Here is my monthly update covering what I have been doing in the free software world during December 2018 (previous month):
My activities as the current Debian Project Leader are covered in my "Bits from the DPL" email to the
Represented Debian at the Paris Open Source Summit, presenting a session entitled "Debian: Past, Present & Future". It was great to see so many fellow Developers at this event as well as the vibrant and active Debian booth; thank you to all those who helped make this happen.
Attended the fourth Reproducible Builds summit in Paris, France.
Continued to maintain a set of module repositories forked from prior to Redis Labs relicensing a number of AGPL-licensed Redis modules with the "Commons Clause" amendment.
Updated travis.debian.net (my hosted service for projects that host their Debian packaging on GitHub to use the Travis CI continuous integration platform) to merge a patch to fix the Ubuntu images [...] and to print a message that it's safe to ignore a Git warning [...].
Even more hacking on the Lintian static analysis tool for Debian packages:
- Add 4.3.0 as a known
- Check for packages that embed a varying build path. (#916021)
- Check for GNU triplets when testing for package-contains-no-arch-dependent-files. [...]
- Check that 1.2-3~debXuY stanzas follow a
- Refactor, tidy and optimise various checks for contents of files. [...]
- Bump the recommended and experimental debhelper compat levels to 12 and 13 respectively (#917344) and update descriptions to use the new numbers in examples [...].
- Add 4.3.0 as a known
- Allow packages to define an
- Use output from file(1) when determining whether to emit package-contains-no-arch-dependent-files. (#916023)
- Don't emit package-contains-documentation-outside-usr-share-doc for files under
- Allow alternatives in invariant sections checks. (#916095)
- Correct logic of package-contains-no-arch-dependent-files detection. [...]
- Prevent package-contains-no-arch-dependent-files false-positives by assuming /usr/lib/*/* files are architecture-dependent. (#916901)
- Avoid a number of false-positives when processing uses-dpkg-database-directly. [...][...]
- Don't emit systemd-service-file-missing-hardening-features for WantedBy=sleep.target systemd services [...] and add network-online to the list of valid
- Allow packages to define an
- Clarify that spaces are valid in variable assignments. (#917120)
- Downgrade appstream-metadata-missing-modalias-provide from
- Update dependency-on-python-version-marked-for-end-of-life's description to recommend a commented override. (#917264)
- Include the debhelper-compat method of setting the compatibility level in a number of tag descriptions. (#917345)
- Downgrade package-uses-vendor-specific-patch-series from
- Fix the description of the non-standard-apache2-module-package-name. [...]
- Mark debian-watch-does-not-check-gpg-signature as experimental. (#916207)
- Clarify that symbols-file-missing-build-depends-package-field is emitted per-package. [...]
- Clarify that Build-Depends-Package lines should start in column 1 of the file. [...]
Whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed pre-compiled to end users.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
This month I:
Attended and assisted in the organisation of the fourth Reproducible Builds summit in Paris, France.
Started to merge in a new style guide to our main project website but also completely overhauled the diffoscope.org website, updating the design [...] as well as informing users that they should file issues on Salsa [...] and adding a corresponding link to our registration instructions [...].
Categorised a huge number of packages and issues in the Reproducible Builds notes repository.
I also made the following changes to our tooling:
diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.
.zip file comments with
- Fix a test_mozzip_compressed_files failure under Alpine Linux. (#916353)
file_header to simplify magic detection and version parsing. [...][...][...]
- Calculate the path to test .icc file to avoid an error with new versions of Pytest. (#916226)
- Drop old
- Correct a "positives" typo. [...]
strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.
javaproperties handler after Emmanuel Bourg's patch was shipped in OpenJDK 11. (#914289)
.ar handler; binutils output should now be reproducible. (#781262, #843811)
- Ignore encrypted .zip files; we can never normalise them. (#852207)
console-setup: Please add a reference to
dpkg-scanpackages: Needlessly calculates all checksums. (#916456)
git-buildpackage: Please correct "was build" grammatical errors. (#916044)
Frontdesk duties, responding to user/developer questions, reviewing others' packages, etc.
Issued DLA 1623-1 and ELA-69-1 for tar, fixing a denial of service vulnerability where the --sparse argument looped endlessly if the file shrank whilst it was being read. (Tar would only break out of this loop if the file grew again to (or beyond) its original end of file.)
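The failure mode behind that tar advisory, as an added illustration (not tar's own code): a sparse-region copy loop that treats a zero-byte read() as "retry" spins forever once the file has been truncated below the region it was told to copy. The simplified copy_region() below (hypothetical, modelled on the shape of the fix rather than taken from tar) treats EOF before the expected end as a "file shrank" result so the loop always terminates; make_temp_file() and demo_shrink() are constructed test helpers that simulate the file being truncated between the size being recorded and the copy being made.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Outcome of copying one data region of a sparse file into an archive. */
enum region_status { REGION_OK = 0, REGION_SHRANK = 1, REGION_IO_ERROR = -1 };

/* Copy 'len' bytes starting at 'offset' from fd; '*copied' reports progress.
 * The vulnerable loop shape retried on read() == 0 until the file grew back,
 * so a shrinking file hung the archiver. Here EOF before 'len' bytes have
 * been seen is reported as REGION_SHRANK and the loop ends. */
enum region_status copy_region(int fd, off_t offset, size_t len, size_t *copied)
{
    char buf[4096];
    *copied = 0;
    if (lseek(fd, offset, SEEK_SET) < 0)
        return REGION_IO_ERROR;
    while (*copied < len) {
        size_t want = len - *copied;
        if (want > sizeof buf)
            want = sizeof buf;
        ssize_t n = read(fd, buf, want);
        if (n < 0) {
            if (errno == EINTR)
                continue;               /* interrupted: genuinely retry */
            return REGION_IO_ERROR;
        }
        if (n == 0)
            return REGION_SHRANK;       /* EOF early: the file shrank under us */
        /* a real archiver would write buf[0..n) to the archive here */
        *copied += (size_t)n;
    }
    return REGION_OK;
}

/* Constructed input: an unlinked temp file holding 'size' bytes of 'x'. */
int make_temp_file(size_t size)
{
    char path[] = "/tmp/sparse-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);
    char *data = malloc(size);
    memset(data, 'x', size);
    if (write(fd, data, size) != (ssize_t)size) { free(data); close(fd); return -1; }
    free(data);
    return fd;
}

/* Simulate the race: the region was sized at 'size' bytes, but the file is
 * truncated to 'shrink_to' bytes before copy_region() runs. */
enum region_status demo_shrink(size_t size, size_t shrink_to, size_t *copied)
{
    int fd = make_temp_file(size);
    if (fd < 0)
        return REGION_IO_ERROR;
    if (ftruncate(fd, (off_t)shrink_to) < 0) { close(fd); return REGION_IO_ERROR; }
    enum region_status st = copy_region(fd, 0, size, copied);
    close(fd);
    return st;
}
```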
0.98-1) — New upstream release.
0.3.1-1) — New upstream releases.
Debian bugs filed
busybox: "Too many levels of symbolic links". (#915830)
fonts-roboto: Please ship
netplan.io: Please add a
python-envs: Please replace
usrmerge: Please handle aborted conversions more gracefully. (#917226)
I also filed bugs against packages that use vendor-specific patch series files for
As a Debian FTP assistant I ACCEPTed 141 packages: ansible, bambootracker, birdtray, bitlbee-mastodon, blis, capnproto, centreon-broker, chargebee-python, chargebee2-python, dar, darknet, dask-sphinx-theme, dav4tbsync, davs2, displaycal, django-anymail, dsmidiwifi, eas4tbsync, emerald, emerald-themes, erlang-horse, fusion-icon, ghostwriter, gitlab, go-cpe-dictionary, go-exploitdb, golang-1.12, golang-github-datadog-zstd, golang-github-justinas-alice, golang-github-namsral-flag, google-compute-image-packages, grim, grpc, haskell-gi-atk, haskell-gi-cairo, haskell-gi-dbusmenu, haskell-gi-dbusmenugtk3, haskell-gi-gdk, haskell-gi-gdkpixbuf, haskell-gi-gdkx11, haskell-gi-gio, haskell-gi-glib, haskell-gi-gobject, haskell-gi-gtk, haskell-gi-gtk-hs, haskell-gi-pango, haskell-gi-vte, haskell-gi-xlib, haskell-gtk-sni-tray, haskell-gtk-strut, haskell-status-notifier-item, haskell-system-posix-redirect, haskell-termonad, haskell-xml-html-qq, i3pystatus, jaxb, lablgtk3, libcloudflare-client-perl, libconfig-model-backend-yaml-perl, libcpan-common-index-perl, libhostfile-manager-perl, libhttp-tinyish-perl, libjs-jquery-center, libjs-jquery-markitup, libmenlo-legacy-perl, libmenlo-perl, libmoox-locale-passthrough-perl, libnewlib-nano, libnss-unknown, liborcus, libparse-binary-perl, librtr, libsearch-elasticsearch-client-1-0-perl, libsearch-elasticsearch-client-2-0-perl, libtie-handle-offset-perl, libzstd, lvm2, matplotlib2, med-fichier, meep, meep-lam4, meep-mpi-default, meep-mpich2, meep-openmpi, mir-core, mle, movim, netplan.io, node-lunr, node-ramda, node-react-audio-player, nodejs, oakleaf, olive, openrazer, puppet-module-heini-wait-for, puppet-module-octavia, puppet-module-voxpupuli-ssh-keygen, pylibtiff, pymilter, pyspectral, python-cytoolz, python-dpkt, python-envs, python-flask-cors, python-geotiepoints, python-glad, python-hgapi, python-ifaddr, python-internetarchive, python-markdown2, python-msgpack-numpy, python-netdisco, python-pipx, python-project-generator, 
python-project-generator-definitions, python-pywebview, python-sparkpost, python-sshoot, python-thinc, python-tornado4, pytroll-schedule, rcm, redberry-pipe, ruby-kitchen-salt, ruby-vcr, rust-crossbeam-channel, rust-crossbeam-utils-0.5, rust-ena, rust-hyphenation, slurp, theme-d-gnome, ticcutils, trollimage, trollsift, ulfius, vim-puppet, vland, voluptuous-serialize, vulkan-tools & xavs2.
I additionally filed 11 RC bugs against packages that had potentially-incomplete debian/copyright files against centreon-broker, dav4tbsync, eas4tbsync, emerald, i3pystatus, lvm2, olive, python-pywebview, ruby-kitchen-salt, rust-crossbeam-channel & trollsift.