I have added the original document at the bottom, because it has not yet appeared on the official site.
Thanks for the proofreading.
Jérôme.
-------------------------------
#use wml::debian::weeklynews::header PAGENAME="April 11th, 2000" SUMMARY="signed packages; new mailing lists; direct access to Incoming."
<p>
<b>Welcome</b> to the Debian weekly gazette, a newsletter for the
Debian developer community.
</p>
<p>
Everyone has <a href="../../1999/24/#signdebs">long been</a>
aware of the existence of a <b>basic security problem in
Debian</b>: packages can be modified on the Debian mirrors
and users have no way to verify that the package they
download is the same as the one the developer uploaded to
the archive. Two ideas for increasing security have come up time and
again. The first is to add signatures inside the
.deb files themselves, which makes it possible to check that a given
developer did build a given package. The second is to sign
the Packages.gz files, which makes it possible to verify that the package
was uploaded properly. Neither of these solutions offers perfect
security. Many holes remain; for example, if a developer's
machine is cracked and the developer is not careful with their keys,
the keys may be compromised. In the past, in the traditional
Debian spirit, we refrained from doing anything because no
perfect solution had presented itself.
</p>
<p>
This problem
<a href="../../../../Lists-Archives/debian-devel-0003/msg01283.html">
resurfaced</a> this week, and the inclination is to implement
both types of signatures,
while knowing that both are too imperfect
to be able to raise the security bar a notch higher.
After
<a href="../../../../Lists-Archives/debian-devel-0004/msg00013.html">long
discussions</a> on the
<a href="../../../../Lists-Archives/debian-devel-0004/msg00188.html">
mailing lists</a> and on
<a href="../../../../Lists-Archives/debian-devel-0004/msg00245.html">irc</a>,
<b>a growing majority of people seems to be reaching a consensus
on the subject</b>. However, who is going to implement it?
</p>
<p> <b>5 new mailing lists</b> have just been <a href="../../../../Lists-Archives/debian-devel-0003/msg01812.html"> created</a>. They cover various topics ranging from porting to the PA-RISC and S/390 architectures to Dutch internationalisation. </p>
<p>
It is now possible to <b>access the Incoming directory directly</b>
via <a href="http://incoming.debian.org/">http://incoming.debian.org/</a>.
The old Incoming mirror network is going to be
<a href="../../../../Lists-Archives/debian-project-0004/msg00000.html">
shut down</a>.
</p>
<p>
IBM Global Services "Linux Support Line", in partnership with Alcôve,
will offer <b>phone support for Debian in many countries</b>.
Their <a href="http://linuxpr.com/releases/1596.html">press release</a>
surprisingly claims that Debian <i>currently leads the market (27%)</i>.
</p>
<p>
<b>The new packages</b> added to Debian this week include
the following packages plus
<a href="http://master.debian.org/~tausq/newpkgs-20000410.html">24 others</a>:
<ul>
<li><a href="../../../../Packages/unstable/mail/abook.html">abook</a>: A text-mode address book based on ncurses.
<li><a href="../../../../Packages/unstable/admin/bass.html">bass</a>: Bulk Auditing Security Scanner <b>[non-free]</b>
<li><a href="../../../../Packages/unstable/admin/debwrap.html">debwrap</a>: wrapper (overlay?) for dpkg/apt-get
<li><a href="../../../../Packages/unstable/devel/doxygen.html">doxygen</a>: System documentation for C, C++ and IDL.
<li><a href="../../../../Packages/unstable/tex/dvipdfm.html">dvipdfm</a>: A DVI to PDF translator.
<li><a href="../../../../Packages/unstable/graphics/fujiplay.html">fujiplay</a>: an interface for Fuji digital cameras
<li><a href="../../../../Packages/unstable/devel/gob.html">gob</a>: GTK+ Object Builder (GTK interface generator)
</ul>
</p>
#use wml::debian::weeklynews::footer
ORIGINAL ------------------------------------------------------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML lang="en">
<HEAD>
<TITLE>Debian Weekly News - April 11th, 2000</TITLE>
<LINK REV="made" HREF="mailto:[EMAIL PROTECTED]">
<META http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<META NAME="Description" CONTENT="Debian GNU/Linux is a free distribution of the GNU/Linux operating system. It is maintained and updated through the work of many users who volunteer their time and effort.">
<META NAME="Keywords" CONTENT="debian, GNU, linux, unix, open source, free, DFSG">
<META NAME="Language" CONTENT="English">
<meta name="Author" content="Joey Hess, [EMAIL PROTECTED]">
<meta name="Generator" content="WML 1.7.4 (06-Oct-1999)">
<meta name="Modified" content="11-04-2000 16:08:13">
</HEAD>
<BODY text="#000000" bgcolor="#FFFFFF" link="#0000FF" vlink="#800080" alink="#FF0000">
<H1>Debian Weekly News - April 11th, 2000</H1>
<p>
<b>Welcome</b> to Debian Weekly News, a newsletter for the Debian developer
community.
