Here is my monthly update covering what I have been doing in the free software world during January 2021 (previous month):
- As part of my duties of being on the board of directors of the Open Source Initiative, I attended its monthly meeting and participated in various licensing and other related discussions occurring on the internet. Unfortunately, I could not attend the parallel meeting for Software in the Public Interest this month.
- After a rather turbulent 2020, I was very grateful to have been chosen in OpenUK's 2021 honours as one of the 100 top influencers in the UK's open technology community, which recognises contributions to open source software, open data and open hardware. Congratulations to all of the other open source heroes and heroines who were also listed — am looking forward to an exciting year together.
Reproducible Builds
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
This month, I:
- Categorised a huge number of packages and issues in the Reproducible Builds "notes" repository.
- Drafted, published and publicised our monthly report and attended a number of IRC meetings.
- In Debian:
  - Kept isdebianreproducibleyet.com up to date. [...]
  - Submitted the following patches to fix reproducibility-related toolchain issues within Debian:
  - I also submitted a number of patches to fix specific reproducibility issues including apertium-anaphora & davs2, as well as a number of issues found during reproducibility testing. For example, I discovered that node-tap-parser's manual pages contained errors instead of documentation (#980293).
- disorderfs is our FUSE-based filesystem that deliberately introduces non-determinism into system calls to reliably flush out reproducibility issues. This month, I updated our benchmarking tools to use a tool that calls stat(2) repeatedly. [...]
- Updated the main Reproducible Builds website and documentation with many changes, including adding a missing image [...] and ignoring commits that start with, for example, '2020 12' when generating commit listings [...].
- strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build. This month, I ensured that the tool does not process unwritable files, printing a warning in that case (#980356), and made a number of codebase improvements such as reflowing logic to make future changes easier. [...]
I also made the following changes to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues, releasing version 164, version 165 and version 166 as well as triaging and merging many contributions from others:
- New features:
  - Save sys.argv in our top-level temporary directory, in case it helps debug why temporary directories might not get cleaned up. [...]
  - Collapse the --acl and --xattr arguments into --extended-filesystem-attributes to cover all of these extended attributes, defaulting the new option to false (i.e. to not make these expensive external calls). [...]
- Bug fixes:
- Output improvements:
  - Show the 'fuzziness' amount in percentage terms, not out of the rather arbitrary '400'. [...]
  - Improve help text for the --exclude-directory-metadata argument. [...]
  - Wrap our external call to cmp(1) with a missing profiling point. [...]
  - Truncate jsondiff differences at 512 bytes, in case they consume the entire page. [...]
  - Improve the logging around fuzzy matching. [...]
- Codebase improvements:
  - Clarify in a comment that __del__ is not always called in Python, so temporary directories are not necessarily removed the moment they go out of scope. [...]
  - Print the free space in our temporary directory when we create it, not from within diffoscope.main. [...]
  - Tidy the diffoscope.comparators.utils.fuzzy module. [...]
  - Add a note regarding the special ordering of test_all_tools_are_listed within that module. [...]
Debian
Uploads
-
  - 3.1.5-1 — New upstream bugfix release.
  - 3.2~alpha1-1 — New upstream 3.2 alpha release & misc packaging updates.
-
  - 6.0.9-2 (to unstable) — Enable systemd Type=notify support. (#977852)
  - 6.0.9-3 (to unstable) — Allow /etc/redis to be rewritten and also removed upon purge. (#981000)
  - 6.0.9-4 (to unstable) — Send systemd readiness notification when we are ready to accept connections in order to fix replicaof support. Thanks to Guillem Jover for the report and patch. (#981226)
  - 6.2~rc2-1 (to experimental) — New upstream release.
  - 6.2~rc2-2 (to experimental) — Allow /etc/redis to be rewritten and also removed upon purge. (#981000)
Debian LTS
This month I worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged: cairo (CVE-2020-35492), firefox-esr (CVE-2020-16044), jackson-databind (CVE-2020-36179 → CVE-2020-36189), nvidia-graphics-drivers (CVE-2021-1052, CVE-2021-1053 & CVE-2021-1056), opensmtpd (CVE-2020-35680 & CVE-2020-35679), php7.0 (CVE-2020-7071), python-autobahn (CVE-2020-35678) & tlslite-ng (CVE-2020-26263).
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, attending a monthly meeting, etc.
- Issued DLA 2515-1 for csync2. The cluster synchronization tool did not correctly check the return value from GnuTLS security routines; in particular, it neglected to call the routine again when the design of the API requires the call to be repeated.
- Issued DLA 2516-1 for gssproxy to fix a privilege separation issue that arose from failing to unlock a shared resource.
- Issued DLA 2517-1 and ELA 342-1 for Dovecot to fix two issues. The first was an issue where an attacker could use a specially crafted command to discover filesystem directory structures on the IMAP server and even access other users' emails (CVE-2020-24386). The second was an issue where a malicious sender could crash Dovecot by sending messages with more than 10,000 (!) attachments (CVE-2020-25275).
- It was discovered that there was an issue in the command-line tool for the Pacemaker High Availability stack. Local attackers were able to execute commands via shell code injection in the crm history command-line tool, potentially allowing escalation of privileges. DLA 2533-1 was issued to address this.
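The csync2 item above is an instance of a general GnuTLS rule: gnutls_handshake() and the record I/O calls may return GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, in which case they must simply be called again, while any other negative value must be checked with gnutls_error_is_fatal() before the caller proceeds. The following is an added example, not csync2's or GnuTLS's code: it simulates the handshake step with constructed return sequences (the GNUTLS_E_* values are copied from the GnuTLS headers so it builds without the library) and contrasts a single unchecked call with the retry loop the API requires.

```c
#include <stdbool.h>
#include <stddef.h>
/* Values copied from <gnutls/gnutls.h> so this example builds without GnuTLS. */
#define GNUTLS_E_SUCCESS                  0
#define GNUTLS_E_FATAL_ALERT_RECEIVED   (-12)
#define GNUTLS_E_WARNING_ALERT_RECEIVED (-16)
#define GNUTLS_E_AGAIN                  (-28)
#define GNUTLS_E_INTERRUPTED            (-52)

/* Constructed stand-in for gnutls_session_t: the simulated handshake step
 * hands back these scripted codes in order and reports success after that. */
typedef struct { const int *codes; size_t n; size_t next; int calls; } sim_session;
static int sim_handshake(sim_session *s) {
    s->calls++;
    return s->next < s->n ? s->codes[s->next++] : GNUTLS_E_SUCCESS;
}

/* Mirrors gnutls_error_is_fatal() for the codes above: a non-fatal code
 * means "call again"; any other negative value means the session is dead. */
static bool error_is_fatal(int code) {
    return code < 0 && code != GNUTLS_E_AGAIN && code != GNUTLS_E_INTERRUPTED &&
           code != GNUTLS_E_WARNING_ALERT_RECEIVED;
}

/* Flawed pattern: one call, result ignored, so the caller goes on to
 * exchange data on a session whose handshake never finished or failed. */
static bool connect_unchecked(sim_session *s) {
    sim_handshake(s);
    return true;
}

/* Pattern the API requires: retry on non-fatal codes, stop on a fatal one,
 * and proceed only when the handshake actually reports success. */
static bool connect_checked(sim_session *s) {
    int ret;
    do { ret = sim_handshake(s); } while (ret < 0 && !error_is_fatal(ret));
    return ret == GNUTLS_E_SUCCESS;
}

/* Number of handshake calls made by the most recent run(). */
static int last_calls;
/* Runs one scripted scenario with either pattern and returns whether
 * the caller believed it was connected. */
static bool run(const int *codes, size_t n, bool checked) {
    sim_session s = { codes, n, 0, 0 };
    bool ok = checked ? connect_checked(&s) : connect_unchecked(&s);
    last_calls = s.calls;
    return ok;
}
/* Constructed scenarios: a handshake needing two retries, and one that fails. */
static const int kEventuallyOk[] = { GNUTLS_E_AGAIN, GNUTLS_E_INTERRUPTED };
static const int kFatal[]        = { GNUTLS_E_AGAIN, GNUTLS_E_FATAL_ALERT_RECEIVED };
```

With kFatal the unchecked caller reports itself connected after one call, while the checked loop retries once, sees the fatal alert and refuses to continue.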
You can find out more about the project via the following video: