History of Debian

6 06 2009

Debian (pronounced /ˈdɛbiən/) is a computer operating system composed of software packages released as free software especially under the GNU General Public License and other open source licenses. The primary form, Debian GNU/Linux, which uses the Linux kernel and GNU OS tools, is a popular and influential Linux distribution. It is distributed with access to repositories containing thousands of software packages ready for installation and use. Debian is known for strict adherence to the Unix and free software philosophies as well as using collaborative software development and testing processes. Debian can be used as a desktop as well as server operating system.

The Debian Project is governed by the Debian Constitution and the Social Contract which set out the governance structure of the project as well as explicitly stating that the goal of the project is the development of a free operating system. Debian is developed by over one thousand volunteers from around the world and supported by donations through several non-profit organizations around the world. Most important of these is Software in the Public Interest, the owner of the Debian trademark and umbrella organization for various other community free software projects.

Thus, the Debian Project is an independent decentralized organization; it is not backed by a company like other Linux distributions such as Ubuntu, openSUSE, Fedora, and Mandriva. The cost of developing Debian 4.0 etch, assuming paid programmers from a single organization and based on source lines of code, has been estimated to be close to US$13 billion. As of April 2, 2009, Ohloh estimates that the Debian GNU/Linux project, assuming a $55,000 average salary, would cost $819,274,547 to redevelop from scratch.

Many distributions are based on Debian, including Ubuntu, MEPIS, Dreamlinux, Damn Small Linux, Xandros, Knoppix, BackTrack, Linspire, sidux, Kanotix, Parsix and LinEx, among others.[13]

Debian is known for an abundance of options. The current stable release includes over twenty five thousand software packages for twelve[14] computer architectures. These architectures range from the Intel/AMD 32-bit/64-bit architectures commonly found in personal computers to the ARM architecture commonly found in embedded systems and the IBM eServer zSeries mainframes.[15] Prominent features of Debian are the APT package management system, repositories with large numbers of packages, strict policies regarding packages, and the high quality of releases.[13] These practices allow easy upgrades between releases as well as automated installation and removal of packages.

The Debian standard install makes use of the GNOME desktop environment. It includes popular programs such as OpenOffice.org, Iceweasel (a rebranding of Firefox), Evolution mail, CD/DVD writing programs, music and video players, image viewers and editors, and PDF viewers. There are pre-built CD images for KDE, Xfce and LXDE as well.[16] The remaining discs, which span five DVDs or over thirty CDs, contain all packages currently available and are not necessary for a standard install. Another install method is via a net install CD which is much smaller than a normal install CD/DVD. It contains only the bare essentials needed to start the installer and downloads the packages selected during installation via APT.[17] These CD/DVD images can be freely obtained by web download, BitTorrent, jigdo or buying them from online retailers.

History

1993–2000

Debian was first announced on 16 August 1993 by Ian Murdock.[19] Murdock initially called the system “the Debian Linux Release”.[20] Prior to Debian’s release, the Softlanding Linux System (SLS) had been the first Linux distribution compiled from various software packages, and was a popular basis for other distributions in 1993-1994.[21] The perceived poor maintenance and prevalence of bugs in SLS[22] motivated Murdock to launch a new distribution.

In 1993 Murdock also released the Debian Manifesto,[23] outlining his view for the new operating system. In it he called for the creation of a distribution to be maintained in an open manner, in the spirit of Linux and GNU. He formed the name “Debian” as a combination of the first name of his then girlfriend Debra Lynn and his own first name.[24] Murdock and Debra later married, then filed for divorce on the week of 2007-08-10.[25]

The Debian Project grew slowly at first and released the first 0.9x versions in 1994 and 1995. The first ports to other, non-i386 architectures began in 1995, and the first 1.x version of Debian was released in 1996. In 1996, Bruce Perens replaced Ian Murdock as the project leader. In the same year, fellow developer Ean Schuessler suggested that Debian should establish a social contract with its users. He distilled the resulting discussion on Debian mailing lists into the Debian Social Contract and the Debian Free Software Guidelines, defining fundamental commitments for the development of the distribution. He also initiated the creation of the legal umbrella organization, Software in the Public Interest.[9]

Perens left the project in 1998 before the release of the first glibc-based Debian, 2.0. The Project elected new leaders and made two more 2.x releases, each including more ports and packages. The Advanced Packaging Tool was deployed during this time and the first port to a non-Linux kernel, Debian GNU/Hurd, was started. The first Linux distributions based on Debian, namely Libranet, Corel Linux and Stormix’s Storm Linux, were started in 1999.[9]

2000–present

In late 2000, the project made major changes to archive and release management, reorganizing software archive processes with new “package pools” and creating a testing distribution as an ongoing, relatively stable staging area for the next release. In the same year, developers began holding an annual conference called DebConf with talks and workshops for developers and technical users.[9]

In July 2002, the Project released version 3.0, codenamed woody, a stable release which would see relatively few updates until the following release, 3.1 sarge in June 2005.[9]

There were many major changes in the sarge release, mostly due to the long time it took to freeze and release the distribution. Not only did this release update over 73% of the software shipped in the previous version, but it also included much more software than previous releases, almost doubling in size with 9,000 new packages. A new installer with a modular design replaced the aging boot-floppies installer. This allowed advanced installations (with RAID, XFS and LVM support) including hardware detection, making installations easier for novice users. The installation system also boasted full internationalization support as the software was translated into almost forty languages. An installation manual and comprehensive release notes were released in ten and fifteen different languages respectively. This release included the efforts of the Debian-Edu/Skolelinux, Debian-Med and Debian-Accessibility sub-projects which boosted the number of educational packages and those with a medical affiliation as well as packages designed especially for people with disabilities.[9]

Debian 4.0 (etch) was released April 8, 2007 for the same number of architectures as in sarge. It included the AMD64 port but dropped support for m68k. The m68k port was, however, still available in the unstable distribution. There were around 18,200 binary packages maintained by more than 1,030 Debian developers.[9]

Debian 5.0 (lenny) was released February 14, 2009 after 22 months of development. It includes over 25,000 software packages. Support was added for Marvell’s Orion platform and for netbooks such as the Asus Eee PC.[1] The release was dedicated to Thiemo Seufer, an active developer and member of the community who died in a car accident on December 26, 2008.[26]

Mozilla Corporation software rebranded by the Debian project

Firefox and Thunderbird were rebranded in 2006 to Iceweasel and Icedove, along with other Mozilla software. The Mozilla Corporation stated that Debian may not use the Firefox trademark if it distributes Firefox with modifications which have not been approved by the Mozilla Corporation. Two prominent reasons that Debian modifies the Firefox software are to change the artwork, and to provide security patches. Debian’s free software guidelines consider Mozilla’s artwork non-free. Debian provides long term support for older versions of Firefox in the stable release, where Mozilla prefers that old versions are not supported. The software programs owned by the Mozilla Corporation were rebranded, but the programs’ source code remained the same apart from minor differences.[27]

Development procedures

Software packages in development are either uploaded to the project distribution named unstable (also known as sid), or to the experimental repository. Software packages uploaded to unstable are normally versions stable enough to be released by the original upstream developer, but with the added Debian-specific packaging and other modifications introduced by Debian developers. These additions may be new and untested. Software not ready yet for the unstable distribution is typically placed in the experimental repository.[28]

After a version of a software package has remained in unstable for a certain length of time (depending on the urgency of the software’s changes), that package is automatically migrated to the testing distribution. The package’s migration to testing occurs only if no serious (release-critical) bugs in the package are reported and if other software needed for package functionality qualifies for inclusion in testing.[28]

Since updates to Debian software packages between official releases do not contain new features, some choose to use the testing and unstable distributions for their newer packages. However, these distributions are less tested than stable, and unstable does not receive timely security updates. In particular, incautious upgrades to working unstable packages can sometimes seriously break software functionality.[29] Since September 9, 2005[30] the testing distribution’s security updates have been provided by the testing security team.[31]

After the packages in testing have matured and the goals for the next release are met, the testing distribution becomes the next stable release. The latest stable release of Debian (lenny) is 5.0, released on February 14, 2009. The forthcoming release is version 6.0, codenamed “Squeeze”.[28]

Project organization

Diagram of the organizational structure of the project

The Debian Project is a volunteer organization with three foundational documents:

  • The Debian Social Contract defines a set of basic principles by which the project and its developers conduct affairs.[8]
  • The Debian Free Software Guidelines define the criteria for “free software” and thus what software is permissible in the distribution, as referenced in the Social Contract. These guidelines have also been adopted as the basis of the Open Source Definition. Although it can be considered a separate document for all practical purposes, it formally is part of the Social Contract.[8]
  • The Debian Constitution describes the organizational structure for formal decision-making within the Project, and enumerates the powers and responsibilities of the Debian Project Leader, the Debian Project Secretary, and the Debian Developers generally.[7]

Currently, the project includes more than a thousand developers. Each of them sustains some niche in the project, be it package maintenance, software documentation, maintaining the project infrastructure, quality assurance, or release coordination. Package maintainers have jurisdiction over their own packages, although packages are increasingly co-maintained. Other tasks are usually the domain of smaller, more collaborative groups of developers.

The project maintains official mailing lists and conferences for communication and coordination between developers.[32] For issues with single packages or domains, a public bug tracking system is used by developers and end-users. Informally, Internet Relay Chat channels (primarily on the OFTC and freenode networks) are used for communication among developers and users as well.

Together, the Developers may make binding general decisions by way of a General Resolution or election. All voting is conducted by Cloneproof Schwartz Sequential Dropping, a Condorcet method of voting. A Project Leader is elected once per year by a vote of the Developers; in April 2008, Steve McIntyre was voted into this position, succeeding Sam Hocevar. The Debian Project Leader has several special powers, but this power is far from absolute and is rarely used. Under a General Resolution, the Developers may, among other things, recall the leader, reverse a decision by him or his delegates, and amend the constitution and other foundational documents.

The Leader sometimes delegates authority to other developers in order for them to perform specialized tasks. Generally this means that a leader delegates someone to start a new group for a new task, and gradually a team gets formed that carries on doing the work and regularly expands or reduces their ranks as they think is best and as the circumstances allow.

A role in Debian with a similar importance to the Project Leader’s is that of a Release Manager. Release Managers set goals for the next release, supervise the processes, and make the final decision as to when to release.[33] [34]

Project leaders

The project has had the following leaders:[35]

  1. Ian Murdock (August 1993 – March 1996), founder of the Debian Project
  2. Bruce Perens (April 1996 – December 1997)
  3. Ian Jackson (January 1998 – December 1998)
  4. Wichert Akkerman (January 1999 – March 2001)
  5. Ben Collins (April 2001 – April 2002)
  6. Bdale Garbee (April 2002 – April 2003)
  7. Martin Michlmayr (March 2003 – March 2005)
  8. Branden Robinson (April 2005 – April 2006)
  9. Anthony Towns (April 2006 – April 2007)
  10. Sam Hocevar (April 2007 – April 2008)
  11. Steve McIntyre (April 2008 – Present)

A supplemental position, Debian Second in Charge (2IC), was created by Anthony Towns. Steve McIntyre held the position between April 2006 and April 2007. Since April 2009 this position is held by Luk Claes.

Release managers

  • Brian C. White (1997–1999)
  • Richard Braakman (1999–2000)
  • Anthony Towns (2000–2004)
  • Steve Langasek, Andreas Barth and Colin Watson (2004–2007)
  • Andreas Barth and Luk Claes (2007–2008)
  • Luk Claes and Marc Brockschmidt (2008–2009)
  • Luk Claes and Adeodato Simó (2009–present)

Note that this list includes the active release managers; it does not include the release assistants (first introduced in 2003) and the retiring managers (“release wizards”).[33]

Developer recruitment, motivation, and resignation

The Debian project has a steady influx of applicants wishing to become developers. These applicants must undergo an elaborate vetting process which establishes their identity, motivation, understanding of the project’s goals (embodied in the Social Contract), and technical competence.[36]

Debian Developers join the Project for a number of reasons; some that have been cited in the past include:[37]

  • A desire to contribute back to the Free Software community (practically all applicants are users of Free Software)
  • A desire to see some specific software task accomplished (some view the Debian user community as a valuable testing or proving ground for new software)
  • A desire to make, or keep, Free Software competitive with proprietary alternatives
  • A desire to work closely with people that share some of their aptitudes, interests, and goals (there is a very strong sense of community within the Debian project which some applicants do not experience in their paid jobs)
  • A simple enjoyment of the iterative process of software development and maintenance

Debian Developers may resign their positions at any time by orphaning the packages they were responsible for and sending a notice to the developers and the keyring maintainer (so that their upload authorization can be revoked).

Package life cycle

Flowchart of the life cycle of a Debian package

Each Debian software package has a maintainer who keeps track of releases by the “upstream” authors of the software and ensures that the package is compliant with Debian Policy, coheres with the rest of the distribution, and meets the standards of quality of Debian. In relations with users and other developers, the maintainer uses the bug tracking system to follow up on bug reports and fix bugs. Typically, there is only one maintainer for a single package, but increasingly small teams of developers “co-maintain” larger and more complex packages and groups of packages.[38]

Periodically, a package maintainer makes a release of a package by uploading it to the “incoming” directory of the Debian package archive (or an “upload queue” which periodically batch-transmits packages to the incoming directory). Package uploads are automatically processed to ensure that they are well-formed (all the requisite files are in place) and that the package is digitally signed by a Debian developer using OpenPGP-compatible software. All Debian developers have public keys.[39] Packages are signed to be able to reject uploads from hostile outsiders to the project, and to permit accountability in the event that a package contains a serious bug, a violation of policy, or malicious code.

If the package in incoming is found to be validly signed and well-formed, it is installed into the archive into an area called the “pool” and distributed every day to hundreds of mirrors worldwide. Initially, all package uploads accepted into the archive are only available in the “unstable” suite of packages, which contains the most up-to-date version of each package.

However, new code is also untried code, and those packages are only distributed with clear disclaimers. For packages to become candidates for the next “stable” release of the Debian distribution, they first need to be included in the “testing” suite. The requirements for a package to be included in “testing” are that it:[40] [41]

  • Must have been in unstable for the appropriate length of time (the exact duration depends on the “urgency” of the upload)
  • Must not have a greater number of “release-critical” bugs filed against it than the current version in testing. Release-critical bugs are those bugs which are considered serious enough that they make the package unsuitable for release.
  • Must be compiled for all release architectures the package claims to support (e.g. the i386-specific package gmod can be included in “testing”)
  • All of its dependencies must either be satisfiable by packages already in testing, or be satisfiable by the group of packages which are going to be installed at the same time.
  • The operation of installing the package into testing must not break any packages currently in testing.

Thus, a release-critical bug in a package on which many packages depend, such as a shared library, may prevent many packages from entering the “testing” area, because that library is considered deficient.
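The five criteria above can be read as a gate evaluated over a whole batch of candidates. The following is an added example, not code from the Debian project: a simplified model of that gate run over constructed package data, showing how one release-critical bug in a new shared library holds back everything that depends on it. The urgency delays, package names (other than gmod) and field names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed minimum days in unstable per upload urgency. The page only says the
# duration depends on urgency, so these numbers are illustrative.
MIN_AGE_DAYS = {"low": 10, "medium": 5, "high": 2}


@dataclass
class Candidate:
    name: str
    urgency: str
    age_days: int                    # days spent in unstable
    rc_bugs: int                     # release-critical bugs on this version
    claimed_archs: frozenset         # architectures the package claims to support
    built_archs: frozenset           # architectures it was actually built on
    depends: tuple = ()              # package names it needs installed
    breaks: frozenset = frozenset()  # packages that would stop working


def own_blockers(c, testing_rc):
    """Criteria 1-3: checks that depend only on the package itself."""
    reasons = []
    if c.age_days < MIN_AGE_DAYS[c.urgency]:
        reasons.append(f"age {c.age_days}d < {MIN_AGE_DAYS[c.urgency]}d")
    if c.rc_bugs > testing_rc.get(c.name, 0):
        reasons.append("more RC bugs than version in testing")
    missing = c.claimed_archs - c.built_archs
    if missing:
        reasons.append("not built on: " + ", ".join(sorted(missing)))
    return reasons


def plan_migration(candidates, testing_pkgs, testing_rc):
    """Return (names that may migrate together, {blocked name: reasons})."""
    blocked = {}
    for c in candidates:
        reasons = own_blockers(c, testing_rc)
        hit = c.breaks & testing_pkgs            # criterion 5
        if hit:
            reasons.append("would break in testing: " + ", ".join(sorted(hit)))
        if reasons:
            blocked[c.name] = reasons
    batch = {c.name for c in candidates if c.name not in blocked}
    # Criterion 4: each dependency must be in testing already or migrate in
    # the same batch. Repeat until stable so that blockage propagates upward.
    changed = True
    while changed:
        changed = False
        for c in candidates:
            if c.name not in batch:
                continue
            unmet = [d for d in c.depends
                     if d not in testing_pkgs and d not in batch]
            if unmet:
                batch.discard(c.name)
                blocked[c.name] = ["unsatisfied dependency: " + ", ".join(unmet)]
                changed = True
    return batch, blocked


# Constructed sample data (not real archive state).
BOTH = frozenset({"i386", "amd64"})
I386 = frozenset({"i386"})
TESTING = {"libc6", "hello"}
TESTING_RC = {"hello": 0}
CANDIDATES = [
    Candidate("hello", "low", 12, 0, BOTH, BOTH, ("libc6",)),
    Candidate("gmod", "medium", 6, 0, I386, I386, ("libc6",)),   # i386-only is fine
    Candidate("libfoo2", "medium", 7, 1, BOTH, BOTH),            # new library with an RC bug
    Candidate("app2", "low", 15, 0, BOTH, BOTH, ("app1",)),
    Candidate("app1", "low", 15, 0, BOTH, BOTH, ("libfoo2",)),
    Candidate("newtool", "low", 3, 0, BOTH, BOTH),               # too young
    Candidate("libbar1", "low", 11, 0, BOTH, BOTH, ("libbar-data",)),
    Candidate("libbar-data", "low", 11, 0, BOTH, BOTH),          # migrates with libbar1
    Candidate("libqux3", "low", 20, 0, BOTH, BOTH, (), frozenset({"hello"})),
]

if __name__ == "__main__":
    ok, held = plan_migration(CANDIDATES, TESTING, TESTING_RC)
    print("migrate:", sorted(ok))
    for name, why in sorted(held.items()):
        print("blocked:", name, "-", "; ".join(why))
```
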

Periodically, the Release Manager publishes guidelines to the developers in order to ready the release, and in accordance with them eventually decides to make a release. This occurs when all important software is reasonably up-to-date in the release-candidate suite for all architectures for which a release is planned, and when any other goals set by the Release Manager have been met. At that time, all packages in the release-candidate suite (“testing”) become part of the released suite (“stable”).

It is possible for a package – particularly an old, stable, and seldom-updated one – to belong to more than one suite at the same time. The suites are simply collections of pointers into the package “pool” mentioned above.

Security information and policy

The Debian Project, being free software, handles security policy through public disclosure rather than through security through obscurity. Many advisories are coordinated with other free software vendors and are published the same day a vulnerability is made public. Debian has a security audit team that reviews the archive looking for new or unfixed security bugs. Debian also participates in security standardization efforts: the Debian security advisories are compatible with the Common Vulnerabilities and Exposures (CVE) dictionary, and Debian is represented in the Board of the Open Vulnerability and Assessment Language (OVAL) project.[42]

The Debian Project offers extensive documentation and tools to harden a Debian installation both manually and automatically.[43] SELinux (Security-Enhanced Linux) packages are installed by default though not enabled.

Source : en.wikipedia.org

History

[edit] 1993–2000

Debian was first announced on 16 August 1993 by Ian Murdock.[19] Murdock initially called the system “the Debian Linux Release”.[20] Prior to Debian’s release, the Softlanding Linux System (SLS) had been the first Linux distribution compiled from various software packages, and was a popular basis for other distributions in 1993-1994.[21] The perceived poor maintenance and prevalence of bugs in SLS[22] motivated Murdock to launch a new distribution.

In 1993 Murdock also released the Debian Manifesto,[23] outlining his view for the new operating system. In it he called for the creation of a distribution to be maintained in an open manner, in the spirit of Linux and GNU. He formed the name “Debian” as a combination of the first name of his then girlfriend Debra Lynn and his own first name.[24] Murdock and Debra later married, then filed for divorce on the week of 2007-08-10.[25]

The Debian Project grew slowly at first and released the first 0.9x versions in 1994 and 1995. The first ports to other, non-i386 architectures began in 1995, and the first 1.x version of Debian was released in 1996. In 1996, Bruce Perens replaced Ian Murdock as the project leader. In the same year, fellow developer Ean Schuessler suggested that Debian should establish a social contract with its users. He distilled the resulting discussion on Debian mailing lists into the Debian Social Contract and the Debian Free Software Guidelines, defining fundamental commitments for the development of the distribution. He also initiated the creation of the legal umbrella organization, Software in the Public Interest.[9]

Perens left the project in 1998 before the release of the first glibc-based Debian, 2.0. The Project elected new leaders and made two more 2.x releases, each including more ports and packages. The Advanced Packaging Tool was deployed during this time and the first port to a non-Linux kernel, Debian GNU/Hurd, was started. The first Linux distributions based on Debian, namely Libranet, Corel Linux and Stormix‘s Storm Linux, were started in 1999.[9]

[edit] 2000–present

In late 2000, the project made major changes to archive and release management, reorganizing software archive processes with new “package pools” and creating a testing distribution as an ongoing, relatively stable staging area for the next release. In the same year, developers began holding an annual conference called DebConf with talks and workshops for developers and technical users.[9]

In July 2002, the Project released version 3.0, codenamed woody, a stable release which would see relatively few updates until the following release, 3.1 sarge in June 2005.[9]

There were many major changes in the sarge release, mostly due to the large time it took to freeze and release the distribution. Not only did this release update over 73% of the software shipped in the previous version, but it also included much more software than previous releases, almost doubling in size with 9,000 new packages. A new installer replaced the aging boot-floppies installer with a modular design. This allowed advanced installations (with RAID, XFS and LVM support) including hardware detection, making installations easier for novice users. The installation system also boasted full internationalization support as the software was translated into almost forty languages. An installation manual and comprehensive release notes were released in ten and fifteen different languages respectively. This release included the efforts of the Debian-Edu/Skolelinux, Debian-Med and Debian-Accessibility sub-projects which boosted the number of educational packages and those with a medical affiliation as well as packages designed especially for people with disabilities.[9]

Debian 4.0 (etch) was released April 8, 2007 for the same number of architectures as in sarge. It included the AMD64 port but dropped support for m68k. The m68k port was, however, still available in the unstable distribution. There were around 18,200 binary packages maintained by more than 1,030 Debian developers.[9]

Debian 5.0 (lenny) was released February 14, 2009 after 22 months of development. It includes over 25,000 software packages. Support was added for Marvell’s Orion platform and for netbooks such as the Asus Eee PC.[1] The release was dedicated to Thiemo Seufer, an active developer and member of the community who died in a car accident on December 26, 2008.[26]

[edit] Mozilla Corporation software rebranded by the Debian project

Firefox and Thunderbird were rebranded in 2006 to Iceweasel and Icedove, along with other Mozilla software. The Mozilla Corporation stated that Debian may not use the Firefox trademark if it distributes Firefox with modifications which have not been approved by the Mozilla Corporation. Two prominent reasons that Debian modifies the Firefox software are to change the artwork, and to provide security patches. Debian’s free software guidelines consider Mozilla’s artwork non-free. Debian provides long term support for older versions of Firefox in the stable release, where Mozilla prefers that old versions are not supported. The software programs owned by the Mozilla Corporation were rebranded but the programs’ source codes remained the same only with minor differences.[27]

[edit] Development procedures

Software packages in development are either uploaded to the project distribution named unstable (also known as sid), or to the experimental repository. Software packages uploaded to unstable are normally versions stable enough to be released by the original upstream developer, but with the added Debian-specific packaging and other modifications introduced by Debian developers. These additions may be new and untested. Software not ready yet for the unstable distribution is typically placed in the experimental repository.[28]

After a version of a software package has remained in unstable for a certain length of time (depending on the urgency of the software’s changes), that package is automatically migrated to the testing distribution. The package’s migration to testing occurs only if no serious (release-critical) bugs in the package are reported and if other software needed for package functionality qualifies for inclusion in testing.[28]

Since updates to Debian software packages between official releases do not contain new features, some choose to use the testing and unstable distributions for their newer packages. However, these distributions are less tested than stable, and unstable does not receive timely security updates. In particular, incautious upgrades to working unstable packages can sometimes seriously break software functionality.[29] Since September 9, 2005[30] the testing distribution’s security updates have been provided by the testing security team.[31]

After the packages in testing have matured and the goals for the next release are met, the testing distribution becomes the next stable release. The latest stable release of Debian (lenny) is 5.0, released on February 14, 2009. The forthcoming release is version 6.0, codenamed “Squeeze“.[28]

[edit] Project organization

Diagram of the organizational structure of the project

The Debian Project is a volunteer organization with three foundational documents:

  • The Debian Social Contract defines a set of basic principles by which the project and its developers conduct affairs.[8]
  • The Debian Free Software Guidelines define the criteria for “free software” and thus what software is permissible in the distribution, as referenced in the Social Contract. These guidelines have also been adopted as the basis of the Open Source Definition. Although it can be considered a separate document for all practical purposes, it formally is part of the Social Contract.[8]
  • The Debian Constitution describes the organizational structure for formal decision-making within the Project, and enumerates the powers and responsibilities of the Debian Project Leader, the Debian Project Secretary, and the Debian Developers generally.[7]

Currently, the project includes more than a thousand developers. Each of them sustains some niche in the project, be it package maintenance, software documentation, maintaining the project infrastructure, quality assurance, or release coordination. Package maintainers have jurisdiction over their own packages, although packages are increasingly co-maintained. Other tasks are usually handled by the domain of smaller, more collaborative groups of developers.

The project maintains official mailing lists and conferences for communication and coordination between developers.[32] For issues with single packages or domains, a public bug tracking system is used by developers and end-users. Informally, Internet Relay Chat channels (primarily on the OFTC and freenode networks) are used for communication among developers and users as well.

Together, the Developers may make binding general decisions by way of a General Resolution or election. All voting is conducted by Cloneproof Schwartz Sequential Dropping, a Condorcet method of voting. A Project Leader is elected once per year by a vote of the Developers; in April 2008, Steve McIntyre was voted into this position, succeeding Sam Hocevar. The Debian Project Leader has several special powers, but this power is far from absolute and is rarely used. Under a General Resolution, the Developers may, among other things, recall the leader, reverse a decision by him or his delegates, and amend the constitution and other foundational documents.

The Leader sometimes delegates authority to other developers in order for them to perform specialized tasks. Generally this means that a leader delegates someone to start a new group for a new task, and gradually a team gets formed that carries on doing the work and regularly expands or reduces their ranks as they think is best and as the circumstances allow.

A role in Debian with a similar importance to the Project Leader’s is that of a Release Manager. Release Managers set goals for the next release, supervise the processes, and make the final decision as to when to release.[33] [34]

[edit] Project leaders

The project has had the following leaders:[35]

  1. Ian Murdock (August 1993 – March 1996), founder of the Debian Project
  2. Bruce Perens (April 1996 – December 1997)
  3. Ian Jackson (January 1998 – December 1998)
  4. Wichert Akkerman (January 1999 – March 2001)
  5. Ben Collins (April 2001 – April 2002)
  6. Bdale Garbee (April 2002 – April 2003)
  7. Martin Michlmayr (March 2003 – March 2005)
  8. Branden Robinson (April 2005 – April 2006)
  9. Anthony Towns (April 2006 – April 2007)
  10. Sam Hocevar (April 2007 – April 2008)
  11. Steve McIntyre (April 2008 – Present)

A supplemental position, Debian Second in Charge (2IC), was created by Anthony Towns. Steve McIntyre held the position between April 2006 and April 2007. Since April 2009 this position is held by Luk Claes.

[edit] Release managers

  • Brian C. White (1997–1999)
  • Richard Braakman (1999–2000)
  • Anthony Towns (2000–2004)
  • Steve Langasek, Andreas Barth and Colin Watson (2004–2007)
  • Andreas Barth and Luk Claes (2007–2008)
  • Luk Claes and Marc Brockschmidt (2008–2009)
  • Luk Claes and Adeodato Simó (2009–present)

Note that this list includes the active release managers; it does not include the release assistants (first introduced in 2003) and the retiring managers (“release wizards”).[33]

Developer recruitment, motivation, and resignation

The Debian project has a steady influx of applicants wishing to become developers. These applicants must undergo an elaborate vetting process which establishes their identity, motivation, understanding of the project’s goals (embodied in the Social Contract), and technical competence.[36]

Debian Developers join the Project for a number of reasons; some that have been cited in the past include:[37]

  • A desire to contribute back to the Free Software community (practically all applicants are users of Free Software)
  • A desire to see some specific software task accomplished (some view the Debian user community as a valuable testing or proving ground for new software)
  • A desire to make, or keep, Free Software competitive with proprietary alternatives
  • A desire to work closely with people that share some of their aptitudes, interests, and goals (there is a very strong sense of community within the Debian project which some applicants do not experience in their paid jobs)
  • A simple enjoyment of the iterative process of software development and maintenance

Debian Developers may resign their positions at any time by orphaning the packages they were responsible for and sending a notice to the developers and the keyring maintainer (so that their upload authorization can be revoked).

Package life cycle

[Figure: Flowchart of the life cycle of a Debian package]

Each Debian software package has a maintainer who keeps track of releases by the “upstream” authors of the software and ensures that the package is compliant with Debian Policy, coheres with the rest of the distribution, and meets the standards of quality of Debian. In relations with users and other developers, the maintainer uses the bug tracking system to follow up on bug reports and fix bugs. Typically, there is only one maintainer for a single package, but increasingly small teams of developers “co-maintain” larger and more complex packages and groups of packages.[38]

Periodically, a package maintainer makes a release of a package by uploading it to the “incoming” directory of the Debian package archive (or an “upload queue” which periodically batch-transmits packages to the incoming directory). Package uploads are automatically processed to ensure that they are well-formed (all the requisite files are in place) and that the package is digitally signed by a Debian developer using OpenPGP-compatible software. All Debian developers have public keys.[39] Packages are signed so that uploads from hostile outsiders to the project can be rejected, and to permit accountability in the event that a package contains a serious bug, a violation of policy, or malicious code.

If the package in incoming is found to be validly signed and well-formed, it is installed into the archive into an area called the “pool” and distributed every day to hundreds of mirrors worldwide. Initially, all package uploads accepted into the archive are only available in the “unstable” suite of packages, which contains the most up-to-date version of each package.

However, new code is also untried code, and those packages are only distributed with clear disclaimers. For packages to become candidates for the next “stable” release of the Debian distribution, they first need to be included in the “testing” suite. The requirements for a package to be included in “testing” are that it:[40] [41]

  • Must have been in unstable for the appropriate length of time (the exact duration depends on the “urgency” of the upload)
  • Must not have a greater number of “release-critical” bugs filed against it than the current version in testing. Release-critical bugs are those bugs which are considered serious enough that they make the package unsuitable for release.
  • Must be compiled for all release architectures the package claims to support (e.g., the i386-specific package gmod can be included in “testing”)
  • All of its dependencies must either be satisfiable by packages already in testing, or be satisfiable by the group of packages which are going to be installed at the same time.
  • The operation of installing the package into testing must not break any packages currently in testing.

Thus, a release-critical bug in a package on which many packages depend, such as a shared library, may prevent many packages from entering the “testing” area, because that library is considered deficient.
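The five requirements above, and the way one release-critical bug in a library holds back everything that depends on it, can be followed in a short model. This is an added example, not code from the Debian archive tooling; the per-urgency day counts, the package names and all sample data are assumptions made up for illustration.

```python
from dataclasses import dataclass, field

MIN_AGE_DAYS = {"low": 10, "medium": 5, "high": 2}  # assumed, not from the page

@dataclass
class Candidate:
    name: str
    urgency: str
    days_in_unstable: int
    rc_bugs: int                  # release-critical bugs in the unstable version
    claimed_archs: set
    built_archs: set
    depends: set = field(default_factory=set)
    breaks: set = field(default_factory=set)   # testing packages it would break

def blockers(pkg, testing_rc, testing, group=frozenset()):
    """Reasons pkg cannot enter testing; an empty list means it is eligible."""
    why = []
    if pkg.days_in_unstable < MIN_AGE_DAYS[pkg.urgency]:
        why.append("too young")
    if pkg.rc_bugs > testing_rc.get(pkg.name, 0):
        why.append("more RC bugs than testing")
    if pkg.claimed_archs - pkg.built_archs:
        why.append("missing builds")
    if pkg.depends - testing - set(group):
        why.append("unsatisfiable depends")
    if pkg.breaks & testing:
        why.append("breaks testing")
    return why

def migratable(candidates, testing_rc, testing):
    """Largest set of candidates that can enter testing at the same time."""
    group = {c.name: c for c in candidates}
    while True:
        bad = [n for n, c in group.items()
               if blockers(c, testing_rc, testing, set(group) - {n})]
        if not bad:
            return sorted(group)
        group = {n: c for n, c in group.items() if n not in bad}

# Constructed sample data: libfoo2 is a new shared library with one RC bug.
BOTH = {"i386", "amd64"}
TESTING, TESTING_RC = {"libc6", "oldtool"}, {"oldtool": 0}
CANDIDATES = [
    Candidate("libfoo2", "medium", 12, 1, BOTH, BOTH, {"libc6"}),
    Candidate("app-a", "low", 15, 0, BOTH, BOTH, {"libfoo2"}),
    Candidate("app-b", "high", 3, 0, {"i386"}, {"i386"}, {"libc6"}),
    Candidate("app-c", "low", 4, 0, BOTH, {"i386"}, {"libc6"}),
]
```

With this data only app-b migrates: libfoo2 is held by its release-critical bug, app-a is held because its dependency on libfoo2 can then no longer be satisfied, and app-c is both too young and not built on amd64.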

Periodically, the Release Manager publishes guidelines to the developers in order to ready the release, and in accordance with them eventually decides to make a release. This occurs when all important software is reasonably up-to-date in the release-candidate suite for all architectures for which a release is planned, and when any other goals set by the Release Manager have been met. At that time, all packages in the release-candidate suite (“testing”) become part of the released suite (“stable”).

It is possible for a package – particularly an old, stable, and seldom-updated one – to belong to more than one suite at the same time. The suites are simply collections of pointers into the package “pool” mentioned above.

Security information and policy

The Debian Project, being free software, handles security policy through public disclosure rather than through obscurity. Many advisories are coordinated with other free software vendors and are published the same day a vulnerability is made public. Debian has a security audit team that reviews the archive looking for new or unfixed security bugs. Debian also participates in security standardization efforts: the Debian security advisories are compatible with the Common Vulnerabilities and Exposures (CVE) dictionary, and Debian is represented in the Board of the Open Vulnerability and Assessment Language (OVAL) project.[42]

The Debian Project offers extensive documentation and tools to harden a Debian installation both manually and automatically.[43] SELinux (Security-Enhanced Linux) packages are installed by default though not enabled.

