Here is my monthly update covering what I've been doing in the free software world during June 2022 (previous month):
- I'm entering my final month as a director of Software in the Public Interest, and I wish the organisation all the best in the future. This month, however, I attended its respective monthly meetings and participated in various licensing and other discussions occurring on the internet, as well as the usual internal discussions regarding onboarding new projects, etc.
- Opened pull requests to make the build reproducible in:
  - sphinxcontrib-mermaid, in order to make the class diagram generation reproducible. [...]
- Opened a pull request to correct a "certificate" typo in the Redis in-memory data store. [...]
- Updated my Tickle Me Email tool that implements Getting Things Done-like behaviours in any IMAP inbox, including moving messages in reverse order to ensure that internal IMAP message identifiers are not invalidated when acting on a folder with multiple messages [...] and, when injecting an email from a local file or pipe, supporting emails that do not have a Date field by artificially adding one [...].
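The two behaviours just described are easy to get wrong, so here is an added example (my own illustration in Python, not code from Tickle Me Email) that models them. The FakeFolder class, the sample subjects and the sample messages are constructed for the example; the folder models IMAP message sequence numbers, which RFC 3501 renumbers whenever a message leaves a folder, and the Date handling uses the standard library's email module.

```python
"""Added example (not Tickle Me Email code): (1) why a batch move over IMAP must
walk message sequence numbers in reverse, and (2) adding a Date header to an
injected message that lacks one."""
import email
import time
from email.utils import formatdate, parsedate_to_datetime


class FakeFolder:
    """Constructed stand-in for an IMAP folder.  Sequence numbers are 1-based
    positions (RFC 3501); when a message leaves the folder, every message after
    it is renumbered.  (UIDs, by contrast, are stable; this models seq numbers.)"""

    def __init__(self, subjects):
        self.messages = list(subjects)   # index i holds sequence number i + 1
        self.moved = []

    def move(self, seqno):
        if not 1 <= seqno <= len(self.messages):
            raise ValueError("no message with sequence number %d" % seqno)
        # COPY + \Deleted + EXPUNGE (or MOVE): message leaves, later ones shift down
        self.moved.append(self.messages.pop(seqno - 1))


def move_all(folder, seqnos, reverse):
    """Move the given sequence numbers.  Ascending order operates on stale
    numbers after the first move; descending order never does, because a
    move only renumbers the messages *after* the one removed."""
    for seqno in sorted(seqnos, reverse=reverse):
        folder.move(seqno)
    return list(folder.moved)


# Constructed sample messages, as they might arrive from a local file or pipe.
RAW_NO_DATE = b"From: a@example.com\r\nTo: b@example.com\r\nSubject: hi\r\n\r\nbody\r\n"
RAW_WITH_DATE = (b"From: a@example.com\r\nDate: Wed, 01 Jun 2022 12:00:00 +0000\r\n"
                 b"Subject: hi\r\n\r\nbody\r\n")


def ensure_date_header(raw, now=None):
    """Parse a raw RFC 5322 message and add a Date header if it has none.
    `now` is a POSIX timestamp; it defaults to the current time."""
    msg = email.message_from_bytes(raw)
    if msg["Date"] is None:
        msg["Date"] = formatdate(time.time() if now is None else now, usegmt=True)
    return msg


def date_timestamp(msg):
    """POSIX timestamp of the message's Date header (used to check the result)."""
    return int(parsedate_to_datetime(msg["Date"]).timestamp())


if __name__ == "__main__":
    # We want B and C moved out of the folder A, B, C, D.
    print(move_all(FakeFolder("ABCD"), [2, 3], reverse=False))   # ['B', 'D']: wrong message moved
    print(move_all(FakeFolder("ABCD"), [2, 3], reverse=True))    # ['C', 'B']: correct
    print(ensure_date_header(RAW_NO_DATE, now=1654041600)["Date"])
```

Moving in descending order is the same trick that makes deleting by index from a Python list safe; if the tool used UIDs (and the UID MOVE/UID COPY commands) instead of sequence numbers, the order would not matter.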
Reproducible Builds
The motivation behind Reproducible Builds is to ensure that no flaws have been introduced during the compilation process by promising that bit-for-bit identical results are always generated from a given source. Independent third parties can then rebuild the same source, compare their results and come to a consensus on whether a build was compromised.
The project is proud to be a member project of the Software Freedom Conservancy. Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
This month, I:
- Published a long post containing an interview with Hans-Christoph Steiner of the F-Droid project as part of our long-running "supporter spotlight" series [...][...][...]. This is actually the fifth instalment in a series featuring the projects, companies and individuals who support the Reproducible Builds project. We started this series by featuring the Civil Infrastructure Platform project and followed this up with a post about the Ford Foundation as well as recent ones about ARDC, the Google Open Source Security Team (GOSST) and Jan Nieuwenhuizen on Bootstrappable Builds, GNU Mes and GNU Guix.
- Filed upstream pull requests for sphinxcontrib-mermaid (in order to make the class diagram generation reproducible) [...] and yt-dlp (in order to make the build reproducible as a whole) [...].
- Kept isdebianreproducibleyet.com up to date. [...]
- Submitted a patch to fix a reproducibility-related toolchain issue in libxsmm (#1013257). I also submitted 7 patches to fix specific reproducibility issues in coffeescript, mapproxy, node-dommatrix, rtpengine, sphinxcontrib-mermaid, yaru-theme & yt-dlp.
- Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
- Various misc. updates to the main Reproducible Builds website and documentation, but also added a CoffeeScript example for the SOURCE_DATE_EPOCH variable documentation [...]. I also drafted, published and publicised our monthly report.
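To make the motivation above concrete, and to illustrate the SOURCE_DATE_EPOCH mechanism mentioned in the last item, here is an added example in Python (my own, not code from the Reproducible Builds project or its documentation). The toy build step, the sample source and the ticking clock are constructed for the example; the rule it implements, embedding SOURCE_DATE_EPOCH when the variable is set and the wall clock otherwise, is the one the SOURCE_DATE_EPOCH specification describes.

```python
"""Added example (not Reproducible Builds project code): a toy build step that
embeds a timestamp, showing why it is unreproducible without SOURCE_DATE_EPOCH
and how independent rebuilders reach consensus by comparing digests."""
import hashlib
import hmac
import itertools
import time
from datetime import datetime, timezone

# Constructed sample input "source".
SOURCE = b"console.log('hello')\n"


def ticking_clock(start):
    """A clock that advances one second per call: makes the non-determinism
    visible without sleeping between builds."""
    counter = itertools.count(start)
    return lambda: next(counter)


def build_timestamp(env, clock=time.time):
    """Timestamp to embed: SOURCE_DATE_EPOCH (seconds since the Unix epoch,
    as an integer) if set, otherwise the wall clock."""
    raw = env.get("SOURCE_DATE_EPOCH")
    if raw is None:
        return int(clock())
    return int(raw)          # ValueError on a malformed value is the right outcome


def build(source, env, clock=time.time):
    """Return (artifact, sha256 hex digest).  The generated header is the only
    environment-dependent part of the output."""
    ts = build_timestamp(env, clock)
    stamp = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    artifact = b"// generated " + stamp.encode() + b"\n" + source
    return artifact, hashlib.sha256(artifact).hexdigest()


def rebuilders_agree(source, env, builders=3, clock=time.time):
    """Simulate independent rebuilders (in reality: different machines, built
    on different days).  Consensus means every digest is identical."""
    digests = {build(source, env, clock)[1] for _ in range(builders)}
    return len(digests) == 1


def matches_published(artifact, published_digest):
    """A verifier compares its own rebuild against the digest a distributor
    published; a mismatch is the signal worth investigating."""
    return hmac.compare_digest(hashlib.sha256(artifact).hexdigest(), published_digest)


if __name__ == "__main__":
    clock = ticking_clock(1654041600)
    print("without SOURCE_DATE_EPOCH:", rebuilders_agree(SOURCE, {}, clock=clock))
    env = {"SOURCE_DATE_EPOCH": "1654041600"}     # e.g. the date of the last source change
    print("with SOURCE_DATE_EPOCH:   ", rebuilders_agree(SOURCE, env, clock=clock))
    artifact, digest = build(SOURCE, env)
    print(digest, matches_published(artifact, digest))
```

In a real package build the value comes from the packaging metadata (Debian derives it from the changelog date), so every rebuilder sees the same SOURCE_DATE_EPOCH without coordinating; diffoscope is what you reach for when the digests still differ.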
diffoscope
Elsewhere in our reproducibility-related tooling, I made the following changes to diffoscope, including preparing and uploading versions 215, 216 and 217 to Debian:
- New features:
- Bug fixes:
- Output improvements:
  - Don't leak the (likely-temporary) pathname when comparing PDF documents. [...]
- Logging improvements:
  - Update test fixtures for GNU readelf 2.38 (now in Debian unstable). [...][...]
  - Be more specific about the minimum required version of readelf (ie. binutils), as it appears that this 'patch' level version change resulted in a change of output, not the 'minor' version. [...]
  - Use our @skip_unless_tool_is_at_least decorator (NB. at_least) over @skip_if_tool_version_is (NB. is) to fix tests under Debian stable. [...]
  - Emit a warning if/when we are handling a UNIX TERM signal. [...]
- Codebase improvements:
Debian
Uploads
- 7.0.1-1 — New upstream release (to Debian experimental).
- 7.0.1-2 — Drop support for using the systemwide hiredis and Lua libraries, reverting to using the built-in cjson module, etc. (#1012658), and add an internal timeout for the cluster tests to prevent a build failure (#1011187).
- 7.0.1-3 — Fix a crash when systemd's ProcSubset=pid is in effect: /proc/sys/vm/overcommit_memory was inaccessible and a log warning message was incorrectly constructed in memory, resulting in a crash. In addition, add missing CPPFLAGS when building the hdr_histogram module.
- 7.0.1-4 — Upload the 7.x branch to Debian unstable.
- 7.0.2-1 — New upstream release, dropping various local patches that have been incorporated upstream.
- 7.0.2-2 — Add /lib to the allowed ExecPaths in the systemd configuration in order to support systems that have been /usr-merged (or not). (#1013172)
- 4.0.5-1 — Upload of the 4.x stable release stream to Debian unstable.
- 4.0.5-2 — Add an updated version of a patch to ensure compatibility with SQLite 3.37. (#1012784)
- 4.1~beta1-1 — New upstream beta release (to Debian experimental).
- hiredis (0.14.1-3) — Update a test for compatibility with Redis 7.x. (#1013615)
I also updated the packaging of all of my packages so that they use the semi-official GitLab CI pipeline definition for building and testing Debian packages.
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged exo, giflib (CVE-2021-40633), harfbuzz (CVE-2022-33068), librecad, ntfs-3g (CVE-2021-46790), nuitka (CVE-2022-2054), php-horde-mime-viewer, php7.0 (CVE-2022-31625 & CVE-2022-31626), plinth, request-tracker4 & waitress (CVE-2022-31015).
- Made some significant changes to the documentation of the new Git workflow for LTS and ELTS packages, including instructions if the imported package already contains a gbp.conf [...], fixing the automated build of the page itself [...], referencing external GitLab documentation [...], clarifying that the default branch is now called main [...] as well as various punctuation and grammar fixes [...][...][...].
Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Pushed the following to lts / lts-team.pages.debian.net:
- Issued DLA 3045-1 as it was discovered that there was a potential XSS vulnerability in the php-horde-mime-viewer package, a MIME viewer library for the Horde groupware platform.
- Issued DLA 3046-1 because it was discovered that there was a potential heap buffer overflow in LibreCAD, a popular computer-aided design system. Here, a specially crafted .dxf file could have led to arbitrary code execution.
- Issued DLA 3056-1 as it was discovered that attackers could execute arbitrary code because xdg-open would execute a .desktop file on an attacker-controlled FTP server.
- Issued DLA 3057-1 as it was discovered that there was an issue in Request Tracker, an extensible ticket/issue tracking system. Sensitive information could have been revealed by way of a timing attack on the authentication system.
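The DLA above only says that a timing attack on the authentication system could reveal sensitive information. The following added example (my own illustration in Python, not Request Tracker code and not a description of its specific bug) shows the general class: an early-exit string comparison leaks how many leading bytes of a guess were right, a per-byte search recovers the secret from that leak, and hmac.compare_digest removes it. The secret token, the alphabet and the step-count oracle are constructed stand-ins for a real credential and for latency measured over the network.

```python
"""Added example, not Request Tracker code: the timing-attack class in general.
A comparison that stops at the first mismatching byte leaks how many leading
bytes were right; an attacker recovers the secret one byte at a time."""
import hmac
import string

SECRET_TOKEN = "s3cr3t"                         # constructed sample secret
ALPHABET = string.ascii_lowercase + string.digits


def leaky_equal(expected, supplied):
    """Vulnerable: early-exit comparison.  Returns (match, steps), where
    `steps` is the number of bytes compared before bailing out and stands in
    for the latency an attacker would measure."""
    if len(expected) != len(supplied):
        return False, 0
    for i, (a, b) in enumerate(zip(expected, supplied)):
        if a != b:
            return False, i          # bailed out after i matching bytes
    return True, len(expected)


def constant_time_equal(expected, supplied):
    """Hardened: hmac.compare_digest's running time depends only on length,
    not on where the inputs first differ."""
    return hmac.compare_digest(expected.encode(), supplied.encode())


def recover_by_timing(oracle, length, alphabet):
    """Attacker loop: for each position, keep the candidate whose check ran
    longest.  `oracle(guess)` returns (match, steps); only `steps` is used."""
    known = ""
    for pos in range(length):
        pad = "\0" * (length - pos - 1)      # filler that is never a real token byte
        known += max(alphabet, key=lambda c: oracle(known + c + pad)[1])
    return known


def leaky_oracle(guess):
    return leaky_equal(SECRET_TOKEN, guess)


def hardened_oracle(guess):
    # compare_digest exposes no position-dependent cost, so report a constant.
    return constant_time_equal(SECRET_TOKEN, guess), 0


if __name__ == "__main__":
    print("against ==-style compare:", recover_by_timing(leaky_oracle, len(SECRET_TOKEN), ALPHABET))
    print("against compare_digest:  ", recover_by_timing(hardened_oracle, len(SECRET_TOKEN), ALPHABET))
```

Real measurements are noisy, so an attacker averages many requests per candidate; the defence is the same regardless: compare secrets (tokens, password hashes, MACs) with a constant-time primitive and, for passwords, run the same hash computation whether or not the user exists.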
You can find out more about the Debian LTS project via the following video: