Here is my monthly update covering what I have been doing in the free software world during April 2021 (previous month):
- Reviewed and merged two pull requests from Michael K. to my django-slack library, which provides a convenient wrapper between projects using the Django web development framework and the Slack chat platform. Michael's pull requests made Python 3.6+ a hard requirement (#102) and ran the tests against Python 3.9 (#103).
- Made a "no-change" release of my django-email-from-template library to upload a Python wheel (.whl) file to PyPI. [...]
- As part of my role of being the assistant Secretary of the Open Source Initiative and a board director of Software in the Public Interest, I attended their respective monthly meetings. My term on the OSI board has been slightly extended due to the discovery of a vulnerability in OSI's recent election — as a result, the 2021 election will be re-run to ensure transparency of the process.
- Filed a pull request against libsass-python (a Python implementation of the Sass CSS preprocessor) in order to make the build reproducible. (#319)
Reproducible Builds
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
The project is proud to be a member project of the Software Freedom Conservancy. Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
This month, I:
- Interviewed the Ford Foundation's Michael Brennan and published the transcript on our website.
- Drafted, published and publicised our monthly report.
- Filed an upstream pull request for libsass-python (a Python implementation of the Sass CSS preprocessor) in order to make the build reproducible. [...]
In Debian:
- Kept isdebianreproducibleyet.com up to date. [...]
- I also submitted 2 patches to fix specific reproducibility issues in pristine-lfs and rust-configparser.
- Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.
- Updated the main Reproducible Builds website and documentation:
  - Highlight our mailing list on the Contribute page. [...]
  - Add a noun (and drop an unnecessary full-stop) on the landing page. [...]
  - Correct a reference to the date metadata attribute on reports, restoring the display of months on the homepage. [...]
  - Correct a typo of "instalment" within a previous news entry. [...]
  - Added a conspicuous "draft" banner to unpublished blog posts in order to match the report draft banner. [...]
- I also made the following changes to diffoscope, including uploading versions 172 and 173 to Debian:
Debian
- redis (5:6.2.2-1) (to experimental) — New upstream release.
- 2.2.20-1 — New upstream security release.
- 3.2-1 (to experimental) — New major upstream release (release notes).
- hiredis (1.0.0-2) — Build with SSL/TLS support (#987114), and overhaul various aspects of the packaging.
- mtools (4.0.27-1) — New upstream release.
Debian Long Term Support (LTS)
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project:
- Investigated and triaged avahi (CVE-2021-3468), exiv2 (CVE-2021-3482), file-roller (CVE-2020-36314), fluidsynth (CVE-2021-28421), gnuchess (CVE-2021-30184), gpac (CVE-2021-28300), imagemagick (CVE-2021-20309, CVE-2021-20243), ircii (CVE-2021-29376), jetty9 (CVE-2021-28163), libcaca (CVE-2021-30498, CVE-2021-30499), libjs-handlebars, libpano13, libpodofo (CVE-2021-30469, CVE-2021-30470, CVE-2021-30471, CVE-2021-30472), mediawiki, mpv (CVE-2021-30145), nettle (CVE-2021-20305), nginx (CVE-2020-36309), nim (CVE-2021-21372, CVE-2021-21373, CVE-2021-21374), node-glob-parent (CVE-2020-28469), openexr (CVE-2021-3474), python-django-registration (CVE-2021-21416), qt4-x11 (CVE-2021-3481), qtsvg-opensource-src (CVE-2021-3481), ruby-kramdown, scrollz (CVE-2021-29376), syncthing (CVE-2021-21404), thunderbird (CVE-2021-23991, CVE-2021-23992, CVE-2021-23993) & wordpress (CVE-2021-29447).
- Issued DLA 2620-1 to address a cross-site scripting (XSS) vulnerability in python-bleach, a whitelist-based HTML sanitisation library.
- Issued DLA 2622-1 and ELA 402-1 as it was discovered that there was a potential directory traversal issue in Django, the popular Python-based web development framework. The vulnerability could have been exploited by maliciously crafted filenames. However, the upload handlers built into Django itself were not affected. (#986447)
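As an added illustration, not code from this post or from Django itself: the filename check a custom upload handler needs so that a client-supplied name of the crafted kind mentioned above cannot escape the upload directory. The upload root and the sample filenames are constructed for this example.

```python
import posixpath

# Added example, not Django's own code: the sanitisation a custom upload
# handler must apply to a client-supplied filename before joining it to the
# upload directory. Paths are handled as POSIX paths so results do not
# depend on the host platform. The upload root below is constructed.
UPLOAD_DIR = "/srv/uploads"


def sanitise_filename(client_name: str) -> str:
    """Reduce a client-controlled filename to its final path component.

    Backslashes are treated as separators too, since a client may send
    Windows-style paths. Names that are empty, '.' or '..' after stripping
    are rejected rather than silently mapped somewhere.
    """
    name = posixpath.basename(client_name.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError(f"unacceptable filename: {client_name!r}")
    return name


def resolve_upload_path(upload_dir: str, client_name: str) -> str:
    """Absolute destination for an upload, guaranteed to lie under upload_dir."""
    root = posixpath.normpath(upload_dir)
    dest = posixpath.normpath(posixpath.join(root, sanitise_filename(client_name)))
    # Belt and braces: even after basename(), confirm dest sits under root.
    if posixpath.commonpath([root, dest]) != root:
        raise ValueError(f"path escapes upload directory: {client_name!r}")
    return dest


def escapes_upload_dir(upload_dir: str, client_name: str) -> bool:
    """The bug pattern: True if a naive join of the raw name leaves upload_dir."""
    root = posixpath.normpath(upload_dir)
    naive = posixpath.normpath(posixpath.join(root, client_name))
    return posixpath.commonpath([root, naive]) != root


if __name__ == "__main__":
    # Constructed sample filenames as a client might send them.
    for name in ("report.pdf", "../../etc/passwd", "/etc/passwd"):
        print(f"{name!r}: naive join escapes={escapes_upload_dir(UPLOAD_DIR, name)}, "
              f"safe path={resolve_upload_path(UPLOAD_DIR, name)}")
```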
- Jan-Niklas Sohn discovered that there was an input validation failure in the X.Org display server. Insufficient checks on the lengths of the XInput extension's ChangeFeedbackControl request could have led to out-of-bounds memory accesses in the X server. These issues could have led to privilege escalation for authorised clients, particularly on systems where the X server is running as a privileged user. I therefore issued both DLA 2627-1 and ELA 405-1 to address this problem.
- Frontdesk duties, reviewing others' packages, participating in mailing list discussions, etc., as well as attending our monthly meeting.
You can find out more about the project via the following video: