Here is my monthly update covering what I have been doing in the free software world during June 2020 (previous month):
- Opened two pull requests against the Ghostwriter distraction-free Markdown editor to:
- Will McGugan's "Rich" is a Python library to output formatted text, tables, syntax etc. to the terminal. I filed a pull request in order to allow for easy enabling and disabling of displaying the file path in Rich's `logging` handler. (#115)
- As part of my duties of being on the board of directors of the Open Source Initiative and Software in the Public Interest I attended their respective monthly meetings and participated in various licensing and other discussions occurring on the internet, as well as the usual internal discussions regarding logistics and policy etc.
- Filed a pull request against the PyQtGraph Scientific Graphics and graphical user interface library to make the documentation build reproducibly. (#1265)
- Reviewed and merged a large number of changes by Pavel Dolecek to my Strava Enhancement Suite, a Chrome extension to improve the user experience on the Strava athletic tracker.
For Lintian, the static analysis tool for Debian packages:
- Don't emit `breakout-link` for architecture-independent `.jar` files under `/usr/lib`. (#963939)
- Correct a reference to `override_dh_` in the long description of the `excessive-debhelper-overrides` tag. [...]
- Update `data/fields/perl-provides` for Perl 5.030003. [...]
- Check for `execute_after` and `execute_before` spelling mistakes just like `override_*`. [...]
Reproducible Builds
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
The project is proud to be a member project of the Software Freedom Conservancy. Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
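The consensus idea above can be made concrete. The following is an added example, not code from this post or from the Reproducible Builds project: it digests a build output tree by contents alone, then checks whether a quorum of independent rebuilders reported the same digest. The builder names and file contents are constructed placeholders; one builder embeds a build timestamp, a typical reproducibility bug, so its output differs.

```python
import hashlib
from collections import Counter
from typing import Dict, List, Optional, Tuple


def artifact_digest(files: Dict[str, bytes]) -> str:
    """SHA-256 over a build output tree, path-sorted, contents only.

    Ownership, permissions and mtimes are deliberately left out: bit-for-bit
    identical contents are what a reproducible build promises, so that is
    what the digest covers. Each path and length is mixed in so that moving
    bytes between files cannot yield the same digest.
    """
    h = hashlib.sha256()
    for path in sorted(files):
        data = files[path]
        h.update(path.encode("utf-8") + b"\0")
        h.update(len(data).to_bytes(8, "big"))
        h.update(data)
    return h.hexdigest()


def consensus(reports: Dict[str, str], quorum: int = 2) -> Tuple[Optional[str], List[str]]:
    """Given digest reports from independent rebuilders, return the digest that
    at least `quorum` of them agree on, plus the builders that disagree.

    With no quorum the build is unverified: (None, every builder). A dissenter
    is not necessarily the compromised party; consensus only tells you that
    the builds differ and which ones to investigate.
    """
    if not reports:
        return None, []
    digest, count = Counter(reports.values()).most_common(1)[0]
    if count < quorum:
        return None, sorted(reports)
    return digest, sorted(b for b, d in reports.items() if d != digest)


# Constructed sample (not real Debian rebuild data): the same source built by
# four builders. Three produce identical output; builder-d stamps the build
# time into the README, so its tree hashes differently.
CLEAN_TREE = {
    "usr/bin/tool": b"\x7fELF...constructed binary...",
    "usr/share/doc/tool/README": b"tool 1.0\n",
}
TIMESTAMPED_TREE = dict(CLEAN_TREE, **{
    "usr/share/doc/tool/README": b"tool 1.0\nBuilt on 2020-06-30 14:02 UTC\n",
})
REPORTS = {
    "builder-a": artifact_digest(CLEAN_TREE),
    "builder-b": artifact_digest(CLEAN_TREE),
    "builder-c": artifact_digest(CLEAN_TREE),
    "builder-d": artifact_digest(TIMESTAMPED_TREE),
}


def verify_sample() -> Tuple[Optional[str], List[str]]:
    """Require three of the four builders to agree before trusting the build."""
    return consensus(REPORTS, quorum=3)


if __name__ == "__main__":
    agreed, dissent = verify_sample()
    print("agreed digest:", agreed)
    print("builders to investigate:", dissent)
```

The quorum is the security parameter: an attacker who can tamper with one build host cannot move the agreed digest unless they control `quorum` hosts. Note that agreement says nothing about the source itself, only that the compile and distribution step was not tampered with relative to it.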
This month, I:
- Filed a pull request against PyQtGraph to make the documentation build reproducibly. (#1265)
- Addressed a regression in the `octave-queueing` package in the handling of absolute paths in Texinfo files. (#962187)
- Submitted the following patches to fix reproducibility-related toolchain issues within Debian:
- Contributed to a discussion regarding improving the reproducibility of packages that use the CMake build system. [...]
- Added to a conversation regarding the nondeterministic execution order of Debian maintainer scripts that results in the arbitrary allocation of UNIX group IDs, referencing the Tails operating system. [...]
- I also submitted 14 patches to fix specific reproducibility issues in fonts-anonymous-pro, gftl, golang-github-viant-toolbox, golang-v2ray-core, libmbim, libqmi, neovim-qt, netcdf-fortran, petitboot, python-pauvre, python-pyqtgraph, python-stem, seqtools & tkabber-plugins.
- Kept isdebianreproducibleyet.com up to date. [...][...]
- Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
- Updated the main Reproducible Builds website and documentation to limit the number of "news" posts to, for example, avoid showing items from 2017. [...]
- Drafted, published and publicised our monthly report.
Elsewhere in our tooling, I made the following changes to diffoscope including preparing and uploading versions 147, 148 and 149 to Debian:
- New features:
- Bug fixes:
  - Prevent a traceback when comparing PDF documents that did not contain metadata (ie. a PDF `/Info` stanza). (#150)
  - Fix compatibility with jsondiff version 1.2.0. (#159)
  - Fix an issue in GnuPG keybox file handling that left filenames in the diff. [...]
  - Correct detection of JSON files due to a missing call to `File.recognizes` that checks candidates against `file(1)`. [...]
- Output improvements:
- Logging improvements:
  - Log calls to `subprocess.check_output` by using a wrapper. (#151)
  - Clarify that we are generating presenter formats in a debug-level message. [...]
  - Log the version of jsondiff used. [...]
- Testsuite improvements:
- Codebase improvements:
  - Replace obscure references to "WF" with "Wagner-Fischer" for clarity. [...]
  - Use a semantic `AbstractMissingType` type instead of remembering to check for both types of "missing" files. [...]
  - Add a comment regarding a potential security issue in the `.changes`, `.dsc` and `.buildinfo` comparators. [...]
  - Drop a large number of unused imports. [...][...][...][...][...]
  - Make many code sections more Pythonic. [...][...][...][...]
  - Prevent some variable aliasing issues. [...][...][...]
  - Use some tactical f-strings to tidy up code [...][...] and remove explicit `u"unicode"` strings [...].
  - Refactor a large number of routines for clarity. [...][...][...][...]
trydiffoscope is the web-based version of diffoscope. This month, I specified a location for the celerybeat scheduler to ensure that the clean/tidy tasks are actually called which had caused an accidental resource exhaustion. (#12)
Debian
I filed three bugs against:
- cmark: Please update the homepage URI. (#962576)
- petitboot: Please update `Vcs-Git` URLs. (#963123)
- python-pauvre: FTBFS if the `DISPLAY` environment variable is exported. (#962698)
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 5¼ hours on its sister Extended LTS project.
- Investigated and triaged `angular.js` [...], `icinga2` [...], `intel-microcode` [...], `jquery` [...], `pdns-recursor` [...], `unbound` [...] & `wordpress` [...].
- Frontdesk duties, including responding to user/developer questions, reviewing others' packages, participating in mailing list discussions as well as attending our contributor meeting.
- Issued DLA 2233-1 to fix two issues in the Django web development framework: a potential data leakage via malformed memcached keys (CVE-2020-13254) and a cross-site scripting attack in the Django administration system (CVE-2020-13596). This was followed by DLA 2233-2 to address a regression, as well as uploads to Debian stretch (`1.10.7-2+deb9u9`) and buster (`1.11.29-1~deb10u1`). (More info)
- Issued DLA 2235-1 to prevent a file descriptor leak in the D-Bus message bus (CVE-2020-12049).
- Issued DLA 2239-1 for a security module for using the TACACS+ authentication service to prevent an issue where shared secrets such as private server keys were being added in plaintext to various logs.
- Issued DLA 2244-1 to address an escaping issue in PHPMailer, an email generation utility class for the PHP programming language.
- Issued DLA 2252-1 for the ngircd IRC server as it was discovered that there was an out-of-bounds access vulnerability in the server-to-server protocol.
- Issued DLA 2253-1 to resolve a vulnerability in Lynis, a security auditing tool, because a shared secret could be obtained by simple observation of the process list when a data upload is being performed.
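The Lynis issue above is an instance of a general bug: anything placed on a command line is readable by every local user through `/proc/<pid>/cmdline`, which is what `ps` shows. The following added example (not Lynis, not its upload client, and not code from this post) spawns a constructed stand-in child in two ways, with the secret in argv and with the secret on stdin, and reads the child's command line back through procfs to show which one leaks. `secret_visible` is a name chosen here; it returns `None` on systems without procfs rather than guessing.

```python
import os
import subprocess
import sys
from typing import List, Optional

# Constructed stand-in for a client that authenticates an upload with a
# shared secret. Both variants sleep so the parent can inspect them.
# Variant A (the Lynis-style bug): key arrives as a command-line argument.
CHILD_ARGV_KEY = [sys.executable, "-c",
                  "import sys, time; key = sys.argv[2]; time.sleep(30)"]
# Variant B (hardened): key arrives as one line on stdin, never in argv.
CHILD_STDIN_KEY = [sys.executable, "-c",
                   "import sys, time; key = sys.stdin.readline().strip(); time.sleep(30)"]


def procfs_available() -> bool:
    return os.path.exists("/proc/self/cmdline")


def read_cmdline(pid: int) -> List[str]:
    """Return another process's argv exactly as `ps` would, via /proc.

    This file is world-readable by default, which is why a secret in argv is
    an information disclosure to any local account, not just root."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return [a.decode(errors="replace") for a in f.read().split(b"\0") if a]


def secret_visible(secret: str, via_stdin: bool) -> Optional[bool]:
    """Spawn the client and report whether `secret` appears in its argv.

    Popen only returns after exec() has happened, so the cmdline read here is
    the child's own, not an inherited copy of ours. None means no procfs."""
    if not procfs_available():
        return None
    cmd = CHILD_STDIN_KEY if via_stdin else CHILD_ARGV_KEY + ["--license-key", secret]
    with subprocess.Popen(cmd, stdin=subprocess.PIPE) as proc:
        if via_stdin:
            proc.stdin.write(secret.encode() + b"\n")
            proc.stdin.flush()
        try:
            leaked = any(secret in arg for arg in read_cmdline(proc.pid))
        finally:
            proc.kill()
    return leaked


if __name__ == "__main__":
    key = "constructed-example-secret"
    print("argv  variant leaks secret:", secret_visible(key, via_stdin=False))
    print("stdin variant leaks secret:", secret_visible(key, via_stdin=True))
```

Passing the secret through stdin, a file with restrictive permissions, or a pre-opened file descriptor keeps it out of the process list. Environment variables are only a partial fix: `/proc/<pid>/environ` is readable by the same user and by root, and many tools dump their environment into logs.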
You can find out more about the project via the following video:
Uploads
- redis (`6.0.4-1` & `6.0.5-1`) — New upstream releases.
- `2.2.13-1` — New upstream security release followed by a fix for an upstream regression in `2.2.13-2`.
- `3.0.7-1` — New upstream security release followed by a fix for an upstream regression in `3.0.7-2`.
- `3.1~beta1-1` — New upstream beta release.