Here is my monthly update covering what I have been doing in the free software world during April 2018 (previous month).
- It was a great honour to learn that I was re-elected by the community to the post of Debian Project Leader for another year. I wholeheartedly thank everyone for placing their trust in me for another term and I am looking forward to the year ahead. My specific activities this month as the Debian Project Leader are covered in my "Bits from the DPL" email to the debian-devel-announce mailing list.
- Gave the keynote presentation at FLOSSUK's Spring Conference in Edinburgh, Scotland on reproducible builds and how it can prevent individual developers & centralised infrastructure from becoming targets of malicious actors.
- Presented at foss-north 2018 in Gothenburg, Sweden to speak about diffoscope, a tool to analyse reproducibility issues in packages and how it can be used in quality-assurance efforts more generally.
- Added support to curl for a --rootme command line parameter. [...]
- Filed 10 upstream patches to make their build or output reproducible for the Sphinx documentation generator [...], the Lexicon DNS manager [...], the Dashell C++ stream library [...], the Pylint static analysis tool [...], the vcr.py HTTP-interaction testing tool [...], the Click Python command-line parser [...], the ASDF interchange format [...], the strace system call tracer [...], the libdazzle Glib component library [...] and the Corosync Cluster Engine [...].
- I attended two Open Source Initiative board meetings.
- Wrote a pull request for the redis-py Python library to prevent testsuite failures when run against a 32-bit installation of Redis. [...]
- Sent a pull request for dh-virtualenv (a tool to create Debian packages that wrap a Python virtual environment) to prevent broken builds if building from within a virtual environment. [...]
- Opened an issue against the wasavi browser extension, which transforms the <textarea> element of any page into a vim-style editor, to report a crashing bug. [...]
- Requested that the Bad Voltage podcast appear on Rajeev Bharshetty's list of awesome podcasts. [...]
- Even more hacking on the Lintian static analysis system for Debian packages:
  - New features:
    - Entirely rework the description-synopsis-might-not-be-phrased-properly tag. (#896671)
    - Detect debian/rules files that specify the sanitize=+all build flag. (#895831)
    - Make the file-contains-trailing-whitespace tag also emit for whitespace at end of files. [...]
    - Disable the changelog-should-mention-nmu and source-nmu-has-incorrect-version-number tags in the PureOS vendor profile. [...]
    - Re-enable YAML parsing of upstream metadata which was disabled in #861958 to close CVE-2017-8829 — we can now use the $LoadBlessed option of YAML::XS. (#894747)
    - Also check for find(1) calls when checking for maintainer scripts that use a recursive chown or chmod. (#895370)
    - Warn about packages that have apparently unnecessary get-orig-source targets such as single-line calls to uscan(1). (#895036)
    - Add support for derivative-specific field parsing to allow enforcement of additional restrictions (e.g. the Vcs-Git format, etc.) [...], version numbers [...] and Changed-By [...].
    - Add support for blacklisting source packages. [...]
    - Add 4.1.4 as a known Standards-Version. [...]
  - Bug fixes:
    - Stop recommending that packages with repacked tarballs specify get-orig-source; this was removed in Policy 4.1.4. [...]
    - Add a special case for the Debhelper python3 addon as it needs a dependency on dh-python unless the -dev packages are used. (#895284)
    - Avoid false-positives in Mallard XML files. (#894690)
    - Ensure directory names end in a trailing forward-slash in source indexes. (#896010)
    - Prevent false-positives in the non-consecutive-debian-revision and possible-new-upstream-release-without-new-version tags by skipping them if the source package was renamed. (#896675)
    - Allow spaces within the ownership field of tar -tvf output. (#895175)
    - Add wIH (#895841) and selectOn (#895818) to the list of spelling-error-in-binary exceptions.
    - Don't warn about binary-package-depends-on-toolchain-package for Conflicts/Breaks relations. (#896133)
    - Disable "anchored roots" for packages, otherwise the systemd-complex-service-file tag breaks. [...]
    - Don't use Perl's $. operator out of context. [...]
  - Reporting:
    - Include the offending output in the description-synopsis-might-not-be-phrased-properly [...], non-consecutive-debian-revision [...] & dep5-copyright-license-name-not-unique [...] tags and also include the shebang for missing interpreters [...] and the X-script-but-no-X-dep tags [...].
    - Correct the classification of maybe-not-arch-all-binnmuable by marking it as experimental, downgrading the certainty and adding a note recommending against making any changes. (#895674)
    - Change the severity from P: → I: for the missing-explanation-for-repacked-upstream-tarball tag. [...]
  - Documentation:
    - Update description of debian-watch-uses-insecure-uri to clarify what to do if there is currently no secure URI. (#897082)
    - Clarify the "2020" date for Python 2.x deprecation. (#896079)
    - Correct confusing not-binnmuable-any-depends-all tag description. (#895656)
  - Misc:
    - Add a toogle → toggle spelling correction. (#895573)
    - Add a passing testcase to ensure /usr/share/doc/$pkg/examples can be a symlink for package-does-not-install-examples (re. #897157). [...]
    - Correct an as_anchored_root_dir → has_anchored_root_dir typo. [...]
    - Move repository from Alioth to salsa. [...]
Reproducible builds
Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.
The motivation behind the Reproducible Builds effort is to allow verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
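How that verification works in practice, shown as an added example that is neither code from this post nor from any Reproducible Builds project tool: a toy build packs a constructed source tree into a tar archive, first naively and then reproducibly, and two simulated independent builders (their names, clocks and directory-listing order are constructed assumptions) compare SHA-256 digests of what each produced. SOURCE_DATE_EPOCH is the real convention for pinning embedded timestamps; the value used here is constructed.

```python
"""Added example (not from the original post or any project tool): a toy
build done naively and reproducibly, then the consensus check between
independent builders. Source tree, builder environments and the
SOURCE_DATE_EPOCH value are all constructed for illustration."""
import hashlib
import io
import os
import tarfile
import tempfile
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

SOURCE_DATE_EPOCH = 1522540800  # constructed: 2018-04-01T00:00:00Z


@dataclass
class BuilderEnv:
    """The parts of a builder's machine that commonly leak into artifacts."""
    name: str                                         # who ran the build
    clock: Callable[[], float] = time.time            # wall-clock time
    listdir: Callable[[str], List[str]] = os.listdir  # readdir() order is unspecified


def write_source_tree(root: str) -> None:
    """Create a small constructed source tree under `root`."""
    os.makedirs(os.path.join(root, "src"))
    for name, body in [("README", "toy project\n"),
                       ("src/main.c", "int main(void) { return 0; }\n"),
                       ("src/util.c", "int util(void) { return 1; }\n")]:
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)


def _walk_files(root: str, listdir, rel: str = ""):
    """Yield (absolute, relative) file paths in whatever order `listdir` gives."""
    for name in listdir(os.path.join(root, rel)):
        rel_path = os.path.join(rel, name)
        full = os.path.join(root, rel_path)
        if os.path.isdir(full):
            yield from _walk_files(root, listdir, rel_path)
        else:
            yield full, rel_path


def naive_build(root: str, env: BuilderEnv) -> bytes:
    """Non-reproducible: directory order, real file metadata, the builder's
    name and the wall-clock time all end up inside the archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for full, rel_path in _walk_files(root, env.listdir):
            info = tar.gettarinfo(full, arcname=rel_path)  # real mtime/uid/gid
            info.uname = env.name
            with open(full, "rb") as fh:
                tar.addfile(info, fh)
        stamp = f"built by {env.name} at {env.clock()}\n".encode()
        info = tarfile.TarInfo("BUILD_STAMP")
        info.size, info.mtime = len(stamp), int(env.clock())
        tar.addfile(info, io.BytesIO(stamp))
    return buf.getvalue()


def _pinned_info(name: str, size: int, mtime: int) -> tarfile.TarInfo:
    """TarInfo with every environment-dependent field normalised."""
    info = tarfile.TarInfo(name)
    info.size, info.mtime, info.mode = size, mtime, 0o644
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    return info


def reproducible_build(root: str, env: BuilderEnv,
                       source_date_epoch: int = SOURCE_DATE_EPOCH) -> bytes:
    """Reproducible: sorted file order, normalised metadata, a pinned archive
    format, and every timestamp taken from SOURCE_DATE_EPOCH, not the clock."""
    buf = io.BytesIO()
    # pin the format too: the interpreter's default tar format has changed over time
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        # sort so the filesystem's readdir() order cannot influence the result
        for full, rel_path in sorted(_walk_files(root, env.listdir), key=lambda e: e[1]):
            with open(full, "rb") as fh:
                tar.addfile(_pinned_info(rel_path, os.path.getsize(full), source_date_epoch), fh)
        stamp = f"built at {source_date_epoch}\n".encode()
        tar.addfile(_pinned_info("BUILD_STAMP", len(stamp), source_date_epoch), io.BytesIO(stamp))
    return buf.getvalue()


def digest(artifact: bytes) -> str:
    return hashlib.sha256(artifact).hexdigest()


def builders_agree(artifacts: Dict[str, bytes]) -> bool:
    """The consensus check: did every independent builder get identical bytes?"""
    return len({digest(a) for a in artifacts.values()}) == 1


def demo() -> tuple:
    """Build one tree on two constructed builder machines; report agreement
    for the naive build and for the reproducible build."""
    with tempfile.TemporaryDirectory() as root:
        write_source_tree(root)
        alice = BuilderEnv("alice", clock=lambda: 1524000000.0,
                           listdir=lambda p: sorted(os.listdir(p)))
        bob = BuilderEnv("bob", clock=lambda: 1524099999.0,
                         listdir=lambda p: sorted(os.listdir(p), reverse=True))
        naive = {e.name: naive_build(root, e) for e in (alice, bob)}
        repro = {e.name: reproducible_build(root, e) for e in (alice, bob)}
        return builders_agree(naive), builders_agree(repro)  # (False, True)


if __name__ == "__main__":
    print("naive builds agree: %s, reproducible builds agree: %s" % demo())
```

The `listdir` knob in `BuilderEnv` stands in for the filesystem-dependent readdir() order that disorderfs deliberately shuffles to flush out exactly this assumption; sorting entries before archiving is the usual fix, and pinning mtime, ownership and the archive format removes the remaining environment-dependent fields, which is the kind of normalisation strip-nondeterminism applies after the fact when the toolchain cannot be fixed.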
This month I:
- Gave the keynote presentation at FLOSSUK's Spring Conference in Edinburgh, Scotland on reproducible builds and how it can prevent individual developers & centralised infrastructure from becoming targets of malicious actors.
- Presented at foss-north 2018 in Gothenburg, Sweden to speak about diffoscope, our in-depth tool to analyse reproducibility issues in packages and how it can be used in quality-assurance efforts more generally.
- Filed 10 upstream patches to make their build or output reproducible for the Sphinx documentation generator [...], the Lexicon DNS manager [...], the Dashell C++ stream library [...], the Pylint static analysis tool [...], the vcr.py HTTP-interaction testing tool [...], the Click Python command-line parser [...], the ASDF interchange format [...], the strace system call tracer [...], the libdazzle Glib component library [...] and the Corosync Cluster Engine [...].
- Updated the diffoscope tests to prevent a build failure under file 5.33. (#897099)
- Dropped support for stripping text from PHP Pear registry file in our strip-nondeterminism tool to remove specific non-deterministic results from a completed build as we can fix this in the toolchain instead. [...]
- Added an example on how to unmount the manpage in disorderfs, our FUSE-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues. [...]
- Migrated our weekly blog reports and related machinery from the deprecated Alioth and Debian-branded service to the more-generic reproducible-builds.org domain as well as made some cosmetic changes to the site itself. [...]
- In Debian, I:
  - Uploaded python-setuptools 39.0.1-1.0~reproducible1 to our local repository to work around an issue where version 39.0.1 onwards generated PKG-INFO files with a non-deterministic Provides-Extra field (#894215). This was subsequently superseded by Matthias Klose's upload of 39.0.1-2 into unstable.
  - Kept isdebianreproducibleyet.com up to date. [...]
  - Asked that the debian-devel-changes bot emit diffoscope-related changes to #reproducible-builds as well as #debian-reproducible. [...]
  - Corrected the parsing of diffoscope versions since the most-recent update of PyPI.org. (#895951)
- I also submitted three patches to fix specific reproducibility issues in libmypaint, osmo-iuh & tcl-signal.
- Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
- Worked on publishing our weekly reports. (#154, #155 & #156).
Debian
My activities as the Debian Project Leader are covered in my monthly "Bits from the DPL" email to the debian-devel-announce mailing list.
I contributed the following patches for Debian:
- debhelper: Does not accept zero as a valid version number in debian/changelog. (#894895)
- python-colormap: Please drop override of new-package-should-not-package-python2-module. (#896662)
- whatthepatch: Please drop override of new-package-should-not-package-python2-module. (#896664)
- libdazzle: Incorrect Homepage: field. (#896065)
- python-click: Please correct Homepage: field. (#895277)
- libmypaint: Incorrect Homepage: field. (#895402)
- figlet: Add missing space in figlet(6) manpage. (#894541)
Debian LTS
This month I have been paid to work 16¼ hours on the Debian Long Term Support (LTS) project. In that time I did the following:
- "Frontdesk" duties, triaging CVEs, etc.
- Issued DLA 1338-1 for beep to prevent a local privilege escalation.
- Issued DLA 1348-1 for patch — an ed(1) script embedded in a regular input file could result in arbitrary code execution.
- Issued DLA 1357-1 for gunicorn to prevent a header-injection vulnerability. I also uploaded this to jessie as 19.0-1+deb8u1 and to stretch as 19.6.0-10+deb9u1.
- Issued DLA 1360-1 to prevent an XML external entity expansion vulnerability in lucene-solr, a search engine library for Java.
Uploads
- sphinx (1.7.2-1) — New upstream release, apply my upstream patch to make the set output reproducible (#895553), don't use Google Fonts to avoid local privacy breaches, fix testsuite to not rely on specific return types, etc.
- python-django (1:1.11.12-1 & 2.0.4-1) — New upstream bugfix releases.
- installation-birthday (9) — Also use /var/lib/vim to determine installation date. (#895686)
- ruby-rjb (1.5.5-2) — Fix FTBFS under Java 9. (#874146)
- redisearch:
  - 1.0.10-1 — New upstream release.
  - 1.0.10-2 — Drop -mpopcnt from CFLAGS. (#896593)
  - 1.0.10-3 — Use upstream's patch for removing -mpopcnt.
  - 1.1.0-1 — New upstream release.
- libfiu (0.96-2) — Apply patch from upstream to make the build reproducible. (#894776)
- redis (5:4.0.9-1) — New upstream release.
- python-redis (2.10.6-3) — Fix tests when performed against an i386 Redis server. (#896864)
I also performed six sponsored uploads: connman-ui (0~20150623-0.1), playerctl (0.5.0-1), yasnippet-snippets (0.2-1), nose2 (0.7.4-2), pytest-tornado (0.5.0-1) & django-ipware (2.0.2-1).
FTP Team
As a Debian FTP assistant I ACCEPTed 108 packages: appstream, ayatana-indicator-messages, ayatana-indicator-notifications, buildbot, ccextractor, ccnet, cfitsio, cloudcompare, cpprest, cross-toolchain-base, cross-toolchain-base-ports, dde-qt5integration, deepin-deb-installer, deepin-voice-recorder, desktop-autoloader, dh-r, dlib, falkon, flask-babelex, flif, fscrypt, gcc-7-cross, gcc-7-cross-ports, gcc-8-cross, gcc-8-cross-ports, gegl, gimp, golang-github-dropbox-dropbox-sdk-go-unofficial, golang-github-jedisct1-dlog, golang-github-jedisct1-xsecretbox, golang-github-sanity-io-litter, googleplay-api, haskell-bsb-http-chunked, haskell-cmark-gfm, haskell-config-ini, haskell-genvalidity, haskell-genvalidity-property, haskell-hedgehog, haskell-hslua-module-text, haskell-ini, haskell-microstache, haskell-multimap, haskell-onetuple, haskell-only, haskell-parser-combinators, haskell-product-isomorphic, haskell-rate-limit, haskell-singleton-bool, haskell-tasty-expected-failure, haskell-validity, haskell-vector-builder, haskell-wl-pprint-annotated, haskell-word-wrap, haskell-yi-keymap-emacs, haskell-yi-keymap-vim, horizon-eda, iwd, jquery-i18n.js, kitty, kiwisolver, knot-resolver, libbpp-phyl, libdeclare-constraints-simple-perl, libgpg-error, libkf5incidenceeditor, libmypaint, linux, linux-latest, maildir-utils, moment-timezone.js, musescore-general-soundfont, mypaint-brushes, nmap, node-tar, openstack-meta-packages, orcania, osmo-fl2k, osmo-iuh, peek, peruse, protobuf, python-async-generator, python-cerberus, python-datrie, python-h11, python-libevdev, python-panwid, python-plaster, python-plaster-pastedeploy, python-readme-renderer, qpid-proton, razercfg, rebound, ruby-iso8601, ruby-tomlrb, ruby-xmlrpc, rustc, sent, shoogle, snapcast, texext, texlive-bin, u-boot, virtualbox-guest-additions-iso, vnlog, vtk7, xorgxrdp & zodbpickle.
I additionally filed 10 RC bugs against packages that had incomplete debian/copyright files against: appstream, cfitsio, dlib, falkon, horizon-eda, maildir-utils, osmo-fl2k, peruse, python-h11 & qpid-proton.