
Debian Weekly News

From:  Martin Schulze <joey-AT-infodrom.org>
To:  Debian News Channel <debian-news-AT-lists.debian.org>
Subject:  Debian Weekly News - May 17th, 2005
Date:  Tue, 17 May 2005 21:07:05 +0200 (CEST)

---------------------------------------------------------------------------
Debian Weekly News
http://www.debian.org/News/weekly/2005/20/
Debian Weekly News - May 17th, 2005
---------------------------------------------------------------------------

Welcome to this year's 20th issue of DWN, the weekly newsletter for
the Debian community. A [1]paper from MIT discusses the development
process of Free Software, which is the basis for an [2]article on
Groklaw that emphasises the importance of Free Software due to its
educational potential. Looking at the traffic on the [3]debian-release
list it becomes apparent that Debian sarge will be released soon.

 1. http://opensource.mit.edu/papers/dafermoslinux.pdf
 2. http://web.archive.org/web/20210921174824/http://www.groklaw.net/article.php?story=20050508021510445
 3. http://lists.debian.org/debian-release/

Inconsistent Password Authentication. Shaul Karl [4]wondered about
the difference between a disabled login and a disabled password. Marc
Haber [5]explained how this works with ssh. Russ Allbery added some
[6]notes about the UsePam option. Brian May [7]reported even more
oddities.

 4. http://lists.debian.org/debian-devel/2005/05/msg00423.html
 5. http://lists.debian.org/debian-devel/2005/05/msg00689.html
 6. http://lists.debian.org/debian-devel/2005/05/msg00693.html
 7. http://lists.debian.org/debian-devel/2005/05/msg00741.html
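The thread above turns on the fact that a "disabled login" and a "disabled password" are set by different fields that different services consult. As an added illustration (example code written for this page, not from the debian-devel thread or from Debian), the script below reads /etc/passwd and /etc/shadow style records and lists, per account, which of the separate disable mechanisms is in effect: a '!'-prefixed hash (a property of the password), a '*' or empty hash, an expiry date in the past (a property of the account), and a non-interactive shell (a property that only services starting a shell care about). The records are constructed, and the three access paths it models are an assumption: whether a '!'-locked hash also refuses key-based ssh logins depends on the sshd build and the UsePAM setting, so the model takes the PAM path, where only the expiry date is an account-level check.

```python
"""Per-account report of the separate "disable" mechanisms in passwd/shadow.

Added example, not code from DWN, the debian-devel thread or Debian itself.
Records below are constructed; hashes are placeholders, not real digests.
"""
from __future__ import annotations
from dataclasses import dataclass

SAMPLE_PASSWD = """\
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/usr/sbin/nologin
dave:x:1003:1003:Dave:/home/dave:/bin/bash
erin:x:1004:1004:Erin:/home/erin:/bin/false
"""
# /etc/shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
alice:$6$salt$PLACEHOLDERHASH:12900:0:99999:7:::
bob:!$6$salt$PLACEHOLDERHASH:12900:0:99999:7:::
carol:*:12900:0:99999:7:::
dave:$6$salt$PLACEHOLDERHASH:12900:0:99999:7::12800:
erin:!:12900:0:99999:7:::
"""
TODAY_DAYS = 12920  # days since the epoch; fixed so the run is deterministic
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}


@dataclass
class AccountStatus:
    name: str
    password_locked: bool  # hash prefixed with '!' (passwd -l / usermod -L)
    no_password: bool      # '*', '!' or empty: no usable hash at all
    expired: bool          # expire field set and not in the future
    shell_disabled: bool   # login shell is a non-interactive stub

    @property
    def signals(self) -> list[str]:
        names = ["password-locked", "no-password", "expired", "shell-disabled"]
        flags = [self.password_locked, self.no_password, self.expired, self.shell_disabled]
        return [n for n, f in zip(names, flags) if f]


def parse_colon_file(text: str) -> dict[str, list[str]]:
    """Map the first field of each non-empty, non-comment line to its fields."""
    rows: dict[str, list[str]] = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows


def classify(passwd_text: str, shadow_text: str, today_days: int) -> dict[str, AccountStatus]:
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    statuses = {}
    for name, pw in passwd.items():
        sh = shadow.get(name)
        hash_field = sh[1] if sh else "*"  # no shadow row: no usable password
        expire_field = sh[7] if sh and len(sh) > 7 else ""
        bare = hash_field.lstrip("!")
        statuses[name] = AccountStatus(
            name=name,
            password_locked=hash_field.startswith("!"),
            no_password=bare in ("", "*"),
            expired=expire_field.isdigit() and int(expire_field) <= today_days,
            shell_disabled=pw[6] in NOLOGIN_SHELLS,
        )
    return statuses


# Three access paths, modelled simply (an assumption, see the lead-in):
#  - a password login consults the hash and the expiry date;
#  - a non-password login (an ssh key, say) consults only the expiry date,
#    because '!' marks the password rather than the account;
#  - an interactive login additionally needs a usable shell, which services
#    that never start a shell do not look at.
def password_login_blocked(s: AccountStatus) -> bool:
    return s.password_locked or s.no_password or s.expired


def key_login_blocked(s: AccountStatus) -> bool:
    return s.expired


def interactive_shell_blocked(s: AccountStatus) -> bool:
    return s.shell_disabled or s.expired


def inconsistent(s: AccountStatus) -> bool:
    """True when some path is blocked while another stays open: the
    'disabled login' versus 'disabled password' ambiguity of the thread."""
    blocked = [password_login_blocked(s), key_login_blocked(s), interactive_shell_blocked(s)]
    return any(blocked) and not all(blocked)


def report(statuses: dict[str, AccountStatus]) -> list[str]:
    lines = []
    for s in statuses.values():
        state = "fully disabled" if s.expired else ("partially disabled" if inconsistent(s) else "active")
        lines.append(f"{s.name:<6} {state:<18} signals={','.join(s.signals) or '-'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(classify(SAMPLE_PASSWD, SAMPLE_SHADOW, TODAY_DAYS))))
```

Run against real files it would need to read /etc/shadow as root; the point of the report is the "partially disabled" rows, where one path is closed and another is still open, which is exactly the state that a password lock alone produces.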

Mixing GNU GPL and FDL Content. Gueven Bay [8]wondered if he could mix
content licensed under the [9]GNU FDL and the [10]GNU GPL. Anthony
DeRobertis [11]emphasised that the two licenses are incompatible. One
would have to get permission from the copyright holders to distribute
their work under a different license.

 8. http://lists.debian.org/debian-legal/2005/04/msg00519.html
 9. http://www.gnu.org/copyleft/fdl.html
 10. http://www.gnu.org/copyleft/gpl.html
 11. http://lists.debian.org/debian-legal/2005/04/msg00520.html

Alioth on the Move. Wichert Akkerman [12]announced that [13]Alioth,
Debian's GForge incarnation, will move to a new server. Now that the
[14]AMD64 archive has been [15]moved to its own server, there will be
sufficient disk space on the new Alioth host. After the move, source
code and web pages will be on the same host again and password changes
won't need a day to take effect.

 12. http://lists.debian.org/debian-devel-announce/2005/05/msg...
 13. http://alioth.debian.org/
 14. http://www.debian.org/ports/amd64/
 15. http://lists.debian.org/debian-devel-announce/2005/05/msg...

Upgrade Tests. Steve Langasek [16]called for upgrade testers. It is
recommended to read the [17]release notes before upgrading, and in
particular Chapter 4, "Upgrades from previous releases". Andreas Barth
has prepared an upgrade report [18]template to help when reporting
problems with the upgrades. If you do run into problems please fill it
out, and email it to submit@bugs.debian.org.

 16. http://lists.debian.org/debian-devel-announce/2005/05/msg...
 17. http://www.debian.org/releases/sarge/releasenotes
 18. http://release.debian.org/upgrade-report.html

Debian is different. Anthony Awtrey took a [19]look at how the Debian
distribution is developed. He noted that the build and distribution
processes of commercial distributions are tightly locked up, while
development in Debian is open and freely accessible. He mentioned that
for some organisations it is vital that these processes are visible,
available and extensible.

 19. http://www.awtrey.com/tony/foss/debianisdifferent.php

Automatic Package Testing. Lars Wirzenius [20]wrote down his thoughts
about automatic testing of Debian packages. These include testing of
upstream functionality with unit tests and the like which should be
added to the upstream source. Testing of Debian packaging
functionality should be done in tools like [21]linda and [22]lintian.
For installation and removal tests a new tool would be needed.

 20. http://liw.iki.fi/liw/log/2005-05.html#20050507b
 21. http://packages.debian.org/linda
 22. http://packages.debian.org/lintian

Call for a Free BIOS. Richard Stallman [23]called for support and help
in freeing the computer BIOS. Formerly it ran from read-only memory and
could not be replaced, but these days it is stored in non-volatile
writable memory. He asked people to purchase CPU chips from
manufacturers that support a free BIOS. In light of digital restriction
management it becomes even more important to be able to [24]trust the
computer.

 23. http://www.fsf.org/campaigns/free-bios.html
 24. http://www.gnu.org/philosophy/can-you-trust.html

Security Updates. You know the drill. Please make sure that you update
your systems if you have any of these packages installed.

 * DSA 723: [25]xfree86 -- Arbitrary code execution.

 25. http://www.debian.org/security/2005/dsa-723

New or Noteworthy Packages. The following packages were added to the
unstable Debian archive [26]recently or contain important updates.

 26. http://packages.debian.org/unstable/newpkg_main

 * [27]chewmail -- Mail archiver for various mailbox formats.
 * [28]cogito -- Version control system.
 * [29]dbacl -- Digramic Bayesian text classifier.
 * [30]flow-tools-dev -- development files for flow-tools.
 * [31]matrox-tvout -- configure a Matrox G550 for NTSC TV output.
 * [32]mountpy -- Script for quick mounting of removable devices.
 * [33]qtdmm -- GUI for digital multimeter.
 * [34]r-cran-bayesm -- GNU R package for Bayesian inference.
 * [35]typo3 -- Powerful content management framework.
 * [36]vkeybd -- Virtual Keyboard program.
 * [37]xkbset -- Small utility to change the AccessX settings of
   XKEYBOARD.
 * [38]z80asm -- Assembler for the Zilog Z80 microprocessor.

 27. http://packages.debian.org/unstable/mail/chewmail
 28. http://packages.debian.org/unstable/devel/cogito
 29. http://packages.debian.org/unstable/text/dbacl
 30. http://packages.debian.org/unstable/libdevel/flow-tools-dev
 31. http://packages.debian.org/unstable/misc/matrox-tvout
 32. http://packages.debian.org/unstable/utils/mountpy
 33. http://packages.debian.org/unstable/science/qtdmm
 34. http://packages.debian.org/unstable/math/r-cran-bayesm
 35. http://packages.debian.org/unstable/web/typo3
 36. http://packages.debian.org/unstable/sound/vkeybd
 37. http://packages.debian.org/unstable/x11/xkbset
 38. http://packages.debian.org/unstable/devel/z80asm

Removed Packages. Six packages have been [39]removed from the Debian
archive during the past week:

 39. http://ftp-master.debian.org/removals.txt

 * ibm-jdk1.1-installer -- Installer for IBM Developer Kit for Linux
   [40]Bug#308191: Request of Maintainer; Superseded by java-package
 * libapache-mod-dynvhost -- Apache Dynamic Virtual Hosting
   [41]Bug#308240: Request of Maintainer; Functionality already in
   mod_rewrite
 * perl-transition -- Transitional packages for perl-5.004, 5.005 and
   5.6
   [42]Bug#308697: Request of Maintainer; Obsolete transitional
   package
 * xpdf-i -- Dummy transitional package for xpdf with decryption
   support
   [43]Bug#308753: Request of Maintainer; Obsolete transitional
   package
 * prozilla -- Multi-threaded download accelerator
   [44]Bug#308826: Request of Maintainer; includes non-free code,
   obsolete, orphaned upstream
 * expect-dummy -- Dummy upgrade package for expect 5.24 and 5.31
   [45]Bug#308713: Request of Maintainer; Obsolete transitional
   package

 40. http://bugs.debian.org/308191
 41. http://bugs.debian.org/308240
 42. http://bugs.debian.org/308697
 43. http://bugs.debian.org/308753
 44. http://bugs.debian.org/308826
 45. http://bugs.debian.org/308713

Want to continue reading DWN? Please help us create this newsletter.
We still need more volunteer writers who watch the Debian community
and report about what is going on. Please see the [46]contributing
page to find out how to help. We're looking forward to receiving your
mail at [47]dwn@debian.org.

 46. http://www.debian.org/News/weekly/contributing
 47. mailto:dwn@debian.org


-- 
To UNSUBSCRIBE, email to debian-news-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org




Debian Weekly News

Posted May 18, 2005 1:17 UTC (Wed) by syndicate (guest, #27535) (3 responses)

I think the first entry just goes to show you how broken our authentication system is. Although I don't have any solutions and I am just complaining, it irks me to see that /etc/passwd is still this broken in terms of application support and methods of determining an account status.

Debian Weekly News

Posted May 18, 2005 6:46 UTC (Wed) by jwb (guest, #15467) (2 responses)

It's even worse than it appears. To many people, "disabling" a login means setting the shell to /bin/false or some other unobvious act. PAM has never understood the difference between authentication - does the user claim to have an account, and can they prove it? - and authorization - is the authenticated user allowed to do this thing? Suppose you want to add a user, identified by an RSA key, who can send mail via SMTP, retrieve mail via IMAP, send and receive files with FTP, access a private website, but not log in via SSH or do any other thing. With your average Linux system this would either be impossible or very inconvenient. There's a lot of room for improvement in the auth/authz department.

Debian Weekly News

Posted May 18, 2005 6:56 UTC (Wed) by khim (subscriber, #9252)

PAM never differentiates between authentication and authorization, since it's useless (and dangerous!) cruft for PAM. It will not even differentiate between the situation when a user is registered in the system and when the same user typed a wrong password - this is by design.

And as far as the user "identified by an RSA key, who can send mail via SMTP"... this is a bigger problem than you may think: pam_listfile will not help here at all. You need some way to deliver that RSA key to PAM! And since most web protocols have no support for this...
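The "by design" remark above refers to a property an authentication service wants: if an unknown user and a wrong password produced different answers, anyone could learn which usernames exist. The following added example (written for this page, not code from the thread or from PAM) shows the two designs side by side over a constructed user store: authenticate() returns one shared failure string and performs the same key derivation in both failure cases, while leaky_authenticate() is the differentiating version. The function names, the PBKDF2 parameters and the sample user are all assumptions made for the example.

```python
"""Uniform authentication failure: the same answer, and the same amount of
work, whether the user is unknown or the password is wrong.

Added example, not code from the thread or from PAM; the user store is
constructed and the key-derivation parameters are illustrative.
"""
from __future__ import annotations
import hashlib
import hmac
import os

ITERATIONS = 50_000  # illustrative PBKDF2 cost, not a recommendation
SALT_LEN = 16


def make_record(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salt + PBKDF2-HMAC-SHA256 digest for a stored credential."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed user store with a fixed salt so the example is repeatable.
USERS = {"alice": make_record("correct horse battery staple", b"A" * SALT_LEN)}

# A record for nobody in particular: the unknown-user branch derives a key
# against it so that both failure branches do the same work.
_DUMMY_SALT, _DUMMY_DIGEST = make_record("dummy", b"D" * SALT_LEN)


def authenticate(user: str, password: str) -> str:
    """Return 'ok' or a single, shared failure string. The unknown-user case
    and the wrong-password case are indistinguishable to the caller."""
    salt, expected = USERS.get(user, (_DUMMY_SALT, _DUMMY_DIGEST))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    matched = hmac.compare_digest(candidate, expected)
    # The dummy record must never grant access, even if someone happens to
    # present its password, hence the membership check after the comparison.
    return "ok" if matched and user in USERS else "authentication failure"


def leaky_authenticate(user: str, password: str) -> str:
    """The contrasting design: distinct messages (and an early return that
    skips the key derivation) tell the caller whether the username exists."""
    if user not in USERS:
        return "no such user"
    salt, expected = USERS[user]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "ok" if hmac.compare_digest(candidate, expected) else "bad password"


if __name__ == "__main__":
    for fn in (authenticate, leaky_authenticate):
        print(fn.__name__, "|", fn("alice", "wrong"), "|", fn("nobody", "wrong"))
```

The same principle applies to logging: an audit record may distinguish the two cases for the administrator, but the response returned to the client should not.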

Debian Weekly News

Posted May 19, 2005 15:34 UTC (Thu) by mmarsh (subscriber, #17029)

My understanding was that PAM is exclusively an authentication mechanism. Authorization (and audit, to complete the gold standard) is a separate thing, to be verified once you know *who* a principal is. The authorization mechanism in Linux is generally pretty simplistic, unless you add something like SELinux. I'd bet that SELinux could be used to set up the rights that you mention, though how easy it would be is another matter. For instance, if you allow FTP, does that give the user a way to get a shell?

There's definitely room for improvement, but then isn't there always?


Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds