Here is my monthly update covering what I have been doing in the free software world during February 2026 (previous month).
Reproducible Builds
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.
This month, I:
- Filed upstream pull requests for FIXME.
- Kept isdebianreproducibleyet.com up to date. [...]
- Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.
- I made some changes to diffoscope, including not failing the entire pipeline if deploying to PyPI automatically fails. [...] I also prepared and uploaded versions 312 and 313.
- Drafted, published and publicised our monthly report for January.
- Updated the main Reproducible Builds website and documentation, adding the new repro-build tool to the website. [...]
Debian
- libfiu (1.2-5) — Remove the fiu.egg-info and the tests/utils/libs directories (#1048082) and enable SALSA_CI_DISABLE_VALIDATE_PACKAGE_CLEAN_UP.
- 4.2.28-1 — New upstream security release.
- 6.0.2-1 — New upstream security release.
Debian LTS
This month I have worked 30 hours on Debian Long Term Support (LTS) and on its sister Extended LTS (ELTS) project.
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Issued DLA 4482-1 as it was discovered that there was an issue in Ceph, the distributed storage and file system, where the Python bindings did not correctly implement SSL certificate checking.
- Issued DLA 4484-1 and ELA-1648-1 due to the announcement of multiple vulnerabilities in Django, the Python-based web-development framework:
  - CVE-2025-13473: The check_password function in django.contrib.auth.handlers.modwsgi for authentication via mod_wsgi allowed remote attackers to enumerate users via a timing attack.
  - CVE-2026-1207: Raster lookups on RasterField (only implemented on PostGIS) allowed remote attackers to inject SQL via the band index parameter.
  - CVE-2026-1285: The django.utils.text.Truncator.chars() and Truncator.words() methods (with html=True) and the truncatechars_html and truncatewords_html template filters allowed a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags.
  - CVE-2026-1287: FilteredRelation was subject to SQL injection in column aliases via control characters using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet methods annotate(), aggregate(), extra(), values(), values_list() and alias().
  - CVE-2026-1312: QuerySet.order_by() was subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in FilteredRelation.
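The user-enumeration timing leak described for CVE-2025-13473 comes down to a password check that returns before any hash has been computed when the username is unknown. The following is an added, stand-alone Python illustration of that pattern beside the usual mitigation (always perform exactly one hash, whether or not the user exists); it is not Django's code, and the user store, PBKDF2 parameters and helper names are constructed for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000          # constructed value, not Django's default
_hash_calls = 0              # counts hash computations, to show equal work


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password; deliberately the expensive step."""
    global _hash_calls
    _hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def hash_calls() -> int:
    return _hash_calls


def reset_hash_calls() -> None:
    global _hash_calls
    _hash_calls = 0


def make_user_store(users: dict) -> dict:
    """Constructed store: username -> (salt, digest)."""
    return {name: (salt, _hash(pw, salt))
            for name, pw in users.items()
            for salt in (os.urandom(16),)}


def check_password_leaky(store: dict, username: str, password: str) -> bool:
    # Unknown users return before the hash runs, so the response time
    # differs from that of a real user with a wrong password.
    if username not in store:
        return False
    salt, digest = store[username]
    return hmac.compare_digest(_hash(password, salt), digest)


# Dummy credentials so an unknown user costs exactly one hash as well.
_DUMMY_SALT = os.urandom(16)
_DUMMY_DIGEST = _hash(os.urandom(16).hex(), _DUMMY_SALT)


def check_password_hardened(store: dict, username: str, password: str) -> bool:
    salt, digest = store.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    matched = hmac.compare_digest(_hash(password, salt), digest)
    # Never authenticate a user that is not actually in the store.
    return matched and username in store
```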
You can find out more about the Debian LTS project via the following video:
