Here is my monthly update covering what I have been doing in the free software world during June 2019 (previous month):
Fixed an issue in my Python wrapper around Daniel Silverstone's libgfshare library that implements Shamir’s method for secret sharing, a technique to split a "secret" into multiple sections that gives each participant its own unique part. Here, I added support for embedded NUL bytes in the secret itself. [...]
As part of my duties of being on the board of directors of the Open Source Initiative I attended our monthly meeting and participated in various licensing discussions occurring on the internet, etc. In addition, due to a colleague no longer being able to commit to the position, I volunteered to take over as the ClearlyDefined project's official representative on the Board.
Reviewed and merged pull requests in both the django-enumfield and django-slack libraries of mine for the Django web application framework, the first to add translation support [...] and the second to add support for Slack layout blocks [...].
Whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed pre-compiled to end users. The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
The initiative is proud to be a member project of the Software Freedom Conservancy, a not-for-profit 501(c)(3) charity focused on ethical technology and user freedom. Conservancy acts as a corporate umbrella, allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
Yet more work around testing of the reproducibility status of Debian Installer images. In particular, I was working around and patching an issue stemming from us testing builds far into the "future". (#926242)
Authored four patches to fix specific reproducibility issues (in node-d3-scale-chromatic) and also submitted a patch for combblas to make its documentation reproducible (#931102).
Categorised a large number of packages and issues in the Reproducible Builds "notes" repository, including adding commented notes for
I then spent significant time working on buildinfo.debian.net, my experiment into how to process, store and distribute .buildinfo files after the Debian archive software has processed them. This included:
Started making the move to Python 3.x (and Django 2.x) [...], additionally performing a large number of adjacent cleanups including dropping the authentication framework [...], fixing a number of flake8 warnings [...], adding a setup.cfg to silence some warnings [...], moving to %-style interpolation and u"unicode" strings [...], etc.
I also added a number of (as-yet unreleased…) features, including caching the expensive landing page queries. [...]
Took the opportunity to start migrating the hosting from its current GitHub home to a more-centralised repository on salsa.debian.org, moving from the Travis to the GitLab continuous integration platform, updating the URL to the source in the footer [...] and many other related changes [...].
I also made the following changes to our tooling:
In diffoscope (our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues) I documented that run_diffoscope should not be considered a stable API [...] and adjusted the configuration to build our Docker image from the current Git checkout, not the Debian archive [...].
Finally, I spent a significant amount of time working on our website this month, including:
Move the remaining site to the newer website design. This was a long-outstanding task (#2) and required a huge number of changes, including moving all the event and documentation pages to the new design [...] and migrating/merging the old _layouts/page.html into the new design [...] too. This could then allow for many cleanups including moving/deleting files into cleaner directories, dropping a bunch of example layouts [...] and dropping the old "home" layout. [...]
Adding reports to the homepage. (#16)
I also took the opportunity to re-order and merge various top-level sections of the site to make the page easier to parse/navigate [...] and I updated the documentation for SOURCE_DATE_EPOCH to clarify that the alternative date(1) is for compatibility with BSD variants of UNIX [...].
Filed a bug against dh-r to drop automated package-contains-documentation-outside-usr-share-doc Lintian override generation. (#930369)
Even more hacking on the Lintian static analysis tool for Debian packages, including the following new features:
- Warn about files referencing /usr/bin/foo if the binary is actually installed under
--suppress-tags-from-file in the configuration file. (#930700)
… and the following bug fixes:
- Disable the duplicate word checker when analysing patch files. (#931183)
- Don't emit
dh invocation uses variables in its arguments. (#928283)
debconf(7) template names in maintainer scripts. (#930677)
/lib/runit/invoke-run as a known interpreter to avoid false positives in checking runit scripts under
- Add an exception for documentation outside of /usr/share/doc for "R" statistical computing modules as users expect them under
- Exclude X BitMap Graph files from being flagged as extra license files. (#930211)
- Avoid false-positives in source-contains-prebuilt-doxygen-documentation against Doxygen templates. (#930109)
Frontdesk duties, responding to user/developer questions, reviewing others' packages, etc.
Uploaded an i386 build of suricata on behalf of another LTS contributor.
Issued DLA 1832-1 for the libvirt virtualisation library to prevent a vulnerability where readonly clients could use the API to both specify an arbitrary path which would be accessed with the permissions of the libvirtd process as well as an arbitrary code execution vulnerability via the API where a user-specified binary was used to probe the domain's capabilities.
Worked with other LTS contributors to create promotional material to be distributed at the upcoming DebConf19 conference.