Free software activities in February 2025

Here is my monthly update covering what I have been doing in the free software world during February 2025 (previous month).

Reproducible Builds

• Kept isdebianreproducibleyet.com up to date. [...]

• Submitted 8 patches to fix specific reproducibility issues in acme.sh, node-svgdotjs-svg.js, onevpl-intel-gpu, pkg-rocm-tools, python-assertpy, rocdbgapi, siege & terminaltables3.

• Drafted, published and publicised our monthly report for January 2025.

• Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.

• Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions 288 and 289 to Debian:

  • Add asar to DIFFOSCOPE_FAIL_TESTS_ON_MISSING_TOOLS in order to address Debian bug #1095057) [...]
  • Catch a CalledProcessError when calling html2text. [...]
  • Update the minimal Black version. [...]

Debian

Uploads

• bfs:

  • 4.0.5-2 — Fix a test failure due to changes in gawk/bash. (#1095329)
  • 4.0.6-1 — New upstream release.

• docbook-to-man (1:2.0.0-48) — Set -std=gnu17 to avoid a build failure under GCC 15. (#1096534)

• memcached:

  • 1.6.36-1 — New upstream release.
  • 1.6.37-1 — New upstream release.

• python-django:

  • 4.2.19-1 — New upstream bugfix release.
  • 5.2~beta1-1 — New upstream beta release.

Finally, I also sponsored the following packages on behalf of Reiner Herrmann:

• musl (1.2.5-2) — Import upstream fix for an out-of-bounds write vulnerability. (#1098238)

• sng (1.1.1-1) — New upstream release. (#1097904)

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

• Investigated and triaged: libcap2 (CVE-2023-2603) and phpmyadmin (CVE-2025-24529, CVE-2025-24530).

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.

• Uploaded musl version 1.2.5-2 to unstable in order to fix an out-of-bounds write vulnerability (#1098238).

• Prepared uploads for libcap2, musl and phpmyadmin, pending release in early March after completing review. These uploads will address 4+ CVEs.

• Issued DLA 4062-1 because it was discovered that there was a potential remote code execution vulnerability in python-werkzeug, a library used to create WSGI-based web applications in Python.

You can find out more about the project via the following video:

You can subscribe to new posts via email or RSS.