Re: Sleeping mode problem ( debian 12 bookworm )

2024-03-05 Thread Gunnar Wolf
Hello Mansour,

Mansour Nasri said [Tue, Mar 05, 2024 at 10:27:59AM +0100]:
> Hi I'm using debian 12 in Lenovo yoga legion core i5 12th gen with Nvidia
>  RTX 3050 and I'm facing a serious using debian 12 on this PC,
> When the PC is on sleep mode ( suspend ) it doesn't wake up anymore until
> forcing shutting down and this each time the PC turns on suspend mode, (
> fastboot are disabled )of course, the PC wake up but the screen is totally
> black nothing displayed on the screen, ( installed Nvidia drivers from the
> APT repo ).
> 
> "on my old PC dell i7 10th I never had this kind of issue",  please help to
> resolve this problem I really don't want to back to windows anymore. Thank
> you so much

This mailing list is _about_ the Debian project (i.e. organizational
discussions about how we work together _as a group of volunteers_).

Your question is technical-oriented. I suggest you post your question
in the debian-u...@lists.debian.org list.

Greetings,



Re: Community renewal and project obsolescence

2024-01-04 Thread Gunnar Wolf
Mo Zhou said [Thu, Dec 28, 2023 at 02:02:18PM -0500]:
> > Thanks for the code and the figure. Indeed, the trend is confirmed by
> > fitting a linear model count ~ year to the new members list. The
> > coefficient is -1.39 member/year, which is significantly different from
> > zero (F[1,22] = 11.8, p < 0.01). Even when we take out the data from
> > year 2001, that could be interpreted as an outlier, the trend is still
> > significant, with a drop of 0.98 member/year (F[1,21] = 8.48, p <
> > 0.01).
> 
> I thought about to use some models for population statistics, so we can get
> the data about DD birth rate and DD retire/leave rate, as well as a
> prediction. But since the descendants of DDs are not naturally new DDs, the
> typical population models are not likely going to work well. The birth of DD
> is more likely mutation, sort of.

Five years ago, I got a paper published where we analyzed and made
some forecasts on the curated Web-of-Trust keyrings in Debian:

https://jisajournal.springeropen.com/articles/10.1186/s13174-018-0082-7

I did the first part of the article, but the part that better fits
what you are describing was done by my coauthor, Víctor González (who
understands about statistics way better than me).

Anyway, it does not also answer to the exact question you are
presenting --- we there studied the lifetime of keys, and left for
later analysis a way to link said keys into people, in order to map
the life trajectory of an individual in the project. But it might
still be interesting or useful for your analysis.

> Anyway, we do not need sophisticated math models to draw the conclusion that
> Debian is an aging community. And yet, we don't seem to have a good way to
> reshape the curve using Debian's funds. -- this is one of the key problems
> behind the data.

And I think this is hardly an unexpected outcome. There are many
social and technological patterns that define us as a 1990s project
that continues to live and thrive, but not necessarily with the best /
most up-to-date tooling.



Re: Upcoming EU Legislation (Cyber Resilience Act and Product Liability Directive)

2023-11-12 Thread Gunnar Wolf
Ilulu said [Sun, Nov 12, 2023 at 01:58:42AM +0100]:
> Hi Debianites,
> 
> as a result of our discussions on DebConf23 and MiniDebConf Uruguay I
> would like to alert a broader audience to some proposed legislation in
> the European Union. I think Debian should take a public stand in this
> debate. I would like Debian to discuss and decide about making a public
> statement, as drafted here below.
> 
> Regards,
> Ilu

FWIW, in case you are not subscribed --- Santiago Ruano forwarded this
proposal to the debian-v...@lists.debian.org mailing list. Please
consider seconding it. Of course, I hope the Secretary agrees this
should constitute a call for votes and accepts our seconds, and starts
the GR process.




Re: Questionable Package Present in Debian: fortune-mod

2023-08-18 Thread Gunnar Wolf
Dominik George said [Fri, Aug 18, 2023 at 11:43:03PM +0200]:
> > So, let's at least be consistent.
> 
> Totally agree with that.
> 
> Debian is not a collection of harmful content, it is an operating system.
> 
> But, unfortunately, there are too many people in the project who think, in the
> name of "free speech", protecting racists, nazists, and anarchists is more
> important than protecting PoC, jews, or other minorities.

As a Jew myself, I often find that quoting bits of Mein Kampf _protects_
Jews. Why? Because it is full of contradictions.

(And... Yes, I have a printed copy of the book at home; I was curious to read
it. It is an easy read, but I'd never consider it high literature or even
instrumental to the third reich's rise to power... but that's a completely
different topic)



Re: debian image questions

2023-08-06 Thread Gunnar Wolf
Bill Miller said [Sun, Aug 06, 2023 at 08:42:21AM -0400]:
> Just like that;
> 
> When Apple makes a new OS or IOS I do not need to download anything. I go
> to update, it will ask me if i am sure i want to install a new OS. it warns
> me that all my stuff will be lost if i change my OS. It will then ask me
> for my password. Once i put in my password, up comes a box reading "wait"
> and in about 20 to 90 minutes later the device resets and comes back on and
> the new OS is on, up and, running. No downloading, no cd, no usb drive. I
> dont need to know anything about tech or computers to go from one old OS to
> another new OS.

Besides what others have answered to your question, let me point something out
here: I had a couple of Apple computers about 15 years ago. I remember that when
we bought one of them, the system was installed, but we got a set of CDs with
the update to the new version. It had just been released a week or so ago, and
Apple was _so much better_ than Windows because the newer OS release was
included for free!

But yes, you had to manually start the install process. And I don't remember
it, but as you say, it will probably wipe your data, or something might not work
afterwards.

Debian basically *invented* the worryless, over-the-network updates. My current
desktop computer was originally installed in 2005, when I started working at my
university. I have upgraded the OS since then. I have even moved the data from
one computer to the next. Debian achieves what MacOS and Windows (and many Linux
are incapable of dreaming: We can ask the system to update itself _and keep
working_. We don't have to worry. It basically just works™.



Re: Re: Consultation on license documents

2023-03-18 Thread Gunnar Wolf
[ Dropping the Cc: to debian-u...@lists.debian.org - Please don't
  cross-post if you can avoid it! That is, please don't send the same
  mail to multiple mailing lists ]

刘涛 said [Sat, Mar 18, 2023 at 10:49:34AM +0800]:
> Oh my god, I'm so sorry. I originally wanted to say that every
> software package in Debian will have a "copyright" document, but the
> input method was mistakenly typed as copyleft. Because I found that
> every package in Debian will have a "copyright" document, but not
> every package has a "license.txt" document. So I want to confirm
> that we users want to know the license usage of the software
> package, which document should prevail. In addition, when the
> license information declared in the two documents is inconsistent,
> how should we deal with it, and which document shall prevail.

My first answer to this question was "/usr/share/doc/PKGNAME/copyright
is authoritative and should prevail", but on a second thought, I must
agree with Theodore Ts'o, who rightfully said:

I am not a lawyer, and even if I were a lawyer, I am not *your*
lawyer, so I am not in a position to give legal advice.  If you
want an authoritative opinion, you will need to find a lawyer who
is willing to give you formal legal advice, and they will very ask
to be paid in order to give you that opinion.

So... There is no one-size-fits-all answer here.

But if you find a /usr/share/doc/PKGNAME/copyright document being
inconsistent with a license.txt file (or with any licensing header
included as part of any of the files, or whatever like that), please
file it as a high-severity bug!

Greetings,



Re: Consultation on license documents

2023-03-17 Thread Gunnar Wolf
Greg Wooledge said [Fri, Mar 17, 2023 at 09:36:26AM -0400]:
> > 2. I found that each software package has a "Copyleft" document,
> > and a lot of license information is also listed in this
> > document. Therefore, I would like to ask, when the two documents
> > "license.txt" and "Copyleft" exist in the software package at the
> > same time, which one should the user take as the basis, and how to
> > deal with the situation where the declared license information of
> > the two documents is inconsistent, Which shall prevail?
>
> The term "copyleft" is used by GNU (specifically Richard Stallman, I
> believe) to describe the GNU General Public License (GPL).  I've never
> seen that term used in any other context.  It's certainly not the name
> of any file present in Debian packages at large.

The term might have been _coined_ by Richard Stallman, but is quite
used throughout the Free Software communities. Any license which (as
the GPL does) requires all further distributions of derivatives of the
original work under the same terms (particularly for software,
including full sources and the right to modify them) are termed
copyleft in general; non-code licenses such as the Creative Commons
(share-alike variants) are also copyleft licenses.

> > 3. If the software package only contains "Copyleft" documents, can
> > users refer to the license information declared in this document?
>
> Again, the license(s) are in the "copyright" files, one per package.

Right. I would add to your initial explanation that, having a
/usr/share/doc/PKGNAME/copyright, having any other files installed as
part of a binary package with licensing details can be considered a
bug, and only /usr/share/doc/PKGNAME/copyright should be considered
authoritative in a Debian system.



Support for non-free-firmware in project webpages

2023-01-19 Thread Gunnar Wolf
Hello,

I was asking around in IRC about moving firmware packages to
non-free-firmware, and was referred to Cyril Brulebois' message from
two days ago¹ — Seems the wheels are finally turning to populate it!

¹ https://lists.debian.org/debian-boot/2023/01/msg00150.html

As of right now, we have only one package in that suite, and it's
somewhat hard to debug from there ;-) But I think it's time to bring
the fact that non-free-firmware has to be enabled in several of our
webpages to collective attention.

A couple of months ago I opened #1021728 to have the new suite enabled
in tracker.debian.org. Raphael Hertzog moved some bits and asked some
questions (which I left unanswered :-( Sorry!). But now, checking
onwards from there, I find packages.debian.org, buildd.debian.org and
qa.debian.org still don't recognize it:

https://packages.debian.org/source/unstable/raspi-firmware
https://buildd.debian.org/status/package.php?p=raspi-firmware

https://qa.debian.org/developer.php?email=pkg-raspi-maintainers%40lists.alioth.debian.org

In IRC, Holger also mentioned:

- wiki.debian.org has no pages with the term `non-free-firmware' in
  them
- www.debian.org (plus its translations) mentions them, but only for
  the vote (english/vote/2022/vote_003.wml) and following announcement
  (english/News/2022/20221217.wml)
- tests.reproducible-builds.org/debian does not yet include it
- Neither debian-policy nor developers-reference know about it
- piuparts in unstable now supports it (although piuparts.debian.org
  is not yet testing it)

So... I'm going to try to push some of those bits, but wanted this to
be in the collective eyes as well :-] Please document other omissions,
or help fix them!


  Greetings,

-Gunnar




Re: Fortunes-off - do we need this as a package for Bookworm?

2022-12-14 Thread Gunnar Wolf
Andrew M.A. Cater said [Wed, Dec 14, 2022 at 07:33:53AM +]:
> (...)
> The utility of a separate package depends on how much work it is to 
> produce it. That was the renaming bug that jmtd fixed, I think.
> I think removing Hitler/Goebbels quotes from an obscure game is worthwhile:
> it stops any association / any *Debian encourages Nazism* and means that we
> don't have to worry about hosting it anywhere at all.

Although during this discussion it was shown via several examples (and
not one counterexample TTBOMK) that, while fortunes-off does have
nazi-leaders snippets, it's not something that can be read as
endorsing those views, but just the opposite -- either ridiculing
them, pointing out how flawed the ideas were, or somesuch.



Re: Question about contributing to debian financially.

2022-11-15 Thread Gunnar Wolf
Hello Zeke,

Zeke Williams said [Tue, Nov 15, 2022 at 08:36:15AM -0500]:
> I'm considering in the future, funding the debian project financially.
> More specifically, helping fund hiring package maintainers for
> orphaned packages as well as individuals who can maintain the security
> patches. How can I help? Or rather, how would I be able to help if I
> wanted to help in the future?

First and foremost, thanks for your interest in helping Debian!

Debian is defined –and proud– to be a volunteer-based project, that
is, we don't hire and have never hired people to do our work,
technical or otherwise. If you donate funds to Debian, we will most
likely use them in hardware for the different project activities,
hosting and connectivity, or travels for Debian conferences /
miniconferences.

If what you want to do is to ensure a given area of the project is
well maintained, you can hire Debian Developers or Maintainers, and
pay them to improve the areas you feel to be more important.

There are many cases of individuals and companies donating to Debian
in both ways; perhaps the most visible is the Freexian's "Long Term
Support" for Debian releases.




Re: salsa accounts

2022-11-04 Thread Gunnar Wolf
Alberto Salvia Novella said [Fri, Nov 04, 2022 at 05:48:50PM +0100]:
> Before emailing this list I requested account creation three times, read
> the wiki twice, emailed the admins once, and asked on IRC once too. Now
> asking on IRC again without response, not counting the emails on this list.
> 
> Either you point me to a reasonably simple way to create an account, or I'm
> sorry I'm no longer interested.

Nobody will force you to volunteer your time to Debian.

You have been given several replies as to why your registration has
not succeeded, and ways forward as to how to proceed. If you are
already fed up with us and don't want to follow the suggestions given
by other Debian volunteers, well... the free software world is quite
wide, and I'm sure you will find other groups with whom to
collaborate.

If you are willing to accommodate to Debian's reasons (that is, the
reasons for the people that have to answer to specific requests), you
will be able to get your account created.



Re: How do you manage debian mails on your mailbox?

2022-08-29 Thread Gunnar Wolf

Hello Nilesh,

Nilesh Patra said [Sun, Aug 28, 2022 at 11:07:07AM +0530]:
> I have used my primary email address with folder hooks to sort out mails
> according to mailing lists/subjects, using folder hooks and read those folders
> every once in a while (depending on how involved I am with each ML/team)
> However, despite that I am seeing quite a bit of debian stuff in
> my inbox (sometimes there is an insane amount of noise there)
> and it distracts me when I want to be doing something else, and end up reading
> thread after thread which I _should_ save for later.
> (Yeah, maybe you can blame me for it :))
> 
> So, two questions:-
> - Do you use your primary email address for debian stuff as well,
> or is it a different one?
> - Do you have any sensible way to cope up with so many mails from
> different mailing lists and not potentially miss out on something important?

I have several mail addresses (the main ones are gw...@gwolf.org,
gw...@debian.org, gw...@iiec.unam.mx, sis...@gwolf.org), but they are
all forwarded to the first one. I have a set of Procmail filters¹
sorting my mails into different folders (I currently have 133
folders).

¹ I know I should be moving away from procmail,
  https://www.enricozini.org/blog/2022/debian/migrating-from-procmail-to-sieve/
  
I do sort my mail according to destination mail address; my work mail
(@iiec.unam.mx) has a set of sub-folders, as well as my teaching one
(sistop@).

A long time ago, and for various purposes (mainly detecting where I
got from to spam databases, but also for organizing information) I use
the '+' local addition (so that I can ask things about a given project
to be sent to gwolf+proj...@gwolf.org); I noticed many sites dislike
'+' as part of a mail address, so I configured postfix with:

recipient_delimiter = +.

so I can also use the less "controversial" gwolf.otherst...@gwolf.org.

Other than that... well, I used mutt-ng until "regular" mutt got a
sidebar showing mailboxes and read/unread counts (attaching a
screenshot... Odd thing to do here! ☻)

My setup might be far from beautiful, but I've grown very used to it
:-)


Re: Working for Linux/Debian

2021-08-04 Thread Gunnar Wolf
Hello Zayd,

> I hope that you are doing well. My name is Zayd. I am currently in
> the midst of a career change. A couple of years ago, I discovered
> Linux and realize that I have a passion for it. I have already
> completed my Bachelors degree. I recently also completed an
> Introduction to Linux course through the Linux Foundation. I was
> looking at different jobs and realized there are many different
> Linux Engineer positions available. I, however, do not have the
> necessary experience and qualifications. This is something that I
> would like to pursue and was wondering if you can give me
> information about pursuing a career in Linux.

There are way too many companies that employ Linux for their
day-to-day operation; I would not know where to start, and it would be
foolish of me to point you at one of them without first knowing what
do you enjoy doing with Linux. Are you interested in becoming a
programmer? A systems administrator? A network administrator? Aiding
the adoption of Linux in the desktop? In documenting software use?
etc. Each of them points to a completely different career -- with a
completely different entry point.

> I enjoy and use Debian but I wasn’t sure who to get in touch with
> this. If you do not have the information, can you point me in the
> direction of someone either at Debian or elsewhere who could help me
> learn how to get into a career with Linux Administration or Software
> Development geared towards Linux. Thank you and best wishes!

Debian is not a company, and has no employees at all. There are
several companies, of course, that employ people to work for Debian in
different ways -- but Debian itself cannot be the workplace you are
looking for.

I see here you do mention "Linux administration or software
development" -- OK, I lacked some reading when writing my first
paragraph ;-) Try to think what areas you know (and enjoy) most, and
build a profile around those specific areas. That will help you narrow
down your search!



Re: Keysigning in times of COVID-19

2020-08-08 Thread Gunnar Wolf
Adrian Bunk said [Fri, Aug 07, 2020 at 04:46:18PM +0300]:
> Why are you requiring key signing at all when it has no defined semantics?
> 
> Many DDs check only the government issued photo ID for signing a key and 
> this is also how keysigning parties work, but if this is considered 
> optional there is no defined meaning to a signature.
> 
> If you as DAM do not have a problem if DDs have own policies that do not 
> require checking a government issued photo ID, then I do not see why the 
> key signing requirement exists at all.

FWIW, and as I said in my other mail - Each of the three keyring-maint
members have different policies.

The word "trust" also has many different meanings and values, but we
treat it as a binary thing here - Do two people trust the person
controlling 0xDEADBEEF to be Gunnar Wolf or not? If so, we
accept. If not, we don't. And yes, we have made some exceptions and
jumped through some hoops to adapt to reality, but that's the trust
level we can impose without our requirements breaking down into chaos.

We had quite a hard time in 2015 when we did the <2048b purge. But we
managed not to loosen our requirements.



Re: Keysigning in times of COVID-19

2020-08-08 Thread Gunnar Wolf
Hello Enrico, and thanks for bringing the discussion over here.

Enrico Zini said [Thu, Aug 06, 2020 at 05:54:21PM +0200]:
> Hello,
> 
> we have people approaching Debian with a lack of GPG signatures, and we
> generally cannot ask them to travel and meet other developers in person
> to get their key signed.
> 
> Technically, we are not requiring that people meet a DD in person, only
> that people have their key signed by a DD.
> 
> Technically, every DD has their own policies for signing keys, which
> could go from not requiring meeting in person at all, to requiring to
> meet in person multiple times. It might require to check a government
> issued photo ID, or it might not.
> 
> Practically, I feel like most of the time people's policies match what
> are the perceived expectations of the rest of the project. Meeting in
> person has always been a good safe bet, if only for the reason that it's
> been accepted without question for many years.
> 
> It's time to review those expectations.
> (...)

Enrico brought up this topic to DPL, DAM, front-desk and keyring-maint
about two weeks ago. I will copy over what I answered back then:

We have been rehashing many of the (great) arguments you present
every now and then since... At least, I remember the point being
brought up after the Yuge KSP from HEL at DC5, and the
Transnational Republic incident of DC6.

Our guidelines have been for many many many years that "everybody
is free to set their own policy — but please be sensible and
careful". We have never sent out an official announcement, either
from DAM or from keyring-maint, about it... but AIUI we have been
basically in agreement and explicitly said so at KSP introductions
(I have, repeatedly).

We have often mentioned positive examples (i.e. pseudonymous
community members we completely trust). We have mentioned the ease
to acquire forged or plainly fake official-looking IDs.

So, where do I stand? I try not to sign keys for people I cannot
recognize without looking at their papers. That means, my signing
resembles a lot my group of friends, the group of people we meet year
after year in DebConf, plus some others I've bumped into now and
then. IDs? Show them to me, I don't really mind, I have done many
signings without looking at IDs. I know first-hand¹ that forging them
is very easy.

I also know some of our friends have a made-up identity. Some of those
identities are close to twenty years old, at least. That's worth the
same as a birth-given name in my book...

And yes, I have often refused to sign people's keys when they approach
me at a DebConf if we have not held significative interactions in the
past. I usually insist that I do not sign at a first
meeting. Although, yes, if meeting somebody at other occasions,
specially given Latin America is a quite PGP-sparse region... I tend
to be a bit more flexible, to aid people getting connected and start
contributing.

And... Well, to the point at hand: Yes, I do think we have to rethink
our policies. I don't have an answer right now, and most likely, I
won't sign any keys during this DebConf. But as more of our activities
are conducted online, we will have to start trusting videoconferences
to prove identities.

(of course... given deepfakes have been getting better and
better... who knows? :-\ )

¹ If you must know, >25 years ago I paid for a passport I should not
  have received. My personal data was correct, but back then, my
  country required a military service "clearance" I didn't have. I am
  not proud of having paid for an illegal document, and would not do
  it again. But it's part of what I learnt, and I am sure my
  experience would not change _too much_ going to other
  countries. More money to spend, perhaps...




Re: Request to Mini DebConf Montreal Organizers: Fight Israel not the DC20 Team

2020-02-20 Thread Gunnar Wolf
Ian Jackson said [Thu, Feb 20, 2020 at 11:50:26AM +]:
> Ansgar writes ("Re: Request to Mini DebConf Montreal Organizers: Fight Israel 
> not the DC20 Team"):
> > I think the announcement by the organizers framed the conference as
> > being organized specifically to support the BDS movement, a movement
> > that is uncontroversially seen as antisemitic.  They could have chosen
> > not to frame the announcement this way, but they did not.
> 
> The BDS movement is not antisemitic.

*sigh*

I would love to invoke Godwin here. But, after coming back to the
issue (no, I do not think this content shouis relevant to
debian-project... And yes, I started writing this mail twice and
decided not to send it... But it still itches quite wrong... And I
have to reply, sorry)...

BDS is not antisemitic, but stirs antisemitism. Not by design. Not
because it is meant to. But as an unescapable side consequence.

Many among us (us == people with Jewish origins) have felt it. Many
people recognize Israel to be not-exactly-the-same-as-Jewish. But many
people don't. And I have seen BDS being (wrongly) applied to
businesses run by non-Israeli Jews in countries other than Israel.

Many Jews throughout the world and many Israelis stand firmly against
the many injustices the Israeli government carries out. But many
people do not understand the great distance between one thing and
the other — Why should they? Really, defining our nationality is a
difficult and thorny topic. It took me at least 25 years to come to
terms with who I am and not take strong distance against parts of it
(and I don't participate in any religious nor communitary aspects of
judaism in my country).

I won't chase my own tail anymore in this post. Let me just repeat
something that's as incontrovertible as can be, given that I have felt
it.

BDS is not antisemitic, but stirs antisemitism.




Re: Announcing miniDebConf Montreal 2020 -- August 6th to August 9th 2020

2020-02-19 Thread Gunnar Wolf
Holger Levsen said [Wed, Feb 19, 2020 at 11:02:06PM +]:
> (...)
> > Agreed to those (as I also said at the time). I think it was obvious to
> > us early on in the DC20 decision process that we'd want to do this
> > privately. We should have announced that.
> 
> absolutely. I still don't think it was right to have this decision in private,
> but at least announcing it earlier would have been better.
> 
> (I do think having the decision in private was necessary because else the 
> decision would not have been made that way. But I might be wrong on that.)

As I said in some other mail... I was part of the deciding team
several times. We have often had non-official side channels to discuss
bits we see, even to do the casual wry comments to the close friends
we interacted with in the process we would not make in the
open. There has always been some level of private communication around
the decision.

> even if they were not ready at the 2nd review meeting, I don't understand why 
> you
> don't have a 3rd review meeting and instead now think it's need to decide this 
> in private again.
> 
> can you explain?

Because after the 2nd review, we asked all the teams to update some
bits. They pushed forwards. Now the decision is nearly final (it burns
my fingers and I'd love to announce it, I guess we will communicate it
in this week). But we have to write it as a joint thing, taking care
of several bits in the process.

There is no point anymore in having a round 3. It would just waste
everybody's time.




Re: Announcing miniDebConf Montreal 2020 -- August 6th to August 9th 2020

2020-02-19 Thread Gunnar Wolf
Hello Lucas,

Lucas Nussbaum said [Wed, Feb 19, 2020 at 11:45:43AM +0100]:
> > Most probably, the results will be announced by mail (and not
> > communicated during a meeting), because the bid review process has led
> > us to need to decide in this way. I cannot speak for the previously
> > appointed DebConf Committee¹, but for the iteration I have been
> > delegated for, I can promise you we will not hide problems™ — That is,
> > once we choose, I can commit that we will not hide the reasoning
> > behind our choice. Some of it will not be full-public, as -of course-
> > it includes important human interaction bits, but all important points
> > will be made public.
> 
> You kind-of make it sound like what you promise was not done by the
> previous DC Committee. I'd like to point that details about the decision
> process and the rationale were provided after the DC20 decision.

Yes. I think I can promise that, because I think the situation to be
different to what it was a year ago. And I know I'm getting ahead of
things; I do not want in any way to put pressure on the rest of the
DCC on this account — But I think we will decide by consensus, not by
voting. And that we can share the reasoning we are following.

> See the threads in
> https://lists.debian.org/debconf-team/2019/03/threads.html
> (...)

I acknowledge the decision and communication of it was quite harder
last year than what we are facing now.

> On 18/02/20 at 23:54 -0600, Gunnar Wolf wrote:
> > ¹ The fact that one of the Committee members left it, and is quite
> >   vocal on his opposition to the choice made by it, makes it clear to
> >   me that, even if the Committee had intended to keep quiet, the truth
> >   will come out. I'm sure Jonathan can comment on the decision process
> >   as he lived it. We don't have NDAs.
> 
> I must say that I'm a bit shocked by this paragraph. If I summarize:
> - you are a member of the current DebConf Committee.
> - you take the moral high ground and promise transparency, while the
>   transparency you promise is no better than the transparency of the
>   DC20 decision process
> - you allude that the Committee that made the DC20 decision intends to
>   keep something quiet, and that there's a truth that needs to come out.
> 
> Lucas
> 
> (For context, I was a member of the Committee at the time of the DC20
> decision, and resigned on 2019-09-17, see
> <20190917135320.ga29...@xanadu.blop.info>)

FWIW, I was referring to the "other" Committee Member who left (and I
named Jonathan in the paragraph you quote). I have talked with him,
and know (at least, part of) his reasoning both for the vote and for
the resignation. I didn't talk with you, so I didn't feel it fair to
lump you together with him in "is quite vocal on his opposition" and
"making it clear to me". No, I didn't target you with my asseveration.

I am a current DebConf Committee member, as you state. I can try to
offer as much transparency as needed; I truly hope we will not need to
go to a flame _again_ to explain and understand the reasons for our
decision.

I don't say that DC20's decision was "intended to keep something
quiet" nor that "there's a truth that needs to come out". I can only
comment on what I saw as a close-but-still-outsider. I know that the
DC20 decision crosses many personal issues, and that explaining it
thoroughly will likely hurt.

What I tried to say, and probably failed to communicate, is that I
hope we show our next decision is *not* loaded with personal issues
and sore feelings. Of course, not everybody will end up happy, but I
think everybody will be able to understand and hopefully accept our
decision as correct.




Re: Announcing miniDebConf Montreal 2020 -- August 6th to August 9th 2020

2020-02-18 Thread Gunnar Wolf
gregor herrmann dijo [Tue, Feb 18, 2020 at 09:00:33PM +0100]:
> > That's good, the desire to have it public does not equate to a desire or
> > need for me to be there. IMO it's just important that this doesn't
> > happen behind closed doors again like last time.
> 
> AFAICS the process for DC20 and DC21 seems to be the same:
> - public review meetings for the bids
> - a private decision meeting of the committee
> 
> I'd be happy to learn that my impression about the planned procedure
> for the DC21 decision is wrong, I might easily have missed something.
> 
> Personally I much prefer public decisions.

FWIW, we are still pending to come to a conclusion regarding
DC21. This has been a tough process, and we will soon come to a
conclusion. Yes, I have been part of several prior DebConf
bid-choosing teams, and yes, sometimes the decisions are easier to get
to. Private (side-channel?) communication between committee/choosing
team members _always_ happens, but we have always tried to make the
reasoning available to the Debian community; this time it will not be
different.

Most probably, the results will be announced by mail (and not
communicated during a meeting), because the bid review process has led
us to need to decide in this way. I cannot speak for the previously
appointed DebConf Committee¹, but for the iteration I have been
delegated for, I can promise you we will not hide problems™ — That is,
once we choose, I can commit that we will not hide the reasoning
behind our choice. Some of it will not be full-public, as -of course-
it includes important human interaction bits, but all important points
will be made public.

¹ The fact that one of the Committee members left it, and is quite
  vocal on his opposition to the choice made by it, makes it clear to
  me that, even if the Committee had intended to keep quiet, the truth
  will come out. I'm sure Jonathan can comment on the decision process
  as he lived it. We don't have NDAs.




Re: Some thoughts about Diversity and the CoC

2019-12-21 Thread Gunnar Wolf
Martina Ferrari dijo [Fri, Dec 20, 2019 at 07:40:41PM -0300]:
> (...)

I am always sad and disheartened when this kind of thread erupts. And
I can only imagine how this hurts people that cannot just sympathize
with you, but suffer instead in their own bodies and lives the
discrimination. I am a believer of social change towards inclusiveness
and acceptance, but it's a long and very gradual process.

> It looks like that transphobia is countered with slaps in the wrist, not
> the universal rejection abhorrent views deserve. A single transphobe
> makes a community a dangerous place for trans people. Trans people are
> disproportionally affected by hate crimes: we are attacked, abused, and
> killed every day. We can't take risks: this is not a stupid debate about
> English Grammar[2] FFS, we are talking about peoples' lives and health!

I agree that the message that started this thread is abhorrent, and am
happy our community didn't leave it unanswered. I am in [VAC], so am
answering to lists quite seldom.

Now, I do _not_ share your views that "transphobia is countered with
slaps in the wrist". We have seen some important answers and sanctions
against people acting in transphobic ways. Yes, we can only react to
hurting messages _after_ the fact they were posted and cannot withdraw
them by the mere nature of our system. But other than that, the
community response to said mail (and some +1's) was quite strong and
clear. And, as I said, I believe in change. But the change must go
through many steps.

Many of us have been in social settings and grew in family
environments that eased our understanding and acceptance; some come
from different backgrounds. I hope that even the most conservative
people accept the deep humanity in the very hard decisions you and
countless others have taken regarding your identities. Even if this
talk does not convince the original poster, I hope it does slowly lead
others to understand the processes.

Of course, I agree that biting the bait and going to discuss grammar
was not the best course of action. But this particular community is
quite prone to end up discussing technicalities and minor
points. Please forgive the chain of posts that led to grammar being
brought to the table :-|

Big, warm, sincere, loving hugs.




Re: Bug Driver NC523SFP

2019-09-22 Thread Gunnar Wolf
[ Explaining to the requester this is not a support list; redirecting
  him to debian-user-spanish ]

Hello,

You sent the mail I quote below to an English-language mailing list
meant for discussing the non-technical development of the project. I
invite you to send this question to the help list for Spanish-speaking
users:

debian-user-span...@lists.debian.org

Greetings,

Sistemas Duran dijo [Sat, Sep 21, 2019 at 10:40:09AM +0200]:
> Hello;
> 
> 
> I am contacting you because there is a card, model HP NC523SFP with a
> Qlogic 82XX 10Gb chipset, that Debian does not recognize, and there are no
> drivers for it for Debian,
> 
> 
> The servers recognize it, the system recognizes it and reads its MAC, but
> does not bring it up (it always keeps it DOWN)
> 
> Card model HP NC523SFP 10GbE 593742-001 593715-001 PCIe
> 
> 
> How could I solve this problem?
> 
> 
> Thanks
> 

-- 



Re: Realizing Good Ideas with Debian Money

2019-06-04 Thread Gunnar Wolf
Philip Hands dijo [Tue, Jun 04, 2019 at 10:51:10AM +0200]:
> It occurs to me that we could establish some sort of hardship fund to
> make sure that someone who's current situation falls below some minimum
> that we could define, they would be able to apply for funding.
> 
> For example, I recently bought some refurbished Lenovo X230 laptops for
> GBP 85.00 each, mostly because that seemed cheap enough that I'd be
> annoyed if my own X230 breaks and I'd not taken advantage of that deal.
> Also, my daughters clearly need laptops.
> 
> If there's any DD/DM who's current hardware is more ancient than that,
> then if they'd like to upgrade, but cannot afford to, it seems to me
> that for a small outlay from Debian they might well be enabled to be
> much more productive.

That's something I would clearly agree to. And it's a very different
issue from paying to perform a given task - It's reaching out and
helping those that can better contribute with the project. Besides, in
the example you present, they would be quite smaller expenses for the
project than what I would expect for a finish-a-hard-task gig.

> We've also occasionally had people who've been part of the project fall
> on hard times, and I think that having the ability to quickly provide
> benevolent funding to someone who's e.g. been rendered homeless somehow,
> would also be something that we should try to make possible.
> 
> Obviously, this might well bump into rules about what non-profit
> organisations can do, so the details would need to be carefully worked
> out.

This could also work, provided it's done on an equitable basis and
not based on current/recent performance - having it as a
kind-of-safety-net. With some care so that's not a mechanism that can
be abused. And, yes, making sure it's a legal way to spend our money
(but I don't see why wouldn't it).




Re: Realizing Good Ideas with Debian Money

2019-06-03 Thread Gunnar Wolf
Sam Hartman dijo [Sat, Jun 01, 2019 at 09:02:54AM -0400]:
> (...)
> 
> With regard to Russ's concerns,
> I think that making short-term grants to work on specific projects might
> be much more achievable for us than salaries.  It reduces the factors
> he's worried about.
> I think there would still be significant risk, but not nearly as much as
> if we were actually paying salaries on an ongoing basis.
> (...)
> I actually think that Debian could possibly hire people to do our website on a
> contract without it being a huge problem.  We'd explicitly want the www
> team (or hopefully no one in our community) not to bid.  We'd want the
> www team to be guiding the process and for the contract to be about
> doing the things they don't want to or never get around to doing.
> We'd want it to be something we'd be willing to do again in similar
> circumstances, so that if it did actually change what people were
> willing to work on that would be OK.
> In that model, the www team would be more about deciding overall
> structure, making the decisions than actually going and implementing
> them.

Reading this discussion, my main thought was following the line of
finding _what_ to fund as a first point. And, of course, you and
others have touched the points. It should be about funding stuff that
would otherwise not be carried out well enough.

I am aware your example is just an example - But don't you think that
following through with this would have a sad effect on the www team:
It would be equivalent to tell them, "thanks for your work for so many
years, but we have decided it's a weak spot in the project, and we'd
be much better off if somebody else were to do it".



Re: Practicas Profesionales

2019-01-18 Thread Gunnar Wolf
Paul Wise dijo [Sat, Jan 19, 2019 at 07:43:08AM +0800]:
> > [ Mexican student asking for how to do professional practices for his
> >   university studies in some way related to Debian. Debian cannot
> >   offer much, but I can possibly coach him, as I work in a different
> >   university...? ]
> 
> Sounds like a perfect candidate for a GSoC (or possibly Outreachy) internship.

You are right - And I almost completely lack any insight on what that
means ☹ In case he contacts me, I will forward this suggestion and put
him in touch with the program admins.

Greetings,



Re: Practicas Profesionales

2019-01-18 Thread Gunnar Wolf
[ Mexican student asking for how to do professional practices for his
  university studies in some way related to Debian. Debian cannot
  offer much, but I can possibly coach him, as I work in a different
  university...? ]

Azaid dijo [Fri, Jan 18, 2019 at 08:22:43PM +]:
> Good day. I am Alberto Zayas, from the state of Puebla,
> México. I study Software Development, and I would like to do my
> professional internship with you; whom should I contact?

Hello Alberto,

The list you wrote to is run in English; I ask that we handle the
rest of our communication by personal mail only.

The Debian project is not a legal entity; it is a volunteer-participation
project, in which different people all over the world take part.

Tell me a bit more about what requirements your university sets for
doing your professional internship; I could possibly help you if you
are interested in doing something related to Debian. I am a Debian
Developer (DD) and an academic at UNAM.

I am at your service. Greetings!



Re: Appeal procedure for DAM actions

2019-01-09 Thread Gunnar Wolf
Joerg Jaspert dijo [Mon, Jan 07, 2019 at 11:27:35PM +0100]:
> Hello everyone,
> 
> One of the things that emerged from the recent discussions around DAM
> actions is that we are missing a way to review or appeal DAM's decision.
> Currently the only way to do this is running a full-featured GR, with all
> the negative side effects such a process has.
> (...)

Thank you very much, Joerg (and DAM team) for coming up with this
proposal. I have just returned to work after a month off, and my brain
isn't yet 100% wired to be productive again (WAY off 100%, I'd say),
but this really looks like a good (although perfectible - but what
isn't?) answer to our current situation.

I hope this helps the current tensions (to name them mildly) to be
relaxed and lets us sort out of the issue without further harm to the
project.




Re: Censorship in Debian

2018-12-27 Thread Gunnar Wolf
Paul R. Tagliamonte dijo [Wed, Dec 26, 2018 at 10:36:08AM -0500]:
> > So where is the difference to a closed military court or gulag general?
> 
> I strongly encourage you to read about Gulags and understand for both
> military tribunal and prison camp, the result is often death. Debian can not
> kill you. Debian can't silence you.
> (...)
> To all on this thread: stop marginalizing those who actually face death and
> life in prison for speaking their mind. The comparison cheapens their life.
> Stand up for those who have fought for our rights by not drawing such petty
> comparisons.

Of course, I don't think Norbert was literally characterizing the
situation as a gulag. I don't think anybody here thought he was. I
don't think Norbert expected anybody to have an image of him starving
to death or chilled in the steppe...

Norbert rightly mentioned several aspects he considers unfair about
the way this process went. He considered he didn't get a right to
be heard, nor notified about the process as it was progressing towards
a decision, but only notified about a final decision.

I completely agree with him.

and I don't think DAM's view, "he can reapply in six months, what's
unfair about it?", is fair.




Re: Censorship in Debian

2018-12-20 Thread Gunnar Wolf
Daniel Pocock dijo [Thu, Dec 20, 2018 at 09:31:46PM +]:
> Hi all,

Hello Daniel,

I have to chime in here fully in support of what Russ, Steve and Paul
have said. Your message starts as inflammatory and as far as possible
from any attempt to cool down issues. It starts by accusing, by
likening incomparable issues.

> At that very same moment, the anti-harassment team were censoring[2] a
> Debian Developer's blog from Planet Debian.  Chilling.

Censorship is prohibiting you to speak your mind. Norbert is able to
speak his mind - Only not using Debian's name for it.

Why was his blog removed? Was it the post you link to? Or the several
posts where he discusses games? (are they free?) Or something
completely different? I do not know - But in any case, you should have
started by *knowing* what set off the a-h team for this decision. 

> I actually looked at Planet shortly after attending that panel
> discussion and immediately noticed that Norbert Preining[3] had been
> censored.  Disappearances of Khashoggi[4] and Kamphuis[5] came to mind.

An assassination committed in a diplomatic legation with possible
involvement of the highest possible authority in a nation, or even the
murder of a person by unknown people and a country refusing to further
pursue the investigation on the issue, are in any way comparable to
kicking a blog out from an aggregator?

Please take a couple of deep breaths. Inflating the issue so much is
not helping the cause you are trying to push. Just the opposite.




Re: Conflict escalation and discipline

2018-04-18 Thread Gunnar Wolf
Lars Wirzenius dijo [Wed, Apr 18, 2018 at 04:08:24PM +0300]:
> On Wed, 2018-04-18 at 13:41 +0100, Martín Ferrari wrote:
> > I believe that a-h is the natural starting point for dealing with these
> > issues.
> 
> Most of the problems being discussed right now, and in general, seem
> to be of the sort where feelings are hurt, but harassment isn't
> happening. The situations seem to be "A did something, and B was
> offended, how do we get A and B to understand each other, and resolve
> any conflict, and get A and B to collaborate in the future?".
> 
> This implies to me that, at the least, "anti-harassment" is the wrong
> name for a team that deals with this.

This topic was brought up at the A-H BoF in Montreal. Everybody thinks
A-H's name is wrong for many reasons, but no better-suited name has
yet been suggested; in my view, A-H is far from being a team only to
deal with harassment (which would make it mostly, although not purely,
a sexism-prevention-oriented group), but should be able to work in
"hard" social interactions such as what sparked this set of threads.

But my critique to Ian's original point stands: As long as the people
involved in said "hard" social interactions post their messages to
debian-devel or debian-whatever, no conflict-prevention-body will ever
prevent that friction.




Re: Conflict escalation and discipline

2018-04-17 Thread Gunnar Wolf
Chris Lamb  dijo [Tue, Apr 17, 2018 at 07:12:26PM +0100]:
> > FSVO desperate. I agree we need it, but based on the project's current
> > level of discussions, I don't think it's a "desperate" situation.
> (...)
> This is made even more tragic in that I do not believe this is
> representative of what being a Debian Developer actually entails or
> requires.

FWIW, I agree with this. Said discussions are really nocive and far
from what we need.

> > > An effective, reliable and unified disciplinary mechanism
> [..]
> > Thing is, I believe we have several bodies / mechanisms that partially
> > cover the case.
> 
> I also am reluctant to speak for Ian (!) but I believe he is making
> the point that it is this very diversity of contact points that
> could be part of the problem.

But that's my point: Do you want to solve that by adding... Yet
another contact point? 




Re: Conflict escalation and discipline

2018-04-17 Thread Gunnar Wolf
Ian Jackson dijo [Tue, Apr 17, 2018 at 01:39:07PM +0100]:
> We desperately need:

FSVO desperate. I agree we need it, but based on the project's current
level of discussions, I don't think it's a "desperate" situation.

>  * Somewhere people can escalate a dispute involving ill-feeling,
>    that isn't debian-devel[0] or the DPL[1].
> 
>  * An effective, reliable and unified[2] disciplinary mechanism that
>    (i) promotes healing, apology and reconciliation where that is
>    feasible (ii) failing that, limits the damage done by difficult
>    people (iii) when inappropriate behaviour appears in public is able
>    to authoritatively declare and demonstrate that it is not how we do
>    things here.

Thing is, I believe we have several bodies / mechanisms that partially
cover the case. You mention in your footnotes a body that makes
recommendations that would be followed by DAM, TC or whoever.

It depends on the case at hand, but I'd say this is covered by the TC,
DAM, the anti-harassment team, the DPL (who is not burdened by this as
a single individual but as one of the potential points of contact),
specific teams that cover the different aspects of the project (say,
the ftpmasters, or the DebConf committee, or whatnot).

I believe the problem that sparked your message are the recent threads
(in d-devel, in d-private) that show conflict between Debian
contributors. However, part of the problem might be they are threads
started off... Mails. We could have said to any of those, "please
shut up here, solve your interaction issue by talking with __" -
But the threads have already started. People would keep replying to
them even if mediation was "abducted" to a specialized group.




Re: Emeritus status, and email forwarding

2017-11-17 Thread Gunnar Wolf
Enrico Zini dijo [Wed, Nov 15, 2017 at 05:46:52PM +0100]:
> I would be ok with saying that emeritus people who have a valid gpg key
> can still have email forwarding, exporting the emeritus keyring
> alongside the other keyrings, and handling email forwarding
> configuration changes via chan...@db.debian.org, and key replacements as
> usual.
> 
> It would exclude people who don't have a viable gpg key anymore in the
> keyring, or who are not interested in maintaining one, but that is
> already the case mostly anywhere in Debian, and I don't see it as a
> blocker for keeping forwarding working as long as someone is emeritus
> and has a key in the emeritus keyring.
> 
> I would also be ok saying that people whose keys in the emeritus keyring
> become invalid over time, because they expire or because they are not
> replaced when needed, move to "removed" status after a while.

FWIW some other people have expressed procedure concerns on this
topic, I am not repeating them.

We (keyring-maint) do keep an Emeritus keyring. Given it is not really
_used_, I had not checked its real status in a long time, but now I
must really take off my hat towards Jonathan - It is quite well
maintained.

It used to be a very large directory:


https://anonscm.debian.org/cgit/keyring/keyring.git/tree/emeritus-keyring-gpg?id=f6293ba7d7c4e775b3b83185e66da41f4765721f

But since Jonathan removed short keys in it (as they are keys we will
never use again and should no longer consider trusted), it became way
smaller. Current view:


https://anonscm.debian.org/cgit/keyring/keyring.git/tree/emeritus-keyring-gpg

Anyway, we could continue to receive updates for and process the
Emeritus' keyring, if any person in it was interested in doing so... I
doubt it would be the case. We can also produce that keyring together
with our updates if any infrastructure were to use it.

I have a feeling it would mostly be over-engineering, though. Keeping
the mail alias working "forever" sounds right, but I expect that any
mail update requests would still end up in a human to implement.




Re: Let's Stop Getting Torn Apart by Disagreement: Concerns about the Technical Committee

2017-10-28 Thread Gunnar Wolf
Sam Hartman dijo [Fri, Oct 27, 2017 at 08:18:48PM -0400]:
> 
> As a member of the technical committee, I've grown increasingly alarmed
> as I think about the impact of the issues that come to us.
> Yes, we're giving answers.  However, I think we are doing a lot of harm
> to the members of our community in the process, and I would like to
> explore whether we can do better.
> 
> I've written a blog entry describing my concerns.  It's on Planet, and
> you can see it at https://hartmans.livejournal.com/97174.html

I read your blog post earlier today, and it left me wanting to come
back to it. I'll take this as the cue to do so :-]

> I've reached a point where I'd like to share my concerns and ask "anyone
> else feel similar?  Anyone else want to work on solving this?"

The problem you point out is (surprise, surprise) a hard and recurring
one. I cannot look at it from the TC perspective, as even though I am
now trying to follow the public discussions in the ctte list, it would
be silly if I didn't admit to occasionally (hey, it's you who
mentioned the init system discussion!) kill whole threads when they go
over the level of detail I am comfortable in dealing with.

I understand your frustration stems from the much more recent (and
swift) issue with modemmanager. I was also surprised with the time it
took to be resolved, but the seeming uneasiness that still comes out
of this. Other than this point, from my (again: Incomplete)
perspective, the CTTE today works amazingly well and frictionless. I
am sure that Debian as a project is way more mature than when I
joined, almost 15 years ago. Makes sense: A good portion of us are
still around, and we have surely matured individually! Newcomers who
join us no longer have to grow thick skins, because that is no longer
the project's identity. Thankfully.

You mention, "our community is more important than technical
correctness". This might be, if any, the recurring lemma for the
period I have been involved in Debian. I feel we are getting much,
much better at it - But human issues are just harder. And, as a CTTE
member, you are subject to be the receiver of much of that
attention. It's easy to reach a technically sound decision, but it's
hard to uphold it without someone somehow getting sore about it. I
don't know how inevitable this is, but I recognize it happens in many
different areas. And a few sore people "hurt" more than a silently
sympathetic big crowd.

I know the domains we work at within the project are quite orthogonal,
and that's why I'm drawing a parallel with what we have done (OK, bad
joke... Anyway...) We did the keyring migration, pushing towards it in
late 2014. We had many people questioning procedures and requirements,
but IIRC only *two* felt we were pushing them aside. The decision was
unequivocally sound technically, but it hurt socially (mainly to those
that were socially or physically disconnected from the "core"). This
year, we had a sort-of-rehash with the set of DD retirement notices
(and corresponding DM retirement actions) we saw since late August. We
saw some interesting, constructive criticism in d-private; DDs can
refer to late September and early October for the related discussion
in debian-private.

And, yes, one or two sore cases will suck a lot of energy and
bandwidth. And will leave a *great* process with few but very
resounding unhappy tones clinging to it.

Anyway — If this serves in any way as motivation, I do hold the CTTE
as a *great* team in the project, and I do look up to you and others
who have volunteered and been selected to be a part of it. I am very
glad it outgrew being "just" a technical decision body and assumed its
social place, as your post shows: Technical and social go hand in
hand, we cannot expect to hold a technical decision without hurting or
empowering some of the involved parties.

So... don't know what else to say. Of course, there are no recipes. We
are just people, we are a bunch of individuals working together on
something we all think is worth our time (and that's as far as "doing
consensually things together" goes). I hope this mail (or whatever
other mails sum up in this thread) helps you feel better a sense of
togetherness and shared purpose again.




For those who care about semantics retiring, disappearing and missing

2017-10-03 Thread Gunnar Wolf
Hi all,

For a couple of weeks already, we have been having a steady trickle in
debian-private of notices of retiring DDs (around 25, IIRC). After a
bit of this, an interesting thread broke out there. Holger said today:

Holger Levsen dijo [Tue, Oct 03, 2017 at 08:53:41PM +]:
> hi,
> 
> it occurred to me that maybe retiring should indeed be that, DDs could become
> non-uploading DDs as a result from those WAT runs too. If they respond and
> state so. (So removal from the project is still an option too, maybe still
> the default, maybe not even that.) And this would indeed be something new 
> in Debian's culture.
> 
> It also occurred to me that this whole discussion should be on -project, so 
> please reply there. or maybe some other list? anyhow, anybody is free to reply
> to this mail in public.

So, yes, I also think this kind of discussion should be moved to a
public space. For the record, there were some private,
personally-identifying information being mentioned, so the d-private
thread might still be kept active.

Anyway - The reason for this activity is that during DebConf17 members
from the MIA Team, NM Front Desk, keyring-maint and DAM sat to talk
and streamline the process for following the WaT (Where Art Thou?)
mails that have long been pending. We have several developers with
long years of inactivity. This process, that IMO should be seen as
most natural, has itched some people.

So, I'm basically pushing this discussion to a public space. I must
disappear right now, but expect to chime in to the discussion later
on, provided it gains any traction and not everything that should be
said has been said.




Re: producing, distributing, storing Debian t-shirts

2017-05-01 Thread Gunnar Wolf
Martin Steigerwald dijo [Mon, May 01, 2017 at 10:13:58PM +0200]:
> > Make it fair-trade and printed by people with disabilities, like
> > we did for DC15, and it was somewhere around $8. I'd still buy
> > a shirt for $15 or so every now and then if it was a witty new
> > design and a cut of the proceeds were donated to Debian.
> 
> I would not have any issue with paying an extra fee for fair-trade, organic
> T-Shirt. That most are not at FLOSS events is a reason why I sometimes do not
> opt for a T-Shirt at all.
> 
> The very cheap approach of T-Shirt doesn't go along well with any kind of
> idealism. It's very nice to hear in retrospect that the DC15 T-Shirts have been
> fair trade – I didn't know that.

Note that "fair trade" is a quite squishy notion. Speaking as a friend
of the producer, I can assure you that the printing process of our
usual Mexican dirt-cheap shirts is as fair-trade as it can be; I
cannot assure the details for the fibers to be organic, and I won't
claim the shirt maker themselves are overly idealistic, but the
printing process itself is not a "sweat shop", but a small family
business that struggles to survive _and_ help our movement, in which
they believe.

Of course, it helps that our country's economy is way cheaper than
Europe. I make a quite decent living and earn surely quite a bit over
average (several stddevs in fact), but I am still quite close to the
USA minimum wage. So, yes, a $3 shirt provides good value to their
printers in our reality.



Re: producing, distributing, storing Debian t-shirts

2017-05-01 Thread Gunnar Wolf
Daniel Pocock dijo [Mon, May 01, 2017 at 09:00:34AM +0200]:
> Can you give an example of shipping costs from Mexico to the US and
> Mexico to Brussels (for FOSDEM)?

Bufff... It's a matter of checking the weight and asking DHL, Fedex,
and all of their kin :-| 

> I assume that if they were sent to a European country there would be
> VAT charges on arrival, between 8% and 23% depending on the country.

IIRC, it's covered within the various free trade agreements our
country has. Maybe somebody remembers better than me in European
DebConfs (I've always run away from handling monetary issues).

> I did a quick search for information on the polo shirts, I have one
> with a logo in red and the other one has the logo in red and "debian"
> in white.  Both are embroidered onto the shirt and they last a long
> time.  Here is an example[1] from China:
> 
> 500 polo shirts x $1.90 = $950
> 1500 polo shirts x $0.60 = $900
> 
> So it is cheaper to make 1500 than 500.  I wonder if they would allow
> different coloured shirts (e.g. 500 black, 500 white, 500 blue) in a
> single batch.

Those producers are best suited for high-volume production, I'm giving
you the numbers for a small, family-owned, family-worked workshop
where a DebConf run (~500 shirts among all variations) is usually the
largest work in the year. There is little economic difference per item
between printing 50 and 500.



Re: producing, distributing, storing Debian t-shirts

2017-04-30 Thread Gunnar Wolf
Daniel Pocock dijo [Sun, Apr 30, 2017 at 01:53:49PM +0200]:
> 
> Hi all,
> 
> On several occasions people have asked me about Debian t-shirts and the
> polo shirts when I'm going to an event or after seeing a video where I
> am wearing the polo shirt.
> 
> At some events there are opportunities to mass-produce things in
> collaboration with the event team, lowering costs and avoiding the cost
> of shipping into the event.  For example, the FOSSASIA team produced a
> lot of roll-up banners and three Debian banners were included in the
> batch.  Similar deals can lower the cost of t-shirt production,
> especially when the event takes place in a location where costs are lower.
> 
> A few people have expressed concern about the production of t-shirts though:
> (...)

Just my experience here:

Many years ago, my then-couple and me ran a textile printing
small-scale workshop. She still runs it, and she will print DebConf's
shirts this year (as she has repeatedly done - DebConf 6, 7, 9, 10,
13, 14, 15 and 17 shirts all went through her hands :) ). Of course,
back in the day, we printed many shirts related to Free Software
projects. We even made some minor trademark violations which I openly
acknowledge as such (i.e. we printed IIRC 50 shirts with the Firefox
and the Mozilla logos for the Firefox 1.0 release party... Only to
find out later they did have a trademark policy... Oh, we were young
and innocent :-] )

Anyway, beyond the memory trip... T-shirts are *awesome* for
promotion. Good material T-shirts much more so - I still have in very
good condition most of my home-printed shirts... With our production
starting in 2004. I did take a bag of shirts to several conferences
(several local ones, and at least I took a case with probably 50 to
DebConf5 in Helsinki).

Thing is, sadly, I hate manning the sales booth. Selling shirts is a
quick way to make money. If you print in "cheapish" countries such as
mine (Mexico), a very good quality shirt+print would cost around US$3
if my numbers are right. I am *stumped* to find ~US$30 shirts for sale
in the USA; I have bought a couple of debian.ch shirts (which are
great!), but it's hard for me to understand where the price comes
from. Of course, then I remember what is said about .ch...

Anyway, if any of you is interested: We have found for DebConf that it
most often makes a lot of economic sense to print shirts in Mexico and
ship them via the usual courier services; if any of you is interested,
even in relatively short runs of products, I'm sure Gaby will be happy
to provide good work and material (and, of course, I can provide the
contact if needed). You mention "economies of scale" - It does not
really matter. I am not up to date with prices, but they should not
have moved much... The cost for making one silk-screen original (for a
workshop that does _not_ have their own development lab) is about US$5
per color. Shirt prices go down at around the 10, 25 and 50-items, but
beyond there, you won't gain much.

It usually makes no sense, so, to make big print runs and lug / move
around stock. It's best to just print as you go, and that way even
just take "current" designs to each event (plus some bits of stock you
have left over)... If I were to offer you, for very cheap, our shirts
for Sarge or Etch, I don't think you'd be very interested! That would
become lost money.

Greetings,




Re: Inappropriate content on planet.debian.org and need of evolution of documentation and CoC

2017-04-06 Thread Gunnar Wolf
alberto fuentes dijo [Thu, Apr 06, 2017 at 01:30:19PM +0200]:
> (...)
> It comes down to know if planet is about debian or about debian developers
> 
> My personal opinion is that it should be about debian, not about debian
> developers. Random rants, especially cathartic ones slightly related to the
> debian philosophy of life, should be curbed. And therefore, post about your
> holidays or book reviews should be out of the question. Rants about debian
> should be okay tho :)
> 
> Luckily only a handful of people step out of this line, so in practice is
> not a problem. Especially by a beloved developer as Russ, which many people
> like and which opinion in matters is important for many as well

Humh... Well, we did have this discussion a long time ago. Of course,
discussions can be brought back to life; reality changes, actors in a
given place change, and all that.

Back in the day, many of us argued that our Planet should not just be
a view into what we Debian-affiliated people are doing WRT Debian,
but... I'll phrase it as a window into what each of us _is_ as a
person. That helps us know our fellow posters, and helps externals get
a feeling of what they will find if they step closer to the project.

About this thread in particular: I enjoy Shirish's posts, and have
told so to him privately. I did think some people would complain
regarding this last post, but -besides the large, probably needless
photo- I don't think there's anything in it that violates our
CoC. It's a nice narration about a series of thoughts that came to him
a very long time ago, doing something that while socially not very
accepted, is very common in people his age (at the time of what
happened).

Terribly Debian-relevant? Nope. But neither is about half of what I've
posted over the years (maybe more than half). And, still, I often get
helpful or inquisitive comments on what I post from fellow Debianers
via different media.

> (...)
> For many, debian is full of friends, so sharing with planet debian feels
> like sharing with friends. But the reality is that there are many people
> reading the feed. Many more than your inner circle of friends in debian
> 
> Luckily, most people realize this and only share their posts tagged with
> debian

Out of the current upper stories of Planet Debian, I can see some
people talking about their life in general, some people talking about
their free software projects or technical tips (not directly related
to Debian), some people talking about Debian "properly". I don't
really agree with your assessment: Some people do use this just as a
window into their Debian-related life, but some others just share our
thoughts as they come by.

There are people who often write many non-Debian posts which I
enjoy. I hope the current consensus allows them to stay there.

> (...)
> I have a small blog as well with a couple of posts about debian, but I
> still don't think it is useful enough to waste so many people's time by
> aggregating it to the planet

I would invite you to add it to the Planet.




Re: Team analysis graphs

2017-02-08 Thread Gunnar Wolf
Andreas Tille dijo [Wed, Feb 08, 2017 at 10:03:30AM +0100]:
> Hi,
> 
> this is my yearly hint to the teammetrics graphs you can find for your
> team at
> 
>  http://blends.debian.net/liststats/

Very interesting! I will share this link with a student who is working
with me and doing time-related analysis of Debian; he started by
working with the keyring data, but this will surely be interesting to
him.

The sheer number of files you are presenting is overwhelming as it is,
but, if this person is interested in this data, could you share your
dataset at a finer resolution? (say, monthly instead of yearly) Or, if
you don't keep the source data with you, the scripts that produce
them?

Thanks a lot!




Re: Gobby notes from diversity/inclusion BOF/workshop, Cambridge

2016-11-15 Thread Gunnar Wolf
Thanks, Ian and Sean, first for publishing these Gobby notes, and then
for the interesting idea exchange that resulted. I wanted to answer to
Ian's mail on this same topic, but then Sean started writing things
that I resonate with... So, the original text posted by Ian (to which
Ian claims no authorship, of course) said:

> We are not doing well at attracting younger developers into the
> community.  It can be very difficult to get younger people to attend
> because of the tendency for younger people to be very
> self-conscious.

But... Most of us joined when we were perfectly classifiable as
"young". So, something has clearly changed in a project that attracted
twenty-somethingers twenty years ago...?

So, Sean says something quite similar to what I was thinking:

> Firstly, I intended to say more in my previous message about why we're
> having difficulty attracting younger developers.  The reason I wrote
> that d-mentors is very different to d-devel was to make the point that
> self-consciousness probably isn't the reason we're having difficulty
> with younger developers.  The kind of venues where new contributors
> engage are places where it /is/ comfortable to be wrong about something,
> so that's probably not why we're struggling.
> 
> Secondly, let me suggest why I think we're having difficulty attracting
> younger developers.  The issue is that patience is probably the number
> one virtue required for enjoying working in Debian, and young people are
> often impatient.  I suspect that things like GitHub have made this
> worse.  People get used to getting excited feedback on their pull
> requests made against fly-by-night JavaScript projects.  Then they
> package something for Debian, and it takes two months before someone
> reviews it.

Yes. The Debian culture is cast around older tools. We work mostly via
(plain-text!) email and IRC. And yes, I will argue (and even prove, as
we did for an online conference ~10 years ago, where IRC was proven
better than any other alternatives because of many small details) that
they are much better suited to our work than those newfangled,
mobile-friendly, over-AJAXy technologies that lure youngsters
nowadays. I really doubt we will change our use of tools, but that is
an important hurdle to attract newcomers: Our way of communication
smells like it's 1995. And we like it to be uphill both ways.

The examples you give on d-mentors are quite interesting; I wouldn't
be able to tell, as I haven't been on that {list,channel} since I
don't have enough free time to do it (many years already).

There have been several attempts to bring a fresher interface to how
we coordinate and how users approach us; I can only think about
initiatives such as ask.debian.net, which is used and valuable, but
has IMO failed to gather critical mass; I have never seen my search
engine direct me to ask.d.n for any question, and it's only in the
back of my mind as a place I should someday try to look at...

When many of us joined (in my case, early 2000s), Free Software was a
strongly counter-cultural way to do something creative and challenge
the system. When I started getting involved with it (mid 1990s), it
was something our teachers never even imagined. That's a great way to
lure young people in... But nowadays, we are the teachers and, to a
given extent, we are the system — Free software has been there since
always. Free software runs the biggest enterprises in the world. What
is there that attracts young minds to us? Our superior package
management, or our beautiful policies?

So... Well, I also don't intend to present a solution, just a brain
dump (hopefully not followed by the full core and a segfault) :)




Re: GR: Declassifying debian-private: second call for votes

2016-10-17 Thread Gunnar Wolf
Ian Jackson dijo [Mon, Oct 17, 2016 at 02:16:15PM +0100]:
> Charles Plessy writes ("Re: GR: Declassifying debian-private: second call for votes"):
> > out of context, it is hard to choose between the options that each of you are
> > presenting in this GR.
> > 
> > Could you briefly rebut each other's options ?  I think that it would help
> > a lot.

Hi Charles, and thanks for this question. I'm answering to Ian's
message, as I mostly agree with him, but there are several points
where we have different points of view.

First and foremost, let me be clear: I do *not* believe my option is
the best. But I stated my preference to have it *available on the
ballot* instead of replacing its text altogether, as happened in the
August GR.

I helped Nicolas draft the original text, and while it is ambiguous,
it has a strong virtue over the status quo: It saves us from lying, it
cleans our face by saying "we would love to, but we failed".

> I support both Option 2 ("Acknowledge difficulty", my proposal) and
> Option 3 ("Remain private", Iain's proposal).  I firmly oppose
> Option 1 ("Repeal previous GR", Gunnar's).
> 
> I think Option 1 is quite bad.  I will rank option 1 below the FD (ie
> the status quo).  I recommend everyone else do so.

I voted 312-, that means, I prefer Ian's option, then Iain's, then
mine, then FD. I really hope this will be aligned with the rest of the
project — but I strongly prefer the gray area where declassification
is not-strictly-but-kindof-authorized-or-maybe-not to the listmasters
to staying firm by a promise we don't intend on keeping.

I do not think that the existence of d-private breaks our SC's promise
not to hide our problems, and as many others have stated, I recognize
there will always be the possibility of private communication between
groups of individuals. So, repealing the 2005 GR basically
acknowledges that there might be a group of individuals, a strict subset
of the DDs, that have a common place to talk to each other (while they
try to refrain from doing so whenever possible).

> I doubt that listmaster will be pleased to enter this fray.  Our
> listmasters are sensible people who will not want to act in such a
> controversial area, when their authority is doubtful. 

Let me embrace this half-paragraph. When coming to a vote decision, I
*hope* we can all remember the good work done by our listmasters, and
stop pretending they will breach the project's trust and confidence,
even if they were able to.

>  So this question will drag on with occasional rumblings, perhaps
> for years.  The dispute might finally be ended only by a second GR.

Second? Fourth, rather.

> Please vote Option 1 below Further Discussion, or at least below
> both Option 2 and Option 3.

That's our main disagreement. I see value in "just" repealing the 2005
GR. I think the reason the August GR failed is because it replaced a
"decently good" text with a "better but worse" one — By listing
declassification actions, some people felt threatened by the wording
of the proposed status-quo, or felt it could threaten privacy in the
future given a set of conditions. Not having an
imperfect-but-better-than-FD option such as the original proposal,
slightly over a majority of DDs voted against the GR. I honestly hope
options 2 or 3 win, but would be content if the one I proposed does.

> If you feel that benefits of possible improvements to the transparency
> of -private are negligible, or that they are outweighed by the risk of
> madness on the part of listmaster, or even by the necessary
> discussions (arguments) about the shape of such a scheme, then you
> should rank 3 ahead of 2.
> 
> For you, then, Option 1 is very bad.  If you don't have confidence in
> our current and future listmasters, not to do something bad, then
> leaving listmaster with a wide but disputed authority is precisely the
> risk you would want to avoid.

Right. As I do trust the people in the project, and I trust
listmasters not to snap and start publishing d-private "just because",
I don't see this risk as particularly compelling.

Greetings,




Re: Assistance Requested: History and Patching

2016-07-27 Thread Gunnar Wolf
Clarke, Daniel (US - Arlington) dijo [Wed, Jul 27, 2016 at 07:23:23PM +]:
> Good Afternoon,
> 
> My name is Dan and I have been given the following task by my
> client: What is the history of Debian, and, specifically, whether
> there is a central authority that publishes patches and what is
> their credibility?
> 
> Please let me know if you have any questions.
> 
> I greatly appreciate your time and assistance with this effort.

I will add to the information already replied by Martin: We had at
some point a patch tracker in Debian (was called
patch-tracker.debian.org), but it sadly was decommissioned some time
ago.

There are, however, many ways to find the relevant patches for packages
you might need. You can:

- If you know which project/package you are interested in, the package
  tracker¹ can give you detailed status information on it. On the
  right side, click on "browse source code". Many (note that not all)
  packages have all of their patches to the upstream project in the
  debian/patches directory.

- If you want to compare the packaging between Debian and its
  derivatives, you can look at the Debian derivatives patches.²

- Not Debian-specific, but you can be interested in the per-vendor
  patch-finding information³ page by oss-security.

¹ https://tracker.debian.org
² http://deriv.debian.net/patches/
³ http://oss-security.openwall.org/wiki/distro-patches

> This message (including any attachments) contains confidential
> information intended for a specific individual and purpose, and is
> protected by law. If you are not the intended recipient, you should
> delete this message and any disclosure, copying, or distribution of
> this message, or the taking of any action based on it, by you is
> strictly prohibited.

U... You do realize that sending this text to a publicly-archived
mailing list, at a message directed to just about anybody who might
reply, is a contradiction in terms, right?



Re: Any Debian support for CubaConf

2016-02-26 Thread Gunnar Wolf
Daniel Pocock dijo [Thu, Feb 25, 2016 at 11:10:15AM +0100]:
> Maybe it is worthwhile for the DPL to simply assign a sum of money for
> travel grants every 3 - 6 months and then people could shortlist all the
> opportunities like this, identify if there are volunteers who want to go
> and find some way to divide the money up fairly between them?
> 
> The MiniDebConfs in Brazil and Singapore have already been mentioned in
> a thread last week, there is also a MiniDebConf in Vienna soon and all
> of these appear interesting.

With the important difference that it's not the same to have Debian
presence at an external, general conference than holding a
Debian-specific miniconf.

FWIW, I'm *not* implying we should refrain from supporting
CubaConf. In fact, I was privately contacted by Valessio, as I'm among
the closest DDs to the island; I denied because the dates are
impossible to me.

Also worth noting: Back in 2011, I went to PGDay in Cuba, together
with other three people with a PostgreSQL affiliation. PostgreSQL is a
SPI-hosted project as well. SPI was, however, unable to reimburse our
travel due to the US-Cuba embargo.

I know the relations between said nations are on their way to
renormalization, but AFAICT the embargo is still active, so we should
better check with lawyers if we are to offer reimbursement to anybody
to attend.




Re: Re: Would you agree - Debian is for the tech savvy

2016-02-05 Thread Gunnar Wolf
Stephan Foley dijo [Thu, Feb 04, 2016 at 08:37:52PM -0500]:
> Very true, I agree with all of your points. Going back to my original
> purpose of posting this question, I wanted to do a sort of "sales
> pitch" to encourage Debian to offer Fluxbox as a task in the
> installer. I actually wrote up a spec which you can find here:
> (...)
> So, I thought this might be a good angle for my pitch...hey, Debian is
> for the technically savvy, so why not offer a technically savvy
> windows manager in addition to the others. As for the others (Gnome,
> KDE, etc), I might add that they are mostly just aping the Windows
> paradigm, but that might be my chauvinist Fluxbox attitude :-)

Adding to what Wouter rightfully said here about Debian not needing a
sales pitch, I would add that a tech-savvy user is extremely picky on
what they like, and targeting them would not be an easy task. Let's
exemplify, exaggerating my own worldview.

In this very simple example you bring up, I also believe that Fluxbox
is basically based on what you call "the Windows paradigm".

I mean, who needs a desktop? A background? Overlapping windows? We the
*real* tech-savvy people only need a tiling window manager, such as
i3:

https://screenshots.debian.net/package/i3
http://i3wm.org/

I mean, just look at its manifesto! It has "tech savvy" written all
over it. Besides, it is more beautiful, in a simplicity sense. Small
is beautiful.

Best of all, we don't need to make no stinkin' list of recommended
programs. Just install i3-wm, rxvt-unicode-256color, and... That's all
a tech-savvy user needs.

Oh, and don't get me started as to why rxvt-unicode-256color and not
xterm, lxterminal, roxterm, or (sigh) terminator, terminal.app,
gnome-terminal, or a long etcætera ad nauseam of lesser terminal
programs.



Re: Debian Project Leader Election 2015 Results

2015-04-16 Thread Gunnar Wolf
Kurt Roeckx dijo [Fri, Apr 17, 2015 at 12:45:37AM +0200]:
> On Thu, Apr 16, 2015 at 10:41:52PM +0100, Jonathan McDowell wrote:
> > 
> > Sadly this list is trivially proved inaccurate
> 
> So I have no source at all that can tell me the number of DDs?

You can fetch the number of active DD keys [1,2], and add to it the
number of removed 1024D keys [3]. When a person who had their key
removed due to being too short presents a new key, we take the old one
out of the removed-1024 tree as well. People with 1024D keys cannot
vote, but don't lose their DD status.

Of course, the only authoritative number should be in the hands of
DAM. But we have something, uh, quite close to it.

[1] http://anonscm.debian.org/cgit/keyring/keyring.git/tree/debian-keyring-gpg
[2] http://anonscm.debian.org/cgit/keyring/keyring.git/tree/debian-nonupload-gpg
[3] http://anonscm.debian.org/cgit/keyring/keyring.git/tree/removed-1024-gpg





Re: Why are in-person meetings required for the debian keyring?

2015-02-16 Thread Gunnar Wolf
Christian Kastner dijo [Thu, Feb 12, 2015 at 10:30:16PM +0100]:
> > In my opinion, exactly the same applies for someone you've met. I think
> > it's a lot easier to get a forged id than to establish a history of
> > valuable contributions.
> 
> Well, it depends. A forged passport[1], if one even knows where to get
> it, will cost you thousands of dollars or euros, and would furthermore
> constitute a serious criminal offense. I wouldn't call that easy.

Hundreds of dollars here (depending on the degree of
forgedness). Passports good enough for international travel. Why?
Let's say that... I just happen to know ;-)

That's one of the reasons I don't care too much for government-issued
IDs. That's why I didn't ask you to provide me with one. But at the
same time, that's the reason why I (that happen to be a terrible
physiognomist and often don't recognize people) cared enough to pay
attention to who is who, remember where we had lunch and what we
talked about, and can reasonably describe your face. Of course, that's
the reason I signed your key. That's also, however, why I didn't sign
some people's keys: If I don't recall enough details about a person to
satisfy my personal validation, I won't sign.

Of course, given the example Paul said about Santa Claus: I *do* sign
based on pseudonyms. Of course, on well-established and
well-recognized pseudonyms. I don't know nor care about the real names
of several of the people I have cross-signed with.

> [1] A passport is the only form of identification some people were
> willing to accept from me. I myself have only accepted these save for a
> few exceptions, where I accepted a US driver's license but was otherwise
> certain of the person's identity.

When somebody asks for my govt-issued IDs, I take care to explain the
inconsistencies they usually have. Like my driving license having
permanent validity, or my voter ID card stating I'm 35 years old
(the previous one said I was 29 until I lost it in France; the
previous one, 20).





Re: About the recent DD retirements

2015-01-23 Thread Gunnar Wolf
Anthony Towns dijo [Fri, Jan 23, 2015 at 10:57:55AM +]:
> On Thu, Jan 22, 2015 at 07:02:51PM +0800, Paul Wise wrote:
> > On Thu, Jan 22, 2015 at 6:28 PM, Anthony Towns wrote:
> > > - there are archive networks for most programming languages these days:
> > >   CPAN, CRAN, Hackage, PyPI, RubyGems, NPM, CCAN, etc. Installing
> > >   software from these sources is often necessary for Debian users, but
> > >   doesn't mesh well with packaged software (unless you're a DD and can
> > >   package it yourself). Since it's all free software, I don't really
> > >   see why Debian doesn't have a set of automatic tools to repackage
> > >   all that software, so it's all just an apt-get away.
> > We do: dh-make-perl, npm2deb, gem2deb, stdeb, cabal-debian etc which
> > are intended to be wrapped by debdry to eliminate much of the initial
> > packaging process.
> 
> Sure, that works great if your model is there are a few thousand pieces
> of interesting software, and a few hundred packagers, each of whom can
> maintain tens of them. But CPAN has 30k modules (~3k in Debian), CRAN
> has about 6k (~250 in Debian), Hackage has 7k (~700 packaged), PyPI has
> about 54k (2500 packaged), RubyGems has about 95k (~6000 packaged?),
> npm has about 120k (266 packaged?). [0]
> 
> There's obviously a seriously long tail of stuff that's not very
> interesting to many people in those numbers, but Debian's still at least
> an order of magnitude short of any of them.
> (...)
> In an ideal world, users would just be able to say apt-get install
> lib-whatever-perl and have it. At worst, they might have to modify
> their apt sources explicitly to say yes, I know there's a lot of crap
> on CPAN that doesn't necessarily receive good security updates, I know
> what I'm doing.

We have talked about this problem since long ago. I'm presently not
involved in the (great!) pkg-perl group, but back in 2007 I wrote an
article and presented this talk at the Vienna YAPC:

   http://gwolf.org/files/integrating_perl_in_distro.pdf
   http://gwolf.org/files/integrating_perl_in_distro_-_presentation.pdf

Around that time there was talk in the pkg-perl group about packaging
*all* of the CPAN. One of the factors that made us decide against it
is that in Debian we care about quality, not just quantity. And not
all of the available Perl modules have the same maintenance level (and
Perl is quite an exemplary community WRT their quality levels). Having
all modules packaged would mean we DDs would have to answer through
the BTS for any shortcomings in the different Perl (or Ruby, or R, or
TeX, or Hackage, or Python, or Node.js, or Drupal, or Whatnot)
modules. Hardly feasible.

>   - having automated scripts pull everything from CPAN (et al), package
>     it as debs, and publish it
> (...)
> But if the answer is oh, you want to use some random nodejs package? just
> npm it into /opt. if you want there's some tools to help start you off
> in packaging it too 
> 
> (Yes, I really think Debian should have 300k+ packages, including
> everything in all the language archives, no matter how special purposes
> (compare against the chiark* packages eg).

My answer to this is that... A distribution should mostly cater to
users. That means, we should target applications, not libraries. Yes,
most of us are programmers, and we are a special kind of users — But
programmers often prefer anyway working with either a particular
library version they are comfortable with, or with the bleeding edge,
or whatnot. Programmers will often look outside of the distribution,
because they will want specific bits at different points in time.

I believe the programmers' products (the applications) are
closer to what we should aim to package. If an application requires a
given set of dependencies we don't have yet fulfilled, we should work
on them. And yes, that might mean tweaking it so it works with the
versions of the libraries we have on the distribution — As we need to
provide an always-coherent, always-coinstallable set of packages.

By limiting our scope to what is actually wanted (i.e. by applications
that have been ITPed or RFPed, or for the *relatively few* specific
libraries deemed as worth having on their own because there's an
obvious need for them, or whatnot), we can expect to keep excelling in
overall quality. If we were to open the scope to
just-about-everything, our distribution's quality would surely drop.

> > > - perhaps it's all been fixed since I last looked, but web apps still
> > >   don't seem to be a solved problem to me. If you install, say,
> > >   libreoffice, you run apt-get (or whatever), then you run libreoffice,
> > >   and you're done. But if you want to install wordpress, you have a whole
> > >   bunch of additional steps to go through [1].
> > We have a web app policy but it is fairly abandoned.
> 
> Isn't that statement alone a pretty clear indication that Debian's not
> addressing the packaging problems of today?

Yes. Web apps are a subject that requires help, thought and
action. And it's one of the primary 

About the recent DD retirements

2015-01-21 Thread Gunnar Wolf
Hello world,

There is a thread that started today in debian-private. Don't worry,
it's not an earth-shattering thread, nor is it complaining about huge
masses of retiring DDs. However... Yes, in the last few months we have
got used to seeing many more retirement messages than what we used to
in that mailing list.

The rules of engagement dictate that I shall not disclose here
anything but my own message. However, the original poster made a very
interesting, long mail, with some questions to which the answers might
be interesting for the general public to read. I will take the freedom
to quote the questions along with my answers. Mr. Original Poster, if
you care to identify yourself and forward your full message, I'll be
happy.



First of all: Yes, this is the right forum. At least, this is *the*
forum we currently keep an eye on and start acting on account
retirement notices. Usually, account retirements posted here get
processed first by keyring-maint (Jonathan McDowell, Daniel Kahn
Gillmor and myself). We then either transfer or open a relevant
ticket to DSA.

Second, yes, the retirement trend is public: We talked about its
unavoidability back in DC14, and I posted several times on my blog
about it. The last one is at:

   http://gwolf.org/node/4022

So, we are not posting Mr. Foobar, maintainer of packages foo and
quux, has retired, but we do have:

   The graph above shows the sharp change between tags 2014.12.31 and
   2015.01.01. But my definition of success is that we managed to get
   the number down to just 252+35=287 from what we had back in August,
   when we did our DebConf presentation and started the aggressive
   push: 490 DD keys and 49 DM keys. Since then, 34 DDs requested
   their retirement, becoming emeritus, and practically all of the
   rest managed to get their key transition done!

And, of course, you do have a public Git repository detailing the
changes:

   https://anonscm.debian.org/gitweb/?p=keyring/keyring.git

So, yes, it is public with quite full detail. And yes, we knew quite
well us retiring 1024D keys would bring a load of retirements. And to
some degree, it is a *good* thing. Yes, being a socially-active DD for
long, and having been a DebConf organizer for most of my Debian
involvement, I do know many of the retirees personally. It is, as I
have posted here, animically(?) hard to prompt so many people for
action and get all those retirement messages. We lost 34 people in
the last six months!

But then again, by far most of the retirees state the fact they are
leaving just acknowledges they had already left long ago. Which is
also sad — But it is, after all, just a fact of life in a
volunteer-run project.

And yes, we have at least a lesser size distortion on the project. We
have many more orphaned packages — Some months ago they were as orphan
as they are today, but we weren't paying enough attention.¹

And... Sure, Debian's attractiveness has also morphed. Those of us who
joined a long time ago (I'm younger than you on the project, only
since 2003, but it's still a very long time) have changed our life
circumstances, possibly our interests, maybe even our ideological
viewpoints. And yes, maybe (but that'd fuel a different discussion)
Debian is less attractive in general to the young developer population
to what it was in the past — I don't remember where I read that the
median birth year of DDs has remained almost constant, which means
that (yes) we might be attracting more senior developers (after all,
Linux is no longer just a toy), but also... That we are failing to
attract young talent.

¹ *Please* do not read this as an attack on MIA-team work. They do
  very hard, heuristic-based work. It will never precisely match
  reality, though, IMO.

> The questions I want to open up with this email are:

OK, you make specific questions. I skipped most of your mail's
content with my rant, but let's go to this point!

>   * do you have the impression that Debian wants only contributors that
>     consistently spend many hours for Debian each month?

I really hope not. My time allocation from Debian varies wildly, and
it often reaches zero.

>   * is there something that can be changed to make it less time
>     consuming to be a good citizen (like better ways to keep up with
>     relevant discussions)?

I try to do that, at least. It's a very passive way of participating,
but at least I lurk (and post very seldom) on ~10 mailing lists
(including -devel, -project and -private) and idle on a couple of IRC
channels. That allows me to feel the pulse of the project and catch
many of the erupting topics.

>   * does the concept of the package maintainer assign too much
>     responsibility, putting too many eggs in a single basket? (Freezing
>     a package if $maintainer goes MIA, stopping other contributors from
>     moving Debian forward)?

I think we have collectively done a great job of slowly moving over to
shared 

Re: Reminder: Removing 2048 bit keys from the Debian keyrings

2014-11-13 Thread Gunnar Wolf
Brian Nelson dijo [Thu, Nov 13, 2014 at 02:27:59PM -0500]:
> Well I have a new key but it doesn't have any signatures on it other
> than my own, and I haven't encountered another developer in years to
> have it signed.  I've been listed on
> https://wiki.debian.org/Keysigning/Offers for years (two locations in
> two different U.S. states, even) but have never been contacted for a
> keysigning.
>
> I'm not overly far from other developers--Boston is about a 2 hour drive
> away--but with general busyness from having a family, I haven't found a
> chance to try to meet people in Boston.  The boston-debian-soc mailing
> list being down for years doesn't help, either.
>
> It's not a very interesting story.  It's more about being inconvenient
> than insurmountable.  I've just been hoping some opportunity would
> present itself for an easy keysigning, but that hasn't happened yet.

Right :) I didn't want to out you as a guy who has a minor problem
getting his key signed. But you asked us to ask you why.

And it boils down to being motivated to do it. I hope this thread
motivates you. In the worst case, I hope most people whose keys are
retired from the active keyring next January will be motivated by the
need (or desire?) to do Debian work without requiring a sponsor. But
each person has their own story.

If you didn't explain your situation earlier on as a hard case (and we
do have some), it's not up to us to get into personal details. Only to
let you know that actions will be taken!


-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20141113211533.ga91...@gwolf.org



Re: Being part of a community and behaving

2014-11-13 Thread Gunnar Wolf
Ian Jackson dijo [Thu, Nov 13, 2014 at 04:53:30PM +]:
> The correct reaction to people not adopting your software is to make
> your software better, not to conduct an aggressive marketing campaign
> aimed at persuading upstreams to build it in as a dependency, nor to
> overrun distro mailing lists with advocacy messages.

Ian,

You are one of the people I most respect and admire in this
project. And that, believe me, is no small feat. Your contributions,
socially and technically, are tremendous.

But the style of communication you have taken on this debate is very
toxic and very not constructive.

Please, *please* consider not sending messages that have as their only
goal to state again what has been stated so many times. Repeating them
will not make them more palatable.

I don't know (nor really care) whether this could be put formally as a
complaint regarding CoC abuse. But please, human to human: You have
made your point. We are halfway through a GR on the topic. Let it
rest. We don't need more poison in the lists.




Re: Reminder: Removing 2048 bit keys from the Debian keyrings

2014-11-12 Thread Gunnar Wolf
Brian Nelson dijo [Wed, Nov 12, 2014 at 05:09:02PM -0500]:
> > Wouldn't it make more sense to ask these people privately what is getting in
> > the way of a switch to a stronger key?
>
> > They have been asked. Repeatedly.
>
> I haven't been asked.  I've received a few reminders that I need a new
> key with signatures, but I haven't been asked why I haven't submitted a
> new key yet.

Right. Precise definitions. You are right — Although we have been
slowly but steadily insisting (at least since 2010, when we announced
at DebConf10 we had removed the last 17 remaining PGPv3 keys) that
1024D keys were no longer considered long-term trusty and urged
everybody to start updating to a >=2K key.

But, as you are asking, you got me curious :) Why haven't you started
migrating to a new key?

Greetings,





Re: Reminder: Removing 2048 bit keys from the Debian keyrings

2014-11-11 Thread Gunnar Wolf
Henrique de Moraes Holschuh dijo [Sat, Nov 08, 2014 at 07:11:14PM -0200]:
> On Sat, 08 Nov 2014, Richard Hartmann wrote:
> > Interpretation is in the eye of the bee holder, but I am considering
> > to attach this list to my weekly bug report; mainly because I can.
>
> Wouldn't it make more sense to ask these people privately what is getting in
> the way of a switch to a stronger key?

They have been asked. Repeatedly.





Re: Time for compassion and the Init GR

2014-11-07 Thread Gunnar Wolf
Sam Hartman dijo [Thu, Nov 06, 2014 at 09:58:29AM +]:
 
> Early morning, Wednesday, November 19, the results of the GR on init
> system coupling will be announced.
> No result will make everyone happy.  In fact, that morning, some of our
> developers, users and contributors will be really unhappy.
>
> I would be dishonest if I said I didn't hope to be happy and reassured that
> morning.  I suspect we all hope that the project will agree with our
> position on this complex and emotionally intense issue and reassure us
> that  our values are close to those of the project; reassure us that
> this is a place where we can safely work together.
> (...)

Thanks, Sam, for this well-worded, well-thought and thorough mail
that summarizes perfectly what I'd love to be able to state.

The social component of Debian is core to the project. Not only to the
project's identity, but it also explains its functioning, and to a
certain degree, its permanence for over twenty years. At several
points in time, we have passed through periods of harsh discussions
such as this one (I don't remember any being as bitter or
long-lasting), and we must take care not to see it become greater than
ourselves. 




Re: On a policy for non-debian foss content in a mini debconf

2014-09-08 Thread Gunnar Wolf
Pirate Praveen dijo [Mon, Sep 08, 2014 at 05:13:49PM +0530]:
> > Hi, Praveen and Shirish (and Indian Debian Users),
> > Well, a DebConf is about Debian, and I mostly agree with Steve's
> > answer: Not just any Linux conference should be called a DebConf or
> > MiniDebConf. There has to be a Debian slant to the conference as a whole.
>
> The slant here is that it is organized by the debian community, with the
> intention of getting more participation in debian. The contention here
> is giving the local community a chance to share their free software
> contribution on this platform.

OK. That sounds somewhat similar to the example I gave you in Panama.

> Thanks for your comments. But it seems some random DDs are more equal
> than other random DDs.

I took a short dive in the last days of the debian-dug-in
archives. The flames do not seem fun :-( I am not going into your
internal politics, of course, and will not read it all.

> (...)
> I propose we call it Debian Utsav(am) (it is festival in many Indian
> languages). Free Software festival by Debian.
>
> Having a general free software conference and having a debian track
> doesn't reflect this tilt correctly. I don't see, no one ever done this
> before or it is silly because all debconfs have been this way, is a
> valid justification to stopping us from trying this under debconf.

I know the value of symbolism and of names (and yes, I read Shirish's
mail about symbolism). But, if this appeases your community better, go
for it. A name is just a name.

If the aim of the conference is to get more people involved in using
Debian and getting involved in free software, probably the best name
is not DebConf. If the aim is to get people involved in making Debian
better, maybe gathering volunteers to present a DebConf bid, talk
about how development is made in Debian, and so on — Then DebConf *is*
the right name.

But, of course, even agreeing on the goals of an activity is not
easy. All of the organizers and invited people have *slightly*
different interests and understand things *slightly* different. That's
just human nature.

> I am surprised fedora community is more open in this respect, I had
> given a talk on diaspora at fudcon 2011, which was organized in Pune.
> [1] You can see many free software talks not directly related to fedora
> there [2]. Now if the argument is, we have always done debconf this way
> and any change in content would be opposed tooth and nail, I rest my case.
>
> I can clearly see the benefit to fedora in such a format and I believe
> debian would also benefit from such a format.

There is an important difference starting in the name and definition
themselves: FUDCon is the Fedora Users and Developers
Conference¹. DebConf is the Annual Debian Development
Conference. DebConf is about developing Debian, not about finding use
cases for it.

¹ https://fedoraproject.org/wiki/FUDCon
² http://debconf.org/

And you might lack context here: We had this discussion a long time
ago. When we were discussing where to host DebConf7, the two competing
countries were Scotland and Bosnia. One of the points in favor of
going to Bosnia was helping a much-less-developed community get
involved in Debian (while a corresponding point in favor of Scotland
was that it was much easier to reach for developers everywhere).

We had a tough discussion, and came to the conclusion that a criterion
for DebConf should be what's better for *Debian development*. Helping
local communities grow is a worthy goal, but secondary for this
conference.

So, FUDCon and DebConf have clearly different goals, and that explains
your surprise.

> The point of me bringing the discussion to -project is to have an
> official policy on the issue, so we don't have to evaluate which random
> DD is more equal.

OK. I don't like the way this was done. It leads to this discussion
starting as confrontational, and that's not somewhere I'm going
into. If DDs already working with you for this feel alienated by this,
it's not up to me (or to -project) to correct their opinions. It is
a social issue in your group, and I don't believe the project as a
whole should be dragged into this.

> I also would like to hear from the DPL and DebConf chairs on this issue.
> A clear indication on this would help us make the correct choices soon
> as the event date is coming very close (October 17th).

Right. But some considerations:

• The DebConf chairs are chairs for *DebConf* (I know this sounds
  obvious). The chairs have often been involved in MiniDebConfs, but
  not always (and never all of them — During the ~three years I was a
  chair, I only got involved in Panamá. And I'm not sure the
  delegation was already officially in place). The chairs' delegated
  authority³ is *mainly* about handling Debian assets and as a
  last-resort tie-breaking decision body.

• Given the discussion is about a Debian-related name, the DPL should
  IMO at least give his opinion. However, DebConf is *not* a Debian
  trademark. FWIW you could make a sushi-eating 

Re: On a policy for non-debian foss content in a mini debconf

2014-09-07 Thread Gunnar Wolf
Hi, Praveen and Shirish (and Indian Debian Users),

> > The event is being organized in an engineering college with a good track
> > record of free software contributions [3]. I proposed a mini debconf in
> > the hope of getting more contributions to debian. Since we did not get
> > many debian contributors to attend the event and encouraging the student
> > who already contributed to give talks on their Free Software contributions.
> >
> > But many in the community felt mini debconfs and debconfs have been
> > primarily about debian and having other talks would confuse attendees.
> > Some suggested 1/3 of the talks could be about debian as debconfs have a
> > debian day where local community can join.
>
> > I would like us to define the requirements of calling an event mini
> > debconf as a policy so we don't have to have this debate every time we
> > organize a mini debconf.

Well, a DebConf is about Debian, and I mostly agree with Steve's
answer: Not just any Linux conference should be called a DebConf or
MiniDebConf. There has to be a Debian slant to the conference as a whole.

> > My suggestion would be to leave that to the local organizers based on
> > the strength of local communities to decide how much debian content
> > would qualify for calling it a debconf.

I will not give such a strong line as Steve did (50%+1), but will
point to a MiniDebConf that you could relate to: The Panamá
MiniDebConf (2010), which I helped organize but sadly was unable to
attend:

  
http://meetings-archive.debian.net/pub/debian-meetings/2010/minidebconf-panama/

You will see that from the nine recorded talks, five are not
*directly* related to Debian, but can be easily linked to it.

Oh, and I'll point out: You can see the Panamá MiniDebConf was not
large in attendance:

   http://teotihua.org/wp/2010/03/28/mini-debconf-panama-despues-de-un-rato/

However, we organized it with the clear (and successful!) goal of
celebrating DebConf in Central America — Which we did, in Nicaragua,
2012.

> I understand that both Debian, debconf and minidebconfs have a certain
> reputation to protect. Now forgive me, but most of the debconfs have
> been in some of the more developed economies (it might be a fallacy
> and would love to be proven wrong) where there are more than enough
> Debian contributors and if not, funds are there to fly people in and
> out which is all nice.

Well, DebConf has been held in France (2000), France (2001), Canada
(2002), Norway (2003), Brazil (2004), Finland (2005), Mexico (2006),
Scotland (2007), Argentina (2008), Spain (2009), United States (2010),
Bosnia and Herzegovina (2011), Nicaragua (2012), Switzerland (2013)
and United States (2014). 

So, of course it depends on how do you count a developed economy to
be. But I would say, five from those fourteen were in developing
countries, and the remaining nine in first-world economies.

> But in places like India, Pakistan, Burma, Bangladesh or Africa there
> might not be many Debian contributors even if they are Debian
> enthusiasts. And while we want to turn Debian enthusiasts into Debian
> contributors, we can't do that under a gun (either real or imagined).
> So what we would like to do is make it possible to have events where
> people could use the name Debian and have some other word added to it
> irrespective of the talks/demos in it.

In my opinion, it would be very good for you to hold a MiniDebConf
with the clear goals of attracting people to Debian, getting them
involved, getting more to become involved. Either technically or
socially.

But then again, I'm just one more random DD :) Talk among yourselves,
talk with our DPL (Lucas Nussbaum), talk with the DebConf Chairs
(Moray Allan, Tássia Camões, Martín Ferrari), and... Get the ball
rolling :)





Re: Reverting to GNOME for jessie's default desktop

2014-08-08 Thread Gunnar Wolf
Jens Schüßler dijo [Fri, Aug 08, 2014 at 10:37:33AM +0200]:
> > ...And I'd like us to consider this point as well: How important are
> > CD images nowadays? Who has a CD that cannot read a DVD?
>
> You may visit some poorer people in the world.
> But hey, if they want CD-bread, why don't they just eat DVD-cake.

Both Jens and Jonas answer with this assertion. Yes, I don't know most
of the developing world — But I do live in a developing country
(Mexico), and know quite well several countries in Latin America
(including, say, Bolivia, Ecuador and Central America, where I have
been to several times, and follow their communities' work).

Yes, we do have quite a bit of outdated computers. But again, I said,
half-jokingly, that computers with CD readers and without a DVD reader
will not have enough power for a full desktop environment, such as i3
or fvwm. The last computer I had with a CD-but-not-DVD unit was in
the 2003-2005 period.

And yes, many such computers are currently in use. And it would be a
disservice not to provide CDs anymore. But that criterion should not be
what guides our default for installation; a CD might not be able to
have the full GNOME environment, but the computer using the CD would
not be able to use it anyway.





Re: Possible Two Color Debian Logo White Vinyl Sticker Group Buy

2014-05-07 Thread Gunnar Wolf
Steve Langasek dijo [Tue, May 06, 2014 at 01:36:00PM -0700]:
> What would really be nice would be if someone would make another run of the
> shaped swirl vinyl stickers.  I think I last saw these for sale back in
> ~2006, and I've gone through enough hardware since then that my current
> laptop is bare. :(  Any chance of someone making some of these, rather than
> just the square white ones?

Gaby, our historic DebConf shirts provider, also has a vinyl cutting
machine. I am sure she can add some stickers to the DebConf14 shirts,
with whatever design you fancy and she can get them to you at a very
good price. Ask her :)





Re: 20140407 keyring report

2014-04-19 Thread Gunnar Wolf
Kurt Roeckx dijo [Sun, Apr 20, 2014 at 12:51:45AM +0200]:
> On Sat, Apr 19, 2014 at 09:41:40PM +, Clint Adams wrote:
> > Upon request.  Made with an unpackaged set of keyrings[0].
>
> Thanks for the update.
> (...)
> So we seem to be making some progress, and I hope the rest will
> follow soon.

Yes. March and April were happy and busy months for
keyring-maint. Late-April has lost quite a bit of speed. I hope we can
get traction again! IIRC, we have ~6 pending requests right now (I
haven't done any keyring work this past week).

> Specially the DMs don't seem to make any progress.

Yes, sadly. And given that DMs are typically much less connected to
Debian than DDs, it seems it's up to us (keyring-maint) to reach out
and contact them individually.





Re: keybase.io

2014-04-04 Thread Gunnar Wolf
Luca Filipozzi dijo [Fri, Apr 04, 2014 at 02:02:09PM +]:
> FWIU, the client-side encryption is javascript provided by the service so
> modifiable by the service at will and able to capture/transmit passphrase.
>
> DDs interested in experimenting with this service are encouraged to NOT
> upload the PGP private key that is registered in the Debian Keyring.
>
> If you sign up for the beta and receive an invitation, please consider
> generating a new, independent PGP keypair for use with this service.

Right, I strongly agree with Luca here. To be clear, if I spot any key
that's both in any of the Debian keyrings and in keybase.io, I will
proceed as if the key had been lost or compromised and immediately
remove it from our keyring.

Not that I will be checking for it (for now, at least). Not that I
have even talked about it within the team. But I strongly think it's
one of the duties of us as keyring maintainers. (Cc:ing for a reality
check ;-) )




Re: keybase.io

2014-04-04 Thread Gunnar Wolf
Jonathan Dowland dijo [Fri, Apr 04, 2014 at 02:50:01PM +0100]:
> keybase.io is a thing. This thing lets you, amongst other things, upload a copy
> of your PGP private key to their servers. This is client-side encrypted.
>
> Discuss.

As this thread was started at debian-private, I sent some of my
replies there. But given Jonathan has moved this (thanks!) to a public
list, I'll just copy my mail answering to him (along with his quoted
text):

Jonathan Dowland dijo [Thu, Apr 03, 2014 at 05:23:31PM +0100]:
> Sure! I'll try.

Thanks a lot for your lengthy and interesting explanation!

> I think, what they are trying to do, is widen the base of people using PGP by
> providing tools to do so in browsers. I.e. lowering the barrier of
> entry.

Right. This very first point is what makes me curious. I have been
interested in finding user-friendly tools to manage encryption (and
its different properties). Sadly, as the tools get better, I get
further away from understanding what does a regular user want as a
user experience. So my input on the field is less and less relevant
;-)

> (...)
> You can also associate yourself with twitter, github and
> your own personal website. For each method, you use the keybase client to
> generate some kind of challenge that proves you hold the PGP key that is
> associated with your keybase.io account, and post that challenge on the site:
> (...)
> Within keybase, you can 'track' people, which is a bit like following in a
> social network, but establishes a cryptographic relationship. I've followed a
> few folks so far.

Right. So I'll now exhibit my ignorance on current day social habits.

I understand people following each other on message-posting services,
such as Twitter — If you are interested in what I say, you follow
me. Or some models (FB) require relations to be bidirectional. But
what is following in the context of jmtd.net? (I even struggle to
understand social media on Github... I am interested in projects, not
in people!) Being me a non-social-networkee, how would I interact with
keybase, without caring for the people I supposedly follow?

Or, OTOH, I understand this identified your Twitter persona. Now, do
you encrypt your tweets? Sign them? How much longer are your Twitter
messages when you append a GPG-like signature to them?

> There's a keybase command-line client with which you can perform all of the
> above operations. There is also a bunch of stuff in their website, which I
> can't really use because I haven't uploaded my private key. (When I have time I
> will generate a new test key and upload that, replacing my real one - and
> breaking the auth of the twitter,github etc.)

Right. What I like so far about this client is that it is *way* more
natural (again, for users) than gnupg. And, of course, I expect
different GUIs to follow. That can be interesting.

Now, maybe this tool could be augmented with intelligence on how to
relay a message in the best route possible. I mean, I see you can
keybase encrypt jmtd -m 'a secret msg'. What does this give you? A
message ready to cut+paste in your favorite form? Or does it get sent
via the best possible route to jmtd? Say, maybe I can only establish a
trusted path to your account via Twitter, then 'a secret msg' gets
posted as three public jibberishy messages on Twitter (and only jmtd
can decrypt them). Or does this tool just give you a gpg-signed text
to cut+paste to your mail?

> The keybase web client supports signing, verifying, encrypting and decrypting
> messages to each other, via your PGP key. The process is done client side, and
> the key is crypted client side (at least they say so. I haven't investigated
> properly), but the encrypted privkey is stored server side.

Right. It is all done client side, but... Why does it have to store
your private key server-side?




Re: keybase.io

2014-04-04 Thread Gunnar Wolf
Jonathan McDowell dijo [Fri, Apr 04, 2014 at 10:35:41PM +0100]:
> > > To be clear, if I spot any key
> > > that's both in any of the Debian keyrings and in keybase.io, I will
> > > proceed as if the key had been lost or compromised and immediately
> > > remove it from our keyring.
> >
> > No, sorry. Don't do that. My key is on keybase, but *not the private
> > half*
>
> Likewise. I have signed up to keybase.io largely to kick the tires and
> see what I make of it. I will absolutely not be trusting any third party
> with the private half of my key on their servers, even if it's
> passphrase protected and the crypto carried out at the client side.

Urgh...

Well, please enlighten me here: Without fully auditing the Javascript
code you are using to do the crypto client-side, can you *really* be
certain your private half has not travelled to Keybase?





Re: keybase.io

2014-04-04 Thread Gunnar Wolf
Russ Allbery dijo [Fri, Apr 04, 2014 at 04:23:03PM -0700]:
> > Well, please enlighten me here: Without fully auditing the Javascript
> > code you are using to do the crypto client-side, can you *really* be
> > certain your private half has not travelled to Keybase?
>
> If Javascript running in a browser has access to your GPG secret key
> without you explicitly pasting it into the browser, I think you have
> larger problems

Right. However, I guess that most uses of the app (other than sending
a message saying yes I'm here, this is me) will require pasting the
key. Or not? Keybase users, please enlighten me: What do you do with
it besides just existing on teh graph?





Re: State of the debian keyring

2014-02-25 Thread Gunnar Wolf
Ian Jackson dijo [Mon, Feb 24, 2014 at 05:53:58PM +]:
> Are we now at the stage where it is more important to retire these
> shortish keys, than to insist on these cross-signatures ?
>
> I.e., perhaps it would be better to invite key rollover from a short
> key to a long one despite the lack of 2 other DD signatures; or
> perhaps even despite the lack of _any_ other DD signatures.
>
> Instead, the keyholder could perhaps present a signed key transition
> document.
>
> A downside is that we would probably have to keep the rolled-over
> short keys somewhere, at least to maintain the integrity of our
> records of why a key is in the keyring.

Which we do anyway - All retired keys are still in our tree, in the
removed-keys-{pgp,gpg} directories (plus the
emeritus-keyring-{gpg,pgp}). Of course, they are not installed when
you get the generated package (you only get the active keyrings). But
they are all there.





Re: State of the debian keyring

2014-02-25 Thread Gunnar Wolf
Ian Jackson dijo [Mon, Feb 24, 2014 at 05:57:57PM +]:
> I think this is a bug.
>
> It can increase security because it can make operations more
> convenient at the same level of security, and because people trade off
> convenience for security.
>
> For example, it would be possible to have one key for email encryption
> and a different (more secure) key for package uploads.

Debian tools don't care which key you use for email encryption. The
extent of actions you interact with debian is easily modeled with a
single key; for some time I used to upload with 1024D and sign mails
with 4096R because I had not yet pushed my 4096R into the keyring,
waiting to get more signatures (yes, also being keyring-maint it took
me some time to push it, even if I had all power to do so myself!)





Re: State of the debian keyring

2014-02-23 Thread Gunnar Wolf
Jakub Wilk dijo [Sun, Feb 23, 2014 at 02:29:22AM +0100]:
> It would clearly be unacceptable for us to decide to lock out
> 61.5% of Debian because of their old key. Also, removing those
> keys would most probably make our WoT much more fragile.
>
> I'd like to ask the project as a whole for input on how we should
> push towards this migration.
>
> A few of 1024 keys have been expired for more than a year. I bet
> more of them are unused. Perhaps a WAT run would help a bit?

Important data point we should not let go. I'm opening a RT ticket so
we as keyring-maint look more into this and take action. Thanks!





Re: State of the debian keyring

2014-02-23 Thread Gunnar Wolf
Marco d'Itri dijo [Sun, Feb 23, 2014 at 07:57:43AM +]:
> gw...@gwolf.org wrote:
>
> So, what do you suggest?
> Persuade developers that they should sign the new key of people whose
> old key they have already signed, with no need to meet them in person.

I'm open to that if and only if the new keys have proper transition
statements. And if the original signatures were *really* done
carefully - Case in point, I took part in (too?) many massive key
signing parties with my old 8BB527AF (1024D) key. Particularly, the
DC5 to DC7 parties were mind-numbingly long, and the DC6 one was where
Martin Krafft lit an interesting and important flame by *proving* most
of us were not careful enough when checking identity papers.

Since my key transition to 4096R, I only sign to people I can
personally identify. And even so, I am certain several of the keys I
signed in 2009/2010 were to people I would probably not recognize
today (my face-to-name retention is quite defective). So, no, I don't
usually sign keys even where transition documents ask me to do so. 

> (Also, my keyring update request has been waiting for 3 weeks now to be
> processed.)

Right. We (keyring-maint) usually work by batching requests and
spending some consecutive time on them. Our usual timeframe is once a
month, and it is due this next week. So, don't feel forgotten, we will
act on your request.




Re: State of the debian keyring

2014-02-23 Thread Gunnar Wolf
Matthias Urlichs dijo [Sun, Feb 23, 2014 at 10:23:47AM +0100]:
> That's somewhat true for now given a sufficiently-motivated attacker, but
> if *afterwards* some nefarious $CENSORED gets the idea that $DD would be a
> nice target for hacking their key, they'd be out of luck. They'd also be
> out of luck if the DD's new key happens to already exist (which the DD
> who's asked to sign the new key should obviously check).
>
> Thus I would add the new key provisionally; if it doesn't get any new
> signatures from DDs with non-provisional strong keys during, say, the
> rest of this year, then delete it from the keyring.

Our tools (and I don't only mean keyring-maint, but our projectwide
tools) support only one key per person. And frankly, I do not see a
case where adding a second one would increase security. Yes, it could
make the transition a little bit easier, but I don't think it is a
change we should push. (Or maybe I misunderstood your suggestion).

 However, I see another problem.
 
 http://keyring.debian.org/replacing_keys.html states that, if Alice wants to
 get her key X replaced with key Y,
 
  Alice must get a Debian developer […] to sign a message requesting the
  replacement of key X with key Y on behalf of Alice
 
 … which IMHO is an unnecessary burden if Alice's old and new key are
 valid and sufficiently DD-signed.

Well, it is a hurdle, but not an insurmountable one. If you have an
active, valid key, you can just sign with your own key and get a new
one in the keyring, as long as it has at least two DD signatures. That
assures us your computer was not h4x0red in order to steal your
identity and lock you out. Say, in this (usual) case, you and
Alice can be the same party.

Now, if you lost control of your key (say, stolen computer), as soon
as we get notice, we will retire your key (and that's not subject to
our usual one month cycle as I told Marco for a *regular* key
replacement). In order to get your key signed, we need an
already-authenticated Alice (an Alice with her key in the keyring) to
produce the request. The new key must, of course, meet our standards —
Must have two DD signatures on it. Note that it does *not* require
Alice's signature to be on it.




Re: State of the debian keyring

2014-02-23 Thread Gunnar Wolf
Kurt Roeckx dijo [Sun, Feb 23, 2014 at 12:28:58PM +0100]:
 (...)
 I would also find it acceptable that the keyring maintainers
 accept a signature from a single DD to replace the key, with that
 single DD being the DD's old key.  If the old key doesn't get
 revoked there is still a (weak) web of trust.  But I would like to
 see a signature from at least one other person with a stronger key
 that has a reasonable connection to the web of trust, preferably a
 DD.  The more the better of course.

We have done this as an exception in some particular cases. But
clearly treating it as an exception, not as the usual way to work.




Re: State of the debian keyring

2014-02-22 Thread Gunnar Wolf
Kurt Roeckx dijo [Sun, Feb 23, 2014 at 12:46:41AM +0100]:
 For those people who are not aware of this yet, this is really a
 problem.  This provides less security than an 80 bit symmetric
 cipher.  A brute force for this is possible.  It's considered to
 have very short time protection against agencies, short time
 against medium organisations.
 
 That's still 61.5% that's at 1024 bit. CAs are doing better than
 this, with only 0.8% of the certificates that are still active
 being 1024 bit.
 
 Can I suggest that everyone that is still using a 1024 bit pgp key
 generates a new key *now*?
 
 The recommended minimum size is at least 2048 bit, but I suggest
 you go for 4096 bit.

...And now that you mention this here on the list, we have been
discussing how to deal with this for keyring-maint¹.

It would clearly be unacceptable for us to decide to lock out 61.5% of
Debian because of their old key. Also, removing those keys would most
probably make our WoT much more fragile. 

I'd like to ask the project as a whole for input on how we should push
towards this migration. I guess that most of the socially-connected
Debian Developers already have 4096R keys. How can we reach those who
don't? How can we incentivize them to change?

Remember that, in order to get a new key accepted, a big hurdle is
sometimes the need for meeting two people with active keys. Several
people have started the process to update their keys, but after months
(and no real possibility to meet a DD in person) have let it stay as
it is. This hurdle is, of course, very important to maintain in order
to avoid loosening our identity requirements...

So, what do you suggest?

--
¹ Explicitly adding copies to Jonathan and Daniel; Daniel is formally
  a keyring trainee as per the last delegation mail, and I'm sorry
  we haven't followed up on his apprenticeship. Daniel, *please* bug
  us more! :)


-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20140223003506.ge30...@gwolf.org



Re: State of the debian keyring

2014-02-22 Thread Gunnar Wolf
Kurt Roeckx dijo [Sun, Feb 23, 2014 at 01:51:32AM +0100]:
  I'd like to ask the project as a whole for input on how we should push
  towards this migration. I guess that most of the socially-connected
  Debian Developers already have 4096R keys. How can we reach those who
  don't? How can we incentivize them to change?
 
 I've looked at the debconf 2013 keysigning list.  13 people in it
 had a 1024 bit key, but all of them also had a stronger one.  It's
 clear that the socially-connected DD already moved to a stronger
 key, and that the problem would then be the others.
 
 A few people have already suggested to set a timeline.
 
 You also published this policy in 2010:
 https://lists.debian.org/debian-devel-announce/2010/09/msg3.html

Right, and we have kept that policy: We no longer accept 1024D
keys. However, we didn't anticipate the uptake of stronger keys to be
so slow.


-- 
Archive: http://lists.debian.org/20140223005515.gf30...@gwolf.org



Re: mailing list auto subscriptions

2014-02-06 Thread Gunnar Wolf
Jakub Wilk dijo [Wed, Feb 05, 2014 at 10:52:35PM +0100]:
 * Holger Levsen hol...@layer-acht.org, 2014-02-05, 22:31:
 I believe every new DD or DM should be auto subscribed to -devel,
 -project and -devel-announce (and -private for DDs),
 
 Eww, no, thanks.
 
 Those 3-4 lists should be read by anyone (as in DD/DM) anyway.
 
 Not if you want to retain your sanity.

I expect your sanity to be long gone by the time you apply to be a
DM/DD.

No, really: I am mostly a lurker in those lists, as well as in most
other lists I subscribe to. But I try to at least keep pace and lurk
them fine. After all, we are supposed to have a feel of the pulse of
the project. And even if most of the discussions there are not of
real, direct use to some of us... Being part of it *is* important. And
it allows us to chime in where our area of expertise/interest is
touched.


-- 
Archive: http://lists.debian.org/20140207000140.ga91...@gwolf.org



Re: Google contacting (harassing?) new DDs

2013-12-12 Thread Gunnar Wolf
Tiago Bortoletto Vaz dijo [Thu, Dec 12, 2013 at 12:19:32AM -0500]:
 Actually they have tried many times even before I became DD. I know
 other non-DD maintainers who have been bothered by them too. I don't see
 a general solution for this, since some may like it. In my case I've
 told all recruiters that I'd never ever work for Google, and that I was
 a bad coder and a messy as sysadmin, which is pretty true. So they
 stopped for real.

Maybe they believed you because they have not yet worked with you. I
could perfectly advocate you were you to go through NM again ;-)

But, hey, let's not give them any further insight into reality. It's
not like they know what goes in the dark realms of our mailing lists!


-- 
Archive: http://lists.debian.org/20131212125512.ga47...@gwolf.org



Re: Google contacting (harassing?) new DDs

2013-12-10 Thread Gunnar Wolf
Enrico Zini dijo [Tue, Dec 10, 2013 at 06:02:27PM +0100]:
 Hello,
 
 it looks like as soon as one becomes DD, an email arrives from Google
 recruiters.
 
 I understand that some people may find it interesting, and some people
 find it annoying. My experience with just ignoring their email was that
 I was contacted again.
 (...)

That's my experience as well. But once I told them I'm not interested
in changing my current laboral situation, it stopped. I get recruiters
mailing me every now and then, but a fairly tolerable rate (say, one
every 3-4 months).


-- 
Archive: http://lists.debian.org/20131210172406.gb39...@gwolf.org



Re: Google contacting (harassing?) new DDs

2013-12-10 Thread Gunnar Wolf
Gunnar Wolf dijo [Tue, Dec 10, 2013 at 11:24:07AM -0600]:
 That's my experience as well. But once I told them I'm not interested
 in changing my current laboral situation, it stopped. I get recruiters
 mailing me every now and then, but a fairly tolerable rate (say, one
 every 3-4 months).

(...of course, that might also mean I'm not that interesting for
recruiters ;-) )


-- 
Archive: http://lists.debian.org/20131210172625.gc39...@gwolf.org



Re: Need your help!: Starting a Linux website

2013-12-06 Thread Gunnar Wolf
Kelvin Rivera dijo [Fri, Dec 06, 2013 at 12:32:55AM -0500]:
 Hello,
 
 I am creating a website like distrowatch except that it will be a forum. I
 want to feature Debian
 on the website, but would like your permission to do so first. Debian's
 feature on the site will
 consist of links to your main, download, and support pages as well as a
 screen-shot and general
 description.

Hi,

You are completely welcome to do this. You will not find an official
statement from Debian to this purpose, but our Social Contract assures
you you are free to do that — and tons more :)




Re: Code of Conduct: picking up

2013-11-30 Thread Gunnar Wolf
Tollef Fog Heen dijo [Fri, Nov 29, 2013 at 11:12:25AM +0100]:
   You mean you were using Debian resources to spread malware, and it seems
  
  You’re ridiculous. That’s not malware and cannot spread either
 
 «Malware, short for malicious software, is software used to disrupt
 computer operation, gather sensitive information, or gain access to
 private computer systems.»  There's a reason why I wrote malware rather
 than virus.  Malware doesn't have to have any way of spreading by
 itself.

Right. I'll adhere to the opinion expressed here by Tollef and
Enrico. Knowingly sending mails with a code known to crash on display
any Apple device displaying it might be fun (for some definition of
fun) when sending to your friends, but it is far from acceptable in
Debian lists, which are read by thousands of people, mirrored in
sites independent from us. 

It is clearly damaging. People might look in the mailing lists for
support. It is a hostile behaviour, and I also see it as a DMUP
violation.




Re: Code of Conduct: picking up

2013-11-26 Thread Gunnar Wolf
Thanks, Steve (and Wouter, of course). A very minor observation
regarding ordering.

 
  # Debian Code of Conduct
 
  ## Be respectful
 
  In a project the size of Debian, inevitably there will be people with
  whom you may disagree, or find it difficult to cooperate. Accept that,
  but even so, remain respectful. Disagreement is no excuse for poor
  behaviour or personal attacks, and a community in which people feel
  threatened is not a healthy community.
 
  ## Assume good faith
 
  Debian Contributors have many ways of reaching our common goal of a
  [free](http://www.debian.org/intro/free) operating system which may
  differ from your ways. Assume that other people are working towards this
  goal.
 
  Note that many of our Contributors are not native english speakers or
  may have different cultural backgrounds; see also our [diversity
  statement](http://www.debian.org/intro/diversity)

I think this last paragraph of the Assume good faith section would
belong better in the Be respectful section. Keeping in mind not all
of us have even the same mental structure when knitting phrases can,
yes, explain misunderstandings regarding the good faith of our
participations, but is much farther reaching (and should thus be a
more general statement), and the mention of the Diversity Statement
does not really IMO fit into this second section.


-- 
Archive: http://lists.debian.org/20131126134050.ga81...@gwolf.org



Re: Should mailing list bans be published?

2013-10-28 Thread Gunnar Wolf
Ingo Jürgensmann dijo [Sat, Oct 26, 2013 at 08:56:59PM +0200]:
  This led to a philosophical debate about whether bans should be made public.
  Alexander expressed concern that having them published could be harmful to a
  person's reputation, since employers will google your name and see that
  you've been banned from a large project such as Debian.
 
 
 I agree with Alexander's concern here. Publishing other people's
 personal data without prior allowance might even violate privacy
 legislation in some countries.

I side with Steve's view here. Now, we *could* obscure the personal
data in a way that it won't show on general web searches — Say,
something as trivial as omitting the person's name, and publishing the
file with just sha256sum(email). This still allows us to make an easy
querying interface (even allowing for historical information on a
given mail address).

Of course, this would omit the fact we are dealing with people and not
with mail addresses. Am I gw...@gwolf.org or gw...@debian.org?
(But OTOH, am I Gunnar Wolf, Gunnar Eyal Wolf Iszaevich or Big
Bearded Troll?)




Re: Moving to stronger keys than 1024D

2013-10-04 Thread Gunnar Wolf
Russ Allbery dijo [Fri, Oct 04, 2013 at 08:57:26PM -0700]:
 I suspect that some of the problem is people feeling like they need to go
 through an in-person key signing to get their new key certified, which can
 be quite awkward depending on where one lives and how much day-to-day
 contact one has with other DDs.  Perhaps we should make more public the
 idea that a key transition document signed with both keys and posted
 publicly is probably sufficient to warrant signing the new key if one has
 signed the old key?  (Assuming that's actually true.)

Right. We were discussing this between Ansgar Burchardt, Jonathan
McDowell and myself (prompted by Ansgar, as he noticed the same
numbers Paul Wise has just posted, giving a reference that it was
mentioned in #d-security), and we do agree it is a high priority
issue.

In addition to Paul's numbers, we have also the DM keyring, which is
in a much better shape quite probably because it's much newer. 

115 4096R
 54 1024D
 11 2048R
  1 8192R
  1 3072R
  1 1280R

We have not yet pushed this further because both Jonathan and I are
currently under a very high workload (well, I don't want to talk for
Jonathan, but I have come to know his work patterns somewhat ;-) )

We made a big push during ~2009 to get people to migrate away from
(even) weaker PGP keys, and IIRC completed the move by 2010. And we
have invited people to move to 4096R, with some insistence back then,
but we have really slowed down the pressure (real-life issues maybe?)

During a brief interchange of mails, several ideas were floated:

- Give a suitable time window for the key migration and disable old
  keys. Jonathan gave a first suggestion of 6 months.

- Actually reach out to people and make explicit that 1024D is *no
  longer enough*. We guess that some of them never paid too much
  attention to the issue, and those are the most likely to be Debian
  outliers, not people inside the core group who meet year-to-year
  with the community and play the get more signatures game.

- An idea to help said outliers is to use the data in LDAP to tell
  them who lives closest to them so they can get signatures more
  quickly. Of course, this has the disadvantage of relying on our
  (known-bogus and known-incomplete) LDAP geolocation data.

- If we were to retire all 1024D keys today, we would lock out
  approx. two thirds of Debian. That's clearly unacceptable. I don't
  think it's feasible to attempt it until we are closer to the one
  third mark — And I'm still not very comfortable with it. But OTOH,
  it can help us pinpoint those keys that are not regularly used

  - People who have done MIA-tracking, do our tools report when was
    the last activity we saw in connection with a given key? I'd guess
    they do...

- Yes, Ansgar points out that it's still probably easier to steal a
  GPG key than to break it. Not all of us follow the safest computing
  techniques, do we?

- Ansgar says, and it's in line with Russ' suggestion «A compromise
  for people in remote locations would be to allow them requesting key
  replacement with a stronger key that is only signed by
  themselves. The price would be a weaker WoT, but maybe that would be
  okay for a few keys». This one makes me somewhat uneasy: Not
  requiring signatures leads to a very easy (for some definition of
  easy) way to steal a dormant account's persona. I'd really like to
  keep the two signatures needed rule.

  Yes, our WoT has naturally weakened due to bitrot
  (i.e. cross-signatures made with keys which are later retired might
  have created WoT islands), but we do have at least identity
  assurance history. We could accept (although I don't know how
  practical it'd be) a possibility to equate, say, two signatures by
  well-connected people in the Free Software ecosystem to equate one
  DD signature? (yes, sure, but what does well-connected mean‽)

Anyway, some random thoughts. I should really head to bed now.

Thanks to Pabs for kicking me into writing this mail! :)


signature.asc
Description: Digital signature
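The per-type tally in the message above (4096R, 1024D, 2048R, ...) can be reproduced from a keyring listing. The following is an added sketch, not keyring-maint's own tooling: it parses the record format printed by `gpg --with-colons --list-keys`, counts usable primary keys by size and algorithm, and lists the RSA/DSA keys under a minimum size. The embedded listing is constructed and the function names are assumptions.

```python
from collections import Counter

# OpenPGP public-key algorithm numbers (RFC 4880) mapped to the letter
# suffix used in labels such as "4096R" and "1024D".
ALGO_LETTER = {1: "R", 16: "g", 17: "D"}

# Validity flags (field 2) for keys that should not be counted:
# r = revoked, e = expired, i = invalid.
SKIP_VALIDITY = {"r", "e", "i"}

# Constructed sample in the format of `gpg --with-colons --list-keys`.
# Fields used: 1 = record type, 2 = validity, 3 = key length,
# 4 = algorithm, 5 = key ID.
SAMPLE_LISTING = """\
tru::1:1380000000:0:3:1:5
pub:-:4096:1:00000000000000A1:1262304000:::-:::scESC:
uid:-::::1262304000::X::Constructed Developer A <a@example.org>:
sub:-:4096:1:00000000000000B1:1262304000::::::e:
pub:-:1024:17:00000000000000A2:1009843200:::-:::scESCA:
sub:-:2048:16:00000000000000B2:1009843200::::::e:
pub:r:1024:17:00000000000000A3:978307200:::-:::sc:
pub:-:2048:1:00000000000000A4:1293840000:::-:::scESC:
pub:-:4096:1:00000000000000A5:1325376000:::-:::scESC:
pub:-:1024:17:00000000000000A6:1041379200:::-:::scESCA:
"""


def parse_primary_keys(listing):
    """Return one dict per usable primary key ("pub" record)."""
    keys = []
    for line in listing.splitlines():
        fields = line.split(":")
        # Subkeys, user IDs and trust records are not counted.
        if fields[0] != "pub" or len(fields) < 5:
            continue
        if fields[1] in SKIP_VALIDITY:
            continue
        try:
            bits, algo = int(fields[2]), int(fields[3])
        except ValueError:
            continue  # malformed record
        keys.append({"keyid": fields[4], "bits": bits, "algo": algo})
    return keys


def label(key):
    """Build the short label, e.g. 4096R or 1024D."""
    letter = ALGO_LETTER.get(key["algo"], "?%d" % key["algo"])
    return "%d%s" % (key["bits"], letter)


def tally(keys):
    """Count keys per label, as in the list quoted in the message."""
    return Counter(label(k) for k in keys)


def weak_keys(keys, min_bits=2048):
    """Key IDs of RSA/DSA primary keys shorter than min_bits.

    Other algorithms are left out: their key lengths are not
    comparable with RSA/DSA sizes.
    """
    return [k["keyid"] for k in keys
            if k["algo"] in (1, 17) and k["bits"] < min_bits]


def weak_share(keys, min_bits=2048):
    """Fraction of the usable primary keys that are too short."""
    return len(weak_keys(keys, min_bits)) / len(keys) if keys else 0.0


if __name__ == "__main__":
    keys = parse_primary_keys(SAMPLE_LISTING)
    for name, count in tally(keys).most_common():
        print("%3d %s" % (count, name))
    print("below 2048 bits:", ", ".join(weak_keys(keys)))
    print("share: %.1f%%" % (100 * weak_share(keys)))
```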


Re: USA Science and Engineering Festival

2013-08-01 Thread Gunnar Wolf
Danielle Rubio dijo [Wed, Jul 31, 2013 at 11:56:39AM -0700]:
 Hello,
 
 I'm with the USA Science and Engineering Festival in Washington DC. We are
 reaching out to Debian Women to see if your organization would like to be
 involved in our upcoming festival in April. Could you please send me a
 direct contact to whom I could send the relevant information?

Hi,

I'm forwarding your mail to the Debian Women mailing list — Although
I'm sure several people involved in it also follow the debian-project
mailing list, pointing at the right place won't hurt.

(Keeping both you and the -project lists cc:ed)




Re: Proposal #3: Upstream/Debian Project donations (was: PaySwarm-based donations)

2013-06-19 Thread Gunnar Wolf
Scott Howard dijo [Wed, Jun 19, 2013 at 11:01:27AM -0400]:
 The donate mechanism probably could be extended to increase donation
 awareness of important libraries/tools since apt knows what is really
 needed for each package even if end users may not.
 
 Maybe something can be done like:
 $ donate --build-depends $5 libreoffice
 to donate to libreoffice and everything that allows it to exist
 
 $ donate debian-infrastructure
 $ donate debian-qa
 could check metadata for some pseudo-package and donate accordingly

$ donate --build-depends $100 world-peace

Yeah, right.

Sorry, I cannot look at this donations proposal but as a deep failure
waiting to happen.


-- 
Archive: http://lists.debian.org/20130619173535.ga66...@gwolf.org



Re: Doing something about should remain private forever emails

2013-06-18 Thread Gunnar Wolf
Mohammed Adnène Trojette dijo [Wed, Jun 19, 2013 at 12:02:39AM +0200]:
 [I don't read d-project]
 
 On Tue, Jun 18, 2013, Raphael Geissert wrote:
  Comments?
 
 The spirit of the GR was to open more (even before OpenData became
 trendy, cf. today's G8's declaration). I fear that your proposal will
 ease the opposite.

Right. And let me think a bit further: I think that, given the GR,
your proposal goes directly against it (further closing down access to
something that should be open, although nobody has taken any steps to
make it so).

I *think* (but have no real knowledge to say this) that, were you to
implement this idea, it would have first to undergo a GR allowing to
further close down all history.

But yes, given the extremely deficient way in which this GR was
implemented (which is to say, it was never implemented), maybe a GR
reverting it would not be out of place.


-- 
Archive: http://lists.debian.org/20130618224104.ga61...@gwolf.org



Re: PaySwarm-based Debian donations

2013-06-17 Thread Gunnar Wolf
Manu Sporny dijo [Sun, Jun 16, 2013 at 08:53:35PM -0400]:
  Thanks to everyone that has participated in the discussion thus 
  far. :) I think there have been a number of solid concerns and 
  issues raised, which I'm going to try and wrap into a proposal 
  below.
  
  and then you continue to ignore these concerns and continue with
  your agenda
 
 Could you outline exactly which concerns weren't addressed?

The concern that many of us share here is that, while the Debian
project as an entity does not oppose people getting paid for their
Debian work, Debian does not *care* about how it is done.

If maintainer $foo wants to put a donations link (as some have done,
for example, using Tumblr), she can do it. If a user wants to donate
to the project, he can do it as it is now. If another user wants to
donate to the maintainer of a specific package, he can also do it by
contacting pkgname@packages.debian.org.

Even if a developer chooses to donate everything he receives back to
Debian, or to the upstream project, or to whatever, by having
personalized donate buttons / APIs everywhere, Debian would start
looking like a ShareWare site requesting users' charity.

Many of us would hate that.

Many of us don't want PaySwarm or anything like that, I'm sorry - no
matter what changes in the form of your proposal, it's not compatible
with our ethos, with what has shaped our project for many years already.


-- 
Archive: http://lists.debian.org/20130618000338.gp54...@gwolf.org



Re: KickStarter for Debian packages - crowdfunding/donations for development

2013-06-13 Thread Gunnar Wolf
Paul Wise dijo [Fri, Jun 14, 2013 at 10:33:58AM +0800]:
 (...)
 Tying donations to one payment processor doesn't sound like a good idea to me.
 
 I am very concerned about motivations of Debian project volunteers
 being distorted by money so I would suggest only allowing donations to
 Debian as a whole or directly to individual upstream projects.
 
 I am also concerned about the distortions that monetisation has had on
 the web and worry about the consequences of embedding this into
 browsers. Both the modern web and modern web browsers are very
 concerning in general though.

FWIW, I agree with Paul here. Some Debian people have requested
(individually) for public sponsorship to their free software-related
work. That's all fine. We have a mechanism in place to help people
donate money to Debian as a whole. That's also fine. But I'd very much
rather keep both things separate — Not instate mechanisms in Debian to
get funds to individual developers. We have never needed it, and from
the discussions I have taken part in or witnessed, I really doubt we
would need it now.

Of course, I cannot decline the offer in the name of the whole
project. I just state my opinion.


-- 
Archive: http://lists.debian.org/20130614040336.gb41...@gwolf.org



Re: Answers to questions raised about registering the Debian Logo as our trademark

2013-06-12 Thread Gunnar Wolf
MJ Ray dijo [Wed, Jun 12, 2013 at 11:49:09AM +0100]:
  I finally had a chance to discuss with our legal counsel, and have
  some answers to the questions raised in the discussion.
 
 Thanks for this.  It covers all I remember.  One small question:
 
  3) Should we register in the US only or register internationally?
  A: Being as US registration is mandatory to extend internationally
  start with the US, and then later Debian can make a decision on
  international registration.
 
 What's the source on that?  I thought I'd seen trademarks start in
 other places and then extend internationally.

From an online intellectual property course I took with WIPO
(translated from Spanish by me, so probably plagued by errors):

How is a trademark registered?

First of all, a registration request must be presented at the
corresponding national or regional trademark office. The request
must be filed together with a clear reproduction of the symbol(s)
to be registered, indicating colors, shapes or 3D
characteristics. The request must state also the list of products
or services that the symbol is intended to be applied to
(...)
What reach does the trademark protection have?

Practically all countries in the world register and protect
trademarks. National and regional offices maintain a Trademark
Registry where all the registration request's data are held,
facilitating the examination, search and eventual opposition
processes. Now, the effects for this registration are limited to
the country (or in the case of the regional registration,
countries) it deals with.

In order to avoid the need of registering on each national or
regional office, WIPO administers an international trademark
registration system. This system is based on two treaties, the
Madrid arrangement relative to the International Trademark
Registration, and the Madrid Protocol. People with relation (due
to nationality, residence or establishment) with a member State in
one or both of those instruments can, on the basis of a request on
this country's trademark office, obtain an international
registration effective in all or some of the Madrid Union
countries.

The key is in the last lines: The procedure to obtain an international
registration requires to reference the request for a national
registration as a first step.

I could not find it in my notes, but I am almost sure we were
mentioned a minimum time for a trademark to exist nationally before it
could be granted internationally.

 I still feel that this seems like a waste of project money (are many
 infringers in the US anyway?) and potentially a blank cheque ($3347
 plus maintenance and costs of enforcement necessary to prevent it
 becoming generic), but I'd prefer those who are based and trading
 significantly with the debian logo in the US to make the decision.

There is the precedent of the Linux trademark, which was obtained in
1997. For further details, please check:

  http://www.linuxjournal.com/article/2559


-- 
Archive: http://lists.debian.org/20130612161941.gb34...@gwolf.org



Re: Young people and computers

2013-01-29 Thread Gunnar Wolf
Moray Allan dijo [Sat, Jan 26, 2013 at 02:40:36PM +]:
 There's been some discussion elsewhere about how young people's
 experience of computers has changed over the years, and how this
 might interact with our success in recruiting young people into
 Debian.  I would estimate that the conversation focused on 16-20
 year-olds, as it started after someone pointed to the graph of
 developers' claimed ages at
 http://people.debian.org/~spaillard/developers-age-histogramm/devs-age-histo.2013-01-01.png

And the discussion (both what was already discussed and what can
surely be added to it) is most interesting. As an extra data point,
it's not only us: In magazines such as ACM's Communications the fact
that matriculation for Computer Science (and, in general,
computer-related studies) is shrinking is a recurring topic, and
finding how to motivate kids to get interested in computing is a hot
topic. I would say industry-wide, but no, industry does not look so
far ahead :) But at least in the academy.

 - The conversation wondered how much the number of younger people
 coming to Debian might have reduced due to changes in wider computer
 use/culture.  Certainly, programming languages used to be an
 advertised part of the system, where now they are typically an
 optional add-on, hidden, or effectively unavailable to the users of
 certain types of device.

Right, but... What was the last computer (or operating system) that
was sold with a list of compilers as a selling point? That argument is
IMO at least 20 years stale.

 - It was also pointed out that we have several groups of Debian
 contributors who came from successful local projects, e.g.
 university computer groups.  It seems that many such university
 groups themselves recruit fewer new members than they used to, so
 the change may not only be that Debian gets fewer of the people
 trained in them.  (One factor mentioned for their own recruitment
 trouble was that many students have less reason than a few years ago
 to spend time around computer labs.)

Right, this was one of the points a now-fellow teacher greeted me with
when welcoming me to teaching some days ago: The Engineering Faculty
of our university used to have a very active Free Software Research
and Development Laboratory. Yes, the name is a bit too grandiloquent
WRT the group's real tasks, but it was anyway an important group for
passing the word on free software, and there were even some
interesting projects.

They tell me the group is currently empty, although we still have a
cubicle for it. I hope we can revive the group - and maybe get some
future developers from it.

 - Another factor that makes a difference to how young people spend
 their time on computers may be the availability of always-on
 internet access.  I know that, once I had a computer at home, but
 before I had any kind of internet connection there, I started to do
 programming projects to fill in my school holidays; perhaps nowadays
 I would have spent the time chatting online, or using the computer
 to collaborate on something productive other than programming.

And your home computer surely gave you better ways of engaging than a
dumbphone does nowadays. Getting connected basically means consuming
information or sharing lolcatz, or chatting. It is much harder (in my
perception, which is anti-phone skewed) to jump from the wow, I
wonder how this is done to peeking at the piece of code in a phone,
even if it runs mostly free software, than on a traditional desktop.

 - A change mentioned that might be more positive is that it's now
 much easier to get programs distributed to people who will find them
 useful.  While we might not like app stores etc. and the typical
 lack of source code, this still gives people a greater motivation to
 create software (including a greater chance that it will reach
 others who need something to solve the same problem) than existed
 for most amateur programmers before.

Humh, somewhat, yes and no... Before app-stores were the norm, getting
non-free software was much more a PITA. Finding the right dealer
with the right evaluation copy of the required program, trying it on
the computer and so on... Made me laugh quite a number of times. For
me it's been many years that apt-get solves 99% of my program
needs. And for the missing 1%, there were always a good number of
sites (i.e. Freshmeat, Sourceforge) to search in.


-- 
Archive: http://lists.debian.org/20130129225824.gp39...@gwolf.org



Re: [Debconf-discuss] Anonymous donation to Debconf 13

2012-12-04 Thread Gunnar Wolf
Russ Allbery dijo [Tue, Dec 04, 2012 at 10:42:47AM -0800]:
> (... big snip ...)
> What remedy or action are you looking for here?  I don't think breaking
> the anonymity of a donation that never happened really makes sense.  Are
> you looking for site selection to be re-opened?  Further reassurance that
> the selection of the site was not influenced by the donation that didn't
> happen?

Right now, this is only bringing in unneeded (and much to the
contrary, much counterproductive) noise in a very hard to reach
agreement that AIUI had mostly been reached by the people
involved. Yes, we might have to come to this general discussion later
on. As Paul said, we might have to set guidelines on maximum anonymous
amounts later on — I guess they had not been set because we just
didn't envision this possibility. We might now have to discuss whether
or not we accept pressure (and how much of it) from green little men
coming out from flying saucers demanding us to take them to our
leader, just because there is a possibility that in the future we
might experience an alien invasion during DebConf, and then people
will start bickering on why did we choose DebConf to be held at an
alien landing site.

This was an unforeseen event, that was dealt with the best way we could
(note that by "we" I mean the group — I keep out every year of the
sponsor team, as I know it's not where my energies are most
effective). The Huge Anonymous Donation^WLoan didn't take place. Can
further details be made available? I have no idea. But having this
discussion right now is really harming. Not only us as a project, but
the mental health of the people most involved in the bid and the
organization, that have invested long time in it. You are all welcome
to be a part of the DebConf team, but please, work in it for a while
before making life miserable for the rest.

> Please note: as difficult as this sort of discussion is, I actually agree
> with Ian that this sort of discussion is valuable and helps keep a
> volunteer organization healthy.  Ethics are hard.  They're tricky and
> complicated, and they can always, *always*, be handled better.  There's no
> perfect way of handling situations, and always possible improvements, and
> the way that one works out those improvements is through public
> discussion.  Having this sort of public discussion of one's decisions is
> really painful, since it can feel personal and feel like an attack on
> one's honor, but I really don't think it is.  Rather, it's an
> acknowledgement that this stuff is really hard, and lots of brains
> together are sometimes required to find the best ways of handling various
> situations, particularly unprecedented ones.

Right. We have had very hard decision processes over the years. And
after all, we have come out with better policies. So, yes, we should
have a talk about this kind of topics. Maybe as a DebConf session,
maybe as a mail thread during a quieter period. Maybe something more
ample (i.e. not just regarding DebConf but as handling funds in Debian
in general). But, please, this is a very hard circumstance to bring up
the point.




Re: [Debconf-discuss-discuss-discuss-and-keep-discussing] ...

2012-12-04 Thread Gunnar Wolf
TL;DR ⇒ I'm sick of this discussion. I'm calling the DebConf chairs to
vote _NOW_ to sign or repeal the contract. I'm voting to
sign. (Do we need consensus between the three? Can we vote?)

I will probably do some netiquette breaches in this post... So,
apologies to all, but I think we are reaching a low record in the
quality of the discussion, and I don't want to risk this going even
worse. And yes, I'm keeping the quite offtopic d-project list in.

Holger Levsen dijo [Tue, Dec 04, 2012 at 07:11:19PM +0100]:
> Hi,
>
> I'm sick and saddened to read these mails and will not participate in any
> further of this.

In IRC, Holger asked me what did I think of this mail in the light of
the current mood of the whole team. And yes, since the shit-slinging
began (anew) some days ago, you might find it shocking that relatively
so few messages have been written by the people involved in the
organization and in the (so much attacked) LeCamp bid.

People, (most of) the Swiss team is pissed with the lack of trust and
lack of respect we have been showing for months already, and that now
some very vocal outsiders (i.e. Debian people who are not involved in
this year's DebConf organization) are showing. 

Holger is not the first person that sends an "I'm sick and
saddened...will not participate in any further..." message. Several
people have done it, with varying levels of meaning in the "will not
participate" part (from "I'm quitting this thread" to "fuck off,
organizing DebConf is for retards").

A while ago, my main argument for supporting to hold DebConf at LeCamp
instead of the several alternative venues that have been offered is
the social one. The level of mistrust of a very committed group of
long-term Debian developers, who have come up with a great proposal
for having a *different* venue, is really saddening. 

And then comes this nonsense about the veto. Were there an explicit
veto or not by the local team, I think the effect is obvious. Would
you expect any of them to work their asses off for organizing DebConf
for the next 8 months (plus the cleanup phase, preparing the report,
and a big etcetera) if we decide to discard the proposals they
initially pushed, since the very presentation of the Swiss bid? Of
course not. And we cannot commit to having a DebConf organized by a
half-assed local team complaining that things would have been better
if we had listened to them all over.

There are people contributing lots of information that can lead to a
different venue/organization/setting. At first, we thanked them. And
yes, that information led to getting some things better WRT what we
are to get. But right now, just sending quotes of some random places
that might be OK for us to work in are no longer helping — to the
contrary, they are hurting. A lot.

We have got the LeCamp owners a good extension of time to sign a
contract. We have achieved several important modifications to the
contract. Most of the organizers agree we reached a decent compromise
and we were quite happy about this achievement during our last meeting
(or non-meeting, or whatever you want to call it), just before the
shit-slinging. What else do we need? We have only until this Friday to
hand in a signed contract. And I'm more than happy to approve it.

Many things are not as perfect as we would like. No DebConf will ever
be perfect. It is what it is, and sorry, if you don't like the setting
the Swiss team is proposing, maybe this is a good DebConf for you to
watch over the very nice video stream.

The DebConf chairs delegation was (much correctly IMO) split over
three people precisely to give more chance to arguments to be
weighed and more viewpoints to be listened to. And I think my two
co-chairs (and very good friends on a personal level) are great for
the task (and I'm also very happy I was chosen, and hope I am as good
for DebConf as they are). Moray has been very busy with non-DebConf
stuff during the past days, which is completely understandable... But
we cannot hold this much longer.

So, to reach a decision, we sometimes have to resort to voting. I am
very happy that in the Debian culture voting is given very low
precedence and consensus building is always preferred. But I think we
have reached that point.

So, let's stop hearing nonsense. My vote is an unambiguous and full
yes to signing the contract as it is now. We don't need any more
noise regarding alternative venues.

I know another point we have not decided as clearly as we should (as
the secret non-donation thing) is how should the chairs vote. Does
66% mean we can sign? Moray, I know you have some opposition, but I
feel it's not a general, all-out opposition. Please respond to this —
I don't want this to continue snowballing (thus keeping the insult to
the involved people). Many things still deserve our attention and can
be made better. But IMO if we choose not to sign, it will amount to
not having a DebConf this year. Or, at least, losing some very
important, very 

Re: ditching the official use logo?

2012-10-15 Thread Gunnar Wolf
Stefano Zacchiroli dijo [Sat, Oct 13, 2012 at 04:21:07PM +0200]:
> But let's assume for the sake of the argument we want to keep both
> logos. (Maybe nowadays we're not yet convinced it's pointless to keep
> the restricted one, but maybe we'll be in a few years from now if our
> pattern of usage for it won't change *g*.)
>
> How about the attached patch?
>
> In hindsight, it doesn't change the logos, but just improve our
> communications about them. It clarifies that our preferred logo is the
> open use one, and call the other for what it is, a restricted logo for
> basically internal use only. It also explicitly encourages people to use
> the open use logo, when referring to Debian.
>
> Would such a patch constitute an acceptable compromise?

The patch you propose clearly reflects the real situation, so,
thanks a lot, it makes me happy :-D




Re: I want to create my own OS, do you recommend that I start from scratch? Or that I take an existing distro, as Ubuntu did? And I have other questions?

2012-07-14 Thread Gunnar Wolf
[ Armando wants to start creating his own OS from scratch, and has
  quite a bit of questions regarding Debian. I'm suggesting him to try
  via local groups, and... well, the mail grew large on me ;-) ]

Hello Armando,

The list you wrote to is an English-language list; you are unlikely
to get an answer here. Which country are you from? I think that, to
answer your (truly) broad set of questions, the best recommendation
is to approach a local user group. In any case, you could ask about
specific aspects on the list
debian-user-span...@lists.debian.org

Answering the main thread of your question very superficially: Debian
is used by all kinds of people, for all kinds of needs, precisely
because there is no company or single vision shaping it. Debian is
all of us who take part in its development, and each of us polishes
it for the particular use we require of it. And that is what makes it
one of the longest-lived Linux distributions - And, in the
understanding of many of us, one with greater certainty of future
development. Because even if a hundred, two hundred of us got fed up
and stopped contributing, there will always be other people who want
to start doing so.

We are right now about to finish our annual meeting, DebConf. This
year it was in Nicaragua, and there is great enthusiasm in the local
user community for joining the development, which makes me finish
with optimism and the certainty that we are on the right track. And I
am not telling you this in marketing language, but with the
conviction required of me by taking part in organizing a conference
as diverse and as complex as this one.

Finally, regarding your request for a recommendation of languages to
learn: The reason so many languages exist is precisely that there is
no universal recommendation. Each one is better for different goals.
Many people recommend Python as a first language; I like Ruby a lot.
C is a very important language, but the implications of writing
something _correctly_ are considerably more complex.

Regarding the comparison for your business: The best answer is that
you compare them yourself. OpenOffice/LibreOffice implements what
many call an "office suite", just like Microsoft Office (which you
mention). In both cases, the programs will have advantages and
disadvantages. Some are better in one area, the others in another.
There is no single way to measure what is better.





Re: Planned changes to Debian Maintainer uploads

2012-06-11 Thread Gunnar Wolf
Ansgar Burchardt dijo [Sun, Jun 10, 2012 at 01:57:49PM +0200]:
> Hi,
>
> (Please send followup messages to -project.)
>
> The ftp team wants to change how allowing Debian Maintainers to upload
> packages works.  The current approach with the DM-Upload-Allowed field
> has a few issues we would like to address:
> (...)

Hi,

Hmm, this looks interesting, and useful. I'd like to add a bit as a
wishlist item: Having this DB easily queryable (i.e. a webpage where
you can query by key to see all the packages uploadable by a given
key). 

And just thinking about possible complications: I *hope* we don't see
any such behaviour, but this format would allow a DD to censor a
given DM's activity. If I send Deny actions with somebody's key, it
ends up blocking that person until somebody else is convinced to send
corresponding Allow commands. Of course, if we see any such
behaviour (repeatedly?), I might be reprehended and maybe even locked
out of sending requests to this subsystem. Thoughts on this?

Finally, it's interesting to me (as keyring-maint) that you are
specifying the fingerprint. Of course, it makes sense. But it can make
key migration (i.e. a DM moving from a 1024D to a 4096R key, or
reacting to a key being compromised) as a more difficult thing, as the
new key would first have to be inserted by us into the live keyring
and only then the old key denied and the new one allowed. I guess we
could automate this procedure when performing the keyring push...

Anyway, and modulo the time it takes to implement all the needed bits
(and discussion), thanks for a nice new idea, and hope to see it go
forward!




Re: request for information

2012-03-14 Thread Gunnar Wolf
[ Alexis asks whether Debian is really virus-free. I'm putting him in
  touch with the Costa Rica LUG and mentioning him we will have
  DebConf in the neighbouring country. I'm quoting a paragraph of his,
  which _is_ meant for all of the project:

  I have a one-employee microenterprise in Costa Rica, and managed to
  install Debian Squeeze. I found it great, and I congratulate you as
  it allows us to count with excellent programs for our
  work. Congratulations. 
]

araya alexis dijo [Wed, Mar 14, 2012 at 01:57:39AM +]:
 
> Hello...

Hello Alexis,

This list is international, and messages sent to it must be written
in English. No harm done, I am replying to your message, but please
reply in English if you want to do so on the list.

> Dear DEBIAN developers, my question is whether the Debian and
> Ubuntu platforms are affected by viruses, or whether one need not
> worry about this problem.

That's right: for many reasons (some technical, others social) there
are no viruses in Debian and in other Linux distributions. Are you
completely free of risk? No, there are many ways to attack a
computer, and worms have been found for specific versions of some
Linux distributions in the past. However, the numbers are clear: I
remember two worms that spread widely... And I have been a user of
Linux systems for more than 15 years.

> I have a microenterprise in Costa Rica, a microenterprise with one
> employee, and I managed to install the Debian Squeeze version, and it
> turned out great for me, so I congratulate you, since this lets us
> count on an excellent program to do our work. I congratulate you.

Thank you very much - I translated your congratulations for those who
read this list :)

> I thank you in advance for the attention given to this e-mail, and
> with nothing further for the moment, I take my leave of you very
> sincerely,

You may be interested in getting in touch with the Red Costarricense
de Software Libre:

  http://www.softwarelibrecr.org/
  http://libreplanet.org/wiki/Costa_*_Rica,_Republic_of
  https://es.wikipedia.org/wiki/Red_Costarricense_de_Software_Libre

I have several good friends in your country, activists committed to
the development and spread of free software, and in the RCSL you will
surely find resources to help you should you need it. Also, this year
DebConf (Debian's annual worldwide development meeting) will be
fairly close by, in Managua, in the month of July. If you are
interested, take a look at:

  http://debconf12.debconf.org





Re: OSI affiliation

2012-02-14 Thread Gunnar Wolf
Stefano Zacchiroli dijo [Mon, Feb 13, 2012 at 06:40:08PM +0100]:
> Dear project members,
>   as you might have heard post-FOSDEM, the Open Source Initiative (OSI)
> is opening up to an affiliate membership structure [1,2].  As I've
> already mentioned in [3], representatives of OSI have approached me to
> know if Debian is interested into joining. I'd like to discuss with you
> such a possibility.
> (...)

I think it's a great idea and opportunity. I agree with the rest of
what you mention here - And although many of us don't identify with
OSI's name or (part of) its historical behaviour, I think the
coincidences are greater than the differences. OSI's name is widely
recognized, and it is a very worthy organization with which we can
surely push important points.

As for what you mention on the DFSG and the OSD: There are many
attempts at defining free software/open source. Each group has a
slightly (or very?) different mindset. And although I'd love to be
able to re-align our various definitions, I think it's not worth the
energy it will require: We are similar enough for the world-facing
activities, and know how to deal with each other on the inside-facing
ones. We have had important disagreements so far in the project
history (eg. the FSF: GFDL freeness / Debian's non-free taints us
all). Neither them nor us is completely right - And we work together
in the bigger order, although we bitch loudly towards the inside.




Re: FYI: Creative Commons 4.0 process starts

2011-12-13 Thread Gunnar Wolf
Stefano Zacchiroli dijo [Tue, Dec 13, 2011 at 12:26:09AM +0100]:
> > I hope Debian folks (especially ftpmasters) will be willing to
> > subscribe to the cc-licenses list and help ensure that the CC 4.0
> > licenses will be suitable for Debian.
> (...)
> So, to turn this into something even more useful: is there anyone
> willing to keep an eye on the CC process on behalf of Debian?
>
> The ideal candidate should be a license geek in agreement with the
> current position of the Debian Project on which licenses are DFSG-free
> and which are not.  We would all love if such a person will take care of
> reporting what is going on in the CC process, looking from a Debian
> angle, on a regular basis.

I am interested and willing to follow up on the discussion. I'll
subscribe to the list - Although I'm currently on a soft-vacation and
won't be able to pay too much attention until the beginning of January.




Re: Summary of scientific research on Debian (was: DD age histogram)

2011-08-10 Thread Gunnar Wolf
Paul Wise dijo [Thu, Jul 14, 2011 at 04:47:52PM +0200]:
> > What about collecting the actual document and attaching them to this
> > page (license permitting), or a DOI link? What about merging the
> > separate publication list into this page (actually there was a
> > discussion on a canonical reference file for Debian related work on
> > debian-science some time ago)?
>
> I doubt many of them have an acceptable license for distributing,
> links would be great.
>
> Merging seems reasonable.

Well, if you are the author, even though the final print-copy files
are not freely distributable (as they include layout that's usually
property of the publishing journal/editorial), you can always decide
to share publicly the final version you sent for them to form. Having
that, together with full publication information, should be enough.

Also, thankfully, every day there are more Open Access-friendly
academic publications. FWIW, my University (not a particularly liberal
one, and a very large one) is pushing all of its Institutes and
Faculties to set up public repositories with Open Access (yes, not
necessarily DFSG-free, but a huge difference from the completely
closed model used until recently).

> > The publication itself can be considered feedback -- it is just that you
> > need to know that it is there in order to be able to read it in order to
> > form a personal opinion.
>
> Yeah, especially if the research is presented at DebConf. That said it
> is one thing to publish some research and present it at DebConf but
> entirely another to use those conclusions to actively push Debian in
> new/better directions.

Please keep in mind that if you presented a preliminary work at a
previous DebConf, you can still edit the event and attach the
published (or updated) material.





Re: [Debconf-team] Getting DebConf attendees reimbursed quickly for travel costs

2011-07-08 Thread Gunnar Wolf
Marcelo Gutierrez dijo [Tue, Jun 28, 2011 at 07:25:00PM -0600]:
> > I've been in both categories depending on the occasion. But when I've
> > been in the latter category (i.e. able to afford anticipating ticket
> > costs); it didn't matter much to me whether the delay was 1, 2, or 3
> > months. This is, of course, just personal experience, not necessarily
> > representative of the needs of others. But *if* it is representative,
> > I'm not sure this part of your proposal is worth pursuing (while I think
> > the other one, collecting receipts earlier/more easily, is totally worth
> > pursuing).
>
> Hi there! IMHO:
>
> If someone knows that he/she cannot afford the ticket cost and there is a
> possibility of getting money before the event, first of all this person will
> be able to attend the event.
>
> Everyday you wait to buy a ticket it gets more expensive, if a person
> receives money early and buys a cheaper ticket more money is saved and can
> be allocated faster.

This is overstressed a bit — While buying _just_ before the flight can
get very expensive, the savings you can get for beyond three months
anticipation are not really sensible. It can even be counterproductive
(it has been for me in some cases), as many airlines offer promotions
with around three months anticipation. And, of course, given that we
will often buy non-cancellable, non-refundable tickets... Once you buy
it's better not even to look at advertisements, as they lead to
certain bang-head-on-wall situations.





Re: Debian Project Leader Election 2011 Results

2011-04-17 Thread Gunnar Wolf
Debian Project Secretary - Kurt Roeckx dijo [Sat, Apr 16, 2011 at 05:31:39PM +0200]:
> Hi,
>
> The winner of the election is Stefano Zacchiroli.
>
> (...)
>
> Stats for the DPL votes:
> |------+------+--------+-------+--------+---------+--------+-----------|
> |      |  Num |        | Valid | Unique | Rejects |      % |  Multiple |
> | Year |  DDs | Quorum | Votes | Voters |         | Voting | of Quorum |
> |------+------+--------+-------+--------+---------+--------+-----------|
>   (...)
> | 2006 |  972 | 46.765 |   436 |    421 |      41 | 43.313 |   9.00246 |
> | 2007 | 1036 | 48.280 |   521 |    482 |     267 | 46.525 |   9.98343 |
> | 2008 | 1075 | 49.181 |   425 |    401 |      35 | 37.302 |   8.15356 |
> | 2009 | 1013 | 47.741 |   366 |    361 |      43 | 35.636 |   7.56155 |
> | 2010 |  886 | 44.648 |   459 |    436 |      88 | 49.210 |   9.76513 |
> | 2011 |  911 | 45.274 |   402 |    392 |      93 | 43.030 |   8.65836 |
> |------+------+--------+-------+--------+---------+--------+-----------|

As Joachim said, it's too quiet in here, as we don't have any
uncertainty here. First, I'll also congratulate Stefano for his work
so far, and encourage him to keep the pace in his second year as a
DPL.

Second, I'm happy to see that, even having an obvious result, we
reached a number of unique voters comparable to past years (and in the
case of 2009, even superior), and even more than that: Compared to the
list of active DDs (which had its share of debugging of inactive
people during the past years), we have even a higher percentage of
voters than 2008 and 2009, and almost the same as 2006.

I see this as a clear positive sign of our community's identification
and commitment. Zack didn't win his second term by 15 votes against
NotA, he did by 380. A very clear win.




Re: Call for help with DebConf12 decision (was Reminder: DebConf12 decision meeting, Tuesday 22 March)

2011-03-22 Thread Gunnar Wolf
Hi Jeremiah,

Jeremiah Foster dijo [Tue, Mar 22, 2011 at 10:59:36AM +0100]:
> > As an additional point, the recently delegated DebConf chairs are
> > looking for one or two people from outside those currently most
> > involved in DebConf organisation to help out if we can't get a
> > DebConf12 venue decision by consensus.  (We prefer consensus, but if
> > there's a need to break a tie, we'd like some advice from people with
> > more of an 'attendee' viewpoint.)
> > (...)
>
> I would be willing to help here. I attended DebConf10 and had a
> great time, I have already booked DebConf11 on my calendar and hope
> to attend DebConf12 as well. I'm willing to help with DebConf11
> organizing, but I cannot commit to a heavy workload though I imagine
> my work with the Debian Publicity team might overlap nicely. :-)
>
> In any case, if you don't have two volunteers yet, I am happy to be one.

Thank you very much for this! As Moray said, we want to have the
viewpoint of a non-core-DebConf but Debian-active person, and you
perfectly fill the bill :-)

So, we will be having the meeting today, in ~3hr. The committee for
taking this decision consists of:

- Moray Allan (DebConf chair)
- Holger Levsen (DebConf chair)
- Marga Manterola (DebConf orga team)
- Andrew Mcmillan (DebConf orga team)
- Jeremiah Foster (Debian contributor)

Greetings,




Re: Why so many install DVD's ?

2011-03-04 Thread Gunnar Wolf
dos4ever dijo [Fri, Mar 04, 2011 at 08:46:11AM -0800]:
> Hello I checked the FAQ and did not find the answer to this
> question: Why 7 install  iso files at 4.4G  1 at 842M =31Gb.
> I would hope that disk 1 is all that is needed to install the OS and
> the rest are programs?
> If they are all needed to install the OS that would make Debian more
> bloatware then Win 7.
> I hope that is not the case.
> thanks

Remember that the Debian system is more than just the operating
system - Our work is centered around making over 20,000 independent
software packages properly work together, installable following a
clear logic outlined in our policies, in the best possible way for our
users.

I doubt there is anybody who has installed all of the coinstallable¹
packages. The size of an average desktop install is well below 5GB²,
including the whole desktop suite (with the most often used programs
for a regular workstation).

--

¹ Some packages are not coinstallable, so installing _all_ of Debian
  is just impossible

² http://www.debian.org/releases/stable/i386/ch03s04.html.en





Upcoming Cherokee webserver providing a webapp-market - Opinions please?

2011-02-22 Thread Gunnar Wolf
Hi,

I have been packaging the Cherokee webserver¹ since around 2005, and
it has shipped with Debian since Sarge, IIRC. Even though its
popularity does not (yet?) come close to Apache (or even to several of
the minimalist webservers), it is a high-performance, very reliable
contender. Starting with the 0.7 series, it started also focusing (and
AFAICT it is where it excels) on being the friendliest for system
administrators. You can check at our sample screenshots² what the
webserver configuration interface looks like.

Cherokee has just released its 1.2.0 version - And this version is the
first to include a webapp market integration: the Cherokee
Marketplace³, an applications market designed for administrators to
easily install and pre-configure (free and proprietary - Although
AFAICT right now they are all free) webapps on their Cherokee server,
and for authors to publish them.

Although I must state I am ambivalent towards the Marketplace idea, I
completely understand it is an important offering by Octality, the
company that has been built around Cherokee, and it plays an important
part of their offering.

Now, Álvaro López –lead Cherokee developer, Cc:d on this mail–
contacted me a couple of days ago, informing me they planned on
kickstarting the Marketplace on today's 1.2.0 release. We talked a bit
about it, as I am not sure how it would fit in a Debian system. The
main points (both for and against):

• Important portions of what the Marketplace is offering is already
  offered by Debian.
  • Counterargument: Webapps in Debian are usually not ready to be
installed and used when running anything other than Apache

• How does this fit in the FHS? Marketplace apps are downloaded into
  /var/lib/cherokee/ows/root; they use the OS provided applications,
  languages and libraries (i.e. PHP, MySQL, etc). Their installer will
  give the user the precise apt-get command to issue to satisfy the
  dependencies.

• Although the Marketplace should be active by default, it is not
  usable until the user registers and provides the adequate
  credentials to cherokee-admin. That is, the user must be aware he is
  getting outside of Debian-land when installing their apps.

• The interface for managing applications installed through the
  Marketplace includes a link for bug reporting (and
  devolutions/cancellations). Users _should_ not end up reporting
  bugs on third-party apps through our BTS.

...So we agreed I would present the problem here on debian-project,
requesting your input, and we can decide how to act based on
it. Please give me any pointers on how to go on with this - I must say
this in the open, I have told the Cherokee team in several occasions I
am unsure whether Cherokee should be made available through Debian
(i.e. as they insist on supporting the latest version and not a
two-year-old one, or in managing their configuration through a Web
interface and not in a more Unixy way), and so far, they have
convinced me to keep doing so... But I feel I need your input before
packaging this functionality. Do you have any examples of other
applications offering this kind of functionality that are now part of
Debian? Or that have been kept outside?

Greetings,

--

¹ http://www.cherokee-project.com/

² http://screenshots.debian.net/package/cherokee - I should upload
  updated versions :-P

³ http://cherokee-market.com/about

