Here is my monthly update covering what I have been doing in the free software world in February 2018 (previous month):
Submitted a pull request to the libical calendar library to make the build reproducible. [...]
Reviewed a pull request for my email debugging tool which aids development of Django web applications that email attachments / HTML components. [...]
Created a pull request for the RediSearch — a search engine module for Redis — to make the build reproducible. [...]
Added myself to Philip James' experimental project that attempts to find ways to funding development of software packages. [...]
Filed a pull request for the "ufo2ft" font conversion tool to make .OTF font generation reproducible. [...]
Re-submitted a pull request for the Promise.js library to make the build reproducible. [...]
Even more hacking on the Lintian static analysis tool for Debian packages:
- New features:
  - Warn if maintainer scripts use chown -R to prevent hardlink attacks. (#889066)
  - Warn if packages use ENABLED="true" in /etc/default. [...]
  - Warn about systemd unit files that install to "unusual" WantedBy= targets. (#817170)
  - Warn about changelog files that are too short. (#890920)
  - Check for unnecessary SOURCE_DATE_EPOCH assignments. (#832099)
  - Warn if packages define multiple "compat" levels. [...]
  - Check for maintainer scripts that call udevadm without a guard as it can fail within a chroot. (#890224)
  - Warn when specifying --parallel to dh(1) in compat levels ≥ 10. (#890358)
  - Add classification tags for the .deb member compression format. (#738442, #889856)
  - Check for .jar files that embed Foo.java alongside a Foo.class file. (#762113)
  - Emit a pedantic warning for packages with repacked upstream tarballs that lack headers in debian/copyright. [...]
  - Check for debian/rules files that are dh_make(1) templates. (#679124)
  - Add pedantic check for packages using debian/source.lintian-overrides. [...]
- False-positives:
  - Add simple GOTO parsing to avoid false positives when checking udev rules. (#869547, #889639)
  - Check the first line of the description separately for spelling errors. (#890100)
  - Do not emit package-does-not-install-examples if we don't have any binary packages in our laboratory. (#889591)
  - Avoid false-positives when detecting Twitter's bootstrap library. (#888972)
  - Allow rel="generator" and others; they do not cause internet access by default. (#891301)
  - Avoid a false-positive in init.d-script-possible-missing-stop. (#889640)
  - Avoid a false-positive when matching a Lena Söderberg image. (#890943)
  - Fix a bug in version-substvar-for-external-package parsing to prevent false-positives when the LHS of the binary relation contains a substvar. (#726589)
  - Prevent a large number of false-positives when checking debian-rules-is-dh_make-template. (#890660)
  - Update override_dh_auto_test-does-not-check-DEB_BUILD_OPTIONS to fix a number of false positives. (#890537)
  - Allow rel="canonical" in <link/> HTML tags. (#762753)
  - Avoid false positives by ignoring text that itself contains "typo" or "spelling". (#889964)
  - Avoid false positives when checking binary packages depending on toolchain packages by ignoring packages starting with dh-. (#889486)
  - Prevent false positives when checking for missing NOTICE.txt files by looking inside .jar archives. (#889760)
  - Only warn about bad-jar-name for "public" .jar files. (#889628)
  - Fix a number of false-positives when checking override_dh_auto-test-does-not-check-DEB_BUILD_PROFILES. (#889592)
- Improvements/bug fixes:
  - Ensure salsa.debian.org Vcs-Git & Vcs-Browser are canonical. (#888809)
  - Ignore any change of epoch when checking latest-debian-changelog-entry-without-new-version. (#889991)
  - Detect core as an overly-generic module name. (#891027)
  - Rework the missing systemd .service detection. (#858588)
  - Also check for RUN= and DAEMONRUN= when evaluating for init.d-script-should-always-start-service violations. (#890916)
  - Make a large number of changes to override_dh_auto_test-does-not-check-DEB_BUILD_PROFILES. (#889746)
  - Also match Make's "ignore result" prefix for override_dh_auto_test-does-not-check-DEB_BUILD_PROFILES [...]
  - Ensure package-contains-python-doctree-file also warns about compressed .doctree files. [...]
  - Don't emit warnings when debian/patches is a file. (#889535)
  - Pick the first out of debian/source/lintian-overrides & debian/source.lintian-overrides. (#890361)
- Documentation:
  - Improve the long description of maintainer-script-should-not-use-recursive-chown-or-chmod. (#889489)
  - Correct a grammatical error and tighten the language of binary-package-depends-on-toolchain-package. (#890530)
  - Update text for epoch-change-without-comment, making it much clearer for skim-readers. [...]
  - Update maintainer-script-should-not-use-service to include advice and Debian Policy reference. (#889154)
- Reporting:
  - Link package entries to sources.debian.org. [...]
  - Improve the long description of epoch-change-without-comment. (#889814)
  - Downgrade severity of build-depends-on-obsolete-package from error to warning. (#889638)
- Misc:
  - Update requirement for dh_scour from python3-scour to scour. (#889016)
  - Update architecture lists to include riscv64. This will change everything. (#891387)
  - Drop all the overrides for Lintian itself now that we use the <!nocheck> build profile. [...]
  - Add cwl-runner as an interpreter for CWL scripts. (#890667)
  - Also check, for example, override_dh_fixperms-(indep|arch) targets for override_dh_fixperms-does-not-call-dh_fixperms. [...]
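As an added illustration of the first new Lintian check listed above (recursive chown in maintainer scripts), here is a small Python scanner written for this page; it is not Lintian's own Perl implementation, whose heuristics differ. It flags chown/chmod invocations that operate recursively, covering --recursive as well as bundled short options such as -fR, and ignores commented-out lines. The function names and the sample postinst are assumptions constructed for the example.

```python
import os
import re
import shlex

# Commands whose recursive mode the check is about.
RECURSIVE_TOOLS = ("chown", "chmod")

# Shell words that may precede a simple command inside compound statements.
LEADING_KEYWORDS = ("then", "do", "else", "!")


def uses_recursive_flag(args):
    """True if the argument list carries --recursive or a short -R,
    including bundled short options such as -fR or -Rv."""
    for arg in args:
        if arg == "--recursive":
            return True
        if arg.startswith("-") and not arg.startswith("--") and "R" in arg[1:]:
            return True
    return False


def _simple_commands(line):
    """Split one shell line into simple commands on ';', '&&', '||' and '|'."""
    return [c for c in re.split(r"\s*(?:;|&&|\|\||\|)\s*", line) if c]


def find_recursive_chown_chmod(script_text):
    """Return (line number, tool, command) for every chown/chmod invocation
    that operates recursively. Comments, including '#!' lines, are ignored."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        for cmd in _simple_commands(line):
            try:
                tokens = shlex.split(cmd, comments=True)
            except ValueError:
                # Unbalanced quotes: fall back to a naive whitespace split.
                tokens = cmd.split()
            while tokens and tokens[0] in LEADING_KEYWORDS:
                tokens = tokens[1:]
            if not tokens:
                continue
            tool = os.path.basename(tokens[0])  # also catches /bin/chown
            if tool in RECURSIVE_TOOLS and uses_recursive_flag(tokens[1:]):
                findings.append((lineno, tool, cmd.strip()))
    return findings


# Constructed sample postinst (not taken from any real package).
SAMPLE_POSTINST = """\
#!/bin/sh
# Constructed example postinst, not from any real package.
set -e
case "$1" in
    configure)
        mkdir -p /var/lib/example
        chown example:example /var/lib/example       # non-recursive: not flagged
        chown -R example:example /var/lib/example    # flagged
        chmod --recursive 0750 /var/cache/example    # flagged
        if [ -d /var/log/example ]; then chown -fR example /var/log/example; fi   # flagged (bundled -fR)
        # chown -R root:root /usr/share/example      # commented out: not flagged
        ;;
esac
"""


if __name__ == "__main__":
    for lineno, tool, cmd in find_recursive_chown_chmod(SAMPLE_POSTINST):
        print(f"line {lineno}: recursive {tool}: {cmd}")
```

The reason such a warning is worth having is the one the check's name alludes to: a recursive ownership or permission change over a directory that an unprivileged user can write to lets that user hard-link a file they do not own into the tree and have the maintainer script, running as root, hand it over to them. The scanner is deliberately conservative and reports every recursive call; deciding whether a given directory is actually exposed to untrusted writers remains a manual review step.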
Reproducible builds
Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.
The motivation behind the Reproducible Builds effort is to allow verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising that identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
This month I:
- Filed upstream pull requests for redisearch, libical, Promise.js and ufo2ft.
- Published our weekly reports. (#145, #146, #147 & #148)
- Within Debian, I:
  - Kept isdebianreproducibleyet.com up to date. [...]
  - Submitted the following patches to fix reproducibility-related toolchain issues:
  - I also submitted 30 patches to fix specific reproducibility issues in 3dldf, ardour, awl, clblas, cloudkitty, cpl-plugin-visir, dashel, designate, desmume, dialign-t, gap-autpgrp, gr-gsm, juce, keepassxc, libical3, mailman, mblaze, nsf, octave-geometry, opari2, php7.2, puppet, pydispatcher, scowl, shark, sleekxmpp, tkgate, tkmpeg, wreport & xastir.
  - Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
I also made the following changes to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues:
- Add support for comparing Berkeley DB files. (Unfortunately this is currently incomplete because the libraries do not report metadata reliably!) (#890528)
- Add support for comparing "XMLBeans" binary schemas. [...]
- Drop spurious debugging code in Android tests. [...]
Debian
My activities as the current Debian Project Leader are covered in my "Bits from the DPL" email to the debian-devel-announce mailing list.
Patches contributed
Debian LTS
This month I have been paid to work 18 hours on Debian Long Term Support (LTS). In that time I did the following:
- "Frontdesk" duties, triaging CVEs, etc.
- Issued:
  - DLA 1249-2: Fix a regression in the smarty3 update released in DLA 1249-1.
  - DLA 1269-1: dokuwiki had a reflected file download vulnerability.
  - DLA 1278-1: The librsvg rendering library could leak data to remote attackers via a specially-crafted file.
  - DLA 1287-1: Correct a denial-of-service attack in the zziplib archive library.
  - DLA 1288-1: The CUPS printer system allowed remote attackers arbitrary command execution.
  - DLA 1289-1: irssi had three separate NULL-pointer (etc.) issues.
  - DLA 1293-1: The Imagemagick graphics library allowed a specially-crafted TIFF file to perform a remote denial-of-service attack.
  - DLA 1294-1: Prevent an arbitrary command execution vulnerability in the Golang programming language.
- Worked on improvements to our internal scripts.
Uploads
- redis:
  - 4.0.8-1 — New upstream release and fix a potential hardlink vulnerability.
  - 4.0.8-2 — Also listen on ::1 (IPv6) by default. (#891432)
- python-django:
  - 1.11.10-1 — New upstream security release.
  - 2.0.2-1 — New upstream security release.
- redisearch:
  - 1.0.6-1 — New upstream release.
  - 1.0.7-1 — New upstream release & add Lintian overrides for package-does-not-install-examples.
  - 1.0.8-1 — New upstream release, which includes my reproducibility-related improvement.
- adminer:
  - 4.6.1-1 — New upstream release and override debian-watch-does-not-check-gpg-signature as upstream do not release signatures.
  - 4.6.2-1 — New upstream release.
- process-cpp:
  - 3.0.1-3 — Make the documentation reproducible.
  - 3.0.1-4 — Correct Vcs-Bzr to Vcs-Git.
- sleekxmpp (1.3.3-3) — Make the build reproducible. (#890193)
- python-redis (2.10.6-2) — Correct autopkgtest dependencies and misc packaging updates.
- bfs (1.2.1-1) — New upstream release.
I also made misc packaging updates for docbook-to-man (1:2.0.0-41), gunicorn (19.7.1-4), installation-birthday (8) & python-daiquiri (1.3.0-3).
Finally, I performed the following sponsored uploads: check-manifest (0.36-2), django-ipware (2.0.1-1), nose2 (0.7.3-3) & python-keyczar (0.716+ds-2).
Debian bugs filed
FTP Team
As a Debian FTP assistant I ACCEPTed 123 packages: apticron, aseba, atf-allwinner, bart-view, binutils, browserpass, bulk-media-downloader, ceph-deploy, colmap, core-specs-alpha-clojure, ctdconverter, debos, designate, editorconfig-core-py, essays1743, fis-gtm, flameshot, flex, fontmake, fonts-league-spartan, fonts-ubuntu, gcc-8, getdns, glyphslib, gnome-keyring, gnome-themes-extra, gnome-usage, golang-github-containerd-cgroups, golang-github-go-debos-fakemachine, golang-github-mattn-go-zglob, haskell-regex-tdfa-text, https-everywhere, ibm-3270, ignition-fuel-tools, impass, inetsim, jboss-bridger, jboss-threads, jsonrpc-glib, knot-resolver, libctl, liblouisutdml, libopenraw, libosmo-sccp, libtest-postgresql-perl, libtickit, linux, live-tasks, minidb, mithril, mutter, neuron, node-acorn-object-spread, node-babel, node-call-limit, node-color, node-colormin, node-console-group, node-consolidate, node-cosmiconfig, node-css-color-names, node-date-time, node-err-code, node-gulp-load-plugins, node-html-comment-regex, node-icss-utils, node-is-directory, node-mdn-data, node-mississippi, node-mutate-fs, node-node-localstorage, node-normalize-range, node-postcss-filter-plugins, node-postcss-load-options, node-postcss-load-plugins, node-postcss-minify-font-values, node-promise-retry, node-promzard, node-require-from-string, node-rollup, node-rollup-plugin-buble, node-ssri, node-validate-npm-package-name, node-vue-resource, ntpsec, nvidia-cuda-toolkit, nyx, pipsi, plasma-discover, pokemmo, pokemmo-installer, polymake, privacybadger, proxy-switcher, psautohint, purple-discord, pytest-astropy, pytest-doctestplus, pytest-openfiles, python-aiomeasures, python-coverage, python-fitbit, python-molotov, python-networkmanager, python-os-service-types, python-pluggy, python-stringtemplate3, python3-antlr3, qpack, quintuple, r-cran-animation, r-cran-clustergeneration, r-cran-phytools, re2, sat-templates, sfnt2woff-zopfli, sndio, thunar, uhd, undertime, usbauth-notifier, vmdb2 & xymonq.
I additionally filed 15 RC bugs for incomplete debian/copyright files against: browserpass, designate, fis-gtm, flex, gnome-keyring, ibm-3270, knot-resolver, libopenraw, libtest-postgresql-perl, mithril, mutter, ntpsec, plasma-discover, pytest-arraydiff & r-cran-animation.