== Development ==
<div class="thumb tright"><div class="thumbinner" style="width: 25ex;">
{| style="margin: 0 auto 1ex auto"
| style="width: 5ex" |
| style="width: 1ex" |
| style="width: 5ex" |
| style="width: 4ex" |
|-
| align="center" colspan="3" style="border: 1px solid" | upstream
|
|-
|
| style="font-size: larger" | ↓
| align="left" colspan="2" | packaging
|-
| align="center" colspan="3" style="border: 1px solid" | package
|
|-
|
| style="font-size: larger" | ↓
| align="left" colspan="2" | upload
|-
| align="center" colspan="3" style="border: 1px solid" | incoming
|
|-
|
| style="font-size: larger" | ↓
| align="left" colspan="2" | checks
|-
| align="center" colspan="3" style="background-color: #333; border: 1px solid #000; color: #fff" | unstable
|
|-
|
| style="font-size: larger" | ↓
| align="left" colspan="2" | migration
|-
| align="center" colspan="3" style="background-color: #333; border: 1px solid #000; color: #fff" | testing
|
|-
|
| style="font-size: larger" | ↓
| align="left" colspan="2" | freeze
|-
| align="center" colspan="3" style="background-color: #999; border: 1px solid #000; color: #fff" | frozen
|
|-
|
| style="font-size: larger" | ↓
| align="left" colspan="2" | release
|-
| align="center" colspan="3" style="background-color: #333; border: 1px solid #000; color: #fff" | stable
|
|-
|}
<div class="thumbcaption">Flowchart of the life cycle of a Debian package</div></div></div>

Each software package has a ''maintainer'' that may be either one person or a team of Debian developers and non-developer maintainers.<ref>{{cite web |url = http://www.debian.org/doc/debian-policy/ch-binary.html |work = Debian Policy Manual |title = Chapter 3 – Binary packages |publisher = Debian |date = 2013-10-28 |access-date = 2014-07-19 |archive-date = August 4, 2011 |archive-url = https://web.archive.org/web/20110804225620/http://www.debian.org/doc/debian-policy/ch-binary.html |url-status = live }}</ref><ref>{{cite web |url = http://www.debian.org/vote/2007/vote_003
|year = 2007 |access-date = 2008-12-13 |title = General Resolution: Endorse the concept of Debian Maintainers |publisher = Debian |archive-date = December 7, 2008 |archive-url = https://web.archive.org/web/20081207054617/http://www.debian.org/vote/2007/vote_003 |url-status = live }}</ref> The maintainer keeps track of [[upstream (software development)|upstream]] releases, and ensures that the package coheres with the rest of the distribution and meets the standards of quality of Debian. Packages may include modifications introduced by Debian to achieve compliance with Debian Policy, even to fix non-Debian specific bugs, although coordination with upstream developers is advised.<ref name="developer-duties" />

The maintainer releases a new version by uploading the package to the "incoming" system, which verifies the integrity of the packages and their [[digital signature]]s. If the package is found to be valid, it is installed in the package archive into an area called the "pool" and distributed every day to hundreds of [[Web mirror|mirrors]] worldwide. As of April 5, 2025, there were a total of 379 Debian mirrors operating.<ref name="Debian Mirrors (worldwide)">{{cite web |url=https://www.debian.org/mirror/list |publisher=Debian |access-date=13 April 2025 |title = Debian Mirrors (worldwide)|archive-url=https://web.archive.org/web/20250405202336/https://www.debian.org/mirror/list |archive-date=April 5, 2025 }}</ref> The upload must be signed using [[OpenPGP]]-compatible software.<ref name="distributions" /> All Debian developers have individual [[Public-key cryptography|cryptographic key pairs]].<ref>{{cite web |url = http://www.debian.org/doc/manuals/developers-reference/new-maintainer.html#registering |access-date = 2010-10-09 |work = Debian Developer's Reference |title = Chapter 2.
Applying to Become a Maintainer |publisher = Debian |archive-date = September 23, 2020 |archive-url = https://web.archive.org/web/20200923124128/https://www.debian.org/doc/manuals/developers-reference/new-maintainer.html#registering |url-status = live }}</ref> Developers are responsible for any package they upload even if the packaging was prepared by another contributor.<ref>{{cite web |url = https://wiki.debian.org/DebianMentorsFaq?action=recall&rev=1#What.27s_a_sponsor.2C_why_do_I_want_one.2C_and_how_do_I_get_one.3F |title = DebianMentorsFaq |last = Costela |first = Leo |publisher = Debian Wiki |date = 2010-02-12 |access-date = 2014-10-17 |archive-date = October 21, 2014 |archive-url = https://web.archive.org/web/20141021063214/https://wiki.debian.org/DebianMentorsFaq?action=recall&rev=1#What.27s_a_sponsor.2C_why_do_I_want_one.2C_and_how_do_I_get_one.3F |url-status = live }}</ref>

Initially, an accepted package is only available in the ''unstable'' branch.<ref name="distributions" /> For a package to become a candidate for the next release, it must migrate to the ''Testing'' branch by meeting the following:<ref>{{cite web |url = http://www.debian.org/doc/manuals/developers-reference/pkgs.html#testing |access-date = 2008-10-31 |work = Debian Developer's Reference |title = Chapter 5. Managing Packages |publisher = Debian |archive-date = January 9, 2021 |archive-url = https://web.archive.org/web/20210109150517/https://www.debian.org/doc/manuals/developers-reference/pkgs.html#testing |url-status = live }}</ref>
* It has been in ''unstable'' for a certain length of time that depends on the urgency of the changes.
* It does not have "release-critical" bugs, except for the ones already present in ''Testing''. Release-critical bugs are those considered serious enough that they make the package unsuitable for release.
* There are no outdated versions in ''unstable'' for any release ports.
* The migration does not break any packages in ''Testing''.
* Its dependencies can be satisfied by packages already in ''Testing'' or by packages being migrated at the same time.
* The migration is not blocked by a freeze.

Thus, a release-critical bug in a new version of a shared library on which many packages depend may prevent those packages from entering ''Testing'', because the updated library must meet the requirements too.<ref>{{cite web |url = http://www.debian.org/devel/testing |access-date = 2008-11-24 |title = Debian 'testing' distribution |publisher = Debian |archive-date = November 20, 2008 |archive-url = https://web.archive.org/web/20081120222604/http://www.debian.org/devel/testing |url-status = live }}</ref> From the branch viewpoint, the migration process happens twice per day, keeping ''Testing'' in [[perpetual beta]].<ref name="distributions" />

Periodically, the release team publishes guidelines to the developers in order to prepare the release. A new release occurs after a freeze, when all important software is reasonably up-to-date in the ''Testing'' branch and any other significant issues are solved. At that time, all packages in the ''testing'' branch become the new ''stable'' branch.<ref name="distributions" /> Although freeze dates are time-based,<ref name="two-year-cycle" /> release dates are not; they are announced by the release managers a couple of weeks beforehand.<ref>{{cite mailing list |url = https://lists.debian.org/debian-devel-announce/2013/04/msg00006.html |title = FINAL release update |last = McGovern |first = Neil |mailing-list = debian-devel-announce |publisher = Debian |date = 2013-04-18 |access-date = 2014-07-20 |archive-date = July 17, 2014 |archive-url = https://web.archive.org/web/20140717000040/https://lists.debian.org/debian-devel-announce/2013/04/msg00006.html |url-status = live }}</ref>

A version of a package can belong to more than one branch, usually ''testing'' and ''unstable''.
It is possible for a package to keep the same version between stable releases and be part of ''oldstable'', ''stable'', ''testing'' and ''unstable'' at the same time.<ref>{{cite web |url = https://packages.debian.org/search?keywords=dict-bouvier |title = Package Search Results – dict-bouvier |publisher = Debian |access-date = 2014-06-04 |archive-date = June 6, 2014 |archive-url = https://web.archive.org/web/20140606233141/https://packages.debian.org/search?keywords=dict-bouvier |url-status = live }}</ref> Each branch can be seen as a collection of pointers into the package "pool" mentioned above.<ref name="distributions" />

One way to resolve the challenge of a release-critical bug in a new application version is the use of [[#Cross-distribution package manager|optional package managers]]. They allow software developers to use sandbox environments, while at the same time remaining in control of security.<ref name=":0" /><ref name=":1" /> Another benefit of a cross-distribution package manager is that it allows application developers to directly provide updates to users without going through distributions, and without having to package and test the application separately for each distribution.<ref>{{Cite web|last=Larsson|first=Alexander|title=Kick-starting the revolution 1.0 – Alexander Larsson|date=August 21, 2018 |url=https://blogs.gnome.org/alexl/2018/08/21/kick-starting-the-revolution-1-0/|url-status=live|archive-url=https://archive.today/20211219113521/https://blogs.gnome.org/alexl/2018/08/21/kick-starting-the-revolution-1-0/|archive-date=December 19, 2021|access-date=2021-12-19|language=en-US}}</ref>

=== Release cycle ===
A new ''stable'' branch of Debian gets released approximately every 2 years. It will receive official support for about 3 years with updates for major security or usability fixes.
Point releases become available every several months, as determined by the Stable Release Managers (SRM).<ref>{{cite web|title=Point Releases - Debian Wiki|url=https://wiki.debian.org/DebianReleases/PointReleases|access-date=2017-09-27|publisher=Debian Release Team|archive-date=September 25, 2019|archive-url=https://web.archive.org/web/20190925104409/https://wiki.debian.org/DebianReleases/PointReleases|url-status=live}}</ref>

Debian also launched its Long Term Support (LTS) project, starting with Debian 6 (Debian Squeeze). Each Debian release receives two years of extra security updates, provided by the LTS Team, after its End Of Life (EOL). However, no point releases will be made. Each Debian release can now receive 5 years of security support in total.<ref>{{cite web|url=https://wiki.debian.org/LTS|title=LTS - Debian Wiki|date=3 July 2018|work=Debian LTS Team|access-date=18 August 2018|archive-date=May 7, 2020|archive-url=https://web.archive.org/web/20200507040157/https://wiki.debian.org/LTS/|url-status=live}}</ref>

=== Security ===
The Debian project handles security through [[Full disclosure (computer security)|public disclosure]]. Debian security advisories are compatible with the [[Common Vulnerabilities and Exposures]] dictionary, are usually coordinated with other free software vendors and are published the same day a vulnerability is made public.<ref>{{cite web |url = http://www.debian.org/security/ |access-date = 2008-12-13 |title = Security Information |publisher = Debian |archive-date = October 31, 2012 |archive-url = https://web.archive.org/web/20121031073733/http://www.debian.org/security/ |url-status = live }}</ref><ref>{{cite web |url = https://cve.mitre.org/compatible/organizations.html#Software%20in%20the%20Public%20Interest,%20Inc.
|title = Organizations Participating |publisher = [[Mitre Corporation|MITRE]] |date = 2014-04-16 |access-date = 2014-06-05 |archive-date = May 26, 2014 |archive-url = https://web.archive.org/web/20140526085923/http://cve.mitre.org/compatible/organizations.html#Software%20in%20the%20Public%20Interest,%20Inc. |url-status = live }}</ref> There used to be a security audit project that focused on packages in the stable release looking for security bugs;<ref>{{cite web |url = http://www.debian.org/security/audit/ |title = Debian Security Audit Project |publisher = Debian |date = 2014-03-15 |access-date = 2014-06-04 |archive-date = June 6, 2014 |archive-url = https://web.archive.org/web/20140606223459/https://www.debian.org/security/audit/ |url-status = live }}</ref> Steve Kemp, who started the project, retired in 2011 but resumed his activities and applied to rejoin in 2014.<ref>{{cite web |url = http://www.steve.org.uk/Security/Advisories/ |title = Advisories |publisher = Steve Kemp |access-date = 2014-08-18 |archive-date = August 19, 2014 |archive-url = https://web.archive.org/web/20140819084841/http://www.steve.org.uk/Security/Advisories/ |url-status = live }}</ref><ref>{{cite web |url = https://nm.debian.org/public/person/skx |title = Steve Kemp |publisher = Debian |access-date = 2014-08-18 |archive-date = August 19, 2014 |archive-url = https://web.archive.org/web/20140819084712/https://nm.debian.org/public/person/skx |url-status = live }}</ref>

The ''stable'' branch is supported by the Debian security team; ''oldstable'' is supported for one year.<ref name="securityfaq">{{cite web |url = http://www.debian.org/security/faq |title = Debian security FAQ |date = 2007-02-28 |access-date = 2008-10-21 |publisher = Debian |archive-date = August 28, 2008 |archive-url = https://web.archive.org/web/20080828054249/http://www.debian.org./security/faq |url-status = live }}</ref> Although Squeeze is not officially supported, Debian is coordinating an effort to provide [[long-term support]] (LTS) until February 2016, five years after the initial release, but only for the IA-32 and x86-64 platforms.<ref>{{cite web |url = https://www.phoronix.com/scan.php?page=news_item&px=MTY2NzA |title = Debian To Maintain 6.0 Squeeze As An LTS Release |last = Larabel |first = Michael |author-link = Michael Larabel |publisher = [[Phoronix]] |date = 2014-04-18 |access-date = 2014-07-21 |archive-date = October 6, 2016 |archive-url = https://web.archive.org/web/20161006082828/https://www.phoronix.com/scan.php?page=news_item&px=MTY2NzA |url-status = live }}</ref> ''Testing'' is supported by the ''testing'' security team, but does not receive updates in as timely a manner as ''stable''.<ref>{{cite web |url = http://testing-security.debian.net |title = Debian testing security team |publisher = Debian |access-date = 2008-10-31 |url-status = dead |archive-url = https://web.archive.org/web/20081005233623/http://testing-security.debian.net/ |archive-date = October 5, 2008 |df = mdy }}</ref> ''Unstable''{{'}}s security is left for the package maintainers.<ref name="securityfaq" />

The Debian project offers documentation and tools to [[hardening (computing)|harden]] a Debian installation both manually and automatically.<ref>{{cite web |url = http://www.debian.org/doc/user-manuals#securing |access-date = 2008-12-13 |title = Securing Debian Manual |publisher = Debian |archive-date = January 28, 2021 |archive-url = https://web.archive.org/web/20210128190114/https://www.debian.org/doc/user-manuals#securing |url-status = live }}</ref> [[AppArmor]] support has been available and enabled by default since Buster.<ref>{{Cite web|url=https://www.debian.org/News/2019/20190706.en.html|title=Debian -- News -- Debian 10 "buster" released|website=www.debian.org|access-date=2019-07-08|archive-date=July 7, 2019|archive-url=https://web.archive.org/web/20190707151659/https://www.debian.org/News/2019/20190706.en.html|url-status=live}}</ref> Debian provides an optional hardening wrapper, and does
not harden all of its software by default using [[GNU Compiler Collection|gcc]] features such as [[Position-independent code|PIE]] and [[buffer overflow protection]], unlike operating systems such as [[OpenBSD]],<ref>{{cite web |url = http://d-sbd.alioth.debian.org/www/ |title = Debian Secure by Default |publisher = Debian: SbD |access-date = 2011-01-31 |archive-url = https://web.archive.org/web/20041103003535/http://d-sbd.alioth.debian.org/www/ |archive-date = November 3, 2004 |url-status = dead }}</ref> but tries to build as many packages as possible with hardening flags.<ref name="new-in-7">{{cite web |url = http://www.debian.org/releases/wheezy/i386/release-notes/ch-whats-new.html |work = Release Notes for Debian 7.0 (wheezy), 32-bit PC |title = Chapter 2. What's new in Debian 7.0 |publisher = Debian |access-date = 2014-05-27 |archive-date = June 6, 2014 |archive-url = https://web.archive.org/web/20140606220213/https://www.debian.org/releases/wheezy/i386/release-notes/ch-whats-new.html |url-status = live }}</ref>

In May 2008, a Debian developer discovered that the [[OpenSSL]] package distributed with Debian and derivatives such as [[Ubuntu]] made a variety of security keys vulnerable to a [[random number generator attack]], since only 32,767 different keys were generated.<ref>{{cite web |url = http://www.debian.org/security/2008/dsa-1571 |title = DSA-1571-1 openssl: predictable random number generator |date = 2008-05-13 |access-date = 2008-10-31 |publisher = Debian |archive-date = March 9, 2011 |archive-url = https://web.archive.org/web/20110309045023/http://www.debian.org/security/2008/dsa-1571 |url-status = live }}</ref><ref>{{cite web |url = http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166 |title = CVE-2008-0166 |access-date = 2014-07-21 |publisher = [[Mitre Corporation|MITRE]] |archive-date = July 14, 2014 |archive-url = https://web.archive.org/web/20140714005052/http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166 |url-status = live
}}</ref><ref name="garfinkel">{{cite magazine |url = https://www.technologyreview.com/2008/05/20/220474/alarming-open-source-security-holes/ |title = Alarming Open-Source Security Holes |last = Garfinkel |first = Simson |author-link = Simson Garfinkel |magazine = [[MIT Technology Review]] |date = 2008-05-20 |access-date = 2014-07-21 }}</ref> The security weakness was caused by changes made in 2006 by another Debian developer in response to memory debugger warnings.<ref name="garfinkel" /><ref>{{cite web |url = https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=363516 |title = valgrind-clean the RNG |publisher = Debian BTS |date = 2006-04-19 |access-date = 2014-06-21 |archive-date = August 6, 2014 |archive-url = https://web.archive.org/web/20140806025755/https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=363516 |url-status = live }}</ref> The complete resolution procedure was cumbersome because patching the security hole was not enough; it involved regenerating all affected keys and certificates.<ref>{{cite web |url = http://cseweb.ucsd.edu/~hovav/dist/debiankey.pdf |title = When Private Keys are Public: Results from the 2008 Debian OpenSSL Vulnerability |publisher = [[University of California, San Diego]] |year = 2009 |access-date = 2014-06-22 |archive-date = March 4, 2016 |archive-url = https://web.archive.org/web/20160304192449/http://cseweb.ucsd.edu/~hovav/dist/debiankey.pdf |url-status = live }}</ref>

Recent versions of Debian have focused more on safer defaults. Debian 10 had AppArmor enabled by default, and Debian 11 improved Secure Boot support and included persistent system journaling.
The project is also making all packages reproducible, which helps to ensure software integrity.<ref name="Introduction to Deep Learning VM"/>

=== Value ===
The cost of developing all of the packages included in Debian 5.0 Lenny (323 million lines of code) has been estimated to be about {{US$|8 billion|link=yes}}, using one method based on the [[COCOMO]] model.<ref name="measuring-lenny">Amor, J. J.; Robles, G.; González-Barahona, J. M.; Rivas, F.: [https://www.researchgate.net/profile/Jesus_Gonzalez-Barahona/publication/229014230_Measuring_Lenny_the_size_of_Debian_5.0/links/0deec5200b5b4b35e5000000.pdf Measuring Lenny: the size of Debian 5.0] {{Webarchive|url=https://web.archive.org/web/20210324060631/https://www.researchgate.net/profile/Jesus-Gonzalez-Barahona/publication/229014230_Measuring_Lenny_the_size_of_Debian_50/links/0deec5200b5b4b35e5000000/Measuring-Lenny-the-size-of-Debian-50.pdf |archive-url=https://web.archive.org/web/20210324060631/https://www.researchgate.net/profile/Jesus-Gonzalez-Barahona/publication/229014230_Measuring_Lenny_the_size_of_Debian_50/links/0deec5200b5b4b35e5000000/Measuring-Lenny-the-size-of-Debian-50.pdf |archive-date=2021-03-24 |url-status=live |date=March 24, 2021 }} ResearchGate</ref> {{As of|2024|5}}, Black Duck [[Open Hub]] estimated that the current [[codebase]] (74 million lines of code) would cost about {{US$|1.6 billion}} to develop, using a different method based on the same model.<ref>{{cite web |url = https://www.openhub.net/p/debian/estimated_cost |title = Estimated Cost |publisher = Black Duck [[Open Hub]] |access-date = 2024-05-03}}</ref><ref>{{cite web |url = https://packages.debian.org/stable/ohcount |title = Package: ohcount (3.0.0-8 and others) |publisher = Debian |access-date = 2024-05-03}}</ref>
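
Added example, not part of the original article and not Debian or OpenSSL code: a toy model of the 2008 OpenSSL weakness described in the Security section, showing why a generator limited to 32,767 outputs lets defenders enumerate every possible key into a blocklist, and why flagged keys stay flagged until they are regenerated. The key derivation, the function names, the sample inventory and the assumption that the only varying input was the process ID are illustrative.

```python
import hashlib
import os

# Assumption (not stated in the article): the only input that varied between
# runs of the flawed generator was the process ID, giving 32,767 values.
PID_VALUES = range(1, 32768)


def weak_keygen(pid: int, key_type: str) -> bytes:
    """Toy stand-in for the flawed generator: the key is a pure function of
    (key_type, pid), so each key type has at most 32,767 possible keys."""
    return hashlib.sha256(f"toy-weak|{key_type}|{pid}".encode()).digest()


def sound_keygen() -> bytes:
    """Key material drawn from the operating system's CSPRNG."""
    return os.urandom(32)


def fingerprint(key: bytes) -> str:
    """Short identifier for a key, as stored in the blocklist."""
    return hashlib.sha256(key).hexdigest()[:32]


def build_blocklist(key_type: str) -> frozenset:
    """Enumerate every key the weak generator can emit; keep fingerprints."""
    return frozenset(fingerprint(weak_keygen(pid, key_type)) for pid in PID_VALUES)


def audit(inventory: dict, blocklist: frozenset) -> list:
    """Return the names of keys whose fingerprint is on the blocklist."""
    return sorted(n for n, k in inventory.items() if fingerprint(k) in blocklist)


def remediate(inventory: dict, blocklist: frozenset) -> dict:
    """Replace every flagged key with freshly generated material."""
    flagged = set(audit(inventory, blocklist))
    return {n: (sound_keygen() if n in flagged else k) for n, k in inventory.items()}


def demo() -> dict:
    blocklist = build_blocklist("rsa")
    # Constructed inventory: two keys created while the flaw was present and
    # one created with a sound generator. Upgrading the package would change
    # none of these stored keys, which is why regeneration was required.
    inventory = {
        "web01-tls": weak_keygen(4211, "rsa"),
        "build-ssh": weak_keygen(31999, "rsa"),
        "db01-tls": sound_keygen(),
    }
    return {
        "blocklist_size": len(blocklist),
        "flagged_before": audit(inventory, blocklist),
        "flagged_after": audit(remediate(inventory, blocklist), blocklist),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
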