OK, so hello. So the talk today is actually called "Ask me anything about Debian", or for French-speaking persons, "demandez ce que vous voulez savoir sur Debian". I didn't prepare anything special. I just thought it would be a good idea if you have some time where people just can ask some random stuff. Of course, I'm not the ultimate Debian guru. Maybe some people know better if there's a specific question about Debian. People can know about that.

So just to introduce myself, my name is Emmanuel Kasper. I've been a Debian user for 10 years. And now I've been a Debian developer for one year. Maybe if you've seen the talk from Helen before, you saw they have different statuses of Debian developers. So I'm not myself doing Debian packaging. I'm doing ready-to-be-installed images with the Debian cloud team. So we are a bunch of people who are making ready-to-use Debian images for different cloud providers like Amazon, Microsoft Azure, and OpenStack. And myself, I'm working to make Debian ready images for Vagrant, which is a DevOps tool. This is what I'm doing in Debian. And so I'm not doing at the moment any packaging. But I hope I can start to do this again in the near future as soon as I have more time.

So just a question here, because the aim of the Open Day is for new persons in Debian who are not using Debian yet. So who here is using Debian on at least one of their computers? OK, most of these people. Actually, everybody here speaks English. I don't need to switch to French. But if you want to ask something in French, I can answer in French. So now what would you like to know about Debian? Up to you. Packaging, technical, why should I switch to Debian instead of another distribution? I think we have a question there. We will give you a microphone so everybody can hear you, including myself.

So I didn't get time to play with Debian 9. So it might be a simple question for some of you. But I know that ifconfig for interfaces is not a thing anymore.
Do you know why and what is the replacement for it?

Which package was interfaced?

ifconfig, to see interfaces.

So ifconfig has been replaced with the ip tools. Actually, I don't know the reason for that. I just know that it's a part of the general trend that we're moving from ifconfig and netstat to this new tool, which is now I don't think ifconfig was called in the package called net-tools, and it's not installed by default. So it's still available, but I don't think it's installed by default anymore. So for each program from net-tools, you have replacements in the ip tool package. So for instance, ifconfig is ip. For instance, for netstat, if you want to list your open sockets, you can replace that with ss. And for route, you can use ip route. I think each program more or less has a replacement. Actually, we ran into that problem because when doing cloud images, some packages were dependent on ifconfig, and we had to install the package because it was not installed by default.

Hi, Pascal. And I want to know the difference coming from Debian 8 to 9.

So as Helen said before, Debian is basically a software collection, which is made by extra people. You have the guys doing the Linux kernel. You have the guys doing the desktop interface GNOME. You have the guys doing the network stack like these ip tools. And basically, from Debian 8 to Debian 9, you will have from all of these things a new version. So it's difficult to know package for package what exactly is going to be inside the new version of Debian. But one thing which is nice is that for every package you had installed in Debian 8, for 95% of them, you will get the new version. So you always get up to date to the new versions. So for instance, when you start a Mac or a Windows laptop, each program starts at the same time its own installer and you get this full of pop-ups. Oh, I've got a new version of Java. I have a new version of OpenOffice.
I have a new version of Flash. Please install me, install me, install me. In Debian, everything is centralized. And when you make this Debian 8 to Debian 9, all packages get an update at the same time, which is also interesting on the desktop, but even more on the server because you are sure that no server package is left unattended. For instance, a lot of security problems happen. For instance, people installed a new version of WordPress that they downloaded from WordPress.org. Oh, it's fine. They have the latest version, but after six months, one year, two years, three years, five years, nobody updates this package. And this way you have a security problem. If you install the WordPress Debian package, first, you're sure that you have a security update which is backported. And it will always be taken care of in the next Debian upgrade. So everybody goes and everybody gets an upgrade. So you don't have some legacy software installed that nobody forgets. I think it's very important. Me, as a sysadmin, I always try whenever I can to install Debian packages because I'm sure I will have an upgrade path and it's not some package which is left unattended on the server. Does that answer your question?

Okay, so everybody's knowing everything about Debian.

Package to Debian.

It's a good question. I would say the answer, like any good question. Is it easy to publish a package to Debian? Yes or no. It depends. From the technical side, it's basically you have to know GNU make because the debian/rules which builds the make files is a makefile by itself. So you have a lot of tools which go on that but basically it's a set of makefiles. It helps if you know what GNU make is. So it's not for package, for instance, which software which has already released like classical or GNU software where you do configure, make, make install. It's very easy because a lot of tooling has been done in the last 20 years about this.
For instance, if you want to do some packaging like Node.js or Java, it's more complicated because you have a lot of small libraries and we want to do a package for all of this. Actually, it depends. You want to make a Debian package for yourself or to make a Debian package that you want to upload in Debian. So as I said.

