Here is my monthly update covering what I have been doing in the free software world during April 2025 (previous month):
Reproducible Builds
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.
This month, I:

- Kept isdebianreproducibleyet.com up to date. [...]
- Submitted at least 4 patches to fix specific reproducibility issues, such as those in magic-wormhole-mailbox-server, openvpn3-client, schism and vcsh.
- Filed a bug against the Debian ants package because, through reproducibility testing, I discovered that its manual pages contained error messages. (#1103254)
- Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.
- Drafted, published and publicised our monthly report for March.
- Updated the main Reproducible Builds website and documentation:
  - Added a configure.ac (GNU Autotools) example for using SOURCE_DATE_EPOCH. [...]
  - Updated the SOURCE_DATE_EPOCH snippet and moved the archive metadata to a more suitable location. [...]
  - Reviewed and merged work by Aman Sharma to improve the website's aesthetics. [...]
Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading version 294 to Debian:

- Use the --walk argument over the potentially dangerous alternative --scan when calling out to zipdetails(1). (Closes: reproducible-builds/diffoscope#406) [...]
- Correct a longstanding issue where many >-based version tests used in conditional fixtures were broken. These were used to ensure that specific tests were only run when the version on the system was newer than a particular number. Thanks to Colin Watson for the report (Debian bug #1102658) [...]
- Address a long-hidden issue in the test_versions testsuite as well, where we weren't actually testing the greater-than comparisons mentioned above, as they were masked by the tests for equality. [...]
- Update copyright years. [...]
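As an added illustration (this is not diffoscope's own code; the function names, the tool name and the version numbers are hypothetical), a minimal version gate of the kind a conditional test fixture uses, plus the boundary check that a suite relying only on equality cases would never exercise:

```python
import re
from typing import Optional, Tuple

# Hypothetical helper, written for this post; diffoscope's real fixtures differ.


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '1.2.10' into a comparable tuple.

    Tuples compare element-wise, so (1, 2, 10) > (1, 2, 9), whereas the
    strings '1.2.10' and '1.2.9' would compare lexically and give the
    wrong answer.
    """
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"no numeric version found in {text!r}")
    return tuple(int(n) for n in nums)


OPERATORS = {
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def version_matches(installed: str, op: str, required: str) -> bool:
    """Evaluate 'installed <op> required' on parsed tuples, not on strings."""
    return OPERATORS[op](parse_version(installed), parse_version(required))


def skip_reason(tool: str, installed: str, op: str, required: str) -> Optional[str]:
    """Return None when a gated test may run, otherwise the reason to skip it."""
    if version_matches(installed, op, required):
        return None
    return f"requires {tool} {op} {required}, found {installed}"


def operators_are_distinct(required: str = "2.0.1") -> bool:
    """Probe the case an equality-only suite masks: at the exact threshold,
    '>' must be False while '>=' must be True. A comparator that silently
    treats '>' as '>=' (or vice versa) fails here and nowhere else."""
    strictly_greater = version_matches(required, ">", required)
    greater_or_equal = version_matches(required, ">=", required)
    return (not strictly_greater) and greater_or_equal
```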
Debian

- python-django (5.2-1) — New upstream stable release.
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged libeconf (CVE-2023-22652 & CVE-2023-32118), monero (CVE-2025-26819), mydumper, nvidia-graphics-drivers (CVE-2025-23244), nvidia-graphics-drivers-legacy-390xx (CVE-2025-23244), nvidia-graphics-drivers-tesla-418 (CVE-2025-23244), nvidia-graphics-drivers-tesla-470 (CVE-2025-23244), openjdk-11 (CVE-2025-21587, CVE-2025-30691 & CVE-2025-30698), openjdk-17, qemu (CVE-2024-6519, CVE-2024-7730, CVE-2024-8354 & CVE-2024-8612), request-tracker4 and tomcat9 (CVE-2025-31650 & CVE-2025-31651).
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Work towards a dual update for both LTS and ELTS for CVE-2025-21605, as an unauthenticated client could have caused unlimited growth of output buffers until the server runs out of memory. This work is ongoing, as the backporting process is involved.
- Internal follow-ups and technical investigations surrounding a Django regression related to a Django and Python 2.7 regression. This includes strengthening the package's configuration in relation to the ELTS build system so that the Django package is tested upon a Python update.
- Work towards an (LTS-only) update for libeconf in order to address two buffer overflow issues, CVE-2023-22652 & CVE-2023-32181, that have been addressed via a Debian Security Advisory (DSA) or a stable point release. These issues could lead to a Denial of Service (DoS) attack via malformed configuration files.

You can find out more about the Debian LTS project via the following video: