Here is my monthly update covering what I have been doing in the free software world (previous month):
- Celebrated my 10-year anniversary of contributing to Debian. An excerpt of this post was quoted on LWN.
- Made a number of improvements to AptFS, my FUSE-based filesystem that provides a view on unpacked Debian source packages as regular folders, including move from the popen2 Python module to subprocess and correcting the parsing of package lists.
- Corrected an UnboundLocalError exception in the Finnish social security number generator in faker, a tool to generate test data in Python applications. (#441)
- Made a small change to travis.debian.net (my hosted service for projects that host their Debian packaging on GitHub to use the Travis CI continuous integration platform to test builds on every code change) to fix an issue with malformed YAML.
- Added the ability to specify the clone target to gbp-import-dsc etc. in git-buildpackage, a tool to build Debian packages using Git. (commit)
- Filed three issues against the Redis key-value database:
Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.
The motivation behind the Reproducible Builds effort is to permit verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
- The 2nd Reproducible Builds World Summit was held in Berlin. The event was a great success with enthusiastic participation from an extremely diverse group of projects. Many thanks to our sponsors for making this event possible.
- I wrote a patch for dak to preserve .buildinfo files on the local ftp-master filesystem. This is a temporary measure to prevent "historical" data loss; the files were previously being silently discarded.
- My talk proposal for Linux.conf.au was accepted.
- I submitted the following patches to fix reproducibility-related toolchain issues within Debian:
- apt: Please make the "moo" reproducible
- python-setuptools: Please make the generated install_files.txt reproducible
- I submitted 7 patches to fix specific reproducibility issues in hoichess, jupyter-notebook, libcorelinux, minicoredumper, nethogs, node-gulp & tinyeartrainer.
- Made a number of updates to the reproducible-builds.org website including editing the language of our definitiom, updating the "Tools" section and adding previous talks of mine to the relevant section, as well as many æsthetic changes to accomodate mobile browsers, etc.
- Worked on publishing our weekly reports. (#84. #85. #86 & #87)
I also made the following changes to our tooling:
diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.
- Avoid unnecessary string manipulation writing --text output (~20x speedup).
- Avoid n iterations over archive files (~8x speedup).
- Don't analyse .deb s twice when comparing .changes files (2x speedup).
- Avoid shelling out to colordiff by implementing color support directly.
- Memoize calls to distutils.spawn.find_executable to avoid excessive stat(1) syscalls.
- Progress bar:
- Show current file / ELF section under analysis etc. in progress bar.
- Move the --status-fd output to use JSON and to include the current filename.
- Code tidying:
- Update dex_expected_diffs test to ensure compatibility with enjarify ≥ 1.0.3.
- Ensure that running from Git will always use that checkout's Python modules.
- Add a simple profiling framework.
strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.
- Makefile.PL: Change NAME argument to a Perl package name.
- Ensure our binaries are available in autopkgtest tests.
- Show progress bar and position in queue, etc. (#25 & #26)
- Promote command-line client with PyPI instructions.
- Increase comparison time limit to 90 seconds.
This month I have been paid to work 13½ hours on Debian Long Term Support (LTS). In that time I did the following:
- "Frontdesk" duties, triaging CVEs, etc.
- Issued DLA 733-1 for openafs, fixing an information leak vulnerability. Due to incomplete initialization or clearing of reused memory, directory objects could contain 'dead' directory entry information.
- Issued DLA 734-1 for mapserver closing an information leakage vulnerability.
- Issued DLA 737-1 for roundcube preventing arbitrary remote code execution by sending a specially crafted email.
- Issued DLA 738-1 for spip patching a cross-site scripting (XSS) vulnerability.
- Issued DLA 740-1 for libgsf fixing a null pointer deference exploit via a crafted .tar file.
- 3.2.5-5 — Add RunTimeDirectory=redis to systemd .service files.
- 3.2.5-6 — Add missing Depends on lsb-base for /lib/lsb/init-functions usage in redis-sentinel's initscript.
- 3.2.6-1 — New upstream release.
- 4.0-1 & 4.0-rc2-1 — New upstream experimental releases.
- aptfs: 0.9-1 & 0.10-1 — New upstream releases.
Debian bugs filed
- bugs.debian.org: Please move the canonical bug URLs to /123456
- git-gui: Error when staging hunk
- lcms2: liblcms2-2 causes cd-iccdump to output incorrect locale names
- nbformat: Doesn't support non-UTF-8 paths
- sagenb-export: Fails when LC_CTYPE is not explicitly UTF-8
- roundcube: Maintainer address bounces
I filed 29 FTBFS bugs against a7xpg, conntrack-tools, factory-boy, faker, glimpse, gunroar, hexchat-otr, jackson-datatype-guava, jalview, jquery, kodi-pvr-mythtv, leap-cli, libbio-graphics-perl, libparanoid-perl, libsass-python, metastudent-data, node-temporary, node-yargs, python-requests-unixsocket, python-restless, ruby-bunny, ruby-github-markup, ruby-rabl, sagenb-export, seaborn, soapdenovo2, titanion, ufw & vagrant-cachier.
Debian FTP Team
As a Debian FTP assistant I ACCEPTed 107 packages: android-platform-libcore, compiz, debian-edu, dehydrated, dh-cargo, gnome-shell-extension-pixelsaver, golang-1.8, golang-github-btcsuite-btcd-btcec, golang-github-elithrar-simple-scrypt, golang-github-pelletier-go-toml, golang-github-restic-chunker, golang-github-weaveworks-mesh, golang-google-genproto, igmpproxy, jimfs, kpmcore, libbio-coordinate-perl, libdata-treedumper-oo-perl, libdate-holidays-de-perl, libpgobject-type-bytestring-perl, libspecio-library-path-tiny-perl, libterm-table-perl, libtext-hogan-perl, lighttpd, linux, linux-signed, llmnrd, lua-geoip, lua-sandbox-extensions, lua-systemd, node-cli-cursor, node-command-join, node-death, node-detect-indent, node-domhandler, node-duplexify, node-end-of-stream, node-first-chunk-stream, node-from2, node-glob-stream, node-has-binary, node-inquirer, node-interpret, node-is-negated-glob, node-is-unc-path, node-lazy-debug-legacy, node-lazystream, node-load-grunt-tasks, node-merge-stream, node-object-assign-sorted, node-orchestrator, node-pkg-up, node-resolve-from, node-resolve-pkg, node-rx, node-sorted-object, node-stream-shift, node-streamtest, node-string.prototype.codepointat, node-strip-bom-stream, node-through2-filter, node-to-absolute-glob, node-unc-path-regex, node-vinyl, openzwave, openzwave-controlpanel, pcb-rnd, pd-upp, pg-partman, postgresql-common, pybigwig, python-acora, python-cartopy, python-codegen, python-efilter, python-flask-sockets, python-intervaltree, python-jsbeautifier, python-portpicker, python-pretty-yaml, python-protobix, python-sigmavirus24-urltemplate, python-sqlsoup, python-tinycss, python-watson-developer-cloud, python-zc.customdoctests, python-zeep, r-cran-dbitest, r-cran-dynlm, r-cran-mcmcpack, r-cran-memoise, r-cran-modelmetrics, r-cran-plogr, r-cran-prettyunits, r-cran-progress, r-cran-withr, ruby-clean-test, ruby-gli, ruby-json-pure, ruby-parallel, rustc, sagemath, sbuild, scram, sidedoor, toolz & yabasic.