Here is my monthly update covering what I have been doing in the free software world during July 2017 (previous month):
- Updated travis.debian.net, my hosted service for projects that host their Debian packaging on GitHub to use the Travis CI continuous integration platform to test builds:
- Updated django-slack, my library to easily post messages to the Slack group-messaging utility:
- Added Pascal support to Louis Taylor's anyprint hack to add support for "print" statements from other languages into Python. […]
- Filed a PR against Julien Danjou's daiquiri Python logging helper to clarify an issue in the documentation. […]
- Merged a PR to Strava Enhancement Suite — my Chrome extension that improves and fixes annoyances in the web interface of the Strava cycling and running tracker — to remove Zwift activities with maps. […]
- Submitted a pull request for Redis key-value database store to fix a spelling mistake in a binary. […]
- Sent patches upstream to the authors of the OpenSVC cloud engine and the Argyll Color Management System to fix some "1204" typos.
- Fixed a number of Python and deployment issues in my stravabot IRC bot. […]
- Corrected a "1204" typo in Facebook's RocksDB key-value store. […]
- Corrected =+ typos in the Calibre e-book reader software. […]
- Filed a PR against the diaspy Python interface to the DIASPORA social network to correct the number of seconds in a day. […]
- Sent a pull request to remedy a =+ typo in sparqlwrapper, a SPARQL endpoint interface for Python. […]
- Filed a PR against Postfix Admin to fix some =+ typos. […]
- Fixed a "1042" typo in ImageJ, a Java image processing library. […]
- On a less-serious note, I filed an issue for Brad Abraham's bot for the Reddit sub-reddit to add some missing "hit the gym" advice. […]
I also blogged about my recent Lintian hacking and installation-birthday package.
Reproducible builds
Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.
The motivation behind the Reproducible Builds effort is to permit verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
(I have generously been awarded a grant from the Core Infrastructure Initiative to fund my work in this area.)
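As an added illustration of the verification idea above (my own toy example, not code from any of the projects mentioned): a pretend "compiler" that embeds a build date, two rebuilders with different clocks, and a consensus check over the artifact digests they report. Honouring SOURCE_DATE_EPOCH, the convention used by the Reproducible Builds toolchain fixes, is what makes the two independent results agree.

```python
"""Toy reproducibility check: a wall-clock BUILD_DATE makes two rebuilds
differ, honouring SOURCE_DATE_EPOCH makes them byte-identical."""
import hashlib
import time
from collections import Counter

# Constructed stand-in for a source tree: one "file" to compile.
SOURCE = b"int main(void) { return 0; }\n"


def build(source: bytes, env: dict, clock=time.time) -> bytes:
    """Pretend-compile: emit the source plus a BUILD_DATE stamp.
    As a real toolchain should, prefer SOURCE_DATE_EPOCH over the clock."""
    epoch = env.get("SOURCE_DATE_EPOCH")
    stamp = int(epoch) if epoch is not None else int(clock())
    return source + b"BUILD_DATE=%d\n" % stamp


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def consensus(reports: dict) -> tuple:
    """Given {builder: sha256 of its artifact}, return the majority digest
    and the builders whose result disagrees with it (empty when reproducible)."""
    majority, _ = Counter(reports.values()).most_common(1)[0]
    dissenting = sorted(b for b, d in reports.items() if d != majority)
    return majority, dissenting


def demo() -> dict:
    # Two hypothetical builders whose clocks differ by an hour.
    clocks = {"builder-a": lambda: 1_500_000_000,
              "builder-b": lambda: 1_500_003_600}
    wall = {b: sha256(build(SOURCE, {}, c)) for b, c in clocks.items()}
    fixed_env = {"SOURCE_DATE_EPOCH": "1499000000"}
    fixed = {b: sha256(build(SOURCE, fixed_env, c)) for b, c in clocks.items()}
    return {"wall_clock": consensus(wall), "source_date_epoch": consensus(fixed)}


if __name__ == "__main__":
    for mode, (digest, dissent) in demo().items():
        print(f"{mode}: majority {digest[:12]}… dissenting={dissent}")
```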
This month I:
- Assisted Mattia with a draft of an extensive status update to the debian-devel-announce mailing list. There were interesting follow-up discussions on Hacker News and Reddit.
- Submitted the following patches to fix reproducibility-related toolchain issues within Debian:
- apt: Make the output of apt-ftparchive reproducible. Thanks to Colin Percival from Tarsnap for the initial bug report. (#869557)
- gconf: Make the output of /var/lib/gconf/defaults/%gconf-tree-*.xml files reproducible. (#867848, forwarded upstream)
- grunt: Make the output reproducible. (#867753, forwarded upstream)
- node-marked-man: Make the output reproducible. (#868321, forwarded upstream)
- xorg-server: Make BUILD_{DATE,TIME} reproducible. (#868843)
- I also submitted 5 patches to fix specific reproducibility issues in autopep8, castle-game-engine, grep, libcdio & tinymux.
- Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
- Worked on publishing our weekly reports. (#114, #115, #116 & #117)
I also made the following changes to our tooling:
diffoscope
diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.
- comparators.xml:
- APK files can also be identified as "DOS/MBR boot sector". (#868486)
- comparators.sqlite: Simplify file detection by replacing the manual recognizes() call with a Sqlite3Database.RE_FILE_TYPE definition. […]
- comparators.directory:
strip-nondeterminism
strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.
- Add missing File::Temp imports in the JAR and PNG handlers. This appears to have been exposed by lazily-loading handlers in #867982. (#868077)
buildinfo.debian.net
buildinfo.debian.net is my experiment into how to process, store and distribute .buildinfo files after the Debian archive software has processed them.
- Avoid a race condition between check-and-creation of Buildinfo instances. […]
Debian
My activities as the current Debian Project Leader are covered in my "Bits from the DPL" emails to the debian-devel-announce mailing list.
Patches contributed
- obs-studio: Remove annoying "click wrapper" on first startup. (#867756)
- vim: Syntax highlighting for debian/copyright files. (#869965)
- moin: Incorrect timezone offset applied due to "84600" typo. (#868463)
- ssss: Add a simple autopkgtest. (#869645)
- dch: Please bump $latest_bpo_dist to current stable release. (#867662)
- python-kaitaistruct: Remove Markdown and homepage references from package long descriptions. (#869265)
- album-data: Correct invalid Vcs-Git URI. (#869822)
- pytest-sourceorder: Update Homepage field. (#869125)
I also made a very large number of contributions to the Lintian static analysis tool. To avoid duplication here, I have outlined them in a separate post.
Debian LTS
This month I have been paid to work 18 hours on Debian Long Term Support (LTS). In that time I did the following:
- "Frontdesk" duties, triaging CVEs, etc.
- Issued DLA 1014-1 for libclamunrar, a library to add unrar support to the Clam anti-virus software, to fix an arbitrary code execution vulnerability.
- Issued DLA 1015-1 for the libgcrypt11 crypto library to fix a "sliding windows" information leak.
- Issued DLA 1016-1 for radare2 (a reverse-engineering framework) to prevent a remote denial-of-service attack.
- Issued DLA 1017-1 to fix a heap-based buffer over-read in the mpg123 audio library.
- Issued DLA 1018-1 for the sqlite3 database engine to prevent a vulnerability that could be exploited via a specially-crafted database file.
- Issued DLA 1019-1 to patch a cross-site scripting (XSS) exploit in phpldapadmin, a web-based interface for administering LDAP servers.
- Issued DLA 1024-1 to prevent an information leak in nginx via a specially-crafted HTTP range.
- Issued DLA 1028-1 for apache2 to prevent the leakage of potentially confidential information via providing Authorization Digest headers.
- Issued DLA 1033-1 for the memcached in-memory object caching server to prevent a remote denial-of-service attack.
Uploads
- redis:
- 4:4.0.0-1 — Upload new major upstream release to unstable.
- 4:4.0.0-2 — Make /usr/bin/redis-server in the primary package a symlink to /usr/bin/redis-check-rdb in the redis-tools package to prevent duplicate debug symbols that result in a package file collision. (#868551)
- 4:4.0.0-3 — Add -latomic to LDFLAGS to avoid a FTBFS on the mips & mipsel architectures.
- 4:4.0.1-1 — New upstream version. Install 00-RELEASENOTES as the upstream changelog.
- 4:4.0.1-2 — Skip non-deterministic tests that rely on timing. (#857855)
- python-django:
- 1:1.11.3-1 — New upstream bugfix release. Check DEB_BUILD_PROFILES consistently, not DEB_BUILD_OPTIONS.
- bfs:
- 1.0.2-2 & 1.0.2-3 — Use help2man to generate a manpage.
- 1.0.2-4 — Set hardening=+all for bindnow, etc.
- 1.0.2-5 & 1.0.2-6 — Don't use upstream's release target as it overrides our CFLAGS & install RELEASES.md as the upstream changelog.
- 1.1-1 — New upstream release.
- libfiu:
- 0.95-4 — Apply patch from Steve Langasek to fix autopkgtests. (#869709)
- python-daiquiri:
- 1.0.1-1 — Initial upload. (ITP)
- 1.1.0-1 — New upstream release.
- 1.1.0-2 — Tidy package long description.
- 1.2.1-1 — New upstream release.
I also reviewed and sponsored the uploads of gtts-token 1.1.1-1 and nlopt 2.4.2+dfsg-3.
Debian bugs filed
FTP Team
As a Debian FTP assistant I ACCEPTed 45 packages: 2ping, behave, cmake-extras, cockpit, cppunit1.13, curvedns, flask-mongoengine, fparser, gnome-shell-extension-dash-to-panel, graphene, gtts-token, hamlib, hashcat-meta, haskell-alsa-mixer, haskell-floatinghex, haskell-hashable-time, haskell-integer-logarithms, haskell-murmur-hash, haskell-quickcheck-text, haskell-th-abstraction, haskell-uri-bytestring, highlight.js, hoel, libdrm, libhtp, libpgplot-perl, linux, magithub, meson-mode, orcania, pg-dirtyread, prometheus-apache-exporter, pyee, pytest-pep8, python-coverage-test-runner, python-digitalocean, python-django-imagekit, python-rtmidi, python-transitions, qdirstat, redtick, ulfius, weresync, yder & zktop.
I additionally filed 5 RC bugs against packages that had incomplete debian/copyright files: cockpit, cppunit, cppunit1.13, curvedns & highlight.js.