Free software activities in December 2025

My monthly update covering what I've been doing in the free software world during December 2025.Here is my monthly update covering what I have been doing in the free software world during December 2025 (previous month).

Reproducible Builds

One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.

This month, I:

• Kept isdebianreproducibleyet.com up to date. [...]

• Submitted 67 (!) patches to fix specific reproducibility issues in authselect, bibtexparser, cif2cell, circlator, dh-cargo, fff, fortran-regex, geoalchemy2, golang-forgejo-forgejo-levelqueue, golang-github-akavel-rsrc, golang-github-appleboy-easyssh-proxy, golang-github-apptainer-sif, golang-github-artyom-mtab, golang-github-cue-lang-cue, golang-github-cznic-ql, golang-github-digitorus-timestamp, golang-github-dreamitgetit-statuscake, golang-github-foxboron-go-tpm-keyfiles, golang-github-foxboron-go-uefi, golang-github-gin-gonic-gin, golang-github-go-macaron-toolbox, golang-github-google-go-attestation, golang-github-google-go-pkcs11, golang-github-google-go-tpm, golang-github-issue9-identicon, golang-github-jhoonb-archivex, golang-github-jonas-p-go-shp, golang-github-jung-kurt-gofpdf, golang-github-kr-binarydist, golang-github-kshedden-dstream, golang-github-linkedin-goavro, golang-github-muesli-termenv, golang-github-notaryproject-notation-go, golang-github-otiai10-copy, golang-github-reviewdog-errorformat, golang-github-roaringbitmap-roaring, golang-github-shenwei356-breader, golang-github-spf13-afero, golang-github-theupdateframework-go-tuf, golang-github-tjfoc-gmsm, golang-github-ulikunitz-xz, golang-github-valyala-fasthttp, golang-github-viant-toolbox, golang-github-yudai-gojsondiff, golang-goptlib, golang-k8s-apimachinery, golang-k8s-sigs-kustomize-cmd-config, golang-k8s-sigs-release-utils, golang-mvdan-editorconfig, goobook, graudit, in-toto-golang, libopenoffice-oodoc-perl, lua-penlight, microbiomeutil, node-convert-source-map, php-dompdf, plyara, python-openstep-plist, python-pyshortcuts, rust-doxx, rust-fslock, rust-rustpython-parser, rust-xdg, sigstore-go, tdiary & zope.deferredimport.

• Drafted, published and publicised our monthly report for November 2025.

• Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.

• Elsewhere in our tooling, I updated diffoscope in Debian trixie, fixing an issue after an upload of systemd-ukify in order to fix Debian bug #1121754. [...]

Debian

• docbook-to-man (2.0.0-50) — Fix cross-building. (#1122264)

• memcached (1.6.40-1) — New upstream release.

• python-django:

  • 4.2.27-1 — New upstream security release.
  • 6.0-1 — New upstream 6.0 release.

Debian LTS

This month I have worked 30 hours on Debian Long Term Support (LTS) and on its sister Extended LTS (ELTS) project.

• Issued DLA 4425-1 as it was discovered that there were two issues in Django:

  • CVE-2025-64459: A potential SQL injection via _connector keyword argument in QuerySet/Q objects. The QuerySet methods filter(), exclude() and get() as well as the Q() class were subject to SQL injection when using a suitably crafted dictionary as the _connector argument.

  • CVE-2025-64460: A potential denial-of-service vulnerability in XML serializer text extraction. An algorithmic complexity issue in django.core.serializers.xml_serializer.getInnerText() allowed a remote attacker to cause a potential denial-of-service triggering CPU and memory exhaustion via a specially crafted XML input submitted to a service that invokes said Deserializer class. The vulnerability resulted from repeated string concatenation while recursively collecting text nodes, which produced superlinear computation.

• Investigated and triaged ELA-1602-1 for Django as well, although only to fix CVE-2025-64460.

• As part of a more general audit of CVEs assigned to Django, I also filed Debian bug #1121788 and continued work on a package for the next stable update.

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.

You can find out more about the Debian LTS project via the following video:

You can subscribe to new posts via email or RSS.