</p>
<p>
For a <a href="../../1999/24/#signdebs">long time</a> everyone has been aware
of a <b>basic security problem in Debian</b>: packages can be changed on
Debian mirrors and users have no way to verify that the package they download
is the same package a developer uploaded. Two ideas have come up again and
again as ways to make this more secure. The first idea is to allow for
signatures inside the .deb files themselves, which lets one verify that a
given developer built a package. The second is to allow for signed Packages.gz
files, which lets one verify that the package went through the normal
upload process. Neither of these signatures will provide perfect security.
There are many holes left; for example, a developer's computer may be
cracked and if they do not manage their keys wisely, their key may be
compromised. In the past, in typical Debian fashion, we have held off doing
anything since there was no known perfect solution.
</p>
<p>
This issue has
<a href="../../../../Lists-Archives/debian-devel-0003/msg01283.html">
resurfaced</a> this week, and there is a growing inclination to implement
both types of signatures, though both are imperfect, to allow the
security bar to at least be raised a bit higher. After some
<a href="../../../../Lists-Archives/debian-devel-0004/msg00013.html">long
discussions</a> on the
<a href="../../../../Lists-Archives/debian-devel-0004/msg00188.html">mailing
lists</a> and on
<a href="../../../../Lists-Archives/debian-devel-0004/msg00245.html">irc</a>,
more and more <b>people are reaching consensus on this</b>. Now, who will
implement it?
</p>
<p>
<b>5 new mailing lists</b> have been
<a href="../../../../Lists-Archives/debian-devel-0003/msg01812.html">
created</a>, for purposes ranging from porting to the PA-RISC and S/390 to
Dutch internationalisation.
</p>
<p>
<b>Direct access to the Incoming directory</b> is now available at
<a href="http://incoming.debian.org/">http://incoming.debian.org/</a>. The
old Incoming mirror network is being
<a href="../../../../Lists-Archives/debian-project-0004/msg00000.html">shut
down</a>.
</p>
<p>
The IBM Global Services "Linux Support Line" in conjunction with Alcôve
will now offer <b>phone support for Debian in several countries</b>.
Interestingly, their <a href="http://linuxpr.com/releases/1596.html">press
release</a> claims that Debian is <i>the current market leader (27%)</i>.
</p>
<p>
<b>New packages</b> in Debian this week include the following, and
<a href="http://master.debian.org/~tausq/newpkgs-20000410.html">24 more</a>:
<ul>
<li><a href="../../../../Packages/unstable/mail/abook.html">abook</a>: A text-based ncurses address book application.
<li><a href="../../../../Packages/unstable/admin/bass.html">bass</a>: Bulk Auditing Security Scanner <b>[non-free]</b>
<li><a href="../../../../Packages/unstable/admin/debwrap.html">debwrap</a>: Wrapper for dpkg/apt-get
<li><a href="../../../../Packages/unstable/devel/doxygen.html">doxygen</a>: Documentation system for C, C++ and IDL.
<li><a href="../../../../Packages/unstable/tex/dvipdfm.html">dvipdfm</a>: A DVI to PDF translator.
<li><a href="../../../../Packages/unstable/graphics/fujiplay.html">fujiplay</a>: Interface for Fuji digital cameras
<li><a href="../../../../Packages/unstable/devel/gob.html">gob</a>: GTK+ Object Builder
</ul>
</p>
<hr>
<p>
To receive this newsletter weekly in your mailbox,
<a href="/MailingLists/subscribe">subscribe</a>
to the debian-news mailing list.
<p> <p><a href="../../">Back issues</a> of this newsletter are available.
</p> Debian Weekly News is edited by <a href="mailto:[EMAIL PROTECTED]">Joey Hess</a>.
<HR>
<SMALL>Last Modified: Tue, Apr 11 23:08:13 UTC 2000<BR>
Copyright © 1997-2000 <A href="http://www.spi-inc.org/">SPI</A>; See <A href="../../../../license">license terms</A>
</SMALL> </BODY> </HTML>

