Free software activities in July 2025

Here is my monthly update covering what I have been doing in the free software world during July 2025 (previous month):

• Opened a pull request to add Redis ver. $REDIS_VERSION output to the LOLWUT Easter Egg output in Redis as some testsuites were relying on it being present. […]

• Merged a series of commits from Olivier Sels to use Python setuptools package autodiscovery in django-slack, my library that provides a convenient wrapper between projects using the Django web development framework and the Slack chat platform. […]

Reproducible Builds

One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.

This month, I:

• Filed an (incorrect) upstream pull request for the Meson build system. […]

• In Debian:

  • Kept isdebianreproducibleyet.com up to date. […]

  • Submitted 2 patches to fix specific reproducibility issues in piglit & rust-microformats.

• Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.

• Drafted, published and publicised our monthly report for June 2025.

• Spent a significant amount of time preparing for FOSSY 2025 in Portland, OR, including work on a presentation and creating promotional materials.

• Add a tmpfs to try.diffoscope.org so that diffoscope has a non-trivial temporary area to unpack archives, etc. […]

• Updated the main Reproducible Builds website and documentation to:

  • Replace the rbtlog run by Fay by `rbtlog run by Benl on the Who is involved page. […]
  • Add a centered version of the RB logo. […]

Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions 301, 302 and 303 to Debian:

• Improvements:

  • Use Difference.from_operation in an attempt to pipeline the output of the extract-vmlinux script, potentially avoiding it all in memory. […]
  • Memoize a number of calls to --version, saving a very large number of external subprocess calls.

• Bug fixes:

  • Don't check for PyPDF version 3 specifically, check for versions greater than 3. […]
  • Ensure that Java class files are named .class on the filesystem before passing them to javap(1). […]
  • Mask stderr from extract-vmlinux script. […][…]
  • Avoid spurious differences in h5dump output caused by exposure of absolute internal extraction paths. ([]#1108690]()(https://bugs.debian.org/1108690))

• Misc:

  • Use our_check_output in the ODT comparator. […]
  • Update copyright years. […]

Debian

• python-django (5.2.4-1) — New upstream bugfix release.

• redis:

  • 8.0.2-2 — Address two security issues, CVE-2025-32023 and CVE-2025-48367.
  • 8.0.2-3 — Add a patch to re-add Redis ver. $REDIS_VERSION output to the LOLWUT Easter Egg output as a some testsuites were relying on it being present. This upstream change was made in 8.0.2, not in 8.0.0.
  • Filed an unblock preapproval for the latest version(s) of Redis so that it will be present in Debian trixie. (#1108985)

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

• Issued DLA 4238-1 as it was discovered that there was a link following vulnerability in sslh, a protocol multiplexor often used to share SSH and HTTPS on the same port.

• Issued DLA 4240-1 and ELA-1481-1 for the Redis key-value database server. This was to address two issues:

  • CVE-2025-32023: An authenticated user may have used a specially-crafted string to trigger a stack/heap out-of-bounds write during hyperloglog operations, potentially leading to a remote code execution vulnerability. Installations that used Redis' ACL system to restrict hyperloglog HLL commands are unaffected by this issue.

  • CVE-2025-48367: An unauthenticated connection could have caused repeated IP protocol errors, leading to client starvation and ultimately become a Denial of Service (DoS) attack

• Issued DLA 4261-1 as it was discovered that there was a potential HTTP Parameter Pollution (HPP) issue in node-form-data, a tool to create multipart/form-data streams module in Node.js applications.

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc. and triaging packages.

• I also prepared an update for Redis in Debian bookworm, addressing CVE-2025-48367, CVE-2025-32023 and CVE-2025-48367.

You can find out more about the Debian LTS project via the following video:

You can subscribe to new posts via email or RSS.