Here is my monthly update covering what I have been doing in the free software world during April 2022 (previous month):
- Attended and presented at HACS 2022 in Amsterdam, Holland. The workshop on High Assurance Crypto Software (HACS) was launched in 2016 with the goal of fostering collaborations towards making cryptographic software "flawless".
- As part of my duties on the board of directors of Software in the Public Interest, I attended their monthly meeting and participated in various licensing and other discussions occurring on the internet.
Reproducible Builds
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised. This month, I:
- Published two 'supporter spotlights' on our blog: the first about Amateur Radio Digital Communications (ARDC); the second about Google Open Source Security Team (GOSST).
- Submitted 3 patches to fix specific reproducibility issues in datalad, python-iso8601 & rsync.
- Kept isdebianreproducibleyet.com up to date. [...]
- Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.
- Collaborated on a number of curious reproducibility issues, including an issue in krb5 that results in nondeterministic missing spaces in the generated documentation, as well as one in Python where Python variables named '_m' lead to unreproducible .pyc files.
- Drafted, published and publicised our monthly report for March 2022.
- Updated the main Reproducible Builds website and documentation to incorporate suggestions about squashfs by Larry Doolittle [...], as well as to increase the maximum width of blog/news posts [...] and render news items with identical CSS to monthly reports [...].
- For diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues, I performed a significant amount of bug triage, uploaded a new version and fixed an issue caused by some Python .pyc files being reported as "data" by the file(1) tool, by supporting .pyc as a fallback extension [...].
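The two .pyc items above (the unreproducible .pyc files, and diffoscope falling back to the .pyc extension when file(1) only says "data") are illustrated by the following added example, which is not code from the original post or from diffoscope. It recognises a .pyc by its magic number rather than by file(1)'s verdict, decodes the PEP 552 header, and compiles a constructed module twice with different source mtimes to show that timestamp-based .pyc files differ while hash-based ones come out identical; the module source, file names and mtimes are constructed for the demo.

```python
import importlib.util
import os
import py_compile
import struct
import tempfile

MAGIC = importlib.util.MAGIC_NUMBER  # 4-byte magic of the running interpreter

def is_pyc(path):
    """Fallback check for files file(1) calls "data": a .pyc starts with MAGIC."""
    with open(path, "rb") as fh:
        return fh.read(4) == MAGIC

def pyc_header(path):
    """Decode the 16-byte PEP 552 header: magic, flags, then either source
    (mtime, size) or, when flags bit 0 is set, an 8-byte source hash."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    (flags,) = struct.unpack("<I", head[4:8])
    if flags & 1:  # hash-based .pyc: no timestamp embedded at all
        return flags, None, None
    mtime, size = struct.unpack("<II", head[8:16])
    return flags, mtime, size

def compile_twice(mode):
    """Compile one constructed module twice with different source mtimes using
    "timestamp" or "hash" invalidation; return (byte-identical?, 2nd header)."""
    invalidation = {
        "timestamp": py_compile.PycInvalidationMode.TIMESTAMP,
        "hash": py_compile.PycInvalidationMode.UNCHECKED_HASH,
    }[mode]
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "mod.py")
        pyc = src + "c"
        with open(src, "w", newline="\n") as fh:
            fh.write("answer = 42\n")  # constructed sample source
        outputs = []
        for mtime in (1_600_000_000, 1_650_000_000):
            os.utime(src, (mtime, mtime))  # same bytes, different mtime
            py_compile.compile(src, cfile=pyc, doraise=True, invalidation_mode=invalidation)
            with open(pyc, "rb") as fh:
                outputs.append(fh.read())
        assert is_pyc(pyc), "compiled output should carry the .pyc magic"
        return outputs[0] == outputs[1], pyc_header(pyc)

if __name__ == "__main__":
    for mode in ("timestamp", "hash"):
        identical, header = compile_twice(mode)
        print(f"{mode:9s} identical={identical} header={header}")
```

The timestamp header is why a rebuilt .pyc differs whenever the source mtime changes; hash-based invalidation (PEP 552) removes that field, which is the setting reproducible builds of Python packages rely on.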
Debian
Bugs filed:
- python-cai-doc: Documentation contains error message instead of documentation. (#1010316)
- threeb: Correct the formatting of the debian/changelog file. (#1010277)
Uploads
- bfs (2.5-1) — New upstream release.
- memcached (1.6.15-1) — New upstream release.
- 4.0.4-1 — New upstream security release.
- 3.2.13-1 — New upstream security release.
- redis (7.0~rc3-1) — New upstream release candidate.
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Investigated and triaged composer (CVE-2022-24828), e2fsprogs (CVE-2022-1304), ffmpeg (CVE-2022-1475), ghostscript (CVE-2019-25059), giflib (CVE-2022-28506), git (CVE-2022-24765), grunt (CVE-2022-0436), hoteldruid (CVE-2021-42948, [CVE-2021-42949](https://security-tracker.debian.org/tracker/CVE-2021-42949) & CVE-2022-26564), libpam-tacplus (CVE-2016-20014), libspring-java (CVE-2022-22968), nekohtml (CVE-2022-24839), node-ejs (CVE-2022-29078), node-moment (CVE-2022-24785), opensc (CVE-2021-42778, CVE-2021-42779, CVE-2021-42780, CVE-2021-42781 & CVE-2021-42782), python-django (CVE-2022-28347), ruby-devise-two-factor (CVE-2021-43177), ruby2.3 (CVE-2022-28739), subversion (CVE-2022-24070), etc. etc.
- Issued DLA 2982-1 to fix a potential SQL injection attack in the Django web development framework.
You can find out more about the Debian LTS project via the following video: