Here is my monthly update covering what I have been doing in the free software world (previous month):
- Updated travis.debian.net, my hosted service for projects that host their Debian packaging on GitHub, to use the Travis CI continuous integration platform to test builds:
  - Support Debian "buster". (commit)
  - Set the TRAVIS=true environment variable when running autopkgtests. (#45)
- Updated the documentation in django-slack, my library to easily post messages to the Slack group-messaging utility, to link to Slack's own message formatting documentation. (#66)
- Added "buster" support to local-debian-mirror, my package to easily maintain and customise a local Debian mirror via the DebConf configuration tool. (commit)
Reproducible builds
Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.
The motivation behind the Reproducible Builds effort is to allow verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising identical results are always generated from a given source. Multiple third-parties then can come to a consensus on whether a build was compromised or not.
I have generously been awarded a grant from the Core Infrastructure Initiative to fund my work in this area.
This month I:
- Chaired our monthly IRC meeting. (Summary, logs, etc.)
- Presented at Hong Kong Open Source Conference 2017.
- Presented at LinuxCon China.
- Submitted the following patches to fix reproducibility-related toolchain issues within Debian:
- Submitted 6 patches to fix specific reproducibility issues in cd-hit, janus, qmidinet, singularity-container, tigervnc & xabacus.
- Submitted a wishlist request to the TeX mailing list to ensure that PDF files are reproducible even if generated from a difficult path, after identifying the underlying cause. (Thread)
- Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.
- Worked on publishing our weekly reports. (#110, #111, #112 & #113)
- Updated our website with 13 missing talks (e291180), updated the metadata for some existing talks (650a201) and added OpenEmbedded to the projects page (12dfcf0).
I also made the following changes to our tooling:
diffoscope
diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.
- Add a comparator for fontconfig cache files. (df8360b)
- Split and tidy diffoscope.difference module. (5efe539, 04008ee)
strip-nondeterminism
strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.
- Add libarchive-cpio-perl with the !nocheck build profile. (01e408e)
- Add dpkg-dev dependency build profile. (f998bbe)
Debian
My activities as the current Debian Project Leader are covered in my "Bits from the DPL" email to the debian-devel-announce mailing list. However, I:
- Attended a "stretch" release party at Tsinghua University, Beijing. Thanks to the local TUNA user group for organising.
- Posted an "Ask HN" thread to Hacker News entitled "What do you want to see in Debian 10?".
Debian LTS
This month I have been paid to work 16 hours on Debian Long Term Support (LTS). In that time I did the following:
- "Frontdesk" duties, triaging CVEs, etc.
- Issued DLA 974-1 fixing a command injection vulnerability in picocom, a dumb-terminal emulation program.
- Issued DLA 972-1 which patches a double-free vulnerability in the openldap LDAP server.
- Issued DLA 976-1 which corrects a buffer over-read vulnerability in the yodl ("Your Own Document Language") document processor.
- Issued DLA 985-1 to address a vulnerability in libsndfile (a library for reading/writing audio files) where a specially-crafted AIFF file could result in an out-of-bounds memory read.
- Issued DLA 990-1 to fix an infinite loop vulnerability in expat, an XML parsing library.
- Issued DLA 999-1 for the openvpn VPN server — if clients used an HTTP proxy with NTLM authentication, a man-in-the-middle attacker could cause the client to crash or disclose stack memory that was likely to contain the proxy password.
Uploads
- bfs (1.0.2-1) — New upstream release, add basic/smoke autopkgtests.
- installation-birthday (5) — Add some basic autopkgtest smoke tests and correct the Vcs-{Git,Browser} headers.
- python-django:
  - 1:1.11.2-1 — New upstream minor release & backport an upstream patch to prevent a test failure if the source is not writable. (#816435)
  - 1:1.11.2-2 — Upload to unstable, use the !nocheck profile for build dependencies that are only required for tests, and various packaging updates.
I also made the following non-maintainer uploads (NMUs):
- kluppe (0.6.20-1.1) — Fix segmentation fault caused by passing a truncated pointer instead of a GtkType. (#863421)
- porg (2:0.10-1.1) — Fix broken LD_PRELOAD path for libporg-log.so. (#863495)
- ganeti-instance-debootstrap (0.16-2.1) — Fix "illegal option for fgrep" error by using "--" to escape the search needle. (#864025)
- pavuk (0.9.35-6.1) — Fix segmentation fault when opening the "Limitations" window due to pointer truncation in src/gtkmulticol.[ch]. (#863492)
- timemachine (0.3.3-2.1) — Fix two segmentation faults in src/gtkmeter.c and gtkmeterscale.c caused by passing truncated pointers, using guint instead of a GtkType. (#863420)
- jackeq (0.5.9-2.1) — Fix another segmentation fault caused by passing a truncated pointer instead of a GtkType. (#863416)
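The truncation bug behind the kluppe, pavuk, timemachine and jackeq NMUs above, shown as an added example rather than code from any of those packages: on 64-bit Linux a GtkType (GType) is an unsigned long, so a function that declares the parameter as guint silently drops the high 32 bits of the handle, and whatever GTK later dereferences through it is garbage. The GtkType/guint typedefs, the DEMO_HANDLE value and the tiny type registry are constructed stand-ins for the example; the real packages' code differs, but the fix is the same, namely using the full-width GtkType in the prototype. Compiling with -Wconversion flags the narrowing call, which is the cheapest way to detect the remaining instances.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the GTK 1.x/2.x typedefs on 64-bit Linux: GtkType
 * (a GType) is pointer-sized, guint is 32 bits. Assumptions for this
 * example, not GTK's own headers. */
typedef unsigned long GtkType;
typedef unsigned int  guint;

/* Stand-in for GTK's type registry. Real GTK keys type nodes by the full
 * GtkType value; a truncated handle resolves to nothing and the caller then
 * dereferences garbage, which is the segmentation fault the NMUs fixed. */
#define REGISTRY_SIZE 4
struct type_node { GtkType type; const char *name; };
static struct type_node registry[REGISTRY_SIZE];
static size_t registry_used;

static GtkType register_type(const char *name, GtkType handle) {
    registry[registry_used].type = handle;
    registry[registry_used].name = name;
    registry_used++;
    return handle;
}

static const struct type_node *lookup_type(GtkType type) {
    for (size_t i = 0; i < registry_used; i++)
        if (registry[i].type == type) return &registry[i];
    return NULL;  /* GTK would log a critical; the caller then crashes */
}

/* Buggy prototype: the parameter is declared guint, so a 64-bit GtkType
 * passed in has its high 32 bits dropped at the call (gcc -Wconversion
 * warns here: "may change value"). */
static const struct type_node *widget_new_buggy(guint type) {
    return lookup_type(type);
}

/* Fixed prototype: the parameter has the full width of GtkType. */
static const struct type_node *widget_new_fixed(GtkType type) {
    return lookup_type(type);
}

/* Constructed handle with bits set above bit 31, as a pointer-sized
 * GType on 64-bit Linux typically has; a 32-bit build gets a value
 * that fits, so there the two prototypes behave the same. */
#if ULONG_MAX > 0xFFFFFFFFUL
#define DEMO_HANDLE ((GtkType)0x00007f00abcd1234UL)
#else
#define DEMO_HANDLE ((GtkType)0x7f001234UL)
#endif

/* 1 if the buggy prototype loses the type, 0 if it still resolves. */
int buggy_path_loses_type(void) {
    registry_used = 0;
    GtkType t = register_type("DemoWidget", DEMO_HANDLE);
    return widget_new_buggy(t) == NULL;
}

/* 1 if the fixed prototype resolves the registered type intact. */
int fixed_path_keeps_type(void) {
    registry_used = 0;
    GtkType t = register_type("DemoWidget", DEMO_HANDLE);
    const struct type_node *n = widget_new_fixed(t);
    return n != NULL && n->type == DEMO_HANDLE;
}

/* The narrowing is visible without GTK at all: round-trip through guint
 * and compare, which is what the buggy prototype does implicitly. */
int truncates_through_guint(GtkType t) {
    guint narrowed = (guint)t;
    return (GtkType)narrowed != t;
}

int main(void) {
    printf("sizeof(GtkType)=%zu sizeof(guint)=%zu\n",
           sizeof(GtkType), sizeof(guint));
    printf("buggy prototype loses type: %d\n", buggy_path_loses_type());
    printf("fixed prototype keeps type: %d\n", fixed_path_keeps_type());
    return 0;
}
```

On a 64-bit build the buggy path returns no type node while the fixed path resolves it; on a 32-bit build the two coincide, which is why these crashes only appeared on 64-bit architectures.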
Debian bugs filed
FTP Team
As a Debian FTP assistant I ACCEPTed 16 packages: faceup, golang-github-andybalholm-cascadia, haskell-miniutter, libplack-builder-conditionals-perl, libprelude, lua-argparse, network-manager-l2tp, node-gulp-concat, node-readable-stream, node-stream-assert, node-xterm, pydocstyle, pytest-bdd, python-iso3166, python-zxcvbn & stressant.