Here is my monthly update covering what I have been doing in the free software world during December 2020 (previous month):
- Reviewed and merged a contribution from Peter Law to my django-cache-toolbox library for Django-based web applications, including explicitly requiring that cached relations are primary keys (#23) and improving the example in the README (#25).
- I took part in an interview with Vladimir Bejdo, an intern at the Software Freedom Conservancy, in order to talk about the Reproducible Builds project, my participation in software freedom, the importance of reproducibility in software development, and to have a brief discussion on the issues facing free software as a whole. The full interview can be found on Conservancy's webpages.
- As part of my duties of being on the board of directors of the Open Source Initiative, I attended its monthly meeting and participated in various licensing and other related discussions occurring on the internet. Unfortunately, I could not attend the parallel meeting for Software in the Public Interest this month.
Reproducible Builds
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
This month, I:
- Submitted a draft academic paper to IEEE Software. The article (co-written by Stefano Zacchiroli) is aimed at a fairly general audience. It first defines the overall problem and then provides insight into the challenges of actually making real-world software reproducible. It then outlines the experiences of the Reproducible Builds project in making large-scale software collections/supply-chains/ecosystems reproducible and concludes by describing the affinity between reproducibility efforts and quality assurance.
- Kept isdebianreproducibleyet.com up to date. [...]
- Submitted 11 patches in Debian to fix specific reproducibility issues in circlator, dvbstreamer, eric, jbbp, knot-resolver, libjs-qunit, mail-expire, osmo-mgw, python-pyramid, pyvows & sayonara.
- Categorised a huge number of packages and issues in the Reproducible Builds 'notes' repository.
- For disorderfs (our FUSE-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues), I made the following changes:
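To make concrete both the "identical results from a given source" promise described above and the kind of defect disorderfs is built to surface, here is an added example (it is not code from this post, from disorderfs or from the Reproducible Builds project). It simulates a build step that concatenates a directory's files into one artifact and digests it: when the build consumes entries in whatever order the filesystem hands them back, different listing orders yield different digests, so independent builders can never agree; sorting the entries first restores a stable output. The filenames, their contents and the exhaustive-permutation stand-in for an unordered directory listing are all constructed for the illustration.

```python
import hashlib
import itertools

# Constructed sample "source tree": a few files whose concatenation
# stands in for a build artifact (an archive, a bundled asset, ...).
SOURCE_FILES = {
    "a.txt": b"alpha\n",
    "b.txt": b"bravo\n",
    "c.txt": b"charlie\n",
}


def build_artifact(files: dict, listing: list, sort_entries: bool) -> bytes:
    """Concatenate name + NUL + content for every entry, in the order
    given by `listing`. A reproducible build must not depend on that
    order, so the hardened variant sorts the listing before use."""
    order = sorted(listing) if sort_entries else list(listing)
    out = b""
    for name in order:
        out += name.encode() + b"\x00" + files[name]
    return out


def digest(artifact: bytes) -> str:
    """SHA-256 of the artifact, the value independent builders compare."""
    return hashlib.sha256(artifact).hexdigest()


def distinct_digests(files: dict, sort_entries: bool) -> set:
    """Run the build once per possible directory order (standing in for
    the arbitrary orders a filesystem such as disorderfs may return) and
    collect every digest produced."""
    return {
        digest(build_artifact(files, list(order), sort_entries))
        for order in itertools.permutations(files)
    }


def is_reproducible(files: dict, sort_entries: bool) -> bool:
    """True only if every listing order produced the same artifact."""
    return len(distinct_digests(files, sort_entries)) == 1


if __name__ == "__main__":
    # Expected: the unsorted build gives one digest per permutation (6 for
    # three files); the sorted build always gives exactly one.
    print("unsorted listing, distinct digests:",
          len(distinct_digests(SOURCE_FILES, sort_entries=False)))
    print("sorted listing reproducible:",
          is_reproducible(SOURCE_FILES, sort_entries=True))
```

The same principle applies to real archive steps: GNU tar's --sort=name option, for instance, makes tar's member order independent of the directory order, which is one of the fixes these reproducibility patches typically carry.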
- Drafted, published and publicised our monthly report, as well as managed the project's various social media accounts.
- Contributed to a discussion about the recent 'SolarWinds' attack. [...]
- I also made a large number of changes to the main Reproducible Builds website and documentation, including applying a typo fix from Roland Clobus [...], fixing the draft detection logic (#28), adding more academic articles to our list [...] and correcting a number of grammar issues [...][...].
I also made the following changes to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues, including releasing version 163:
- New features & bug fixes:
- Codebase improvements:
  - Update the debian/copyright file to match the copyright notices in the source tree. (#224)
  - Update various years across the codebase in .py copyright headers. [...]
  - Rewrite the filter routine that post-processes the output from readelf(1). [...]
  - Remove unnecessary PEP 263 encoding header lines; unnecessary after PEP 3120. [...]
  - Use minimal instead of basic as a variable name to match the underlying package name. [...]
  - Use pprint.pformat in the JSON comparator to serialise the differences from jsondiff. [...]
  - Update the
Debian
Uploads
- 2.2.17-2 — Fix compatibility with GNU gettext version 0.21. (#978263)
- 3.1.4-1 — New upstream bugfix release.
- mtools (4.0.26-1) — New upstream release.
I also sponsored an upload of adminer (4.7.8-2) on behalf of Alexandre Rossi and performed two QA uploads of sendfile (2.1b.20080616-7 and 2.1b.20080616-8) to make the build reproducible (#776938) and to fix a number of other unrelated issues.
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged: awstats, imagemagick, node-ini, openexr, openssl1.0, p11-kit, pypy, python-py, sqlite3, sympa, etc.
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Issued DLA 2477-1 for the Jupyter Notebook interactive notebook system, where a maliciously-crafted link could redirect the browser to a malicious/spoofed website. (CVE-2020-26215)
- Issued DLA 2491-1 and ELA-333-1 to fix two issues in OpenEXR, a set of tools to manipulate OpenEXR image files, often used in the computer-graphics industry for visual effects and animation. (CVE-2020-16588 & CVE-2020-16589)
- Issued DLA 2503-1 as it was discovered that there was an issue in node-ini, an .ini configuration file format parser/serialiser for Node.js, where an application could be exploited by a malicious input file.
You can find out more about the Debian LTS project via the following video: