Here is my monthly update covering what I have been doing in the free software world during June 2019 (previous month):
- Fixed an issue in my Python wrapper around Daniel Silverstone's `libgfshare` library that implements Shamir's method for secret sharing, a technique to split a "secret" into multiple sections that gives each participant its own unique part. Here, I added support for embedded NUL bytes in the secret itself. [...]
- As part of my duties of being on the board of directors of the Open Source Initiative I attended our monthly meeting and participated in various licensing discussions occurring on the internet, etc. In addition, due to a colleague no longer being able to commit to the position I volunteered to take over as the ClearlyDefined project's official representative on the Board.
- Reviewed and merged pull requests in both the django-enumfield and django-slack libraries of mine for the Django web application framework, the first to add translation support [...] and the second to add support for Slack layout blocks [...].
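What byte-wise secret splitting looks like, as an added Python example that is independent of `libgfshare` and its wrapper (the field polynomial `0x11B`, the share layout and the sample secret are my assumptions, not libgfshare's): every byte of the secret, NUL bytes included, becomes the constant term of its own random polynomial over GF(2^8), and share `x` stores that polynomial evaluated at `x`. Any `threshold` shares recover the byte by Lagrange interpolation at zero. Because the scheme works on whole bytes and never treats the secret as a C string, embedded NULs and the secret's length survive the round trip, which is exactly the property the wrapper fix was about.

```python
from __future__ import annotations

import secrets
from itertools import combinations

# AES field modulus x^8 + x^4 + x^3 + x + 1. Assumption: any irreducible
# degree-8 polynomial works here; this is not libgfshare's table choice.
POLY = 0x11B


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements, reducing modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (a^255 == 1 for every non-zero a)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def split_secret(secret: bytes, threshold: int, n_shares: int) -> dict[int, bytes]:
    """Split `secret` into n_shares pieces, any `threshold` of which recover it.

    Each byte (NUL included) is the constant term of a fresh random polynomial
    of degree threshold-1; share x receives that polynomial evaluated at x.
    """
    if not 1 <= threshold <= n_shares <= 255:
        raise ValueError("need 1 <= threshold <= n_shares <= 255")
    shares = {x: bytearray() for x in range(1, n_shares + 1)}
    for s in secret:
        coeffs = [s] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for x in shares:
            y = 0
            for c in reversed(coeffs):  # Horner's rule, highest degree first
                y = gf_mul(y, x) ^ c
            shares[x].append(y)
    return {x: bytes(y) for x, y in shares.items()}


def combine_shares(shares: dict[int, bytes]) -> bytes:
    """Recover the secret by Lagrange interpolation of each byte at x = 0."""
    xs = list(shares)
    lengths = {len(v) for v in shares.values()}
    if len(lengths) != 1:
        raise ValueError("shares have differing lengths")
    out = bytearray()
    for pos in range(lengths.pop()):
        acc = 0
        for xi in xs:
            basis = 1
            for xj in xs:
                if xj != xi:
                    # L_i(0) = prod_j (0 - x_j) / (x_i - x_j); in GF(2^8) "-" is XOR
                    basis = gf_mul(basis, gf_mul(xj, gf_inv(xi ^ xj)))
            acc ^= gf_mul(shares[xi][pos], basis)
        out.append(acc)
    return bytes(out)


if __name__ == "__main__":
    secret = b"pass\x00phrase\x00"  # constructed sample with embedded NUL bytes
    parts = split_secret(secret, threshold=3, n_shares=5)
    for subset in combinations(parts, 3):
        assert combine_shares({x: parts[x] for x in subset}) == secret
    print("recovered:", combine_shares({x: parts[x] for x in (1, 2, 3)}))
```

Fewer than `threshold` shares interpolate to an unrelated byte string, so the check at the end is only meaningful with a full quorum; a production implementation would also authenticate shares so a tampered one cannot silently corrupt the result.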
Reproducible builds
Whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed pre-compiled to end users. The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
The initiative is proud to be a member project of the Software Freedom Conservancy, a not-for-profit 501(c)(3) charity focused on ethical technology and user freedom. Conservancy acts as a corporate umbrella, allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
This month:
- Yet more work around testing of the reproducibility status of Debian Installer images. In particular, I was working around and patching an issue stemming from us testing builds far into the "future". (#926242)
- Authored four patches to fix specific reproducibility issues (in `node-d3-contour`, `node-d3-fetch`, `node-d3-hierarchy` & `node-d3-scale-chromatic`) and also submitted a patch for `combblas` to make its documentation reproducible (#931102).
- Categorised a large number of packages and issues in the Reproducible Builds "notes" repository, including adding commented notes for `botan`, `bro`, `crac`, `genius`, `gudhi`, `gxemul`, `jboss-xnio`, `libkolabxml`, `metview`, `o2`, `rhythmbox`, `rr`, `skimage` & `tbb`.
- Drafted, published and publicised our monthly report and kept isdebianreproducibleyet.com up to date. [...]
I then spent significant time working on buildinfo.debian.net, my experiment into how to process, store and distribute .buildinfo files after the Debian archive software has processed them. This included:
- Started making the move to Python 3.x (and Django 2.x) [...][...][...][...][...][...][...], additionally performing a large number of adjacent cleanups including dropping the authentication framework [...], fixing a number of flake8 warnings [...], adding a `setup.cfg` to silence some warnings [...], moving to `__str__` and `str.format(...)` over `%`-style interpolation and `u"unicode"` strings [...], etc.
- I also added a number of (as-yet unreleased…) features, including caching the expensive landing page queries. [...]
- Took the opportunity to start migrating the hosting from its current GitHub home to a more-centralised repository on salsa.debian.org, moving from the Travis to the GitLab continuous integration platform, updating the URL to the source in the footer [...] and many other related changes [...].
- Applied the Black "uncompromising code formatter" to the codebase. [...]
I also made the following changes to our tooling:
- strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build. This month, I added support for the clamping of `tIME` chunks in `.png` files. [...]
- In diffoscope (our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues) I documented that `run_diffoscope` should not be considered a stable API [...] and adjusted the configuration to build the Docker image from the current Git checkout, not the Debian archive [...].
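How such a clamp works, as an added Python illustration rather than strip-nondeterminism's own (Perl) code: a PNG `tIME` chunk holds a UTC year/month/day/hour/minute/second, so a timestamp later than `SOURCE_DATE_EPOCH` is rewritten to that instant and the chunk's CRC recomputed, while earlier timestamps are left exactly as they are (a clamp, not a blanket overwrite). The PNG produced by `build_sample_png` is a constructed sample input, and the `1561939200` fallback (the first second of July 2019) is an assumption used only when the environment variable is unset.

```python
import os
import struct
import zlib
from datetime import datetime, timezone

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def iter_chunks(data: bytes):
    """Yield (offset, type, payload) for every chunk, verifying each CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc_bytes) != 4:
            raise ValueError(f"truncated {ctype!r} chunk at offset {pos}")
        (crc,) = struct.unpack(">I", crc_bytes)
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk at offset {pos}")
        yield pos, ctype, payload
        pos += 12 + length


def make_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialise a chunk: length, type, payload, CRC-32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def time_chunk_to_epoch(payload: bytes) -> int:
    """Decode the 7-byte tIME payload (UTC) into a Unix timestamp."""
    year, month, day, hour, minute, second = struct.unpack(">H5B", payload)
    stamp = datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    return int(stamp.timestamp())


def epoch_to_time_chunk(epoch: int) -> bytes:
    """Encode a Unix timestamp as a tIME payload."""
    t = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return struct.pack(">H5B", t.year, t.month, t.day, t.hour, t.minute, t.second)


def clamp_png_time(data: bytes, source_date_epoch: int) -> bytes:
    """Return `data` with every tIME later than source_date_epoch set to it.

    Earlier timestamps are preserved; the payload stays 7 bytes, so no
    later chunk offsets move and the file length is unchanged.
    """
    out = bytearray(data)
    for offset, ctype, payload in iter_chunks(data):
        if ctype == b"tIME" and time_chunk_to_epoch(payload) > source_date_epoch:
            replacement = make_chunk(b"tIME", epoch_to_time_chunk(source_date_epoch))
            out[offset:offset + 12 + len(payload)] = replacement
    return bytes(out)


def build_sample_png(time_epoch: int) -> bytes:
    """Constructed 1x1 greyscale PNG carrying a tIME chunk (sample input only)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit greyscale
    idat = zlib.compress(b"\x00\x00")  # filter byte followed by one pixel
    return (PNG_SIGNATURE
            + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"tIME", epoch_to_time_chunk(time_epoch))
            + make_chunk(b"IDAT", idat)
            + make_chunk(b"IEND", b""))


if __name__ == "__main__":
    # Assumption: fall back to 2019-07-01T00:00:00Z when the variable is unset.
    sde = int(os.environ.get("SOURCE_DATE_EPOCH", "1561939200"))
    late = build_sample_png(sde + 86400)
    clamped = clamp_png_time(late, sde)
    for _, ctype, payload in iter_chunks(clamped):
        if ctype == b"tIME":
            print("tIME now", datetime.fromtimestamp(time_chunk_to_epoch(payload), tz=timezone.utc))
```

Verifying the CRC before trusting a chunk matters in a tool that runs over arbitrary build output: a corrupt or malicious length field would otherwise steer the rewrite to the wrong offset.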
Finally, I spent significant amount of time working on our website this month, including:
- Moved the remaining site to the newer website design. This was a long-outstanding task (#2) and required a huge number of changes, including moving all the event and documentation pages to the new design [...] and migrating/merging the old `_layouts/page.html` into the new design [...] too. This then allowed for many cleanups including moving/deleting files into cleaner directories, dropping a bunch of example layouts [...] and dropping the old "home" layout. [...]
- Added reports to the homepage. (#16)
- I also took the opportunity to re-order and merge various top-level sections of the site to make the page easier to parse/navigate [...][...] and I updated the documentation for `SOURCE_DATE_EPOCH` to clarify that the alternative `-r` call to `date(1)` is for compatibility with BSD variants of UNIX [...].
- Made a large number of visual fixups, particularly to accommodate the principles of responsive web design. [...][...][...][...][...]
- Updated the lint functionality of the build system to check for URIs that are not using `{{ "/foo/" | prepend: site.baseurl }}`-style relative URLs. [...]
Debian
- Filed a bug against `dh-r` to drop automated `package-contains-documentation-outside-usr-share-doc` Lintian override generation. (#930369)
- Filed a bug against the `alot` package to report that it will FTBFS in the future due to the testsuite validating time-limited GPG signatures. (#930057)
- As a Debian FTP assistant I ACCEPTed 6 packages: apt, nvidia-cuda-toolkit, papi, qttools-opensource-src, swaybg & yubikey-personalization.
Lintian
Even more hacking on the Lintian static analysis tool for Debian packages, including the following new features:
- Warn about files referencing `/usr/bin/foo` if the binary is actually installed under `/usr/sbin/foo`. (#930702)
- Support `--suppress-tags-from-file` in the configuration file. (#930700)
… and the following bug fixes:
- Disable the duplicate word checker when analysing patch files. (#931183)
- Don't emit `pkg-js-tools-test-is-missing` if the `dh` invocation uses variables in its arguments. (#928283)
- Interpolate `$DPKG_MAINTSCRIPT_PACKAGE` within `debconf(7)` template names in maintainer scripts. (#930677)
- Add `/lib/runit/invoke-run` as a known interpreter to avoid false positives in checking runit scripts under `/etc/sv`. (#930701)
- Add an exception for documentation outside of `/usr/share/doc` for "R" statistical computing modules as users expect them under `/usr/lib/R/site-library`. (#930311)
- Exclude X BitMap Graph files from being flagged as extra license files. (#930211)
- Avoid false-positives in `source-contains-prebuilt-doxygen-documentation` against Doxygen templates. (#930109)
Debian LTS
This month I have worked 17 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged CVE-2016-9969, CVE-2018-19800, CVE-2018-19801, CVE-2018-19802, CVE-2019-10156, CVE-2019-11708, CVE-2019-12308, CVE-2019-12495, CVE-2019-12616, CVE-2019-12779 & CVE-2019-8943.
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, etc.
- Uploaded an i386 build of `suricata` on behalf of another LTS contributor.
- Uploaded `zookeeper` version `3.4.9-3+deb9u2` and `minissdpd` version `1.2.20130907-4.1+deb9u1` to `stretch-security` to fix various security vulnerabilities in the Debian `stable` distribution (eg. #929297).
- Issued DLA 1814-1 for the Django web-development framework to fix a cross-site scripting (XSS) vulnerability.
- Issued DLA 1819-1 for PyXDG, a Python library to access freedesktop.org variables, etc.
- Issued DLA 1832-1 for the libvirt virtualisation library to prevent a vulnerability where read-only clients could use the API to specify an arbitrary path which would be accessed with the permissions of the `libvirtd` process, as well as an arbitrary code execution vulnerability via the API where a user-specified binary was used to probe the domain's capabilities.
- Worked with other LTS contributors to create promotional material to be distributed at the upcoming DebConf19 conference.

