Re: [Pkg-xfce-devel] Reverting to GNOME for jessie's default desktop
On Mon, 2014-08-11 at 03:20 +0100, Anthony F McInerney wrote:
[...]
> If people have old CD only machines I would not like to attempt to get
> kernel 3.16 +drivers +userland working on that. I've been in that
> situation plenty of times, where woody or potato are better simply
> because the drivers had been deprecated. Let's not go into the
> 256/512MB of ram that the CD only computer has and how much gnome or
> xfce is going to chew up and bring the machine to a crawl as soon you
> try to do anything and it hits swap.
[...]

I have a wheezy VM running Xfce comfortably in 256 MB (only a third of which is used at this moment, excluding caches and buffers). I doubt that jessie is going to require vastly more memory.

So I think that Xfce and CD media are still going to be useful for people who are stuck with older hardware. If we agree that it's important to support installation from a single CD (rather than 2+ CDs or downloads) then Xfce would probably be the right default DE for that single CD. I do not support making it the default in general, though.

Ben.

-- 
Ben Hutchings
Humans are not rational beings; they are rationalising beings.

signature.asc
Description: This is a digitally signed message part
Re: iso disc
This is not the right list to ask; debian-user would be more appropriate in future. But see below.

On Wed, 2014-11-05 at 07:58 -0800, Vanessa wrote:
> hello,
> I've been to 5 different sites, and yours and make 6 total
>
> I can download any of the dvd current stable images
> with the exception of
>
> 7.7.0/i386/iso-dvd/debian-7.7.0-i386-DVD-2.iso
>
> it keeps cratering at about 3.9 gig on the download
> is there something wrong with the download
> even the Debian site itself cratered at about the same point
>
> tried HTTP and FTP and no difference
[...]

You will be unable to download files larger than about 4 GiB if either:

- The download directory is on a FAT filesystem (which is the usual filesystem on removable flash cards and sticks).
- The download program uses 32-bit file sizes. I don't know which common programs still have this problem.

(The first DVD image is deliberately limited to be less than 4 GB so that it can be written to a 4 GB flash card. This also happens to avoid problems with 4 GiB limits.)

Ben.

-- 
Ben Hutchings
The program is absolutely right; therefore, the computer must be wrong.
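The two conditions in the reply above can be checked before a download starts. The following is an added example, not part of the original message: it looks up the filesystem type of the destination directory in a mount table in `/proc/mounts` format and compares the expected size with the FAT and 32-bit limits. The function names and the sample mount table are constructed for illustration.

```python
import os
import re

FAT32_MAX_FILE = 2**32 - 1           # largest file a FAT32 volume can hold, in bytes
FAT_FSTYPES = {"vfat", "msdos"}      # Linux mount type names for FAT volumes

# Constructed sample in /proc/mounts format (device, mount point, type, options, ...).
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,relatime 0 0
/dev/sdb1 /media/usb\\040stick vfat rw,nosuid,nodev 0 0
"""


def _unescape(field):
    # The kernel writes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def fs_type_for(path, mounts_text):
    """Return (mount_point, fstype) for the deepest mount that contains path."""
    path = os.path.normpath(path)
    best = ("", None)
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        mount, fstype = _unescape(parts[1]), parts[2]
        inside = (path + "/").startswith(mount.rstrip("/") + "/")
        # ">=" lets a later mount stacked on the same directory win.
        if inside and len(mount) >= len(best[0]):
            best = (mount, fstype)
    return best


def check_download(size_bytes, dest_dir, mounts_text, size_field_bits=64):
    """Return a list of reasons the download cannot complete (empty if none)."""
    problems = []
    mount, fstype = fs_type_for(dest_dir, mounts_text)
    if fstype in FAT_FSTYPES and size_bytes > FAT32_MAX_FILE:
        problems.append(
            f"{mount} is {fstype}: files are limited to {FAT32_MAX_FILE} bytes")
    if size_bytes > 2**size_field_bits - 1:
        problems.append(
            f"size does not fit the client's {size_field_bits}-bit file size field")
    return problems


if __name__ == "__main__":
    # On a real system, read the live mount table instead of the sample.
    try:
        with open("/proc/mounts") as fh:
            mounts = fh.read()
    except OSError:
        mounts = SAMPLE_MOUNTS
    for reason in check_download(5 * 2**30, os.getcwd(), mounts):
        print("warning:", reason)
```
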
Re: Download Debian
On Sun, 2015-03-22 at 17:49 +, Luca Guiraldello wrote:
> Hello, I am a Brazilian student and just like to congratulate the
> Project.
> I just had a problem as to find on the server the latest version of
> the system, I think it would be more visible to leave only one button
> for both x86 and 64bit because of the way in which is it is difficult
> to locate them.

Where? The download link on the front page is for an installer that supports both 32-bit and 64-bit x86.

Ben.

-- 
Ben Hutchings
If you seem to know what you are doing, you'll be given more to do.
Re: What it means to be Debian
On Tue, 2015-06-16 at 18:27 +0500, Andrey Rahmatullin wrote:
> On Tue, Jun 16, 2015 at 02:46:45PM +0200, Dominik George wrote:
> > Mostly, I *personally* do not find those people authentic enough to
> > uphold any such community standard. It's somewhat like donating to a
> > species conservation organisation, taking the money from a purse made of
> > crocodile skin. It's quite impossible to take it seriously.
> Debian isn't advertised as a distribution whose main goal is to provide
> 100% free something while not providing anything non-free,
[...]

Yeah it's such a minor goal that it's the first point of the Social Contract.

Ben.

-- 
Ben Hutchings
Beware of bugs in the above code; I have only proved it correct, not tried it. - Donald Knuth
Re: Repository Link are NOT https://
On Thu, 2015-09-03 at 19:05 +0200, tom wrote:
> Hi,
>
> I have discovered that none of the repository links is https:// . Is it
> not safer to use only https:// connections.
>
> And as well the download of a debian distro is only http:// .
>
> Sorry to say that but nearly all other distros used for the download
> link https:// . But as repository links they all used only http://
> connections like debian.

It is not necessary to use HTTP-S for authentication of packages:
http://catless.ncl.ac.uk/Risks/28.58.html#subj13.1

If you need to avoid revealing which packages you are downloading, HTTP-S doesn't do that because it is still possible to observe the length of each response. In that case you should perhaps use Tor:
http://www.richardhartmann.de/blog/posts/2015/08/25-Tor-enabled_Debian_mirror_part_2/

Ben.

-- 
Ben Hutchings
Everything should be made as simple as possible, but not simpler. - Albert Einstein
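Package authentication does not depend on the transport because an APT repository carries a hash chain: the signed Release file lists the hash of each Packages index, and each Packages stanza lists the hash of its .deb. The following is an added example, not part of the original message: it walks that chain over a constructed repository and assumes the OpenPGP signature on the Release file has already been verified; the function names and sample data are illustrative.

```python
import hashlib

INDEX = "main/binary-amd64/Packages"
DEB = "pool/main/h/hello/hello_1.0-1_amd64.deb"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_release_sha256(release_text):
    """Map index path -> (sha256, size) from the SHA256: block of a Release file."""
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
        elif in_block and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_block = False
    return entries


def parse_packages(packages_text):
    """Map Filename -> {field: value} for each stanza of a Packages index."""
    by_file = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t"):      # continuation of a multi-line field
                continue
            key, _, value = line.partition(":")
            fields[key] = value.strip()
        if "Filename" in fields:
            by_file[fields["Filename"]] = fields
    return by_file


def verify_deb(release_text, index_path, packages_bytes, deb_path, deb_bytes):
    """Check deb_bytes against a Release file whose signature is already verified.

    Returns (ok, reason)."""
    listed = parse_release_sha256(release_text).get(index_path)
    if listed is None:
        return False, "index not listed in Release"
    if (sha256_hex(packages_bytes), len(packages_bytes)) != listed:
        return False, "Packages index does not match Release"
    stanza = parse_packages(packages_bytes.decode("utf-8")).get(deb_path)
    if stanza is None:
        return False, "package not listed in Packages"
    if (len(deb_bytes) != int(stanza.get("Size", -1))
            or sha256_hex(deb_bytes) != stanza.get("SHA256")):
        return False, "package does not match Packages"
    return True, "ok"


def build_sample_repo():
    """Constructed sample: a stand-in .deb, its Packages index and Release file."""
    deb = b"constructed stand-in for a .deb archive\n"
    packages = (
        "Package: hello\nVersion: 1.0-1\nArchitecture: amd64\n"
        f"Filename: {DEB}\nSize: {len(deb)}\nSHA256: {sha256_hex(deb)}\n"
        "Description: constructed sample\n extended description line\n"
    ).encode("utf-8")
    release = (
        "Origin: Example\nSuite: stable\nSHA256:\n"
        f" {sha256_hex(packages)} {len(packages)} {INDEX}\n"
    )
    return release, packages, deb


if __name__ == "__main__":
    release, packages, deb = build_sample_repo()
    print(verify_deb(release, INDEX, packages, DEB, deb))
    # A mirror or network path that alters the package is caught by the chain.
    print(verify_deb(release, INDEX, packages, DEB, deb + b"altered"))
```
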
Re: Any Debian support for CubaConf
On Sat, 2016-02-27 at 09:18 +0100, Daniel Pocock wrote:
>
> On 27/02/16 04:05, Gunnar Wolf wrote:
[...]
> > FWIW, I'm *not* implying we should refrain from supporting
> > CubaConf. In fact, I was privately contacted by Valessio, as I'm
> > among the closest DDs to the island; I denied because the dates are
> > impossible to me.
> >
> > Also worth noting: Back in 2011, I went to PGDay in Cuba, together
> > with other three people with a PostgreSQL affiliation. PostgreSQL
> > is a SPI-hosted project as well. SPI was, however, unable to
> > reimburse our travel due to the US-Cuba embargo.
> >
> > I know the relations between said nations is on its way to
> > renormalization, but AFAICT the embargo is still active, so we
> > should better check with lawyers if we are to offer reimbursement
> > to anybody to attend.
> >
>
> Debian does not have an exclusive relationship with SPI, the audit
> committee wiki page[1] lists several Debian trust organizations in
> European countries.

The Debian UK Society reimbursed one DD for attending a conference in Cuba, in 2006. (Reported here: https://lists.debian.org/debian-devel-announce/2006/07/msg0.html )

> The lawyer may also need to advise on issues such as:
> - can US citizens be involved in discussions about such funding?
> - can infrastructure in the US be used to discuss such funding (e.g.
> mailing lists, wiki, or the BTS)
[...]

That's pretty damn meta.

The legalities should all have been discussed back then, and given the relaxing of sanctions since then I would hope we could safely follow the same process now.

Ben.

-- 
Ben Hutchings
Knowledge is power. France is bacon.
Re: Debian 64bit information on website
On Sat, 2016-03-05 at 12:49 +0100, error.hotm...@brushdesign.com wrote:
> Dear Sirs,
>
> A long time Debian user I still have friends asking me where to find
> a 64bit distro to run on INTEL processors. When pointing out that the
> AMD64 distro is the way to go I always got questions why it is named
> AMD64 vs. i386.
[...]

That's why we generally label them as "64-bit PC" and "32-bit PC" now.

If there are specific places on Debian web sites that use the dpkg architecture names where they should use user-friendly names (that would be any page not aimed at developers and experienced Debian users), please report those to the maintainers for that web site (e.g. "reportbug www.debian.org").

Ben.

-- 
Ben Hutchings
The two most common things in the universe are hydrogen and stupidity.
Re: shutting down httpredir.debian.org?
On Tue, 2016-04-12 at 13:52 +0200, Raphael Geissert wrote:
[...]
> - the main code contributors (Simon and yours truly) have been
> EBUSY/ENOTIME for a while - Simon, please correct me if I'm wrong
[...]

I assume this means you don't have spare time. Are either of you (or anyone else with knowledge of the service) available to work on it in the short term on a paid contract? Of course Debian itself will not pay for this, but some users might be willing to sponsor this work.

Ben.

-- 
Ben Hutchings
This sentence contradicts itself - no actually it doesn't.
Re: Debian Open Use Logo inquiry
[I am not a lawyer, or other expert on 'IP'. But I know a little bit.]

On Sun, 2016-04-17 at 15:06 +0800, rafael coronel wrote:
> Good day! I don't know where this type of message should be sent to, so I
> figured this would go into the general section.
>
> I am sending this e-mail to inform you that the Debian Open Use Logo is
> being used by a professional as a composite of her own logo branding (
> https://s-media-cache-ak0.pinimg.com/564x/8d/55/f4/8d55f465b6ad23f5ecbec8b50b899161.jpg).
> This logo has been used in her official contracts, transactions and whatnot.
>
> I understand that the image has been released under the Creative Commons
> Attribution-ShareAlike 3.0 Unported License, but I am unsure if this
> licensing still applies if the image is used for branding. This type of
> usage may imply that Debian is endorsing or affiliated with the
> aforementioned individual. May I ask if the licensing encompasses this?

If the other logo is independently created (and apparently it is very easy to create such a swirl using Adobe Photoshop) no copyright licence is required.

As for trademarks: if the swirl is not used alone, nor with the word Debian, nor in the same field as the Debian project, I doubt that it would infringe. You didn't say what kind of business she is using the logo for, though - if it does involve software development or IT then there may be the risk of confusion.

Ben.

-- 
Ben Hutchings
Make three consecutive correct guesses and you will be considered an expert.
Re: Sdk
On Tue, 2017-01-31 at 09:40 -0500, Stanley Jean wrote:
> Hello,
>
> I'm attempting to make an os for my device and I was wondering if I could
> use your Debian as reference This my first official project. Can you email
> me and tell me what I need and the cost of anything needed?

As Debian consists of free software (free as in freedom), you are allowed to create and distribute your own operating system based on it without asking permission or paying a fee. You are required to choose a different name for it, and for many packages you are required to provide your customers with the source code, or provide an offer to do so.

This wiki page should be a good starting point:
https://wiki.debian.org/Derivatives

Ben.

-- 
Ben Hutchings
Nothing is ever a complete failure; it can always serve as a bad example.
Re: producing, distributing, storing Debian t-shirts
On Mon, 2017-05-01 at 23:44 -0500, Gunnar Wolf wrote:
> Martin Steigerwald said [Mon, May 01, 2017 at 10:13:58PM +0200]:
> > > Make it fair-trade and printed by people with disabilities, like
> > > we did for DC15, and it was somewhere around $8. I'd still buy
> > > a shirt for $15 or so every now and then if it was a witty new
> > > design and a cut of the proceeds were donated to Debian.
> >
> > I would not have any issue with paying an extra fee for fair-trade, organic
> > T-Shirt. That most are not at FLOSS events is a reason why I sometimes do not
> > opt for a T-Shirt at all.
> >
> > The very cheap approach of T-Shirt doesn't go along well with any kind of
> > idealism. It's very nice to hear in retrospect that the DC15 T-Shirts have
> > been fair trade – I didn't know that.
>
> Note that "fair trade" is a quite squishy notion. Speaking as a friend
> of the producer, I can assure you that the printing process of our
> usual Mexican dirt-cheap shirts are as fair-trade as they can be; I
> cannot assure the details for the fibers to be organic, and I won't
> claim the shirt maker themselves are overly idealistic, but the
> printing process itself is not a "sweat shop", but a small family
> business that struggles to survive _and_ help our movement, in which
> they believe.
[...]

It's not only the production of finished clothing that matters here (though I'm glad to be reassured about this producer). It is also important to consider how the raw material is produced. One major cotton-producing country, Uzbekistan, relies on forced labour for harvesting cotton.

Ben.

-- 
Ben Hutchings
Nothing is ever a complete failure; it can always serve as a bad example.
Re: If Debian support OS certification?
On Wed, 2017-05-03 at 16:55 +0800, Paul Wise wrote:
> On Tue, 2017-05-02 at 23:29 +0530, Ritesh Raj Sarraf wrote:
[...]
> > Like most other Enterprise Linux Distributions, Debian too picks a
> > particular kernel (stable-lts) and to some extent also backports
> > fixes into it. That makes it a completely unique kernel, against
> > which certification needs to be done.
>
> It is true that we use a unique version of Linux/kFreeBSD/Hurd but I
> would advocate a different approach. There is a lot of hardware that
> will never run mainline Linux and will never be able to be fully
> supported by Debian. These systems should be able to be certified to
> work with Debian
[...]

No, they should not, otherwise this certification becomes meaningless.

Basically any system using one of our supported architectures can run a 'Debian' system with some custom components added. But that system is unlikely to get prompt updates to fix kernel security bugs - or maybe any updates at all, depending on how the vendor (mis)configured APT.

If the vendor (or their SoC supplier) chooses to fork and not to contribute back to Linux, they must accept the consequences, and we should not endorse that fork.

Certification should mean that you can use the Debian installer or an official Debian image on the system. If it actually requires a custom installer or image created by the vendor, that is out of our control and ability to support.

(I leave aside the question of whether 'Debian' would include the contrib and non-free sections. I think that realistically we would have to add a second tier of certification for the vast majority of systems that require installation of non-free firmware for important components like the GPU or network interface.)

Ben.

-- 
Ben Hutchings
friends: People who know you well, but like you anyway.
Re: If Debian support OS certification?
On Thu, 2017-05-04 at 07:56 +0800, Paul Wise wrote:
> On Thu, May 4, 2017 at 12:17 AM, Ben Hutchings wrote:
>
> > No, they should not, otherwise this certification becomes meaningless.
>
> I see these certifications primarily as a service to Debian users and
> not as endorsements of vendors, but as statements of fact. The
> consequences to users should stated as part of the certification
> output. "This system can run Debian main", "This system is missing
> drivers for XYZ", "This system requires non-free firmware", "This
> system requires a custom bootloader", "This system requires a custom
> kernel", "This system requires a custom kernel and must use sysvinit",
> "This system requires an unofficial Debian port", "This system
> requires recompiling Debian from scratch" (CPU requirements bumps or
> CPU bugs). Basically, a more automated version of InstallingDebianOn.

If we require that vendors make those caveats clear in any self-certification, then I agree that this could be useful.

> If Debian only certifies systems installed using official d-i images
> then we won't be certifying much, since almost everything requires
> preinstalled or runtime-loaded non-free firmware for some part of the
> system. We would basically only be able to certify RYF devices and may
> as well just require FSF RYF certification up-front before a system
> can be certified for Debian use.

Well I already acknowledged that, didn't I?

> Since we already need two tiers of certifications for main vs
> non-free, is it really that much of a problem to add some more as long
> as our users are informed of the issues they will face?

My concern was that the bar you were setting was so low as to be useless for distinguishing systems that are well supported by Debian from those that are not.

> Users are
> going to buy or acquire those problematic systems anyway, especially
> in areas where there are almost zero devices that Debian could be
> certified for (for eg mobile devices). If they do and then decide to
> run Debian, information about what the consequences are would be
> useful.

Right.

Ben.

-- 
Ben Hutchings
If the facts do not conform to your theory, they must be disposed of.
Re: If Debian support OS certification?
On Fri, 2017-05-05 at 16:54 +0200, Thomas Goirand wrote:
> On 05/02/2017 02:35 AM, Paul Wise wrote:
> > With my DSA hat on, we don't like being guinea pigs for development
> > boards and pre-release hardware. This kind of hardware tends to be
> > unreliable and require too much hand-holding. That said, we definitely
> > welcome hardware sponsorship and partners.
>
> Absolutely. However, you may know that commercial distros are making
> their certification program a non-free (as in: you must pay your beer)
> thing. I do believe it'd be a fair way to get free (as in free beer)
> hardware for the DSA team. It's up to us to define the terms.

Free as in free kittens?

Ben.

-- 
Ben Hutchings
The program is absolutely right; therefore, the computer must be wrong.
Re: On the Anti Harassment Team
On Sun, 2017-08-13 at 17:11 +0200, Margarita Manterola wrote:
[...]
> 4) Name: we find that "anti harassment" is not a great name both because
> it's negative and because it puts people on edge when we contact them. We
> asked people to suggest other names. The current best suggestion that we
> have is "Respect & Inclusion team" with resp...@debian.org as the alias
> (not created yet). This discussion is still open and we welcome other
> suggestions and ideas (contact us via antiharassm...@debian.org ).

Emphasising "respect" may be problematic. It's something abusive people often demand when they encounter resistance.

You could use "safety" or "welfare" - but that might be claiming too wide a role.

Ben.

-- 
Ben Hutchings
If you seem to know what you are doing, you'll be given more to do.
Re: mirror
On Sat, 2017-09-16 at 20:18 +0430, Majid Isaloo wrote:
> hi
> we have a stable link from Iran and we want to take your mirror
> we are a hosting and server and colocation service provider in iran
> how we can take it?
> i cant find a true email for this request

You should contact: mirr...@debian.org

Ben

-- 
Ben Hutchings
Who are all these weirdos? - David Bowie, reading IRC for the first time
Re: Bitcoin donations
On Wed, 2017-10-25 at 16:15 +0200, Adam Borowski wrote:
> On Wed, Oct 25, 2017 at 01:33:09PM +0100, Ian Jackson wrote:
> > Elise Wood writes ("Bitcoin donations"):
> > > Have you considered adding an address for bitcoin donations? Would you?
> >
> > After reading _Attack of the 50-foot blockchain_ by David Gerard, my
> > (previously merely rather sceptical) attitude to Bitcoin has
> > hardened.
> >
> > IMO Debian should not encourage or support Bitcoin in any way.
>
> I consider Bitcoin to still be far less repulsive than both the mainstream
> banking system and para-banks like Paypal.
>
> And why would you refuse a way to submit donations that's convenient for
> some donors?
[...]

Mozilla tried it and the result was a net negative:
https://fundraising.mozilla.org/bitcoin-donations-to-mozilla-17-days-in/

Ben.

-- 
Ben Hutchings
The most exhausting thing in life is being insincere. - Anne Morrow Lindberg
Re: Automatic downloading of non-free software by stuff in main
On Wed, 2017-12-06 at 09:09 +0500, Andrey Rahmatullin wrote:
> On Tue, Dec 05, 2017 at 12:48:36PM -0800, Diane Trout wrote:
> > I would love for files downloaded via a web browser or email client to
> > be marked as having come from the Internet. (Major bonus points if a
> > sync tool like nextcloud can keep files I generated labeled separate
> > from ones my coworkers made)
> >
> > OS X web browsers do this, and when you try to open them the OS will
> > prompt "this came from the internet, do you want to open it". It looks
> > like its implemented with a few extended attributes. [1]
>
> Windows too (implemented with NTFS alternate data streams).
>
> > Do most of our file systems have extended attributes turned on by now?
>
> I think (or at least hope) so.

Yes, xattrs are supported in most filesystems on Linux and our official kernel packages enable them wherever they're an optional feature.

$ grep -rwl xattr_handler fs | grep -o '^fs/[^/]*/' | sort -u
fs/9p/
fs/afs/
fs/btrfs/
fs/ceph/
fs/cifs/
fs/ecryptfs/
fs/ext2/
fs/ext4/
fs/f2fs/
fs/fuse/
fs/gfs2/
fs/hfs/
fs/hfsplus/
fs/jffs2/
fs/jfs/
fs/kernfs/
fs/nfs/
fs/ocfs2/
fs/orangefs/
fs/overlayfs/
fs/reiserfs/
fs/squashfs/
fs/ubifs/
fs/xfs/

Ben.

-- 
Ben Hutchings
If the facts do not conform to your theory, they must be disposed of.
Re: Automatic downloading of non-free software by stuff in main
On Wed, 2017-12-06 at 21:33 -0200, Henrique de Moraes Holschuh wrote:
> On Wed, 06 Dec 2017, Ben Hutchings wrote:
> > > > Do most of our file systems have extended attributes turned on
> > > > by now?
> > >
> > > I think (or at least hope) so.
> >
> > Yes, xattrs are supported in most filesystems on Linux and our official
> > kernel packages enable them wherever they're an optional feature.
[...]
> The most worrisome absence in that list being tmpfs :-(

That's only because it lives in mm/shmem.c, not under fs/. It does support xattrs.

Ben.

-- 
Ben Hutchings
Beware of programmers who carry screwdrivers. - Leonard Brandwein
Re: Automatic downloading of non-free software by stuff in main
On Wed, 2017-12-06 at 19:14 -0500, Michael Stone wrote:
> On Thu, Dec 07, 2017 at 12:09:22AM +0000, Ben Hutchings wrote:
> > That's only because it lives in mm/shmem.c, not under fs/. It does
> > support xattrs.
>
> Have you tried it?

Ah, damnit. It supports *some* xattrs (like the security namespace), but apparently not *user* xattrs.

Ben.

-- 
Ben Hutchings
Beware of programmers who carry screwdrivers. - Leonard Brandwein
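The origin-marking idea from this thread, and the tmpfs case it ran into, can be tried directly. The following is an added example, not part of the original messages: it tags a saved file with the freedesktop.org `user.xdg.origin.url` attribute and reports when the filesystem refuses user xattrs instead of failing. The function names are illustrative, and the probe list under `__main__` assumes `/dev/shm` is a tmpfs mount.

```python
import errno
import os
import tempfile

# Attribute name from the freedesktop.org "common extended attributes" list.
ORIGIN_ATTR = "user.xdg.origin.url"

# errno values that mean "this filesystem or file will not take a user xattr".
_REFUSED = {errno.ENOTSUP, errno.EOPNOTSUPP, errno.EPERM, errno.ENOSYS}
# errno values that mean "supported, but this attribute is not set".
_MISSING = {getattr(errno, "ENODATA", None), getattr(errno, "ENOATTR", None)} - {None}


def tag_origin(path, url):
    """Store url on path; return False when user xattrs are refused."""
    if not hasattr(os, "setxattr"):          # platform without the xattr calls
        return False
    try:
        os.setxattr(path, ORIGIN_ATTR, url.encode("utf-8"))
    except OSError as exc:
        if exc.errno in _REFUSED:
            return False
        raise
    return True


def read_origin(path):
    """Return the recorded origin URL, or None if there is none to read."""
    if not hasattr(os, "getxattr"):
        return None
    try:
        return os.getxattr(path, ORIGIN_ATTR).decode("utf-8", "replace")
    except OSError as exc:
        if exc.errno in _REFUSED | _MISSING:
            return None
        raise


def save_download(data, dest_dir, name, url):
    """Write data under dest_dir and tag it. Returns (path, tagged)."""
    # basename() drops any directory components supplied by the remote side.
    path = os.path.join(dest_dir, os.path.basename(name))
    with open(path, "wb") as fh:
        fh.write(data)
    return path, tag_origin(path, url)


def probe_user_xattrs(directories):
    """Map each usable directory to whether user xattrs can be stored there."""
    results = {}
    for directory in directories:
        try:
            fd, probe = tempfile.mkstemp(dir=directory)
        except OSError:                      # missing or not writable: skip it
            continue
        os.close(fd)
        try:
            results[directory] = tag_origin(probe, "about:blank")
        finally:
            os.unlink(probe)
    return results


if __name__ == "__main__":
    candidates = ["/dev/shm", "/tmp", os.path.expanduser("~")]
    for directory, ok in probe_user_xattrs(candidates).items():
        print(f"{directory}: user xattrs {'stored' if ok else 'refused'}")
```

A file without the attribute is not thereby known to be local: a download saved to, or copied through, a filesystem that refuses user xattrs loses the mark, so an "ask before opening" policy cannot treat a missing tag as trusted.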
Re: Donation with cryptocurrency
On Fri, 2017-12-15 at 23:41 +0100, francoisduvalcork . wrote:
> hi there,
>
> I was wondering the reasons behind your choice not to make available crypto
> currency an efficient way to get financial support. They have been around
> for several years now.
> I'm sure you are aware of this and you might even use them as individuals
> however I'm very surprise Debian hasn't adopted this method long time ago.
> What is the reason that you're not using crypto currencies ?
> How long before the Debian project will have a donation option in crypto
> you reckon?
> which crypto currency would you accept ? Bitcoin, Litecoin, Dash ?
>
> looking forward to read your reply, thank you.

I'd also be interested to know why Debian won't take donations in gold, CDOs or tulip bulbs.

Ben.

-- 
Ben Hutchings
Teamwork is essential - it allows you to blame someone else.
Re: Re: UEFI Secure Boot sprint report
On Mon, 2018-05-14 at 22:05 +0900, Hideki Yamane wrote:
> Hi,
>
> Thanks, your explanation is really helpful.
>
>
> > The signing service is a source package builder.
>
> It build source package but its source package is based on built binary
> package?
> As I understand, signing to binary is necessary step.

Right.

> 1. source package
> 2. -> upload to dak
> 3. -> passed to buildd
> 4. -> binary package built

And one of those binary packages is a "template" for the source package. This is documented on the Etherpad, but in short it contains an unpacked source package with everything except the signatures, plus a configuration file specifying which binaries in which packages need to be signed.

> 5. -> signing service pull those
> 6. -> source package built

This is the template source package plus all the (detached) signatures that were specified in the configuration.

> 7. -> dak, again
> 8. -> buildd, again

Here there are build-dependencies on the previously built binaries, and the build process adds the detached signatures to those binaries.

> 9. -> dak passes those to repo
>
>
> And in previous report
>
> > We're still missing (partially or completely):
> > - generate a signing template for GRUB2
> > - have DAK accept those generated source-only uploads
>
> This is 7th step in above, right?

The second point (have DAK accept ...) is part of step 7, yes. It seems to have been implemented now.

Ben.

-- 
Ben Hutchings
For every action, there is an equal and opposite criticism. - Harrison
Re: UEFI Secure Boot sprint report
On Tue, 2018-05-15 at 11:07 +0900, Hideki Yamane wrote:
> Hi,
>
> Thanks for the clarification, Ben. Very helpful.
>
> On Mon, 14 May 2018 15:35:50 +0100
> Ben Hutchings wrote:
> > The second point (have DAK accept ...) is part of step 7, yes. It
> > seems to have been implemented now.
>
> Then, remaining blocker is only template for GRUB2?

For testing purposes, I think so. I don't know whether GRUB implements the policy we want at the moment.

We'll still need a "flag day" on which the signing service, and all packages that get signed, switch to production signing keys.

Ben.

-- 
Ben Hutchings
Unix is many things to many people, but it's never been everything to anybody.
Re: UEFI Secure Boot sprint report
On Wed, 2018-05-16 at 10:05 +0200, Philipp Hahn wrote:
> Hello,
>
> On 15.05.2018 at 11:41, Steve McIntyre wrote:
> > On Tue, May 15, 2018 at 04:16:22AM +0100, Colin Watson wrote:
> > > On Tue, May 15, 2018 at 11:46:00AM +0900, Hideki Yamane wrote:
> > > > On Tue, 15 May 2018 03:32:26 +0100 Ben Hutchings
> > > > wrote:
> > > > > > > The second point (have DAK accept ...) is part of step 7, yes. It
> > > > > > > seems to have been implemented now.
> > > > > >
> > > > > > Then, remaining blocker is only template for GRUB2?
> > > > >
> > > > > For testing purposes, I think so. I don't know whether GRUB
> > > > > implements
> > > > > the policy we want at the moment.
>
> @benh: you meant to *only* boot signed stuff and not fall back to
> disabling SB before booting an unsigned kernel?
> That should be addressed by
> <https://salsa.debian.org/pmhahn/grub/commit/fe06193ff5a36ee6aa6a6cab12f4651b6290d91b>

I think that's what we agreed, yes.

[...]
> I haven't yet found time to setup an UEFI-SB test environment to check
> that everything works.
[...]

It's fairly easy to do with OVMF; this blog entry summarises the process:
https://www.decadent.org.uk/ben/blog/experiments-with-signed-kernels-and-modules-in-debian.html

Ben.

-- 
Ben Hutchings
Teamwork is essential - it allows you to blame someone else.
Re: Do we need embargoes for GPL compliance issues?
On Thu, 2018-09-13 at 09:03 -0700, Russ Allbery wrote:
[...]
> That said, the Linux kernel is of course under GPLv2, which doesn't have
> that 30-day provision at all, so it doesn't seem like an embargo would
> have helped at all in this specific case (which I think you mentioned in
> your original message).
[...]

As you may know, an individual copyright holder in the Linux kernel is understood to have successfully sued various infringing companies and claimed significant fees to reinstate their licences.

In response to this, there have been efforts to set norms for copyright enforcement and to reduce the risk to distributors that may accidentally infringe.

Software Freedom Conservancy and the FSF set out the Principles of Community-Oriented GPL Enforcement, which include applying GPL v3's termination terms to works formally licensed under v2:
https://sfconservancy.org/copyleft-compliance/principles.html

The Linux Foundation organised another initiative, encouraging copyright holders to agree that they would apply GPL v3's termination terms to the kernel:
https://www.kernel.org/doc/html/latest/process/kernel-enforcement-statement.html

However this is not currently a requirement for contributing to the kernel upstream. Contributions from the one litigious copyright holder are no longer accepted, and I would expect his code to be gradually replaced over time.

Ben.

-- 
Ben Hutchings
Computers are not intelligent. They only think they are.
Re: On having and using a Code of Conduct
On Thu, 2019-01-03 at 11:26 -0700, Eldon Koyle wrote:
> Hi all,
>
> On Wed, Jan 2, 2019 at 5:25 AM Steve McIntyre wrote:
>
> > For those trying to undermine it with statements like "I'm worried
> > I'll be thrown out of Debian if I make a single mistake", please give
> > it a rest already. These are basic principles on how we want all
> > people to interact.
>
>
> I think there are many who are concerned about the process, not the CoC
> itself. Here are the main concerns as I see them (at least from the few
> who have come forward), and I believe these are the reasons that people
> are worrying:
>
> 1. The process itself is not well documented (it's new, so expected)
>
> 2. The accused isn't allowed to address the claims against them
>
> 3. The a-h team is acting as both prosecution and judge/jury (usually
> separated to reduce confirmation bias)

There is a separation of roles.

The Debian Account Managers (DAMs) have the delegated power to decide on expulsions and additions to the project members. (Latest delegation is at <https://lists.debian.org/debian-devel-announce/2018/03/msg1.html>.)

The anti-harassment team is the usual contact point for complaints and can recommend actions to the DAMs (or other teams) but doesn't have delegated powers (as I understand it).

> 4. The proceedings are closed, so claims of unfairness aren't refuted
>
> 5. There doesn't appear to be an appeals process (contact DAM?)
[...]

There is, since any decision by the DPL or a delegate can be overridden by General Resolution.

Ben.

-- 
Ben Hutchings
Absolutum obsoletum. (If it works, it's out of date.) - Stafford Beer
Re: On demotions to DM status.
On Mon, 2019-01-07 at 12:02 +0500, Andrey Rahmatullin wrote:
> On Mon, Jan 07, 2019 at 12:47:34AM +, Richard Hecker wrote:
> > Does the project want to say that a DM is less trustworthy than a DD?
> Yes, obviously. Just like a DM is more trustworthy than a non-DM.

It would be more accurate to say that a DD is more *trusted* than a DM, and a DM is more *trusted* than a contributor who has neither status. We hope that our application processes exclude most of those who are not trustworthy, but we can't be sure.

Ben.

> > Should a DM becoming a DD be viewed as a promotion?
> But it is, isn't it? Or, at least, as a next step.
>

-- 
Ben Hutchings
Design a system any fool can use, and only a fool will want to use it.
Re: Censorship in Debian
On Wed, 2019-01-09 at 19:20 -0500, Miles Fidelman wrote:
> On 1/9/19 5:39 PM, Josh Triplett wrote:
>
> > Anthony Towns wrote:
> > > On Fri, Jan 04, 2019 at 10:47:05AM -0800, Russ Allbery wrote:
> > > > People seem to feel they're unreasonably put-upon by having to think about
> > > > what they're saying *at all*, but this is absurd. Everyone else in the
> > > > world is doing this all the time.
> > > There are times when you don't have to think about what you're saying
> > > before you say it; that situation is often called being "among friends",
> > > or "in a safe space", or "able to let your guard down".
> > If you have to have your "guard up" to avoid hurting people, you have a
> > more fundamental problem.
> >
> > It really *isn't* that hard to just think about the effect of your words
> > on others *all the time*. As Russ said, that's a fundamental skill.
> >
> > Debian is not a locker room.
>
> On the other hand, when did people get so thin skinned, and offended by
> everything?
[...]

That would be whenever people started complaining about "political correctness" when they were criticised for what they said.

Ben.

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
Re: 2 minute summary of Debian crisis
On Sun, 2019-01-13 at 21:08 +, Martin Steel wrote: > > > On 04/01/2019 21:34, flackjack...@tutanota.com wrote:> > > In September, the Leader started a whispering campaign to undermine > > another highly respected developer, the developer finds out at Christmas, > > he is rightly furious, who wouldn't be? > > Another point of view here... > > The fact that some weeks have passed without the leader denying this direct > allegation suggests there is some truth to it. Retreating to his inner circle > to come up with a story or belated counter-accusations is completely > unacceptable. [...] I don't see the need for Chris to respond to allegations just because they're being repeated by multiple sock-puppet accounts. Even if the latest such account has a real sounding name configured. Ben. -- Ben Hutchings It is easier to change the specification to fit the program than vice versa.
Re: Conflicts with Buster during Stretch-backports upgrade
On Tue, 2019-02-12 at 18:19 +0500, Andrey Rahmatullin wrote: > On Tue, Feb 12, 2019 at 12:45:47PM +, contra...@minehub.de wrote: > > we are currently facing a pretty serious issue regarding the latest kernel > > from stretch backports: > > > > miniops@mumpitz ~ $ sudo apt-cache madison linux-image-amd64 > > linux-image-amd64 | 4.19+102~bpo9+1 | http://ftp.debian.org/debian > > stretch-backports/main amd64 Packages > > > > When doing apt-get dist-upgrade there is either no outcome, or, on a fresh > > installing machine, an error occurs: > > > > The following packages have unmet dependencies: > > linux-image-amd64 : Depends: linux-image-4.19.0-0.bpo.2-amd64 but it is not > > installable > > E: Unable to correct problems, you have held broken packages. > > > > Looking at https://packages.debian.org/stretch-backports/linux-image-amd64 > > (https://packages.debian.org/stretch-backports/linux-image-amd64) this > > package is truly not available, but for apt-get update it seems that there > > is an update. > So this is strictly a stretch-backports problem unrelated to buster. > According to https://backports.debian.org/Instructions/#index6h2 you > should report backports bugs to debian-backpo...@lists.debian.org. There is no need to report this problem, it's known and will be resolved shortly. Ben. -- Ben Hutchings The world is coming to an end. Please log off. signature.asc Description: This is a digitally signed message part
Re: metaphors and feminism
On Fri, 2019-03-29 at 08:42 +0100, Stacey Lee wrote: > Hello everybody > I'm an outsider here but I couldn't ignore what is going > on. [...] Shut up Daniel. Ben. -- Ben Hutchings Design a system any fool can use, and only a fool will want to use it.
Re: Debian Easter shake down
The signature is a bit of a giveaway, Daniel. Ben. On Mon, 2019-04-22 at 14:15 +, Enrico Zini wrote: [...] > Take your mailboxes with you. Free, fast and secure Mail & Cloud: > https://www.eclipso.eu - Time to change! > > -- Ben Hutchings Horngren's Observation: Among economists, the real world is often a special case.
Re: Realizing Good Ideas with Debian Money
On Fri, 2019-05-31 at 21:04 +, Luca Filipozzi wrote: [...] > However, without an HPE donation or discount, we are much more likely to > follow a less expensive approach: pairs of 2U servers with local > storage, etc. Still not cheap but not multiples of 100k. > > If a hardware vendor happens to offer a discount, then we can stretch > the dollars further. [...] As I understand it, list prices for "enterprise" hardware are set with the assumption that customers will negotiate a 50% or higher discount. If that's right, we should expect and ask for discounts, regardless of whether the vendor is interested in being a sponsor. Ben. -- Ben Hutchings Unix is many things to many people, but it's never been everything to anybody.
Re: debian-private leaked on pastebin
On Sun, 2019-08-04 at 23:20 +, Debi Leaks wrote: > will debian people ever stop throwing rocks at each other? > > > https://pastebin.com/Xm4J1hVd It's basically just you throwing rocks at us, Daniel. Ben. -- Ben Hutchings Beware of programmers who carry screwdrivers. - Leonard Brandwein
Re: Using Debian funds to support a gcc development task
I don't believe anyone is stuck using old m68k hardware that they can't afford to upgrade - the cost of maintaining (or buying) m68k systems that can run Debian is likely to be high, compared to a PC. So the m68k port seems to be only a fun hobby for a small group of existing developers and users. I don't think Debian should subsidise this group, beyond providing the usual ports infrastructure. If I'm mistaken and the m68k port is attracting new contributors to Debian, that contribute in other areas as well, I might be persuaded otherwise. Ben. -- Ben Hutchings Sturgeon's Law: Ninety percent of everything is crap.
Re: Using Debian funds to support a gcc development task
On Sun, 2019-09-29 at 17:00 +0200, Jonas Smedegaard wrote: > Quoting Raphael Hertzog (2019-09-29 16:15:30) [...] > > * Freexian doesn't "use Debian volunteers", nobody is forced to work > > for Freexian, they all asked to join the team of paid contributors. > > But Freexian pays them for the LTS work, that's correct. > > Debian volunteers indeed are asked nicely if they want to spend their > volunteer time on that not-really-Debian-thing-labeled-confusingly. [...] Debian LTS is a really-Debian-thing. Ben. -- Ben Hutchings For every action, there is an equal and opposite criticism. - Harrison
Re: Wrapping up the Salsa as OIDC provider proposal
On Fri, 2020-04-10 at 20:38 +0200, Enrico Zini wrote: [...] > * If we drop the requirement of having "-guest" for non-DD users on > Salsa, how can one tell if a user is a DD? > > Waldi has a prototype ready for showing official membership status > prominently and directly on a user's page, with information synced from > nm.debian.org. [...] This seems to address the only concern I had with your proposal. Thanks for all your work on SSO. Ben. -- Ben Hutchings 73.46% of all statistics are made up.
Re: Linux in Canada, might severely affect all free software projects
On Sat, 2010-07-03 at 17:46 +0200, Toni Mueller wrote: > > Hi, > > I've just been pointed to this: > > http://www.reddit.com/comments/cb3n0/are_you_a_canadian_linux_user_youre_about_to/ > > I'd like the project to assess the impact of this kind of legislation, > and to publicly speak out against it. Is this any worse than the anti-circumvention clauses in the US DMCA, the UK 1988 Copyright Act, and similar legislation in other countries? Ben. -- Ben Hutchings Once a job is fouled up, anything done to improve it makes it worse.
Re: DEP-5 and public domain
On Thu, 2010-08-12 at 10:31 +1000, Ben Finney wrote: > Charles Plessy writes: > > > Le Thu, Aug 12, 2010 at 02:05:42AM +1000, Ben Finney a écrit : > > > To my eye, ‘License: NO’ has exactly the wrong connotation (“the > > > recipient has no copyright license to this work”). The obvious > > > reaction to that would be “okay, then we can't have it in Debian”. > > > > there would still be no ambiguity > > I'm not arguing that there's ambiguity; I'm arguing that the keyword > “no” is poorly chosen because it doesn't clearly connote what we want it > to. [...] I think the bikeshed should be pink. Ben. -- Ben Hutchings Once a job is fouled up, anything done to improve it makes it worse.
Dell PERC H 700
On Thu, 2011-03-31 at 19:53 +0530, mahith...@dell.com wrote: > > Hi Team, > > We just wanted to confirm if , Debian 6 works fine with PERC H 700 > controller cards. > > Kindly provide us the info . I believe these use the MegaSAS 9260 controller, supported by the megaraid_sas driver. They should therefore be supported in Debian 6.0, though you are better placed to test that! Hardware support questions should usually be directed to the debian-kernel or debian-user list. Ben. -- Ben Hutchings Once a job is fouled up, anything done to improve it makes it worse.
Re: making debian for living
On Tue, 2011-04-19 at 01:08 +0200, Maroš Žilka wrote: > Hi, > > does The Debian Project have any employees with salary or there are > only volunteers. The Debian project does not have any employees. A percentage of donations to Debian through SPI are retained by SPI for administration, which may pay for professional services such as accounting. > In other words can i participate to debian for living ? That is a different question. Many people provide consulting services related to Debian, and may contribute to the project in the process of that. Others work on Debian as part of their job at an organisation that uses it. Ben. -- Ben Hutchings Once a job is fouled up, anything done to improve it makes it worse.
Re: Debian hardware certification
On Fri, 2011-06-03 at 11:42 -0400, John Sullivan wrote: > Thomas Goirand writes: > > > The point is to have a system so that manufacturers can write "this > > system supports Debian". If they don't want to do the work, we could, > > and help each other by having a list of hardware that is known to work > > with Debian, and a list of hardware with issues. If they do, it's best, > > and IMHO we should help. Finally, I believe we should have a central > > point on Debian's website so that this can happen. > > > > Maybe a wiki page might be a good start, until we setup something better. > > > > Such a database is being generated now at http://h-node.com. The FSF is > also consolidating its former compatible hardware database there. Since > h-node lists hardware that works without proprietary drivers or > proprietary firmware, it should be a good fit for Debian main from > Squeeze on. Almost every peripheral device today runs some software (firmware) on an embedded processor or microcontroller, which is generally non-free (see http://mjg59.livejournal.com/91123.html for examples). A few people consider that devices are more 'free' if they don't require the host to help them load this firmware. And h-node may be useful for those people, but not for the large majority who realise that downloading non-free firmware won't taint their precious bodily fluids. Ben. -- Ben Hutchings Once a job is fouled up, anything done to improve it makes it worse. signature.asc Description: This is a digitally signed message part
Re: Debian hardware certification
On Fri, 2011-06-03 at 23:36 -0400, John Sullivan wrote: > Ben Hutchings writes: > > > On Fri, 2011-06-03 at 11:42 -0400, John Sullivan wrote: > >> Thomas Goirand writes: > >> > >> > The point is to have a system so that manufacturers can write "this > >> > system supports Debian". If they don't want to do the work, we could, > >> > and help each other by having a list of hardware that is known to work > >> > with Debian, and a list of hardware with issues. If they do, it's best, > >> > and IMHO we should help. Finally, I believe we should have a central > >> > point on Debian's website so that this can happen. > >> > > >> > Maybe a wiki page might be a good start, until we setup something better. > >> > > >> > >> Such a database is being generated now at http://h-node.com. The FSF is > >> also consolidating its former compatible hardware database there. Since > >> h-node lists hardware that works without proprietary drivers or > >> proprietary firmware, it should be a good fit for Debian main from > >> Squeeze on. > > > > Almost every peripheral device today runs some software (firmware) on an > > embedded processor or microcontroller, which is generally non-free (see > > http://mjg59.livejournal.com/91123.html for examples). > > > > A few people consider that devices are more 'free' if they don't require > > the host to help them load this firmware. And h-node may be useful for > > those people, but not for the large majority who realise that > > downloading non-free firmware won't taint their precious bodily fluids. > > > > Debian main uses the same standard as h-node. Yes. Debian users don't. Ben. -- Ben Hutchings Once a job is fouled up, anything done to improve it makes it worse. signature.asc Description: This is a digitally signed message part
Re: I call solution
On Tue, 2011-09-20 at 16:36 +0200, Jorge Luis Pinilla Guzman wrote: > Hello. > I ask please that this link is removed > http://lists.debian.org/debian-project/2007/09/msg00077.html > because noe have given my permission to exhibit ininternet use > personal data as it comes transcends my phone and I'm bothered. [...] The Debian list information pages clearly state that messages sent to the lists will be public. By sending mail to the list address you give permission to reproduce it; that is the whole purpose of a mailing list. But in any case, the people responsible for list maintenance can be reached at . Ben. -- Ben Hutchings Once a job is fouled up, anything done to improve it makes it worse.
Re: Greaat disappointment
On Sat, 2011-10-01 at 01:55 +0200, Qactuar Rogue wrote: > Hi. > > I was planning on installing Debian on a new laptop that had Windows 7 > pre-installed. > I was researching the methods of installation for two weeks > (partitioning etc). > Then right before beginning the disk wipe and later the installation > I had problems deciding on my own for what kind of partition table to > create > and wanted to have feedback from somebody who has a comprehensive > understanding on the subject. > I went on IRC. Firstly I tried #Debian on irc.debian.org then I tried > #Debian at chat.freenode.com > > I would like to express my greatest disappointment regarding the > `helpfulness` of the people on the channel. > On irc.debian.org everyone was a complete dumbass. On both channels I > was told off for asking my questions by PMing someone > who replied to my posting on the channel. That seems quite reasonable. You have no right to expect free one-to-one support. > My nick was Ti-chan. You can research if you please. > I did nothing, just kindly asked for help regarding partitioning. [...] And then, apparently, you started insulting people. > I also considered investing into the Debian project by donating > millions of dollars. [...] If you really have so much money to spare, consider paid support from a consultant as listed under <http://www.debian.org/consultants/>. Ben. -- Ben Hutchings Everything should be made as simple as possible, but not simpler. - Albert Einstein signature.asc Description: This is a digitally signed message part
Re: box for testing
On Wed, 2011-10-05 at 22:42 +0200, Andrew Holway wrote: > Hi all, > > We are just in the process of buying a lot of the new AMD interlargo > boxes and I think my bosses are quite sold on the idea of providing > one to the Debian project for testing. We use Debian extensively and > are seeing that HPC performance, specifically floating point, is not > so great on the newer equipment. In this chip, each pair of cores shares FPU resources. Whenever a core executes a 256-bit floating-point vector operation, it has to borrow resources from its neighbour. I'm no expert, but I would think they aren't the best choice for HPC. > Compared to the last step (magnycours) floating point performance is > roughly half on the new processors. > > Do you think access to a new box would improve this? While we could probably make good use of a new fast machine, I doubt that we could use them to improve floating point performance. That would normally be done by upstream developers working on compilers and numerical libraries. Ben. -- Ben Hutchings Once a job is fouled up, anything done to improve it makes it worse. signature.asc Description: This is a digitally signed message part
Re: trademark licenses and DFSG
On Sun, 2011-10-09 at 20:02 +0200, Stefano Zacchiroli wrote: [...] > The reason of the non-DFSG-freeness of the Debian logo is that its > *copyright* license tries to do some sort of trademark protection as > part of its terms. Reifying trademark protection in a copyright license > is a bad thing per se, and I've been working with SPI lawyers to fix > that. The goal is to release the Debian logo under a common DFSG-free > license and have a separate, new, trademark policy [5]. +1 [...] > Proposal > > > We need to decide together what to do about the presence of software > with trademark restrictions in the Debian archive. It would be nice to > reach consensus through simple discussion, but we can of course also > decide to vote on this matter. > > My own proposal, that I submit to your consideration, is as follows: > > - DFSG applies to copyright license; trademark restrictions should not > make a package DFSG non-free (philosophical part) DFSG item 4 states explicitly that we accept licences that require us to rename software that we modify. A requirement to stop using other trademarks, such as logos, seems to be entirely within the spirit of this. However, copyright licences that attempt to extend trademark law by restricting the descriptive or functional use of trademarks (e.g. the requirement that a fork of Ion 3 could not use that name in file or directory paths) should not be accepted. > - however, trademark restrictions that get in the way of "usual Debian > procedures" should not be accepted in the Debian archive (practical > part) > > What I've in mind here is stuff like having to either rebrand or ask > for permission before adding a security patch or other kind of > restrictions on changing code that has nothing to do with the > "identity" of upstreams that trademarks are supposed to protect. The intent of such restrictions is to maintain the quality of products that use the trademark. This is absolutely the purpose of trademarks. 
New users of free software, particularly certain animal-themed Internet applications, generally aren't very familiar with the ideas that there can legitimately be forks and customised versions sharing a name, and that the distributor (not upstream) should initially be held responsible for defects. While I think that Debian users can generally be trusted to understand this, I can also see why upstream projects may be wary. > Practically, I think the set of unacceptable restrictions should be > proposed by the people who would actually have to deal with this kind > of issues: security team (that might need to apply impromptu patches), > release team (that might be forced to rename packages in past release > upon change), ftp-masters (same reason as before), etc. [...] Given the disruption that would be caused by renaming in a stable update, maintainers should be aware of the possibility of such restrictions and should address them proactively, by renaming or obtaining a licence from upstream that allows us to make any necessary bug fixes. In cases where Debian obtains a licence to use a trademark in a modified package and where this is not generally allowed, this should probably be noted in the copyright file (admittedly a misnomer in this case). Ben -- Ben Hutchings Reality is just a crutch for people who can't handle science fiction. signature.asc Description: This is a digitally signed message part
Re: trademark licenses and DFSG
On Mon, 2011-10-10 at 18:11 -0700, Steve Langasek wrote: > On Tue, Oct 11, 2011 at 09:11:21AM +0900, Charles Plessy wrote: > > Le Sun, Oct 09, 2011 at 08:02:01PM +0200, Stefano Zacchiroli a écrit : > > > > My own proposal, that I submit to your consideration, is as follows: > > > > - DFSG applies to copyright license; trademark restrictions should not > > > make a package DFSG non-free (philosophical part) > > > > - however, trademark restrictions that get in the way of "usual Debian > > > procedures" should not be accepted in the Debian archive (practical > > > part) > > > The DFSG stem from our Social Contract, where they are introduced as a > > tool to determine if a work is free. We can decide that they apply to > > copyright licenses only, and that would leave on our archive > > administrators the burden of determining if a trademark license is free. > > No, it would not, because *Debian is not in the practice of licensing > trademarks*. > > The controlling principle is that we are not trading on the names of the > upstream works and as a result we have no need of a license - so it doesn't > matter what kind of hare-brained restrictions upstreams include in their > trademark licenses because we don't need a license. > > A trademark license is a license to use a *brand*, not a license on a work > of software. Those brands may appear in: - Desktop or menu items used to start programs - Splash screens and 'About' dialogs - Release announcements and other promotional material listing prominent programs included in Debian So we certainly make claims that Debian contains $brand_x, and that the program a user launches is $brand_y. If the programs in question are unmodified, I think we can reasonably claim that we are using their trademarks in a descriptive way, which is fair use (depending, of course, on jurisdiction). But if they are modified in any significant way, I don't believe we can rely on that. 
And we want to maintain our freedom to modify programs as we see fit. Ben. -- Ben Hutchings If at first you don't succeed, you're doing about average.
Re: Do I need to load a network driver for an Intel onboard ethernet controller?
On Fri, 2011-10-21 at 15:33 -0700, Patrick Le wrote: > Dear Debian support team, > > > I have a Debian version 5.0.2 DVD, and I'm wondering if I need to > load a network driver for an Intel onboard ethernet controller or the > Debian v5.0.2 DVD will have and load a driver for it! This is the wrong list to ask; you want debian-user. You also need to specify *which* Intel Ethernet controller it is, as they have made probably over a hundred different network controllers. Ben. -- Ben Hutchings Larkinson's Law: All laws are basically false.
Re: Upcoming stable point release
On Wed, 2012-01-11 at 13:12 +, Adam D. Barratt wrote: > Hi, > > The next point release for "squeeze" (6.0.4) is scheduled for Saturday > January 28th. Stable NEW will be frozen during the preceding weekend > (21st/22nd). > > As usual, base-files can be uploaded at any point before the freeze. > > If there is a further kernel update planned for inclusion in the point > release, it would be ideal if that could be uploaded over the coming > weekend so that we can look at finalising the installer later next week. There are some more important changes pending, including a fix for a regression in 2.6.32-40 (currently in stable-proposed-updates). I can probably make an upload this weekend, but cannot promise that a further upload will not be needed. We need some testing of the isci driver (added in 2.6.32-40) and more generally regression testing. Ben. -- Ben Hutchings When in doubt, use brute force. - Ken Thompson
Re: OSI affiliation
On Mon, 2012-02-13 at 18:40 +0100, Stefano Zacchiroli wrote: [...] > Although I'd like to hear your comments before deciding, my advice is to > accept the invitation and have Debian join OSI. [...] +1 -- Ben Hutchings Beware of programmers who carry screwdrivers. - Leonard Brandwein
Re: OSI affiliation
On Sat, 2012-02-18 at 09:31 +, Philip Hands wrote: > On Fri, 17 Feb 2012 22:41:10 +, MJ Ray wrote: > > Jose Luis Rivas > > > Just to give context to your email, could you provide a list with the > > > OSI-approved licenses that you call non-free? (Maybe a link) That way > > > every one else knows which licenses are you talking about exactly. > > > > http://people.debian.org/~mjr/legal/fsf-osi-list-diff.txt > > shows the ones where OSI and FSF disagree, but what's the > > point of knowing which are involved? Basically, OSI has > > aided proliferation. [...] > If they've not already done so, they could also have a "Open Source, but > we'd rather you didn't use this drivel" category, with a recommended > equivalent license that is a better choice if you were thinking of using > that one. OSI's proliferation report <http://opensource.org/proliferation-report> and list by category <http://opensource.org/licenses/category> distinguishes their favoured common licences and the pointless licences, though it doesn't say which common licences are recommended as alternatives. Ben. -- Ben Hutchings Beware of programmers who carry screwdrivers. - Leonard Brandwein
Re: trademark licenses and DFSG: a summary
On Tue, 2012-02-21 at 01:12 +0900, Charles Plessy wrote: > Le Mon, Feb 20, 2012 at 03:26:59PM +, Uoti Urpala a écrit : > > > > If you want to allow doing all modifications permitted by the DFSG > > (which includes obnoxious ones) without the effort of rebranding, then > > you must remove all use of trademarks from Debian, including the > > Debian trademark itself. > > I support dropping our trademarks. We have to show the way. We have a strong > tradition of identifying ourselves via trusted information networks that are > under our control; mostly our keyring. We can also make a step further and > include links (possibly qrcoded) to specific subpages of www.debian.org in the A brilliant way to ensure no-one ever visits them! > printed material we distribute which would explain how to authentify the > material. This is much saner than guaranteeing authenticity through a social > mechanism that intends to inhibit others from modifying our works. Yes, let's solve this social problem by technical instead of social means. Ben. -- Ben Hutchings If at first you don't succeed, you're doing about average.
Unofficial repositories on 'debian' domains
On Sun, 2012-03-04 at 23:27 +0100, Gergely Nagy wrote: > Sergio Cipolla writes: > > > I'm not sure if you're a Debian Maintainer or not (or worse, Debian > > Developer) but this kind of big mouthing shouldn't be accepted from a > > DM/DD. > > I don't see a problem. Someone has a strong opinion, and perhaps the way > it came across was a bit harsh, but I don't believe in papering over bad > things by trying to dress them up in fancy words. > > As far as I see it, here's how things went: someone installed a package > from a third party repository, that kinda screwed up his system in one > way or the other. So he reported a bug against the Debian package > (despite the recommendation of the 3rd party repository's maintainers, > who clearly stated in the FAQ not to do this), and it got > closed. Perhaps a few stronger words were used than necessary, but > honestly "crap" is not a word one should be afraid to see. > > Some packages - be them in Debian or in third-party repositories - are > far worse than crap. We should not be afraid to call them out on that. > > But alas, the story goes further! The reporter does not reopen the > original bug, but files another, with an insult. Further down the > thread, we see this someone using a third party repository, without > seemingly being able to tell it from a normal debian mirror. > > I find it strange that someone who edited his own sources.list, would > not take the time to have a look at the site he copied the sources.list > line from, and notice that is by far, not a Debian mirror at all. [...] Looking at the front page of http://www.debian-multimedia.org/ today, I don't see a clear statement that it is unofficial. If you already know the project well, you should know that our official web sites are all under debian.org (though there is still an exception to that: debconf.org). 
Also, if you look closely, you can infer it from the references to 'official packages', and down at the bottom of the page there is a note not to use the Debian BTS. But for new users and potential users, this distinction probably isn't obvious. There is a reason that Debian has pursued trademark enforcement actions against various debian.xy domains. And to avoid singling out debian-multimedia.org, I think this confusion could just as well happen with repositories on foo.debian.net domains. Perhaps we need some kind of policy for DDs establishing unofficial repositories under 'debian' domains. Nothing too bureaucratic, just a standard disclaimer that these are the responsibility of the developer that established the repository. Maybe also require redirecting bug reports, if the repository isn't maintained by or with the blessing of the official package maintainer. Ben. -- Ben Hutchings Every program is either trivial or else contains at least one bug
Re: Diversity statement for the Debian Project
On Thu, 2012-03-29 at 14:10 +1100, Ben Finney wrote: > Francesca Ciceri writes: > > > On Tue, Mar 27, 2012 at 08:42:28AM +1100, Ben Finney wrote: > > > We should not commit to respecting opinions, but instead commit to > > > respecting all people. > > > > How do you suggest to express it in the statement? > > That depends on the context of the statement; I'm in favour of making it > rather minimal as some others in this thread have described. > > For distinguishing the respect for opinion versus respect for the people > who hold them, perhaps this: > > We value healthy discussion and debate of all opinions, no matter > who holds them. Ideas are always a valid target of criticism, and we > welcome anyone who wants to respectfully join the discussion. I still think we need to specify that we don't discriminate on grounds of preferred bikeshed colour. Ben. -- Ben Hutchings Horngren's Observation: Among economists, the real world is often a special case.
Re: Debian "Position" on Software Patents
On Thu, 2012-04-12 at 19:59 +0530, dE . wrote: > On 04/12/12 19:53, Josselin Mouette wrote: > > Le jeudi 12 avril 2012 à 19:07 +0530, dE . a écrit : [...] > >> As a result I suggest, restricting the download and hosting of such > >> software in the US.. since software patents practically only apply to > >> the US, and until such laws are removed (which's basically a > >> restriction of what you write in a text editor), the people of the US > >> should be faced with such inconvenience. > > And for at least the 15th too, this is not a US-only problem (although > > the US patent office is known to do a much worse job than others at > > checking for validity of submitted patents). [...] > And what're you going to do if some MS geek comes up notifying you about > some patent infringement in the Linux kernel code? I'm talking about > disaster management here. We don't have to carry on such a conversation, or take what they say on face value. Ben. -- Ben Hutchings It is easier to change the specification to fit the program than vice versa.
Re: Bug#686481: Clarification:
On Thu, 2012-09-06 at 02:32 +0900, Osamu Aoki wrote: > Hi, > > On Mon, Sep 03, 2012 at 10:24:30AM -0700, Grant H. wrote: [...] > > Problem: In 9.7.6. "Non-free hardware drivers" states as follows: > > == > > Although most of hardware drivers are available as free software and as > > a part of the Debian system, you may need to load some non-free external > > drivers to support some hardwares, such as Winmodem, on your system. > > > > Tip > > Check available firmware packages with "aptitude search ^firmware" while > > enabling the non-free repository. > > > > Tip > > The NDISwrapper can use Windows XP network drivers natively on Linux. > > Check "aptitude search ^ndis". > > == > > As I see this problem, this is one of the issue for "separation". [...] There is another problem with the above text - it mixes up non-free drivers and firmware. I realise they're both software and we would like them both to be free software; that's not what I'm arguing. My point is that it may lead users to confuse drivers and firmware (which leads to misfiled bug reports, etc.). The specific references to NDISWrapper and Winmodem also seem rather outdated now. Ben. -- Ben Hutchings Make three consecutive correct guesses and you will be considered an expert.
Re: Bug#686481: Clarification:
On Mon, 2012-09-10 at 21:43 +0900, Osamu Aoki wrote:
> Hi,
>
> On Mon, Sep 10, 2012 at 02:54:12AM +0100, Ben Hutchings wrote:
> > On Thu, 2012-09-06 at 02:32 +0900, Osamu Aoki wrote:
> > > Hi,
> > >
> > > On Mon, Sep 03, 2012 at 10:24:30AM -0700, Grant H. wrote:
> > [...]
> > > > Problem: In 9.7.6. "Non-free hardware drivers" states as follows:
> > > > ==
> > > > Although most of hardware drivers are available as free software and as
> > > > a part of the Debian system, you may need to load some non-free external
> > > > drivers to support some hardwares, such as Winmodem, on your system.
> > > >
> > > > Tip
> > > > Check available firmware packages with "aptitude search ^firmware" while
> > > > enabling the non-free repository.
> > > >
> > > > Tip
> > > > The NDISwrapper can use Windows XP network drivers natively on Linux.
> > > > Check "aptitude search ^ndis".
> > > > ==
> > >
> > > As I see this problem, this is one of the issue for "separation".
> > [...]
> >
> > There is another problem with the above text - it mixes up non-free
> > drivers and firmware. I realise they're both software and we would like
> > them both to be free software; that's not what I'm arguing. My point is
> > that it may lead users to confuse drivers and firmware (which leads to
> > misfiled bug reports, etc.).
>
> Are you suggesting for me to replace
> s/hardware drivers/drivers and firmwares of peripheral devices/
> s/external drivers/external drivers and firmwares/

Something like that. Only, 'firmware' is a mass noun, which means it
doesn't have a plural form - you just say 'firmware', not 'firmwares',
no matter how much of it you are talking about.

> My text may have been a bit sloppy but my intent was to use "hardware
> driver" in the broader sense including firmware loading driver code and
> its data (i.e., firmware). I understand in stricter sense, these words
> are used as:
>
> * driver: code running on the target architecture.
>     binary windows XP driver following NDIS is non-free driver
>     binary GPU driver offered as kernel module is non-free driver
>
> * firmware: code or data loaded on the peripheral device
>     (These could be rendering code running on GPU,
>     or FPGA/PLD netlist data, ...)

Right.

> I understand that the current official Debian position is all these are
> non-free if they do not come with the SOURCE.

Right.

> (I personally think
> requiring the source for FPGA/PLD netlist data is a bit awkward but I am not
> here to argue for this point.)
>
> > The specific references to NDISWrapper and Winmodem also seem rather
> > outdated now.
>
> Outdated in what sense. I understand recent focus of NON-FREE driver is
> GPU. My understanding of GPU driver is:
>
> * Intel GPU (including ones coming in the same chip as CPU):
>     FREE driver supported by the vender
> * ATI(AMD) and NVIDIA GPU:
>     NON-FREE driver supported by the vender
>     FREE driver (Tends to be less featureful than NON-FREE driver)

The free driver for AMD GPUs (radeon) also needs to load non-free
firmware.

> Or outdated because NDIS and Winmodem situation has changed?

Both, really - firstly I think NDISwrapper and soft-modem drivers are
not commonly needed, and secondly the non-free GPU drivers are more
widely used (but less important, as there are free alternatives
available).

[...]
> For modem, I never bought Winmodem nor I use POTS MODEM these days.
> So this is carried over for last 5-8 years.

It seems that many PCs still come with POTS modems (all my laptops have
had them) and I imagine they would need a non-free soft-modem driver -
if I ever needed to use them. But I suppose POTS modems are still
widely used in some rural areas.

Ben.

--
Ben Hutchings
Make three consecutive correct guesses and you will be considered an expert.

Re: kernel not found
On Sat, 2013-01-05 at 13:59 +0100, gabry wrote:
> Hi, I am going to install debian on amd k6 166 mhz. I've downloaded the
> net version i386, but the system installation break and tell that no
> kernel is not available .
>
> Why?

This is the wrong list for such questions; try
debian-u...@lists.debian.org or debian-ital...@lists.debian.org

Ben.

--
Ben Hutchings
Always try to do things in chronological order; it's less confusing that way.

Re: KDE desktop
On Mon, 2013-03-11 at 22:01 +0800, Julius Buma-at wrote:
> Hi,
>
> I would like to ask if what is the future "Desktop Environment" for
> the next stable version of your distro since your using the old GNOME
> 2.x DE? In my humble opinion I prefer KDE better than GNOME or Unity
> DE. Xfce is fine but it's too basic with less customizability.
>
> I hope you can give me some insights regarding the next version of
> this great distro "Debian."
>
> More power!

The default desktop is GNOME 3, but KDE, Xfce and LXDE are also
packaged.

Ben.

--
Ben Hutchings
The obvious mathematical breakthrough [to break modern encryption] would
be development of an easy way to factor large prime numbers.
                                                           - Bill Gates

Re: Kernel Header?
On Fri, 2013-03-15 at 21:37 -0400, Nathaniel Biser wrote:
> Hello,
> I'm looking for Kernel Headers 3.7-trunk-amd64. I have searched the
> net and debian and haven't been able to find any matches. I need it to
> run vmware player on kali linux. Any suggestions on where I can get
> this?

Kali is not Debian.

You should be able to install the package for your distribution using
'apt-get install linux-image-3.7-trunk-amd64'.

Ben.

--
Ben Hutchings
It is easier to change the specification to fit the program than vice versa.

Re: Kernel Header?
On Sat, 2013-03-16 at 05:13 +, Ben Hutchings wrote:
> On Fri, 2013-03-15 at 21:37 -0400, Nathaniel Biser wrote:
> > Hello,
> > I'm looking for Kernel Headers 3.7-trunk-amd64. I have searched the
> > net and debian and haven't been able to find any matches. I need it to
> > run vmware player on kali linux. Any suggestions on where I can get
> > this?
>
> Kali is not Debian.
>
> You should be able to install the package for your distribution using
> 'apt-get install linux-image-3.7-trunk-amd64'.

Of course, I mean 'apt-get install linux-headers-3.7-trunk-amd64' ...

Ben.

--
Ben Hutchings
It is easier to change the specification to fit the program than vice versa.

Re: linux-libre - are we collaborating with them?
On Tue, Mar 26, 2013 at 02:52:37PM -0400, Kẏra wrote:
> I think it would be great for Debian to put together a plan to eventually
> use the linux-libre kernel by default.

In an ideal world, we could run our computers using only free firmware.
In the world as it is, all our computers run non-free firmware[*], and
there is rarely any commercial incentive for hardware vendors to change
that. Where firmware is not installed in non-volatile memory it must be
loaded via the kernel.

* See <http://mjg59.livejournal.com/91123.html>

> If i understand correctly, the
> linux-libre kernel doesn't just remove proprietary blobs from the kernel,
> but also attempts to reverse-engineer them so that functionality isn't
> always just lost.

Really, could you point to an example of this?

> If Debian were to join the efforts of keeping linux-libre
> up to date, it seems like it would result in a more functional Debian
> before adding the proprietary bits. The only reason to not just make the
> switch is that I think Debian should help bring (and keep) the linux-libre
> kernel up to date with the mainline kernel.

linux-libre is fundamentally in disagreement with the Debian Social
Contract. Debian respects the rights of users to choose non-free
software. linux-libre does not.

Ben.

--
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking.
                                                         - Albert Camus

--
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20130326213450.gp9...@decadent.org.uk

Re: Revising the Code of Conduct
On Tue, 2013-05-21 at 10:32 +0200, Wouter Verhelst wrote:
[...]
> The Debian mailinglists exist to foster the development and use of
> Debian. This Code of Conduct exists to help towards that goal.
>
> In particular, the following rules should be adhered to by participants
> to discussion on Debian mailinglists:
>
> 1. Do not flame, use foul language, or in general be abusive or

'flame' is slang and I suspect it is not that widely understood among
those who are unused to mailing lists. Try to find a standard English
term instead.

>    disrespectful towards other people on the mailinglists or elsewhere
>    in Debian. That type of behaviour is not constructive and can quickly
>    lead to a degradation of the quality of a discussion.
[...]
> 4. [...] You should preferably also use a
>    mailer which respects the Mail-Followup-To: header, or make a
>    best-effort attempt at respecting it manually if you don't.

I think we should give up on M-F-T; it has never been standardised and
is not widely supported.

The most annoying reply behaviour I see is people replying to one list
rather than the multiple lists I sent the original message to. We
should encourage use of Reply-to-all instead, as erring on the side of
inclusion is safer than erring on the side of exclusion.

[...]
> 6. You should avoid sending attachments; this generates a lot of
>    unnecessary bandwidth on our listservers. Instead, put the file you
>    would like to attach online somewhere and post a link.

It may be worth clarifying that this applies only to the mailing lists,
not the BTS.

[...]
> Thoughts?

I think it should incorporate the appropriate parts of the Debian
Community Guidelines.

Ben.

--
Ben Hutchings
friends: People who know you well, but like you anyway.

Re: 2nd draft (was: Re: Revising the Code of Conduct)
On Wed, 2013-05-22 at 10:52 +0200, Wouter Verhelst wrote:
[...]
> > > 6. You should avoid sending attachments; this generates a lot of
> > >    unnecessary bandwidth on our listservers. Instead, put the file you
> > >    would like to attach online somewhere and post a link.
> >
> > It may be worth clarifying that this applies only to the mailing lists,
> > not the BTS.
>
> The document would be called the "mailinglist code of conduct", and
> would be posted on lists.debian.org; I think that should be clear
> enough. Do you disagree?

Of course the title will say that, but most of it *is* also applicable
to interaction with the BTS (and bug reports can be subscribed to like
mailing lists). So I think it is worth being explicit about that.

[...]
> > > Thoughts?
> >
> > I think it should incorporate the appropriate parts of the Debian
> > Community Guidelines.
>
> I've added a "further reading" section that contains a link to the dcg;
> however, I am reluctant to turn guidelines into rules, especially over
> that document's author's explicit objections
> (<20130521121958.ga8...@enricozini.org>)
[...]

You're quite right.

Ben.

--
Ben Hutchings
friends: People who know you well, but like you anyway.

Re: KickStarter for Debian packages - crowdfunding/donations for development
On Sat, 2013-06-15 at 00:25 -0400, Joey Hess wrote:
> Charles Plessy wrote:
> > In the case of Debian, I share with others the concern of having the
> > packages as a source of revenue
>
> How about making fixed bugs a source of revenue?

http://dilbert.com/strips/comic/1995-11-13/

Ben.

--
Ben Hutchings
If the facts do not conform to your theory, they must be disposed of.

Re: PaySwarm-based Debian donations
On Mon, 2013-06-17 at 22:31 -0400, Martin Owens wrote:
> On Mon, 2013-06-17 at 19:03 -0500, Gunnar Wolf wrote:
> > site requesting user's charity
>
> You mean user's involvement. You don't want users to be invited to
> participate in Debian. Debian isn't elitist and it shouldn't care that
> the tool being deployed is money rather than time.

But donations are a gift, not a tool. You can't choose what the
recipient does with a donation, and I doubt there are many donors
willing to pay a few hundred £/$/€ per day for a DD or DM to work on
whatever the developer thinks needs doing. (I could be wrong, of
course.)

Many DDs and DMs work as consultants or contractors. If a user wants to
use their money as a tool for Debian development, they should hire one
or more of these developers to work on the specific things the user is
interested in.

> Your argument invites exclusion and you've not made a good case for why
> out-of-band unknown-to-everyone transactions are better. Only that it is
> technically possible to do so *kind of*. And that existing Debian
> members have said they find in-band transactions distasteful.
>
> Although we don't even invite users to participate with their time. So
> we're not even good at advertising Debian to Debian users anyway, even
> if it would be interesting and good for them to do so.

We already invite bug reports, participation in mailing lists and
forums, and donations to Debian's various fund-holders.

I dare say I use quite a lot of bug reporters' time with some testing
requests...

Ben.

--
Ben Hutchings
Humans are not rational beings; they are rationalising beings.

Re: Slowdown problem of a Debian package
On Wed, 2013-06-19 at 07:58 +0900, Shigio YAMAGUCHI wrote:
> Hello all,
> I have a serious problem which is concerned with a Debian
> package. It is also a problem for Debian, I believe.
>
> If this mail is out of place, I will apologize. Although I
> looked at all mailing lists of Debian, I could not find
> any other list than here for this issue. Would you please
> tell me where I should tell it?

I think you chose the right list.

[...]
> The problem above is not a mere trouble between two programmers,
> but a serious obstacle for Free Software. Because Debian users
> are forced to use old software without any explanation.
> I guess that there are such other cases.
>
> Debian Social Contract says:
>
> "2. We will give back to the free software community"
>
> However, what was "given back to" us from Debian was a gloomy
> thing. Could you please recognize the problem and take appropriate
> measures?
[...]

The only way to override a maintainer's decision is through the
Technical Committee <http://www.debian.org/devel/tech-ctte>.

Ben.

--
Ben Hutchings
Lowery's Law: If it jams, force it. If it breaks, it needed replacing anyway.

Re: Survey of new contributors -- results
On Fri, 2013-08-09 at 10:10 +0200, Simon Chopin wrote:
> Quoting Lucas Nussbaum (2013-08-09 09:53:18)
> [snip]
> > > >Actionable items:
> > > >[...]
> > > >- have a more introductory documentation to BTS usage
> > >
> > > ...or just ease ITS contributions.
> >
> > ITS?
>
> Although I'm not sure what it has to do with the BTS, but could this be
> "Intent To Salvage" mentioned in a couple of gigantic threads in the
> fall of 2012?

BTS, but with I standing for Issue. Filipus likes to use different
terminology.

Ben.

--
Ben Hutchings
I say we take off; nuke the site from orbit. It's the only way to be sure.

Re: Buying hardware with Debian money
On Sun, 2013-10-20 at 09:11 -0700, Russ Allbery wrote:
> Lucas Nussbaum writes:
>
> > C. Laptop for developer (expected cost: 1k-1.5k EUR?)
> > =
>
> I have no particular comment on the merits of this specific request, but
> that cost jumped out at me. I don't know if systems are more expensive in
> Euros, but a System76 laptop that's more than adequate for Debian
> packaging (the Gazelle Professional, on which I'm writing this mail
> message and on which I do a bunch of my development) is only 750 USD. You
> could probably get the cost down further with some more effort, although
> the System76 laptops are nice in that they'll work properly with Debian
> without any significant mucking about.

I've long used second-hand Thinkpads, bought at about 1 year old for
£300-£400 (roughly same number of EUR) either from a friend or via
eBay. Unless this developer is maintaining a monster package like
chromium or libreoffice, such a second-hand machine should be fine for
Debian development. And I would expect that to be within the budget of
a 'first world middle-class student', though perhaps that covers a
wider range of means than I think.

Ben.

--
Ben Hutchings
Tomorrow will be cancelled due to lack of interest.

Re: Should mailing list bans be published?
On Sat, 2013-10-26 at 19:33 +, Bart Martens wrote:
> On Sat, Oct 26, 2013 at 10:46:41AM -0700, Steve Langasek wrote:
> > This led to a philosophical debate about whether bans should be made public.
> > Alexander expressed concern that having them published could be harmful to a
> > person's reputation, since employers will google your name and see that
> > you've been banned from a large project such as Debian.
>
> I join Alexander on the above.
>
> > What do the rest of you think?
>
> I suggest we keep things civil, with respect for the persons involved. It's
> really not up to Debian to harm someone's reputation, and that could reflect
> bad on Debian's reputation.
[...]

This is the same argument used to cover up all kinds of abuses. Maybe
in the case of mailing list bans the infraction is minor enough that we
should not make a public record of it, but I am very sceptical of the
argument in general.

Ben.

--
Ben Hutchings
Editing code like this is akin to sticking plasters on the bleeding
stump of a severed limb.
                                                  - me, 29 June 1999

Re: Should mailing list bans be published?
On Sat, 2013-10-26 at 10:46 -0700, Steve Langasek wrote:
> Hi folks,
>
> Was discussing with one of the listmasters (Alexander Wirt) on IRC today
> about mailing list bans, because it turns out that someone I was just about
> to ask the listmasters to ban from debian-devel had just been blocked in
> response to a request from someone else.
>
> This led to a philosophical debate about whether bans should be made public.
> Alexander expressed concern that having them published could be harmful to a
> person's reputation, since employers will google your name and see that
> you've been banned from a large project such as Debian.
>
> I think we should publish them, for several reasons:
[...]

I agree with your reasons.

Ben.

--
Ben Hutchings
Editing code like this is akin to sticking plasters on the bleeding
stump of a severed limb.
                                                  - me, 29 June 1999

Re: Updates in stable releases
Shouldn't this be on debian-release instead/as well?

On Sun, 2013-12-29 at 22:04 +0100, Kurt Roeckx wrote:
> Hi,
>
> I think in general we are either too strict in what we allow as
> updates to stable or people think it's not going to be allowed and
> so don't even try to get updates to stable.
>
> The last time I asked about this, I got this as reply:
> https://lists.debian.org/debian-devel/2013/09/msg00466.html
>
> I want to start by giving some examples of things that got updated
> in stable point releases that I know about:
> - linux was 3.2.41-2 in 7.0, 3.2.51-1 in 7.3, 3.2.53-2 in
>   proposed-updates
> - iceweasel was 10.0.12esr-1 in 7.0, is now 17.0.10esr-1~deb7u1
> - postgresql-9.1 was 9.1.9-1, now 9.1.11-0wheezy1
>
> Clearly new upstream releases are acceptable under some
> conditions. But it's not clear to me what those conditions are.
>
> The rules seem to suggest that we need a priority important bug
> in the Debian BTS. Does that mean that if upstream makes a bugfix
> release we need to file bugs in the Debian BTS for each fix that
> we consider important and backports just those bugfixes, or would
> uploading such bugfix releases be allowed?

I think it depends on how well upstream's criteria for such releases
match ours for stable updates.

For Linux 2.6.32 in squeeze, I was asked to open a bug for each
upstream stable update, briefly explaining the importance of the
changes in it. I have not been doing the same for 3.2, however.

> How about more than just bugfixes? For instance would new
> features be allowed, and in what case? It seems that at least for
> the linux kernel support gets added for new hardware.

Missing hardware support is considered to be an important bug.

> One thing I had in mind for an update to apache is to have the
> version in stable support ECDHE which the version in stable
> currently doesn't do. And I think the general feeling from people
> is that this is going to be rejected and so don't even try and
> ask.

The lack of PFS might be considered an important bug and it is worth
having that discussion.

Ben.

--
Ben Hutchings
Klipstein's 4th Law of Prototyping and Production:
A fail-safe circuit will destroy others.

Re: Plan of action for Secure Boot support
On Wed, 2014-01-08 at 08:31 +0100, Florian Weimer wrote:
> * Ben Hutchings:
>
> > However, there is now a blog post from Microsoft that supports what
> > Matthew Garrett has been saying for a while - they may revoke the
> > signature on a boot loader if signature verification is not extended to
> > the kernel, including any mechanism to chain-load another kernel:
> >
> > http://blogs.msdn.com/b/windows_hardware_certification/archive/2013/12/03/microsoft-uefi-ca-signing-policy-updates.aspx
> > (specifically point 5(b))
> >
> > This implies that when Secure Boot is enabled, only signed kernels and
> > modules can be loaded and other features that allow code injection such
> > as kexec, hibernation and /dev/mem must be disabled.
>
> We also need to use an EV certificate in the shim—not just for
> submission to Microsoft, but also for the certificate that signs GRUB
> and the kernel (item 6 (a)).
>
> The Terms & Conditions of existing EV code-signing CAs do not permit a
> code-signing end-entity certificate to be used for signing another
> certificate, so we'd directly have to embed the end-entity certificate
> used to sign GRUB and the kernel into the shim—or we'd have to ship
> the EV root CA, but that would extend complete trust to that CA. If
> we embed the end-entity certificate, we need to submit a new shim to
> Microsoft for signing each time the certificate changes (say, because
> the previous certificate expired after a year).

Presumably actual code signatures never expire (or rather, expiry
should not be checked) - as that would mean mandatory upgrades just to
keep a machine bootable. CA certificates just need to be updated so
they are valid at the point in time they make a signature, right?

> Furthermore, we need to store the keys for all EV certificates (both
> the certificate used for submission, and the certificate embedded in
> the shim) in devices that meet at least FIPS 140 Level 2. Such
> devices that are affordable, support secure, remote operation, and are
> compatible with free software environments are difficult to find.
> (But perhaps we can find a DD who agrees to keep the keys in his or
> her home and manually signs our kernels, using Windows if necessary.)
>
> I'm not sure if we can sign sid kernels because of the requirement to
> sign production quality code only.

testing/unstable is a rolling beta test for the next stable release; I
would have thought that was still 'production' in MS's terms.
experimental maybe shouldn't be signed.

> With KVM, we can boot another operating system after executing
> unauthenticated (userspace) code, so the new policy seems to force us
> to disable KVM per item 5 (b) (or extended Secure Boot to qemu-kvm,
> which is practically impossible at present because we do not have a
> signed userspace).

MS can go and stick their collective head in a blender if they expect
us to do that.

[...]
> There is also a significant technical limitation: The current
> shim/grub/kernel combination is totally untested as far as revocation
> is concerned. Fedora does not blacklist kernels with known
> root-to-ring-0 escalation vulnerabilities.

Well, that would be almost all of them, right?

> This means that you can
> just downgrade the kernel to a known-vulnerable version and lose all
> protections allegedly provided by Secure Boot (as far as the Linux
> side is concerned). On the other hand, no one really wants to fix
> this because it would mean that users cannot downgrade kernels anymore
> to deal with regressions.

I expect MS doesn't blacklist their old kernel versions, for exactly
the same reason. Or do they?

> In short, I think it is very hard for us to comply with the new
> Microsoft guidelines. It is also politically problematic because once
> we comply, Microsoft could try to claim that mandatory Secure Boot is
> not locking out anyone (because it's not just Fedora anymore).

Because there are no Linux distributions made by anyone but RH, SUSE,
Canonical and Debian?

> We could still do our own thing under a root we control, but then we
> have to decide if we want to cross-certify everyone else.
>
> We should probably continue the discussion on debian-project because
> it's not just about the kernel or technical issues.

Right.

Ben.

--
Ben Hutchings
Any smoothly functioning technology is indistinguishable from a rigged demo.

Re: GR: Selecting the default init system for Debian
On Sun, 2014-01-19 at 01:01 +0100, Guillem Jover wrote:
> [ M-F-T set to debian-vote@l.d.o, not seeking sponsors yet see below. ]
>
> Hi!
>
> I think that forcing a decision through the TC at this time was very
> premature and inappropriate, because I don't think enough effort had
> been made to reach consensus (failing §6.3(6)),

What would you consider to be enough effort?

> because the TC seems to have been trying to do design work (failing
> §6.3(5)),

Did you also read the last sentence of that paragraph?

> and because even if they do have the power to decide on this (likely
> requiring a 3:1 majority in any case if they need to override the
> sysvinit maintainers, per §6.1(4)),

The main change required to sysvinit would, I assume, be to remove the
Essential flag. I do not think that use of the Essential flag is at
the discretion of the package maintainer by default.

> I feel it's inappropriate for a small group
> of individuals to forcibly decide the global direction for the entire
> project.

Important as the init system is, it does not 'decide the global
direction for the entire project'.

> Such decisions, on issues that are as much technical as
> strategic, political or of a subjective design nature, can have huge
> implications for what contributors or other Debian-based projects
> might have to work on, or stop working on.

On the contrary, I think such decisions are precisely what the
Technical Committee is for.

[...]
> In general, I've been quite unhappy with the excessive invocation of
> the TC recently, with developers seeming to view this as a first,
> rather than absolute last, resort.
[...]

Constitutionally, a GR is the last resort in that it can overrule every
other decision. A GR can settle a decision finally but does *not*
create consensus.

So if you honestly think that more time should be allowed for a
consensus to arise, perhaps you should propose a GR that says this
issue is not ripe for the TC to decide on and sets some minimum delay
before it can be brought to the TC again.

Ben.

--
Ben Hutchings
friends: People who know you well, but like you anyway.

Re: GR proposal: code of conduct
On Wed, 2014-02-12 at 11:59 +0100, Wouter Verhelst wrote:
[...]
> ## Assume good faith
>
> Debian Contributors have many ways of reaching our common goal of a
> [free](http://www.debian.org/intro/free) operating system which may
> differ from your ways. Assume that other people are working towards this
> goal.
>
> Note that many of our Contributors are not native English speakers or
> may have different cultural backgrounds
> ## Be collaborative
[...]

Is this last paragraph complete? It is at least missing a full stop
and following blank line.

Ben.

--
Ben Hutchings
If more than one person is responsible for a bug, no one is at fault.

Re: jessie doubt debian
On Mon, 2014-02-24 at 12:46 -0300, Robson LAURINDO CACHOEIRA wrote:
> Well I wonder, why in the Debian testing (jessie), I can not go back
> to previous page with Backspace, as it did previously.

If you're using Iceweasel/Firefox, see:
http://kb.mozillazine.org/Browser.backspace_action

> This happened after an upgrade, and the problem is that I can not also
> enroll in the debian forum.

I think this must be a separate problem.

> I thank you, and excuse my english.
>
> I'm Brazilian.

The correct list for questions like this would be debian-user or
debian-user-portuguese.

Ben.

--
Ben Hutchings
Beware of bugs in the above code;
I have only proved it correct, not tried it.
                                                        - Donald Knuth

Re: Debian dev-machine best practice? was: keybase.io
On Fri, 2014-04-25 at 11:07 +0200, Thomas Koch wrote:
> Hi,
>
> I'm planning to improve my paranoia once I become a DD. For now I run Debian
> stable + backports exclusively on the machine having my private key.
> Everything else runs in a virtual machine with xpra[1] for X. I don't use
> Skype.
>
> [1] xpra package in Debian
>
> I'm longing for linux containers to become usable for noobs like me. Then I
> could move untrusted applications from virtual machines into unprivileged
> containers (running without root privileges).
>
> I was about to automate my setup of kvm+xpra when I learned more about
> containers and now consider this the best compromise if you don't use a
> separate offline machine to sign packages.
>
> What do you think?

I think there are too many local privilege escalation vulnerabilities
in Linux, to rely solely on containers as a sandbox mechanism.

Ben.

--
Ben Hutchings
Beware of programmers who carry screwdrivers. - Leonard Brandwein

Re: Can our institute become Debian Certified
On Sat, 2008-03-22 at 10:34 +0530, Abhimanyu Chauhan wrote:
> Hi
>
> Greetings from Jobs4Jaipur.com!!!
>
> First of we would like to introduce ourselves as a company based in
> Jaipur, India and working aggressively in the field software
> development. One of under development venture is to start a computer
> education training institute, which will be initially launched in Jaipur
> and then will be launched all over India. We would really like to get
> associated with you and want to start a certification course in
> association with you i.e. "Debian Certified Engineer".
>
> We would like to know whether is it possible and if yes what are the
> formalities to initiate the same. Looking for your positive reply and a
> very long association.

Debian has no such certification program.

Developing software to run on Debian is much the same as developing
software for any Linux/Unix system. The Debian-specific part is
packaging, which is tested by the New Maintainer process; however, this
also requires specific contributions to the Debian system.

You could use the NM templates
<http://alioth.debian.org/projects/nm-templates> as the starting point
for a test of packaging. However, since these are public knowledge you
would need to take care to detect candidates who are cribbing and not
finding their own answers.

Ben.

--
Ben Hutchings
Time is nature's way of making sure that everything doesn't happen at once.

Closed lists as maintainers
I hope we can agree that maintainers should be able to receive mail from any legitimate sender. However, some maintainer addresses point to mailing lists that automatically reject mail from non-subscribers (without the intervention of a moderator). The case I am painfully aware of is grub-de...@lists.alioth.debian.org, listed as the maintainer for grub and grub2.

I believe this configuration is unacceptable, but would like to check that there is a consensus on this before pressing the matter with the GRUB maintainers.

Ben.

-- 
Ben Hutchings
Reality is just a crutch for people who can't handle science fiction.
Re: Question in respect to GNU/Linux affiliation
On Sun, 2010-03-14 at 12:20 -0300, The Hickeys wrote:
> How come the GNU/Linux site does not have Debian on its free
> distribution list, and makes no mention of Debian at all it seems? Is
> this because Debian does not adhere to the GNU/Linux "Free Software
> Definition"?

Probably because of the non-free archive section. Alternately because of non-free firmware in the main section, though that will no longer be an issue in Debian 6.0 'squeeze'. Maybe you should ask them.

Ben.

-- 
Ben Hutchings
I say we take off; nuke the site from orbit. It's the only way to be sure.
Re: Help the DPL (DPL calling for help?)
On Sun, 2010-04-04 at 06:19 +0200, Michael Goetze wrote:
> On 04/02/2010 11:31 PM, Frank Lin PIAT wrote:
> > Also, Talking to the press is very important
>
> Why?

If you talk to the press they may misunderstand and misquote you but you should be able to get some points across if you state them simply enough. If you send a press release rather than waiting to hear from them, reporters will often use that as the basis of their story.

If you don't talk to the press they'll just use their imagination to fill in the details.

The former is preferable.

Ben.

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
Re: Squeeze, firmware and installation
On Sat, 2010-05-15 at 11:24 -0400, Steve Langasek wrote:
> On Wed, May 12, 2010 at 04:27:01PM +0200, Martin Schulze wrote:
> > I would rather not complicate the CD+DVD building process even more to
> > produce non-free images. There are so many images that need to be
> > created already.
>
> > I would like us to provide non-free firmware blobs that may be
> > required during installation in tarballs that can be downloaded or -
> > if this is not possible - be loaded via USB sticks, floppies or
> > cdroms. The installer would need a possibility to include such
> > firmware blobs and detect hardware again if required to continue the
> > installation process.
>
> There's a solution that seems obvious to me here, but no one has implemented
> it yet, so I must be missing something; but I'll throw it out as a starting
> point for discussion.
>
> Why don't we offer tools - either web-based or commandline - that can append
> a prepared firmware blob to an ordinary ISO in order to create an image that
> can be burned as a multisession disk? If this is technically possible - and
> I believe that it should be - then we don't have to waste mirror space,
> build time, etc. on a second set of non-free images. We would just have to
> make sure we leave enough extra room on our regular ISOs to allow grafting
> on the firmware at the end, and prepare firmware blobs in an appendable
> format.
>
> So what am I missing?

This sounds technically plausible, but presumably requires some changes in the debian-cd package.

Ben.

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
Re: [RFC] Extending project standards to services linked through Vcs-*
On Wed, 2023-08-30 at 09:46 -0700, Russ Allbery wrote:
[...]
> * GitHub allows anonymous Git cloning and anonymous browsing of the
> repository without creating an account.
[...]

Up to a point. It's rather easy to hit a rate limit when browsing anonymously.

Ben.

-- 
Ben Hutchings
Klipstein's 4th Law of Prototyping and Production: A fail-safe circuit will destroy others.