Free software activities in August 2020

Here is another monthly update covering what I have been doing in the free software world during August 2020 (previous month):

• Filed a pull request against django-enumfield, a library that provides an enumeration-like model field for the Django web development framework. The classproperty helper has been moved to django.utils.functional in newer versions of Django. [...]

• Transferred the maintainership of my Strava Enhancement Suite Chrome extension to improve the user experience on the Strava athletic tracker to Pavel Dolecek.

• As part of my role of being the assistant Secretary of the Open Source Initiative and a board director of Software in the Public Interest, I attended their respective monthly meetings and participated in various licensing and other discussions occurring on the internet, as well as the usual internal discussions, etc.

• Filed a pull request for JSON-C, a reference counting library to allow you to easily manipulate JSON objects from C in order to make the documentation build reproducibly. [...]

• Reviewed and merged some changes to my django-auto-one-to-one library for Django from Dan Palmer (which automatically creates and destroys associated model instances) to not configure signals for models that aren't installed and to honour INSTALLED_APPS during model setup. [...]

• Merged a pull request from Michael K. to cleanup the codebase after dropping support for Python 2 and Django 1.x [...] in my django-slack library which provides a convenient wrapper between projects using the Django and the Slack chat platform.

• Updated my django-staticfiles-dotd utility that concatenates Debian .d-style directories containing Javascript and CSS to drop unquote usage from the six compatibility library. [...]

I uploaded Lintian versions 2.86.0, 2.87.0, 2.88.0, 2.89.0, 2.90.0, 2.91.0 and 2.92.0, as well as made the following changes:

• New features:

  • Check for StandardOutput= and StandardError= fields that use the deprecated syslog or syslog-console systemd facilities. (#966617)
  • Add support for clzip as an alternative for lzip. (#967083)
  • Check for User=nobody and Group=nogroup in systemd .service files. (#966623)

• Bug fixes:

  • Don't emit the patch-not-forwarded-upstream tag for README files under debian/patches. (#968845)
  • Fix a false positive with the no-dh-sequencer tag due to indirect target dependences. (#968108)

• Reporting/interface:

  • Clarify the grammar of the package-uses-old-debhelper-compat-version tag. [...]
  • Update link to the detagtive web interface code as it has been moved to the lintian salsa namespace. [...]
  • Drop the misleading "Beta testing" from the webpage header. [...]

• Misc:

  • Add justification for the use of the lzip dependency in a previous debian/changelog entry. (#966817)
  • Update the generate-tag-summary release script to reflect change of tag definition filename extension change from .desc → .tag. [...]
  • Revert a change to the spelling-error-in-rules-requires-root tag's severity; this is not a "spelling" check in the sense that it does not use our dictionary. [...]
  • Drop an unused $skip_tag argument in the extract_service_file_values routine. [...]

Reproducible Builds

One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

The project is proud to be a member project of the Software Freedom Conservancy. Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.

• Further refined my merge request against the debian-installer component to allow all arguments from sources.list files (such as [check-valid-until=no]) in order that we can test the reproducibility of the installer images on the Reproducible Builds own testing infrastructure and sent a gentle ping to the team that maintains that code.

• Responded at length to a discussion about the status of the reproducibility of ISO images [...], wrote back to the maintainer of WalletScrutiny asking why Android developers appear to be "allergic" to their application not being reproducible [...] and passed on an issue about the diffoscope website being down [...]. I also added a few short remarks on a proposal to bundle .buildinfo files within .deb archives [...].

This month, I:

• Filed a pull request for JSON-C, a reference counting library to allow you to easily construct JSON objects from C in order to make the documentation build reproducibly. [...]

• In Debian, I:

  • Kept isdebianreproducibleyet.com up to date. [...][...][...][...]

  • Submitted the following patches to fix reproducibility-related toolchain issues within Debian:

    • debhelper: Please make the examples from dh_missing reproducible. (#968187)

    • evolution: Please make the shipped .h files reproducible. (#968700)

  • I also submitted 9 patches to fix specific reproducibility issues in aflplusplus, chirp, golang-gonum-v1-plot, json-c, nmh, pencil2d, pixelmed-codec, serd & tpot.

• Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.

• Filed a build-failure bug against the muroar package that was discovered while doing reproducibility testing. (#968189)

• We operate a large and many-featured Jenkins-based testing framework that powers tests.reproducible-builds.org. This month, I updated the self-serve package rescheduler to use HTML <pre> tags when dumping any debugging data. [...]

• Updated the main Reproducible Builds website and documentation to:

  • Clarify & fix a few entries on the "who" page [...][...] and ensure that images do not get to large on some viewports [...].
  • Clarify use of a pronoun re. Conservancy. [...]
  • Use "View all our monthly reports" over "View all monthly reports". [...]
  • Move a "is a" suffix out of the link target on the SOURCE_DATE_EPOCH age. [...]

