Here is my monthly update covering what I have been doing in the free software world during August 2018 (previous month):
- My activities as the current Debian Project Leader are covered in my Bits from the DPL email to the debian-devel-announce mailing list. [...]
- I previously accepted an invitation for Debian to join the KDE Advisory Board and subsequently helped draft a press release announcing the news. In this capacity I attended Akademy 2018 where I was particularly taken by Neofytos Kolokotronis' talk on KDE's onboarding process (covered in LWN this week) but also found the Distro BoF illuminating.
- Fixed an issue in the Tails operating system where the change of gid of the debian-tor user was breaking automatic upgrades [...] as well as submitted patches to use suitable shebangs [...] and to port a script to Python 3 [...].
- Opened a pull request against the Pixelfed federated photo social network to avoid double-escaping captions in Atom feeds. [...]
- Authored two pull requests for the Redis key-value database to add support for USE_SYSTEM_LUA [...] and USE_SYSTEM_JEMALLOC [...] build flags to avoid the use of embedded code copies.
- Fixed an encoding error in my django-slack library that provides a convenient bridge between projects using the Django web-development framework and the Slack chat platform. [...]
- Updated my pull request for promise.js to make the build reproducible. [...]
- Opened a pull request against mblaze to correct a reference to the SOURCE_DATE_EPOCH environment variable. [...]
- Opened a pull request for the Jekyll documentation generator to respect SOURCE_DATE_EPOCH over Time.now. [...]
- Fixed an issue in travis.debian.net (my hosted service for projects that host their Debian packaging on GitHub to easily use Travis CI) where building from a branch called debian was broken. [...]
- Corrected a "Remeber" → "Remember" typo in the gobby collaborative text editor. [...]
- Updated the documentation in James Aylett's django-session-stashable library to make the User Django instance nullable. [...]
- Opened a pull request to fix a large number of spelling errors in the gRPC RPC framework. [...]
- Even more hacking on the Lintian static analysis tool for Debian packages:
- New features:
- Warn about maintainer scripts that directly query the dpkg database. (#905469)
- Warn about Multi-Arch: same packages that use py{,3}compile in maintainer scripts. (#907276)
- Check for packages that contain X11 fonts but do not run update-fonts. (#905879)
- Detect source-only uploads to non-free that will not be auto-built. (#905467)
- Check for Creative Commons license texts that use the incomplete summary. (#903470)
- Check for packages that have a relation on both Python 2 & 3. (#904817)
- Support "debhelper-compat (= X)" build-dependency as a replacement for debhelper (>= X~). (#904886)
- Check for packages that pass -V to dh_shlibdeps. (#906722)
- Apply patch to warn about uploads that have a version containing ~bpo but do not actually target backports. (#906155)
- Add 4.2.0 and 4.2.1 as known Standards-Versions. [...] & [...]
- Bug fixes:
- Match foo_o.golden with foo.cc to avoid source-is-missing false-positives. (#907475)
- Don't emit unknown-runtime-tests-feature for autopkgtest features named test-name=foo. (#907620)
- Don't assume that tar -tv always includes a time. (#905423)
- Prevent ruby-script-but-no-ruby-dep false positives by also accepting ruby:any. (#905258)
- Drop the no-upstream-changelog tag. (#513544, #646192)
- Don't emit mentions-deprecated-usr-lib-perl5-directory for debian/install. (#905635)
- Reporting:
- Rename vcs-deprecated-in-debian-infrastructure and update the documentation to match. (#907578)
- Expand the description to explain why we emit wrong-path-for-interpreter for #!/usr/bin/env perl shebangs. [...]
Reproducible builds
Whilst anyone can inspect the source code of free software for malicious flaws almost all software is distributed pre-compiled to end users.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
This month I:
- Filed or updated upstream pull requests for jekyll, mblaze & promise.js.
- Updated the Reproducible Builds website to add jelle's talk to our resources page [...], added Monero to the Who is Involved? page and added the relevant DebConf 18 presentations to our database [...].
- Performed a non-maintainer upload (NMU) of the Debian mtools package to fix two instances of non-determinism in the GNU Mtools (#900409 & #900410). This is required to make meaningful progress on making Debian Installer images reproducible.
- Kept isdebianreproducibleyet.com up to date. [...]
- Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
- Updated jenkins.debian.net which runs our comprehensive testing framework to:
- Submitted Debian patches to fix specific reproducibility issues in leiningen-clojure, mblaze & rawtherapee.
- I also made the following changes to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues:
- Don't include the filename in llvm-bcanalyzer results. (#905598)
- Merged a patch from Daniel Kahn Gillmor to avoid line eraser errors on dumb terminals. (#906967)
- Reviewed and applied a patch from Alexis Murzeau to fix an issue with .deb archive members. (#903565)
- Applied a patch from Ricardo Gaviria to fix errors with encrypted archive files. (#904685)
- Worked on publishing our weekly reports. (#171, #172, #173 & #174)
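The jekyll, mblaze and promise.js pull requests above all revolve around the same technique: a build reads SOURCE_DATE_EPOCH and uses it instead of the current time. The following is an added example in Ruby (Jekyll's language), not code from the original post or from any of those projects, of how a build tool honours that variable, including the clamping of pre-existing timestamps that the reproducible-builds.org specification calls for. The `env:` keyword is an assumption so the logic can be exercised without touching the real environment.

```ruby
# Added example, not from the original post or from Jekyll itself: honouring
# SOURCE_DATE_EPOCH so that two builds of the same source stamp the same time.
# `env:` is injected (defaults to ENV) purely so the code can be tested offline.

# Returns the Time a build should stamp into its output.  If SOURCE_DATE_EPOCH
# is set to a non-negative integer (seconds since the Unix epoch, as the
# reproducible-builds.org specification defines it) use it; otherwise fall
# back to `now` (the Time.now the Jekyll pull request replaces).
def build_time(env: ENV, now: Time.now)
  raw = env["SOURCE_DATE_EPOCH"]
  return now if raw.nil? || raw.strip.empty?
  # Reject anything that is not a plain decimal integer rather than silently
  # turning it into 0, which would yield a misleading 1970 timestamp.
  unless raw.strip =~ /\A\d+\z/
    raise ArgumentError, "SOURCE_DATE_EPOCH must be a non-negative integer, got #{raw.inspect}"
  end
  Time.at(Integer(raw.strip, 10)).utc
end

# Timestamps that already exist in the input (file mtimes, dates in front
# matter) are clamped: anything later than SOURCE_DATE_EPOCH is replaced by it,
# anything earlier is kept, so the output never depends on when the source
# happened to be checked out.
def clamp_time(t, env: ENV)
  raw = env["SOURCE_DATE_EPOCH"]
  return t if raw.nil? || raw.strip.empty?
  cutoff = build_time(env: env)
  t > cutoff ? cutoff : t
end

# Consensus check in the spirit of the paragraph above: two independent builds
# with the same SOURCE_DATE_EPOCH but different wall-clock times must agree.
def reproducible?(env_a, env_b, now_a, now_b)
  build_time(env: env_a, now: now_a) == build_time(env: env_b, now: now_b)
end
```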
Debian
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- "Frontdesk" duties, triaging CVEs, responding to user questions, etc.
- Updated the bin/gen-DSA script to try and avoid duplicated work when generating DLAs and ELAs due to potential lack of co-ordination in the -needed.txt files. [...]
- Issued DLA 1459-1 addressing a directory traversal vulnerability in cgit, a web frontend for Git repositories.
- Issued DLA 1460-1 to address denial-of-service (DoS) vulnerabilities in libmspack, a library used to handle Microsoft compression formats.
- Issued DLA 1469-1 fixing a DoS vulnerability in libxcursor, a library designed to load cursors for the X Window System.
- Issued DLA 1474-1 to prevent a user enumeration vulnerability in OpenSSH where a remote attacker could test whether a certain user exists on a target server.
- Issued DLA 1478-1 for libextractor (a library to obtain metadata from files of arbitrary type) which was vulnerable to a stack-based buffer overflow and an infinite loop vulnerability.
- Issued DLA 1484-1 in the squirrelmail webmail system correcting a number of cross-site scripting (XSS) vulnerabilities.
- Dropped some trailing whitespace from the ELTS announcement template. [...]
- Prepared security updates for the Debian "stable" distribution for:
- python-django (1:1.10.7-2+deb9u2) — Fix an open redirect vulnerability. (#905216)
- php-horde-image (2.3.6-1+deb9u1) — Fix an infinite loop DoS attack (#865504) & two remote-code execution vulnerabilities (#865505 & #876400).
- libxcursor (1:1.1.14-1+deb9u2) — Fix a remote denial-of-service vulnerability. (#906012)
Uploads
- python-django (1:1.11.15-1 & 2:2.1-1) — New upstream security releases.
- django-prometheus:
- 1.0.15-1 — New upstream release, fixing compatibility with recent version of Django.
- 1.0.15-2 — Updating and uploading package after a change from Martín Ferrari to missing build-deps. (#906348)
- redis:
- redisearch (1.3.0~preview2-1, 1.3.0~preview3-1, 1.4.0~rc1-1 & 1.4.0~rc3-1) — New release candidates. (NB. This package was removed in #907577)
- aiopg (0.15.0-1) — Fix a Python async import issue. (#904361)
- python-formencode (1.3.0-3) — Fix compatibility with newer versions of pycountry. (#880247)
- mtools (4.0.18-2.1) — Non-maintainer upload (NMU) to fix two instances of non-determinism (#900409 & #900410). This is required to make meaningful progress on making Debian Installer images reproducible.
I also performed sponsored uploads for elpy (1.23.0-1), megadown (0~20180705+git83c53dd-1), playerctl (0.6.1-1) & wolfssl (3.15.3+dfsg-2).
Debian bugs filed
- redisearch: "Apache 2.0 with Commons License" violates DFSG § 6. (#906920 & #907577)
- python-os-faults: No such file or directory text in generated documentation. (#907450)
- arbtt: "index too large" when running arbtt-stats. (#906815)
- duktape: Please use a real make target. (#906201)
- hiredis: New upstream release. (#907259)
- hivelytracker: Please clarify why .ins files need to be executable. (#905948)
- snapper-gui: Please clarify why you disable the testsuite. (#905314)
- node-code: Please clarify origin of module. (#905746)
- node-toidentifier: Unnecessary $(DEB_BUILD_PROFILES) check. (#905769)
- radare2: Consolidate DEBUG_SUPPORT conditionals in debian/rules. (#905768)
- spyder-kernels: Please clarify why you disable the testsuite. (#905394)
- txws: Use dh_install -X over rm calls. (#905947)
I also filed a build-failure bug against gnucash.
FTP Team
As a Debian FTP assistant I ACCEPTed 183 packages: 389-ds-base, android-platform-external-boringssl, anet, astroidmail, automake-1.16, boohu, botan, breezy, cbatticon, ccdiff, chafa, claws-mail, cmake-vala, dbusada, debian-policy, debspawn, django-cas-server, duktape, e-wrapper, emacs-jedi, ess, flpsed, fonts-gnutypewriter, fonts-sil-alkalami, gamemode, ghdl, glasstty, glslang, golang-github-araddon-gou, golang-github-canonicalltd-raft-test, golang-github-frankban-quicktest, golang-github-gdamore-tcell, golang-github-gogo-googleapis, golang-github-graph-gophers-graphql-go, golang-github-jhoonb-archivex, golang-github-juju-collections, golang-github-machinebox-graphql, golang-github-matryer-is, golang-github-pzhin-go-sophia, golang-github-tmc-scp, gotest.tools, hibiscus, hivelytracker, imbalanced-learn, iptables-persistent, isc-kea, jaxrpc-api, jws-api, knot, ldc, libbioparser-dev, libbson-xs-perl, libcommons-jexl3-java, libedlib, libmbassador-java, libosmocore, libpgobject-util-pseudocsv-perl, libreoffice-dictionaries, libthread-pool, libx86emu, libzc, lilypond, linux, lloconv, llvm-toolchain-7, mariadb-10.1, metro-policy, minetest-mod-skyblock, moksha.common, node-code, node-csv-spectrum, node-toidentifier, node-vue-hot-reload-api, nsync, octave, opensaml, pcscada, poezio, puppet-module-puppetlabs-haproxy, python-async-generator, python-gnuplotlib, python-hdmedians, python-os-faults, python-priority, python-qinlingclient, python-sphinxcontrib.apidoc, python-stem, python-uinput, python-ulmo, python3-aiosasl, qlogo, r-cran-dendextend, r-cran-fansi, r-cran-flexmix, r-cran-fpc, r-cran-gclus, r-cran-heatmaply, r-cran-prabclus, r-cran-qap, r-cran-ranger, r-cran-reticulate, r-cran-seriation, r-cran-trimcluster, r-cran-tsp, racon, radare2, rails, renderdoc, ruby-aes-key-wrap, ruby-em-websocket, rust-byte-tools, rust-clap, rust-cmake, rust-colored, rust-commoncrypto, rust-commoncrypto-sys, rust-constant-time-eq, rust-cookie-factory, rust-core-foundation, rust-core-foundation-sys, rust-crossbeam-epoch, rust-crypto-hash, rust-curl-sys, rust-dhcp4r, rust-encoding-rs-io, rust-enum-primitive, rust-env-logger, rust-failure-derive, rust-foreign-types, rust-fs2, rust-generic-array, rust-git2, rust-grep, rust-home, rust-ignore, rust-itertools, rust-jobserver, rust-libgit2-sys, rust-libssh2-sys, rust-libz-sys, rust-mac, rust-miow, rust-new-debug-unreachable, rust-nom, rust-openssl, rust-pcap, rust-phf-shared, rust-pktparse, rust-quote, rust-ripgrep, rust-rusticata-macros, rust-serde-derive, rust-serde-ignored, rust-socket2, rust-structopt, rust-structopt-derive, rust-syn, rust-synstructure, rust-syscallz, rust-termios, rust-threadpool, rust-tokio-executor, rust-unicase, rust-url-serde, s-tui, saaj-ri, sleef, snapper-gui, spoa, spyder-kernels, stomper, termineter, tinyxml2, txws, unibetacode, utf8gen, utfcheck, virtualpg, vulkan-headers, xmltooling, yaha, yubikey-manager & zhcon.
I additionally filed 12 RC bugs against packages that had potentially-incomplete debian/copyright files against android-platform-external-boringssl, botan, dbusada, gamemode, ghdl, glslang, golang-github-graph-gophers-graphql-go, golang-github-pzhin-go-sophia, isc-kea, poezio, python-ulmo & renderdoc.