By Jonathan Corbet
January 28, 2008
The Debian miniconf is one of the oldest of linux.conf.au traditions. This
year, Martin Krafft was the person who - with short notice - got to lead
off this gathering with the "state of Debian" talk. Debian, as always, is
an active project, and it seems that much is going well.
The Debian security team has grown over the last year. Martin noted that
Debian, for all practical purposes, had no security support for a period
after the Etch Sarge release. Those days are over, though, and Debian's security
support is, once again, solid. There is now good security support for the
testing distribution as well; in fact, testing updates often come out
before those for the stable distribution. That result comes from the fact
that testing updates do not need to support all architectures and there are
fewer embargo issues.
The upcoming Lenny release, it was noted, will have implemented most of the
features called for in the security-hardening specification.
The state of translations is good; Debian supports 58 languages now, and
may support 77 by the Lenny release. The Smith Review
Project has
been working through the package base, ensuring that package descriptions
are, well, descriptive, in proper English, and easily translatable.
On the ports side, the Sparc32 port has been officially retired; to the
dismay of relatively few users. The Lenny release will include a new port:
Debian GNU/kFreeBSD, which is based on the FreeBSD kernel. Martin thought
this port would appeal to those Debian users who have been complaining
about the increasing "multimedia orientation" of the Linux-based
distribution.
Much work is going into making the package repository more searchable. The
debtags project, which is putting a set of standardized tags onto packages,
is relatively advanced. This effort will address a number of longstanding
problems, like the fact that a search for "image editor" does not turn up
GIMP, which is an "image manipulation program." Debtags will also make it
possible to search for packages which are related to other packages. There
is also the apt-xapian-index
project, which is working toward
indexing all package metadata and providing a fast search capability.
Other bits of current status:
- The debian-med
project - building a version of Debian aimed at the
medical industry - is headed toward a 1.0 release.
- The Debian mirror network is growing. There are six new primary
mirrors, and around 100 new secondary mirrors.
- Lenny will use UTF-8 nearly exclusively. Developers are working on
fixing the remaining packages which do not yet support UTF-8.
- The venerable dselect is almost retired. There are still
dselect users out there; Martin suggests that all of those
folks move to aptitude.
- There are a lot of new games coming into the distribution.
- The Etch-and-a-half release will be happening soon. This is a version
of Etch which offers a 2.6.24 kernel - needed to make Etch work on
newer hardware. The original 2.6.18 kernel will remain an option for
Etch users.
Looking forward to 2008, Martin noted that the Lenny release is currently
planned for December. Lots of emphasis on "planned" - given Debian's
history in this regard, few people actually expect the release to happen on
time. Martin did say that things have been getting better in this regard,
with Etch being "only" four months behind schedule. A Lenny release which
is only a couple months late seems feasible.
Something which is just coming into play is the new "Debian maintainer"
status. Unlike full developers, maintainers cannot vote, have no access to
the debian-private list, and do not have much access to the wider Debian
infrastructure. About all they really can do is upload a specific set of
packages. So the "maintainer" designation is good for those who want to
maintain a small set of packages, but who are not looking to be an active
participant in Debian as a whole, and who do not want to run the "new
maintainer" gauntlet.
Martin was asked whether there was any thought of downgrading any existing
developers to maintainers. He said that there was some interest in doing
that. There are currently just over 1000 developers, all of whom have full
access to the repository. Some 400 of those are inactive, but they still
possess a key which lets them make changes to the system; this is a clear
security issue. The MIA project
is looking to identify these
people and, eventually, move them to inactive status. On the issue of
whether the project would be forcibly downgrading active developers who,
for whatever reason, are not entirely welcome in the community, Martin says
that will not be happening. There is just no way to do it without bringing
massive disruption and flame wars, and nobody wants that.
There was also a question on the role of the debian-private list. The
biggest use of debian-private, according to Martin, is vacation
announcements; developers need to let the project know that they will not
be around, but they do not wish to announce their absence to the wider
world. There are some other discussions there too, of course. Current
policy says that debian-private discussions will be disclosed after three
years in the absence of a request to the contrary. There's an effort afoot
to disclose older traffic from before the adoption of that policy, but that
requires the assent of all of the participants.
The debian-women project, unfortunately, is currently stalled; the main
participants have not had the time to push things forward. The
#debian-women channel remains active, though, and is generally a nice and
supportive place to be. There are currently about twelve active female
contributors to Debian. Martin thinks that women are becoming more present
in general, though, and he stated that "the Debian cowboy days are done."
On the packaging front: the packages.qa.debian.org
site has been redone in "beautiful CSS." There are now RSS feeds for those
who want to follow the status of specific packages. A new
"LowThresholdNMU" flag has been added; this is essentially a statement on
the part of the maintainer that he will not get offended if others upload
fixes to the package. Packages can now use bzip2 compression. There has
also been a major rework of the shared library infrastructure, which now
looks at actual symbol use when determining shared library dependencies.
This change should make it possible to install individual packages from
testing into a stable system without having to update all of the libraries
that package uses.
There is a growing trend toward team maintenance, especially for the larger
package sets. This approach increases the robustness of the system and
minimizes problems with MIA maintainers.
Version control systems are working their way into the Debian
infrastructure. Packages can now have a set of Vcs-* headers
which point to the upstream source repository; these can be used, for
example, with the debcheckout command to clone the source
repository without having to know anything about the source management
system used. Version control systems also offer a solution to the current
problem of "hackish packaging tools" being used by many developers. In the
future, source packages might just include a shallow repository which can
be fed straight to git (or some other system). This project is stalled at
the moment, but Martin thinks it will go somewhere; it would be nice if the
distributors could come up with a common scheme that they can all use.
The final topic in this session was a question from the audience on whether
Debian might ever go to a shorter release cycle. The projected 18 months
for Lenny seems like a step in that direction, but 18 months is still quite
a bit longer than the cycles used by many other free distributions. Martin
thinks that going shorter is unlikely. The fact of the matter is that
distribution upgrades are a hassle, requiring a fair amount of
administrative attention. Ubuntu may have made some progress with its use
of upgrade scripts, but the basic problem remains. On top of that, shorter
release cycles would necessarily lead to a shortening of the time for which
security updates are available for any specific release. And that, in
turn, would force users into more frequent updates whether they want to do
that or not. So one should not expect six-month release cycles from Debian
anytime soon.
(
Log in to post comments)