarge.  If no one steps forward, we will be forced
to drop official support for 80386 in sarge.

If 80386 will not be officially supported for sarge, we will also not
provide an upgrade path for existing 80386 users of woody.


ARM buildd lossage
------------------

As many of you have noticed (and asked about), the ARM autobuilders are
not keeping up with package uploads to unstable right now, because
several of them are currently off-line due to various hardware failures
and software/network configuration difficulties.  By the time you read
this, at least one fast ARM buildd is back on-line and started to catch
up; more buildds are to come.  Even so, given that the build queue for
arm is currently 500 packages deep, it will take some time to catch up
again.  We're working on this issue as quickly as possible, though, so
please, no hardware offers right now!

In the meantime, if you have a release-critical bugfix for sarge that is
being held out of testing *only* by a missing arm build, please contact
the release team so that we can arrange to push the package in if
appropriate.


testing-proposed-updates, testing-security
------------------------------------------

Getting testing-security up has steady progress.  OpenSSH 3.9 was
successfully compiled with woody's toolchain, and the connection reusing
feature from 3.9 is now being used by some buildds to find any remaining
issues.  As soon as this has been thouroughly tested, there should only
be the routine maintenance matter of setting up the wanna-build
databases for these queues and configuring/updating the testing chroots
on the buildds.


Freeze ahead
------------

With these changes done, we are now on the home stretch for the sarge
release.  We are now only waiting on the arm buildds to recover and
catch up to a reasonable extent, and on one last glibc upload -- and
then sarge is FREEZING.  This is, therefore, the last call for uploads
for sarge: if you have any final important changes to your packages
which you think need to make it into sarge, upload them now or never.

On a related note, we are now down to 90 open RC bugs in sarge -- and
many thanks to everyone who has worked so tirelessly to beat these bugs
into submission.  This means that if you have a release critical bug
open on one of your packages that's more than a week old, and you
haven't heard from anyone offering you patches, suggestions, or NMUs,
*assume your package has been removed from testing*.  If you want to
make sure it ships with sarge, a good time to upload it would be, um...
last month.  If you hurry, your package might still make it onto the
ark (the ark of arches?) before the frozen floods come slushing... ok,
this analogy is sunk.  Anyway, if you haven't fixed the RC bugs in your
packages yet, you should do so immediately.


Major changes in etch
---------------------

If you intend to make major changes (like a C++ ABI bump) during the
development of etch, please speak with the release team as soon as
possible, describing the changes you're planning and why.  This way, we
can help you to make your transitions as smooth as possible, ensuring
that packages go quickly into testing/etch, don't hold up other packages
or the release in general, and don't take us by surprise.  We would
appreciate it if you could send these emails before the end of April
to debian-release@lists.debian.org.


Upload targets
--------------

Those changes that are still needed for sarge should continue to be
uploaded according to the following guidelines:

  - If your package is frozen, but the version in unstable contains only
    changes suitable for testing, upload to unstable only and contact
    debian-release@lists.debian.org if changes need to be pushed through
    to testing.

  - If your package is frozen and the version in unstable includes
    changes that should NOT be part of sarge, contact
    debian-release@lists.debian.org with details about the changes you
    plan to upload (diff -u preferred).  If the release team approves of
    these changes, upload to testing-proposed-updates.  Changes should
    be limited to translation updates and fixes for important or RC
    bugs. 

  - If you need to do a bug fix directly in sarge, you will need to
    upload to testing-proposed-updates as well, with the same
    requirements as for frozen packages.

  - All other package updates should be uploaded to unstable only.
    Please use urgency=high for uploads that fix RC bugs for sarge
    unless you believe there is a significant chance of breakage in the
    new package.

If you want to increase the urgency of an already uploaded package,
please speak with the release team; this can be sorted out without the
need for another upload.


Keeping track of RC bugs in testing
-----------------------------------

Since BTS version tracking is a post-sarge feature, we depend on your
help to keep track of RC bugs that have been fixed in unstable but not
testing.  Over the past few months, we've been tracking these bugs
mainly through the use of reopened, sarge-tagged bug reports.  You can
continue to use this method to let the release team know about
release-critical issues, but we would encourage you to use
http://www.wolffelaar.nl/~sarge/ to send us comments on the
importance of particular updates waiting in testing.  This applies not
just to release-critical issues (which should be marked as "critical" on
that page), but also to important ones (and "minor" ones, if you feel
inclined).  For usage information about this site, please see the
previous announcement concerning it[1].