• Drafted, published and publicised our monthly report.

diffoscope

I made the following changes to diffoscope, including preparing and uploading versions 155, 156, 157 and 158 to Debian:

• New features:

  • Support extracting data of PGP signed data. (#214)
  • Try files named .pgp against pgpdump(1) to determine whether they are Pretty Good Privacy (PGP) files. (#211)
  • Support multiple options for all file extension matching. [...]

• Bug fixes:

  • Don't raise an exception when we encounter XML files with <!ENTITY> declarations inside the Document Type Definition (DTD), or when a DTD or entity references an external resource. (#212)
  • pgpdump(1) can successfully parse some binary files, so check that the parsed output contains something sensible before accepting it. [...]
  • Temporarily drop gnumeric from the Debian build-dependies as it has been removed from the testing distribution. (#968742)
  • Correctly use fallback_recognises to prevent matching .xsb binary XML files.
  • Correct identify signed PGP files as file(1) returns "data". (#211)

• Logging improvements:

  • Emit a message when ppudump version does not match our file header. [...]
  • Don't use Python's repr(object) output in "Calling external command" messages. [...]
  • Include the filename in the "... not identified by any comparator" message. [...]

• Codebase improvements:

  • Bump Python requirement from 3.6 to 3.7. Most distributions are either shipping with Python 3.5 or 3.7, so supporting 3.6 is not only somewhat unnecessary but also cumbersome to test locally. [...]
  • Drop some unused imports [...], drop an unnecessary dictionary comprehensions [...] and some unnecessary control flow [...].
  • Correct typo of "output" in a comment. [...]

• Release process:

  • Move generation of debian/tests/control to an external script. [...]
  • Add some URLs for the site that will appear on PyPI.org. [...]
  • Update "author" and "author email" in setup.py for PyPI.org and similar. [...]

• Testsuite improvements:

  • Update PPU tests for compatibility with Free Pascal versions 3.2.0 or greater. (#968124) [...][...][...]
  • Mark that our identification test for .ppu files requires ppudump version 3.2.0 or higher. [...]
  • Add an assert_diff helper that loads and compares a fixture output. [...][...][...][...]

• Misc:

  • Duplicate docker instructions in the "Get diffoscope" section of the diffoscope website. [...]

Debian

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

• Investigated and triaged chrony [...], golang-1.8 [...], golang-go.crypto [...], golang-golang-x-net-dev [...], icingaweb2 [...], lua5.3 [...], mongodb [...], net-snmp, php7.0 [...], qt4-x11, qtbase-opensource-src, ruby-actionpack-page-caching [...], ruby-doorkeeper [...], ruby-json-jwt [...], ruby-kaminari [...], ruby-kaminari [...], ruby-rack-cors [...], shiro [...] & squirrelmail.

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, attending the Debian LTS BoF at DebConf20 etc.

• Issued DLA 2313-1 and ELA-257-1 to fix a privilege escalation vulnerability in Net-SNMP.

• Issued ELA-263-1 for qtbase-opensource-src and ELA-261-1 for qt4-x11, two components of cross-platform C++ application framework. A specially-crafted XBM image file could have caused a buffer overread.

• Issued ELA-268-1 to address unsafe serialisation vulnerabilities that were discovered in the PHP-based squirrelmail webmail client.

• Issued DLA 2311-1 for zabbix, the PHP-based monitoring system to fix a potential cross-site scripting vulnerability via <iframe> HTML elements.

• Issued DLA 2334-1 to fix a denial of service vulnerability in ruby-websocket-extensions, a library for managing long-lived HTTP 'WebSocket' connections.

• Issued DLA 2345-1 for PHP 7.0 as it was discovered that there was a use-after-free vulnerability when parsing PHAR files, a method of putting entire PHP applications into a single file.

• I also updated the Extended LTS website to pluralise the "Related CVEs" text in announcement emails [...] and dropped some trailing whitespace [...].

You can find out more about the project via the following video:

Uploads to Debian

• memcached:

  • 1.6.6-2 — Enable TLS capabilities by default. (#968603)
  • 1.6.6-3 — Add libio-socket-ssl-perl to test TLS support and perform a general package refresh.

• python-django:

  • 2.2.15-1 (unstable) — New upstream bugfix release
  • 3.1-1 (experimental) — New upstream release.
  • 2.2.15-2 (unstable) & 3.1-2 (experimental) — Set the same PYTHONPATH when executing the runtime tests as we do in the package build. (#968577)

• docbook-to-man:

  • 2.0.0-43 — Refresh packaging, and upload some changes from the Debian Janitor.
  • 2.0.0-44 — Fix compatibility with GCC 10, restoring the missing /usr/bin/instant binary. (#968900)

• hiredis (1.0.0-1) — New upstream release to experimental.

You can subscribe to new posts via email or RSS.