June 30th 2018

Free software activities in June 2018

Here is my monthly update covering what I have been doing in the free software world during June 2018 (previous month):

Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws almost all software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

This month:


Patches contributed

Debian LTS

This month I have been worked 18 hours on Debian Long Term Support (LTS) and 7 hours on its sister Extended LTS project. In that time I did the following:

  • "Frontdesk" duties, triaging CVEs, responding to user questions, etc.
  • A fair amount of initial setup and administraton to accomodate the introduction for the new "Extended LTS" initiative as well as for the transition of LTS moving from supporting Debian wheezy to jessie:
    • Fixing various shared scripts, including adding pushing to the remote repository for ELAs [...] and updating hard-coded wheezy references [...]. I also added instructions on exactly how to use the kernel offered by Extended LTS [...].
    • Updating, expanding and testing my personal scripts and workflow to also work for the new "Extended" initiative.
  • Provided some help on updating the Mercurial packages. [...]
  • Began work on updating/syncing the ca-certificates packages in both LTS and Extended LTS.
  • Issued DLA 1395-1 to fix two remote code execution vulnerabilities in php-horde-image, the image processing library for the Horde <https://www.horde.org/> groupware tool. The original fix applied upstream has a regression in that it ignores the "force aspect ratio" option which I have fixed upstream .
  • Issued ELA 9-1 to correct an arbitrary file write vulnerability in the archiver plugin for the Plexus compiler system — a specially-crafted .zip file could overwrite any file on disk, leading to a privilege esclation.
  • During the overlap time between the support of wheezy and jessie I took the opportunity to address a number of vulnerabilities in all suites for the Redis key-value database, including CVE-2018-12326, CVE-2018-11218 & CVE-2018-11219) (via #902410 & #901495).


  • redis:
    • 4.0.9-3 — Make /var/log/redis, etc. owned by the adm group. (#900496)
    • 4.0.10-1 — New upstream security release (#901495). I also uploaded this to stretch-backports and backported the packages to stretch.
    • Proposed 3.2.6-3+deb9u2 for inclusion in the next Debian stable release to address an issue in the systemd .service file. (#901811, #850534 & #880474)
  • lastpass-cli (1.3.1-1) — New upstream release, taking over maintership and completely overhauling the packaging. (#898940, #858991 & #842875)
  • python-django:
    • 1.11.13-2 — Fix compatibility with Python 3.7. (#902761)
    • 2.1~beta1-1 — New upstream release (to experimental).
  • installation-birthday (11) — Fix an issue in calcuclating the age of the system by always prefering the oldest mtime we can find. (#901005
  • bfs (1.2.2-1) — New upstream release.
  • libfiu (0.96-4) — Apply upstream patch to make the build more robust with --as-needed. (#902363)
  • I also sponsored an upload of yaml-mode (0.0.13-1) for Nicholas Steeves.

Debian bugs filed

  • cryptsetup-initramfs: "ERROR: Couldn't find sysfs hierarchy". (#902183)
  • git-buildpackage: Assumes capable UTF-8 locale. (#901586)
  • kitty: Render and ship HTML versions of asciidoc. (#902621)
  • redis: Use the system Lua to avoid an embedded code copy. (#901669)

You can subscribe to new posts via email or RSS.