(I wrote this up for an internal work post, but I figure it’s worth sharing more publicly too.)
I spent last week at DebConf23, this years instance of the annual Debian conference, which was held in Kochi, India. As usual, DebConf provides a good reason to see a new part of the world; I’ve been going since 2004 (Porto Alegre, Brazil), and while I’ve missed a few (Mexico, Bosnia, and Switzerland) I’ve still managed to make it to instances on 5 continents.
This has absolutely nothing to do with work, so I went on my own time + dime, but I figured a brief write-up might prove of interest. I first installed Debian back in 1999 as a machine that was being co-located to operate as a web server / email host. I was attracted by the promise of easy online upgrades (or, at least, upgrades that could be performed without the need to be physically present at the machine, even if they naturally required a reboot at some point). It has mostly delivered on this over the years, and I’ve never found a compelling reason to move away. I became a Debian Developer in 2000. As a massively distributed volunteer project DebConf provides an opportunity to find out what’s happening in other areas of the project, catch up with team mates, and generally feel more involved and energised to work on Debian stuff. Also, by this point in time, a lot of Debian folk are good friends and it’s always nice to catch up with them.
On that point, I felt that this year the hallway track was not quite the same as usual. For a number of reasons (COVID, climate change, travel time, we’re all getting older) I think fewer core teams are achieving critical mass at DebConf - I was the only member physically present from 2 teams I’m involved in, and I’d have appreciated the opportunity to sit down with both of them for some in-person discussions. It also means it’s harder to use DebConf as a venue for advancing major changes; previously having all the decision makers in the same space for a week has meant it’s possible to iron out the major discussion points, smoothing remote implementation after the conference. I’m told the mini DebConfs are where it’s at for these sorts of meetings now, so perhaps I’ll try to attend at least one of those next year.
Of course, I also went to a bunch of talks. I have differing levels of comment about each of them, but I’ve written up some brief notes below about the ones I remember something about. The comment was made that we perhaps had a lower level of deep technical talks, which is perhaps true but I still think there were a number of high level technical talks that served to pique ones interest about the topic.
Finally, this DebConf was the first I’m aware of that was accompanied by tragedy; as part of the day trip Abraham Raji, a project member and member of the local team, was involved in a fatal accident.
Talks (videos not yet up for all, but should appear for most)
Not much to say here; welcome to DebConf!
Continuous Key-Signing Party introduction
I ended up running this, as Gunnar couldn’t make it. Debian makes heavy use of the OpenPGP web of trust (no mass ability to send out Yubikeys + perform appropriate levels of identity verification), so making sure we’re appropriately cross-signed, and linked to local conference organisers, is a dull but important part of the conference. We use a modified keysigning approach where identity verification + fingerprint confirmation happens over the course of the conference, so this session was just to explain how that works and confirm we were all working from the same fingerprint list.
State of Stateless - A Talk about Immutability and Reproducibility in Debian
Stateless OSes seem to be gaining popularity, so I went along to this to see if there was anything of note. It was interesting, but nothing earth shattering - very high level.
What’s missing so that Debian is finally reproducible?
Reproducible builds are something I’ve been keeping an eye on for a long time, and I continue to be impressed by the work folks are putting into this - both for Debian, and other projects. From a security standpoint reproducible builds provide confidence against trojaned builds, and from a developer standpoint knowing you can build reproducibly helps with not having to keep a whole bunch of binary artefacts around.
Hello from keyring-maint
In the distant past the process of getting your OpenPGP key into the Debian keyring (which is used to authenticate uploads + votes, amongst other things) was a clunky process that was often stalled. This hasn’t been the case for at least the past 10 years, but there’s still a residual piece of project memory that thinks keyring is a blocker. So as a team we say hi and talk about the fact we do monthly updates and generally are fairly responsive these days.
