Here is my monthly update covering what I've been doing in the free software world during June 2022 (previous month):
I'm entering my final month as a director of Software in the Public Interest, and I wish the organisation all the best in the future. This month, however, I attended its respective monthly meetings and participated in various licensing and other discussions occurring on the internet, as well as the usual internal discussions regarding onboarding new projects, etc.
Opened pull requests to make the build reproducible in:
Updated my Tickle Me Email tool that implements Getting Things Done-like behaviours in any IMAP inbox, including moving messages in reverse order to ensure that internal IMAP message identifiers are not invalidated when acting on a folder with multiple messages [...] and, when injecting an email from a local file or pipe, supporting emails that do not have a `Date` field by artificially adding one [...].
The motivation behind Reproducible Builds is to ensure no flaws have been introduced during this compilation process by promising that identical results are always generated from a given source, thus allowing multiple third parties to come to a consensus on whether a build was compromised.
The project is proud to be a member project of the Software Freedom Conservancy. Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
This month, I:
- Published a long post containing an interview with Hans-Christoph Steiner of the F-Droid project as part of our long-running "supporter spotlight" series [...][...][...]. This is actually the fifth instalment in a series featuring the projects, companies and individuals who support the Reproducible Builds project. We started this series by featuring the Civil Infrastructure Platform project and followed this up with a post about the Ford Foundation as well as recent ones about ARDC, the Google Open Source Security Team (GOSST) and Jan Nieuwenhuizen on Bootstrappable Builds, GNU Mes and GNU Guix.
- Submitted a patch to fix a reproducibility-related toolchain issue in libxsmm (#1013257). I also submitted 7 patches to fix specific reproducibility issues in coffeescript, mapproxy, node-dommatrix, rtpengine, sphinxcontrib-mermaid, yaru-theme & yt-dlp.
- Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
- Various misc. updates to the main Reproducible Builds website and documentation, but also added a CoffeeScript example for the SOURCE_DATE_EPOCH variable documentation [...]. I also drafted, published and publicised our monthly report.
Elsewhere in our reproducibility-related tooling, I made the following changes to diffoscope, including preparing and uploading versions 215, 216 and 217 to Debian:
- Don't leak the (likely-temporary) pathname when comparing PDF documents. [...]
- Update test fixtures for GNU readelf 2.38 (now in Debian unstable). [...][...]
- Be more specific about the minimum required version of readelf (i.e. binutils), as it appears that this 'patch' level version change resulted in a change of output, not the 'minor' version. [...]
- Use our is) to fix tests under Debian stable. [...]
- Emit a warning if/when we are handling a UNIX
- 7.0.1-1 — New upstream release (to Debian experimental).
- 7.0.1-2 — Drop support for using the systemwide hiredis and Lua libraries, reverting to using the built-in cjson module, etc. (#1012658) and add an internal timeout for the cluster tests to prevent a build failure (#1011187).
- 7.0.1-3 — Fix a crash when systemd's /proc/sys/vm/overcommit_memory was inaccessible and a log warning message was incorrectly constructed in memory, resulting in a crash. In addition, add missing CPPFLAGS when building the
- 7.0.1-4 — Upload the 7.x branch to Debian unstable.
- 7.0.2-1 — New upstream release, dropping various local patches that have been incorporated upstream.
- ExecPaths in the systemd configuration in order to support systems that have been /usr-merged (or not). (#1013172)
I also updated the packaging of all of my packages so that they are using the semi-official GitLab CI pipeline definition for building and testing Debian packages.
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
Investigated and triaged php7.0 (CVE-2022-31625 & CVE-2022-31626),
Made some significant changes to the documentation of the new Git workflow for LTS and ELTS packages, including instructions if the imported package already contains a `gbp.conf` [...], fixing the automated build of the page itself [...], referencing external GitLab documentation [...], clarifying that the default branch is now called `main` [...] as well as various punctuation and grammar fixes [...][...][...].
Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
Pushed the following to lts / lts-team.pages.debian.net:
Issued DLA 3046-1 as it was discovered that there was a potential heap buffer overflow in LibreCAD, a popular computer-aided design system. Here, a specially crafted .dxf file could have led to arbitrary code execution.
Issued DLA 3056-1 as it was discovered that there was an issue where attackers could execute arbitrary code because xdg-open would execute a .desktop file on an attacker-controlled FTP server.
Issued DLA 3057-1 as it was discovered that there was an issue in Request Tracker, an extensible ticket/issue tracking system. Sensitive information could have been revealed by way of a timing attack on the authentication system.
You can find out more about the Debian LTS project via the following video: