Here is my monthly update covering what I have been doing in the free software world during July 2018 (previous month):
- My activities as the current Debian Project Leader are covered in my "Bits from the DPL" email to the debian-devel-announce mailing list.
- I am currently at DebConf18 in Hsinchu, Taiwan where I have presented two talks so far, the first entitled Bits from the DPL but I was also extremely honoured to be invited to join Bdale Garbee, Enrico Zini and Steve McIntyre to a plenary session on "Ignoring Negativity". DebConf was also preceeded by DebCamp, a week where Developers can focus on their Debian-related projects, tasks or problems.
- Earlier in the month I attended the GUADEC 2018 conference and an Open Source Initiative board member call.
- Created a pull request to expose RSS syndication feeds on Pixelfed profile pages. [...]
- Created a work-in-progress Gitlab Enhancement Suite browser extension to work around a few personal annoyances with the web-based graphical user interface.
- Fixed an issue in my AptFs virtual filesystem to correct an issue where specifying the max_unpacked_packages resulted in packages never being cleaned up. [...]
- Added a deprecation warning to the Liferea feed reader in the Tails operating system. [...]
- Added the ability to disable sending of mail entirely to my Fastmail Enhancement Suite browser extension.
- Even more hacking on the Lintian static analysis tool for Debian packages:
- New features:
- Debian Policy 4.1.5 adopts FHS 3.0 so permit files in /usr/libexec. (#834607)
- Policy 10.4 states that Perl scripts must use /usr/bin/perl, not via /usr/bin/env. (#904414)
- Add "flaky" and "skippable" to the list of known Restrictions in test suite definitions. (#904623)
- Add 4.1.5 as a known Standards-Version. [...]
- Warn about mispellings of Rules-Requires-Root. (#904522)
- Check for mismatched Vcs-* fields. (#903690)
- Add the Julia programming language as a known interpreter. (#904140)
- Bug fixes:
- Don't emit r-data-without-readme-source by checking that .rda files aret actually R data files. (#903435)
- Correctly warn about packages using sensible-utils without a relationship. (#872611)
- Support parsing the filename component of tar -tvf output when delimited by multiple spaces. (#903307)
- Don't emit old-python-version-field for X-Python3-Version 3.5 just yet. (#903399)
- Add support and update tests for the Vcs-Git [subdir] syntax. (#903103)
- Replace references to an unknown libjs-normalize.css package. (#902926)
- Recognise that some hosting providers support multiple services. [...]
- Don't emit missing-depends-on-sensible-utils for Lintian itself. [...]
- New features:
- Merged a number of contributions for my django-cache-toolbox "non-magical" caching library for Django web applications as well as contributions to my django-force-logout.
- Prevented an XSS attack in the job search filtering on jobs.freenode.net. [...]
- Merged a patch to my python-fadvise posix_fadvise(2) wrapper library to close file objections in the case of errors. [...]
Whilst anyone can inspect the source code of free software for malicious flaws almost all software is distributed pre-compiled to end users.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
This month I:
- Performed a Non Maintainer Upload of the GNU mtools package in order to address two reproducibility-related bugs (#900409 & #900410) that are blocking the inclusion of my previous merge request to the Debian Installer to make the installation images (ISO, hd-media, netboot, etc,) bit-for-bit reproducible.
- Kept isdebianreproducibleyet.com up to date. [...]
- Submitted the following patches to fix reproducibility-related toolchain issues within Debian:
- I also submitted a patch to fix a specific reproducibility issue in v4l2loopback.
- Worked on publishing our weekly reports. (#166, #167, #168, #169 & #170)
- I also made the following changes to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues:
- Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
- "Frontdesk" duties, triaging CVEs, responding to user questions/queries, etc.
- Hopefully final updates to various scripts — both local and shared — to accommodate and support the introduction of the new "Extended LTS" initiative.
- Issued DLA 1417-1 for ca-certificates, updating the set of Certificate Authority (CA) certificates that are considered "valid" or otherwise should be trusted by systems.
- Issued DLA 1419-1 for ruby-sprockets to fix a path traversal issue exploitable via file:// URIs.
- Issued DLA 1420-1 for the Cinnamon Desktop Environment where a symlink attack could permit an attacker to overwrite an arbitrary file on the filesystem.
- Issued DLA 1427-1 for znc to address a path traversal vulnerability via ../ filenames in "skin" names as well as to fix an issue where insufficient validation could allow writing of arbitrary values to the znc.conf config file.
- Issued DLA 1443-1 for evolution-data-server to fix an issue where rejected requests to upgrade to a secure connection did not result in the termination of the connection.
- Issued DLA 1448-1 for policykit-1, uploading Abhijith PA's fix for a denial of service vulnerability.
- Issued ELA-13-1 for ca-certificates, also updating the set of Certificate Authority (CA) certificates that are considered "valid" or otherwise should be trusted by wheezy systems.
- python-django (1.11.14-1 & 2.1~rc1-1) — New upstream releases.
- redis (5:4.0.10-2) — Apply a patch from Daniel Shahaf to fix an issue in the manpage. (#903044)
- lastpass-cli (1.3.1-3 & 1.3.1-4) — Fix flaky/unreliable autopkgtests. (#903316)
- gunicorn (19.9.0-1), aptfs (0.13.0-1), bfs (1.2.3-1) & adminer (4.6.3-1) — New upstream releases.
