Here is my monthly update covering what I have been doing in the free software world during January 2023 (previous month):
Building and distributing software that is secure throughout its entire lifecycle turns out to be very challenging. Attacks can emerge at any step of the chain, such as when building, packaging, uploading and distributing software on its long journey from coding to installation. Nefarious third-parties can compromise systems by injecting malicious code into ostensibly secure software during these compilation and distribution processes. Reproducible Builds is a project that is implementing tools, strategies and frameworks to secure software on its way to end-user devices, and additionally helps to prevent attacks on developers themselves.
This month, I:
Submitted a patch to fix a reproducibility-related issue in Debian's python-miio package, which was actually rooted in its (in)compatibility with versions of Click greater than 8.x. (#1029295)
Attended the Open Tech Fund's summit in Austin, TX.
I additionally created a patch to remove temporary files created during the build of the towncrier Debian package which were causing the package to be unreproducible. This was swiftly fixed by Ben Finney — thanks. (#1027992)
Drafted, published and publicised our monthly report for December 2022.
Categorised a very large number of packages and issues in the Reproducible Builds
Finally, I also made the following non-maintainer uploads (NMUs) to fix reproducibility issues within Debian:
Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading version 234 to Debian:
- No need for the `from __future__ import print_function` import anymore. [...]
- Comment and tidy the `debian/tests/control` file after merging support for PyPDF. [...]
- Split the inline Python code that generates the test `Recommends` into a separate Python script. [...]
- Correctly catch a segfaulting cd-iccdump binary. [...]
- Drop some old debugging code. [...]
- Allow ICC tests to (temporarily) fail. [...]
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
Issued DLA 3261-1 as it was discovered that there was a potential null pointer dereference vulnerability in libetpan, a low-level library for handling email.
Issued DLA 3262-1 for smarty3, a widely-used PHP templating engine because it was discovered that there was a potential cross-site scripting vulnerability.
Issued DLA 3264-1 for ruby-sinatra as it was discovered that there was a potential reflected file download (RFD) vulnerability in this Ruby library for writing HTTP applications. A Content-Disposition HTTP header was being incorrectly derived from a (potentially) user-supplied filename.
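As an added illustration of the header-derivation problem described above (my own example, not the ruby-sinatra code or the DLA fix; the function names are hypothetical), here is a naive Content-Disposition construction next to a hardened one, plus a response-side check that flags headers where a user-supplied name escaped the quoted string:

```ruby
require 'erb'

# Naive construction: the user-supplied name is interpolated verbatim, so a
# value containing a double quote (or a CR/LF) breaks out of the quoted
# string and lets the client control the rest of the header.
def naive_disposition(filename)
  "attachment; filename=\"#{filename}\""
end

# Hardened construction (RFC 6266 / RFC 5987): strip control characters,
# drop any directory component, escape the quoted-string delimiters in the
# ASCII fallback, and carry the full name percent-encoded in filename*.
def safe_disposition(filename)
  name = filename.to_s.gsub(/[\x00-\x1f\x7f]/, '')      # no CR/LF or other control bytes
  name = File.basename(name)                             # "../x.pdf" -> "x.pdf"
  name = 'download' if name.empty? || name == '.' || name == '..'
  ascii = name.encode('US-ASCII', invalid: :replace, undef: :replace, replace: '_')
  ascii = ascii.gsub(/["\\]/) { |c| "\\#{c}" }          # escape " and \ inside the quoted string
  encoded = ERB::Util.url_encode(name)                   # percent-encodes every byte outside [A-Za-z0-9_.~-]
  "attachment; filename=\"#{ascii}\"; filename*=UTF-8''#{encoded}"
end

# Response-side check: the header must be exactly one well-formed quoted
# filename parameter (with an optional RFC 5987 companion) and contain no
# raw line breaks. Anything else means the filename escaped the quotes.
def well_formed?(header)
  return false if header.match?(/[\r\n]/)
  header.match?(/\Aattachment; filename="(?:[^"\\]|\\.)*"(?:; filename\*=UTF-8''[A-Za-z0-9%._~-]*)?\z/)
end
```

Run `well_formed?` over the headers your application emits (for example in a test suite) to catch the naive pattern before it reaches a browser.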
Issued DLA 3266-1 and ELA-768-1. This was because it was announced that there were two issues in ViewVC, a web-based interface for browsing Subversion and CVS repositories. The attack vectors involved files with unsafe names; names that, when embedded into an HTML stream, could cause the browser to run unwanted code.
You can find out more about the Debian LTS project via the following video: