August 31st 2018

Free software activities in August 2018

Here is my monthly update covering what I have been doing in the free software world during August 2018 (previous month):

Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
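As an added illustration of the idea (example code written for this page, not part of the original post or of the Reproducible Builds project's tooling), the following toy "build" embeds a timestamp in its output. Run twice, the naive version produces different bytes; the second version honours the SOURCE_DATE_EPOCH environment variable, which is the convention the Reproducible Builds effort promotes for pinning build timestamps, so two independent builds can be compared byte-for-byte. The payload, the timestamp value and the helper names are assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post: a toy build that is
# unreproducible because it stamps the wall-clock time into its output,
# beside a version that honours SOURCE_DATE_EPOCH and so rebuilds identically.
set -eu

# Unreproducible build: embeds the current time, so every run differs.
build_unreproducible() {
    out="$1"
    printf 'payload: hello\nbuilt-at: %s\n' "$(date +%s)" > "$out"
}

# Reproducible build: when SOURCE_DATE_EPOCH is set (e.g. from the latest
# changelog entry), use it instead of the clock; otherwise fall back.
build_reproducible() {
    out="$1"
    stamp="${SOURCE_DATE_EPOCH:-$(date +%s)}"
    printf 'payload: hello\nbuilt-at: %s\n' "$stamp" > "$out"
}

# Build twice with a one-second gap, as two independent parties would, and
# report whether the artifacts are bit-identical.  Prints "reproducible" and
# returns 0, or prints "NOT reproducible" plus the diff and returns 1.
check_reproducible() {
    builder="$1"
    tmp="$(mktemp -d)"
    "$builder" "$tmp/a"
    sleep 1
    "$builder" "$tmp/b"
    if cmp -s "$tmp/a" "$tmp/b"; then
        echo reproducible
        rm -rf "$tmp"
        return 0
    else
        echo "NOT reproducible"
        diff "$tmp/a" "$tmp/b" || true
        rm -rf "$tmp"
        return 1
    fi
}

# Demonstration: pin the timestamp (2018-08-31T00:00:00Z, an arbitrary value
# chosen for the example). The naive build still differs between runs; the
# SOURCE_DATE_EPOCH-aware build does not.
export SOURCE_DATE_EPOCH=1535673600
check_reproducible build_unreproducible || true
check_reproducible build_reproducible
```

In a real package the comparison is done with diffoscope rather than cmp, and the sources of non-determinism are far more varied than a timestamp (file ordering, locale, build paths, uninitialised memory), but the principle is the same: two builders, one source, identical bytes.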

This month I:


Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

  • "Frontdesk" duties, triaging CVEs, responding to user questions, etc.
  • Updated the bin/gen-DSA script to try and avoid duplicated work when generating DLAs and ELAs due to potential lack of co-ordination in the -needed.txt files. [...]
  • Issued DLA 1459-1 addressing a directory traversal vulnerability in cgit, a web frontend for Git repositories.
  • Issued DLA 1460-1 to address denial-of-service (DoS) vulnerabilities in libmspack, a library used to handle Microsoft compression formats.
  • Issued DLA 1469-1 fixing a DoS vulnerability in libxcursor, a library designed to load cursors for the X Window System.
  • Issued DLA 1474-1 to prevent a user enumeration vulnerability in OpenSSH where a remote attacker could test whether a certain user exists on a target server.
  • Issued DLA 1478-1 for libextractor (a library to obtain metadata from files of arbitrary type) which was vulnerable to a stack-based buffer overflow and an infinite loop vulnerability.
  • Issued DLA 1484-1 in the squirrelmail webmail system correcting a number of cross-site scripting (XSS) vulnerabilities.
  • Dropped some trailing whitespace from the ELTS announcement template. [...]
  • Prepared security updates for the Debian "stable" distribution for:
    • python-django (1:1.10.7-2+deb9u2) — Fix an open redirect vulnerability. (#905216)
    • php-horde-image (2.3.6-1+deb9u1) — Fix an infinite loop DoS attack (#865504) & two remote-code execution vulnerabilities (#865505 & #876400).
    • libxcursor (1:1.1.14-1+deb9u2) — Fix a remote denial-of-service vulnerability. (#906012)


  • python-django (1:1.11.15-1 & 2:2.1-1) — New upstream security releases.
  • django-prometheus:
    • 1.0.15-1 — New upstream release, fixing compatibility with recent version of Django.
    • 1.0.15-2 — Updating and uploading package after a change from Martín Ferrari to missing build-deps. (#906348)
  • redis:
    • 5:4.0.11-2 — New upstream RC release
    • 5:5.0~rc4-1 — New upstream RC release
    • 5:5.0~rc4-2 — Drop a non-deterministic test.
    • 5:5.0~rc4-3 — Use the system versions of Lua (#901669) and jemalloc.
  • redisearch (1.3.0~preview2-1, 1.3.0~preview3-1, 1.4.0~rc1-1 & 1.4.0~rc3-1) — New release candidates. (NB. This package was removed in #907577)
  • aiopg (0.15.0-1) — Fix a Python async import issue. (#904361)
  • python-formencode (1.3.0-3) — Fix compatibility with newer versions of pycountry. (#880247)
  • mtools (4.0.18-2.1) — Non-maintainer upload (NMU) to fix two instances of non-determinism (#900409 & #900410). This is required to make meaningful progress on making Debian Installer images reproducible.

I also performed sponsored uploads for elpy (1.23.0-1), megadown (0~20180705+git83c53dd-1), playerctl (0.6.1-1) & wolfssl (3.15.3+dfsg-2).

Debian bugs filed

  • redisearch: "Apache 2.0 with Commons License" violates DFSG § 6. (#906920 & #907577)
  • python-os-faults: No such file or directory text in generated documentation. (#907450)
  • arbtt: "index too large" when running arbtt-stats. (#906815)
  • duktape: Please use a real make target. (#906201)
  • hiredis: New upstream release. (#907259)
  • hivelytracker: Please clarify why .ins files need to be executable. (#905948)
  • snapper-gui: Please clarify why you disable the testsuite. (#905314)
  • node-code: Please clarify origin of module. (#905746)
  • node-toidentifier: Unnecessary $(DEB_BUILD_PROFILES) check. (#905769)
  • radare2: Consolidate DEBUG_SUPPORT conditionals in debian/rules. (#905768)
  • spyder-kernels: Please clarify why you disable the testsuite. (#905394)
  • txws: Use dh_install -X over rm calls. (#905947)

I also filed a build-failure bug against gnucash.

FTP Team

As a Debian FTP assistant I ACCEPTed 183 packages: 389-ds-base, android-platform-external-boringssl, anet, astroidmail, automake-1.16, boohu, botan, breezy, cbatticon, ccdiff, chafa, claws-mail, cmake-vala, dbusada, debian-policy, debspawn, django-cas-server, duktape, e-wrapper, emacs-jedi, ess, flpsed, fonts-gnutypewriter, fonts-sil-alkalami, gamemode, ghdl, glasstty, glslang, golang-github-araddon-gou, golang-github-canonicalltd-raft-test, golang-github-frankban-quicktest, golang-github-gdamore-tcell, golang-github-gogo-googleapis, golang-github-graph-gophers-graphql-go, golang-github-jhoonb-archivex, golang-github-juju-collections, golang-github-machinebox-graphql, golang-github-matryer-is, golang-github-pzhin-go-sophia, golang-github-tmc-scp, hibiscus, hivelytracker, imbalanced-learn, iptables-persistent, isc-kea, jaxrpc-api, jws-api, knot, ldc, libbioparser-dev, libbson-xs-perl, libcommons-jexl3-java, libedlib, libmbassador-java, libosmocore, libpgobject-util-pseudocsv-perl, libreoffice-dictionaries, libthread-pool, libx86emu, libzc, lilypond, linux, lloconv, llvm-toolchain-7, mariadb-10.1, metro-policy, minetest-mod-skyblock, moksha.common, node-code, node-csv-spectrum, node-toidentifier, node-vue-hot-reload-api, nsync, octave, opensaml, pcscada, poezio, puppet-module-puppetlabs-haproxy, python-async-generator, python-gnuplotlib, python-hdmedians, python-os-faults, python-priority, python-qinlingclient, python-sphinxcontrib.apidoc, python-stem, python-uinput, python-ulmo, python3-aiosasl, qlogo, r-cran-dendextend, r-cran-fansi, r-cran-flexmix, r-cran-fpc, r-cran-gclus, r-cran-heatmaply, r-cran-prabclus, r-cran-qap, r-cran-ranger, r-cran-reticulate, r-cran-seriation, r-cran-trimcluster, r-cran-tsp, racon, radare2, rails, renderdoc, ruby-aes-key-wrap, ruby-em-websocket, rust-byte-tools, rust-clap, rust-cmake, rust-colored, rust-commoncrypto, rust-commoncrypto-sys, rust-constant-time-eq, rust-cookie-factory, rust-core-foundation, rust-core-foundation-sys, rust-crossbeam-epoch, rust-crypto-hash, rust-curl-sys, rust-dhcp4r, rust-encoding-rs-io, rust-enum-primitive, rust-env-logger, rust-failure-derive, rust-foreign-types, rust-fs2, rust-generic-array, rust-git2, rust-grep, rust-home, rust-ignore, rust-itertools, rust-jobserver, rust-libgit2-sys, rust-libssh2-sys, rust-libz-sys, rust-mac, rust-miow, rust-new-debug-unreachable, rust-nom, rust-openssl, rust-pcap, rust-phf-shared, rust-pktparse, rust-quote, rust-ripgrep, rust-rusticata-macros, rust-serde-derive, rust-serde-ignored, rust-socket2, rust-structopt, rust-structopt-derive, rust-syn, rust-synstructure, rust-syscallz, rust-termios, rust-threadpool, rust-tokio-executor, rust-unicase, rust-url-serde, s-tui, saaj-ri, sleef, snapper-gui, spoa, spyder-kernels, stomper, termineter, tinyxml2, txws, unibetacode, utf8gen, utfcheck, virtualpg, vulkan-headers, xmltooling, yaha, yubikey-manager & zhcon.

I additionally filed 12 RC bugs for potentially-incomplete debian/copyright files against android-platform-external-boringssl, botan, dbusada, gamemode, ghdl, glslang, golang-github-graph-gophers-graphql-go, golang-github-pzhin-go-sophia, isc-kea, poezio, python-ulmo & renderdoc.
