Debian components breach terms of GPLv2
You want source code with that?
Daniel Baumann, who maintains the Syslinux bootloader package for Debian, has said that some Debian components were being shipped only in binary form, without matching source code, and that the resulting mismatch between binaries and sources has caused problems for Apple Macintosh users.
"I don't want to blame individual persons," Baumann said. "This is just a note of how disappointed I am about some parts of Debian that are not complying with licenses when it comes to distributing software."
One problem concerns Debian CD, the toolkit used to build new Debian releases for publication. Baumann found the toolkit was using a binary copy of Syslinux embedded in the toolkit itself rather than the packaged version, with its source, from the official Debian archive. Another instance was the Sarge release, which shipped Syslinux 2.04 as a binary but Syslinux 2.11 as source.
Baumann also found that source code for some components was missing from last November's beta of KDE 4, although it has since been removed from the Debian Live CDs distribution list.
The problem of keeping the source and binary versions of Debian packages in step affected some Apple users last week when they tried to install the first beta of Lenny, the next Debian release. Some users found their keyboards freezing because the wrong binary-only build of Syslinux had been included. In this case the current archive version of Syslinux (3.71) did not work on those machines, while the earlier version (3.63) embedded in Debian Installer worked fine.
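The drift described above (a binary embedded in the installer or CD toolkit that no longer matches the source package in the archive) is cheap to catch mechanically. The following is an added example, not code from the article or from the Debian projects it describes: it pulls the version banner out of a Syslinux boot image the way strings(1) would and compares it with the upstream version in the source package's debian/changelog. The boot-image bytes and the changelog heads are constructed for the example; the banner layout ("SYSLINUX <version> <date>") and the changelog header layout are assumptions about the real artifacts.

```python
import re


def extract_embedded_version(blob):
    """Return the upstream version stamped into a Syslinux boot image, or None.

    Assumption: the image carries a printable banner 'SYSLINUX <version> <date>'.
    We scan printable runs (as strings(1) does) instead of trusting a fixed offset,
    because the banner moves between releases.
    """
    for run in re.finditer(rb"[\x20-\x7e]{6,}", blob):
        m = re.search(rb"\bSYSLINUX (\d+\.\d+)\b", run.group(0))
        if m:
            return m.group(1).decode()
    return None


def source_package_version(changelog):
    """Return the upstream version from the first debian/changelog stanza.

    Header layout: '<source> (<version>) <distribution>; urgency=<level>'.
    The version may carry an epoch ('2:') and a Debian revision ('-3'), and
    a '+dfsg' repack suffix before the revision; only the upstream part is
    comparable with what the binary reports.
    """
    head = changelog.lstrip().splitlines()[0]
    m = re.match(r"^\S+ \(([^)]+)\)", head)
    if not m:
        raise ValueError("not a debian/changelog header: %r" % head)
    version = m.group(1)
    if ":" in version:
        version = version.split(":", 1)[1]      # drop epoch
    upstream = version.rsplit("-", 1)[0]        # drop Debian revision (if any)
    return re.sub(r"\+dfsg.*$", "", upstream)   # drop repack suffix (if any)


def check_match(image, changelog):
    """(embedded version, archive upstream version, do they agree?)"""
    embedded = extract_embedded_version(image)
    archived = source_package_version(changelog)
    return embedded, archived, embedded == archived


# Constructed stand-ins for the real artifacts (not real Debian files).
# A few bytes of boot code, a NUL-terminated banner, then more code.
EMBEDDED_IMAGE = (b"\xfa\x31\xc0\x8e\xd8" + b"\x00" * 16
                  + b"SYSLINUX 3.63 2008-04-10\x00" + b"\xeb\xfe")

CHANGELOG_ARCHIVE = """syslinux (2:3.71+dfsg-3) unstable; urgency=low

  * New upstream release.

 -- Maintainer <maintainer@example.org>  Tue, 01 Jul 2008 00:00:00 +0000
"""

CHANGELOG_MATCHING = """syslinux (2:3.63+dfsg-2) unstable; urgency=low

  * Constructed stanza for the matching case.

 -- Maintainer <maintainer@example.org>  Tue, 01 Apr 2008 00:00:00 +0000
"""


if __name__ == "__main__":
    for name, log in (("archive", CHANGELOG_ARCHIVE), ("matching", CHANGELOG_MATCHING)):
        emb, src, ok = check_match(EMBEDDED_IMAGE, log)
        print("%-9s binary=%s source=%s %s" % (name, emb, src, "OK" if ok else "MISMATCH"))
```

Run against a real ldlinux.sys or isolinux.bin and the unpacked source package, a MISMATCH line is exactly the Sarge and debian-cd situation the article describes: a binary in the shipped product whose corresponding source is not the one in the archive.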
Baumann has acknowledged that the problem is most likely the result of the increasingly heavy workload faced by the Debian community and the growing popularity of Debian-based Linux distros.
"It appears that as good as our package checks are, we spend little to no time to check our resulting products made from these packages," Baumann said.
Debian "Lenny" great
I have been building Debian desktops for some years now, mostly in the range of betas and some alpha "SID" versions, such as "Lenny-sid". Sid is still in development; it's not an acronym, just that Sid was the kid who broke all of the toys :)
Lenny is still being finalized in preparation to be the next formal release... as it is, as it's always been, very good, and I have been using the net install versions for some time now... I think that if I needed source code it was always available with just a little looking. But since everything evolves real fast and often... I just go with the flow, so to speak.
The Debian community works real hard, and this is just par for the course.
No great scandal here... just life at the bazaar.
Looking for trying what ever follows the release of Lenny since I like to live near the cliff with a view of the future... fantastic system is Debian.
So get gentoo, if you're that paranoid
"How do we know these mismatched binaries don't include some sort of malware?"
So get gentoo (http://www.gentoo.org/) if you're that paranoid, and compile everything yourself. Of course, just compiling KDE or Gnome takes an afternoon, and OOo isn't much faster either. And generally, it's the choice for tough guys whose time is worth nothing, and who think the stone age and chipping your own flint spearhead was the golden age of user-friendliness.
But in the end, it boils down to trust. If you don't trust Debian's binaries as they are, why would you trust them with sources included? Just because both the source and the program say version 126.96.36.199 isn't some kind of foolproof guarantee that no one added a bit of malicious code without changing the version number.
Heck, even if you compile everything from scratch, if you use their compiler to start the whole thing, I'll kindly point out the ancient story of the compiler which would:
1. add a backdoor to the login handling when it recognized that piece of code, and
2. add a bit of extra code to handle 1 and 2 to its own code when compiling itself.
So you'd look at the sources of the compiler and see nothing wrong. The malicious bits were removed from the source after compiling the malicious executable, since they weren't needed any more: the "infected" compiler would add those bits anyway when compiling itself. Compile them with itself, and you get a bit more than the sources said you'd get.
How paranoid do you want to be there? Which starting point would you really trust, to start that cycle from?
Or you could just realize that the Debian guys probably have better fish to fry than pwning your computer to send viagra spam ;)
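The two-rule compiler described in the comment above, reduced to a toy you can run. This is an added example, not code from the page or from any real compiler: the "compiler" is a Python source-to-source function so the whole chain stays visible in memory, and the login program, the compiler sources and the trigger password "joshua" are all constructed for the demonstration. The point it makes is the one the comment makes: the clean compiler source contains no backdoor, yet rebuilding that source with an already-subverted compiler yields a subverted compiler again, which goes on backdooring login.

```python
"""Toy reconstruction of the 'trusting trust' compiler attack.

'Compiling' here is a function from source text to source text, and a
'binary' is just the text that gets exec'd. Everything below is constructed
for this example; nothing is taken from a real compiler.
"""

# An honest compiler: its output is its input.
CLEAN_COMPILER_SRC = '''\
def compile_src(src):
    return src
'''

# The program the attacker wants to subvert (constructed sample).
LOGIN_SRC = '''\
def check_password(user, password):
    return password == "s3cret"
'''

# The subverted compiler. T holds the template of this very source, so that
# rule 2 can emit a faithful copy of itself whenever a compiler is compiled.
# '%r' is filled with the template itself; '%%' becomes the runtime '%'.
EVIL_TEMPLATE = '''\
def compile_src(src):
    T = %r
    LOGIN_DEF = 'def check_password(user, password):\\n'
    BACKDOOR = LOGIN_DEF + '    if password == "joshua":\\n        return True\\n'
    if "def check_password" in src:          # rule 1: backdoor the login program
        src = src.replace(LOGIN_DEF, BACKDOOR, 1)
    if "def compile_src" in src:             # rule 2: re-infect any compiler being built
        src = T %% T
    return src
'''
EVIL_COMPILER_SRC = EVIL_TEMPLATE % EVIL_TEMPLATE


def load_compiler(compiler_src):
    """'Run' a compiler binary: exec its text and hand back compile_src()."""
    ns = {}
    exec(compiler_src, ns)
    return ns["compile_src"]


def build(compiler_src, target_src):
    """Compile target_src with the given compiler; returns the output 'binary'."""
    return load_compiler(compiler_src)(target_src)


def backdoor_works(login_src):
    """True if the compiled login accepts the attacker's password."""
    ns = {}
    exec(login_src, ns)
    return ns["check_password"]("root", "joshua")


def demo():
    # Honest toolchain: the login is what its source says it is.
    honest_login = build(CLEAN_COMPILER_SRC, LOGIN_SRC)
    # An auditor reads CLEAN_COMPILER_SRC and finds nothing wrong. But the
    # compiler that builds it was subverted once, and rule 2 carries the
    # payload forward into the rebuilt compiler...
    rebuilt = build(EVIL_COMPILER_SRC, CLEAN_COMPILER_SRC)
    # ...which keeps applying rule 1 to every login it compiles.
    poisoned_login = build(rebuilt, LOGIN_SRC)
    return {
        "clean_source_is_clean": "joshua" not in CLEAN_COMPILER_SRC,
        "honest_login_backdoored": backdoor_works(honest_login),
        "rebuilt_compiler_is_evil": rebuilt == EVIL_COMPILER_SRC,
        "poisoned_login_backdoored": backdoor_works(poisoned_login),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-28s %s" % (key, value))
```

The only way out of the loop the commenter asks about is to compare builds from more than one independent starting compiler (diverse double-compiling): a rule-2 payload can only reproduce itself through compilers it was written to recognize, so two different trusted roots that both rebuild the clean source to identical output are strong evidence neither carried it.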
Untidy, and GPL isn't the real problem
It's the way that, when sources are included, they don't match the binary.
How do we know these mismatched binaries don't include some sort of malware?