In this issue:
+ Email notifications for git commits on git.debian.org
+ alioth.debian.org now exports project meta-data as RDF (using DOAP/ADMS.SW)
+ Animate the Debian microblogging accounts!
+ Cryptographic verification of upstream packages
+ State of the debian-keyring
The news are collected on http://wiki.debian.org/DeveloperNews
Please contribute short news about your work/plans/subproject.
Email notifications for git commits on git.debian.org
Many projects rely on the git-commit-notice script provided on
git.debian.org to send mail notifications of the activity of the git
repositories hosted there. Up to now, this script was based on (a very
old copy of) the “post-receive-email” contrib script from Git upstream. I
recently updated it and it’s now based on git-multimail which
generates more useful mails (with better subjects, with commit ordering
per push, with proper support of merge, etc.). I have tweaked the script
to auto-migrate the old git configuration settings so most of you
shouldn’t have anything to do but you might want to review/tweak the
generated configuration (multimailhook.* git config settings) and drop
the old one (hooks.* git config settings).
— Raphaël Hertzog
alioth.debian.org now exports project meta-data as RDF (using DOAP/ADMS.SW)
The alioth.debian.org forge now runs the ADMS.SW FusionForge plugin,
which publishes projects meta-data as RDF / Linked Data. Every project’s
homepage https://alioth.debian.org/projects/PROJNAME/ is then available
as RDF for harvesting robots (using proper content-type negotiation, for
instance : $ curl -k -H “Accept: text/turtle”
https://alioth.debian.org/projects/PROJNAME/). The two main ontologies
used are DOAP and ADMS.SW, rendering such meta-data compatible with
other project indexes (such as meta-data published by the PTS). Note
that due to the big number of hosted projects on Alioth (950+) some
package indexes can’t be exported as RDF yet. More details in ADMS.SW
plugin for FusionForge deployed on Alioth.
— Olivier Berger
Animate the Debian microblogging accounts!
The Debian publicity team is seeking help to re-animate the Debian
microblogging accounts. If you or your team are are looking for help,
working on something, did something interesting, are holding a Debian
related event or have something short and Debian-related to say, please
propose a short message on the team IRC channel. We also welcome folks
who want to watch Debian IRC/lists/forums/planets and propose short
messages. We will use deb.li for link shortening. Messages will be
posted to identica and in the future possibly propagated to other
microblogging systems and social networks. Help us tell the world about
the Debian community!
— Paul Wise
Cryptographic verification of upstream packages
As of devscripts 2.13.3, uscan now supports verifying cryptographic
signatures on upstream source via the pgpsigurlmangle option in
debian/watch. See uscan(1) for details and examples. If your upstream
provides cryptographic signatures, set up your workflow to verify them
automatically! If your upstream doesn’t provide cryptographic signatures,
nag them until they start doing so!
State of the debian-keyring
Were keyring-maint to drop all embarrassingly-weak keys from the keyring,
would the web of trust fall apart? Over 62% of the primary keys in the
Debian keyring on 20131213 were only 1024 bits large. Over 72% of UIDs
and user attributes were signed with a digest algorithm weaker than
SHA-2. See more statistics here.
ci.debian.net is a new service that runs test suites for all packages
uploaded to unstable. ci.debian.net is powered up by a tool called debci,
which will be uploaded to the official Archive soon. It’s still work
in progress, so a test suite failure there might be due to a problem with
the platform. When it comes to a production-ready state, it will be
properly announced on the debian-debian-announce mailing list. If you
want to help, the debci git repository has a TODO list.
— Antonio Terceiro