Software Freedom Conservancy (the fiscal sponsor for the Reproducible Builds project) have announced their fundraising season with a huge pledge to match donations from a number of illustrious individuals. If you have ever considered joining as a supporter, now would be the time to do so.
Whilst it was a busy month away from the keyboard for me, here is my update covering what I have been doing in the free software world during December 2019 (previous month):
- Attended the fifth Reproducible Builds summit meeting in Marrakesh, Morocco.
- As part of my duties of being on the board of directors of the Open Source Initiative and Software in the Public Interest (SPI) I attended and prepared for their respective monthly meetings, participated in various licensing and other free software related topics occurring on the internet, as well as the usual internal discussions regarding logistics, policy, etc.
- Opened a pull request against the Chart.js JavaScript charting library to make the build reproducible. [...]
- Updated my django-slack library, which provides a convenient library between projects using Django and the Slack chat platform, to drop Python 2.7 support prior to its upcoming deprecation [...] and to add support for Python 3.8 [...].
- Made some changes to my tickle-me-email library, which implements Getting Things Done-like behaviours in IMAP inboxes, including fixing an issue where we could add a duplicate empty Subject header that would result in emails being rejected as invalid by mail servers. [...]
- Opened a pull request to make the build reproducible in infernal, a tool for analysing RNA molecule data. [...]
- Even more hacking on the Lintian static analysis tool for Debian packages including a considerable amount of issue and merge request triage, as well as:
  - Bug fixes:
    - Don't attempt to check the manual section if we don't know the section number, in order to silence Perl warnings on the command line. (#946471)
  - Cleanups:
    - Move exceptions to the field-too-long tag to a list. [...]
    - Drop an unused List::MoreUtils any import. [...]
  - Reporting:
    - Add missing tag summary checks to debian/changelog and fix our generate-tag-summary script to match our newer style of changelog entry placeholder. [...]
    - Update the long description of the debian-rules-not-executable tag to not imply that precisely 0755 permissions are required. [...]
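The duplicate empty Subject header mentioned for tickle-me-email above is easy to reproduce with Python's standard email library, so here is an added example (not code from tickle-me-email) showing how the duplicate arises and two ways to prevent it. The legacy email.message.Message (compat32 policy) appends a header on every assignment, so assigning Subject twice silently yields two Subject lines, which RFC 5322 forbids and which some mail servers reject as invalid; the modern EmailMessage (email.policy.default) refuses the second assignment with ValueError. The sample message, the buggy helper and the guarded helper are all constructed for this example.

```python
"""Added example: how a duplicate empty Subject header sneaks into a message
parsed from an IMAP mailbox, and how to set the header exactly once."""
import email
from email import policy

# Constructed sample message, as it might be read back from an IMAP folder.
RAW_MESSAGE = (
    "From: alice@example.invalid\r\n"
    "To: bob@example.invalid\r\n"
    "Date: Mon, 02 Dec 2019 10:00:00 +0000\r\n"
    "\r\n"
    "Body text.\r\n"
)


def count_header(msg, name):
    """Number of occurrences of a header (case-insensitive), 0 if absent."""
    return len(msg.get_all(name) or [])


def add_subject_buggy(msg, subject=""):
    """Hypothetical buggy behaviour: unconditionally append a Subject header.
    Under the compat32 policy every call adds another Subject line."""
    msg["Subject"] = subject
    return msg


def add_subject_once(msg, subject=""):
    """Fixed behaviour: set Subject exactly once, replacing any existing value.
    Works for both the legacy Message and the modern EmailMessage classes."""
    if "Subject" in msg:
        msg.replace_header("Subject", subject)
    else:
        msg["Subject"] = subject
    return msg


def parse_compat32(raw=RAW_MESSAGE):
    """Parse with the default (compat32) policy, which tolerates duplicates."""
    return email.message_from_string(raw)


def parse_modern(raw=RAW_MESSAGE):
    """Parse into an EmailMessage whose policy allows at most one Subject."""
    return email.message_from_string(raw, policy=policy.default)


def demonstrate_duplicate():
    """Subject count after two calls of the buggy helper on a compat32 message."""
    msg = parse_compat32()
    add_subject_buggy(msg)
    add_subject_buggy(msg)
    return count_header(msg, "Subject")  # 2: the message is now invalid


def demonstrate_fixed():
    """Subject count after two calls of the guarded helper on a compat32 message."""
    msg = parse_compat32()
    add_subject_once(msg, "")
    add_subject_once(msg, "")
    return count_header(msg, "Subject")  # 1


def modern_policy_rejects_duplicate():
    """True if EmailMessage raises ValueError on a second Subject assignment."""
    msg = parse_modern()
    msg["Subject"] = ""
    try:
        msg["Subject"] = ""
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("buggy path Subject count:", demonstrate_duplicate())
    print("fixed path Subject count:", demonstrate_fixed())
    print("EmailMessage rejects duplicate:", modern_policy_rejects_duplicate())
```

A quick check in practice is to run count_header over every header name before handing a rewritten message back to the IMAP server; any count above one for Subject, Date, From or Message-ID is a message a strict server may bounce.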
Reproducible builds
Whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed pre-compiled to end users. The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising that identical results are always generated from a given source, thus allowing multiple third parties to come to a consensus on whether a build was compromised.
The initiative is proud to be a member project of the Software Freedom Conservancy, a not-for-profit 501(c)(3) charity focused on ethical technology and user freedom.
Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
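To make the "identical results from a given source" idea concrete, here is an added example (not code from the Reproducible Builds project or from diffoscope) in which two simulated builders archive the same constructed source tree. Their outputs differ only because the archiver records each builder's wall-clock time, which is exactly the kind of timestamp difference the diffoscope ISO change below is meant to expose; pinning the timestamp, as the SOURCE_DATE_EPOCH convention does for real build tools, lets independent builders reach consensus on one checksum. Builder clock values and the pinned epoch are constructed.

```python
"""Added example: timestamps break reproducibility, pinning them restores it,
and a consensus check over several builders' digests."""
import hashlib
import io
import time
import zipfile
from collections import Counter

# Constructed "source tree": identical on every builder.
SOURCE_FILES = {
    "hello.txt": b"hello, world\n",
    "VERSION": b"1.0\n",
}

# Constructed builder clocks: two machines building a day apart.
BUILDER_CLOCKS = [1575000000, 1575086400]
# Constructed pinned timestamp, playing the role of SOURCE_DATE_EPOCH.
PINNED_EPOCH = 1574900000


def build_archive(files, timestamp):
    """Produce a zip archive of `files`, stamping every entry with `timestamp`
    (seconds since the epoch). Entries are added in sorted order so that the
    directory-walk order on a builder cannot leak into the output either."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):
            info = zipfile.ZipInfo(name, date_time=time.gmtime(timestamp)[:6])
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name])
    return buf.getvalue()


def sha256_hex(data):
    """Hex SHA-256 of an artifact, the value builders would publish."""
    return hashlib.sha256(data).hexdigest()


def build(files, wall_clock, source_date_epoch=None):
    """Simulate one builder: it uses its own clock unless a pinned epoch is
    supplied, mirroring what SOURCE_DATE_EPOCH does for real build tools."""
    stamp = wall_clock if source_date_epoch is None else source_date_epoch
    return sha256_hex(build_archive(files, stamp))


def consensus(digests):
    """Given digests reported by several builders, return (agreed, digest).
    `agreed` is True only when every builder produced the same artifact;
    `digest` is the most common value, which helps spot the odd one out."""
    counts = Counter(digests)
    digest, n = counts.most_common(1)[0]
    return n == len(digests), digest


def unpinned_digests():
    """Each builder stamps the archive with its own clock: digests differ."""
    return [build(SOURCE_FILES, clock) for clock in BUILDER_CLOCKS]


def pinned_digests():
    """Each builder uses the pinned epoch: digests are identical."""
    return [build(SOURCE_FILES, clock, PINNED_EPOCH) for clock in BUILDER_CLOCKS]


if __name__ == "__main__":
    for label, digests in (("unpinned", unpinned_digests()),
                           ("pinned", pinned_digests())):
        agreed, digest = consensus(digests)
        print(f"{label}: consensus={agreed} digest={digest[:16]}...")
```

The same pattern applies to any build artifact: a third party rebuilds from the published source under the pinned epoch, computes the digest, and compares it with the digests other builders published. Agreement across independent builders is the evidence that no flaw was introduced at compile time; a single disagreeing builder is the signal to run diffoscope on the two artifacts.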
I made the following changes to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues:
- Always pass a filename with a .zip extension to zipnote, otherwise it will return with a UNIX exit code of 9 and we fall back to displaying a binary difference for the entire file. [...]
- Include the libarchive file listing for ISO images to ensure that timestamps -- and not just dates -- are visible in any difference. (#81)
- Ensure that our autopkgtests are run with our pyproject.toml present for the correct black source code formatter settings. (#945993)
- Rename the text_option_with_stdiout test to text_option_with_stdout [...] and tidy some unnecessary boolean logic in the ISO9660 tests [...].
I also:
- Attended our Reproducible Builds summit meeting in Marrakesh, Morocco and helped with various facets of its organisation.
- Filed upstream pull requests for infernal (a project for analysing RNA molecule data) [...] and the Chart.js JavaScript charting library [...].
- In Debian:
  - Kept isdebianreproducibleyet.com up to date. [...]
  - Submitted two patches to fix reproducibility-related toolchain issues within Debian for gtk-doc (#946331), libtext-markdown-perl (#947708) and markdown (#947608).
  - I also submitted patches to fix specific reproducibility issues in infernal (#946315), libtext-markdown-perl (#947708), nftables (#946332), node-chart.js (#946333), parsinsert (#946335) & usb-modeswitch-data (#946330).
- Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
- Drafted, published and publicised our monthly report.
- I spent a few moments on our website this month too, including:
  - Adding a link to the Tails privacy-related operating system's instructions on how to verify a downloaded image. [...]
  - Adding links to the Reproducible Builds subreddit to the page footer. [...]
  - Correcting a "name" typo [...], adding a missing "to" [...] and adjusting capitalisations of "OCaml" [...].
Debian
Debian LTS
This month I have worked 16½ hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged: asterisk (CVE-2019-13161), cacti, firefox-esr (CVE-2019-17012, etc.), gnome-font-viewer, gnome-sushi, heimdal (CVE-2019-14870), inetutils, jruby, keystone (CVE-2019-19687), librabbitmq (CVE-2019-18609), netkit-telnet, netkit-telnet-ssl, npm (CVE-2019-16777, etc.), openslp-dfsg (CVE-2019-5544, etc.), python-django (CVE-2019-19118), rabbitmq-server (CVE-2019-11287, etc.), ruby-rack (CVE-2019-16782), thunderbird (CVE-2019-17012, etc.), tomcat8 (CVE-2019-12418, etc.), waitress (CVE-2019-16786, etc.), wireshark (CVE-2019-19553), yara (CVE-2019-19648) & zabbix (CVE-2013-7484).
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Issued DLA 2022-1 to correct an integer overflow vulnerability in librabbitmq, a library for robust messaging between applications and servers.
- Issued DLA 2024-1 for phpmyadmin on behalf of Utkarsh Gupta.
- Issued DLA 2025-1 for openslp-dfsg on behalf of Utkarsh Gupta.
- Issued DLA 2026-1 for htmldoc on behalf of Utkarsh Gupta.
- Issued DLA 2032-1 to fix an unsafe deserialisation issue in the cacti server monitoring system.
- Issued DLA 2042-1 for python-django to fix a Unicode-related account hijack vulnerability in Django, the Python-based web development framework.
- Issued DLA 2048-1 to address a potential denial of service vulnerability in libxml2, the GNOME XML parsing library.
Uploads
- redis (6.0~rc1-1) — New upstream RC release.
- 2.2.8-1 — New upstream security release.
- 2.2.9-1 — New upstream security release.
- 2.2.9-2 — Add python3-selenium to test-dependencies and to a runtime Suggests. (#947549)
- 3.0-1 — New upstream major release.
- 3.0.1-1 — New upstream security release.
- lastpass-cli (1.3.3-3) — Move to using the provided build system to CMake (etc.) to enable cross builds. (#947209)
- libfiu (1.00-5) — Disable a number of non-deterministic tests.
- For the Tails privacy-oriented operating system, I uploaded obfs4proxy (0.0.8-1).
FTP Team
As a Debian FTP assistant I ACCEPTed eight packages: fluidsynth, golang-github-bmatcuk-doublestar, golang-github-pearkes-cloudflare, librandomx, meep, meep-mpi-default, meep-openmpi & node-webassemblyjs. I additionally filed two RC bugs against packages that had potentially-incomplete debian/copyright files against fluidsynth & meep.