Here is my monthly update covering what I have been doing in the free software world during December 2018 (previous month):

- My activities as the current Debian Project Leader are covered in my "Bits from the DPL" email to the debian-devel-announce mailing list.
- Represented Debian at the Paris Open Source Summit, presenting a session entitled "Debian: Past, Present & Future". It was great to see so many fellow Developers at this event as well as the vibrant and active Debian booth; thank you to all those who helped make this happen.
- Attended the fourth Reproducible Builds summit in Paris, France.
- Continued to maintain a set of module repositories forked from the state prior to Redis Labs relicensing a number of AGPL-licensed Redis modules with the "Commons Clause" amendment.
- Opened a pull request against Keith Packard's "Newt" programming language to add a "frequently asked question". [...]
- Represented Debian (and the free software community in general) as part of my duties of being on the board of directors of the Open Source Initiative.
- Updated travis.debian.net (my hosted service for projects that host their Debian packaging on GitHub to use the Travis CI continuous integration platform) to merge a patch to fix the Ubuntu images [...] and to print a message that it's safe to ignore a Git warning [...].
- Even more hacking on the Lintian static analysis tool for Debian packages:
  - New features/optimisations:
    - Add 4.3.0 as a known `Standards-Version`. [...]
    - Check for packages that embed a varying build path. (#916021)
    - Check for GNU triplets when testing for package-contains-no-arch-dependent-files. [...]
    - Check that `1.2-3~debXuY` stanzas follow a `1.2-3` one. (#916877)
    - Refactor, tidy and optimise various checks for contents of files. [...]
    - Bump the recommended and experimental `debhelper` compat levels to 12 and 13 respectively (#917344) and update descriptions to use the new numbers in examples [...].
  - Bug fixes:
    - Allow packages to define an `RPATH` under `/usr/lib/ghc`. (#914873)
    - Use output from `file(1)` when determining whether to emit package-contains-no-arch-dependent-files. (#916023)
    - Don't emit package-contains-documentation-outside-usr-share-doc for files under `/usr/share/help`. (#916497)
    - Allow alternatives in invariant sections checks. (#916095)
    - Correct logic of package-contains-no-arch-dependent-files detection. [...]
    - Prevent package-contains-no-arch-dependent-files false-positives by assuming `/usr/lib/*/*` files are architecture-dependent. (#916901)
    - Avoid a number of false-positives when processing uses-dpkg-database-directly. [...][...]
    - Don't emit systemd-service-file-missing-hardening-features for `Type=oneshot` [...] or `WantedBy=sleep.target` systemd services [...] and add `default` & `network-online` to the list of valid `WantedBy` targets. [...]
  - Reporting:
    - Clarify that spaces are valid in variable assignments. (#917120)
    - Downgrade appstream-metadata-missing-modalias-provide from `W` → `I`. (#916735)
    - Update dependency-on-python-version-marked-for-end-of-life's description to recommend a commented override. (#917264)
    - Include the `debhelper-compat` method of setting the compatibility level in a number of tag descriptions. (#917345)
    - Downgrade package-uses-vendor-specific-patch-series from `E` → `W`. [...]
    - Fix the description of the non-standard-apache2-module-package-name. [...]
    - Mark debian-watch-does-not-check-gpg-signature as experimental. (#916207)
    - Clarify that symbols-file-missing-build-depends-package-field is emitted per-package. [...]
    - Clarify that `Build-Depends-Package` lines should start in column 1 of the file. [...]
  - Misc:
    - Drop debian-rules-makemaker-prefix-is-deprecated. (#914885)
    - Update location of the Python policy; it is now shipped by `python3` [...] and update a number of references to Salsa [...].
    - Update `data/fields/perl-provides` for Perl 5.028001 [...] & `data/output/manual-references` [...].
## Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

This month I:

- Attended and assisted in the organisation of the fourth Reproducible Builds summit in Paris, France.
- Submitted 4 patches to fix specific reproducibility issues in node-nodedbi, python-ruffus, python-sshoot & tracker.
- Updated the Lintian quality-assurance tool for Debian packages to check for files that reference the build path. (#916021)
- Started to merge the new style guide into our main project website but also completely overhauled the diffoscope.org website, updating the design [...] as well as informing users that they should file issues on Salsa [...] and adding a corresponding link to our registration instructions [...].
- Proposed a number of updates to our Jenkins-based testing framework that powers tests.reproducible-builds.org, including:
- Added `tagpending` integration to some of our repositories hosted on Salsa.
- Drafted, published and publicised our weekly reports (#188, #189, #190 & #191).
- Categorised a huge number of packages and issues in the Reproducible Builds notes repository.
- Kept isdebianreproducibleyet.com up to date. [...]

I also made the following changes to our tooling:
### diffoscope

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.

- Compare `.zip` file comments with `zipnote(1)`. (#901757)
- Fix a `test_mozzip_compressed_files` failure under Alpine Linux. (#916353)
- Use `file_header` to simplify magic detection and version parsing. [...][...][...]
- Calculate the path to the test `.icc` file to avoid an error with new versions of Pytest. (#916226)
- Drop old `debbindiff` `Breaks`/`Replaces`. [...]
- Correct a "positives" typo. [...]

### strip-nondeterminism

strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.

- Remove `javaproperties` handler after Emmanuel Bourg's patch was shipped in OpenJDK 11. (#914289)
- Drop `.ar` handler; binutils output should now be reproducible. (#781262, #843811)
- Ignore encrypted `.zip` files; we can never normalise them. (#852207)
## Debian

### Patches contributed

- console-setup: Please add a reference to `setupcon(1)` in `/etc/default/keyboard`. (#917463)
- dpkg-scanpackages: Needlessly calculates all checksums. (#916456)
- git-buildpackage: Please correct "was build" grammatical errors. (#916044)
- dak: Make Lintian's `package-uses-vendor-specific-patch-series` grounds for auto-rejection. [...]
### Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

- Investigated and triaged CVE-2018-20102, CVE-2018-20103, CVE-2018-19843, CVE-2018-19960, CVE-2018-19840, CVE-2018-19841, CVE-2018-19134, CVE-2018-19871, CVE-2018-16868 & CVE-2018-19655.
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, etc.
- Issued DLA 1604-1 for `lxml`, closing an XSS vulnerability where `javascript:` URLs written with escaping such as "`j a v a s c r i p t:`" evaded sanitisation.
- Issued DLA 1623-1 and ELA-69-1 for `tar`, fixing a denial of service vulnerability where the `--sparse` argument looped endlessly if the file shrank whilst it was being read. (Tar would only break out of this loop if the file grew again to (or beyond) its original end of file.)
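The sanitiser-bypass class behind the lxml advisory above, as an added illustration that is not lxml's own code: a literal prefix check on the raw string misses `j a v a s c r i p t:`, whereas discarding the whitespace and control characters a browser ignores before comparing the scheme does not. `UNSAFE_SCHEMES` and the sample URLs are constructed for this example.

```python
import re

# Schemes whose URLs run code when used in an href/src attribute.
# Constructed set for this illustration, not lxml's own list.
UNSAFE_SCHEMES = {"javascript", "vbscript", "data"}

# Bytes a browser discards inside a URL scheme: ASCII whitespace and C0/DEL controls.
_IGNORED = re.compile(r"[\x00-\x20\x7f]")


def normalise_scheme(url):
    """Return the lower-cased scheme a browser would act on, or "" if the
    URL has no scheme (a relative link)."""
    stripped = _IGNORED.sub("", url)
    scheme, sep, _rest = stripped.partition(":")
    return scheme.lower() if sep else ""


def is_unsafe_url(url):
    """Hardened check: compare the normalised scheme, so spacing tricks
    such as "j a v a s c r i p t:" cannot hide the scheme."""
    return normalise_scheme(url) in UNSAFE_SCHEMES


def naive_is_unsafe_url(url):
    """Weak check: a literal prefix comparison on the raw string, which is
    what the spaced-out form slips past."""
    return url.lower().startswith(tuple(s + ":" for s in UNSAFE_SCHEMES))


# Constructed samples: the spaced-out form from the advisory, the same with a
# tab and a newline, a mixed-case form, and two links that must be accepted.
SAMPLES = {
    "j a v a s c r i p t:alert(1)": True,
    "java\tscript:\nalert(1)": True,
    "JavaScript:alert(1)": True,
    "https://example.org/page": False,
    "docs/index.html": False,
}


def check_samples():
    """Return the samples on which the naive and hardened checks disagree."""
    return [u for u in SAMPLES
            if naive_is_unsafe_url(u) != is_unsafe_url(u)]
```

Only the whitespace-interleaved forms separate the two checks; the mixed-case form is caught by both because both lower-case before comparing.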
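An added illustration of the tar `--sparse` failure mode above (not tar's own code): a copy loop that treats a zero-length read before the recorded size as an error, so a file that shrinks under it aborts the copy instead of spinning. The `simulate` helper and its temporary-file setup are constructed for this example and assume a POSIX system where `os.truncate` can shorten a file that another handle has open.

```python
import os
import tempfile


class SourceShrankError(RuntimeError):
    """The file got shorter than its recorded size while being copied."""


def copy_recorded_size(src, dst, recorded_size, chunk=4096, after_chunk=None):
    """Copy exactly recorded_size bytes (the stat() size taken before the copy,
    as an archiver records it in the member header) from open file src to dst.
    A zero-length read before that size is reached means the file shrank:
    raising there, instead of retrying, is what keeps the loop from spinning."""
    copied = 0
    while copied < recorded_size:
        data = src.read(min(chunk, recorded_size - copied))
        if not data:
            raise SourceShrankError(f"recorded {recorded_size} bytes, read {copied}")
        dst.write(data)
        copied += len(data)
        if after_chunk is not None:      # hook used only by simulate() below
            after_chunk(copied)
    return copied


def simulate(shrink_to=None, size=16384):
    """Constructed race: copy a size-byte file that is truncated to shrink_to
    bytes once the first chunk has been copied (None = no truncation).
    Returns ("ok", bytes_copied) or ("shrank", bytes_copied_before_abort)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"\x00" * size)        # all-zero content, as a sparse file holds
        path = tmp.name
    progress = []

    def after_chunk(copied):
        progress.append(copied)
        if shrink_to is not None and len(progress) == 1:
            os.truncate(path, shrink_to)  # "another process" shrinks the file

    try:
        with open(path, "rb") as src, open(os.devnull, "wb") as dst:
            recorded = os.fstat(src.fileno()).st_size
            return ("ok", copy_recorded_size(src, dst, recorded, after_chunk=after_chunk))
    except SourceShrankError:
        return ("shrank", progress[-1])
    finally:
        os.unlink(path)
```

A file that shrinks to a size below the bytes already copied fails on the very next read; one that shrinks to a size between two chunk boundaries copies the short remainder and then fails.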
### Uploads

- libfiu (`0.98-1`) — New upstream release.
- python-hiredis (`0.3.0-1` & `0.3.1-1`) — New upstream releases.
- python-redis (`3.0.1-2` & `3.0.1-3`) — Mark a number of failing autopkgtests as `XFAIL`.
- lastpass-cli (`1.3.1-6`) — Add missing `pkg-config` to `Build-Depends`. (#916268)
- creoleparser (`0.7.4-2`) & django-pagination (`1.0.7-2`) — Completely overhaul packaging.
- adminer (`4.7.0-2`) — Additionally depend on the `php-fpm` virtual package. (#906692)
### Debian bugs filed

- ITS (Intent to Salvage): mtools. (#916127)
- busybox: "Too many levels of symbolic links". (#915830)
- fonts-roboto: Please ship `.woff` files (eg. `Roboto-Light-webfont.woff`). (#915360)
- jenkins.debian.org: Lintian test jobs have not run since November. (#917119)
- netplan.io: Please add a `Homepage` field. (#917233)
- python-envs: Please replace `Homepage:` reference. (#917230)
- usrmerge: Please handle aborted conversions more gracefully. (#917226)

I also filed bugs against packages that use vendor-specific patch series files for deluge, fail2ban, filezilla, hexchat, libfreenect, libxfce4util, liferea, mate-power-manager, mate-terminal, mixxx, numix-gtk-theme, packagekit, smuxi, xchat & xfce4-smartbookmark-plugin.
### FTP Team

As a Debian FTP assistant I ACCEPTed 141 packages: ansible, bambootracker, birdtray, bitlbee-mastodon, blis, capnproto, centreon-broker, chargebee-python, chargebee2-python, dar, darknet, dask-sphinx-theme, dav4tbsync, davs2, displaycal, django-anymail, dsmidiwifi, eas4tbsync, emerald, emerald-themes, erlang-horse, fusion-icon, ghostwriter, gitlab, go-cpe-dictionary, go-exploitdb, golang-1.12, golang-github-datadog-zstd, golang-github-justinas-alice, golang-github-namsral-flag, google-compute-image-packages, grim, grpc, haskell-gi-atk, haskell-gi-cairo, haskell-gi-dbusmenu, haskell-gi-dbusmenugtk3, haskell-gi-gdk, haskell-gi-gdkpixbuf, haskell-gi-gdkx11, haskell-gi-gio, haskell-gi-glib, haskell-gi-gobject, haskell-gi-gtk, haskell-gi-gtk-hs, haskell-gi-pango, haskell-gi-vte, haskell-gi-xlib, haskell-gtk-sni-tray, haskell-gtk-strut, haskell-status-notifier-item, haskell-system-posix-redirect, haskell-termonad, haskell-xml-html-qq, i3pystatus, jaxb, lablgtk3, libcloudflare-client-perl, libconfig-model-backend-yaml-perl, libcpan-common-index-perl, libhostfile-manager-perl, libhttp-tinyish-perl, libjs-jquery-center, libjs-jquery-markitup, libmenlo-legacy-perl, libmenlo-perl, libmoox-locale-passthrough-perl, libnewlib-nano, libnss-unknown, liborcus, libparse-binary-perl, librtr, libsearch-elasticsearch-client-1-0-perl, libsearch-elasticsearch-client-2-0-perl, libtie-handle-offset-perl, libzstd, lvm2, matplotlib2, med-fichier, meep, meep-lam4, meep-mpi-default, meep-mpich2, meep-openmpi, mir-core, mle, movim, netplan.io, node-lunr, node-ramda, node-react-audio-player, nodejs, oakleaf, olive, openrazer, puppet-module-heini-wait-for, puppet-module-octavia, puppet-module-voxpupuli-ssh-keygen, pylibtiff, pymilter, pyspectral, python-cytoolz, python-dpkt, python-envs, python-flask-cors, python-geotiepoints, python-glad, python-hgapi, python-ifaddr, python-internetarchive, python-markdown2, python-msgpack-numpy, python-netdisco, python-pipx, python-project-generator, 
python-project-generator-definitions, python-pywebview, python-sparkpost, python-sshoot, python-thinc, python-tornado4, pytroll-schedule, rcm, redberry-pipe, ruby-kitchen-salt, ruby-vcr, rust-crossbeam-channel, rust-crossbeam-utils-0.5, rust-ena, rust-hyphenation, slurp, theme-d-gnome, ticcutils, trollimage, trollsift, ulfius, vim-puppet, vland, voluptuous-serialize, vulkan-tools & xavs2.
I additionally filed 11 RC bugs against packages that had potentially-incomplete `debian/copyright` files against centreon-broker, dav4tbsync, eas4tbsync, emerald, i3pystatus, lvm2, olive, python-pywebview, ruby-kitchen-salt, rust-crossbeam-channel & trollsift.