A declarative approach to Linux networking with Netplan
/etc/network/interfacesis a fairly basic (if powerful) mechanism for configuring network interfaces. NetworkManager is a better bet for dynamic hosts (i.e. clients), and
systemd-networkseems to be a good choice for servers (I’m gradually moving machines over to it). Netplan tries to provide a unified mechanism for configuring both with a single configuration language. A noble aim, but I don’t see a lot of benefit for anything I use - my NetworkManager hosts are highly dynamic (so no need to push shared config) and
/etc/network/interfaces) works just fine on the other hosts. I’m told Netplan has more use with more complicated setups, e.g. when OpenVSwitch is involved.
Quick peek at ZFS, A too good to be true file system and volume manager.
People who use ZFS rave about it. I’m naturally suspicious of any file system that doesn’t come as part of my mainline kernel. But, as a longtime cautious mdraid+lvm+ext4 user I appreciate that there have been advances in the file system space that maybe I should look at, and I’ve been trying out btrfs on more machines over the past couple of years. I can’t deny ZFS has a bunch of interesting features, but nothing I need/want that I can’t get from an mdraid+lvm+btrfs stack (in particular data checksumming + reflinks for dedupe were strong reasons to move to btrfs over ext4).
Bits from the DPL
Exactly what it says on the tin; some bits from the DPL.
Enrico is always worth hearing talk; Adulting was no exception. Main takeaway is that we need to avoid trying to run the project on martyrs and instead make sure we build a sustainable project. I’ve been trying really hard to accept I just don’t have time to take on additional responsibilities, no matter how interesting or relevant they might seem, so this resonated.
My life in git, after subversion, after CVS.
Putting all of your home directory in revision control. I’ve never made this leap; I’ve got some Ansible playbooks that push out my core pieces of configuration, which is held in git, but I don’t actually check this out directly on hosts I have accounts on. Interesting, but not for me.
EU Legislation BoF - Cyber Resilience Act, Product Liability Directive and CSAM Regulation
The CRA seems to be a piece of ill informed legislation that I’m going to have to find time to read properly. Discussion was a bit more alarmist than I personally feel is warranted, but it was a short session, had a bunch of folk in it, and even when I removed my mask it was hard to make myself understood.
What’s new in the Linux kernel (and what’s missing in Debian)
An update from Ben about new kernel features. I’m paying less attention to such things these days, so nice to get a quick overview of it all.
Intro to SecureDrop, a sort-of Linux distro
Actually based on Ubuntu, but lots of overlap with Debian as a result, and highly customised anyway. Notable, to me, for using OpenPGP as some of the backend crypto support. I managed to talk to Kunal separately about some of the pain points around that, which was an interesting discussion - they’re trying to move from GnuPG to Sequoia, primarily because of the much easier integration and lack of requirement for the more complicated GnuPG features that sometimes get in the way.
The Docker(.io) ecosystem in Debian
I hate Docker. I’m sure it’s fine if you accept it wants to take over the host machine entirely, but when I’ve played around with it that’s not been the case. This talk was more about the difficulty of trying to keep a fast moving upstream with lots of external dependencies properly up to date in a stable release. Vendoring the deps and trying to get a stable release exception seems like the least bad solution, but it’s a problem that affects a growing number of projects.
This was kinda of interesting, but I think I missed the piece about why more granular packaging wasn’t an option. The premise is you can take an existing
.deband “chisel” it into smaller components, which then helps separate out dependencies rather than pulling in as much as the original
.debwould. This was touted as being useful, in particular, for building targeted containers. Definitely appealing over custom built userspaces for containers, but in an ideal world I think we’d want the information in the main packaging and it becomes a lot of work.
Debian Contributors shake-up
Debian Contributors is a great site for massaging your ego around contributions to Debian; it’s also a useful point of reference from a data protection viewpoint in terms of information the project holds about contributors - everything is already public, but the Contributors website provides folk with an easy way to find their own information (with various configurable options about whether that’s made public or not). Tássia is working on improving the various data feeds into the site, but realistically this is the responsibility of every Debian service owner.
New Member BOF
I’m part of the teams that help get new folk into Debian - primarily as a member of the New Member Front Desk, but also as a mostly inactive Application Manager. It’s been a while since we did one of these sessions so the Front Desk/Debian Account Managers that were present did a panel session. Nothing earth shattering came out of it; like keyring-maint this is a team that has historically had problems, but is currently running smoothly.