Here is my monthly update covering what I have been doing in the free software world during July 2021 (previous month):
As part of my role as assistant Secretary of the Open Source Initiative and a board director of Software in the Public Interest, I attended their respective monthly meetings. As outlined in last month's post, however, my term on the OSI board has been slightly extended due to the discovery of a vulnerability in OSI's recent election — as a result, the 2021 election is currently being re-run.
Reproducible Builds
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes. The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
This month, I:
- Updated the Lintian static analysis tool to check for Python tracebacks in manual pages, usually caused by failing help2man calls and the cause of avoidable reproducibility issues. (#984778 filed against the heudiconv package is a good example of the problem.) [...]
- Updated the main Reproducible Builds website and documentation, including migrating the 'history' page from the Debian wiki [...], making the emphasis on 2020 less prominent [...] and many other changes.
- Further work on an ecosystem map of organisations, projects, people and initiatives involved in reproducible builds.
- Kept isdebianreproducibleyet.com up to date. [...]
- Categorised several packages and issues in the Reproducible Builds 'notes.git' repository.
- Sorted out a billing issue after the purchase of Bytemark by iomart.
- Drafted, published and publicised our monthly report for June 2021.
- Announced and attended our monthly IRC meeting.
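As an added example of the kind of check described in the first item above (my own illustration, not Lintian's code): it scans a manual page for a Python traceback that help2man copied in because `--help` crashed, and returns the exception and the source paths the frames name; those absolute build-directory paths are assumed here to be the usual source of the build-to-build difference. The roff unescaping and the sample page are simplified assumptions.

```python
import re
from typing import List, NamedTuple

# Added example (not Lintian's own code): spot Python tracebacks that help2man
# copied into a manual page because `prog --help` crashed instead of printing usage.

TRACEBACK_START = re.compile(r"^Traceback \(most recent call last\):")
FRAME_LINE = re.compile(r'^File "(?P<path>[^"]+)", line \d+')

# Constructed sample, roughly what help2man emits when --help crashes.
SAMPLE_MANPAGE = r""".TH FOO "1" "July 2021" "foo 1.0" "User Commands"
.SH NAME
foo \- manual page for foo 1.0
.SH DESCRIPTION
Traceback (most recent call last):
File "/build/foo\-a1b2c3/foo/cli.py", line 12, in <module>
import frobnicate
ModuleNotFoundError: No module named 'frobnicate'
"""


class Traceback(NamedTuple):
    line: int         # 1-based line of the manual page where it starts
    exception: str    # final "SomeError: message" line
    paths: List[str]  # source files named by the frames (build paths leak here)


def unroff(line: str) -> str:
    if line.startswith("."):  # roff request such as .SH or .IP: not text
        return ""
    # Simplified undo of help2man escaping (assumed sufficient for this check).
    return line.replace("\\&", "").replace("\\-", "-").replace("\\e", "\\").strip()


def find_python_tracebacks(manpage: str) -> List[Traceback]:
    found, current, expect_source = [], None, False
    for n, raw in enumerate(manpage.splitlines(), 1):
        text = unroff(raw)
        if not text:
            continue
        if TRACEBACK_START.match(text):
            current = Traceback(n, "", [])
        elif current is None:
            continue
        elif (frame := FRAME_LINE.match(text)):
            current.paths.append(frame.group("path"))
            expect_source = True   # next line quotes the frame's source line
        elif expect_source:
            expect_source = False  # skip that quoted source line
        else:                      # anything else is the exception line
            found.append(current._replace(exception=text))
            current = None
    return found + ([current] if current else [])  # keep one cut off at end of page
```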
I also made the following changes to diffoscope, including preparing and uploading versions 178 and 179 to PyPI and Debian:
- Ensure that various LLVM tools are installed, even when testing whether a MacOS binary has no differences compared to itself. (#270)
- Rewrite how we calculate the 'fuzzy hash' of a file to make the control flow cleaner. [...][...]
- Don't traceback when encountering a broken symlink within a directory. (#269)
- Update some copyright years. [...]
Debian
Bugs filed
Uploads
- 6.0.15-1 — New upstream security release.
- 6.2.5-1 (to Debian experimental) — New upstream security release.
- 3.2.5-1 (to Debian experimental) — New upstream security release.
- 3.2.5-2 (to Debian experimental) — Don't symlink /usr/bin/django-admin to django-admin.py. Instead, ship the script generated by the Python entry_points system, otherwise we introduce a confusing django-admin.py-related deprecation message when using django-admin (i.e. without the .py extension). (#991098)
- 4.0.32-1 — New upstream release.
- 4.0.33-1 — New upstream release.
- 4.0.33-1+really4.0.32-1 — Revert to version 4.0.32-1 due to regressions on ARM systems affecting the Debian Installer. (#991403)
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- It was discovered that there was a potential entity-expansion issue in libjdom1-java, a lightweight and fast library for using XML. Attackers could have caused a denial of service via a specially-crafted HTTP request. I therefore issued DLA 2712-1 to address this problem.
- Issued DLA 2717-1 and ELA 460-1 for the redis key-value database system to address several integer overflow issues. Some BITFIELD commands were affected, although only on 32-bit systems. The issue was also addressed in Debian sid and experimental.
- Investigated and triaged icu (CVE-2021-30535), kimageformats (CVE-2021-36083), libsepol (CVE-2021-36084, CVE-2021-36085, CVE-2021-36086 & CVE-2021-36087), libuv1 (CVE-2021-22918), mediawiki (CVE-2021-35197), ndpi, php7.0 (CVE-2021-21704), postsrsd (CVE-2021-35525), putty (CVE-2021-36367), quassel (CVE-2021-34825), roundcube (CVE-2020-18670 & CVE-2020-18671), etc.
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, attending (and chairing) our monthly meeting, etc.