Here is my monthly update covering what I have been doing in the free software world during February 2020 (previous month):
- Attended FOSDEM and CopyleftConf in Brussels, Belgium. Thanks to all the organisers and attendees for making this happen.
- Further conversations for the next iteration of the OpenUK awards to be presented in June.
- As part of my duties of being on the board of directors of the Open Source Initiative and Software in the Public Interest (SPI) I attended and prepared for their respective monthly meetings, participated in various licensing and other free software related topics occurring on the internet, had a number of discussions at FOSDEM and CopyleftConf, as well as participated in the usual internal discussions regarding logistics, policy, etc.
python-debianbts is a Python interface to Debian's Bug Tracking System by Bastian Venthur. This month I submitted two small pull requests, including moving to using the logging.warning [...] and documenting the missing archive keyword argument to the
Reviewed and merged two patches for django-enumfield, a library of mine for the Django web application framework to fix tests against some Django versions [...] and to correct an import for migration deconstruction [...].
Opened a number of pull requests to make the build reproducible in upstream projects, including:
python_example, an example pybind11 module built with a Python-based build system; I suggested sorting the extension sources to ensure a reproducible build in any projects based on this template. [...]
Even more hacking on the Lintian static analysis tool for Debian packages:
- Clarify the error messages when tags are not covered in the testsuite. [...]
For the Tails privacy-oriented operating system, I uploaded the following packages to Debian:
- Add missing dh-python to Build-Depends. (#952366)
sphinxdoc:Depends to binary package dependencies. (#832588)
- Update Tox dependency for Python 3.x.
tool:pytest section in setup.cfg over plain "pytest".
- Update build-dependency on dh-systemd with debhelper version 9.20160709, specify Rules-Requires-Root: no, use secure URL in debian/copyright, update Vcs-Browser and bump the package's
- Add missing
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.
The motivation behind the Reproducible Builds effort is to provide the ability to demonstrate that these binaries originated from a particular — trusted — source release: if identical results are generated from a given source in all circumstances, reproducible builds provide the means for multiple third-parties to reach a consensus on whether a build was compromised, via distributed checksum validation or some other scheme.
Software Freedom Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
This month, I:
Filed upstream pull requests for:
python_example, an example pybind11 module built with a Python-based build system; I suggested sorting the extension sources to ensure a reproducible build in any projects based on this template. [...]
Attended FOSDEM and CopyleftConf in Brussels, Belgium and had a number of ad hoc meetings regarding the organisation itself, potential future collaborations with other projects as well as to generally represent the project in a wider sense.
Began collaborative work on an academic paper to be published within the next few months.
Filed a pull request for the core debian-installer package to allow all arguments from sources.list files (such as [check-valid-until=no]) in order that we can test the reproducibility of the installer images on the Reproducible Builds' own testing infrastructure. (#13)
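As an added illustration (my own code, not part of debian-installer or the Reproducible Builds project), here is a small parser for the one-line sources.list format whose bracketed options the pull request above passes through. The option syntax (key=value, comma-separated multi-values, case-insensitive keys) and the boolean spellings accepted for check-valid-until follow apt's behaviour as I understand it; the sample file is constructed. The caveat a practitioner should keep in mind: check-valid-until=no switches off apt's enforcement of the Release file's Valid-Until field, which is exactly what a snapshot mirror needs, but also what would let a stale, replayed index be accepted, so it belongs only on the entries that need it.

```python
"""Parse one-line apt sources.list entries, including bracketed options.

Added example, not debian-installer code. Format handled:
    deb|deb-src [key=value key2=v1,v2 ...] URI SUITE [COMPONENT ...]
"""
import re

# Boolean spellings apt treats as "false" for options such as check-valid-until.
_FALSE = {"no", "false", "off", "without", "disable"}

_ENTRY_RE = re.compile(
    r"^(?P<type>deb|deb-src)\s+"
    r"(?:\[(?P<options>[^\]]*)\]\s+)?"
    r"(?P<uri>\S+)\s+(?P<suite>\S+)\s*(?P<components>.*)$"
)


def parse_sources_line(line):
    """Return a dict for one entry, or None for blank/comment lines.

    Option values are split on commas (apt's multi-value form, e.g.
    arch=amd64,i386); keys are lower-cased because apt matches them
    case-insensitively. Keys ending in '+' or '-' (arch+=...) are kept
    verbatim so a caller can apply them as additions/removals.
    """
    body = line.strip()
    if not body or body.startswith("#"):
        return None
    body = re.split(r"\s#", body, 1)[0].rstrip()  # trailing comment
    m = _ENTRY_RE.match(body)
    if m is None:
        raise ValueError("malformed sources.list entry: %r" % line)
    options = {}
    for token in (m.group("options") or "").split():
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError("malformed option %r in %r" % (token, line))
        options[key.lower()] = value.split(",")
    return {
        "type": m.group("type"),
        "options": options,
        "uri": m.group("uri"),
        "suite": m.group("suite"),
        "components": m.group("components").split(),
    }


def disables_release_expiry(entry):
    """True if the entry switches off apt's Valid-Until enforcement."""
    values = entry["options"].get("check-valid-until")
    if not values:
        return False
    return values[0].lower() in _FALSE


def parse_sources_list(text):
    """Parse a whole file; entries in order, blanks and comments skipped."""
    return [e for e in (parse_sources_line(l) for l in text.splitlines()) if e]


# Constructed sample file (not taken from any real installer run).
SAMPLE = """\
# snapshot mirror: its Release files are long past their Valid-Until
deb [check-valid-until=no arch=amd64,i386] http://snapshot.debian.org/archive/debian/20200201T000000Z/ buster main contrib
deb http://deb.debian.org/debian buster main
deb-src http://deb.debian.org/debian buster main
"""


def expiry_disabled_uris(text=SAMPLE):
    """URIs for which the file has turned the expiry check off; the list a
    reviewer of an installer's sources.list would want to see."""
    return [e["uri"] for e in parse_sources_list(text) if disables_release_expiry(e)]
```

For a test harness the useful output is expiry_disabled_uris(): it should name only the snapshot entries, never the live mirrors.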
Submitted a patch to openstack-pkg-tools to fix a curious issue where packages built differently if they built "too fast" — for example, if we built for both Python 3.7 and Python 3.8 but the installation of the latter occurs within the same wall clock second of the former, the Python 3.8 version will not overwrite the Python 3.7 version and lead to a shebang of #!/usr/bin/python3.7, whilst if it does not occur within the same second, the shebang will be overwritten to
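The page does not say which step of the openstack-pkg-tools build did the comparison, so the following added example (my own, not the project's patch) models one mechanism that is consistent with the symptom: an install step that overwrites the destination only when the source is strictly newer, compared at whole-second granularity and with the source mtime preserved on copy as cp -p or install -p would. The two scripts, the build timestamps and the "fast" (same second) versus "slow" (a second apart) builder runs are constructed. The content-based installer beside it is one way to remove the dependence on wall-clock time; overwriting unconditionally would be another.

```python
"""Why a timestamp-based 'is the destination up to date?' check makes a build
depend on how fast it ran. Added example; not openstack-pkg-tools code."""
import hashlib
import os
import shutil
import tempfile

# Constructed build products: the same tool built for two interpreters.
PY37 = b"#!/usr/bin/python3.7\nimport sys; print(sys.version)\n"
PY38 = b"#!/usr/bin/python3.8\nimport sys; print(sys.version)\n"
BASE = 1580515200  # constructed build start, 2020-02-01 00:00:00 UTC


def _write(path, data, mtime):
    """Create a build output with a chosen mtime (simulates when it was built)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.utime(path, (mtime, mtime))


def install_if_newer(src, dst):
    """Timestamp freshness check at whole-second granularity.

    Copies (preserving mtime, like cp -p / install -p) only when src is
    strictly newer than an existing dst. Two builds that finish within the
    same second look equally new, so the second one is silently dropped.
    Returns True if a copy happened."""
    if os.path.exists(dst) and int(os.stat(src).st_mtime) <= int(os.stat(dst).st_mtime):
        return False
    shutil.copy2(src, dst)
    return True


def install_if_different(src, dst):
    """Content-based check: the clock never enters the decision."""
    if os.path.exists(dst):
        with open(src, "rb") as a, open(dst, "rb") as b:
            if hashlib.sha256(a.read()).digest() == hashlib.sha256(b.read()).digest():
                return False
    shutil.copy2(src, dst)
    return True


def shebang_after_install(fast, install):
    """Build for 3.7 then 3.8 into one destination; return the final shebang.

    fast=True puts both build outputs in the same wall-clock second, as on a
    quick builder; fast=False spaces them a second apart."""
    work = tempfile.mkdtemp()
    try:
        src37 = os.path.join(work, "build-py37", "tool")
        src38 = os.path.join(work, "build-py38", "tool")
        dst = os.path.join(work, "usr", "bin", "tool")
        _write(src37, PY37, BASE)
        _write(src38, PY38, BASE if fast else BASE + 1)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        install(src37, dst)
        install(src38, dst)
        with open(dst, "rb") as f:
            return f.readline().rstrip(b"\n").decode()
    finally:
        shutil.rmtree(work)
```

With install_if_newer the result flips between #!/usr/bin/python3.7 and #!/usr/bin/python3.8 purely on builder speed, which is exactly the kind of variation a reproducibility test on two different machines catches; with install_if_different both runs end on the 3.8 shebang.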
I also submitted 9 patches to fix specific reproducibility issues in azure-uamqp-python (nondeterministic #include directives), designate (embedded build path), javatools (nondeterministic parsing of command-line variables), mate-desktop (build timestamps), msgpack-c (embeds build path), pynwb (embedded timestamps in test files), python-oslo.reports (nondeterministic/random numbers), snapd-glib (embedded build path) & xavs2 (embedded timestamps).
Kept isdebianreproducibleyet.com up to date.
Categorised a huge number of packages and issues in the Reproducible Builds "notes" repository, including identifying a number of new generalised issues.
Authored a report as part of the Open Technology Fund's previous investment in our project.
Drafted, published and publicised our monthly report.
I spent a few moments on our website this month including improving the documentation for CMake [...], adding a Meson.build example to the SOURCE_DATE_EPOCH documentation [...], replacing instances of "anyone can" with "anyone may" [...], correcting/improving the logic to skip commits when generating drafts [...][...][...], etc.
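To make the motivation paragraphs above concrete, and to show what honouring SOURCE_DATE_EPOCH looks like in code, here is an added example (mine, not the project's documentation or tooling): a small archive builder that pins the things that most often make a tarball differ between two builds of the same source, namely entry order, file timestamps and owner, plus the gzip container's own embedded mtime, which tarfile's "w:gz" mode does not let you set, so the GzipFile is opened explicitly. The source tree, the epoch value (2020-02-01 00:00:00 UTC) and the function names are constructed. Two builds under the same SOURCE_DATE_EPOCH hash identically; comparing that hash across independent builders is the distributed checksum check described above.

```python
"""Deterministic .tar.gz driven by SOURCE_DATE_EPOCH. Added example, not
project code: shows which knobs must be pinned and checks the result by hash."""
import gzip
import hashlib
import io
import os
import tarfile
import time


def build_timestamp(env=None):
    """Timestamp a build should embed, per the SOURCE_DATE_EPOCH convention:
    if the variable is set it wins (integer seconds since the epoch);
    otherwise the current time is used, which is the non-reproducible case."""
    env = os.environ if env is None else env
    raw = env.get("SOURCE_DATE_EPOCH")
    return int(time.time()) if raw is None else int(raw)


def build_archive(files, timestamp):
    """Return a .tar.gz as bytes with every known source of variation pinned.

    files: mapping path -> bytes (the constructed source tree).
    - entries are written in sorted order (directory listing order is not
      stable across filesystems);
    - every mtime is clamped to `timestamp`;
    - owner/group are fixed so the packager's uid/gid does not leak in;
    - the gzip header mtime is set too, since GzipFile would otherwise
      stamp it with time.time()."""
    buf = io.BytesIO()
    gz = gzip.GzipFile(fileobj=buf, mode="wb", compresslevel=9, mtime=timestamp)
    with tarfile.open(fileobj=gz, mode="w") as tar:
        for path in sorted(files):
            data = files[path]
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mtime = timestamp
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    gz.close()
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def archive_entries(data):
    """Read the archive back: (name, mtime, uid) per member, in archive order."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        return [(m.name, m.mtime, m.uid) for m in tar.getmembers()]


# Constructed sample source tree.
SOURCE_TREE = {
    "pkg/core.py": b"def hello():\n    return 'hello'\n",
    "pkg/__init__.py": b"",
    "README": b"example package\n",
}


def reproducible_pair(env):
    """Build twice under the same environment; a third party comparing the
    two digests is doing the consensus check reproducible builds enable."""
    first = sha256(build_archive(SOURCE_TREE, build_timestamp(env)))
    second = sha256(build_archive(SOURCE_TREE, build_timestamp(env)))
    return first, second


if __name__ == "__main__":
    a, b = reproducible_pair({"SOURCE_DATE_EPOCH": "1580515200"})
    print("reproducible" if a == b else "DIFFERS", a)
```

Note that the gzip header check in the test (bytes 4 to 8 hold the little-endian mtime) is the kind of thing diffoscope surfaces when two otherwise identical tarballs differ only in their container metadata.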
In our tooling, I also made the following changes to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues, including uploading version 137 to Debian:
sng image utility will return 1 if there are even minor errors in the file. (#950806)
- Also extract
- No need to use str.format if we are just returning the string. [...]
- Add generalised support for "ignoring" returncodes [...] and move special-casing of returncodes in zip to use
Investigated and triaged:
Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
1.10.7-2+deb9u8 to Debian stretch and 1.11.28-1~deb10u1 for Debian buster to address CVE-2020-7471, a potential SQL injection vulnerability.
0.14.0-6) — Set the Repository-Browse upstream metadata fields and rely on pre-initialised
20.0.4-2 — Set the upstream metadata fields (Repository-Browse, etc.), bump
20.0.4-3 — Specify that the gunicorn binary package provides the httpd-wsgi3 virtual package. (#952706)
DEB_BUILD_MAINT_OPTIONS to support operating on large files. (#949665)
- Add a
- Use secure HTTPS URL in debian/copyright, set Rules-Requires-Root: no and bump the
4.0.23-3 — Drop quotes from DEB_BUILD_MAINT_OPTIONS export line. (#951037)