Here is my monthly update covering what I have been doing in the free software world during January 2022 (previous month):
- As part of my duties of being on the board of directors of Software in the Public Interest, I attended its monthly meetings and participated in various licensing and other discussions occurring on the internet, as well as the usual internal discussions regarding logistics and policy etc.
Reproducible Builds
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during compilation processes by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
The project is proud to be a member project of the Software Freedom Conservancy. Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
This month, I:
- Opened a pull request to make the documentation year reproducible in the Fluid dynamics component of the Chemical Engineering Design Library (ChEDL).
- Drafted, published and publicised our monthly report for December 2021.
- I performed significant research and investigation regarding unreproducible files generated by the Rakudo implementation of the Raku programming language. (#1002496)
- Kept isdebianreproducibleyet.com up to date.
- Submitted a patch to fix a reproducibility-related toolchain issue within Debian, specifically within `dh-raku`, in order to make the contents of `$pkg.dh-raku.list` files reproducible. (#1003159)
- I also submitted six patches to fix specific reproducibility issues in `libgtkdatabox`, `ncurses`, `node-istanbul`, `node-ramda`, `python-fluids` & `qcelemental`.
- Updated the main Reproducible Builds website and documentation to:
  - Split the `/who/` page into two separate pages.
  - Automatically add all contributors to the 'People' page, or at least those who are in the Git history of the website repository.
  - Improve the cosmetics of sponsor images.
  - Make various other changes to the copy, etc. for the `/who/` page.
  - Add a missing `testframework.png` image.
- Categorised a large number of packages and issues in the Reproducible Builds `notes.git` repository.
diffoscope
Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions 199, 200, 201 and 202 to Debian:
- New features:
  - First attempt at incremental output support with a timeout. Now passing, for example, `--timeout=60` will mean that diffoscope will not recurse into any sub-archives after 60 seconds total execution time has elapsed. Note that this is not a fixed/strict timeout due to implementation issues.
  - Support both variants of `odt2txt`, including the one provided by the `unoconv` package.
- Bug fixes:
  - Do not return with a UNIX exit code of 0 if we encounter a file whose human-readable metadata matches literal file contents.
  - Don't fail if comparing a nonexistent file with a `.pyc` file (and add test).
  - If the `debian.deb822` module raises any exception on import, re-raise it as an `ImportError`. This should fix diffoscope on some Fedora systems.
  - Even if a Sphinx `.inv` inventory file is labelled "The remainder of this file is compressed using zlib", it might not actually be. In this case, don't traceback and simply return the original content.
- Documentation:
  - Improve documentation for the new `--timeout` option due to a few misconceptions.
  - Drop reference in the manual page claiming the ability to compare non-existent files on the command-line. (This has not been possible since version 32, which was released in September 2015.)
  - Update 'X has been modified after `NT_GNU_BUILD_ID` has been applied' messages to, for example, not duplicate the full filename in the diffoscope output.
- Codebase improvements:
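The `.inv` fallback described above, as an added illustration (not diffoscope's own code): a reader for Sphinx's version-2 `objects.inv` format that decompresses the zlib body and, when the header's zlib label turns out to be false, returns the original content instead of raising. The sample inventory is constructed and the function names are my own.

```python
from __future__ import annotations
import zlib

# Fourth header line written by Sphinx for version-2 inventories.
ZLIB_MARKER = b"# The remainder of this file is compressed using zlib."

def read_sphinx_inventory(data: bytes) -> bytes:
    """Return the human-readable form of a Sphinx objects.inv file.

    The v2 format is four '#' header lines followed by a zlib stream holding
    one "name domain:role priority uri dispname" line per object. If the
    header promises zlib but the body does not decompress, the original bytes
    are returned unchanged rather than propagating zlib.error.
    """
    header_end = 0
    for _ in range(4):  # header is exactly four newline-terminated lines
        nl = data.find(b"\n", header_end)
        if nl == -1:
            return data  # not a well-formed v2 inventory; nothing to decode
        header_end = nl + 1
    header, body = data[:header_end], data[header_end:]
    if ZLIB_MARKER not in header:
        return data  # v1 (or unknown) inventories are plain text already
    try:
        return header + zlib.decompress(body)
    except zlib.error:
        # Labelled as compressed but is not (or is truncated/corrupt):
        # surface the raw content instead of a traceback.
        return data

def parse_inventory_entries(text: bytes) -> list[tuple[str, str, str]]:
    """Parse decoded inventory lines into (name, 'domain:role', uri) tuples."""
    entries = []
    for line in text.decode("utf-8", errors="replace").splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ", 4)
        if len(parts) < 4:
            continue  # skip malformed lines rather than failing the whole file
        entries.append((parts[0], parts[1], parts[3]))
    return entries

# Constructed sample inventory (not taken from any real project).
HEADER = (b"# Sphinx inventory version 2\n" b"# Project: example\n"
          b"# Version: 1.0\n" + ZLIB_MARKER + b"\n")
ENTRIES = b"example.func py:function 1 api.html#example.func -\n"
GOOD_INV = HEADER + zlib.compress(ENTRIES)
BOGUS_INV = HEADER + ENTRIES  # header promises zlib, body is plain text

if __name__ == "__main__":
    print(parse_inventory_entries(read_sphinx_inventory(GOOD_INV)))
    print(read_sphinx_inventory(BOGUS_INV) == BOGUS_INV)
```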
Debian
Uploads
- 3.2.11-1 — New upstream security release.
- 3.2.11-2 — Fix compatibility with SQLite versions 3.37+. (#1004464)
- 4.0.1-1 (to experimental) — New upstream security release.
- 4.0.1-2 (to experimental) — Fix compatibility with SQLite versions 3.37+. (#1004464)
- 1.6.12+dfsg-4 — Incorporate a patch to remove the static `libssl1.1` dependency.
- 1.6.13-1 — New upstream release.
- bfs (2.3.1-1) — New upstream release.
- black (21.12b0-1) — New upstream release.
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project. This included:
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc., as well as helping draft the surveys to be sent to various Debian developer lists.
- Investigated and triaged: `expat` (CVE-2021-45960), `ghostscript` (CVE-2021-45944 & CVE-2021-45949), `mosquitto` (CVE-2021-41039), `nltk` (CVE-2021-3842, CVE-2021-43854), `python-django` (CVE-2021-45115, CVE-2021-45116 & CVE-2021-45452), `roundcube`, `uriparser` (CVE-2021-46141), `wireshark` (CVE-2021-4181, CVE-2021-4182, CVE-2021-4183, CVE-2021-4184, CVE-2021-4186 & CVE-2021-4190) and `wordpress` (CVE-2022-21661, CVE-2022-21662, CVE-2022-21663 & CVE-2022-21664).
- Issued DLA 2883-1 and ELA 541-1 for the `uriparser` URL parsing library in order to address two "invalid free" issues. (This was then followed up by DLA 2883-2 and ELA 541-2 as it was reported that the previous DLA and ELA security releases were not complete.)
- Issued DLA 2896-1 as it was discovered that there was a potential arbitrary code execution vulnerability in IPython, the interactive Python shell. This issue stemmed from IPython executing untrusted files in the current working directory.
- Filed Debian bug #1003659 in order to propose a stable update for Django in Debian bullseye.
You can find out more about the Debian LTS project via the following video:
