Free software activities in April 2026

Here is my monthly update covering what I have been doing in the free software world during April 2026 (previous month):

Reproducible Builds

This month, I:

• Submitted a very large number of patches to fix specific reproducibility issues in fonts-spleen, geoalchemy2, golang-github-deruina-timberjack, golang-github-go-ini-ini, gunicorn, gwcs, mage, node-yarnpkg, php-dompdf, python-bayespy, python-msgspec, python-observabilityclient, ruby-timers, rust-opam-file-rs, spaln, supercell, vim-youcompleteme & wapiti.

• Kept isdebianreproducibleyet.com up to date. [...]

• Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.

• Drafted, published and publicised our monthly report for March 2026.

Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions, 316, 317 and 318 to Debian:

• Bump Standards-Version to 4.7.4. […]
• Correct ordering of python3-guestfs architecture restrictions. […]
• Limit python3-guestfs Build-Dependency to architectures that are not i386. […]
• Try to fix PYPI_ID_TOKEN debugging. […]

Debian

• python-django:

  • 4.2.30-1 — New upstream security release.
  • 5.2.13-1 — Upload of 5.2 branch to unstable.
  • 6.0.4-1 — New upstream security release.

• redis (8.0.6-1) — New upstream security release.

I made the following uploads to fix compatibility with Django 5.x:

• djangorestframework-filters (1.0.0.dev2-4)
• python-crispy-bootstrap3 (2024.1-2 and 2024.1-3)
• python-django-contrib-comments (2.2.0-3)
• python-django-crispy-forms (2.6-2)
• python-django-crum (0.7.9-7)
• python-django-dynamic-fixture (4.0.1-3)
• python-django-extra-views (0.14.0-5)
• python-django-postgres-extra (2.0.9-2 & 2.0.9-3)
• python-django-waffle (4.2.0-2)
• python-djangorestframework-yaml (3.0.1-4)

Finally, I also made the following sponsored uploads:

• sol2 (3.5.0-3)

Debian bugs filed

• django-axes: Please fix compatibility with Django 5.x. (#1134826)

• hyperkitty: Please fix compatibility with Django 5.x. (#1134838)

Debian LTS

This month I have worked 30 hours on Debian Long Term Support (LTS) and on its sister Extended LTS (ELTS) project.

• Investigated and triaged efivar (CVE-2026-6862), emacs (CVE-2026-6861), gpac (CVE-2026-7135), haproxy (CVE-2026-33555), libcryptx-perl (CVE-2026-41564), libxpm (CVE-2026-4367), mako (CVE-2026-41205), mbedtls, mitmproxy (CVE-2026-40606), mongo-c-driver (CVE-2026-6691), nano (CVE-2026-6842 & CVE-2026-6843), node-follow-redirects (CVE-2026-40895), node-uuid (CVE-2026-41907 & CVE-2026-41988), nsis (CVE-2026-42171), opencryptoki (CVE-2026-40253), php7.0 (CVE-2024-2408), php7.3 (CVE-2024-2408), php7.4 (CVE-2024-2408), redis (CVE-2025-67733), sed (CVE-2026-5958) and wireshark (CVE-2026-6530, CVE-2026-6529 & CVE-2026-5653).

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.

• Issued DLA 4523-1 because it was discovered that there was a potential SQL vulnerability in GeoPandas, a tool for working with geographic/geospatial data in the Pandas data analysis suite.

You can find out more about the Debian LTS project via the following video:

You can subscribe to new posts via email or RSS.