It's to publish freely in all the Debian servers.

So it's dependent on how the upstream software is done. If it's an autoconf kind of software, it is very easy. Now, once you have the packaging done, the second step is you have to find someone inside Debian who is interested in your package. So there is a website which is called mentors where people propose their package until Debian developers say, okay, this looks interesting, the packaging is nice. I want to have this in Debian or not. For instance, my own experience, like three years ago, I made a package of a program which is called vmtouch, which is a program to manipulate the page cache of the system. I uploaded it to mentors, nobody was interested. The package is not in Debian, but the original bug, it was still in the bug tracking system. Now I've seen that six months ago, one Debian developer started to talk with the upstream author of vmtouch to make this into Debian. Again, the guy didn't have any time anymore. Now, one week ago, another Debian developer said to me, oh, I saw, I'm sorry, we didn't upload your vmtouch, but I want to have this in Debian, so please propose it again to Spencers, and I will put it into the archive. So, you know, it's just everybody's life. What you can say is Debian developers are most of the time very busy and doing a lot of stuff. So, a brand new package, depending on how interesting your software is, will get or will not get into Debian. Why? Because some people say during the time of healing, healing, it's sometimes better to start inside part of the team. But of course, it's better to learn from scratch.
You want to do your own package to see how everything works and.

When the package gets accepted, how do you update, how do you push updates into the Debian servers?

Hello. When you are not a Debian developer, for instance, I was before also a Debian maintainer. We had a common Git infrastructure where I had access on a Debian server, which is called Alioth. So, I was making my packaging here. And when the packaging was finished after a new upstream release, so I updated the changelog, some minor stuff pushing files around. And then I said to my mentor, who was the guy who had the right to put the package inside Debian. What was the name of this package? I forget. I wrote an email, hey, I have a new package release. Can you please upload? The guy had a look and then uploaded. And then after some, I say one year, he said, well, you're good enough. I don't want to do the work all the time. So now I'm granting you the status of Debian maintainer where you can upload yourself, by yourself, this package directly.

In your opinion, do you consider that there are some areas or teams in the Debian project that need more participants or currently need more activity to make Debian either now bigger or to improve some stuff that is not very well developed? In your opinion, which areas do you consider that need this?

Well, from what I know, I know some core teams, that people taking care of each server of the glibc are understaffed, but it's a very technical topic what they're doing. So I mean, for this, you really need to have studied computer science to help or to be very strong. But it's not the most, for instance, there was one guy who published a lot of real-time patches for the Linux kernel, who was by profession an anesthetist, so he was working in a hospital, doing anesthesia. And he wrote a lot of kernel code. But I think I know, for instance, these teams are a bit understaffed. Everybody happy? Yes?
Can you talk about the long-term support?

Yeah. So long-term support is an initiative which was thought to provide a security upgrade, a security update, sorry, for Debian packages besides the normal lifetime of a Debian release. So normally a Debian release comes, it's released when it's ready, so you cannot say how long, when will the next one come. But there is basically a security update for a Debian stable release for the whole lifetime of the release, plus one year. So at the end, it goes around three or four years, depending when the next release comes. So what this means, stable security updates, is that the Debian maintainers take care to add to each package you have installed, take care to have only the small security fix which is added to the package and downloaded to your computer workstation so you don't get a new version of the package. So for instance, Linux is now at version 4.12 or whatever, but Debian Jessie had version, a Debian Stretch had version 4.10, probably. But if there is, for instance, a bug which is discovered in the Debian kernel, it will only be fixed in the Linux kernel for the latest release. So the Debian developer takes this small fix and puts it back in the stable version that you have. So for instance, the idea is that each time you do apt-get update, you get a bug-free, security-free version of Apache or of OpenOffice without getting a new version where you have to update all your configuration files. So security updates. Now, enterprise Linux distributions like Red Hat, like so-called enterprise Linux distributions because Debian is also an enterprise Linux distribution, I use it in my company, have very long support cycles like seven years where for seven years, you will always have these security updates without having to install new versions of software.
And for very big organizations, you need to have this very long cycle because when you have thousands of servers, even making a major upgrade every three or four years is too much. So the thing is doing this security work is very tedious work and people don't like to do this always for free in their free time. So there is a sponsored initiative by a guy called Raphaël Hertzog that a couple of developers pool resources so we can have longer security updates for a Debian stable release. I think the aim is to make five years at least, but I don't have the exact numbers, but the idea is instead of having a stable system with security updates for between three or four years, you have that for a longer cycle. I'm not using it myself, but I think it works because they just do the same process that we do for Debian stable, they do it for older releases.

I'm going to speak French. I wanted to know because for a long time, we use Linux, it's been already 10, 15 years, but on the market, we still have Windows. Before, we didn't have smartphones, we use smartphones, but what is the future in 10, 20 years of Linux versus Windows? Are we going to continue to do small groups where it's going to be like a world of Linux 100% and Internet of Things, there are many things that happen, but Linux is always like that.

So the question was that it looks like Linux is always used in small groups and not mainstream again, how it will be in 15 or 20 years. In fact, we have the impression that Linux is the small groups, but in fact, in the world of the server, in the world of the smartphone, in the world of everything that is embedded, in fact, there is only Linux, the part of Windows is really minimal. The only thing is that all the markets that appeared in the 90s, 2000, everywhere it was in expansion, Linux took the place.
After that, on the workstation market, Windows is still dominant at 80, 90% because in fact, people mainly, there are quite a few pre-installed Linux, but in fact, in the world of the server, everything we hear, cloud and all that, it's just Linux. Amazon, it's just Linux. Google, it's just Linux. It's only on the workstation. In fact, most of the big companies that I know, I live in Austria, for example, they all have workstations on Windows, but the server is only Linux. After that, I think there is a reason in the big production environments, it's the Windows desktop. In fact, for example, it's quite easy to define policies at the level of the group, or for example, we can say, this computer will have the right to do that, it will have the right to connect this type of key, it will have access to this type of printer, it will have access to this type of program to be authorized to be launched. I think that maybe the Linux desktop is a bit late, so that's why we don't see it too much in the big developments, but for example, all the cash registers in Austria, in fact, all the cash registers, what we call the point of sale, it all runs under Linux, in fact. So it's rather Linux which is very much in the majority compared to Windows. Obviously, it's not what we see when we go, for example, in a big store, and we're not going to buy a laptop, we only see Windows or Mac, but it's a small part of computing.

If we take the security point of view, because all the hackers are on Windows, and Linux is still well protected, like it was before, is it not an argument to push Linux towards the world?

Yes, but it's not, indeed, it's not one, but it's not an argument that's enough. It's a question of habit, in fact, to go to Linux. In fact, when we have a user on the Windows desktop, it's like changing brand of mobile phone, in fact. It's like, for example, going from iPhone to Android. It's not more complicated than that.
After, when we have all these programs installed, when we have the habit of walking, there is a certain cost, it's a change of habit to do.

A few months after the Jessie release, I've heard about some guy that put a backdoor in the Chromium browser package. Is that true?

You mean after the Jessie release, so like three years ago? I didn't hear about this. I'm very skeptical. You mean the Chromium package, the Chromium source code, which was the upstream developer, or inside the Debian package, which is made from the code from Google?

Inside the Debian package directly. I don't know. I don't know if it's true, because I've heard that on Twitter and some media.

I don't know. Does anybody know about this? That's nice. Take your sources, take your sources. I mean, I don't believe it, frankly speaking. That's a good news. I know there have been some big security problems in Debian, for instance. One happened that the laptop of a developer was compromised and we knew because some stuff which was compromised was uploaded to the servers and we found it and we fixed it. And so we don't hide things. So, I don't know. I don't believe it. Just show me your source afterwards.

Also, I want to add that related to this, the reproducible builds are doing a great job precisely to avoid that kind of backdoors in the code or to copy exactly the code as the original source is. So, yes, it's very important that.

Have you heard about this Debian initiative called Reproducible Builds?

Nope.

The idea is that you can download the code which is used to make the Debian package. You rebuild it again and it's a binary identical bit by bit to the one which is on the Debian archive. So you can be sure that nothing was tampered with in between. This is an ongoing effort. Now 80% of the Debian packages are reproducible. So it means basically you have to take care that you don't have inside your package a changelog, for instance, with a timestamp of the build.
So I haven't, myself, used it again because I haven't found yet the end user, the documentation. Oh, I want to check that I can reproduce this package from the source code exactly how I downloaded it, but I know it's now 80% of the packages that are covered. There will be some talks about reproducible builds during Debian because it's a topic where a lot of people are working at the moment. Does someone else have another question? It could be even polemic if you want. You can start a polemic. We haven't talked about systemd yet. Ha, ha, ha.

Hi, can you give us some information about your work on images for cloud?

About the work I make for the cloud?

For the cloud, do you prepare images for Amazon?

So I'm inside the team which is making images for Amazon, which is called very originally Debian Cloud. So we try to agree about common tools and what should be inside a Debian image which is uploaded on the cloud for Amazon. The idea is that actually up to now a lot of Debian systems were installed with a Debian installer when you put your CD in next, next day, but now a lot more Debian systems are just, you log in to the website of some cloud provider and start this, and for the biggest, it is actually from some very big cloud providers like Azure and Amazon. They want to have the Debian stamp that it comes officially from Debian. It's good for us also because we are sure they're not putting in some packages, for instance, which are non-free or don't respect our policy or we disagree with technically. Currently, there is an ongoing work to switch, everybody started with their own way to build images. Me, I'm using some software which is called Packer. Some guys used bootstrap-vz, some guys used vmdebootstrap. Now, in the future, we want to use a software which is called FAI diskimage. The author of FAI diskimage is also at DebConf and will make an introduction.
So it's just like you run against, you run your manifest with the FAI diskimage program, you get a raw disk image, you sign this as a Debian developer and you upload that to the cloud provider. So me, I'm uploading to, it's not exactly a cloud provider because the images are online, but you run them on your own computer, which is called Vagrant, so on app.vagrantup.com. So people have some things they can trust. Then you use Vagrant, and for Docker, there are some official images. For the good questions, there are two Debian developers who are doing Docker images, but I don't think they are in the process of making them official. But if you go, for instance, to, as far as I remember, inside Docker itself, the two guys who are committing to the build infrastructure, which is creating the Debian Docker image, are two Debian developers, but we haven't been in a lot of contact with them, so you should trust them. It would be better if it would be an official cloud image built on the Debian infrastructure, but we are not there yet, for instance, simply because the whole Debian infrastructure is made so that you can build packages non-root. So, for instance, you don't have to be root on a Debian server to build a Debian package, but for this cloud image, you have to be root because you create device nodes and stuff like this, and the Debian infrastructure is not yet ready at the moment for this kind of work zone. That was the cloud image.

I have a question for you. I don't know about Debian, but I know there are a lot of developers. Are there people who know their way around networking? Because we would have questions about something in particular in Linux.

People who know their way around networking? I don't know the word.

It means... Networking.

Okay.

Virtualization.

Oh, yes. Well, yes. First, Debian Cloud, we all work in virtualization. After that, people inside Debian who package software that is connected to the network, they know their way around networking.
Okay, and are there people at the Debian conference who know about it? I mean, people in the room?

I don't know.

Okay, but in the end... Okay, I'm going to take the bullet. To make it short, basically, OVH, in their service, we... Well, I'm not going to go any further, but I'll come back to Debian right after. Basically, OVH works with IPv4 and then an IPv6 /64. Except that OVH in virtualization doesn't expect that we give IPv6 to containers, so we can use it ourselves. And in the end, they block the NDP and they don't give MAC address to the IPv4. Essentially, what we want to try to do is to make a proxy NDP of a host to the containers. And that's it. There's a package that is now in Debian 9, it's NDPD, except that it's extremely badly documented and then we take a chance, if I had someone in the room who would have already done that kind of proxy IPv6 NDP.

OK. I see a lot of problems. I don't know much about my work. I work for a company called Proxmox where we do virtualization. What exactly is the problem? I don't quite understand. The containers with IPv6, it's not internet?

That's it. We study Proxmox, and in the end, there's no problem giving IPv6 to nodes because it takes the MAC address. Except that if we don't give IPv4 to containers but just IPv6, they don't have a MAC address. So I know that a way with a proxy NDP is to make sure that the containers that have IPv6 use the MAC address of the nodes that are in the background. I know it's complicated as a problem. It's been two weeks.

It's a bit off topic, but I know that I have a colleague at Proxmox who is working on an IPv6 documentation. So in two weeks. We'll talk about that later. I'm working at Proxmox here. I'm working for a Debian-based virtualization solution which is called Proxmox. But most of my Debian work, I do it outside Proxmox. I would say 90% I do it on my own time and 10% in my Proxmox time.
What is the biggest problem that you consider actually in the Debian project, in the technical or in the social way? In your opinion, what could be the biggest problem for you nowadays?

Debian developers don't have enough time to do all the stuff they would like to do.

Okay, so I think we are reaching now slowly the end. For those people here who don't have Debian yet on their own computer, this afternoon we will have an install fest, which means we have a lot of USB sticks. I have some USB sticks here. And each of these USB sticks is a Debian installer and we will help you put Debian on your laptop and configure all the software you like. So it starts, I think, four o'clock. So half-past to the Debian install fest. So for people who don't have Debian on their computer, come, last question. Okay, thank you.