Free software activities in February 2021

Here is my monthly update covering what I have been doing in the free software world during February 2021 (previous month):

• Reviewed and merged a number of contribution from Peter Law to my django-cache-toolbox library for Django-based web applications, including: support always fetching some relations when loading a model (#27), allow use of custom auth.User model. (#29), avoid some more database calls (#30), wrap some collections in tuples for compatibility (#32) and cope with only some of our related models actually being loaded (#33).

• As part of my role of being the assistant Secretary of the Open Source Initiative and a board director of Software in the Public Interest, I attended their respective monthly meetings and participated in various licensing and other discussions occurring on the internet, as well as the usual internal discussions, etc.

• Opened a pull request to fix the relative target of manpage links in Roger Wesson's mocassin library. [...]

Reproducible Builds

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during compilation process by promising identical results are always generated from a given source, therefore allowing multiple third-parties to come to a consensus on whether a build was compromised.

The project is proud to be a member project of the Software Freedom Conservancy. Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.

This month, I:

• Filed an upstream pull request to fix relative symlink targets of manpage links in mocassin. [...]

• In Debian:

  • Submitted 5 patches to fix specific reproducibility issues in crossfire, golang-github-revel-revel, golang-github-viant-toolbox, python-aiosqlite & zmk.

  • Kept isdebianreproducibleyet.com up to date. [...]

  • Submitted a patch to fix reproducibility-related toolchain issue in kjs: Please make the opcodes.h file reproducible. (#983046)

• Categorised a large number of packages and issues in the Reproducible Builds notes.git repository as well as wrote a script to automatically-classify a number of issues [...].

• Drafted, published and publicised our monthly report for January.

I also made the following changes to diffoscope, including preparing and uploading versions 167 and 168 to Debian:

• Bug fixes:

  • Don't call difflib.Differ.compare with very large inputs; it is at least O(n^2) and makes diffoscope (appear to) hang. [...]
  • Don't rely on dumpimage returning an appropriate exit code; check that the file actually exists. [...]
  • Don't rely on magic.Magic to have an identical API between file's magic.py and PyPI's python-magic library. [...]

• Revamp temporary file handling:

  • Ensure we cleanup our temporary directory by avoiding confusion between the TemporaryDirectory instance and underlying directory. (#981123)
  • Try and use a potentially-useful suffix to our temporary directory. [...]

• Testsuite improvements:

  • Strip newlines when determining Black version to avoid requires black >= 20.8b1 (18.9b0\n detected) in test output. [...]
  • Fix weakref-related handling in Python 3.7 (i.e. Debian buster). [...]
  • If our temporary directory does not exist anymore, recreate it. [...]
  • Fix FIT-related tests in Debian buster [...] and fit_expected_diff [...].
  • Gnumeric is back in testing so re-add to (test) Build-Depends. [...]
  • Mark test_apk.py::test_android_manifest as being allowed to fail for now. [...]
  • Add u-boot-tools to (test) Build-Depends so salsa.debian.org pipelines test the new U-Boot FIT comparator. [...]
  • Move to assert_diff utility in a number of tests. [...][...]

• Codebase improvements:

  • Correct capitalisation of 'jQuery'. [...]
  • Update my copyright years. [...]
  • Tidy imports in diffoscope.comparators.fit. [...]
  • Don't use Inheriting PATH of X, use PATH is X in logging messages. [...]
  • Drop unused Config.acl and Config.xattr attributes [...] and set a default Config.extended_filesystem_attributes. [...]

Debian

Uploads

• python-django:

  • 2.2.18-1 — New upstream security release. (#981562)
  • 2.2.19-1 — New upstream security release. (#983090)
  • 3.2~alpha1-2 — Apply security fix from upstream. (#983090)
  • 3.2~beta1-1 — New upstream beta release.

• redis:

  • 6.0.10-4 — New upstream release, fixing cluster access to unaligned memory on ARM architectures with hard alignment requirements (such as armhf and arm64). (#982504)
  • 6.0.11-1 — New upstream release, incorporating security fixes. (#983446)
  • 6.2~rc3-1 — New upstream release candidate.
  • 6.2.0-1 — New upstream stable release, incorporating security fixes. (#983446)

• gunicorn (20.1.0-1) — New upstream release.

• xtrlock (2.15) — Also support the XK_KP_Enter key (i.e. the Enter on the numeric keypad) to submit a password. (#982634)

I also sponsored an upload of adminer (4.7.9-1) for Alexandre Rossi.

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, and attending our monthly development meeting. etc.

• Updated the lts-cve-triage.py tool to configure Python paths early due to transitive imports in an included library. [...]

• Investigated and triaged: avahi (CVE-2021-26720), gdk-pixbuf (CVE-2021-20240), libraw (CVE-2020-24870), python3.5 (CVE-2021-3177), qemu (CVE-2020-15469, CVE-2020-15859, CVE-2020-25084 etc.), rails (CVE-2021-22880 & CVE-2021-22881), stunnel4 (CVE-2021-20230 & CVE-2021-20231) & zeromq3 (CVE-2021-20237)

• Issued DLA 2555-1 for netty as it was discovered that there was an insecure temporary file issue that could have lead to disclosure of arbitrary local files.

• Issued DLA 2562-1 to address a remote code execution vulnerability in mumble, a VoIP client commonly used for group chats. The exploit could have been been triggered by a maliciously crafted URL on the server list.

• Issued DLA 2563-1, DLA 2565-1 and ELA-366-1 for openssl to prevent an issue where "Digital EnVeloPe" EVP-related calls could cause applications to behave incorrectly or even crash (CVE-2021-23840) and address to an issue in the X.509 certificate parsing caused by the lack of error handling while ingesting the 'issuer' field.

• Issued DLA 2568-1 and ELA-369-1 as it was discovered that there was a buffer overflow attack in the bind9 DNS server, caused by an issue in the GSSAPI ("Generic Security Services") security policy negotiation.

• Issued DLA 2540-1, DLA 2569-1 and ELA-354-1 for python-django to address a potential directory-traversal (CVE-2021-3281) and a cache-poisoning issue (CVE-2021-23336).

• Issued DLA 2576-1 for redis as it was reported that there were a number of integer overflow.

You can find out more about the project via the following video:

You can subscribe to new posts via email or RSS.