December 31st 2017

Free software activities in December 2017

Here is my monthly update covering what I have been doing in the free software world in December 2017 (previous month):


Reproducible builds


Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds effort is to allow verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

I have generously been awarded a grant from the Core Infrastructure Initiative to fund my work in this area.

This month I:



I also made the following changes to our tooling:

diffoscope

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.

  • Support Android ROM boot.img introspection. (#884557)
  • Handle case where a file to be "fuzzy" matched does not contain enough entropy despite being over 512 bytes. (#882981)
  • Ensure the cleanup of symlink placeholders is idempotent. [...]

trydiffoscope

trydiffoscope is a web-based version of the diffoscope in-depth and content-aware diff utility. Continued thanks to Bytemark for sponsoring the hardware.

  • Parse dpkg-parsechangelog in setup.py instead of hardcoding version. [...]
  • Flake8 the main file. [...]

buildinfo.debian.net

buildinfo.debian.net is my experiment into how to process, store and distribute .buildinfo files after the Debian archive software has processed them.

  • Don't HTTP 500 if no request body. [...]
  • Catch TypeError: decode() argument 1 must be string, not None tracebacks. [...]


Debian

My activities as the current Debian Project Leader will be covered in my Bits from the DPL email to the debian-devel-announce mailing list.

Patches contributed

  • bitseq: Add missing Build-Depends on python-numpy for documentation generation. (#884677)
  • dh-golang: Avoid "uninitialized value" warnings. (#885696)
  • marsshooter: Avoid source-includes-file-in-files-excluded Lintian override. (#885732)
  • gtranslator: Do not ship .pyo and .pyc files. (#884714)
  • media-player-info: Bugs field does not refer to Debian infrastructure. (#885703)
  • pydoctor: Add a Homepage field to debian/control. (#884255)

Debian LTS


This month I have been paid to work 14 hours on Debian Long Term Support (LTS). In that time I did the following:

  • "Frontdesk" duties, triaging CVEs, etc.
  • Updating old notes in data/dla-needed.txt.
  • Issued DLA 1204-1 for the evince PDF viewer to fix an arbitrary command injection vulnerability where a specially-crafted embedded DVI filename could be exploited to run commands as the current user when "printing" to PDF.
  • Issued DLA 1209-1 to fix a vulnerability in sensible-browser (a utility to start the most suitable web browser based on one's environment or configuration) where remote attackers could conduct argument-injection attacks via specially-crafted URLs.
  • Issued DLA 1210-1 for kildclient, a "MUD" multiplayer real-time virtual world game to remedy a command-injection vulnerability.
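The sensible-browser advisory above concerns a URL that a launcher passes straight to the browser's command line, where a value beginning with "-" can be read as an option. The following is an added illustration of the defensive check, not the DLA patch or sensible-browser's own code; the wrapper name and the default browser are assumptions made for this example.

```shell
# safe_open_url URL [BROWSER]
# Hypothetical launcher wrapper (constructed for this example, not from
# sensible-browser): refuses values that could be parsed as browser options,
# allows only the schemes we expect, and ends option parsing with "--" before
# the URL is handed over so it can never be treated as a flag.
safe_open_url() {
    url=$1
    browser=${2:-x-www-browser}   # assumed default for illustration

    case "$url" in
        -*)
            echo "rejected: '$url' starts with '-' and could be parsed as an option" >&2
            return 1 ;;
        http://*|https://*)
            ;;
        *)
            echo "rejected: '$url' does not use an allowed scheme" >&2
            return 1 ;;
    esac

    # "--" terminates option parsing; everything after it is an operand.
    "$browser" -- "$url"
}
```

Pass `echo` as the browser argument to see exactly which argv the real browser would receive.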

Uploads

  • python-django (2:2.0-1) — Release the new upstream stable release to the experimental suite.
  • redis:
    • 5:4.0.5-1 — New upstream release & use "metapackage" over "meta-package" in debian/control.
    • 5:4.0.6-1 — New upstream bugfix release.
    • 5:4.0.6-2 — Replace redis-sentinel's main dependency on redis-server with redis-tools, moving the creation/deletion of the redis user and the associated data & log directories to redis-tools (#884321), and add stub manpages for redis-sentinel, redis-check-aof & redis-check-rdb.
    • 5:4.0.6-1~bpo9+1 — Upload to the stretch-backports repository.
  • redisearch:
    • 1.0.1-1 — New upstream release.
    • 1.0.2-1 — New upstream release, ensure the .so file is hardened (upstream patch), update upstream's .gitignore so our changes under debian/ are visible without -f (upstream patch) and override no-upstream-changelog in all binary packages.
  • installation-birthday (6) — Bump Standards-Version to 4.1.2 and replace Priority: extra with Priority: optional.

Finally, I also made the following miscellaneous uploads:

  • cpio (2.12+dfsg-6), NMU-ing a new 2.12 upstream version to the "unstable" suite.
  • wolfssl (3.12.2+dfsg-1 & 3.13.0+dfsg-1) — Sponsoring new upstream versions.

Debian bugs filed


FTP Team


As a Debian FTP assistant I ACCEPTed 106 packages: aodh, autosuspend, binutils, btrfs-compsize, budgie-extras, caja-seahorse, condor, cross-toolchain-base-ports, dde-calendar, deepin-calculator, deepin-shortcut-viewer, dewalls, dh-dlang, django-mailman3, flask-gravatar, flask-mail, flask-migrate, flask-paranoid, flask-peewee, gcc-5-cross-ports, getmail, gitea, gitlab, golang-github-go-kit-kit, golang-github-knqyf263-go-deb-version, golang-github-knqyf263-go-rpm-version, golang-github-mwitkow-go-conntrack, golang-github-parnurzeal-gorequest, golang-github-prometheus-tsdb, haskell-unicode-transforms, haskell-unliftio-core, htslib, hyperkitty, libcbor, libcdio, libcidr, libcloudproviders, libepubgen, libgaminggear, libgitlab-api-v4-perl, libgoocanvas2-perl, libical, libical3, libixion, libjaxp1.3-java, liblog-any-adapter-tap-perl, liborcus, libosmo-netif, libt3config, libtirpc, linux-show-player, mailman-hyperkitty, mailman-suite, mailmanclient, muchsync, node-browser-stdout, node-crc32, node-deflate-js, node-get-func-name, node-ip-regex, node-json-parse-better-errors, node-katex, node-locate-path, node-uglifyjs-webpack-plugin, nq, nvidia-cuda-toolkit, openstack-meta-packages, osmo-ggsn, osmo-hlr, osmo-libasn1c, osmo-mgw, osmo-pcu, patman, peewee, postorius, pyasn1, pymediainfo, pyprind, pysmi, python-colour, python-defaults, python-django-channels, python-django-x509, python-ldap, python-quamash, python-ratelimiter, python-rebulk, python-trezor, python3-defaults, python3-stdlib-extensions, python3.6, python3.7, qscintilla2, range-v3, rawkit, remmina, reprotest, ruby-gettext-i18n-rails-js, ruby-webpack-rails, sacjava, sphinxcontrib-pecanwsme, unicode-cldr-core, wolfssl, writerperfect, xrdp & yoshimi.

I additionally filed 4 RC bugs against packages that had incomplete debian/copyright files: libtirpc, python-ldap, python-trezor & sphinxcontrib-pecanwsme.
