<!ENTITY % dynamicdata SYSTEM "dynamic.ent" > %dynamicdata;
<!-- CVS revision of this document -->
- <!ENTITY cvs-rev "$Revision: 1.274 $">
+ <!ENTITY cvs-rev "$Revision: 1.322 $">
<!-- if you are translating this document, please notate the CVS
revision of the original developer's reference in cvs-en-rev -->
<copyright>
<copyrightsummary>
-copyright © 2004—2005 Andreas Barth</copyrightsummary>
+copyright © 2004—2007 Andreas Barth</copyrightsummary>
<copyrightsummary>
copyright © 1998—2003 Adam Di Carlo</copyrightsummary>
<copyrightsummary>
Quality Assurance (QA) work you can join maintainers already working on
these tasks and submit patches and improvements.
+ <p>
+One pitfall could be a too-generic local part in your mailadress:
+Terms like mail, admin, root, master should be avoided, please
+see <url id="http://www.debian.org/MailingLists/"> for details.
+
<sect id="mentors">Debian mentors and sponsors
<p>
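Review bot: the added paragraph misspells "mailadress" (use "mail address" or "email address") and never says why a local part such as mail, admin, root or master is a problem, so the reader has to follow the link to learn the reason. Add one clause giving the reason. The link itself is hard-coded as http://www.debian.org/MailingLists/ while the neighbouring references use entities such as &url-mentors;.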
In addition, if you have some packages ready for inclusion in Debian,
but are waiting for your new maintainer application to go through, you
might be able find a sponsor to upload your package for you. Sponsors
-are people who are official Debian maintainers, and who are willing to
+are people who are official Debian Developers, and who are willing to
criticize and upload your packages for you.
<!-- FIXME - out of order
Those who are seeking a
sponsor can request one at <url id="&url-sponsors;">.
-->
Please read the
-inofficial debian-mentors FAQ at <url id="&url-mentors;"> first.
+unofficial debian-mentors FAQ at <url id="&url-mentors;"> first.
<p>
If you wish to be a mentor and/or sponsor, more information is
available in <ref id="newmaint">.
<p>
Before you decide to register with &debian-formal;, you will need to
read all the information available at the <url id="&url-newmaint;"
-name="New Maintainer's Corner">. It describes exactly the
+name="New Maintainer's Corner">. It describes in detail the
preparations you have to do before you can register to become a Debian
developer.
The process of registering as a developer is a process of verifying
your identity and intentions, and checking your technical skills. As
the number of people working on &debian-formal; has grown to over
-&number-of-maintainers; people and our systems are used in several
+&number-of-maintainers; and our systems are used in several
very important places, we have to be careful about being compromised.
Therefore, we need to verify new maintainers before we can give them
accounts on our servers and let them upload packages.
competent work and will be a good contributor.
You show this by submitting patches through the Bug Tracking System
and having a package
-sponsored by an existing maintainer for a while. Also, we expect that
+sponsored by an existing Debian Developer for a while.
+Also, we expect that
contributors are interested in the whole project and not just in
maintaining their own packages. If you can help other maintainers by
providing further information on a bug or even a patch, then do so!
Registration requires that you are familiar with Debian's philosophy
and technical documentation. Furthermore, you need a GnuPG key which
has been signed by an existing Debian maintainer. If your GnuPG key
-is not signed yet, you should try to meet a Debian maintainer in
+is not signed yet, you should try to meet a Debian Developer in
person to get your key signed. There's a <url id="&url-gpg-coord;"
name="GnuPG Key Signing Coordination page"> which should help you find
-a maintainer close to you.
-(If there is no Debian maintainer close to you,
+a Debian Developer close to you.
+(If there is no Debian Developer close to you,
alternative ways to pass the ID check may be permitted
as an absolute exception on a case-by-case-basis.
See the <url id="&url-newmaint-id;" name="identification page">
-for more informations.)
+for more information.)
<p>
If you do not have an OpenPGP key yet, generate one. Every developer
-needs a OpenPGP key in order to sign and verify package uploads. You
+needs an OpenPGP key in order to sign and verify package uploads. You
should read the manual for the software you are using, since it has
much important information which is critical to its security. Many
more security failures are due to human error than to software failure
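Review bot: the maintainer-to-Developer rename is incomplete in this passage. The unchanged line "has been signed by an existing Debian maintainer" still uses the old term directly before "you should try to meet a Debian Developer in person", so the two sentences now read as if they named different groups. Change that line as well.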
OpenPGP is an open standard based on <url id="&url-rfc2440;" name="RFC
2440">.
<p>
-You need a type 4 key for use in Debian Development.
+You need a version 4 key for use in Debian Development.
Your key length must be at least 1024
bits; there is no reason to use a smaller key, and doing so would be
-much less secure. Your key must be signed with your own user
-ID; this prevents user ID tampering. <prgn>gpg</prgn> does this
-automatically.
+much less secure.
+<footnote>Version 4 keys are keys conforming to
+the OpenPGP standard as defined in RFC 2440. Version 4 is the key
+type that has always been created when using GnuPG. PGP versions
+since 5.x also could create v4 keys, the other choice having beein
+pgp 2.6.x compatible v3 keys (also called "legacy RSA" by PGP).
+<p>
+Version 4 (primary) keys can either use the RSA or the DSA algorithms,
+so this has nothing to do with GnuPG's question about "which kind
+of key do you want: (1) DSA and Elgamal, (2) DSA (sign only), (5)
+RSA (sign only)". If you don't have any special requirements just pick
+the default.
+<p>
+The easiest way to tell whether an existing key is a v4 key or a v3
+(or v2) key is to look at the fingerprint:
+Fingerprints of version 4 keys are the SHA-1 hash of some key matieral,
+so they are 40 hex digits, usually grouped in blocks of 4. Fingerprints
+of older key format versions used MD5 and are generally shown in blocks
+of 2 hex digits. For example if your fingerprint looks like
+<tt>5B00 C96D 5D54 AEE1 206B AF84 DE7A AF6E 94C0 9C7F</tt>
+then it's a v4 key.
+<p>
+Another possibility is to pipe the key into <prgn>pgpdump</prgn>,
+which will say something like "Public Key Packet - Ver 4".
+<p>
+Also note that your key must be self-signed (i.e. it has to sign
+all its own user IDs; this prevents user ID tampering). All
+modern OpenPGP software does that automatically, but if you
+have an older key you may have to manually add those signatures.
+</footnote>
<p>
-If your public key isn't on public key servers such as &pgp-keyserv;,
-please read the documentation available locally in &file-keyservs;.
+If your public key isn't on a public key server such as &pgp-keyserv;,
+please read the documentation available at
+<url id="&url-newmaint-id;" name="NM Step 2: Identification">.
That document contains instructions on how to put your key on the
public key servers. The New Maintainer Group will put your public key
on the servers if it isn't already there.
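Review bot: moving the self-signature rule into the footnote hides a hard requirement. The removed body text said "Your key must be signed with your own user ID", and a reader who skips the footnote now sees only the version and key-length rules. Keep one sentence on self-signing in the main paragraph and leave the explanation in the footnote. Inside the footnote, fix "having beein" and "key matieral". The quoted GnuPG prompt "(1) DSA and Elgamal, (2) DSA (sign only), (5) RSA (sign only)" will go stale when the prompt changes, so paraphrase it or say which release it was taken from.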
cryptography even for authentication is forbidden
then please contact us so we can make special arrangements.
<p>
-To apply as a new maintainer, you need an existing Debian maintainer
-to verify your application (an <em>advocate</em>). After you have
+To apply as a new maintainer, you need an existing Debian Developer
+to support your application (an <em>advocate</em>). After you have
contributed to Debian for a while, and you want to apply to become a
registered developer, an existing developer with whom you
have worked over the past months has to express their belief that you
issue several calls for votes on &email-debian-devel-announce; (and all
developers are expected to be subscribed to that list). Democracy doesn't
work well if people don't take part in the vote, which is why we encourage
-all developers to vote. Voting is conducted via GPG-signed/encrypted emails
+all developers to vote. Voting is conducted via GPG-signed/encrypted email
messages.
<p>
-The list of all the proposals (past and current) is available on the
+The list of all proposals (past and current) is available on the
<url id="&url-vote;" name="Debian Voting Information"> page, along with
information on how to make, second and vote on proposals.
<p>
It is common for developers to have periods of absence, whether those are
planned vacations or simply being buried in other work. The important thing
-to notice is that the other developers need to know that you're on vacation
+to notice is that other developers need to know that you're on vacation
so that they can do whatever is needed if a problem occurs with your
packages or other duties in the project.
<p>
Usually this means that other developers are allowed to NMU (see
-<ref id="nmu">) your package if a big problem (release critical bugs,
+<ref id="nmu">) your package if a big problem (release critical bug,
security update, etc.) occurs while you're on vacation. Sometimes it's
-nothing as critical as that, but it's still appropriate to let the others
+nothing as critical as that, but it's still appropriate to let others
know that you're unavailable.
<p>
In order to inform the other developers, there are two things that you should do.
All bug reports that have severity <em>critical</em>, <em>grave</em> or
<em>serious</em> are considered to have an impact on whether the package can
be released in the next stable release of Debian.
-Those bugs can delay the Debian release
+These bugs can delay the Debian release
and/or can justify the removal of a package at freeze time. That's why
these bugs need to be corrected as quickly as possible.
<p>
<item>
Orphan all your packages, as described in <ref id="orphaning">.
<item>
-Send an email about why you are leaving the project to
+Send an gpg-signed email about why you are leaving the project to
&email-debian-private;.
<item>
Notify the Debian key ring maintainers that you are leaving by
-emailing to &email-debian-keyring;.
+opening a ticket in Debian RT by sending a mail
+to keyring@rt.debian.org with the words 'Debian RT' somewhere in the subject
+line (case doesn't matter).
</enumlist>
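Review bot: "Send an gpg-signed email" should read "Send a GPG-signed email". In the key ring item, keyring@rt.debian.org is bare text although the line it replaces used an entity (&email-debian-keyring;); mark it up as an email address like the others. The item should also say whether the RT mail has to be signed, since the item above now requires a signature and this one is silent.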
<sect id="irc-channels">IRC channels
<p>
Several IRC channels are dedicated to Debian's development. They are mainly
-hosted on the <url id="&url-openprojects;" name="freenode"> network
-(previously known as Open Projects Network).
-The <tt>irc.debian.org</tt> DNS entry is an alias to
-<tt>irc.freenode.net</tt>.
+hosted on the <url id="&url-oftc;" name="Open and free technology community
+(OFTC)"> network. The <tt>irc.debian.org</tt> DNS entry is an alias to
+<tt>irc.oftc.net</tt>.
<p>
The main channel for Debian in general is <em>#debian</em>. This is a large,
general-purpose channel where users can find recent news in the topic and
all the files.
<p>
There are other additional channels dedicated to specific subjects.
-<em>#debian-bugs</em> is used for coordinating bug squash parties.
+<em>#debian-bugs</em> is used for coordinating bug squashing parties.
<em>#debian-boot</em> is used to coordinate the work on the debian-installer.
<em>#debian-doc</em> is
occasionally used to talk about documentation, like the document you are
French speaking people interested in Debian's development.
<p>
Channels dedicated to Debian also exist on other IRC networks, notably on
-the <url name="Open and free technology community (OFTC)"
-id="http://www.oftc.net/"> IRC network.
+the <url id="&url-openprojects;" name="freenode"> IRC network, which was
+pointed at by the <tt>irc.debian.org</tt> alias until 4th June 2006.
<p>
-To get a cloak on freenode, you send Göran Weinholt <weinholt@debian.org>
+To get a cloak on freenode, you send Jörg Jaspert <joerg@debian.org>
a signed mail where you tell what your nick is.
Put "cloak" somewhere in the Subject: header.
The nick should be registered:
The non-US server <tt>non-us.debian.org</tt>
was discontinued with the release of sarge. The pseudo-package
<package>nonus.debian.org</package>
-stil exists for now.
+still exists for now.
<sect1 id="servers-www">The www-master server
<p>
<sect1 id="dchroot">chroots to different distributions
<p>
On some machines, there are chroots to different distributions available.
-You can use them like
+You can use them like this:
<example>
vore% dchroot unstable
<sect1>Architectures
<p>
-In the first days, the Linux kernel was only available for the Intel
-i386 (or greater) platforms, and so was Debian. But when Linux became
+In the first days, the Linux kernel was only available for Intel
+i386 (or greater) platforms, and so was Debian. But as Linux became
more and more popular, the kernel was ported to other architectures,
too.
<p>
contains the sources of the program. If a package is distributed
elsewhere too, the <file>.orig.tar.gz</file> file stores the so-called
<em>upstream source code</em>, that is the source code that's
-distributed from the <em>upstream maintainer</em> (often the author of
+distributed by the <em>upstream maintainer</em> (often the author of
the software). In this case, the <file>.diff.gz</file> contains the
changes made by the Debian maintainer.
<p>
These are the <manref name="sources.list" section="5"> lines for
<em>experimental</em>:
<example>
-deb http://ftp.<var>xy</var>.debian.org/debian/ ../project/experimental main
-deb-src http://ftp.<var>xy</var>.debian.org/debian/ ../project/experimental main
+deb http://ftp.<var>xy</var>.debian.org/debian/ experimental main
+deb-src http://ftp.<var>xy</var>.debian.org/debian/ experimental main
</example>
<p>
If there is a chance that the software could do grave damage to a system,
<p>
Every released Debian distribution has a <em>code name</em>: Debian
1.1 is called `buzz'; Debian 1.2, `rex'; Debian 1.3, `bo'; Debian 2.0,
-`hamm'; Debian 2.1, `slink'; Debian 2.2, `potato'; and Debian 3.0, `woody'. There is also
-a ``pseudo-distribution'', called `sid', which is the current
+`hamm'; Debian 2.1, `slink'; Debian 2.2, `potato'; Debian 3.0, `woody';
+Debian 3.1, "sarge";
+Debian 4.0, "etch".
+There is also a ``pseudo-distribution'', called `sid', which is the current
`unstable' distribution; since packages are moved from `unstable' to
`testing' as they approach stability, `sid' itself is never released.
As well as the usual contents of a Debian distribution, `sid' contains
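Review bot: the two new code names are quoted as "sarge" and "etch", while every other name in the same sentence uses the `buzz' style. Write `sarge' and `etch' so the list stays consistent, and fold the two short lines back into the running sentence.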
until it is really installed
in the Debian archive.
This happens only once a day
-(and is also called `dinstall run' for historical reasons);
+(and is also called the `dinstall run' for historical reasons);
the package
is then removed from incoming and installed in the pool along with all
the other packages. Once all the other updates (generating new
<tag><tt>summary</tt>
<item>
-(This is a planned expansion.)
-The regular summary emails about the package's status (bug statistics,
-porting overview, progression in <em>testing</em>, ...).
+Regular summary emails about the package's status.
+Currently, only progression in <em>testing</em> is sent.
+
</taglist>
<p>
<item>
Translations of descriptions or debconf templates
submitted to the Debian Description Translation Project.
+
+ <tag><tt>derivatives</tt>
+ <item>
+Information about changes made to the package in derivative distributions
+(for example Ubuntu).
</taglist>
<sect1 id="pts-commands">The PTS email interface
<p>
You can control your subscription(s) to the PTS by sending
-various commands to <email>pts@qa.debian.org</email>.
+various commands to <email>pts@qa.debian.org</email>.
<taglist>
using the specified email address or the sender address if the second
argument is left out.
+<tag><tt>unsubscribeall [<email>]</tt>
+<item>
+ Removes all subscriptions of the specified email address or the sender
+ address if the second argument is left out.
+
<tag><tt>which [<email>]</tt>
<item>
Lists all subscriptions for the sender or the email address optionally
<item><tt>summary</tt>: automatic summary mails about the state of a package
<item><tt>cvs</tt>: notification of CVS commits
<item><tt>ddtp</tt>: translations of descriptions and debconf templates
+ <item><tt>derivatives</tt>: changes made on the package by derivative distributions
<item><tt>upload-source</tt>: announce of a new source upload that
has been accepted
<item><tt>upload-binary</tt>: announce of a new binary-only upload (porting)
<tag><tt>keyword [<email>] {+|-|=} <list of keywords></tt>
<item>
Accept (+) or refuse (-) mails classified under the given keyword(s).
- Define the list (=) of accepted keywords.
+ Define the list (=) of accepted keywords. This changes the default set
+ of keywords accepted by a user.
+
+<tag><tt>keywordall [<email>] {+|-|=} <list of keywords></tt>
+<item>
+ Accept (+) or refuse (-) mails classified under the given keyword(s).
+ Define the list (=) of accepted keywords. This changes the set of
+ accepted keywords of all the currently active subscriptions of a user.
<tag><tt>keyword <sourcepackage> [<email>] {+|-|=} <list of keywords></tt>
<item>
the bot.
</taglist>
+ <p>
+The <prgn>pts-subscribe</prgn> command-line utility (from the
+<package>devscripts</package> package) can be handy to temporarily
+subscribe to some packages, for example after having made an
+non-maintainer upload.
+
<sect1 id="pts-mail-filtering">Filtering PTS mails
<p>
Once you are subscribed to a package, you will get the mails sent to
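Review bot: "after having made an non-maintainer upload" should be "a non-maintainer upload". Since the paragraph recommends pts-subscribe for temporary subscriptions, one sentence on how the subscription ends (by itself or by hand) would help.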
useful information.
<p>
It is a good idea to look up your own data regularly so that
-you don't forget any open bug, and so that you don't forget which
-packages are under your responsibility.
+you don't forget any open bugs, and so that you don't forget which
+packages are your responsibility.
<sect id="alioth">Debian *Forge: Alioth
<p>
changelog of the new package in order for the bug report to be
automatically closed once the new package is installed in the archive
(see <ref id="upload-bugfix">).
+ <p>
+When closing security bugs include CVE numbers as well as the
+"Closes: #nnnnn".
+This is useful for the security team to track vulnerabilities.
+If an upload is made to fix the bug before the advisory ID is known,
+it is encouraged to modify the historical changelog entry with the next upload.
+Even in this case, please include all available pointers to background
+information in the original changelog entry.
+
<p>
There are a number of reasons why we ask maintainers to announce their
intentions:
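Review bot: the paragraph asks for "CVE numbers" in its first sentence but then describes an upload made "before the advisory ID is known", so it is unclear whether the identifier to add later is the CVE number, an advisory number, or both. Name the identifier consistently. The first sentence needs a comma after "security bugs", and "it is encouraged to modify the historical changelog entry" would be clearer as a direct instruction that says what to add to the old entry.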
The announcements give maintainers and other interested parties a
better feel of what is going on, and what is new, in the project.
</list>
-
+ <p>
+Please see <url id="http://ftp-master.debian.org/REJECT-FAQ.html">
+for common rejection reasons for a new package.
<sect id="changelog-entries">Recording changes in the package
<p>
tests the <file>postrm</file> and <file>prerm</file> scripts.
<item>
Remove the package, then reinstall it.
+ <item>
+Copy the source package in a different directory and try unpacking it and
+rebuilding it. This tests if the package relies on existing files outside of
+it, or if it relies on permissions being preserved on the files shipped inside
+the .diff.gz file.
</list>
source tar-file used by <prgn>dpkg-source</prgn> when constructing the
<file>.dsc</file> file and diff to be uploaded <em>must</em> be
byte-for-byte identical with the one already in the archive.
+ <p>
+Please notice that, in non-native packages, permissions on files that are not
+present in the .orig.tar.gz will not be preserved, as diff does not store file
+permissions in the patch.
<sect id="distribution">Picking a distribution
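Review bot: the added paragraph writes .orig.tar.gz as plain text, while the context line just above uses file markup for .dsc and the rest of the document writes this file name with file markup too. Mark it up the same way, and change "Please notice that" to "Please note that".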
<sect1 id="upload-stable">
<heading>Special case: uploads to the <em>stable</em> distribution</heading>
<p>
-Uploading to <em>stable</em> means that the package will be placed into the
-<file>stable-proposed-updates</file> directory of the Debian archive for further
-testing before it is actually included in <em>stable</em>.
+Uploading to <em>stable</em> means that the package will transfered to the
+<em>p-u-new</em>-queue for review by the stable release managers, and
+if approved will be installed in
+<file>stable-proposed-updates</file> directory of the Debian archive.
+From there, it will be included in <em>stable</em> with the next point release.
<p>
Extra care should be taken when uploading to <em>stable</em>. Basically, a
package should only be uploaded to stable if one of the following happens:
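Review bot: "the package will transfered to the" is missing a verb and misspells the participle; it should read "the package will be transferred to the". "will be installed in stable-proposed-updates directory" also needs "the" before the directory name. The queue is introduced only by its abbreviation, p-u-new; spell out what it stands for on first use.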
those other packages uninstallable, is strongly discouraged.
<p>
The Release Team (which can be reached at &email-debian-release;) will
-regularly evaluate the uploads in <em>stable-proposed-updates</em> and decide if
+regularly evaluate the uploads To <em>stable-proposed-updates</em> and decide if
your package can be included in <em>stable</em>. Please be clear (and
verbose, if necessary) in your changelog entries for uploads to
<em>stable</em>, because otherwise the package won't be considered for
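Review bot: "evaluate the uploads To stable-proposed-updates" has a stray capital; write "uploads to".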
<sect1 id="upload-non-us">Uploading to <tt>non-US</tt>
<p>
-<em>Note:</em> non-us was discontinued with release of sarge.
+<em>Note:</em> non-us was discontinued with the release of sarge.
<sect1 id="delayed-incoming">Delayed uploads
Delayed uploads are done for the moment via the delayed queue at
gluck. The upload-directory is
<ftpsite>gluck:~tfheen/DELAYED/[012345678]-day</ftpsite>.
-0-day is uploaded approximately one hour before dinstall runs.
+0-day is uploaded multiple times per day to ftp-master.
<p>
With a fairly recent dput, this section
<example>
<sect1>Security uploads
<p>
-Do NOT upload a package to the security upload queue (oldstable-security,
+Do <strong>NOT</strong> upload a package to the security upload queue
+(oldstable-security,
stable-security, etc.) without prior authorization from the security
team. If the package does not exactly meet the team's requirements, it
will cause many problems and delays in dealing with the unwanted upload.
due to the login restrictions on those hosts.
<p>
The anonymous queues on ftp.uni-erlangen.de and ftp.uk.debian.org are
-currently down. Work is underway to resurrect those.
+currently down. Work is underway to resurrect them.
<p>
The queues on master.debian.org, samosa.debian.org, master.debian.or.jp,
and ftp.chiark.greenend.org.uk are down permanently, and will not be
<em>override file</em>.
<p>
To alter the actual section that a package is put in, you need to
-first make sure that the <file>debian/control</file> in your package
+first make sure that the <file>debian/control</file> file in your package
is accurate. Next, send an email &email-override; or submit a bug
against <package>ftp.debian.org</package> requesting that the section
or priority for your package be changed from the old section or
Operations such as reassigning bugs to other packages, merging separate
bug reports about the same issue, or reopening bugs when they are
prematurely closed, are handled using the so-called control mail server.
-All of the commands available in this server are described in the
+All of the commands available on this server are described in the
<url id="&url-bts-control;" name="BTS control server documentation">.
<sect1 id="bug-monitoring">Monitoring bugs
bug log (that means you don't need to send a copy of the mail to
<email>123@&bugs-host;</email>).
<p>
-If you get a bug which mentions "FTBFS", that means "Fails to build
+If you get a bug which mentions "FTBFS", this means "Fails to build
from source". Porters frequently use this acronym.
<p>
Once you've dealt with a bug report (e.g. fixed it), mark it as
the unmerge command, see the BTS control server documentation.
<item>
The bug submitter may have forgotten to provide some information, in which
-case you have to ask them the required information. You may use the
+case you have to ask them for the required information. You may use the
<tt>moreinfo</tt> tag to mark the bug as such. Moreover if you can't
reproduce the bug, you tag it <tt>unreproducible</tt>. Anyone who
can reproduce the bug is then invited to provide more information
Forwarding a bug is not enough, you have to check at each release if
the bug has been fixed or not. If it has, you just close it, otherwise
you have to remind the author about it. If you have the required skills
-you can prepare a patch that fixes the bug and that you send at the
-same time to the author. Make sure to send the patch to the BTS and to
+you can prepare a patch that fixes the bug and
+send it to the author at the same time.
+Make sure to send the patch to the BTS and to
tag the bug as <tt>patch</tt>.
<item>
If you have fixed a bug in your local copy, or if a fix has been
<sect1 id="upload-bugfix">When bugs are closed by new uploads
<p>
-As bugs and problems are fixed your packages, it is your
-responsibility as the package maintainer to close the bug. However,
-you should not close the bug until the package which fixes the bug has
+As bugs and problems are fixed in your packages, it is your
+responsibility as the package maintainer to close these bugs. However,
+you should not close a bug until the package which fixes the bug has
been accepted into the Debian archive. Therefore, once you get
notification that your updated package has been installed into the
archive, you can and should close the bug in the BTS.
+Also, the bug should be closed with the correct version.
<p>
However, it's possible to avoid having to manually close bugs after the
upload — just list the fixed bugs in your <file>debian/changelog</file>
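Review bot: the added sentence "Also, the bug should be closed with the correct version" gives the reader nothing to act on. It does not say which version counts as correct or how to supply it when closing the bug. Add a short pointer to where that is explained, or state it here.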
We prefer the <tt>closes: #<var>XXX</var></tt> syntax, as it is the
most concise entry and the easiest to integrate with the text of the
<file>changelog</file>.
- <p>
-If an upload is identified as <qref id="nmu">Non-maintainer upload (NMU)</qref>
-(and that is the case if the name of the person who commits this change
-is not exactly the same as any one of Maintainer or Uploader,
-except if the maintainer is the qa group),
-than the bug is only tagged <tt>fixed</tt> instead of being closed.
-If a maintainer upload is targetted to experimental,
-than the tag <tt>fixed-in-experimental</tt> is added to the bug;
-for NMUs, the tag <tt>fixed</tt> is used.
-(The special rule for experimental is expected to change
-as soon as version-tracking is added to the bug tracking system.)
+Unless specified different by the <var>-v</var>-switch to
+<prgn>dpkg-buildpackage</prgn>, only the bugs closed in the
+most recent changelog entry are closed (basically, exactly
+the bugs mentioned in the changelog-part
+in the <file>.changes</file> file are closed).
+ <p>
+Historically, uploads identified as
+<qref id="nmu">Non-maintainer upload (NMU)</qref>
+were tagged <tt>fixed</tt> instead of being closed,
+but that practice was ceased with the advent of version-tracking.
+The same applied to the tag <tt>fixed-in-experimental</tt>.
<p>
If you happen to mistype a bug number or forget a bug in the changelog
entries, don't hesitate to undo any damage the error caused. To reopen
-wrongly closed bugs, send an <tt>reopen <var>XXX</var></tt> command to
+wrongly closed bugs, send a <tt>reopen <var>XXX</var></tt> command to
the bug tracking system's control address, &email-bts-control;. To
close any remaining bugs that were fixed by your upload, email the
<file>.changes</file> file to <email>XXX-done@&bugs-host;</email>,
-where <var>XXX</var> is your bug number.
+where <var>XXX</var> is the bug number, and
+put "Version: YYY" and an empty line as the first two lines
+of the body of the email,
+where <var>YYY</var> is the first version
+where the bug has been fixed.
+
<p>
Bear in mind that it is not obligatory to close bugs using the
changelog as described above. If you simply want to close bugs that
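Review bot: "Unless specified different by the -v-switch" should read "Unless specified differently with the -v switch". The -v is a literal option, so tt markup fits better than var, which this file uses for placeholders such as XXX. In the NMU paragraph, "that practice was ceased" reads better as "that practice ended". In the last changed paragraph, "Version: YYY" sits in plain quotes; mark it up in the same way as the reopen command a few lines above so the placeholder is visible as one.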
Due to their sensitive nature, security-related bugs must be handled
carefully. The Debian Security Team exists to coordinate this
activity, keeping track of outstanding security problems, helping
-maintainers with security problems or fix them themselves, sending
+maintainers with security problems or fixing them themselves, sending
security advisories, and maintaining security.debian.org.
<!-- information about the security database goes here once it's ready -->
Useful information includes, for example:
<list compact>
- <item>What versions of the package are known to be affected by the
+ <item>Which versions of the package are known to be affected by the
bug. Check each version that is present in a supported Debian
release, as well as testing and unstable.
whether it is already a matter of public knowledge.
<p>
-There are a few ways developers can learn of a security problem:
+There are several ways developers can learn of a security problem:
<list compact>
<item>they notice it on a public forum (mailing list, web site, etc.)
<item>If the problem is severe, it is preferable to share the
information with
other vendors and coordinate a release. The security team keeps
- contacts with the various organizations and individuals and can take
+ in contact with the various organizations and individuals and can take
care of that.
</list>
approved by the security team, it needs to be uploaded so that it can
be installed in the archives. For security uploads, the place to
upload to is
-<tt>ftp://security.debian.org/pub/SecurityUploadQueue/</tt> .
+<tt>ftp://security-master.debian.org/pub/SecurityUploadQueue/</tt> .
<p>
Once an upload to the security queue has been accepted, the package
<p>
If a member of the security team accepts a package, it will be
-installed on security.debian.org as well as the proper
-<var>distribution</var>-proposed-updates on ftp-master or in the non-US
-archive.
+installed on security.debian.org as well as proposed for the proper
+<var>distribution</var>-proposed-updates on ftp-master.
<sect id="archive-manip">
<heading>Moving, removing, renaming, adopting, and orphaning
<p>
Some archive manipulation operations are not automated in the Debian
upload process. These procedures should be manually followed by
-maintainers. This chapter gives guidelines in what to do in these
+maintainers. This chapter gives guidelines on what to do in these
cases.
<sect1 id="moving-pkgs">Moving packages
If you need to change the section for one of your packages, change the
package control information to place the package in the desired
section, and re-upload the package (see the <url id="&url-debian-policy;"
-name="Debian Policy Manual"> for details). If your new section is
+name="Debian Policy Manual"> for details).
+You must ensure that you include the <file>.orig.tar.gz</file> in your upload
+(even if you are not uploading a new upstream version),
+or it will not appear in the new section together with the rest of the package.
+If your new section is
valid, it will be moved automatically. If it does not, then contact
the ftpmasters in order to understand what happened.
<p>
If for some reason you want to completely remove a package (say, if it
is an old compatibility library which is no longer required), you
need to file a bug against <tt>ftp.debian.org</tt> asking that the
-package be removed. Make sure you indicate which distribution the
+package be removed;
+as all bugs, this bug should normally have normal severity.
+Make sure you indicate which distribution the
package should be removed from. Normally, you can only have packages
removed from <em>unstable</em> and <em>experimental</em>. Packages
are not removed from <em>testing</em> directly. Rather, they will be
removed automatically after the package has been removed from
<em>unstable</em> and no package in <em>testing</em> depends on it.
<p>
-You also have to detail the reasons justifying that request. This is to
+There is one exception when an explicit removal request is not necessary:
+If a (source or binary) package is an orphan, it will be removed
+semi-automatically.
+For a binary-package, this means if there is no longer any source package
+producing this binary package;
+if the binary package is just no longer produced on some architectures,
+a removal request is still necessary.
+For a source-package, this means that all binary packages it refers to
+have been taken over by another source package.
+ <p>
+In your removal request, you have to detail the reasons justifying the request.
+This is to
avoid unwanted removals and to keep a trace of why a package has been
removed. For example, you can provide the name of the package that
supersedes the one to be removed.
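Review bot: "If a (source or binary) package is an orphan" reuses a word this document already applies to packages without a maintainer ("Orphan all your packages", the orphaning section), yet the sentences that follow define it as a binary package with no source producing it, or a source package whose binaries were all taken over. Choose a different term or define it before use, otherwise the sentence can be read as "orphaned packages are removed automatically". Also, "as all bugs, this bug should normally have normal severity" should start "as with all bugs", and "binary-package" and "source-package" are hyphenated here but written as two words in the next lines.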
package. When invoked as <tt>apt-cache showpkg
<var>package</var></tt>, the program will show details for
<var>package</var>, including reverse depends.
+Other useful programs include
+<tt>apt-cache rdepends</tt>,
+<prgn>apt-rdepends</prgn> and
+<prgn>grep-dctrl</prgn>.
Removal of orphaned packages is discussed on &email-debian-qa;.
<p>
Once the package has been removed, the package's bugs should be handled.
They should either be reassigned to another package in the case where
the actual code has evolved into another package (e.g. <tt>libfoo12</tt>
was removed because <tt>libfoo13</tt> supersedes it) or closed if the
-software is simply no more part of Debian.
+software is simply no longer part of Debian.
<sect2>Removing packages from <file>Incoming</file>
<p>
<sect1 id="orphaning">Orphaning a package
<p>
-If you can no longer maintain a package, you need to inform the others
-about that, and see that the package is marked as orphaned.
+If you can no longer maintain a package, you need to inform others,
+and see that the package is marked as orphaned.
You should set the package maintainer to <tt>Debian QA Group
&orphan-address;</tt> and submit a bug report
against the pseudo package <package>wnpp</package>. The bug report should be
<sect1 id="adopting">Adopting a package
<p>
-A list of packages in need of a new maintainer is available at in the
+A list of packages in need of a new maintainer is available in the
<url name="Work-Needing and Prospective Packages list (WNPP)"
id="&url-wnpp;">. If you wish to take over maintenance of any of the
packages listed in the WNPP, please take a look at the aforementioned
get this wrong, the archive maintainers will reject your upload (due
to lack of corresponding source code).
<p>
-The ``magic'' for a recompilation-only NMU is triggered by using the
-third-level number on the Debian part of the version. For instance,
-if the latest version you are recompiling against was version
-``2.9-3'', your NMU should carry a version of ``2.9-3.0.1''. If the
-latest version was ``3.4-2.1'', your NMU should have a version number
-of ``3.4-2.1.1''.
+The ``magic'' for a recompilation-only NMU is triggered by using a
+suffix appended to the package version number,
+following the form b<number>.
+For instance, if the latest version you are
+recompiling against was version ``2.9-3'', your NMU should carry a
+version of ``2.9-3+b1''. If the latest version was ``3.4+b1'' (i.e, a
+native package with a previous recompilation NMU), your NMU should have
+a version number of ``3.4+b2''.
+
+<footnote>
+In the past, such NMUs used the third-level number on the Debian part of
+the revision to denote their recompilation-only status; however, this
+syntax was ambiguous with native packages and did not allow proper
+ordering of recompile-only NMUs, source NMUs, and security NMUs on the
+same package, and has therefore been abandoned in favor of this new
+syntax.</footnote>
<p>
Similar to initial porter uploads, the correct way of invoking
<prgn>dpkg-buildpackage</prgn> is <tt>dpkg-buildpackage -B</tt> to only
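Review bot: In the added sentence "following the form b<number>", the literal <number> is not escaped, so the SGML parser will treat it as an undeclared tag instead of text; write the placeholder as b<var>number</var>, the way <var>package</var> is written elsewhere in this file. The stated form also omits the "+" that both examples carry ("2.9-3+b1", "3.4+b2"), so it should read +b<var>number</var>. Minor: "i.e," is missing its second period.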
<sect1 id="porter-automation">
<heading>Porting infrastructure and automation</heading>
<p>
-There is infrastructure and several tools to help automate the package
+There is infrastructure and several tools to help automate package
porting. This section contains a brief overview of this automation and
porting to these tools; see the package documentation or references for
full information.</p>
bounds checking). It will also enable Debian to recompile entire
distributions quickly.
<p>
-The buildds admins of each arch can be contacted by the mail address
+The buildds admins of each arch can be contacted at the mail address
$arch@buildd.debian.org.
<sect1 id="packages-arch-specific">When your package is <em>not</em> portable
<p>
Some packages still have issues with building and/or working on some
of the architectures supported by Debian, and cannot be ported at all,
-or not with a reasonable amount of time. An example is a package that
+or not within a reasonable amount of time. An example is a package that
is SVGA-specific (only i386), or uses other hardware-specific features
not supported on all architectures.
<p>
package, it must be included in <file>packages-arch-specific</file>, a
list used by the <prgn>wanna-build</prgn> script.
The current version is available as
-<url id="http://cvs.debian.org/srcdep/Packages-arch-specific?rev=HEAD&cvsroot=dak&content-type=text/vnd.viewcvs-markup">;
+<url id="http://cvs.debian.org/srcdep/Packages-arch-specific?cvsroot=dak">;
please see the top of the file for whom to contact for changes.
</list>
<p>
A porter or any other person trying to build your package might
accidently upload it without noticing it doesn't work.
If in the past some binary packages were uploaded on unsupported architectures,
-request there removal by filing a bug against
+request their removal by filing a bug against
<package>ftp.debian.org</package>
See <ref id="buildd"> for some more information.
<p>
The main reason why NMUs are done is when a
-developer needs to fix another developer's packages in order to
+developer needs to fix another developer's package in order to
address serious problems or crippling bugs
or when the package maintainer is unable to release a fix
in a timely fashion.
However, aesthetic changes must <em>not</em> be made in a non-maintainer
upload.
<p>
-And please remember the Hippocratic Oath: "Above all, do no harm."
-It is better if a package has an grave bug open, than if a not working
-patch was applied, and the bug is only hidden now but not resolved.
+And please remember the Hippocratic Oath: "Above all, do no harm." It
+is better to leave a package with an open grave bug than applying a
+non-functional patch, or one that hides the bug instead of resolving
+it.
<sect1 id="nmu-guidelines">How to do a NMU
and accepted.
You should endeavor to reach the current maintainer of the package; they
might be just about to upload a fix for the problem, or have a better
-solution present.
+solution.
<p>
NMUs should be made to assist a package's maintainer in resolving bugs.
Maintainers should be thankful for that help, and NMUers should respect
for a package to enter testing is through unstable.
<p>
For the stable distribution, please take extra care. Of course, the release
-managers may also change the rules here. Please verify before upload that
+managers may also change the rules here. Please verify before you upload that
all your changes are OK for inclusion into the next stable release by the
release manager.
<p>
<sect1 id="nmu-changelog">
<heading>Source NMUs must have a new changelog entry</heading>
<p>
-A non-maintainer doing a source NMU must create a changelog entry,
+Anyone who is doing a source NMU must create a changelog entry,
describing which bugs are fixed by the NMU, and generally why the NMU
was required and what it fixed. The changelog entry will have the
-non-maintainer's email address in the log entry and the NMU version
-number in it.
+email address of the person who uploaded it in the log entry
+and the NMU version number in it.
<p>
By convention, source NMU changelog entries start with the line
<example>
architectures, then you do a source NMU as usual and you will have to
send a patch.
<p>
-If the source NMU (non-maintainer upload) fixes some existing bugs,
-these bugs should be tagged <em>fixed</em> in the Bug Tracking
-System rather than closed. By convention, only the official package
-maintainer or the original bug submitter close bugs.
-Fortunately, Debian's archive system recognizes NMUs and thus marks
-the bugs fixed in the NMU appropriately if the person doing the NMU
-has listed all bugs in the changelog with the <tt>Closes:
-bug#<var>nnnnn</var></tt> syntax (see <ref id="upload-bugfix"> for
-more information describing how to close bugs via the changelog).
-Tagging the bugs <em>fixed</em> ensures that everyone knows that the
-bug was fixed in an NMU; however the bug is left open until the
-changes in the NMU are incorporated officially into the package by
-the official package maintainer.
+Bugs fixed by source NMUs used to be tagged fixed instead of closed,
+but since version tracking is in place, such bugs are now also
+closed with the NMU version.
<p>
Also, after doing an NMU, you have to send
-that information to the existing bugs that are fixed by your NMU,
+the information to the existing bugs that are fixed by your NMU,
including the unified diff.
-Alternatively you can open a new bug and include a
+Historically, it was custom to open a new bug and include a
patch showing all the changes you have made.
The normal maintainer will either apply the patch or employ an alternate
method of fixing the problem. Sometimes bugs are fixed independently
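Review bot: The three-line replacement says bugs fixed by a source NMU are now "closed with the NMU version" but drops the only pointer to how that happens: the removed text named the Closes: bug#nnnnn changelog syntax and referred to upload-bugfix. Keep one sentence telling the person doing the NMU to list the bugs in the changelog, with the reference to upload-bugfix. In the next paragraph, "the information" has no clear antecedent now that the preceding paragraph is this short; say what has to be sent to the bug reports. "Historically, it was custom to open a new bug" also leaves open whether doing so is still acceptable or now discouraged.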
really fixes each problem that was fixed in the non-maintainer release.
<p>
In addition, the normal maintainer should <em>always</em> retain the
-entry in the changelog file documenting the non-maintainer upload.
+entry in the changelog file documenting the non-maintainer upload --
+and of course, also keep the changes.
+If you revert some of the changes,
+please reopen the relevant bug reports.
<sect1 id="nmu-build">Building source NMUs
<p>
Source NMU packages are built normally. Pick a distribution using the
same rules as found in <ref id="distribution">, follow the other
-prescriptions in <ref id="upload">.
+instructions in <ref id="upload">.
<p>
Make sure you do <em>not</em> change the value of the maintainer in
the <file>debian/control</file> file. Your name as given in the NMU entry of
<p>
In any case, you should not be upset by the NMU. An NMU is not a
personal attack against the maintainer. It is a proof that
-someone cares enough about the package and that they were willing to help
+someone cares enough about the package that they were willing to help
you in your work, so you should be thankful. You may also want to
ask them if they would be interested in helping you on a more frequent
basis as co-maintainer or backup maintainer
packages which haven't had their maintainer set correctly is available at
<url id="&url-debian-qa-orphaned;">. If you perform an NMU on an
improperly orphaned package, please set the maintainer to ``Debian QA Group
-<packages@qa.debian.org>''. Also, the bugs are closed in that case,
-and not only marked fixed.
+<packages@qa.debian.org>''.
<sect1 id="nmu-who">Who can do an NMU
<p>
-Only official, registered Debian maintainers can do binary or source
-NMUs. An official maintainer is someone who has their key in the
+Only official, registered Debian Developers can do binary or source
+NMUs. A Debian Developer is someone who has their key in the
Debian key ring. Non-developers, however, are encouraged to download
the source package and start hacking on it to fix problems; however,
rather than doing an NMU, they should just submit worthwhile patches
to the Bug Tracking System. Maintainers almost always appreciate
quality patches and bug reports.
- <sect1 id="nmu-katie">How dak detects NMUs
- <p>
-Whether an upload is treated as an NMU or as a maintainer upload by
-the archive scripts and the bugtracking system (see <ref
-id="nmu-patch">) is <em>not</em> decided by looking at the version
-number (see <ref id="nmu-version">). Instead, an upload is handled as
-an NMU if the maintainer address in the <tt>.changes</tt> file is not
-binary the same as the address in the <tt>Maintainer</tt> field, or
-any of the addresses the <tt>Uploaders</tt> field, of the <tt>dsc</tt>
-file, and also if the maintainer address is not special (i.e. it is
-not set to the QA Group address).
-
<sect1 id="nmu-terms">Terminology
<p>
There are two new terms used throughout this section: ``binary-only NMU''
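Review bot: Removing the "How dak detects NMUs" section deletes the only statement in the visible text of what makes the archive scripts and the bug tracking system treat an upload as an NMU (the comparison of the .changes maintainer address with the Maintainer and Uploaders fields, explicitly not the version number). If that rule no longer matters because bugs are now closed by version, say so in one sentence in nmu-who or nmu-version; if it still applies, the section should stay. Also check the rest of the file for references to id nmu-katie, which would dangle after this change.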
source NMU rather than a binary-only NMU. As you can see, we don't
distinguish in terminology between porter NMUs and non-porter NMUs.
<p>
-Both classes of NMUs, source and binary-only, can be lumped by the
+Both classes of NMUs, source and binary-only, can be lumped under the
term ``NMU''. However, this often leads to confusion, since most
people think ``source NMU'' when they think ``NMU''. So it's best to
be careful: always use ``binary NMU'' or ``binNMU'' for binary-only
"Collaborative maintenance" is a term describing the sharing of Debian
package maintenance duties by several people. This collaboration is
almost always a good idea, since it generally results in higher quality and
-faster bug fix turnaround time. It is strongly recommended that
+faster bug fix turnaround times. It is strongly recommended that
packages with a priority of <tt>Standard</tt> or which are part of
the base set have co-maintainers.</p>
<p>
</item>
</list></p>
<p>
-Collaborative maintenance can often be further eased with the use of
+Collaborative maintenance can often be further eased by the use of
tools on Alioth (see <ref id="alioth">).
</sect>
Those delays may be doubled during a freeze, or testing transitions may be
switched off altogether;
<item>
-It must have fewer release-critical bugs than the version currently available
+It must have the same number or fewer release-critical bugs than the version currently available
in <em>testing</em>;
<item>
It must be available on all architectures on which it has previously
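Review bot: "the same number or fewer release-critical bugs than" does not parse, because "the same number" needs "of ... as" while "fewer" needs "than". Suggest "It must not have more release-critical bugs than the version currently available in testing", which states the relaxed criterion (an equal count is now allowed) with a single comparison.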
<item>
The packages on which it depends must either be available in <em>testing</em>
or they must be accepted into <em>testing</em> at the same time (and they will
-if they fulfill all the necessary criteria);
+be if they fulfill all the necessary criteria);
</list>
<p>
To find out whether a package is progressing into testing or not, see the
<p>
Sometimes, a package is removed to allow another package in: This happens
only to allow <em>another</em> package to go in if it's ready in every other
-sense. Suppose e.g. that <em>a</em> conflicts with the new version of
+sense. Suppose e.g. that <em>a</em> cannot be installed with the new version of
<em>b</em>; then <em>a</em> may be removed to allow <em>b</em> in.
<p>
Of course, there is another reason to remove a package from testing: It's
just too buggy (and having a single RC-bug is enough to be in this state).
+ <p>
+Furthermore, if a package has been removed from unstable,
+and no package in testing depends on it any more,
+then it will automatically be removed.
+
<sect2 id="circular">
<heading>circular dependencies</heading>
The packages are looked at to determine whether they are valid
candidates. This gives the "update excuses". The most common reasons
why a package is not considered are too young, RC-bugginess, and out of
-date on some arches. For this part, the release managers have hammers
-of any size to force britney to consider a package. (Also, the base
+date on some arches. For this part of britney,
+the release managers have hammers
+of various sizes to force britney to consider a package. (Also, the base
freeze is coded in that part of britney.) (There is a similar thing
for binary-only updates, but this is not described here. If you're
interested in that, please peruse the code.)
<p>
Now, the more complex part happens: Britney tries to update testing with
the valid candidates; first, each package alone, and then larger and even
-larger sets of packages together. Each try is accepted if unstable is not
+larger sets of packages together. Each try is accepted if testing is not
more uninstallable after the update than before. (Before and after this part,
some hints are processed; but as only release masters can hint, this is
probably not so important for you.)
<sect1 id="helper-scripts">Helper scripts
<p>
The rationale for using helper scripts in <file>debian/rules</file> is
-that lets maintainers use and share common logic among many packages.
+that they let maintainers use and share common logic among many packages.
Take for instance the question of installing menu entries: you need to
-put the file into <file>/usr/lib/menu</file>, and add commands to the
+put the file into <file>/usr/lib/menu</file> (or
+<file>/usr/lib/menu</file> for executable binary menufiles, if this is needed),
+and add commands to the
maintainer scripts to register and unregister the menu entries. Since
this is a very common thing for packages to do, why should each
maintainer rewrite all this on their own, sometimes with bugs? Also,
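Review bot: The added parenthetical names the same directory as the main clause: "put the file into /usr/lib/menu (or /usr/lib/menu for executable binary menufiles, if this is needed)". As written the sentence offers no alternative, so one of the two paths must be wrong; correct whichever one should differ. "menufiles" would also read better as "menu files".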
patches. See the package <package>dbs</package> for more information and
<package>hello-dbs</package> for an example.
<p>
-<prgn>dpatch</prgn> also provides these facilities, but it's intented to be
+<prgn>dpatch</prgn> also provides these facilities, but it's intended to be
even easier to use. See the package <package>dpatch</package> for
documentation and examples (in <file>/usr/share/doc/dpatch</file>).
A single source package will often build several binary packages,
either to provide several flavors of the same software (e.g.,
the <package>vim</package> source package) or to make several small
-packages instead of a big one (e.g., if the user can install only the
+packages instead of a big one (e.g., so the user can install only the
subset needed, and thus save some disk space).
<p>
The second case can be easily managed in <file>debian/rules</file>.
the package manager (e.g., "this is the client for the foo server")?
<p>
Be careful to avoid spelling and grammar mistakes. Ensure that you
-spell-check it. <prgn>ispell</prgn> has a special <tt>-g</tt> option
-for <file>debian/control</file> files:
+spell-check it. Both <prgn>ispell</prgn> and <prgn>aspell</prgn>
+have special modes for checking <file>debian/control</file> files:
<example>ispell -d american -g debian/control</example>
+<example>aspell -d en -D -c debian/control</example>
<p>
Users usually expect these questions to be answered in the package
description:
<file>debian/control</file> field understood by <prgn>dpkg</prgn> and
<tt>&packages-host;</tt>. If you don't want to bother migrating the
home page from the description to this field, you should probably wait
-until that is available.</p>
+until that is available.
+ Please make sure that this line matches the regular expression
+ <tt>/^ Homepage: [^ ]*$/</tt>,
+ as this allows <file>packages.debian.org</file> to parse it correctly.</p>
</sect1>
</sect>
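Review bot: The regular expression /^ Homepage: [^ ]*$/ accepts an empty value, because [^ ]* matches zero characters, so a line with nothing after "Homepage: " passes the stated check; [^ ]+ would require at least one character. The class also excludes only the space character, so a tab inside the value is accepted. Separately, packages.debian.org is marked up as <file> here, while earlier in the same paragraph the host is written <tt>&packages-host;</tt>; use that form for consistency.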
tracking system.
<p>
It is an old tradition to acknowledge bugs fixed in non-maintainer
-uploads in the first changelog entry of the proper maintainer upload,
-for instance, in a changelog entry like this:
-<example>
- * Maintainer upload, closes: #42345, #44484, #42444.
-</example>
-This will close the NMU bugs tagged "fixed" when the package makes
-it into the archive. The bug for the fact that an NMU was done can be
-closed the same way. Of course, it's also perfectly acceptable to
-close NMU-fixed bugs by other means; see <ref id="bug-answering">.
+uploads in the first changelog entry of the proper maintainer upload.
+As we have version tracking now,
+it is enough to keep the NMUed changelog entries and
+just mention this fact in your own changelog entry.
</sect1>
<sect1 id="bpp-changelog-errors">
<heading>Common errors in changelog entries</heading>
<p>
-The following examples demonstrate some common errors or example of
+The following examples demonstrate some common errors or examples of
bad style in changelog entries.
<p>
this problem, though.
</sect>
- <sect id="bpp-debian-security-audit">
- <heading>Best practices for security review and design</heading>
-
-<p>When you are packaging software for other users you should make a
-best effort to ensure that the installation of the software, or its
-use, does not introduce security risks to either the system it is
-installed on or its users.</p>
-
-<p>You should make your best to review the source code of the package and
-detect issues that might introduce security bugs. The programming bugs
-which lead to security bugs typically include: <url
-id="http://en.wikipedia.org/wiki/Buffer_overflow" name="buffer
-overflows">, <url
-id="http://en.wikipedia.org/wiki/Cross_site_scripting" name="format
-string overflows">, <url
-id="http://en.wikipedia.org/wiki/Cross_site_scripting" name="heap
-overflows"> and <url
-id="http://en.wikipedia.org/wiki/Cross_site_scripting" name="integer
-overflows"> (in C/C++ programs), temporary <url
-id="http://en.wikipedia.org/wiki/Symlink_race" name="symlink race
-conditions"> (in scripts), <url
-id="http://en.wikipedia.org/wiki/Directory_traversal" name="directory
-traversal"> and command injection (in servers) and <url
-id="http://en.wikipedia.org/wiki/Cross_site_scripting"
-name="cross-site scripting">, and <url
-id="http://en.wikipedia.org/wiki/Cross_site_scripting" name="SQL
-injection bugs"> (in the case of web-oriented applications).</p>
-
-<p>Some of these issues might not be easy to spot unless you are an
-expert in the programming language the program uses, but some security
-problems are easy to detect and fix. For example, finding temporary
-race conditions in the source code can easily be done by running
-<tt>grep -r "/tmp/" .</tt> in the source code replace
-hardcoded filenames using temporary directories to calls to either
-<prgn>mktemp</prgn> or <prgn>tempfile</prgn> in shell
-scripts, <manref name="File::Temp" section="3perl"> in Perl scripts,
-and <manref name="tmpfile" section="3"> in C/C++. You can also use
-<url id="http://www.debian.org/security/audit/tools" name="specific
-tools"> to assist to the security code review phase.</p>
-
-<p>When packaging software make sure that:
-
-<list>
-
-<item>The software runs with the minimum privileges it needs:
-
-<list>
-<item>The package does install binaries setuid or setgid.
-<prgn>Lintian</prgn> will warn of <url id="
-http://lintian.debian.org/reports/Tsetuid-binary.html" name="setuid">,
-<url id="http://lintian.debian.org/reports/Tsetgid-binary.html"
-name="setgid"> and <url
-id="http://lintian.debian.org/reports/Tsetuid-gid-binary.html"
-name="setuid and setgid"> binaries.
-
-<item>The daemons the package provide run with a
-low privilege user (see <ref id="bpp-lower-privs">)
-
-</list>
-
-<item>Programmed (i.e., <prgn>cron</prgn>) tasks running in the
-system do NOT run as root or, if they do, do not implement complex
-tasks.
-
-</list>
-
-<p>If you have to do any of the above make sure the programs that
-might run with higher privileges have been audited for security
-bugs. If you are unsure, or need help, contact the <url
-id="http://www.debian.org/security/audit/" name="Debian Security Audit
-team">. In the case of setuid/setgid binaries, follow the Debian
-policy section regarding
-<url id="http://www.debian.org/doc/debian-policy/ch-files.html#s10.9"
-name="permissions and owners">
-</p>
-
-<p>For more information, specific to secure programming, make sure you
-read (or point your upstream to) <url
-id="http://www.dwheeler.com/secure-programs/" name="Secure Programming
-for Linux and Unix HOWTO"> and the <url
-id="https://buildsecurityin.us-cert.gov/portal/" name="Build Security
-In"> portal. For more information specific to Debian security you can
-read the <url
-id="http://www.debian.org/doc/manuals/securing-debian-howto/"
-name="Debian Security Manual">
-</p>
-
-<!-- This should be explained here until #291177 gets fixed and this is
- added to poliy -->
-
- <sect1 id="bpp-lower-privs">
- <heading>System users and groups for software daemons
-
-<p>If your software runs a daemon that does not need root privileges,
-you need to create a user for it. There are two kind of Debian users
-that can be used by packages: static uids (assigned by
-<package>base-passwd</package>) and dynamic uids in the range assigned
-to system users.
-
-<p>In the first case, you need to ask for a user or group id to the
-<package>base-passwd</package>, and a proper versioned depends to the
-<package>base-passwd</package> package that provides the user.
-
-<p>In the second case, you need to create the system user through maintainer
-scripts. <url id="http://www.debian.org/doc/debian-policy/ch-files.html#s10.9"
-name="policy"> requires you discuss an appropiate user and group name on
-<emv>debian-devel</em> and make sure it is unique and does not overlap
-with other packages.
-
-<p>Running programs with a user with limited privileges makes sure
-that any security issue with the program makes limited damaged to the
-system and follows the principle of <em>least privilege</em> you can
-limit privileges in programs through other mechanisms besides running
-as non-root. Fore more information, read the <url
-id="http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/minimize-privileges.html"
-name="Minimize Privileges"> chapter of the <em>Secure Programming for
-Linux and Unix HOWTO</em> book.
-
- <sect2 id="bpp-create-sysuser">
- <heading>Creating system users and groups
-
-<p>If you want to create system groups on package installatino you
-need to create it in either the <em>preinst</em> or in the <em>postinst</em>
-and have the package depend on <tt>adduser (>= 3.11)</tt>.
-
-<p>The following example code creates the user and group the daemon
-will run as when the package is installed or upgraded:
-
-<example>
-[...]
-case "$1" in
- install|upgrade)
-
- # If the package has default file it could be sourced, so that
- # the local admin can overwrite the defaults
- # Notice that the package could handle this defaults through
- # debconf so that the local admin could select a different
- # user name for the system user than the one hardcoded in the
- # package
-
- [ -f "/etc/default/<var>packagename</var>" ] && . /etc/default/<var>packagename</var>
-
-
- # Sane defaults:
-
- [ -z "$SERVER_HOME" ] && SERVER_HOME=<var>server_dir</var>
- [ -z "$SERVER_USER" ] && SERVER_USER=<var>server_user</var>
- [ -z "$SERVER_NAME" ] && SERVER_NAME="<var>Server description</var>"
- [ -z "$SERVER_GROUP" ] && SERVER_GROUP=<var>server_group</var>
-
- # Groups that the user will be added to, if undefined, then none.
- # Some daemons might need additional privileges and those can be
- # granted by adding it to additional groups.
- ADDGROUP=""
-
-
- # create user to avoid running server as root
- # 1. create group if not existing
- if ! getent group | grep -q "^$SERVER_GROUP:" ; then
- echo -n "Adding group $SERVER_GROUP.."
- addgroup --quiet --system $SERVER_GROUP 2>/dev/null ||true
- echo "..done"
- fi
- # 2. create homedir if it does not exist
- test -d $SERVER_HOME || mkdir $SERVER_HOME
- # 3. create user if it does not exist
- if ! getent passwd | grep -q "^$SERVER_USER:"; then
- echo -n "Adding system user $SERVER_USER.."
- adduser --quiet \
- --system \
- --ingroup $SERVER_GROUP \
- --no-create-home \
- --disabled-password \
- $SERVER_USER 2>/dev/null || true
- echo "..done"
- # 4. adjust passwd entry, only do this if the package
- # creates the user
- usermod -c "$SERVER_NAME" \
- -d $SERVER_HOME \
- -g $SERVER_GROUP \
- $SERVER_USER
- else
- # The package might want to check if the user already exists
- # and it is *not* a system user, in this case it should abort
- # the installation (like in this example) or ask the administrator
- # since otherwrise it might have unexpected consequences.
- # Some packages try to prevent collision by using a prefix such as 'Debian-'
- for LINE in `grep SYSTEM_UID /etc/adduser.conf | grep -v "^#"`; do
- case $LINE in
- FIRST_SYSTEM_UID*)
- FIST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`
- ;;
- LAST_SYSTEM_UID*)
- LAST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`
- ;;
- *)
- ;;
- esac
- done
- # Abort package installation if the user has not been created by
- # us.
- if [ -n "$FIST_SYSTEM_UID" ] && [ -n "$LAST_SYSTEM_UID" ]; then
- if USERID=`getent passwd $SERVER_USER | cut -f 3 -d ':'`; then
- if [ -n "$USERID" ]; then
- if [ "$FIST_SYSTEM_UID" -le "$USERID" ] && \
- [ "$USERID" -le "$LAST_SYSTEM_UID" ]; then
- echo "The user $SERVER_USER already exists as a non system user!" >&2
- echo "Aborting package installation" >&2
- exit 1
- fi
- fi
- fi
- fi
- fi
-
- # 5. adjust file and directory permissions
- # The example below sets the server home as 750 as it
- # contains (hypothetically) sensible information.
- if ! dpkg-statoverride --list $SERVER_HOME >/dev/null
- then
- chown -R $SERVER_USER:adm $SERVER_HOME
- chmod u=rwx,g=rxs,o= $SERVER_HOME
- fi
- # 6. Add the user to the ADDGROUP group
- if test -n $ADDGROUP
- then
- if ! groups $SERVER_USER | grep -q $ADDGROUP; then
- adduser $SERVER_USER $ADDGROUP
- fi
- fi
- ;;
- configure)
-
-[...]
-</example>
-
- <sect2 id="bpp-using-sysuser">
- <heading>Using system users
-
-<p>In order to make use of the system user you have to make sure that the
-init.d script file:
-
-<list>
-<item>Starts the daemon dropping privileges, if the software does not
-do the <manref name="setuid" section="2"> or <manref name="seteuid"
-section="2"> call itself, you can use the <tt>--chuid</tt>
-call of <prgn>start-stop-daemon</prgn>.
-
-<item>Stops the daemon only if the user id matches, you can use the
-<prgn>start-stop-daemon</prgn> <tt>--user</tt> option
-for this.
-
-<item>Does not run if either the user or the group do not exist:
-<example>
- if getent passwd | grep -q "^<var>server_user</var>:"; then
- echo "Server user does not exist. Aborting" >&2
- exit 1
- fi
- if getent group | grep -q "^<var>server_group</var>:" ; then
- echo "Server group does not exist. Aborting" >&2
- exit 1
- fi
-</example>
-
-</list>
-
-<p>File ownerships of files shipped by the package will need to be adjusted:
-
-<list>
-<item>Configuration files should be readable by the system user, if they
-contain sensitive information the system user should not own them unless there
-is a need for it to write to its own configuration files. Typically this means
-that the configuration files are owned by group, belong to the group of the
-system user and are mode 0640.
-
-<item>The system user if it generates state files (such as pidfiles) should
-have a directory under <tt>/var/run</tt> owned by it. This directory should be
-recreated by the init.d script since the state directory might be wiped out
-after a system boot.
-
-<item>If the daemon logs directly to <tt>/var/log</tt> logfiles should be
-writable by the system user but, once rotated, they should not be either owned
-or writable by it to prevent it from overwritting old log entries if a security
-vulnerability in the software were to be used. If the daemon logs to a
-directory under <tt>/var/log/</tt> then it should be owned by the system user
-and rotated log files need not be changed ownership.
-
-</list>
-
- <sect2 id="bpp-removing-sysuser">
- <heading>Removing system users
-
-<p>If the package creates the system user it can remove it when it is
-purged in its <em>postrm</em> script. This currently <em>not</em> recommended
-since it has a few known
-<footnote>
-Some relevant threads discussing these issues include:
-<url
-id="http://lists.debian.org/debian-mentors/2004/10/msg00338.html">,
-<url id="http://lists.debian.org/debian-devel/2004/05/msg01156.html">
-and
-<url id="http://lists.debian.org/debian-devel/2005/10/msg00988.html">.
-</footnote>
-drawbacks. For example, files created by the daemon (or by an admin
-impersonating it) either on the local filesystem or in backup files will be
-orphaned and might be taken over by a new system user in the future if it is
-assigned the same uid. On the other hand, an unused local system user can be
-used to access even if the account has been locked (as some authentication
-systems might not use PAM or shadow authentication).
-
-<p>If you want to remove a system user and there is a possibility of it
-leaving orphaned files, the administrator should be asked for the preferred
-action either when the package is installed or when it is removed (see <ref
-id="debconf">).
-
-<p>The following example code removes the user and groups created
-before only, and only if, the uid is in the range of dynamic assigned system
-uids and the gid is belongs to a system group:
-
-<example>
-case "$1" in
- purge)
-[...]
- # find first and last SYSTEM_UID numbers
- if [ -r /etc/adduser.conf ] ; then
- for LINE in `grep SYSTEM_UID /etc/adduser.conf | grep -v "^#"`; do
- case $LINE in
- FIRST_SYSTEM_UID*)
- FIST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`
- ;;
- LAST_SYSTEM_UID*)
- LAST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`
- ;;
- *)
- ;;
- esac
- done
- else
- # Sane defaults
- FIRST_SYSTEM_UID=100
- LAST_SYSTEM_UID=499
- fi
- # Remove system account if it is a system user
- CREATEDUSER="<var>server_user</var>"
- if [ -n "$FIST_SYSTEM_UID" ] && [ -n "$LAST_SYSTEM_UID" ]; then
- if USERID=`getent passwd $CREATEDUSER | cut -f 3 -d ':'`; then
- if [ -n "$USERID" ]; then
- if [ "$FIST_SYSTEM_UID" -le "$USERID" ] && \
- [ "$USERID" -le "$LAST_SYSTEM_UID" ]; then
- echo -n "Removing $CREATEDUSER system user.."
- deluser --quiet $CREATEDUSER || true
- echo "..done"
- fi
- fi
- fi
- fi
- # Remove system group if is a system group
- CREATEDGROUP=<var>server_group</var>
- if [ -r /etc/adduser.conf ] ; then
- FIRST_USER_GID=`grep ^USERS_GID /etc/adduser.conf | cut -f2 -d '='`
- else
- # Sane defaults
- FIRST_USER_GID=1000
- fi
- if [ -n "$FIST_USER_GID" ] then
- if GROUPGID=`getent group $CREATEDGROUP | cut -f 3 -d ':'`; then
- if [ -n "$GROUPGID" ]; then
- if [ "$FIST_USER_GID" -gt "$GROUPGID" ]; then
- echo -n "Removing $CREATEDGROUP group.."
- delgroup --only-if-empty $CREATEDGROUP || true
- echo "..done"
- fi
- fi
- fi
- fi
-[...]
-</example>
-
-<p>Other possibilities, are to make sure the account is locked (has an invalid
-password and <em>/bin/false</em> as a shell) and modify the GECOS field
-pointing out that the account is no longer used.
-
-</sect1>
-
-</sect>
<sect id="bpp-config-mgmt">
<heading>Configuration management with <package>debconf</package></heading>
<p>
These guidelines include some writing style and typography
recommendations, general considerations about debconf usage as well as
-more specific recommendations for some parts of the distribution (for
-instance, the installation system).
+more specific recommendations for some parts of the distribution (the
+installation system for instance).
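Review bot: the removed block takes out a closing </sect1> and </sect> together with <sect2 id="bpp-removing-sysuser">, but only the sect2 opener is visible among the removed lines, so please confirm the matching openers are removed elsewhere in the patch and that no <ref id="bpp-removing-sysuser"> is left pointing at the deleted id. The removal also drops the only guidance here on ownership of rotated log files and on orphaned files or uid reuse after a system user is deleted. If that text has moved to another document, the commit message should say where. If it is gone for good, a short pointer to the replacement advice would help maintainers who create system users.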
<sect1>Do not abuse debconf
<p>
Avoid changing templates too often. Changing templates text induces
more work to translators which will get their translation "fuzzied". If
you plan changes to your original templates, please contact
-translators. Most active translators are very reactive and getting
+translators. Most active translators are very responsive and getting
their work included along with your modified templates will save you
additional uploads. If you use gettext-based templates, the
translator's name and e-mail addresses are mentioned in the po files
<sect2>Be gender neutral
<p>
The world is made of men and women. Please use gender-neutral
-constructions in your writing. This is not Political Correctness, this
-is showing respect to all humanity.
+constructions in your writing.
<sect1>Templates fields definition
<sect3>boolean:
<p>
-A true/false choice. Remember: true/false, NOT YES/NO...
+A true/false choice. Remember: true/false, <strong>not yes/no</strong>...
<sect3>select:
<p>
<sect3>error:
<p>
-<strong>THIS TEMPLATE TYPE IS NOT HANDLED BY DEBCONF YET.</strong>
- <p>
-It has been added to cdebconf, the C version of debconf, first used in
-the Debian Installer.
- <p>
-Please do not use it unless debconf supports it.
- <p>
-This type is designed to handle error message. It is mostly similar to
+This type is designed to handle error messages. It is mostly similar to
the "note" type. Frontends may present it differently (for instance,
the dialog frontend of cdebconf draws a red screen instead of the
usual blue one).
+ <p>
+It is recommended to use this type for any message that needs user
+attention for a correction of any kind.
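Review bot: the new recommendation to use the "error" type gives no minimum debconf version, while the removed paragraphs said that debconf (as opposed to cdebconf) did not handle the type at all. Maintainers whose packages must still install against an older debconf need to know where the cut-off is. Suggest naming the first debconf version that supports it, or pointing to the debconf-devel manual page for the details.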
<sect2>Description: short and extended description
<p>
-Templates descriptions have two parts: short and extended. The short
+Template descriptions have two parts: short and extended. The short
description is in the "Description:" line of the template.
<p>
The short description should be kept short (50 characters or so) so
should be kept short for improved readability. Do not mix two ideas
in the same paragraph but rather use another paragraph.
<p>
-Don't be too verbose. Some debconf interfaces cannot deal very well
-with descriptions of more than about 20 lines, so try to keep it below
-this limit.
+Don't be too verbose. User tend to ignore too long screens.
+20 lines are by experience a border you shouldn't cross,
+because that means that in the classical dialog interface,
+people will need to scroll, and lot of people just don't do that.
<p>
For specific rules depending on templates type (string, boolean,
etc.), please read below.
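Review bot: the added paragraph on verbosity has grammar slips that will end up in the published text: "User tend to ignore too long screens" should be "Users tend to ignore overly long screens", and "lot of people" should be "a lot of people". "20 lines are by experience a border you shouldn't cross" would read better as "Experience shows that 20 lines is a limit you shouldn't cross".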
<sect3>String/password templates
<p>
<list>
-<item> The short description is a prompt and NOT a title. Avoid
+<item> The short description is a prompt and <strong>not</strong> a title. Avoid
question style prompts ("IP Address?") in favour of
"opened" prompts ("IP address:").
The use of colons is recommended.
question is rather long (remember that translations are often longer
than original versions)
-<item> The extended description should NOT include a question.
+<item> The extended description should <strong>not</strong> include a question.
<item> Again, please avoid referring to specific interface widgets. A common
mistake for such templates is "if you answer Yes"-type
<sect3>Select/Multiselect
<p>
<list>
-<item> The short description is a prompt and NOT a title. Do NOT use useless
+<item> The short description is a prompt and <strong>not</strong> a title.
+ Do <strong>not</strong> use useless
"Please choose..." constructions. Users are clever enough to figure
out they have to choose something...:)
<item> The extended description is what will be displayed as a more detailed
explanation of the note. Phrases, no terse writing style.
-<item> DO NOT ABUSE DEBCONF. Notes are the most common way to abuse
+<item> <strong>Do not abuse debconf.</strong>
+ Notes are the most common way to abuse
debconf. As written in debconf-devel manual page: it's best to use them
only for warning about very serious problems. The NEWS.Debian or
README.Debian files are the appropriate location for a lot of notes.
Do NOT use empty default field. If you don't want to use default
values, do not use Default at all.
<p>
-If you use po-debconf (and you SHOULD, see 2.2), consider making this
+If you use po-debconf (and you <strong>should</strong>, see 2.2), consider making this
field translatable, if you think it may be translated.
<p>
If the default value may vary depending on language/country (for
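Review bot: the emphasis cleanup in this hunk is incomplete: "Do NOT use empty default field" three lines above the changed line still uses capitals, while the rest of the patch converts these to <strong>. The changed line also keeps the hard-coded "see 2.2", which goes stale whenever sections are renumbered. A <ref id="..."> to the po-debconf section would be more robust.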
<p>
Policy specifies that documentation should be shipped in HTML format.
We also recommend shipping documentation in PDF and plain text format if
-convenient and quality output is possible. However, it is generally
+convenient and if output of reasonable quality is possible. However, it is generally
not appropriate to ship plain text versions of documentation whose source
format is HTML.</p>
<p>
There are two kinds of original source tarballs: Pristine source
and repackaged upstream source.
</p>
- <sect2 id="pristine source">
+ <sect2 id="pristinesource">
<heading>Pristine source</heading>
<p>
The defining characteristic of a pristine source tarball is that the
distributed by the upstream author.
<footnote>
We cannot prevent upstream authors from changing the tarball
-they distribute without also upping the version number, so
+they distribute without also incrementing the version number, so
there can be no guarantee that a pristine tarball is identical
to what upstream <em>currently</em> distributing at any point in
time. All that can be expected is that it is identical to
It unpacks the tarball in an empty temporary directory by doing
<example>
-zcat path/to/<packagename>_<upstream-version>.orig.tar.gz | tar xf - +</example>
+zcat path/to/<packagename>_<upstream-version>.orig.tar.gz | tar xf -
+</example>
</item>
<item>
If, after this, the temporary directory contains nothing but one
</enumlist>
</p>
</sect2>
- <sect2 id="repackaged origtargz">
+ <sect2 id="repackagedorigtargz">
<heading>Repackaged upstream source</heading>
<p>
You <strong>should</strong> upload packages with a pristine source
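Review bot: renaming the ids "pristine source" and "repackaged origtargz" to "pristinesource" and "repackagedorigtargz" breaks any existing <ref id="..."> that uses the old spelling, and no updated reference is visible in these hunks. Please grep the document and its translations for the old ids and update them in the same commit.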
<strong>should</strong> use
<tt><packagename>-<upstream-version>.orig</tt> as the name
of the top-level directory in its tarball. This makes it possible to
-distinguish pristine tarballs from repackaged ones. + </item>
+distinguish pristine tarballs from repackaged ones.
+ </item>
<item>
<strong>should</strong> be gzipped with maximal compression.
</item>
The file should have a name that makes it clear which binary file it
encodes. Usually, some postfix indicating the encoding should be
appended to the original filename.
+Note that you don't need to depend on <package>sharutils</package> to get
+the <prgn>uudecode</prgn> program if you use <prgn>perl</prgn>'s
+<tt>pack</tt> function.
+The code could look like
+<example>
+uuencode-file:
+ perl -ne 'print(pack "u", $$_);' $(file) > $(file).uuencoded
+
+uudecode-file:
+ perl -ne 'print(unpack "u", $$_);' $(file).uuencoded > $(file)
+</example>
</footnote>.
The file would then be decoded and copied to its place during the
build process. Thus the change will be visible quite easy.
</p>
</sect2>
</sect1>
+ <sect1 id="bpp-dbg">
+ <heading>Best practices for debug packages</heading>
+ <p>
+A debug package is a package with a name ending in "-dbg", that contains
+additional information that gdb can use. Since Debian binaries are
+stripped by default, debugging information, including function names and
+line numbers, is otherwise not available when running gdb on Debian binaries.
+Debug packages allow users who need this additional debugging information to
+install it, without bloating a regular system with the information.
+ <p>
+It is up to a package's maintainer whether to create a debug package or
+not. Maintainers are encouraged to create debug packages for library
+packages, since this can aid in debugging many programs linked to a
+library. In general, debug packages do not need to be added for all
+programs; doing so would bloat the archive. But if a maintainer finds
+that users often need a debugging version of a program, it can be
+worthwhile to make a debug package for it. Programs that are core
+infrastructure, such as apache and the X server are also good candidates
+for debug packages.
+ <p>
+Some debug packages may contain an entire special debugging build of a
+library or other binary, but most of them can save space and build time
+by instead containing separated debugging symbols that gdb can find and
+load on the fly when debugging a program or library. The convention in
+Debian is to keep these symbols in <file>/usr/lib/debug/<em>path</em></file>,
+where <em>path</em> is the path to the executable or library. For example,
+debugging symbols for <file>/usr/bin/foo</file> go in
+<file>/usr/lib/debug/usr/bin/foo</file>, and
+debugging symbols for <file>/usr/lib/libfoo.so.1</file> go in
+<file>/usr/lib/debug/usr/lib/libfoo.so.1</file>.
+ <p>
+The debugging symbols can be extracted from an object file using
+"objcopy --only-keep-debug". Then the object file can be stripped, and
+"objcopy --add-gnu-debuglink" used to specify the path to the debugging
+symbol file. <manref name="objcopy" section="1"> explains in detail how this
+works.
+ <p>
+The dh_strip command in debhelper supports creating debug packages, and
+can take care of using objcopy to separate out the debugging symbols for
+you. If your package uses debhelper, all you need to do is call
+"dh_strip --dbg-package=libfoo-dbg", and add an entry to debian/control
+for the debug package.
+ <p>
+Note that the Debian package should depend on the package that it
+provides debugging symbols for, and this dependency should be versioned.
+For example:
+
+<example>
+Depends: libfoo-dbg (= ${binary:Version})
+</example>
</sect>
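Review bot: the closing example of the new bpp-dbg section points the dependency the wrong way. The sentence says the debug package should depend on the package it provides symbols for, but "Depends: libfoo-dbg (= ${binary:Version})" is a dependency on the -dbg package itself. In the libfoo-dbg stanza it should read "Depends: libfoo (= ${binary:Version})", and "the Debian package" in the sentence before it should be "the debug package". Separately, in the footnote addition, pack "u" emits bare uuencoded lines without the begin/end header, so the resulting file is not interchangeable with uudecode from sharutils. It is worth stating that a file encoded this way must be decoded with the matching perl target.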
will help prevent a situation in which several maintainers start
filing the same bug report simultaneously.
<p>
+Please use the programms <prgn>dd-list</prgn> and
+if appropriate <prgn>whodepends</prgn>
+(from the package devscripts)
+to generate a list of all affected packages, and include the
+output in your mail to &email-debian-devel;.
+ <p>
Note that when sending lots of bugs on the same subject, you should
send the bug report to <email>maintonly@&bugs-host;</email> so
that the bug report is not forwarded to the bug distribution mailing
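Review bot: typo in the first added line, "programms" should be "programs". The parenthetical "(from the package devscripts)" would also be more consistent with the rest of the document as "(from the <package>devscripts</package> package)".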
<p>
You may also be interested in contacting the persons who are
subscribed to a given source package via <ref id="pkg-tracking-system">.
-You can do so by using the <tt><package-name>@&pts-host;</tt>
+You can do so by using the <tt><package>@&pts-host;</tt>
email address.
<!-- FIXME: moo@packages.d.o is easily confused with moo@packages.qa.d.o -->
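Review bot: the new placeholder in the changed <tt> line is spelled <package>, which is also the element this document uses for package names (for example <package>debconf</package>), and here it has no closing tag. If this is literal markup rather than an escaped &lt;package&gt;, the SGML will not validate. Keeping a placeholder that is not an element name, or writing <var>package</var>, avoids the ambiguity.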
it is also possible that they just need a reminder.
<p>
There is a simple system (the MIA database) in which information about
-maintainers who are deemed Missing In Action are recorded. When a member of the
+maintainers who are deemed Missing In Action is recorded.
+When a member of the
QA group contacts an inactive maintainer or finds more information about
one, this is recorded in the MIA database. This system is available
in /org/qa.debian.org/mia on the host qa.debian.org, and can be queried
-with a tool known as <prgn>mia-history</prgn>. By default,
-<prgn>mia-history</prgn> shows information about every person it knows
-about, but it accepts regular expressions as arguments which it uses to
-match user names. <example>mia-history --help</example> shows which
-arguments are accepted. If you find that no information has been recorded
-about an inactive maintainer already, or that you can add more information,
+with a tool known as <prgn>mia-query</prgn>.
+Use <example>mia-query --help</example> to see how to query the database.
+If you find that no information has been recorded
+about an inactive maintainer yet, or that you can add more information,
you should generally proceed as follows.
<p>
-The first step is to politely contact the maintainer, and wait for a
-response for a reasonable time. It is quite hard to define "reasonable
+The first step is to politely contact the maintainer,
+and wait a reasonable time for a response.
+It is quite hard to define "reasonable
time", but it is important to take into account that real life is sometimes
very hectic. One way to handle this would be to send a reminder after two
weeks.
<list>
<item>The "echelon" information available through the
<url id="&url-debian-db;" name="developers' LDAP database">,
- which indicates when the developer last has posted to
+ which indicates when the developer last posted to
a Debian mailing list. (This includes uploads via
debian-*-changes lists.) Also, remember to check whether the
maintainer is marked as "on vacation" in the database.
non-Debian mailing lists or news groups.
</list>
<p>
-One big problem are packages which were sponsored — the maintainer is not
+A bit of a problem are packages which were sponsored — the maintainer is not
an official Debian developer. The echelon information is not available for
sponsored people, for example, so you need to find and contact the Debian
developer who has actually uploaded the package. Given that they signed the
-package, they're responsible for the upload anyhow, and should know what
+package, they're responsible for the upload anyhow, and are likely to know what
happened to the person they sponsored.
<p>
It is also allowed to post a query to &email-debian-devel;, asking if anyone
is aware of the whereabouts of the missing maintainer.
+Please Cc: the person in question.
<p>
-Once you have gathered all of this, you can contact &email-debian-qa;.
-People on this alias will use the information you provided in order to
+Once you have gathered all of this, you can contact &email-mia;.
+People on this alias will use the information you provide in order to
decide how to proceed. For example, they might orphan one or all of the
-packages of the maintainer. If a packages has been NMUed, they might prefer
+packages of the maintainer. If a package has been NMUed, they might prefer
to contact the NMUer before orphaning the package — perhaps the person who
has done the NMU is interested in the package.
<p>
One last word: please remember to be polite. We are all volunteers and
cannot dedicate all of our time to Debian. Also, you are not aware of the
circumstances of the person who is involved. Perhaps they might be
-seriously ill or might even had died — you do not know who may be on the
+seriously ill or might even have died — you do not know who may be on the
receiving side. Imagine how a relative will feel if they read the e-mail
-of the deceased and find a very impolite, angry and accusing message!)
+of the deceased and find a very impolite, angry and accusing message!
<p>
On the other hand, although we are volunteers, we do have a responsibility.
So you can stress the importance of the greater good — if a maintainer does
not have the time or interest anymore, they should "let go" and give the
package to someone with more time.
+ <p>
+If you are interested in working in the MIA team, please have a look at the
+README file in /org/qa.debian.org/mia on qa.debian.org where the technical
+details and the MIA procedures are documented and contact &email-mia;.
<sect id="newmaint">
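Review bot: &email-mia; is introduced in two added lines ("you can contact &email-mia;" and "documented and contact &email-mia;") but its definition is not part of the visible changes. Please make sure the entity is added to the shared entity file in the same commit, otherwise the build fails on an undefined entity. Minor wording in the same hunk: "A bit of a problem are packages which were sponsored" has a subject/verb mismatch; "Sponsored packages are a bit of a problem" reads correctly.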
are available from the Central Debian translation statistics site.
<p>
For general documentation about Debian, the process is more or less the same
-than for the web pages (the translators have access to the CVS), but there are
+as for the web pages (the translators have access to the CVS), but there are
no statistics pages.
<p>
For package-specific documentation (man pages, info documents, other formats),
avoid the chaos resulting in having several versions of the same document in
bug reports.
<p>
-The best solution is to fill a regular bug containing the translation against
+The best solution is to file a regular bug containing the translation against
the package. Make sure to use the 'PATCH' tag, and to not use a severity higher
than 'wishlist', since the lack of translation never prevented a program from
running.
<list>
<item>
As a maintainer, never edit the translations in any way (even to reformat the
-layout) without asking to the corresponding l10n mailing list. You risk for
-example to break the encoding of the file by doing so. Moreover, what you
-consider as an error can be right (or even needed) in the given language.
+layout) without asking on the corresponding l10n mailing list. You risk for
+example breaksing the encoding of the file by doing so. Moreover, what you
+consider an error can be right (or even needed) in the given language.
<item>
As a translator, if you find an error in the original text, make sure to report
it. Translators are often the most attentive readers of a given text, and if
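Review bot: the rewritten sentence introduces a typo, "breaksing" should be "breaking". The word order "You risk for example breaksing the encoding" is also awkward; "For example, you risk breaking the encoding of the file by doing so" keeps the meaning and reads cleanly.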
<package>debhelper</package>.
<p>
The consensus is that <package>debmake</package> is now deprecated in
-favor of <package>debhelper</package>. However, it's not a bug to use
-<package>debmake</package>.
+favor of <package>debhelper</package>. It is a bug to use
+<package>debmake</package> in new packages. New packages using
+<package>debmake</package> will be rejected from the archive.
</sect1>
<sect1 id="dh-make">