Free software activities in August 2018

  • 31 August, 2018

Here is my monthly update covering what I have been doing in the free software world during August 2018 (previous month):

  • My activities as the current Debian Project Leader are covered in my Bits from the DPL email to the debian-devel-announce mailing list. [...]
  • I previously accepted an invitation for Debian to join the KDE Advisory Board and subsequently helped draft a press release announcing the news. In this capacity I attended Akademy 2018 where I was particularly taken by Neofytos Kolokotronis' talk on KDE's onboarding process (covered in LWN this week) but also found the Distro BoF illuminating.
  • Fixed an issue in the Tails operating system where the change of gid of the debian-tor user was breaking automatic upgrades [...] as well as submitted patches to use suitable shebangs [...] and to port a script to Python 3 [...].
  • Opened a pull request against the Pixelfed federated photo social network to avoid double-escaping captions in Atom feeds. [...]
  • Authored two pull requests for the Redis key-value database to add support for USE_SYSTEM_LUA [...] and USE_SYSTEM_JEMALLOC [...] build flags to avoid the use of embedded code copies.
  • Fixed an encoding error in my django-slack library that provides a convenient library between projects using the Django web-development framework and the Slack chat platform. [...]
  • Updated my pull request for promise.js to make the build reproducible. [...]
  • Opened a pull request against mblaze to correct a reference to the SOURCE_DATE_EPOCH environment variable. [...]
  • Opened a pull request for the Jekyll documentation generator to respect SOURCE_DATE_EPOCH over [...]
  • Fixed an issue in (my hosted service for projects that host their Debian packaging on GitHub to easily use Travis CI) where building from a branch called debian was broken. [...]
  • Corrected a "Remeber" → "Remember" typo in the gobby collaborative text editor. [...]
  • Updated the documentation in James Aylett's django-session-stashable library to make the User Django instance nullable. [...]
  • Opened a pull request to fix a large number of spelling errors in the gRPC RPC framework. [...]
  • Even more hacking on the Lintian static analysis tool for Debian packages:

Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third parties to come to a consensus on whether a build was compromised.

This month I:


Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

  • "Frontdesk" duties, triaging CVEs, responding to user questions, etc.
  • Updated the bin/gen-DSA script to try and avoid duplicated work when generating DLAs and ELAs due to potential lack of co-ordination in the -needed.txt files. [...]
  • Issued DLA 1459-1 addressing a directory traversal vulnerability in cgit, a web frontend for Git repositories.
  • Issued DLA 1460-1 to address denial-of-service (DoS) vulnerabilities in libmspack, a library used to handle Microsoft compression formats.
  • Issued DLA 1469-1 fixing a DoS vulnerability in libxcursor, a library designed to load cursors for the X Window System.
  • Issued DLA 1474-1 to prevent a user enumeration vulnerability in OpenSSH where a remote attacker could test whether a certain user exists on a target server.
  • Issued DLA 1478-1 for libextractor (a library to obtain metadata from files of arbitrary type) which was vulnerable to a stack-based buffer overflow and an infinite loop vulnerability.
  • Issued DLA 1484-1 in the squirrelmail webmail system correcting a number of cross-site scripting (XSS) vulnerabilities.
  • Dropped some trailing whitespace from the ELTS announcement template. [...]
  • Prepared security updates for the Debian "stable" distribution for:
    • python-django (1:1.10.7-2+deb9u2) — Fix an open redirect vulnerability. (#905216)
    • php-horde-image (2.3.6-1+deb9u1) — Fix an infinite loop DoS attack (#865504) & two remote-code execution vulnerabilities (#865505 & #876400).
    • libxcursor (1:1.1.14-1+deb9u2) — Fix a remote denial-of-service vulnerability. (#906012)


  • python-django (1:1.11.15-1 & 2:2.1-1) — New upstream security releases.
  • django-prometheus:
    • 1.0.15-1 — New upstream release, fixing compatibility with recent versions of Django.
    • 1.0.15-2 — Updating and uploading package after a change from Martín Ferrari to missing build-deps. (#906348)
  • redis:
    • 5:4.0.11-2 — New upstream RC release
    • 5:5.0~rc4-1 — New upstream RC release
    • 5:5.0~rc4-2 — Drop a non-deterministic test.
    • 5:5.0~rc4-3 — Use the system versions of Lua (#901669) and jemalloc.
  • redisearch (1.3.0~preview2-1, 1.3.0~preview3-1, 1.4.0~rc1-1 & 1.4.0~rc3-1) — New release candidates. (NB. This package was removed in #907577)
  • aiopg (0.15.0-1) — Fix a Python async import issue. (#904361)
  • python-formencode (1.3.0-3) — Fix compatibility with newer versions of pycountry. (#880247)
  • mtools (4.0.18-2.1) — Non-maintainer upload (NMU) to fix two instances of non-determinism (#900409 & #900410). This is required to make meaningful progress on making Debian Installer images reproducible.

I also performed sponsored uploads for elpy (1.23.0-1), megadown (0~20180705+git83c53dd-1), playerctl (0.6.1-1) & wolfssl (3.15.3+dfsg-2).

