Martin Schulze | 18 Feb 21:40 2003

Debian Weekly News - February 18th, 2003

---------------------------------------------------------------------------
Debian Weekly News
http://www.debian.org/News/weekly/2003/07/
Debian Weekly News - February 18th, 2003
---------------------------------------------------------------------------

Welcome to this year's seventh issue of DWN, the weekly newsletter for
the Debian community. In addition to the [1]FLOSS report sponsored by
the European Commission, researchers at Stanford University's
Institute for Economic Policy Research designed another [2]survey and
asked the community for its assistance. If you have ever wondered
whether (GNU/)Linux was the only new and [3]free operating system
recently begun, take a look at [4]ReactOS, which aims to implement a
free version of NT.

 1. http://www.infonomics.nl/FLOSS/report/
 2. http://www.stanford.edu/group/floss-us/
 3. http://www.gnu.org/copyleft/gpl.html
 4. http://www.reactos.com/

Debian Project Leader Elections. Manoj Srivastava [5]announced the
final day of the nomination period. The candidate [6]platforms shall
be published on February 15th and rebuttals shall be published on
February 21st. David B. Harris and Adam Heath have volunteered to
conduct the DPL debate on IRC, probably towards the end of the month.
So far, Moshe Zadka, Bdale Garbee, Martin Michlmayr and Branden
Robinson chose to [7]run.

 5. http://lists.debian.org/debian-vote-0302/msg00037.html
 6. http://www.debian.org/vote/2003/vote_0001

Davide Inglima | 18 Feb 23:02 2003

Doom of Debian Re: Debian Weekly News - February 18th, 2003

Martin Schulze wrote:

> Removing mICQ from Debian? Martin Loschwitz [16]proposed to remove
> [17]mICQ from Debian entirely since the upstream author has placed a
> harmful and [18]obfuscated easter egg in the code, bypassing the
> maintainer's testing. Anthony Towns [19]asked all maintainers to
> review upstream changes before packaging code, Branden Robinson
> already [20]reads every line of diff that gets applied to his XFree86
> packages. Rüdiger Kuhlmann later [21]reported that the problems were
> resolved and that the easter egg was replaced. Martin Loschwitz also
> sent an [22]update.

If it isn't possible to trust free software, then it isn't valuable to bring on 
a project like Debian either. :(

While Anthony's proposal of "Reviewing all upstream changes" makes sense from a 
security standpoint, it will put the necessary strain on Debian to self-destruct 
the distribution. There already are problems to port 6000+ packages on (how 
many? 7? 11?) different architectures, this harmful easter egg could be the drop 
that tops off the distribution. I have already begun to see growing disaffection 
to GNU/Linux by former enthusiast people, and this can simply spell the final 
doom on the credibility of open-source.

This, of course, is my humble opinion, and I may (hopefully) be wrong.

-- 
                               Davide Inglima
          "The question of whether computers can think is like the"
        "question of whether submarines can swim." -- Edsgar Dijkstra
                   http://www.educ.di.unito.it/~st970743

Peter Mathiasson | 18 Feb 23:43 2003

Re: Doom of Debian Re: Debian Weekly News - February 18th, 2003

On Tue, Feb 18, 2003 at 11:02:36PM +0100, Davide Inglima wrote:
> While Anthony's proposal of "Reviewing all upstream changes" makes sense from 
> a security standpoint, it will put the necessary strain on Debian to 
> self-destruct the distribution. There already are problems to port 6000+ 
> packages on (how many? 7? 11?) different architectures, this harmful easter 
> egg could be the drop that tops off the distribution. I have already begun 
> to see growing disaffection to GNU/Linux by former enthusiast people, and 
> this can simply spell the final doom on the credibility of open-source.
> 
> This, of course, is my humble opinion, and I may (hopefully) be wrong.

Yeah. It's better to use proprietary databases with hidden back doors.
Open source actually improves the situation. It's a bit easier to hide
such things inside a binary than it is in the source.

-- 
Peter Mathiasson, peter at mathiasson dot nu, http://www.mathiasson.nu
GPG Fingerprint: A9A7 F8F6 9821 F415 B066 77F1 7FF5 C2E6 7BF2 F228

H. S. Teoh | 19 Feb 00:00 2003

Re: Doom of Debian Re: Debian Weekly News - February 18th, 2003

On Tue, Feb 18, 2003 at 11:02:36PM +0100, Davide Inglima wrote:
> Martin Schulze wrote:
[snip micq debacle]
> While Anthony's proposal of "Reviewing all upstream changes" makes sense from 
> a security standpoint, it will put the necessary strain on Debian to 
> self-destruct the distribution.

Umm... and the proof of this is where?

> There already are problems to port 6000+ packages on (how many? 7? 11?)
> different architectures, this harmful easter egg could be the drop that
> tops off the distribution.

Odd. I don't hear DD's expressing disillusionment over Debian or Linux
just because of mICQ, and giving up the project because of it. On the
contrary, we are now aware of another source of potential security issues,
and will watch out for it. I think rather than causing DD's to become
disaffected, this will improve the overall quality of Debian.

> I have already begun to see growing disaffection to GNU/Linux by former
> enthusiast people, and this can simply spell the final doom on the
> credibility of open-source. 
[snip]

I've begun to see a lot of former Windows enthusiast people get
disaffected, too. That doesn't mean very much, IMNSHO.

As for spelling doom on the credibility of open-source... if open-source
were *this* easily doomed, it'd have been over a long time ago, and we
wouldn't even be here today.  If open-source were really so fragile that a

Miles Bader | 19 Feb 02:33 2003

Re: Doom of Debian Re: Debian Weekly News - February 18th, 2003

Davide Inglima <st970743 <at> educ.di.unito.it> writes:
> I have already begun to see growing disaffection to GNU/Linux by
> former enthusiast people, and this can simply spell the final doom on
> the credibility of open-source.

Ha ha ha... such `enthusiasts' are hardly a loss, I think...

The security advantages of `open source' are simply a nice bonus,
they're hardly the main reason for its existence.

In any case, this is actually a sterling example of how source-code
availability and modifiability wins big:  note that the easter-egg in
question was installed by the program's _author_ -- and because the
source code was available, the problem could in fact be found and
corrected, even if not immediately.  If it was a proprietary program,
the easter-egg would still be there, and no one would be the wiser.
[Sure, there'd be less bad press, but that's like hiding your head
in the sand and claiming it's safe!]

The real issue is whether you trust the author/maintainer or not, and
whether the program is free-software/open-source/proprietary simply
makes no difference.  Sure, most free-software/open-source software gets
lots of code from outside sources, but the program maintainer is almost
always _much_ more careful about reviewing contributions than debian
package maintainers are about reviewing what comes from the maintainer.

-Miles
-- 
Is it true that nothing can be known?  If so how do we know this?  -Woody Allen


Davide Inglima | 19 Feb 16:31 2003

Re: Doom of Debian Re: Debian Weekly News - February 18th, 2003

Miles Bader wrote:
> Davide Inglima <st970743 <at> educ.di.unito.it> writes:

>> I have already begun to see growing disaffection to GNU/Linux by
>> former enthusiast people, and this can simply spell the final doom on
>> the credibility of open-source.

> Ha ha ha... such `enthusiasts' are hardly a loss, I think...

Well... if you think that you can get rid of enthusiasts you are wrong.
This is all IMO but think about it from this point of view: enthusiasts
make good testing ground. They do bug reports, they ask for features, they help 
other people enter both the Open Source mindset and the Free Software
one.

Some of them will also begin to code, helping you by providing patches, or at least 
try to do actual bug-hunting, finding that comma or bracket that makes the usage of 
a feature impossible in your program (an error that you, the programmer, failed to see in 
your long night coding sessions).

Other enthusiasts will help with funding.
If you think that the free software community can do without fandom, you are 
(IMO) wrong. Free Software needs people who believe in it. Otherwise people 
would just become software-apathetic and get back to closed-software... because... 
"Who cares? Bad software is Gnu, and Bad software is Windows, but at least I can 
do useful job with Windows, let's give 200$ to microsoft this year as well..."

Note: I am the first to say that the world would be better without linux-zealots 
or other *-zealots (put here any technical acronym, os name, hardware or 
software company or product). I am talking about enthusiasts.

Colin Watson | 19 Feb 16:52 2003

Re: Doom of Debian Re: Debian Weekly News - February 18th, 2003

On Wed, Feb 19, 2003 at 04:31:35PM +0100, Davide Inglima wrote:
> Ok, an explosion in this sense, in this kind of abuse of people's
> goodwill to trust the other, has yet to happen. This is just an
> example, and I didn't really want to talk about it. What I would
> have liked to underline is this: it's true: Debian has to do
> peer-review of the code that it distributes. But my question is: wouldn't
> this bring too much strain to the distribution?

What's the point of discussing whether it will or won't? We can only do
our best and see what happens. I'm certainly not going to give up
because somebody starts a thread with a scary subject line.

Cheers,

-- 
Colin Watson                                  [cjwatson <at> flatline.org.uk]

H. S. Teoh | 19 Feb 17:27 2003

Re: Doom of Debian Re: Debian Weekly News - February 18th, 2003

On Wed, Feb 19, 2003 at 03:52:42PM +0000, Colin Watson wrote:
> On Wed, Feb 19, 2003 at 04:31:35PM +0100, Davide Inglima wrote:
> > Ok, an explosion in this sense, in this kind of abuse of people's
> > goodwill to trust the other, has yet to happen. This is just an
> > example, and I didn't really want to talk about it. What I would
> > have liked to underline is this: it's true: Debian has to do
> > peer-review of the code that it distributes. But my question is: wouldn't
> > this bring too much strain to the distribution?
> 
> What's the point of discussing whether it will or won't? We can only do
> our best and see what happens. I'm certainly not going to give up
> because somebody starts a thread with a scary subject line.
[snip]

And if any "enthusiast" does give up just because of that, or just because
of a few lines of unscrupulous code in micq, then I question just how
enthusiastic they are.

T

-- 
If Java had true garbage collection, most programs would delete themselves
upon execution. -- Robert Sewell

Chad Walstrom | 19 Feb 18:37 2003

Why not work on a proposal? (was Re: Doom of Debian ...)

On Wed, Feb 19, 2003 at 04:31:35PM +0100, Davide Inglima wrote:
> Debian has to do peer-review of the code that it distributes.

With that statement, perhaps you will be one of the first to volunteer
working on adding a peer review framework.  Talk to the QA people with
your ideas and maybe you can work something into our package management
system.  It would be nice to see this as an additional feature for
Debian users as opposed to further requirements to hold up packages from
migrating through the lifecycle of Debian distributions.

-- 
Chad Walstrom <chewie <at> wookimus.net>           http://www.wookimus.net/
           assert(expired(knowledge)); /* core dump */

H. S. Teoh | 19 Feb 17:24 2003

Re: Doom of Debian Re: Debian Weekly News - February 18th, 2003

On Wed, Feb 19, 2003 at 04:31:35PM +0100, Davide Inglima wrote:
> Miles Bader wrote:
[snip]
> >Ha ha ha... such `enthusiasts' are hardly a loss, I think...
> 
> Well... if you think that you can get rid of enthusiasts you are wrong.

I think he's talking about supposedly enthusiastic people who give up at
the slightest sign of trouble. Not the real people who stick around and
actually try to solve the problem instead of running away.

[snip]
> Note: I am the first to say that the world would be better without 
> linux-zealots or other *-zealots (put here any technical acronym, os name, 
> hardware or software company or product). I am talking about enthusiasts.
>
> A coding community can't simply live without people that use the code.

Back when free software began, it was the coders themselves that used the
code. (This is the one point that open source beats proprietary source,
IMHO... you'll be shocked to hear how many proprietary developers never
actually use their own code on a regular basis. Inspires a lot of
confidence in what they sell...)

Of course, I'm not saying that we don't care about users and we're happy
as long as we use our own software. But the whole point of asking DD's to
audit every upstream diff is so that we *don't* lose users due to
unscrupulous upstream shenanigans. I think it improves, rather than
jeopardizes, the distribution.

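The practice the thread keeps coming back to, reading the whole upstream diff before packaging it, is easier to sustain when a small tool first tells the reviewer what changed and where to look first. The script below is an added example, not code from this thread, from Debian's tooling or from mICQ: it compares an old and a new upstream source tree, lists added, removed and modified files, produces a unified diff per modified file, and flags changes to build-system files, since (as the thread itself notes) what gets compiled in is decided there rather than in the C sources. The two source trees it compares are constructed for the demo, and the `BUILD_FILES` set is an assumption of the example, not a Debian policy list.

```python
"""Summarise an upstream source update for a package reviewer (added example)."""
import difflib
import tempfile
from pathlib import Path

# Build-system files a reviewer should read first: a one-line change here can
# switch code on or off without touching any .c file. This set is an
# assumption of the example, not anything Debian policy prescribes.
BUILD_FILES = {"configure", "configure.ac", "configure.in",
               "Makefile", "Makefile.am", "Makefile.in"}


def snapshot(root):
    """Map relative path -> text for every regular file below root."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_text(errors="replace")
            for p in root.rglob("*") if p.is_file()}


def review_upstream(old_root, new_root):
    """Compare two source trees and return a reviewer's summary dict."""
    old, new = snapshot(old_root), snapshot(new_root)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(f for f in set(old) & set(new) if old[f] != new[f])
    # One unified diff per modified file, the same thing a maintainer would
    # read by hand after unpacking the new tarball next to the old one.
    diffs = {
        f: "".join(difflib.unified_diff(
            old[f].splitlines(keepends=True), new[f].splitlines(keepends=True),
            fromfile="old/" + f, tofile="new/" + f))
        for f in modified
    }
    build_touched = sorted(f for f in added + modified
                           if Path(f).name in BUILD_FILES)
    return {"added": added, "removed": removed, "modified": modified,
            "build_touched": build_touched, "diffs": diffs}


def describe(summary):
    """Render the summary as text, build-system diffs before everything else."""
    lines = ["added: " + (", ".join(summary["added"]) or "none"),
             "removed: " + (", ".join(summary["removed"]) or "none"),
             "modified: " + (", ".join(summary["modified"]) or "none")]
    if summary["build_touched"]:
        lines.append("!! build files changed, read these first: "
                     + ", ".join(summary["build_touched"]))
    ordered = sorted(summary["modified"],
                     key=lambda f: Path(f).name not in BUILD_FILES)
    for f in ordered:
        lines.append("")
        lines.append(summary["diffs"][f].rstrip("\n"))
    return "\n".join(lines)


def make_demo_trees():
    """Write two small constructed source trees (not real mICQ sources).

    The new tree adds a banner module and, more importantly for a reviewer,
    a Makefile change that compiles it in via a new preprocessor define.
    """
    base = Path(tempfile.mkdtemp(prefix="upstream-review-"))
    old, new = base / "old", base / "new"
    old.mkdir()
    new.mkdir()
    (old / "main.c").write_text(
        '#include <stdio.h>\nint main(void) { puts("hello"); return 0; }\n')
    (old / "Makefile").write_text(
        "CFLAGS = -O2\nprog: main.c\n\t$(CC) $(CFLAGS) -o prog main.c\n")
    (new / "main.c").write_text(
        '#include <stdio.h>\n#ifdef SHOW_BANNER\nvoid show_banner(void);\n#endif\n'
        'int main(void) {\n#ifdef SHOW_BANNER\n    show_banner();\n#endif\n'
        '    puts("hello"); return 0; }\n')
    (new / "banner.c").write_text(
        '#include <stdio.h>\nvoid show_banner(void) { puts("constructed banner"); }\n')
    (new / "Makefile").write_text(
        "CFLAGS = -O2 -DSHOW_BANNER\nprog: main.c banner.c\n"
        "\t$(CC) $(CFLAGS) -o prog main.c banner.c\n")
    return str(old), str(new)


if __name__ == "__main__":
    old_tree, new_tree = make_demo_trees()
    print(describe(review_upstream(old_tree, new_tree)))
```

On the constructed trees the report names the new `banner.c`, marks `Makefile` as a build file to read first, and shows the `-DSHOW_BANNER` line in its diff before the `main.c` hunk; on a real package the same ordering puts the packaging-relevant change in front of the reviewer before the bulk of the source diff.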

Miles Bader | 20 Feb 02:33 2003

Re: Doom of Debian Re: Debian Weekly News - February 18th, 2003

Davide Inglima <st970743 <at> educ.di.unito.it> writes:
> Miles Bader wrote:
> > Ha ha ha... such `enthusiasts' are hardly a loss, I think...
> 
> Well... if you think that you can get rid of enthusiasts you are
> wrong.  This is all IMO but think about it from this point of view:
> enthusiasts make good testing ground. They do bug reports, they ask
> for features, they help other people to enter in both the Open Source
> mindset, and the Free Software one.

You misunderstood what I said -- I think enthusiasts in general are fine
and good, it's just these _particular_ enthusiasts that are `hardly a
loss.'

Free software has no problem attracting (and keeping) enthusiasts, so
we should hardly be upset if some of the less thoughtful ones change
their mind for some silly reason.

> > In any case, this is actually a sterling example of how source-code
> > availability and modifiability wins big: ....  If it was a
> > proprietary program, the easter-egg would still be there, and no one
> > would be the wiser.
> 
> Yes, but this does not answer by a mile the problem I was raising.

It certainly does answer what you said in your original message;
however you seem to have changed your argument below:

> If people are already driven off because of the Free Software/Open
> Source community at large's inability to get a common ground and


Re: Doom of Debian Re: Debian Weekly News - February 18th, 2003

On Thu, 2003-02-20 at 02:33, Miles Bader wrote:

> I see no connection between the `micq incident' and the points you
> raised above WRT standardization.  Please elucidate.

Please don't - I have the impression this thread won't get anywhere.

EOT?

cheers
-- vbi

-- 
Wiker's Law:
	Government expands to absorb revenue and then some.

Bernd Eckenfels | 19 Feb 03:11 2003

Re: Doom of Debian Re: Debian Weekly News - February 18th, 2003

On Tue, Feb 18, 2003 at 11:02:36PM +0100, Davide Inglima wrote:
> If it isn't possible to trust free software, then it isn't valuable to 
> bring on a project like Debian either. :(

Trusting Free Software in the first place, only because it is free, is not
very clever, either.

Greetings
Bernd
-- 
  (OO)      -- Bernd_Eckenfels <at> Wendelinusstrasse39.76646Bruchsal.de --
 ( .. )  ecki <at> {inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes <at> irc  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!

Sean Hunter | 19 Feb 10:19 2003

Re: Doom of Debian Re: Debian Weekly News - February 18th, 2003

On Tue, Feb 18, 2003 at 11:02:36PM +0100, Davide Inglima wrote:
> Martin Schulze wrote:
> While Anthony's proposal of "Reviewing all upstream changes" makes sense from 
> a security standpoint, it will put the necessary strain on Debian to 
> self-destruct the distribution. 

Right.  There are some who believe that the strength of open source lies
in ubiquitous peer review.  Debian (and open source software in general)
can _only_ benefit from more review, and upstream authors might actually
pull their socks up and improve their code if they knew others would
read the diffs.

> There already are problems to port 6000+ 
> packages on (how many? 7? 11?) different architectures, this harmful easter 
> egg could be the drop that tops off the distribution. I have already begun 
> to see growing disaffection to GNU/Linux by former enthusiast people, and 
> this can simply spell the final doom on the credibility of open-source.

This is utter nonsense.  The point of Debian is not to have gazillions
of k3wl packages.  The point is to have software that works well.  In
other words Open source gains credibility from quality.  Quality comes
from rigorous peer evaluation.  This is a key difference from closed
source and is one of the unique selling points of open source.  People
review the code.

I personally don't give a shit whether micq is in Debian.  I do care
about the fact that maintainers are simply accepting patches into
packages I do use without reviewing them.  That lowers quality and leads
to lack of credibility.


Davide Inglima | 19 Feb 15:58 2003

Re: Doom of Debian Re: Debian Weekly News - February 18th, 2003

Sean Hunter wrote:
> On Tue, Feb 18, 2003 at 11:02:36PM +0100, Davide Inglima wrote:
>> Martin Schulze wrote:

>> While Anthony's proposal of "Reviewing all upstream changes" makes sense from 
>> a security standpoint, it will put the necessary strain on Debian to 
>> self-destruct the distribution. 

> Right.  There are some who believe that the strength of open source lies
> in ubiquitous peer review.  Debian (and open source software in general)
> can _only_ benefit from more review, and upstream authors might actually
> pull their socks up and improve their code if they knew others would
> read the diffs.

See later.

>> There already are problems to port 6000+ 
>> packages on (how many? 7? 11?) different architectures, this harmful easter 
>> egg could be the drop that tops off the distribution. I have already begun 
>> to see growing disaffection to GNU/Linux by former enthusiast people, and 
>> this can simply spell the final doom on the credibility of open-source.

> This is utter nonsense.  The point of Debian is not to have gazillions
> of k3wl packages.  The point is to have software that works well.

Ok, that's a good point, but at the moment Debian boasts something like:

"Debian GNU/Linux provides more than a pure OS: it comes with more than 8710 
packages, precompiled software bundled up in a nice format for easy installation 
on your machine."


Re: Doom of Debian Re: Debian Weekly News - February 18th, 2003

On Wed, 2003-02-19 at 15:58, Davide Inglima wrote:

> If I open aptitude or dselect or browse the list of packages, I can see
> gazillions of k3wl packages which are old and many times don't work well, or 
> come without documentation, for gazillions of architectures

and

[other mail]
> 3) either [1] Debian has the guts to cut the number of packages that it ships,
>     or the Debian maintainers become part of the upstream package devteam for
>     any single package they maintain, or, simply put, the distribution will be
>     doomed.

Old/unmaintained packages are bad for Debian, and OSS in general,
agreed. There was a relatively long thread about exactly this some
months ago: should Debian be more aggressive to remove unmaintained
packages? (The not so clear answer was, iirc: probably yes, for the
stable distribution. No for the unstable distribution. To this I agree -
but there should, of course, be a stable distribution more often - but
this is another topic altogether, and much has been written on that
already).

Generally, however, I have the impression that packages in Debian work
most of the time (and this is using a quite crazy testing/unstable mix
on my personal workstation), and that maintainers are responsive.
Packages that don't work usually are very specific, and thus don't have
that many people testing them.

[from se oser mail]

H. S. Teoh | 19 Feb 17:02 2003

Re: Doom of Debian Re: Debian Weekly News - February 18th, 2003

On Wed, Feb 19, 2003 at 03:58:01PM +0100, Davide Inglima wrote:
[snip]
> I can see something like 11 architectures supported by the current 
> distribution.
> If I open aptitude or dselect or browse the list of packages, I can see
> gazillions of k3wl packages which are old and many times don't work well, 
> or come without documentation, for gazillions of architectures

Have you filed bugs against them?

[snip]
> I was only trying to state that:
> 
> 1) Debian is already a huge project, maybe really bigger than the needed, 
> with
>    many packages with pending bugs from 200+ days, and many other packages
>    that don't fit the (complex) debian policy

Then do something about it. File bugs against non-conforming packages.
Help track down old bugs and fix them. Ping the maintainer and remind him
of old bugs that haven't been fixed yet.

Over the past few months, I've been spending time on and off to hit on old
bugs (see http://master.debian.org/~ajt/oldbugs.html), and help ping old
bugs in base packages like glibc, grep, sed, etc.. You're most welcome to
join my efforts.

[snip]
> 3) either [1] Debian has the guts to cut the number of packages that it 
> ships,

Rüdiger Kuhlmann | 19 Feb 18:04 2003

Re: Doom of Debian Re: Debian Weekly News - February 18th, 2003


> Martin Schulze wrote:

> >Removing mICQ from Debian? Martin Loschwitz [16]proposed to remove
> >[17]mICQ from Debian entirely since the upstream author has placed a
> >harmful and [18]obfuscated easter egg in the code, bypassing the
> >maintainer's testing. Anthony Towns [19]asked all maintainers to
> >review upstream changes before packaging code, Branden Robinson
> >already [20]reads every line of diff that gets applied to his XFree86
> >packages. Rüdiger Kuhlmann later [21]reported that the problems were
> >resolved and that the easter egg was replaced. Martin Loschwitz also
> >sent an [22]update.

Actually, I take offence at this news item, since it leaves out large chunks of
relevant facts.

1) The whole trouble started with the mICQ maintainer being extremely to
   the upstream author (that's me). He ignored pretty much any request and
   bug report. Also, he removed my name from the copyright file!

   (the issues with him have been sorted out, that's what "the problems were
   resolved" refers to)
   (the package with the wrong copyright file is still in Debian/stable. 
   Debian hasn't reacted properly to this copyright violation in more than
   three months.)

2) The easter egg wasn't harmful by any stretch. It printed a message where
   to get the upstream .deb and exited. It was also only compiled in by
   someone modifying the packaging against my repeatedly expressed will.


Hamish Moffatt | 20 Feb 14:42 2003

Re: Doom of Debian Re: Debian Weekly News - February 18th, 2003

On Wed, Feb 19, 2003 at 06:04:54PM +0100, Rüdiger Kuhlmann wrote:
> 2) The easter egg wasn't harmful by any stretch. It printed a message where
>    to get the upstream .deb and exited. It was also only compiled in by
>    someone modifying the packaging against my repeatedly expressed will.

It made the package completely unusable which is considered 'grave' in
Debian bug severities, the second most serious type of bug.

Hamish
-- 
Hamish Moffatt VK3SB <hamish <at> debian.org> <hamish <at> cloud.net.au>

Brian T. Sniffen | 20 Feb 21:28 2003

Re: Doom of Debian Re: Debian Weekly News - February 18th, 2003


> On Wed, Feb 19, 2003 at 06:04:54PM +0100, Rüdiger Kuhlmann wrote:
> > 2) The easter egg wasn't harmful by any stretch. It printed a
> > message where to get the upstream .deb and exited. It was also
> > only compiled in by someone modifying the packaging against my
> > repeatedly expressed will.

Well, then it's not free software, and that also settles the issue,
right?  mIRC's very nice software, but if it's the will of the author
that people not modify it in certain ways, then it's not free.

-Brian
