Here is my monthly update covering what I have been doing in the free software world (previous month):
- I was elected Debian Project Leader for 2017. I'd like to sincerely thank everyone who voted for me as well as everyone who took part in the election in general, especially Mehdi Dogguy, for being a worthy opponent. The result was covered on LWN, Phoronix, DistroWatch, iTWire, etc.
- Added support for the Monzo banking API in social-core, a Python library to allow web applications to authenticate using third-parties. (#68)
- Fixed an HTML injection attack in a demo of Russell Keith-Magee's BeeWare presentation library. (#3)
- Updated systemd's documentation to explain why we suggest explicitly calling make all despite the Makefile's "check" target calling it. (#5830)
- Updated the documentation of a breadth-first version of find(1) called bfs to refer to the newly-uploaded Debian package. (#23)
- Updated the configuration for the ticketbot IRC bot (zwiebelbot on OFTC) to identify #reproducible-builds as a Debian-related channel. This is so that Debian bug numbers are automatically expanded by the bot. (#7)
Reproducible builds
Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.
The motivation behind the Reproducible Builds effort is to permit verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
I have generously been awarded a grant from the Core Infrastructure Initiative to fund my work in this area.
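As an added illustration of the verification model described above (this is example code written for this post, not code from the Reproducible Builds project or from any of the packages mentioned), the following simulates several independent parties rebuilding the same source. The "compilers" are constructed stand-ins: one embeds the wall clock and the absolute build path, one honours SOURCE_DATE_EPOCH (the real Reproducible Builds convention) and records no path, and one models a builder whose toolchain injects bytes the source never contained. The builder environments and the source text are constructed sample data.

```python
import hashlib

# Constructed sample "source tree": identical for every builder.
SOURCE = b"int main(void) { return 0; }\n"

# Constructed builder environments for three independent parties. Only the
# environment differs between them; the source they build is the same.
BUILDERS = {
    "alice": {"PWD": "/home/alice/build", "SOURCE_DATE_EPOCH": "1490000000", "NOW": "1493000001"},
    "bob":   {"PWD": "/srv/ci/job-42",    "SOURCE_DATE_EPOCH": "1490000000", "NOW": "1493000777"},
    "carol": {"PWD": "/tmp/pkg",          "SOURCE_DATE_EPOCH": "1490000000", "NOW": "1493009999"},
}


def build_unreproducible(source, env):
    # Stand-in for a build that embeds the current time and the build
    # directory: two of the most common reasons independent rebuilds differ
    # even though nothing malicious happened.
    header = f"built-at: {env['NOW']}\nbuilt-in: {env['PWD']}\n".encode()
    return header + source


def build_reproducible(source, env):
    # Uses SOURCE_DATE_EPOCH (a property of the source release, set identically
    # by every builder) instead of the clock, and records no build path.
    header = f"built-at: {env['SOURCE_DATE_EPOCH']}\n".encode()
    return header + source


def build_tampered(source, env):
    # Hypothetical compromised builder: otherwise reproducible output with
    # extra bytes appended by the toolchain.
    return build_reproducible(source, env) + b"/* injected */\n"


def digest(artifact):
    return hashlib.sha256(artifact).hexdigest()


def rebuild_everywhere(build_fn, source, builders, overrides=None):
    """Rebuild `source` on every builder and return {builder: sha256}.

    `overrides` maps a builder name to a different build function, used to
    model one party whose toolchain has been compromised."""
    overrides = overrides or {}
    return {
        name: digest(overrides.get(name, build_fn)(source, env))
        for name, env in builders.items()
    }


def consensus(digests):
    """Group builders by the digest they produced.

    Returns {"unanimous": bool, "distinct": number of different artifacts,
    "outliers": builders disagreeing with the largest group}. Unanimity is
    what lets third parties vouch for a binary; a lone outlier against an
    otherwise reproducible build is the signal that something on that
    builder differs from the source."""
    groups = {}
    for name, d in digests.items():
        groups.setdefault(d, []).append(name)
    majority = max(groups.values(), key=len)
    outliers = sorted(name for name in digests if name not in majority)
    return {"unanimous": len(groups) == 1, "distinct": len(groups), "outliers": outliers}


if __name__ == "__main__":
    print("timestamp/path build:", consensus(rebuild_everywhere(build_unreproducible, SOURCE, BUILDERS)))
    print("SOURCE_DATE_EPOCH build:", consensus(rebuild_everywhere(build_reproducible, SOURCE, BUILDERS)))
    print("one tampered builder:", consensus(rebuild_everywhere(
        build_reproducible, SOURCE, BUILDERS, overrides={"bob": build_tampered})))
```

The point the three runs make is the one from the paragraph above: with the unreproducible build every party gets a different hash, so a tampered artifact would be indistinguishable from ordinary noise; once the build is reproducible, all honest parties agree and the single disagreeing builder stands out.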
This month I:
- Presented at foss-north.se 2017 in Gothenburg, Sweden on Reproducible Builds.
- Sent a patch for poti ‒ a library to generate paje traces ‒ to ensure the build is reproducible when Git is not available. (#7)
- Submitted a pull request to patat (a tool to make terminal-based presentations using Pandoc) to make the build reproducible. (#36)
- Fixed miniupnp's build system to make the build reproducible. (#237)
- Updated sunpinyin, a "statistical model" based Chinese input method, to make the .pc file output reproducible. (#73)
- Patched taskflow (an OpenStack library) to ensure the generated documentation is reproducible. (#4)
- I also submitted 26 patches to fix specific reproducibility issues in avifile, crac, cyclades-serial-client, dactyl, debirf, drumkv1, forked-daapd, foxeye, golang-github-lunny-log, hp-search-mac, libccrtp, miniupnpd, openigtlink, ora2pg, osinfo-db, poti, python-taskflow, qjackctl, qtractor, samplv1, sunpinyin, synthv1, templayer, tf, viruskiller & xmlrpc-c.
- Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.
- Worked on publishing our weekly reports. (#101, #102, #103 & #104).
- Updated our testing framework to also write a .bz2 version of reproducible.json. (#859254)
I also made the following changes to diffoscope, our recursive and content-aware diff utility used to locate and diagnose reproducibility issues:
- New features:
  - Add support for comparing Ogg Vorbis files. (0436f9b)
- Bug fixes:
- Cleanups:
Debian
Patches contributed
- msp430mcu: Invalid paths returned from msp430mcu-config
- camping: Fix broken font symlink
- dh-buildinfo: Please clarify this is unrelated to .buildinfo handling
- g2clib: Fix invalid libdir in grib2c.pc
- libccrtp: Missing (optional) Build-Depends on graphviz
- lintian: Please add "none were" → "none was" grammar correction
- sugar-memorize-activity: Fix broken icon symlink
- sunpinyin: Correct Homepage field
Debian LTS
This month I have been paid to work 18 hours on Debian Long Term Support (LTS). In that time I did the following:
- "Frontdesk" duties, triaging CVEs, etc.
- Issued DLA 882-1 for the tryton-server general application platform to fix a path suffix injection attack.
- Issued DLA 883-1 for curl preventing a buffer read overrun vulnerability.
- Issued DLA 884-1 for collectd (a statistics collection daemon) to close a potential infinite loop vulnerability.
- Issued DLA 885-1 for the python-django web development framework patching two open redirect & XSS attack issues.
- Issued DLA 890-1 for ming, a library to create Flash files, closing multiple heap-based buffer overflows.
- Issued DLA 892-1 and DLA 891-1 for the libnl3/libnl Netlink protocol libraries, fixing integer overflow issues which could have allowed arbitrary code execution.
Uploads
- redis (4:4.0-rc3-1) — New upstream RC release.
- adminer:
  - 4.3.0-2 — Fix debian/watch file.
  - 4.3.1-1 — New upstream release.
- bfs:
  - 1.0-1 — Initial release.
  - 1.0-2 — Drop fstype tests as they rely on /etc/mtab being available. (#861471)
- python-django:
  - 1:1.10.7-1 — New upstream security release.
  - 1:1.11-1 — New upstream stable release to experimental.
I sponsored the following uploads:
- wolfssl (3.10.2+dfsg-2) — Updating debian/copyright (#860046) and disabling the CRL monitor on all architectures (#860514).
- python-aniso8601 (1.2.0-1) — New upstream release.
I also performed the following QA uploads:
- gtkglext (1.2.0-7) — Correct installation location of gdkglext-config.h after "Multi-Archification" in 1.2.0-5. (#860007)
Finally, I made the following non-maintainer uploads (NMUs):
- python-formencode (1.3.0-2) — Don't ship files in /usr/lib/python{2.7,3}/dist-packages/docs. (#860146)
- django-assets (0.12-2) — Patch pytest plugin to check whether we are running in a Django context, otherwise we can break unrelated testsuites. (#859916)
RC bugs filed
- khal: Please reference Reference-license-from-copyright-file.patch in debian/copyright
- libbsd-dev: Trying to overwrite 'explicit_bzero.3.gz', which is also in manpages-dev
- node-diffie-hellman: Please clarify security concerns
I also filed 2 bugs for packages that access the internet during build (against fail2ban & ruby-rack-proxy), and 11 FTBFS bugs against bup, golang-github-lunny-nodb, hunspell-dict-ko, icinga-web, nanoc, oggvideotools, polygen, python-dogpile.cache, reapr, tendermint-go-merkle & z88.
FTP Team
As a Debian FTP assistant I ACCEPTed 155 packages: aiohttp-cors, bear, colorize, erlang-p1-xmpp, fenrir, firejail, fizmo-console, flask-ldapconn, flask-socketio, fontmanager.app, fonts-blankenburg, fortune-zh, fw4spl, fzy, gajim-antispam, gdal, getdns, gfal2, gmime, golang-github-go-macaron-captcha, golang-github-go-macaron-i18n, golang-github-gogits-chardet, golang-github-gopherjs-gopherjs, golang-github-jroimartin-gocui, golang-github-lunny-nodb, golang-github-markbates-goth, golang-github-neowaylabs-wabbit, golang-github-pkg-xattr, golang-github-siddontang-goredis, golang-github-unknwon-cae, golang-github-unknwon-i18n, golang-github-unknwon-paginater, grpc, grr-client-templates, gst-omx, hddemux, highwayhash, icedove, indexed-gzip, jawn, khal, kytos-utils, libbloom, libdrilbo, libhtml-gumbo-perl, libmonospaceif, libpsortb, libundead, llvm-toolchain-4.0, minetest-mod-homedecor, mini-buildd, mrboom, mumps, nnn, node-anymatch, node-asn1.js, node-assert-plus, node-binary-extensions, node-bn.js, node-boom, node-brfs, node-browser-resolve, node-browserify-des, node-browserify-zlib, node-cipher-base, node-console-browserify, node-constants-browserify, node-delegates, node-diffie-hellman, node-errno, node-falafel, node-hash-base, node-hash-test-vectors, node-hash.js, node-hmac-drbg, node-https-browserify, node-jsbn, node-json-loader, node-json-schema, node-loader-runner, node-miller-rabin, node-minimalistic-crypto-utils, node-p-limit, node-prr, node-sha.js, node-sntp, node-static-module, node-tapable, node-tough-cookie, node-tunein, node-umd, open-infrastructure-storage-tools, opensvc, openvas, pgaudit, php-cassandra, protracker, pygame, pypng, python-ase, python-bip32utils, python-ltfatpy, python-pyqrcode, python-rpaths, python-statistics, python-xarray, qtcharts-opensource-src, r-cran-cellranger, r-cran-lexrankr, r-cran-pwt9, r-cran-rematch, r-cran-shinyjs, r-cran-snowballc, ruby-ddplugin, ruby-google-protobuf, ruby-rack-proxy, ruby-rails-assets-underscore, rustc, sbt, sbt-launcher-interface, sbt-serialization, sbt-template-resolver, scopt, seqsero, shim-signed, sniproxy, sortedcollections, starjava-array, starjava-connect, starjava-datanode, starjava-fits, starjava-registry, starjava-table, starjava-task, starjava-topcat, starjava-ttools, starjava-util, starjava-vo, starjava-votable, switcheroo-control, systemd, tilix, tslib, tt-rss-notifier-chrome, u-boot, unittest++, vc, vim-ledger, vis, wesnoth-1.13, wolfssl, wuzz, xandikos, xtensor-python & xwallpaper.
I additionally filed 14 RC bugs for incomplete debian/copyright files against getdns, gfal2, grpc, mrboom, mumps, opensvc, python-ase, sniproxy, starjava-topcat, starjava-ttools, unittest++, wolfssl, xandikos & xtensor-python.