Heya,

The Perl5.10 transition has now been completed, with about 400 source
packages in testing getting updates (either by new source versions or
binNMUs). I have removed the upload block for the involved packages and
would like to thank all involved maintainers, bug reporters and the Perl
maintainer team for their help.

In the course of the perl5.10 transition, new versions of heimdal,
clamav and sendmail/libmilter have moved to testing. The release team
has planned several other, considerably less complex updates for
xulrunner, ocaml, ffmpeg, poppler and nautilus over the next weeks.

Please also note that this new perl version is the last major update to
the Debian toolchain for lenny.

Thanks,
Marc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

Hey folks,

Phew, it's been a busy time lately. It's time I gave you an update on
what I've been up to.

Interviews
----------
I've spoken to quite a few journalists in the last
month. You've probably already seen/heard some of these elsewhere, but
just in case you haven't:

* A general interview for ITWire in Australia [1].
* Another general discussion with ComputerWorldUK [2].
* A weird(!) interview with ZDNet where the journalist seemed to care
mostly about how Debian makes money [3].
* I also had a phone interview with a writer from the Register in the
UK - some of it summarised in [4], related to [5].
* I spoke with Patrick Davila on the Linux Link Tech Show, a New York
based Linux radio show [6].

I hope that I'm coming across OK in the press so far; there are a few
more people talking to me about future interviews as well.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Maintainers of packages creating or using keys potentially affected
by the recent openssl vulnerability are encouraged to write up
information, whether their packages are affected and how users
can re-generate cryptographic key material and send it to the
Security Team.

We're working on collecting this information for major packages
already, but we can't do that for the whole archive.
You should contact us in any case, even if only to affirm our
findings.

A lot of information is already being collected on
http://wiki.debian.org/SSLkeys

Once verified or acknowledged by maintainers information will
be moved to http://www.debian.org/security/key-rollover/
which is only writable by the Debian WWW group.

Please get in touch with us at team@security.debian.org.

Hi all,

You may have heard of recent troubles with SSH on Debian machines.
Alioth is handled slightly differently than the other boxes, so here's
the situation.

=2D A new SSH host key has been generated. Its fingerprint is
99:11:ed:30:03:41:ff:9f:f3:74:bd:7d:e1:8f:04:44 and the known_hosts
line reads like this:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxuVlBnTWE9+g5w/uxuk7SmNLEmXPucZz8iE8k=
E02zaBxPFdlEKJUhUkkf11qkHp9eWVRMro75IRtOJjVLQNmlKjIw+IncqGvj7bvHcAuqYAwNOhu=
StPnk/W0jwcs52TkNv7MZprRJOrprJGDMSBhovhBNXYYD8kruhQXJRLV9wBWp9p8VrokBbxl/eK=
XVuvJfyZU20JmKbyLUPdB9vfQQr9o3btwM//A61WL8sFnnu7JfetbFNGmnO+AwIew/QLs/8BOrw=
k1RwrcuKcs1ULMTgmUK8/QCpM3I9BhLYl/ypxpADiJFSbTRqqzg5xU/UkNQ3NEmXL2G2A2UWLEu=
Ud22Q=3D=3D root@alioth

=2D A new SSL key has also been generated for HTTPS. Its SHA1
fingerprint is
FC:89:CF:26:00:5E:EE:BE:54:35:6E:7A:B6:3E:C3:65:EB:17:8F:38. If you
already have the new certificate from SPI, then the Alioth key
should already be trusted.

Hi,

this email contains several important points. Please read all of it
carefully.

Due to the weakness in our openssl's random number generator (see the
Debian Security Advisory #1571 from a few minutes ago[1]) that affects
among other things ssh keys we have disabled public key auth on all
project systems until further notice.

If you operate a service on debian.org machines that requires key based
auth for instance to transfer stuff between hosts or to push rebuilds
please contact DSA[2] after you verified the keys in question are safe,
or have replaced them. We can enable individual accounts' key based
access.

Export of ssh keys from the LDAP to our machines is currently disabled,
and will be enabled only after we have cleared all ssh keys from the
database and put resonable safeguards in place to prevent people from
uploading bad keys. An announcement will be made on the mailinglist
debian-infrastructure-announce[4] at such time. There is no point
in adding new keys to the ldap right now.

Heya,

To finally finish the Perl5.10 transition, I have just used the dak
transitions feature to block uploads for a few packages (~250) involved
with it. A complete list (passed through dd-list) is attached.

I will send another mail when this transition is finished. At the
moment, we are waiting for builds for the sendmail/clamav
mini-transitions.

Thanks for the attention,
Marc