Cheers,
-- 
Andi Barth
Debian Release Team

[0] http://lists.debian.org/debian-boot/2005/03/msg00764.html
[1] http://lists.debian.org/debian-devel-announce/2004/09/msg...

(Log in to post comments)

Debian sarge release update

Posted Apr 1, 2005 16:53 UTC (Fri) by lacostej (guest, #2760) [Link]

that would be a very sick joke...

Otherwise, Debian will join the same software space as "Duke Nukem Forever".

http://www.3drealms.com/duke4/ ...

No, it's not a joke

Posted Apr 1, 2005 18:04 UTC (Fri) by JoeBuck (subscriber, #2330) [Link]

They are talking about dropping support for true 80386 processors, that is, processors so old that they don't support 80486 instructions. If you bought your system in the last decade, you have at least a 486. They aren't joking about dropping the x86 architecture.

IIRC, libstdc++ for x86 architecture will use some 486 instructions for locking even if you set the target to i386, because there wasn't decent support for atomic operations on the i386.

No, it's not a joke

Posted Apr 1, 2005 18:40 UTC (Fri) by dlang (✭ supporter ✭, #313) [Link]

embedded systems still use 80386 equivalents that don't support the 486 instructions

No, it's not a joke

Posted Apr 4, 2005 3:44 UTC (Mon) by barryn (subscriber, #5996) [Link]

FWIW, somebody brought this up on one of the Fedora mailing lists a while back, and IIRC it turned out that x86-based embedded systems actually have (at least) the 486 instruction set these days.

No, it's not a joke

Posted Apr 1, 2005 21:32 UTC (Fri) by ballombe (subscriber, #9523) [Link]

>IIRC, libstdc++ for x86 architecture will use some 486 instructions for locking even if you set the target to i386, because there wasn't decent support for atomic operations on the i386.

You can actually build libstdc++ for i386 but you get a different ABI so you have to recompile every C++ software and you are incompatible with any other distro out there. Not an option for Debian.

Still running Woody

Posted Apr 5, 2005 23:55 UTC (Tue) by andrel (subscriber, #5166) [Link]

I've got about 70 machines still running Woody. Popcon is down due to the RAID crash on Gluck, but as I recall about 1/5 of the responding machines are running Debian Stable. (Because for a while the Sarge installer was encouraging people to install popularity-contest, the percent is biased against Woody.)

It's not too late.

Posted Apr 6, 2005 12:43 UTC (Wed) by wookey (subscriber, #5501) [Link]

All my internet-facing machines still run woody (with a few bits like spamassassin and clamav from backports.org).

A release last year would have been nice, but one this year will do just as well. In fact I'm rather dreading having to update a lot of fancy exim3 config to exim4, and erm, probably load of other stuff. Still - I get a year or so to get round to it.

People are very rude about woody (and that's probably fair enough for desktops - use testing or unstable - I do) but I'm very grateful for a slow release cycle for my servers.

It's not too late.

Posted Apr 7, 2005 17:57 UTC (Thu) by yodermk (subscriber, #3803) [Link]

> but I'm very grateful for a slow release cycle for my servers.

Me too, but let's face it, there is such a thing as too slow, and Sarge has crossed that line.

Linux has improved a lot since 2002, and I want my Debian server to catch up.

IMHO the ideal release cycle for a good solid server platform is maybe every 18-24 months. Debian is at, what, 30 months now?

Woody not just old, it's unsafe

Posted Apr 7, 2005 5:15 UTC (Thu) by ncm (subscriber, #165) [Link]

The Debian policy of only backporting fixes for bugs that have been noticed to have security implications means that internet-facing Woody systems are at serious risk. An attacker need only examine released fixes for bugs from the last three, four, five years that were not backported, and pick out an exploitable one from among them. This is easiest in libraries depended upon by security-critical code.

OpenBSD is the only distribution I know that treats all bugs as potential security holes unless proven otherwise.