Debian bugs filed
- cod-tools: Missing build-depends. (#903689)
- network-manager-openvpn: "Cannot specify device when activating VPN" error when connecting. (#903109)
- ukwm: override_dh_auto_test doesn't respect nocheck build profile. (#904889)
- ITP: gpg-encrypted-root — Encrypt root volumes with an OpenPGP smartcard. (#903163)
- gnumeric: ssconvert segmentation faults. (#903194)
As a Debian FTP assistant I ACCEPTed 213 packages: ahven, apache-mode-el, ats2-lang, bar-cursor-el, bidiui, boxquote-el, capstone, cargo, clevis, cockpit, crispy-doom, cyvcf2, debian-gis, devscripts-el, elementary-xfce, emacs-pod-mode, emacs-session, eproject-el, feedreader, firmware-nonfree, fwupd, fwupdate, gmbal, gmbal-commons, gmbal-pfl, gnome-subtitles, gnuastro, golang-github-avast-retry-go, golang-github-gdamore-encoding, golang-github-git-lfs-gitobj, golang-github-lucasb-eyer-go-colorful, golang-github-smira-go-aws-auth, golang-github-ulule-limiter, golang-github-zyedidia-clipboard, graphviz-dot-mode, grub2, haskell-iwlib, haskell-lzma, hyperscan, initsplit-el, intel-ipsec-mb, intel-mkl, ivulncheck, jaxws-api, jitterentropy-rngd, jp, json-c, julia, kitty, leatherman, leela-zero, lektor, libanyevent-fork-perl, libattribute-storage-perl, libbio-tools-run-alignment-clustalw-perl, libbio-tools-run-alignment-tcoffee-perl, libcircle-be-perl, libconvert-color-xterm-perl, libconvert-scalar-perl, libfile-copy-recursive-reduced-perl, libfortran-format-perl, libhtml-escape-perl, libio-fdpass-perl, libjide-oss-java, libmems, libmodule-build-pluggable-perl, libmodule-build-pluggable-ppport-perl, libnet-async-irc-perl, libnet-async-tangence-perl, libnet-cidr-set-perl, libperl-critic-policy-variables-prohibitlooponhash-perl, libppix-quotelike-perl, libpqxx, libproc-fastspawn-perl, libredis-fast-perl, libspatialaudio, libstring-tagged-perl, libtickit-async-perl, libtickit-perl, libtickit-widget-scroller-perl, libtickit-widget-tabbed-perl, libtickit-widgets-perl, libu2f-host, libuuid-urandom-perl, libvirt-dbus, libxsmm, lief, lightbeam, limesuite, linux, log4shib, mailscripts, mimepull, monero, mutter, node-unicode-data, octavia, octavia-dashboard, openstack-cluster-installer, osmo-iuh, osmo-mgw, osmo-msc, pg-qualstats, pg-stat-kcache, pgzero, php-composer-xdebug-handler, plasma-browser-integration, powerline-gitstatus, ppx-tools-versioned, pyside2, python-certbot-dns-gehirn, python-certbot-dns-linode, python-certbot-dns-sakuracloud, python-cheroot, python-django-dbconn-retry, python-fido2, python-ilorest, python-ipfix, python-lupa, python-morph, python-pygtrie, python-stem, pywws, r-cran-callr, r-cran-extradistr, r-cran-pkgbuild, r-cran-pkgload, r-cran-processx, rawtran, ros-ros-comm, ruby-bindex, ruby-marcel, rust-ar, rust-arrayvec, rust-atty, rust-bitflags, rust-bytecount, rust-byteorder, rust-chrono, rust-cloudabi, rust-crossbeam-utils, rust-csv, rust-csv-core, rust-ctrlc, rust-dns-parser, rust-dtoa, rust-either, rust-encoding-rs, rust-filetime, rust-fnv, rust-fuchsia-zircon, rust-futures, rust-getopts, rust-glob, rust-globset, rust-hex, rust-httparse, rust-humantime, rust-idna, rust-indexmap, rust-is-match, rust-itoa, rust-language-tags, rust-lazy-static, rust-libc, rust-memoffset, rust-nodrop, rust-num-integer, rust-num-traits, rust-openssl-sys, rust-os-pipe, rust-rand, rust-rand-core, rust-redox-termios, rust-regex, rust-regex-syntax, rust-remove-dir-all, rust-same-file, rust-scoped-tls, rust-semver-parser, rust-serde, rust-sha1, rust-sha2-asm, rust-shared-child, rust-shlex, rust-string-cache-shared, rust-strsim, rust-tar, rust-tempfile, rust-termion, rust-time, rust-try-lock, rust-ucd-util, rust-unicode-bidi, rust-url, rust-vec-map, rust-void, rust-walkdir, rust-winapi, rust-winapi-i686-pc-windows-gnu, rust-winapi-x86-64-pc-windows-gnu, rustc, simavr, tabbar-el, tarlz, ukui-media, ukui-menus, ukui-power-manager, ukui-window-switch, ukwm, vanguards, weevely & xml-security-c.
I also filed wishlist-level bugs against the following packages with potential licensing improvements:
- pgzero: Please inline/summarise web-based licensing discussion in debian/copyright. (#904674)
- plasma-browser-integration: "This_file_is_part_of_KDE" in debian/copyright? (#903713)
- rawtran: Please split out debian/copyright. (#904589)
- tabbar-el: Please inline web-based comments in debian/copyright. (#904782)
- feedreader: Please use wildcards in debian/copyright. (#904631)
Lastly, I filed 10 RC bugs against packages that had potentially-incomplete debian/copyright files against: ahven, ats2-lang, fwupd, ivulncheck, libmems, libredis-fast-perl, libtickit-widget-tabbed-perl, lief, rust-humantime & rust-try-lock.