Here is my monthly update covering what I have been doing in the free software world during June 2018 (previous month):
- My activities as the current Debian Project Leader are covered in my "Bits from the DPL" email to the debian-devel-announce mailing list.
- Tom Yates published "Toward a fully reproducible Debian" on LWN based on my keynote presentation at FLOSSUK 2018 earlier this year.
- Presented at FOSS Backstage in Berlin on Reproducible Builds and how they can prevent developers being targets for malicious attacks as well as on the history of the Open Source Initiative.
- Created a merge request to make the Debian Installer images reproducible [...] as well as authored two required patches to fix non-determinism in GNU Mtools (#900409 & #900410)
- For the Tails website, I reproduced, identified & patched an issue in the Ikiwiki wiki compiler where the first inline directive would be translated but subsequent inlines of the same file would result in the raw contents of the .po being inserted into the page instead. [...]
- Opened a pull request for the kitty shell to support -T as an alias for --title to ensure it meets Debian Policy §11.8.3. [...]
- Corrected a typo in the screenfetch screenshot utility [...] and a number of trivial typos in systemd [...]. I also pushed some cosmetic changes to the DebConf subtitle project regarding my diffoscope talk at MiniDebConf in Hamburg, Germany last month [...].
- Even more hacking on the Lintian static analysis tool for Debian packages:
  - New features:
    - Warn if debhelper is in Build-Depends-{Arch,Indep} but not Build-Depends. (#901507)
    - Warn if a debhelper "addon" is in Build-Depends-{Arch,Indep} but not in Build-Depends. (#901631)
    - Permit python2 (etc.) as substitutes for python for missing-dep-for-interpreter et al. (#901075)
    - Update the Vcs-* checks for PureOS now that Git layout has introduced sub-groups.
  - Bug fixes:
    - Ignore "low" ASCII characters in ELF headers to avoid false-positives in Go libraries. (#898809)
    - Avoid #!/usr/bin/r false-positives when checking missing-dep-for-interpreter. (#901228)
    - Fix a false-positive in version-substvar-for-external-package when the "external" package is actually a "Provides" in the current source package. (#833608)
    - Ignore .debuginfo files under /usr/lib/jvm to prevent false-positives in shared-lib-without-dependency-information. (#900268)
    - Prevent false-positives in invalid-version-number-for-derivative. [...]
    - Drop non-hyphenated versions of "re-enable" and "re-enabled". [...]
    - Drop "some system" from the list of multiword spelling corrections. (#900670)
  - Documentation:
  - Misc:
    - Drop the "experimental" flag for override_dh_auto_test-does-not-check-DEB_BUILD_OPTIONS. [...]
    - Disable invalid-version-number-for-derivative for native packages. [...]
    - Don't use a potentially undefined value in .service files. [...]
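As an added illustration of the two Build-Depends checks listed above (example code written for this post, not Lintian's own Perl implementation), the following parses a constructed debian/control stanza and reports debhelper, or an addon, that appears only in Build-Depends-Arch/Indep; treating any package named dh-* as an addon is an assumption, not Lintian's actual heuristic:

```python
import re

# Constructed debian/control source stanza (not taken from any real package).
SAMPLE_CONTROL = """\
Source: example
Maintainer: Example Maintainer <maint@example.org>
Build-Depends: pkg-config, po-debconf
Build-Depends-Arch: debhelper (>= 11~), libfoo-dev [linux-any]
Build-Depends-Indep: dh-python, python3-all <!nocheck>
"""

def parse_stanza(text):
    """Parse one deb822 stanza into a dict, joining continuation lines."""
    fields, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and key:
            fields[key] += " " + line.strip()
        else:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def dep_names(field_value):
    """Bare package names in a dependency field: version constraints '(...)',
    arch lists '[...]' and profiles '<...>' are dropped; alternatives count."""
    names = set()
    for item in field_value.split(","):
        for alt in item.split("|"):
            name = re.sub(r"\(.*?\)|\[.*?\]|<.*?>", "", alt).strip()
            if name:
                names.add(name)
    return names

def check_debhelper_placement(control_text):
    """Warn when debhelper or an addon appears only in the Arch/Indep fields.
    Assumption (not Lintian's real heuristic): an addon is any package
    whose name starts with 'dh-'."""
    fields = parse_stanza(control_text)
    main = dep_names(fields.get("Build-Depends", ""))
    warnings = []
    for field in ("Build-Depends-Arch", "Build-Depends-Indep"):
        for name in sorted(dep_names(fields.get(field, ""))):
            if name == "debhelper" and name not in main:
                warnings.append(f"debhelper in {field} but not Build-Depends")
            elif name.startswith("dh-") and name not in main:
                warnings.append(f"addon {name} in {field} but not Build-Depends")
    return warnings
```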
Reproducible builds
Whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed pre-compiled to end users.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising that identical results are always generated from a given source, thus allowing multiple third parties to come to a consensus on whether a build was compromised.
This month:
- Tom Yates published a post titled Toward a fully reproducible Debian on Linux Weekly News based on my keynote presentation at FLOSSUK 2018 earlier this year.
- Created a series of patches to make the Debian Installer images reproducible [...] as well as wrote two required patches to fix non-determinism in GNU Mtools (#900409 & #900410).
- Presented at FOSS Backstage in Berlin on how reproducible builds can prevent developers being targets for malicious attacks.
- Rewrote a call to readdir_r(3) to use readdir(3) in disorderfs (our FUSE-based filesystem that deliberately introduces non-determinism) as the former has been deprecated in glibc. This silences a -Wdeprecated-declarations GCC warning. [...]
- Made the following changes to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues:
- Filed an upstream pull request for sphinx-gallery (#901307). I also submitted 10 patches to fix specific reproducibility issues in allegro4.4, clipper, chemeq, cpl-plugin-uves, enigmail, log4cxx, nlohmann-json3, opgpcard, pyraf & vm.
- Updated strip-nondeterminism (our tool to remove specific non-deterministic results from a completed build) to respect the nocheck build profile in DEB_BUILD_OPTIONS. [...]
- Categorised a large number of packages and issues in the Reproducible Builds "notes" repository and worked on publishing our weekly reports. (#161, #162, #163, #164 & #165)
- Fixed two typos in our jenkins.debian.net testing framework. ([1] & [2])
- Made a number of changes to our website, including adding linkable slugs to the resources page [...], importing more presentations from the Debian wiki page [...] as well as adding a missing SEAGL talk [...], updating Steven Chamberlain's "Fun with .buildinfo" talk [...], etc.
Debian
Patches contributed
- git-buildpackage: Suggest import-dscs --debsnap for people looking for --download. (#900606)
- Updated the Debian packaging for blinker to add a missing test for nocheck build profile in DEB_BUILD_OPTIONS. [...]
- nlohmann-json3: Ignores "nocheck" in DEB_BUILD_OPTIONS and always runs testsuite. (#900549)
- python-defaults: Fix a typo in dh_python2 manpage. (#901079)
- Updated the Debian packaging for sshtunnel to correct the capitalisation in the package description. [...]
Debian LTS
This month I worked 18 hours on Debian Long Term Support (LTS) and 7 hours on its sister Extended LTS project. In that time I did the following:
- "Frontdesk" duties, triaging CVEs, responding to user questions, etc.
- A fair amount of initial setup and administration to accommodate the introduction of the new "Extended LTS" initiative as well as the transition of LTS from supporting Debian wheezy to jessie:
  - Fixing various shared scripts, including adding pushing to the remote repository for ELAs [...] and updating hard-coded wheezy references [...]. I also added instructions on exactly how to use the kernel offered by Extended LTS [...].
  - Updating, expanding and testing my personal scripts and workflow to also work for the new "Extended" initiative.
- Provided some help on updating the Mercurial packages. [...]
- Began work on updating/syncing the ca-certificates packages in both LTS and Extended LTS.
- Issued DLA 1395-1 to fix two remote code execution vulnerabilities in php-horde-image, the image processing library for the Horde <https://www.horde.org/> groupware tool. The original fix applied upstream has a regression in that it ignores the "force aspect ratio" option, which I have fixed upstream.
- Issued ELA 9-1 to correct an arbitrary file write vulnerability in the archiver plugin for the Plexus compiler system — a specially-crafted .zip file could overwrite any file on disk, leading to a privilege escalation.
- During the overlap time between the support of wheezy and jessie I took the opportunity to address a number of vulnerabilities in all suites for the Redis key-value database, including CVE-2018-12326, CVE-2018-11218 & CVE-2018-11219 (via #902410 & #901495).
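The arbitrary file write behind ELA 9-1 above is the classic archive problem of entry names that resolve outside the extraction directory, which a containment check catches before anything is written. This is an added Python example for this post, not Plexus's code; the archive is constructed in memory and the destination directory is a placeholder:

```python
import io
import os
import zipfile


def unsafe_members(zf, dest):
    """Names of entries whose extraction path would land outside dest.

    Each entry name is resolved against the destination directory; any
    that normalises to a path outside it (absolute names, '..' components)
    is reported instead of being written.
    """
    dest = os.path.realpath(dest)
    escaping = []
    for info in zf.infolist():
        name = info.filename.replace("\\", "/")  # normalise separators first
        target = os.path.realpath(os.path.join(dest, name))
        if os.path.commonpath([dest, target]) != dest:
            escaping.append(info.filename)
    return escaping


def safe_extract(zf, dest):
    """Refuse the whole archive if any entry escapes dest, else extract."""
    escaping = unsafe_members(zf, dest)
    if escaping:
        raise ValueError(f"entries escape {dest}: {escaping}")
    zf.extractall(dest)


def build_sample_zip():
    """Constructed archive: one benign entry plus two traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/README", "benign\n")
        zf.writestr("../../etc/overwritten-by-traversal", "traversal\n")
        zf.writestr("/absolute/target", "absolute\n")
    buf.seek(0)
    return buf


def check_sample(dest="/srv/unpack"):
    """Run the check against the constructed archive without extracting."""
    with zipfile.ZipFile(build_sample_zip()) as zf:
        return unsafe_members(zf, dest)
```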
Uploads
- redis:
  - 4.0.9-3 — Make /var/log/redis, etc. owned by the adm group. (#900496)
  - 4.0.10-1 — New upstream security release (#901495). I also uploaded this to stretch-backports and backported the packages to stretch.
  - Proposed 3.2.6-3+deb9u2 for inclusion in the next Debian stable release to address an issue in the systemd .service file. (#901811, #850534 & #880474)
- lastpass-cli (1.3.1-1) — New upstream release, taking over maintainership and completely overhauling the packaging. (#898940, #858991 & #842875)
- python-django:
  - 1.11.13-2 — Fix compatibility with Python 3.7. (#902761)
  - 2.1~beta1-1 — New upstream release (to experimental).
- installation-birthday (11) — Fix an issue in calculating the age of the system by always preferring the oldest mtime we can find. (#901005)
- bfs (1.2.2-1) — New upstream release.
- libfiu (0.96-4) — Apply upstream patch to make the build more robust with --as-needed. (#902363)
- I also sponsored an upload of yaml-mode (0.0.13-1) for Nicholas Steeves.
Debian bugs filed
FTP Team
As a Debian FTP assistant I ACCEPTed 35 packages: aptly, argon2, changeme, cryptsetup, csv-mode, debian-el, dgit, dpkg-dev-el, easyloggingpp, ell, genometester, gkl, glib-d, golang-github-json-iterator-go, golang-github-modern-go-concurrent, golang-github-modern-go-reflect2, haskell-bindings-uname, haskell-servant-client-core, kdecoration, libctl, libopencsd, magit-popup, monero, nb2plots, neutron, play.it, pyaxmlparser, python-bx, python-cartopy, python-django-rest-hooks, python-furl, python-orderedmultidict, python-pytest-asyncio, qtlocation-opensource-src & sshtunnel.
I additionally filed 3 RC bugs against packages that had potentially-incomplete debian/copyright files: easyloggingpp, magit-popup & monero.