Hi,

there was one bit about the handling of the freeze that was not well
communicated in the previous release announcement:

| Packages that are present in unstable the day we freeze will be
| automatically allowed into testing, that is, the freeze date (next
| weekend) does not mean your package should be in testing by then,
| but only in unstable.

I'm sending this in a mail by its own because I think it's very
important we avoid uploads like this:

* Urgency high to meet freeze deadline.
* Urgency medium to try to beat the release.
* Urgency high to reach testing in time before freeze.

Not only these mean they'll get less testing in unstable, but they sound
as if the uploads were prepared in a hurry, which means higher chance of
bugs. Please take the extra few days to **test your uploads well**!!

(If you mistakenly abused urgency as above and would like to, feel free
to send a mail to -release asking for a full 10-day waiting period.)

Thanks,

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi *,

Normally, you'd have a pithy comment about how we're writing to you with
lots of info and things. However, due to the timeline, please accept the
small picture below:
______________________
< We freeze next week! >
----------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||

Hi!

It's been a while since my last bits post, rather longer than it
should have been. Sorry. :-( I blame the idiot who suggested a big
survey of the teams in Debian. Oh, wait...

So, what's been happening?

The teams survey
----------------
I won't bore people with all the details again - I've already
announced them once [1]. Most of our teams seem to be working OK, but
many could do with more help and some have real problems. I'm going to
be working through my list of actions in the coming weeks and
months. Chief amongst them will be to help identify the places where
new people can help; many people have been asking already.

There was a followup to the survey - a brief piece in the Register[2]
unfortunately focussed a great deal on just one part of my write-up,
but I suppose that's probably to be expected sometimes.

I'm waiting on a few more press interviews (about the survey and other
topics) to happen in the upcoming weeks; I'll pass on pointers to them
as they happen.

Emdebian has been developing nicely over the last few months and the
time has come to produce a general status report because we are close to
having a reproducible set of working root filesystems for embedded ARM
devices to run Emdebian using prebuilt packages. Kernels and kernel
modules need to be arranged separately and the installation method will
need to be customised to the particular device at this stage. (I am
hoping to build the root filesystem tarball into the Debian Installer at
some stage.) Only ARM is supported at this time (ARM as in the current
Debian ARM port, not armel).

During DebCamp and DebConf8, I will be working on the issues set out
here as well as the ongoing development of TDebs with Christian Perrier
and the Debian i18n team.
http://www.emdebian.org/emdebian/langupdate.html

Hello All,

As part of the 9th Debian Conference in Mar del Plata, Argentina, there
will be OpenPGP (pgp/gpg) keysignings. If you intend to participate in
the DebConf8 keysignings, please send your ascii armored public key as
explained at [0] not later than 23:59 UTC on Saturday 26th of July,
2008.

More (and up-to-date) information is available at [0], so keep watching
it.

[0] http://people.debian.org/~anibal/ksp-dc8/ksp-dc8.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkh8k3UACgkQgY5NIXPNpFVtvgCfROe+u2ol+UYH2+AXTM9j3YaE
2wQAnAogD1H1vbWn4tc9fe8JlEuYCDeP
=q2tN
-----END PGP SIGNATURE-----

Hi

following our "Bits" mail[1], where we asked for volunteers, we just
added a new member to the team. Everyone, please welcome our new
FTP Assistant Mark Hymers!

[1] http://lists.debian.org/debian-devel-announce/2008/05/msg00012.html

=2D-=20
bye, Joerg

PS: JFTR - there are still two volunteers, so *possibly* two more
candidates.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Joerg Jaspert debian.org>

The news are collected on http://wiki.debian.org/DeveloperNews
Feel free to contribute.

Advice on quilt usage and compatibility with new source format
--------------------------------------------------------------

To prepare a future switch to the "3.0 (quilt)" source package format, I
tried to convert the whole archive and to rebuild the packages
afterwards. This resulted in lots of improvements on dpkg-source as I
adapted the code to make it support many of the existing build setups but
not all problems could be fixed on the dpkg-source side. I filed a bunch
of bugs[1] for packages that need additional changes. To ensure
compatibility with the new source format, please try to follow the
guidelines below.

For packages already using quilt:
* Make sure that all patches apply with -p1 (and not -p0). This is the
default in quilt but some manually imported patches are only applicable
with -p0 (and...

Hey folks,

As you may remember, back before I started the DPL job I promised to
run a survey. Then I pestered a huge number of people to answer a set
of questions and get back to me. I've taken longer than I hoped to
read through all those responses and summarise them, but finally I'm
done. As I said at the time, I'm *not* going to go into great gory
detail about individuals or specific teams here and now. Many of the
surveys include personal information and I promised to protect
that. Instead, this is just a summary of the results. I'll be
following up in more detail with various of the teams in the coming
weeks. If you have any questions in the meantime, please feel free to
contact me.

So, enough of the disclaimers... :-)

The raw numbers
===============

Likely affected: any unstable/testing system that has 'debsums' installed
Possibly affected: any unstable/testing system

Today a Debian Testing Security Announcement [1] was published describing
an issue where files may have gotten world readable/writable/executable
permissions due to a bug in perl 5.10. As not everybody reads DTSAs, it
seems proper to give this issue a bit wider publication.

The issue was first spotted by Joey Hess and myself for terminfo files
from the ncurses-base package [2] and traced to debsums being run by APT
during post-install. From there, Ben Hutchings traced it to a bug in the
function File::Path::rmtree in perl 5.10.

So far the issue has only been confirmed for the use of File::Path::rmtree
in debsums, but in theory any program using that function can result in
files with incorrect permissions.

Although the cause of the bug has now been fixed, many systems may still
have files with incorrect permissions around and thus be vulnerable to
attack. Checking if your systems are affected is strongly recommended.

Please see the DTSA [1] for further details.

Just to be clear: systems running stable (etch) are NOT affected.

Hi,

the New-Maintainer Front-Desk is proud to announce the addition of two
new members to its ranks. Wouter Verhelst debian.org> and
Michael Koch debian.org> have accepted the invitation to join
the team.

Welcome on board!

Christoph,
on behalf of the current FD members
--
cb@df7cb.de | http://www.df7cb.de/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIY7OHxa93SlhRC1oRAtV6AKCv4qG8XhtMI0UXNc9uLrx8AnYFsQCgiJJq
SnSgMRX9lqs7V4n6pws2Ve4=
=YPTb
-----END PGP SIGNATURE-----