Debian bugs filed

  • redisearch: "Apache 2.0 with Commons License" violates DFSG § 6. (#906920 & #907577)
  • python-os-faults: No such file or directory text in generated documentation. (#907450)
  • arbtt: "index too large" when running arbtt-stats. (#906815)
  • duktape: Please use a real make target. (#906201)
  • hiredis: New upstream release. (#907259)
  • hivelytracker: Please clarify why .ins files need to be executable. (#905948)
  • snapper-gui: Please clarify why you disable the testsuite. (#905314)
  • node-code: Please clarify origin of module. (#905746)
  • node-toidentifier: Unnecessary $(DEB_BUILD_PROFILES) check. (#905769)
  • radare2: Consolidate DEBUG_SUPPORT conditionals in debian/rules. (#905768)
  • spyder-kernels: Please clarify why you disable the testsuite. (#905394)
  • txws: Use dh_install -X over rm calls. (#905947)

I also filed a build-failure bug against gnucash.

FTP Team

As a Debian FTP assistant I ACCEPTed 183 packages: 389-ds-base, android-platform-external-boringssl, anet, astroidmail, automake-1.16, boohu, botan, breezy, cbatticon, ccdiff, chafa, claws-mail, cmake-vala, dbusada, debian-policy, debspawn, django-cas-server, duktape, e-wrapper, emacs-jedi, ess, flpsed, fonts-gnutypewriter, fonts-sil-alkalami, gamemode, ghdl, glasstty, glslang, golang-github-araddon-gou, golang-github-canonicalltd-raft-test, golang-github-frankban-quicktest, golang-github-gdamore-tcell, golang-github-gogo-googleapis, golang-github-graph-gophers-graphql-go, golang-github-jhoonb-archivex, golang-github-juju-collections, golang-github-machinebox-graphql, golang-github-matryer-is, golang-github-pzhin-go-sophia, golang-github-tmc-scp, hibiscus, hivelytracker, imbalanced-learn, iptables-persistent, isc-kea, jaxrpc-api, jws-api, knot, ldc, libbioparser-dev, libbson-xs-perl, libcommons-jexl3-java, libedlib, libmbassador-java, libosmocore, libpgobject-util-pseudocsv-perl, libreoffice-dictionaries, libthread-pool, libx86emu, libzc, lilypond, linux, lloconv, llvm-toolchain-7, mariadb-10.1, metro-policy, minetest-mod-skyblock, moksha.common, node-code, node-csv-spectrum, node-toidentifier, node-vue-hot-reload-api, nsync, octave, opensaml, pcscada, poezio, puppet-module-puppetlabs-haproxy, python-async-generator, python-gnuplotlib, python-hdmedians, python-os-faults, python-priority, python-qinlingclient, python-sphinxcontrib.apidoc, python-stem, python-uinput, python-ulmo, python3-aiosasl, qlogo, r-cran-dendextend, r-cran-fansi, r-cran-flexmix, r-cran-fpc, r-cran-gclus, r-cran-heatmaply, r-cran-prabclus, r-cran-qap, r-cran-ranger, r-cran-reticulate, r-cran-seriation, r-cran-trimcluster, r-cran-tsp, racon, radare2, rails, renderdoc, ruby-aes-key-wrap, ruby-em-websocket, rust-byte-tools, rust-clap, rust-cmake, rust-colored, rust-commoncrypto, rust-commoncrypto-sys, rust-constant-time-eq, rust-cookie-factory, rust-core-foundation, rust-core-foundation-sys, rust-crossbeam-epoch, rust-crypto-hash, rust-curl-sys, rust-dhcp4r, rust-encoding-rs-io, rust-enum-primitive, rust-env-logger, rust-failure-derive, rust-foreign-types, rust-fs2, rust-generic-array, rust-git2, rust-grep, rust-home, rust-ignore, rust-itertools, rust-jobserver, rust-libgit2-sys, rust-libssh2-sys, rust-libz-sys, rust-mac, rust-miow, rust-new-debug-unreachable, rust-nom, rust-openssl, rust-pcap, rust-phf-shared, rust-pktparse, rust-quote, rust-ripgrep, rust-rusticata-macros, rust-serde-derive, rust-serde-ignored, rust-socket2, rust-structopt, rust-structopt-derive, rust-syn, rust-synstructure, rust-syscallz, rust-termios, rust-threadpool, rust-tokio-executor, rust-unicase, rust-url-serde, s-tui, saaj-ri, sleef, snapper-gui, spoa, spyder-kernels, stomper, termineter, tinyxml2, txws, unibetacode, utf8gen, utfcheck, virtualpg, vulkan-headers, xmltooling, yaha, yubikey-manager & zhcon.

I additionally filed 12 RC bugs against packages that had potentially-incomplete debian/copyright files against android-platform-external-boringssl, botan, dbusada, gamemode, ghdl, glslang, golang-github-graph-gophers-graphql-go, golang-github-pzhin-go-sophia, isc-kea, poezio, python-ulmo & renderdoc.