Here is my monthly update covering what I have been doing in the free software world during April 2025 (previous month):
Reproducible Builds
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.
This month, I:
- Kept isdebianreproducibleyet.com up to date. [...]
- I submitted at least 4 patches to fix specific reproducibility issues, such as those in magic-wormhole-mailbox-server, openvpn3-client, schism and vcsh.
- Filed a bug against the Debian ants package because, through reproducibility testing, I discovered that its manual pages contained error messages. (#1103254)
- Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.
- Drafted, published and publicised our monthly report for March.
- Updated the main Reproducible Builds website and documentation:
  - Added a configure.ac (GNU Autotools) example for using SOURCE_DATE_EPOCH. [...]
  - Updated the SOURCE_DATE_EPOCH snippet and moved the archive metadata to a more suitable location. [...]
  - Reviewed and merged work by Aman Sharma to improve the website's aesthetics. [...]
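To make concrete what the SOURCE_DATE_EPOCH documentation is for, here is an added example (not code from the Reproducible Builds website or from any of the packages above) that simulates a build step producing a tar archive on two machines. The changelog date, the two "checkouts" and their file mtimes are constructed sample data; the naive build lets the machine's timestamps and directory order leak into the output, while the SOURCE_DATE_EPOCH-aware build clamps mtimes to the epoch, zeroes ownership and sorts entries, so both machines emit byte-identical archives.

```python
"""Why SOURCE_DATE_EPOCH makes an archive-producing build step reproducible."""
import email.utils
import hashlib
import io
import os
import tarfile

# Constructed sample: the most recent debian/changelog date of an imaginary package.
CHANGELOG_DATE = "Tue, 01 Apr 2025 12:00:00 +0000"

# Constructed sample "checkouts": identical content, but each build machine
# checked the files out at a different time and lists them in a different order.
CHECKOUT_A = {
    "src/main.c": (b"int main(void) { return 0; }\n", 1745000000),
    "README": (b"hello\n", 1745000001),
}
CHECKOUT_B = {
    "README": (b"hello\n", 1746000000),
    "src/main.c": (b"int main(void) { return 0; }\n", 1746000001),
}


def source_date_epoch(env, changelog_date):
    """Honour SOURCE_DATE_EPOCH if the caller exported it; otherwise derive it
    from the changelog date (the latest changelog entry is what the Debian
    tooling uses as the epoch)."""
    if "SOURCE_DATE_EPOCH" in env:
        return int(env["SOURCE_DATE_EPOCH"])
    return int(email.utils.parsedate_to_datetime(changelog_date).timestamp())


def build_archive(checkout, epoch=None):
    """Return the bytes of a tar archive of `checkout`.

    epoch=None reproduces the naive build: whatever mtime and ordering the
    build machine happens to have leak into the output.  With an epoch, every
    header field that is not derived from the file content is normalised:
    entries are sorted, owners zeroed and mtimes clamped to the epoch."""
    buf = io.BytesIO()
    names = sorted(checkout) if epoch is not None else list(checkout)
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in names:
            data, mtime = checkout[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            if epoch is None:
                info.mtime = mtime  # machine-specific timestamp ends up in the header
            else:
                info.mtime = min(mtime, epoch)  # never later than the epoch
                info.uid = info.gid = 0
                info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest(blob):
    return hashlib.sha256(blob).hexdigest()


def is_reproducible(epoch=None):
    """True when both simulated build machines produce the same archive bytes."""
    return digest(build_archive(CHECKOUT_A, epoch)) == digest(build_archive(CHECKOUT_B, epoch))


if __name__ == "__main__":
    epoch = source_date_epoch(os.environ, CHANGELOG_DATE)
    print("epoch used:                    ", epoch)
    print("naive build reproducible:      ", is_reproducible())
    print("SOURCE_DATE_EPOCH reproducible:", is_reproducible(epoch))
```

Clamping with min() rather than overwriting matters: a file genuinely older than the changelog date keeps its real mtime, while anything touched by the checkout or build itself is pinned to the epoch, which is the behaviour the specification asks of archive tools.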
Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading version 294 to Debian:
- Use the --walk argument over the potentially dangerous alternative --scan when calling out to zipdetails(1). (Closes: reproducible-builds/diffoscope#406) [...]
- Correct a longstanding issue where many version tests based on the > operator, used in conditional fixtures, were broken. These were used to ensure that specific tests were only run when the version of a tool on the system was newer than a particular number. Thanks to Colin Watson for the report. (Debian bug #1102658) [...]
- Address a long-hidden issue in the test_versions test suite as well, where we weren't actually testing the greater-than comparisons mentioned above, as they were masked by the tests for equality. [...]
- Update copyright years. [...]
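The two diffoscope items above describe a conditional-fixture pitfall: a version check that is only ever exercised at the equality boundary cannot tell a strict > from a >=. Here is an added illustration (my own code, not diffoscope's fixtures) of a small requirement checker that compares versions numerically rather than lexically, plus a helper that evaluates one requirement against versions below, at and above the boundary so that the strict comparison is visibly tested; the version strings are constructed samples.

```python
"""Version requirement checks for conditional test fixtures, with the
strict-versus-inclusive boundary made explicit."""
import re


def parse_version(text):
    """Split '1.10.2' into (1, 10, 2) so that comparisons are numeric.
    Comparing the raw strings would rank '1.10' below '1.9'."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


# Operators a fixture may use when declaring a tool-version requirement.
OPS = {
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
}


def tool_version_satisfies(actual, requirement):
    """True when the installed tool's version `actual` (e.g. '1.10') meets a
    requirement string such as '>= 1.9'."""
    m = re.fullmatch(r"\s*(>=|<=|==|>|<)\s*([\w.]+)\s*", requirement)
    if not m:
        raise ValueError(f"bad requirement: {requirement!r}")
    op, wanted = m.groups()
    return OPS[op](parse_version(actual), parse_version(wanted))


def comparison_matrix(requirement, samples=("1.8", "1.9", "1.10")):
    """Evaluate one requirement against versions below, equal to and above the
    boundary.  If a fixture's matrix for '>' were identical to the one for
    '>=', the strict comparison would not really be under test: that is the
    masking-by-equality problem."""
    return {version: tool_version_satisfies(version, requirement) for version in samples}


if __name__ == "__main__":
    for req in ("> 1.9", ">= 1.9", "== 1.9"):
        print(f"{req:6} -> {comparison_matrix(req)}")
```

The useful property to keep in a test suite is that the matrices for "> 1.9" and ">= 1.9" differ exactly at the boundary version; a suite that only ever probes with the boundary version itself would pass even if > were silently treated as >=.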
Debian
- python-django (5.2-1) — New upstream stable release.
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged libeconf (CVE-2023-22652 & CVE-2023-32118), monero (CVE-2025-26819), mydumper, nvidia-graphics-drivers (CVE-2025-23244), nvidia-graphics-drivers-legacy-390xx (CVE-2025-23244), nvidia-graphics-drivers-tesla-418 (CVE-2025-23244), nvidia-graphics-drivers-tesla-470 (CVE-2025-23244), openjdk-11 (CVE-2025-21587, CVE-2025-30691 & CVE-2025-30698), openjdk-17, qemu (CVE-2024-6519, CVE-2024-7730, CVE-2024-8354 & CVE-2024-8612), request-tracker4 and tomcat9 (CVE-2025-31650 & CVE-2025-31651).
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Work towards a dual update for both LTS and ELTS for CVE-2025-21605, as an unauthenticated client could have caused unlimited growth of output buffers until the server runs out of memory. This work is ongoing, as the backporting process is involved.
- Internal follow-ups and technical investigations surrounding a Django regression related to Python 2.7. This includes strengthening the package's configuration in relation to the ELTS build system so that the Django package is tested upon a Python update.
- Work towards an (LTS-only) update for libeconf in order to address two buffer overflow issues, CVE-2023-22652 & CVE-2023-32181, that have already been addressed via a Debian Security Advisory (DSA) or a stable point release. These issues could lead to a Denial of Service (DoS) attack via malformed configuration files.
You can find out more about the Debian LTS project via the following video:
