This is my monthly update covering what I have been doing in the free software world throughout August 2021 (view report for July).
- Although my term on the Board of Directors of the Open Source Initiative (OSI) was extended earlier in the year due to exceptional circumstances surrounding the election, I finally had my meeting to formally vote in my replacement and the other directors this month. The last few years have involved a lot of change for the OSI, open source as well as the world as a whole. But compared to when I joined the Board back in 2018, the organisation is in a much better position to respond to changes, and I look forward to seeing what the organisation gets up to in the future, although now slightly from afar.
- I opened a pull request to make the build reproducible in `pytsk`, a project which provides Python bindings for the SleuthKit set of digital forensic tools. It turns out that the `pytsk3.c` file was not being generated in a deterministic fashion due to iterating over a nondeterministic Python data structure. [...]
- Reviewed and merged a pull request to my django-slack library which provides a convenient wrapper between projects using the Django web development framework and the Slack chat platform. Specifically, the PR added support for the `unfurl_links` and `unfurl_media` parameters. [...]
Reproducible Builds
The motivation behind Reproducible Builds is to ensure no flaws have been introduced during compilation processes by promising identical results are always generated from a given source. This allows multiple third-parties to come to a consensus on whether a build was compromised or not.
This month, I:
- Helped publicise a number of talks related to reproducible builds at DebConf21. This included Holger's talk on "Reproducible Buster, Bullseye & Bookworm" as well as Vagrant's talk called "Looking Forward to Reproducible Builds".
- Uploaded `python-libarchive-c` version `3.1-1` to Debian experimental for the new 3.x branch. (`python-libarchive-c` is used by diffoscope.)
- In Debian:
  - Kept isdebianreproducibleyet.com up to date. [...]
  - Submitted the following patches to fix reproducibility-related toolchain issues within Debian:
  - I also submitted 10 patches to fix specific reproducibility issues in `mapcache`, `numcodecs`, `pytsk`, `rust-coreutils`, `samtools`, `spatialindex`, `spirv-cross`, `surgescript`, `translate` and `tty-solitaire`.
  - I filed a bug against `libopenobex` with a patch to report a missing optional build-dependency on `graphviz` which was uncovered during reproducibility testing. (#991938)
- Opened a pull request to make the build reproducible in `pytsk`, a project which provides Python bindings for the SleuthKit set of digital forensic tools. The `pytsk3.c` file was not being generated in a deterministic fashion. [...]
- Spent more time collecting data and other input for a long-running task to create an "ecosystem map" for the Reproducible Builds project.
- Helped publicise and then attend our latest monthly IRC meeting.
- Contributed to a thread on our mailing list regarding Android "desugaring" and its effects on reproducible builds.
- Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
- Drafted, published and publicised our monthly report for July 2021.
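The `pytsk` item above is a textbook instance of the problem the Reproducible Builds definition describes: a generator that iterates over a Python `set` emits its declarations in an order that depends on the interpreter's per-process string hash seed, so two builds of the same source produce different `pytsk3.c` files and no two parties can agree on a checksum. The following is an added illustration, not pytsk's own generator: a toy binding generator run in fresh interpreters under several `PYTHONHASHSEED` values, with the `sorted()` fix alongside, and the outputs compared by SHA-256 the way independent rebuilders would. The function names in `FUNCTIONS` are constructed sample input.

```python
"""Added example (not pytsk's own code): a toy C-binding generator that
iterates over a Python set, run under several PYTHONHASHSEED values to show
why the output differed between builds, next to the sorted() fix."""
import hashlib
import os
import subprocess
import sys

# Constructed sample input: names of C functions the generator should wrap.
FUNCTIONS = [
    "tsk_img_open", "tsk_fs_open", "tsk_vs_open", "tsk_fs_dir_open",
    "tsk_fs_file_open", "tsk_img_close", "tsk_fs_close", "tsk_vs_close",
    "tsk_fs_read", "tsk_img_read", "tsk_fs_dir_close", "tsk_fs_file_close",
]

# The generator itself, run in a separate interpreter so that each run gets
# its own hash seed (exactly what happens between two independent builds).
GENERATOR = '''
import sys
names = set(%r)              # a set: iteration order follows the str hashes
if sys.argv[1] == "fixed":
    names = sorted(names)    # the fix: impose a stable order before emitting
for n in names:
    print("static PyObject *py_%%s(PyObject *self, PyObject *args);" %% n)
'''


def generate(mode, seed):
    """Run the generator ("naive" or "fixed") under the given hash seed and
    return the generated C source as a string."""
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    result = subprocess.run(
        [sys.executable, "-c", GENERATOR % FUNCTIONS, mode],
        env=env, capture_output=True, text=True, check=True,
    )
    return result.stdout


def build_digests(mode, seeds=range(1, 11)):
    """Rebuild under each seed and return the set of distinct SHA-256 digests.
    A reproducible generator yields exactly one digest across all seeds."""
    return {hashlib.sha256(generate(mode, s).encode()).hexdigest() for s in seeds}


if __name__ == "__main__":
    print("naive generator, distinct outputs over 10 seeds:", len(build_digests("naive")))
    print("fixed generator, distinct outputs over 10 seeds:", len(build_digests("fixed")))
```

Running the script shows more than one digest for the naive generator and exactly one for the fixed one; the same comparison, done by separate parties on separate machines, is what lets them reach consensus on whether a build was tampered with.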
I also made the following changes to diffoscope, including uploading versions 180, 181 and 182 to Debian.
- New features:
  - Add support for extracting Android V2 signing keys. [...]
  - If we specify a suffix for a temporary file or directory within the code, ensure it starts with an underscore (ie. "_") to make the generated filenames more human-readable. [...]
  - Don't include short `GCC` lines that differ on a single prefix byte either. These are distracting, not very useful and are simply the strings(1) command's idea of the build ID, which is displayed elsewhere in the diff. [...]
  - Don't include specific `.debug`-like lines in the ELF-related output, as it is invariably a duplicate of the debug ID that is better shown in the `readelf(1)` differences for this file. [...]
- Bug fixes:
  - Add a special case to SquashFS image extraction to not fail if we aren't the superuser. [...]
  - Only use `java -jar /path/to/apksigner.jar` if we have an `apksigner.jar`, as newer versions of `apksigner` in Debian use a shell wrapper script which will be rejected if passed directly to the JVM. [...]
  - Reduce the maximum line length for calculating Wagner-Fischer, improving the speed of output generation a lot. [...]
  - Don't require `apksigner` in order to compare `.apk` files using `apktool`. [...]
  - Update calls (and tests) for the new version of `odt2txt`. [...]
- Output improvements:
- Logging improvements:
- Codebase improvements:
  - Clarify a comment about the `HUGE_TOOLS` Python dictionary. [...]
  - We can pass `-f` to apktool to avoid creating a strangely-named subdirectory. [...]
  - Drop an unused `File` import. [...]
  - Update the supported & minimum version of Black. [...]
  - We don't use the `logging` variable in a specific place, so alias it to an underscore (ie. "_") instead. [...]
  - Update some various copyright years. [...]
  - Clarify a comment. [...]
- Test improvements:
  - Update a test to check specific contents of SquashFS listings, otherwise it fails depending on the test system's user ID to username `passwd(5)` mapping. [...]
  - Assign "seen" and "expected" values to local variables to improve contextual information in failed tests. [...]
  - Don't print an orphan newline when the source code formatting test passes. [...]
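The Wagner-Fischer bug fix above is about cost, not correctness: the algorithm fills a table of `len(a) * len(b)` cells, so one pair of very long differing lines (a minified blob, a hex dump) can dominate the run time of an entire diff. The block below is an added illustration, not diffoscope's own code: the standard Wagner-Fischer dynamic programme, a cell-count helper that makes the quadratic cost visible, and a per-line similarity wrapper that refuses to compare lines over a cap. `MAX_LINE_LENGTH` is an assumed value for this example, not the limit diffoscope uses, and the sample lines are constructed.

```python
"""Added example, not diffoscope's own code: Wagner-Fischer edit distance
and a line-length cap that bounds its quadratic cost."""

MAX_LINE_LENGTH = 128  # assumption for this example, not diffoscope's setting


def wagner_fischer(a, b):
    """Levenshtein distance between a and b via the Wagner-Fischer dynamic
    programme. Time is O(len(a) * len(b)); memory is O(len(b)) because only
    the previous row is kept."""
    prev = list(range(len(b) + 1))           # distance from "" to b[:j]
    for i, ca in enumerate(a, start=1):
        cur = [i]                             # distance from a[:i] to ""
        for j, cb in enumerate(b, start=1):
            substitution = prev[j - 1] + (0 if ca == cb else 1)
            deletion = prev[j] + 1
            insertion = cur[j - 1] + 1
            cur.append(min(substitution, deletion, insertion))
        prev = cur
    return prev[-1]


def dp_cells(a, b):
    """Number of table cells the distance computation must fill."""
    return len(a) * len(b)


def line_similarity(a, b, max_len=MAX_LINE_LENGTH):
    """Similarity score in [0, 1] for two lines, or None when either line is
    longer than max_len. Skipping over-long pairs keeps a single huge line
    from dominating the cost of the whole comparison."""
    if len(a) > max_len or len(b) > max_len:
        return None
    longest = max(len(a), len(b))
    if longest == 0:
        return 1.0
    return 1.0 - wagner_fischer(a, b) / longest


if __name__ == "__main__":
    # Constructed sample lines.
    print(wagner_fischer("kitten", "sitting"))              # 3
    print(line_similarity("mov eax, 1", "mov eax, 2"))      # 0.9
    big_a, big_b = "x" * 4096, "y" * 4096
    print(dp_cells(big_a, big_b), "cells for one 4 KiB line pair")
    print(line_similarity(big_a, big_b))                    # None: skipped
```

A 4 KiB pair alone costs about 16.8 million cell updates in pure Python; lowering the cap trades a little similarity information on such lines for a large, predictable speed-up on the rest of the output.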
Debian
- `python-django` (`3.2.6-1`) — New upstream bugfix release.
- `6.2.5-2` — Explicitly specify `USE_JEMALLOC` to override upstream's detection of ARM architecture systems. This was affecting reproducibility as the `aarch64` kernel flavour was using Jemalloc (whilst `armv7l` was not). `6.2.5-3` — Skip OOM-related tests on incompatible platforms. (#982122) `6.2.5-4` — Use `/run` instead of `/var/run` for PID and UNIX socket files. Thanks to `@MichaIng-guest` for the patch.
- `python-libarchive-c` (`3.1-1`) — Non-maintainer upload to Debian experimental for the 3.x branch. (`python-libarchive-c` is used by diffoscope.)

I also sponsored an upload of `adminer` version `4.8.1-1` for Alexandre Rossi.
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
This month, I:
- Investigated and triaged: `asterisk` (CVE-2021-32686), `gitit` (CVE-2021-38711), `glances` (CVE-2021-23418), `gradle` (CVE-2021-32751), `hoteldruid` (CVE-2021-37832 & CVE-2021-37833), `libapache2-mod-auth-mellon` (CVE-2021-3639), `pjproject` (CVE-2021-32686), `postgresql-9.1` and `transfig` (CVE-2020-21675).
Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions etc. in addition to attending our monthly meeting as well as our public meeting at DebConf21.
- Issued DLA 2727-1 as it was discovered that there was a code injection issue in `PyXDG`, a library used to locate freedesktop.org configuration/cache directories.
- Issued DLA 2728-1 to address four issues in the VideoLAN/VLC media player caused by buffer overflows and NULL-pointer dereferences.
- Issued DLA 2729-1 for the Asterisk telephony system to address an issue where, if a particular driver received a packet that contained an unsupported media format, a crash could have occurred.
- Issued DLA 2736-1 for `lynx` (and ELA-472-1 for `lynx-cur`) to prevent a remote credential leak in the Lynx text-based web browser. After this update, it now correctly handles authentication subcomponents in URIs (eg. the `user:pass` substring in `https://user:pass@example.com`) to avoid remote attackers discovering cleartext credentials in SSL connection data.
- Issued DLA 2717-2 to address a regression in the previous update for Redis. A test was not correctly backported from the latest upstream release which meant that binaries were not available on all LTS platforms. The Redis server code itself was unaffected.
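The Lynx advisory above turns on one parsing step: the `user:pass@` userinfo subcomponent of a URI must be split off before the host is handed to the connection layer, so that only the hostname is used for the TCP/TLS connection and the credentials travel solely in an `Authorization` header. The block below is an added illustration, not Lynx's code: it separates the userinfo with `urllib.parse`, percent-decodes it, and assembles the request lines a client should emit, so a test can check that the cleartext credentials appear nowhere except the header intended for them. The URLs are constructed sample input.

```python
"""Added example, not Lynx's own code: separating the userinfo ("user:pass")
subcomponent of a URI from the host before anything is sent on the wire."""
import base64
from urllib.parse import unquote, urlsplit, urlunsplit


def split_credentials(url):
    """Return (url_without_userinfo, (username, password) or None).

    The host used for the connection is parts.hostname, never the raw netloc,
    which may still carry "user:pass@". Credentials are percent-decoded and
    returned separately for use in an Authorization header."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:                       # IPv6 literal: restore the brackets
        host = "[%s]" % host
    netloc = host if parts.port is None else "%s:%d" % (host, parts.port)
    clean = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    creds = None
    if parts.username is not None:
        creds = (unquote(parts.username), unquote(parts.password or ""))
    return clean, creds


def basic_authorization(creds):
    """HTTP Basic Authorization header value for a (user, password) pair."""
    user, password = creds
    raw = ("%s:%s" % (user, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def request_lines(url):
    """Request line and headers a client should emit for url: path only on
    the request line, hostname only in Host, credentials only in
    Authorization."""
    clean, creds = split_credentials(url)
    parts = urlsplit(clean)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    lines = ["GET %s HTTP/1.1" % target, "Host: %s" % parts.netloc]
    if creds:
        lines.append("Authorization: " + basic_authorization(creds))
    return lines


if __name__ == "__main__":
    # Constructed sample URL.
    for line in request_lines("https://user:pass@example.com/x?q=1"):
        print(line)
```

`parts.netloc` of the cleaned URL is what belongs in the `Host` header and in the TLS server name, whereas the original netloc, `user:pass@example.com`, must never reach either; the test below checks exactly that the `pass@` substring is absent from every emitted line.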
You can find out more about the LTS and ELTS projects via the following video: