Free software activities in December 2021

Here is my monthly update covering what I have been doing in the world of free software world during December 2021 (previous month):

As part of my duties of being on the board of directors of the Software in the Public Interest I attended its respective monthly meetings and participated in various licensing and other discussions occurring on the internet, as well as the usual internal discussions regarding logistics and policy etc.

Reproducible Builds

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during compilation processes by promising that identical results are always generated from a given source, therefore allowing multiple third-parties to come to a consensus on whether a build was compromised.

This month, I:

• Categorised a very large number of packages and issues in the Reproducible Buildsnotes.git repository.

• Kept isdebianreproducibleyet.com up to date. [...]

• Submitted 3 patches to fix specific reproducibility issues in cwltool, locust & mate-submodules within Debian.

• Filed a bug against the perl6-readline Debian package to report and enquire about 'strange' files installed under /usr/lib/perl6/vendor/dist. (#1002496)

• Updated the main website and documentation to consolidate a number of duplicate images. [...]

• Drafted, published and publicised our monthly report for November 2021.

I also made the following changes to diffoscope, including preparing and uploading versions 195, 196, 197 and 198 to Debian:

• Support showing Ordering differences only within .dsc field values. [...]
• Add support for 'XMLb' files. [...]
• Also add, for example, /usr/lib/x86_64-linux-gnu to our local binary search path. [...]
• Support OCaml versions 4.11, 4.12 and 4.13. [...]
• Drop some unnecessary has_same_content_as logging calls. [...]
• Replace token variable with an anonymously-named variable instead to remove extra lines. [...]
• Don't use the runtime platform's native endianness when unpacking .pyc files. This fixes test failures on big-endian machines. [...]

Debian

• Memcached (1.6.12+dfsg-3) — Fix compilation errors under -O3-level optimisation level. (#1001357)

• Django:

  • 3.2.10-1 — New upstream security release.
  • 4.0-1 — New upstream major release.

• bfs (2.3-1) — New upstream release.

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project. This included:

• Investigating and triaging apache-log4j1.2 (CVE-2021-44228), apache-log4j2 (CVE-2021-44228), calibre (CVE-2021-44686), privoxy (CVE-2021-44540, CVE-2021-44541, CVE-2021-44542 & CVE-2021-44543), python-django (CVE-2021-44420), salt, openblas (CVE-2021-4048), pdns-bouncer (CVE-2020-25829 & CVE-2020-14196) & pgbouncer (CVE-2021-3935).

• Frontdesk duties, responding to user/developer questions, reviewing others' packages.

• Removing a number of entries marked 'end-of-life' for newly-supported packages. [...]

• Issuing DLA 2841-1 and ELA 526-1 for runc in order to correct an overflow issue in the Netlink 'bytemsg' length field handling.

• Participating in mailing list discussions about an upcoming survey as well as attending our monthly meeting.

• Filed a bullseye-pu bug for python-django version 2:2.2.25-1~debu11u1. (#1001285)

You can find out more about the project via the following video:

You can subscribe to new posts via email or RSS.