Here is my monthly update covering what I have been doing in the free software world during April 2019 (previous month):
- It was my last month in my tenure as Debian Project Leader after two years in the post. Thank you so much for all the support and kind words that I received in the past few weeks and congratulations to Sam Hartman for being elected to the post for the upcoming year.
- Attended the foss-north.se conference in Gothenburg, Sweden where I gave a talk entitled "What can free software learn from classical music?". As part of this, I also organised a Debian Bug Squashing Party as part of the conference's Community Day — thanks to Kuro Studio for their hospitality.
- For the Tails privacy-oriented operating system, I attended an in-person sprint in France where I worked on countless issues, features and adjacent concerns regarding the move to Debian "buster".
- As part of my duties on the board of directors of the Open Source Initiative, I attended our monthly board meeting, participated in various licensing discussions occurring on the internet, etc.
- Opened a pull request against the django-q task queue for the Django web framework in order to inline a Python import. This prevents circular imports under some toolchain combinations. [...]
- Opened a pull request for the ADMS code generator for the Verilog-AMS hardware description language to make the build reproducible. [...]
- More hacking on the Lintian static analysis tool for Debian packages, including:
  - Correct false positives in the `missing-systemd-timer-for-cron-script` tag due to an incorrect regular expression. (#927970)
  - Don't check for the x86-specific "SafeSEH" hardening feature for code that is JIT-compiled by the Mono runtime. (#926334)
  - Triaged and accepted a huge number of patches and merge requests that had accumulated, adding a large number of new tags, updating systemd hardening flags [...], etc.
- Created a quick-and-dirty script to obtain Max Temkin's highlights of Star Trek: The Next Generation. [...]
Reproducible builds
Whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed pre-compiled to end users.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising that identical results are always generated from a given source, thus allowing multiple third parties to come to a consensus on whether a build was compromised.
The initiative is proud to be a member project of the Software Freedom Conservancy, a not-for-profit 501(c)(3) charity focused on ethical technology and user freedom.
Conservancy acts as a corporate umbrella, allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
This month:
- Submitted 4 patches to fix Debian-specific reproducibility issues in adms, coda, fim & netcdf-parallel and wrote a patch for `qpid-proton` to make the documentation build reproducibly. (#926300)
- Kept isdebianreproducibleyet.com up to date [...] as well as performing the regular maintenance and sysadmin work for try.diffoscope.org and buildinfo.debian.net.
- I contributed to a discussion regarding the testing of the reproducibility status of Debian Installer images. (#926242)
- Opened an upstream pull request for the ADMS code generator for the Verilog-AMS programming language to make the build reproducible. [...]
- Categorised a huge number of packages and issues in the Reproducible Builds "notes" repository.
- Drafted, published and publicised our reports. (#205 & #206, etc.)
- Wrote a patch for jenkins.debian.net, which runs our comprehensive testing framework, to avoid double spaces in IRC output. [...]
I also made the following changes to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues:
- Add support for semantic comparison of GnuPG "keybox" (`.kbx`) files. (#871244)
- Treat missing tools as failures if a "magic" environment variable is detected, in order to facilitate interpreting missing required tools on the Debian autopkgtests as actual test failures rather than skipping them. The behaviour of the existing testsuite remains unchanged. (#905885)
- Filed a "request for packaging" for the annocheck tool, which can be used to "analyse an application's compilation". This is as part of an outstanding wishlist issue. (#926470)
- Consolidated on a single alias as the exception value across the entire codebase. [...]
I spent a considerable amount of time on our website this month too, including:
- Using an explicit "draft" boolean flag for posts. Jekyll in Debian stable silently (!) does not support the `where_exp` filter. [...]
- Moving more pages away from the old design with HTML to Markdown formatting and the new design template. [...]
- Adding a simple Makefile to implicitly document how to build the site [...] and adding a simple `.gitlab-ci.yml` to test branches/builds [...].
- Adding a simple "lint" command so we can see how many pages are using the old style. [...]
- Adding an explicit link to our "Who is involved?" page in the footer of the newer design [...] and a link to the donation page [...].
- Moving various bits of infrastructure to support a monthly report structure. [...]
Finally, I made the following changes to strip-nondeterminism, our tool to remove specific non-deterministic results from a completed build:
- Work around `Archive::Zip`'s incorrect handling of the `localExtraField` class member field by monkey-patching the accessor methods to always return normalised values. This fixes the normalisation of Unix ownership metadata within `.zip` and `.epub` files. (#858431)
- Actually check the return status from `Archive::Zip` when writing a file to disk. [...]
- Catch an edge case where we can't parse the length of a particular field within `.zip` files. [...]
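As an added illustration (not code from strip-nondeterminism, which is written in Perl), the following Python script emulates the kind of `.zip` normalisation described above: it builds a constructed two-file archive on two "different days" by two "different users", stamping each with a host mtime and an Info-ZIP-style uid/gid extra field, then strips such fields with a length-checked parser (the field-length edge case mentioned above), fixes the timestamp and shows that the normalised archives hash identically. The sample files and the set of extra-field ids treated as non-deterministic are assumptions for this demo; `demo()` returns `(raw archives differ, normalised archives match)`.

```python
import hashlib
import io
import struct
import zipfile
# Constructed "build output": identical content in every run. The extra-field ids below
# are the ones assumed here to carry build-host state (Info-ZIP UT/ux, PKWARE Unix, old UX).
FILES = {"lib/app.py": b"print('hello')\n", "README": b"docs\n"}
NONDETERMINISTIC_EXTRA = {0x5455, 0x7875, 0x000D, 0x5855}

def build_zip(date_time, uid, gid):
    """Emulate an unreproducible build: host mtime plus an Info-ZIP 'ux' uid/gid field."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in FILES.items():
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.external_attr = 0o100644 << 16            # regular file, mode 0644
            ux = struct.pack("<BBIBI", 1, 4, uid, 4, gid)  # version, uid size, uid, gid size, gid
            info.extra = struct.pack("<HH", 0x7875, len(ux)) + ux
            zf.writestr(info, data, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()

def strip_extra(extra):
    """Drop the listed (id, length, data) records; report a length that overruns the buffer."""
    out, pos = b"", 0
    while pos + 4 <= len(extra):
        tag, size = struct.unpack_from("<HH", extra, pos)
        if pos + 4 + size > len(extra):
            raise ValueError(f"extra field 0x{tag:04x} claims {size} bytes past end of data")
        if tag not in NONDETERMINISTIC_EXTRA:
            out += extra[pos:pos + 4 + size]
        pos += 4 + size
    return out

def normalise_zip(data, date_time=(2019, 1, 1, 0, 0, 0)):
    """Fixed timestamp, stripped extra field, sorted members: the strip-nondeterminism idea."""
    src, buf = zipfile.ZipFile(io.BytesIO(data)), io.BytesIO()
    with zipfile.ZipFile(buf, "w") as dst:
        for info in sorted(src.infolist(), key=lambda i: i.filename):
            clean = zipfile.ZipInfo(info.filename, date_time=date_time)
            clean.external_attr = info.external_attr
            clean.extra = strip_extra(info.extra)
            dst.writestr(clean, src.read(info), compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()

def demo():
    a = build_zip((2019, 4, 2, 9, 15, 0), uid=1000, gid=1000)
    b = build_zip((2019, 4, 30, 18, 3, 0), uid=1234, gid=100)
    sha = lambda blob: hashlib.sha256(blob).hexdigest()
    return sha(a) != sha(b), sha(normalise_zip(a)) == sha(normalise_zip(b))
```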
Debian
Debian LTS
This month I have worked 17 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged `evolution-ews` (CVE-2019-3890), `libpodofo` (CVE-2019-10723), `roundup` (CVE-2019-10904), `tryton-server` (CVE-2019-10868), `sqlite3` (CVE-2018-20506). I also wrote a work-in-progress/initial patch for CVE-2019-0217 in `apache2`. [...]
- Frontdesk duties, responding to user/developer questions, reviewing others' packages and changes. I was also part of discussions regarding potential marketing material for DebConf19.
- Issued DLA 1749-1 for the Go programming language runtime library to prevent a CRLF injection attack.
- Issued DLA 1750-1 for the roundup issue-tracking system to stop a cross-site scripting (XSS) vulnerability in the web frontend.
- Issued DLA 1756-1 for the `libxslt` XML transformation library to prevent an authentication bypass vulnerability.
- Issued DLA 1757-1 for the RRDTool monitoring front-end cacti to close a number of cross-site scripting vulnerabilities.
- Issued DLA 1764-1 to prevent a path traversal vulnerability in the Mercurial revision control system.
- Issued ELA-108-1 for the PHP programming language to fix two heap-buffer overflow vulnerabilities.
Uploads
- python-django (`2:2.2-1`) — New upstream release.
- python-redis (`3.2.1-2`) — Drop marking previously-failing autopkgtests as `XFAIL` that were introduced to work around Debian bug #914800.
- bfs (`1.4-1`) — New upstream release.
- lastpass-cli (`1.3.3-1`) — New upstream release.
Finally, I also made the following non-maintainer uploads (NMUs) to fix release-critical bugs for "buster".
- cpio (`2.12+dfsg-7`, `2.12+dfsg-8` & `2.12+dfsg-9`) — Don't remove `/usr/sbin/rmt` in a merged-`/usr` environment in the `prerm` maintainer script. (#926698)
- libmcrypt (`2.5.8-3.4`) — Fix build failures on a number of architectures due to test failures. (#917203)
- python-whoosh (`2.7.4+git6-g9134ad92-3`) — Mark a non-deterministic test as being allowed to fail. (#897489)
FTP Team
As a Debian FTP assistant I ACCEPTed 30 packages: easygen, faudio, golang-github-anmitsu-go-shlex, golang-github-apparentlymart-go-cidr, golang-github-apparentlymart-go-rundeck-api, golang-github-corpix-uarand, golang-github-cyberdelia-heroku-go, golang-github-emirpasic-gods, golang-github-facebookgo-inject, golang-github-fzambia-sentinel, golang-github-gliderlabs-ssh, golang-github-hashicorp-go-safetemp, golang-github-hmrc-vmware-govcd, golang-github-icrowley-fake, golang-github-jesseduffield-gocui, golang-github-jesseduffield-pty, golang-github-jesseduffield-termbox-go, golang-github-kevinburke-ssh-config, golang-github-michaeltjones-walk, golang-github-nozzle-throttler, golang-github-stvp-roll, golang-github-willf-bloom, golang-gopkg-src-d-go-billy.v4, libdmtx, openjdk-13, pmdk-convert, python-deprecated, python-django-debreach, qgis & redfishtool.
I additionally filed 3 RC bugs against faudio, libdmtx & python-deprecated, whose debian/copyright files were potentially incomplete.