Debian (pronounced /ˈdɛbiən/) is a computer operating system composed of software packages released as free and open source software especially under the GNU General Public License and other free software licenses.
The primary form, Debian GNU/Linux, which uses the Linux kernel and GNU OS tools, is a popular and influential GNU/Linux distribution.
It is distributed with access to repositories containing thousands of software packages ready for installation and use. Debian is known for relatively strict adherence to the Unix and free software philosophies as well as using collaborative software development and testing processes.
Debian can be used as a desktop as well as server operating system. It focuses on stability and security and is used as a base for many other distributions.
The Debian Project is governed by the Debian Constitution and the Social Contract, which set out the governance structure of the project and explicitly state that the goal of the project is the development of a free operating system. Debian is developed by over one thousand volunteers from around the world and supported by donations through several non-profit organizations around the world. The most important of these is Software in the Public Interest, the owner of the Debian trademark and umbrella organization for various other community free software projects.
Thus, the Debian Project is an independent decentralized organization; it is not backed by a company like some other GNU/Linux distributions such as Ubuntu, openSUSE, Fedora, and Mandriva. The cost of developing all the packages included in Debian 4.0 etch (283 million lines of code), using the COCOMO model, has been estimated to be close to US$13 billion. As of April 2, 2009, Ohloh estimates that the codebase of the Debian GNU/Linux project (45 million lines of code), using the COCOMO model, would cost about US$819 million to develop.
Many distributions are based on Debian, including Ubuntu, MEPIS, Dreamlinux, Damn Small Linux, Xandros, Knoppix, BackTrack, Linspire, sidux, Kanotix, Parsix and LinEx, among others.
Debian is known for an abundance of options. The current stable release includes over twenty-five thousand software packages for twelve computer architectures. These architectures range from the Intel/AMD 32-bit/64-bit architectures commonly found in personal computers to the ARM architecture commonly found in embedded systems and the IBM eServer zSeries mainframes.
Prominent features of Debian are the APT package management system, repositories with large numbers of packages, strict policies regarding packages, and the high quality of releases. These practices allow easy upgrades between releases as well as automated installation and removal of packages.
The Debian standard install makes use of the GNOME desktop environment. It includes popular programs such as OpenOffice.org, Iceweasel (a rebranding of Firefox), Evolution mail, CD/DVD writing programs, music and video players, image viewers and editors, and PDF viewers. There are pre-built CD images for KDE, Xfce and LXDE as well. The remaining discs, which span five DVDs or over thirty CDs, contain all packages currently available and are not necessary for a standard install. Another install method is via a net install CD which is much smaller than a normal install CD/DVD. It contains only the bare essentials needed to start the installer and downloads the packages selected during installation via APT. These CD/DVD images can be freely obtained by web download, BitTorrent, jigdo or buying them from online retailers.
Software packages in development are either uploaded to the project distribution named unstable (also known as sid), or to the experimental repository. Software packages uploaded to unstable are normally versions stable enough to be released by the original upstream developer, but with the added Debian-specific packaging and other modifications introduced by Debian developers. These additions may be new and untested. Software not ready yet for the unstable distribution is typically placed in the experimental repository.
After a version of a software package has remained in unstable for a certain length of time (depending on the urgency of the software's changes), that package is automatically migrated to the testing distribution. The package's migration to testing occurs only if no serious (release-critical) bugs in the package are reported and if other software needed for package functionality qualifies for inclusion in testing.
Since updates to Debian software packages between official releases do not contain new features, some choose to use the testing and unstable distributions for their newer packages. However, these distributions are less tested than stable, and unstable does not receive timely security updates. In particular, incautious upgrades to working unstable packages can sometimes seriously break software functionality. Since September 9, 2005 the testing distribution's security updates have been provided by the testing security team.
After the packages in testing have matured and the goals for the next release are met, the testing distribution becomes the next stable release. The timing of the release is decided by the Release Managers, and in the past the exact date was rarely announced earlier than a couple of weeks beforehand; however, this is expected to change in 2010 to a release model where times are known in advance.
Each Debian software package has a maintainer who keeps track of releases by the "upstream" authors of the software and ensures that the package is compliant with Debian Policy, coheres with the rest of the distribution, and meets the standards of quality of Debian. In relations with users and other developers, the maintainer uses the bug tracking system to follow up on bug reports and fix bugs. Typically, there is only one maintainer for a single package, but increasingly small teams of developers "co-maintain" larger and more complex packages and groups of packages.
Periodically, a package maintainer makes a release of a package by uploading it to the "incoming" directory of the Debian package archive (or an "upload queue" which periodically batch-transmits packages to the incoming directory). Package uploads are automatically processed to ensure that they are well-formed (all the requisite files are in place) and that the package is digitally signed by a Debian developer using OpenPGP-compatible software. All Debian developers have public keys. Packages are signed to be able to reject uploads from hostile outsiders to the project, and to permit accountability in the event that a package contains a serious bug, a violation of policy, or malicious code.
If the package in incoming is found to be validly signed and well-formed, it is installed into an area of the archive called the "pool" and distributed every day to hundreds of mirrors worldwide. Initially, all package uploads accepted into the archive are only available in the "unstable" suite of packages, which contains the most up-to-date version of each package.
However, new code is also untried code, and those packages are only distributed with clear disclaimers. For packages to become candidates for the next "stable" release of the Debian distribution, they first need to be included in the "testing" suite. The requirements for a package to be included in "testing" are that it:
- Must have been in unstable for the appropriate length of time (the exact duration depends on the "urgency" of the upload).
- Must not have a greater number of "release-critical" bugs filed against it than the current version in testing. Release-critical bugs are those bugs which are considered serious enough that they make the package unsuitable for release.
- Must be compiled for all release architectures the package claims to support (for example, the i386-specific package gmod can be included in "testing").
- Must have all of its dependencies satisfiable either by packages already in testing or by the group of packages which are going to be installed at the same time.
- Must not, when installed into testing, break any packages currently in testing.
Thus, a release-critical bug in a package on which many packages depend, such as a shared library, may prevent many packages from entering the "testing" area, because that library is considered deficient.
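The five criteria above, and the way one release-critical bug in a library holds back its dependents, can be modelled as a fixed-point check. This is an added example, not Debian's own migration code; the package names, the sample data and the day thresholds per urgency are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed minimum days in unstable per urgency (illustrative; the page gives no numbers).
MIN_AGE_DAYS = {"low": 10, "medium": 5, "high": 2}

@dataclass
class Candidate:
    name: str
    urgency: str
    days_in_unstable: int
    rc_bugs: int                     # RC bugs open against the unstable version
    claimed_archs: frozenset
    built_archs: frozenset
    depends: frozenset = frozenset()
    breaks: frozenset = frozenset()  # testing packages this upload would break

def own_blockers(c, testing_rc_bugs):
    """Criteria 1-3: checks that need no knowledge of other candidates."""
    reasons = []
    if c.days_in_unstable < MIN_AGE_DAYS[c.urgency]:
        reasons.append("too young")
    # Assumption: a package absent from testing is compared against zero RC bugs.
    if c.rc_bugs > testing_rc_bugs.get(c.name, 0):
        reasons.append("more RC bugs than testing")
    if c.claimed_archs - c.built_archs:
        reasons.append("not built on every claimed architecture")
    return reasons

def migrate(candidates, testing_pkgs, testing_rc_bugs):
    """Return sorted names of candidates that can enter testing together."""
    group = {c.name: c for c in candidates if not own_blockers(c, testing_rc_bugs)}
    changed = True
    while changed:  # criteria 4-5: drop packages until the group is self-consistent
        changed = False
        for name, c in list(group.items()):
            available = testing_pkgs | set(group)
            if not c.depends <= available or (c.breaks & testing_pkgs) - set(group):
                del group[name]
                changed = True
    return sorted(group)

# Constructed sample data (package names are hypothetical).
ARCHS = frozenset({"i386", "amd64"})
TESTING = {"libc6", "oldtool"}
CANDIDATES = [
    Candidate("libfoo2", "low", 12, 1, ARCHS, ARCHS),                        # RC bug
    Candidate("app-a", "low", 12, 0, ARCHS, ARCHS, frozenset({"libfoo2"})),  # needs libfoo2
    Candidate("libbar1", "medium", 6, 0, ARCHS, ARCHS, frozenset({"libc6"})),
    Candidate("app-d", "low", 11, 0, ARCHS, ARCHS, frozenset({"libbar1"})),
    Candidate("tool-c", "high", 1, 0, ARCHS, ARCHS),                         # too young
    Candidate("port-e", "low", 20, 0, ARCHS, frozenset({"i386"})),           # unbuilt on amd64
]
```

Here `app-a` has no defect of its own but is held back because `libfoo2` is, while `libbar1` and `app-d` enter testing together as one group.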
Periodically, the Release Manager publishes guidelines to the developers in order to ready the release, and in accordance with them eventually decides to make a release. This occurs when all important software is reasonably up-to-date in the release-candidate suite for all architectures for which a release is planned, and when any other goals set by the Release Manager have been met. At that time, all packages in the release-candidate suite ("testing") become part of the released suite ("stable").
It is possible for a package – particularly an old, stable, and seldom-updated one – to belong to more than one suite at the same time. The suites are simply collections of pointers into the package "pool" mentioned above.
Security information and policy
The Debian Project, as a free software project, handles security through public disclosure rather than through obscurity. Many advisories are coordinated with other free software vendors and are published the same day a vulnerability is made public. Debian has a security audit team that reviews the archive looking for new or unfixed security bugs. Debian also participates in security standardization efforts: the Debian security advisories are compatible with the Common Vulnerabilities and Exposures (CVE) dictionary, and Debian is represented in the Board of the Open Vulnerability and Assessment Language (OVAL) project.
The Debian Project offers extensive documentation and tools to harden a Debian installation both manually and automatically. SELinux (Security-Enhanced Linux) packages are installed by default though not enabled.