Here is my monthly update covering what I have been doing in the free software world in August 2017 (previous month):
- Created ZeroCoolOS, a live operating system that plays the film Hackers (1995) on a continuous loop.
- Sent a patch for pristine-tar to allow storage of detached upstream signatures. (#871809)
- Worked more on Lintian, a static analysis tool for Debian packages, reporting on various errors, omissions and quality-assurance issues to the maintainer (previous changes):
  - Fix an apache2-unparsable-dependency false positive by allowing periods in dependency names. (#873701)
  - Ignore "repacked" packages when checking for upstream source tarball signatures as they will never match.
  - Downgrade the severity of orig-tarball-missing-upstream-signature. (#870722)
  - From a suggestion by Theodore Ts'o, expand the explanation of orig-tarball-missing-upstream-signature to include the location where dpkg-source looks.
  - Address a number of issues in the copyright-year-in-future tag, including preventing false positives in port numbers, email addresses, ISO standard numbers and street addresses (#869788), as well as "meta" or testing statements (#873323). In addition, report all violating years in a line and expand the testsuite.
  - Don't match quoted "FIXME" variants of file-contains-fixme-placeholder (#870199), avoid checking copyright_hints files (#872843) and downgrade the tag's severity.
  - Apply a patch from Alex Muntada to recommend "substr" over "substring" in mentions-deprecated-usr-lib-perl5-directory. (#871767)
  - Prevent missing-build-dependency-for-dh_-command false positives exposed by following the advice in useless-autoreconf-build-depends. (#869541)
  - Ensure readme-debian-contains-debmake-template also checks for files containing "Automatically generated by debmake".
  - Check that python3-foo packages have a Section: python, not just python2-foo. (#870272)
  - Check for packages shipping compiled Java class files. (#873211)
  - Additionally consider .cljc files to avoid codeless-jar warnings. (#870649)
  - Prevent desktop-entry-lacks-keywords-entry false positives for Link and Directory-style .desktop files. (#873702)
  - Split out the Python checks from checks/scripts.pm into a new check of type source.
  - Check for python-foo without a corresponding python3-foo package. (#870681)
  - Complain about packages that Build-Depend on python-sphinx only. (#870730)
  - Warn about packages that alternatively Build-Depend on the Python 2 and Python 3 versions of Sphinx. (#870758)
  - Check for packages that depend on Python 2.x. (#870822)
  - Correct false positives in unconditional-use-of-dpkg-statoverride by detecting "if !" as a shell prefix. (#869587)
  - Alert on missing calls to dpkg-maintscript-helper(1) in maintainer scripts. (#872042)
  - Check for packages using sensible-utils without declaring a dependency after splitting from debianutils. (#872611)
  - Warn about scripts using nodejs as an interpreter now that the nodejs package provides /usr/bin/node. (#873096)
  - Remove recommendations to add a Testsuite: autopkgtest field to debian/control and emit a new tag if the package does so. (#865531)
  - Recognise autopkgtest-pkg-elpa as a valid test suite. (#873458)
  - Add a note to the /etc/bash_completion.d obsolete-path warning output regarding stricter filename requirements. (#814599)
  - Add 4.0.1 and 4.1.0 as known Policy standards versions.
  - Apply a patch from Maia Everett to avoid British spellings under the en_US locale. (#868897)
  - Stop emitting {maintainer,uploader}-address-causes-mail-loops for @packages.debian.org addresses. (#871575)
  - Modify Lintian::Data's all subroutine to always return keys in insertion order.
  - Apply a patch from Steve Langasek to accommodate binutils outputting symbols in a different format on the ppc64el architecture. (#869750)
  - Add an explicit test for packages including external fonts via the Google Font and TypeKit APIs. (#873434)
  - Add missing entries in internal Test-For fields to make the development/testing workflow less error-prone.
- Sent three pull requests to git-buildpackage, a tool to assist in Debian packaging from Git repositories:
  - Make pq --abbrev= configurable. (#872351)
  - Use build profiles to avoid installation of test dependencies. (#31)
  - Correct "allow to" grammar. (#30)
- Updated travis.debian.net (my hosted service for projects that host their Debian packaging on GitHub to use the Travis CI continuous integration platform for testing):
  - Move away from deb.debian.org; Travis appears to be using a HTTP proxy that strips SRV records. (commit)
  - Highlight that double quotes are required for TRAVIS_DEBIAN_EXTRA_REPOSITORY. (commit)
  - Use force-unsafe-io. (commit)
  - Clarify docs when upstream already has a travis.yml file. (#46)
  - Make documentation easier to copy-paste. (commit)
- Merged a pull request in django-slack, my library to easily post messages to the Slack group-messaging utility, where instantiation of a SlackException was failing. (#71)
- Assigned two pull requests to the Redis key-value database store to correct "did not received" and "faield" typos. (#4216 & #4215).
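The copyright-year-in-future work above is a good illustration of how a static-analysis tag trades recall for precision: a bare "any four-digit number later than this year" rule flags port numbers, e-mail addresses, ISO standard numbers and street numbers. The following is an added Python sketch of that heuristic, written for this post; it is not Lintian's own (Perl) code, and the exclusion rules, the sample debian/copyright text and the choice of 2017 as the current year are all assumptions made here.

```python
import re

# Anything that looks like host:port inside a single token, e.g. "localhost:8080".
PORT = re.compile(r":\d+")
# Up to three words followed by a street-type word, e.g. "Main Street" or "Elm St.".
STREET = re.compile(
    r"^\w+(?:\s+\w+){0,2}\s+"
    r"(?:street|st|avenue|ave|road|rd|boulevard|blvd|lane|ln|drive|dr)\b\.?",
    re.I,
)
# A run of exactly four digits (so "20151" and "1-2018" still yield only true 4-digit groups).
FOUR_DIGITS = re.compile(r"(?<!\d)(\d{4})(?!\d)")


def future_years(line, current_year):
    """Return every four-digit number in `line` that is later than `current_year`,
    except those that are really a port number, part of an e-mail address or URL,
    an ISO standard number ("ISO 8859-1", "ISO/IEC 9001") or a street number
    ("2525 Main Street").  All offending years in the line are reported, not just
    the first one."""
    tokens = line.split()
    found = []
    for i, tok in enumerate(tokens):
        # Whole-token exclusions: e-mail addresses, URLs and host:port pairs.
        if "@" in tok or "://" in tok or PORT.search(tok):
            continue
        for m in FOUR_DIGITS.finditer(tok):
            year = int(m.group(1))
            if year <= current_year:
                continue
            # Context exclusions: the token before ("ISO") or the tokens after ("Main Street").
            prev = tokens[i - 1].upper().rstrip(":-") if i else ""
            if prev in ("ISO", "ISO/IEC"):
                continue
            if STREET.match(" ".join(tokens[i + 1:i + 4])):
                continue
            found.append(year)
    return found


def check_copyright(text, current_year):
    """Scan a debian/copyright file and return [(line_number, year), ...] for
    every year that lies in the future relative to `current_year`."""
    return [
        (n, year)
        for n, line in enumerate(text.splitlines(), 1)
        for year in future_years(line, current_year)
    ]


# Constructed sample file: one genuine problem (2018 when the current year is
# 2017) surrounded by the classic false-positive shapes the tag used to trip on.
SAMPLE = """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Contact: Jane Doe <jane2038@example.com>
Source: http://example.com:8080/src

Files: *
Copyright: 2015-2018 Jane Doe
           2016 ACME Corp, 2525 Main Street, Springfield
License: MIT
Comment: character set per ISO 8859-1; see also ISO/IEC 9001
"""

if __name__ == "__main__":
    for line_no, year in check_copyright(SAMPLE, 2017):
        print(f"copyright-year-in-future: line {line_no}: {year}")
```

Running it on the sample reports only line 6 (the 2018 in "2015-2018"); the e-mail, the port, the ISO numbers and the street number are all left alone. The exclusions are deliberately narrow so that a genuine typo such as "Copyright 2081" still gets caught.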
Reproducible builds
Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.
The motivation behind the Reproducible Builds effort is to allow verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
I have generously been awarded a grant from the Core Infrastructure Initiative to fund my work in this area.
This month I:
- Presented a status update at Debconf17 in Montréal, Canada alongside Holger Levsen, Maria Glukhova, Steven Chamberlain, Vagrant Cascadian, Valerie Young and Ximin Luo.
- I worked on the following issues upstream:
- Within Debian:
  - My work as Debian Project Leader (DPL) is covered in my monthly Bits from the DPL email to debian-devel-announce.
  - Created isdebianreproducibleyet.com.
  - Sent a patch to dpkg to sort the "unused substitution" warnings. (#870221)
  - Added a script to devscripts to report on the reproducibility status of installed packages. (#872514)
  - Modified the Debian archive tools (dak) to automatically reject packages which do not bump their date in debian/changelog. (debian-devel post)
  - Fixed a QA issue in snappy that was caught by the reproducible builds continuous integration framework. (#872226)
  - I submitted three patches to fix specific reproducibility issues in grap, isa-support & python-numpy.
  - Finally, I also performed two non-maintainer uploads (NMUs) for jsmath-fonts (#792319) and xvier (#777330) to make their builds reproducible.
- Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
- Worked on publishing our weekly reports. (#118, #119, #120, #121 & #122)
I also made the following changes to our tooling:
diffoscope
diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.
- Use name attribute over path to avoid leaking comparison full path in output. (commit)
- Add missing skip_unless_module_exists import. (commit)
- Tidy diffoscope.progress and the XML comparator. (commit, commit)
Debian
Patches contributed
- openssh: Quote the IP address in ssh-keygen -f suggestions. (#872643)
- libgfshare:
- devscripts:
  - Enable hardening buildflags for /usr/bin/debpkg. (#873379)
  - Add missing scripts/debc to .gitignore. (#873381)
- memcached: Add hardening to systemd .service file. (#871610)
- googler: Tidy long and short package descriptions. (#872461)
- gnome-split: Homepage points to domain-parked website. (#873037)
Uploads
- python-django 1:1.11.4-1 — New upstream release.
- redis:
  - 4:4.0.1-3 — Drop yet more non-deterministic tests.
  - 4:4.0.1-4 — Tighten systemd/seccomp hardening.
  - 4:4.0.1-5 — Drop even more tests with timing issues.
  - 4:4.0.1-6 — Don't install completions to /usr/share/bash-completion/completions/debian/bash_completion/.
  - 4:4.0.1-7 — Don't let sentinel integration tests fail the build as they use too many timers to be meaningful. (#872075)
- python-gflags 1.5.1-3 — If SOURCE_DATE_EPOCH is set, use that as the source of current dates, otherwise use the UTC version of the file's modification time (#836004); don't call update-alternatives --remove in postrm; update debian/watch and Homepage & refresh/tidy the packaging.
- bfs 1.1.1-1 — New upstream release, tidy autopkgtest & patches, organising the latter with Pq-Topic.
- python-daiquiri 1.2.2-1 — New upstream release, tidy autopkgtests & update travis.yml from travis.debian.net.
- aptfs 2:0.10-2 — Add upstream signing key, refer to /usr/share/common-licenses/GPL-3 in debian/copyright & tidy autopkgtests.
- adminer 4.3.1-2 — Add a simple autopkgtest & don't install the Selenium-based tests in the binary package.
- zoneminder (1.30.4+dfsg-2) — Prevent build failures with GCC 7 (#853717) & correct example /etc/fstab entries in README.Debian (#858673).
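The python-gflags change above (prefer SOURCE_DATE_EPOCH, otherwise fall back to the file's UTC modification time) is the standard recipe for taking the clock out of a build, and the Reproducible Builds section above describes why it matters: once the output is bit-for-bit stable, several independent rebuilders can compare digests and agree on whether a build was tampered with. The following Python example, added for this post and not part of python-gflags or any Reproducible Builds tooling, ties both together: it embeds a timestamp chosen by that rule into a deterministic tar archive, "rebuilds" it on three constructed builders whose checkouts have different mtimes, and takes a majority vote over the resulting SHA-256 digests. The builder names, checkout times and pinned epoch value are all made up here.

```python
import hashlib
import io
import tarfile
from collections import Counter


def build_timestamp(env, file_mtime):
    """Timestamp to embed in build output.  SOURCE_DATE_EPOCH (seconds since the
    Unix epoch, UTC) wins whenever the build environment sets it; otherwise fall
    back to the file's own modification time, truncated to whole seconds."""
    epoch = env.get("SOURCE_DATE_EPOCH")
    if epoch is not None:
        value = int(epoch)
        if value < 0:
            raise ValueError("SOURCE_DATE_EPOCH must be a non-negative integer")
        return value
    return int(file_mtime)


def build_archive(files, mtimes, env):
    """Produce a tar archive from {name: bytes}.  The usual sources of
    non-determinism are pinned: sorted member order, fixed owner and mode, and an
    mtime taken from build_timestamp().  Left uncompressed on purpose, because
    gzip would add a header timestamp of its own."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = build_timestamp(env, mtimes[name])
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def consensus(reports):
    """reports: {builder: sha256hex} from independent rebuilders.  Returns
    (agreed_digest, dissenters); agreed_digest is None when no digest is backed
    by a strict majority, in which case every builder is listed as dissenting."""
    digest, votes = Counter(reports.values()).most_common(1)[0]
    if votes * 2 <= len(reports):
        return None, sorted(reports)
    return digest, sorted(b for b, d in reports.items() if d != digest)


# Constructed sample: identical source checked out at different times on three
# builders (mtimes are arbitrary August 2017 values, one with sub-second parts).
SOURCE = {"bin/tool": b"#!/bin/sh\necho hello\n", "README": b"tool 1.0\n"}
CHECKOUTS = {
    "builder-a": {"bin/tool": 1501545600, "README": 1501545600},
    "builder-b": {"bin/tool": 1503878400.5, "README": 1503878401.25},
    "builder-c": {"bin/tool": 1504224000, "README": 1504224000},
}
PINNED = {"SOURCE_DATE_EPOCH": "1502000000"}  # hypothetical value set by the build driver


def rebuild_and_compare(envs):
    """Rebuild on every builder with its own environment and vote on the digests."""
    reports = {b: sha256(build_archive(SOURCE, CHECKOUTS[b], envs[b])) for b in CHECKOUTS}
    return reports, consensus(reports)


if __name__ == "__main__":
    # builder-c "forgot" to export SOURCE_DATE_EPOCH and so falls back to its mtimes.
    envs = {"builder-a": PINNED, "builder-b": PINNED, "builder-c": {}}
    reports, (agreed, dissenters) = rebuild_and_compare(envs)
    for builder, digest in reports.items():
        print(f"{builder}: {digest}")
    print("agreed:", agreed, "dissenters:", dissenters)
```

With SOURCE_DATE_EPOCH exported, builder-a and builder-b produce byte-identical archives despite different checkout times; builder-c, which fell back to its own mtimes, produces a different digest and is the lone dissenter. A dissent like that is the signal the CI framework acts on: either the build is not yet reproducible (a bug to fix, as with snappy above) or one builder's output was modified.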
Finally, I reviewed and sponsored uploads of astral, inflection, more-itertools, trollius-redis & wolfssl.
Debian LTS
This month I have been paid to work 18 hours on Debian Long Term Support (LTS). In that time I did the following:
- "Frontdesk" duties, triaging CVEs, etc.
- Issued DLA 1049-1 for libsndfile preventing a remote denial of service attack.
- Issued DLA 1052-1 against subversion to correct an arbitrary code execution vulnerability.
- Issued DLA 1054-1 for the libgxps XML Paper Specification library to prevent a remote denial of service attack.
- Issued DLA 1056-1 for cvs to prevent a command injection vulnerability.
- Issued DLA 1059-1 for the strongswan VPN software to close a denial of service attack.
Debian bugs filed
- wget: Please hash the hostname in ~/.wget-hsts files. (#870813)
- debian-policy: Clarify whether mailing lists in Maintainers/Uploaders may be moderated. (#871534)
- git-buildpackage: "pq export" discards text within square brackets. (#872354)
- qa.debian.org: Escape HTML in debcheck before outputting. (#872646)
- pristine-tar: Enable multithreaded compression in pristine-xz. (#873229)
- tryton-meta: Please combine tryton-modules-* into a single source package with multiple binaries. (#873042)
- azure-cli:
- fwupd-tests: Don't ship test files to generic /usr/share/installed-tests dir. (#872458)
- libvorbis: Maintainer field points to a moderated mailing list. (#871258)
- rmlint-gui: Ship a rmlint-gui binary. (#872162)
- template-glib: debian/copyright references online source without quotation. (#873619)
FTP Team
As a Debian FTP assistant I ACCEPTed 147 packages: abiword, adacgi, adasockets, ahven, animal-sniffer, astral, astroidmail, at-at-clojure, audacious, backdoor-factory, bdfproxy, binutils, blag-fortune, bluez-qt, cheshire-clojure, core-match-clojure, core-memoize-clojure, cypari2, data-priority-map-clojure, debian-edu, debian-multimedia, deepin-gettext-tools, dehydrated-hook-ddns-tsig, diceware, dtksettings, emacs-ivy, farbfeld, gcc-7-cross-ports, git-lfs, glewlwyd, gnome-recipes, gnome-shell-extension-tilix-dropdown, gnupg2, golang-github-aliyun-aliyun-oss-go-sdk, golang-github-approvals-go-approval-tests, golang-github-cheekybits-is, golang-github-chzyer-readline, golang-github-denverdino-aliyungo, golang-github-glendc-gopher-json, golang-github-gophercloud-gophercloud, golang-github-hashicorp-go-rootcerts, golang-github-matryer-try, golang-github-opentracing-contrib-go-stdlib, golang-github-opentracing-opentracing-go, golang-github-tdewolff-buffer, golang-github-tdewolff-minify, golang-github-tdewolff-parse, golang-github-tdewolff-strconv, golang-github-tdewolff-test, golang-gopkg-go-playground-validator.v8, gprbuild, gsl, gtts, hunspell-dz, hyperlink, importmagic, inflection, insighttoolkit4, isa-support, jaraco.itertools, java-classpath-clojure, java-jmx-clojure, jellyfish1, lazymap-clojure, libblockdev, libbytesize, libconfig-zomg-perl, libdazzle, libglvnd, libjs-emojify, libjwt, libmysofa, libundead, linux, lua-mode, math-combinatorics-clojure, math-numeric-tower-clojure, mediagoblin, medley-clojure, more-itertools, mozjs52, openssh-ssh1, org-mode, oysttyer, pcscada, pgsphere, poppler, puppetdb, py3status, pycryptodome, pysha3, python-cliapp, python-coloredlogs, python-consul, python-deprecation, python-django-celery-results, python-dropbox, python-fswrap, python-hbmqtt, python-intbitset, python-meshio, python-parameterized, python-pgpy, python-py-zipkin, python-pymeasure, python-thriftpy, python-tinyrpc, python-udatetime, python-wither, python-xapp, pythonqt, r-cran-bit, r-cran-bit64, r-cran-blob, r-cran-lmertest, r-cran-quantmod, r-cran-ttr, racket-mode, restorecond, rss-bridge, ruby-declarative, ruby-declarative-option, ruby-errbase, ruby-google-api-client, ruby-rash-alt, ruby-representable, ruby-test-xml, ruby-uber, sambamba, semodule-utils, shimdandy, sjacket-clojure, soapysdr, stencil-clojure, swath, template-glib, tools-analyzer-jvm-clojure, tools-namespace-clojure, uim, util-linux, vim-airline, vim-airline-themes, volume-key, wget2, xchat, xfce4-eyes-plugin & xorg-gtest.
I additionally filed 6 RC bugs against packages that had incomplete debian/copyright files: gnome-recipes, golang-1.9, libdazzle, poppler, python-py-zipkin & template-glib.