Here is my monthly update covering what I have been doing in the free software world (previous month):
- Fixed two issues in try.diffoscope.org, a web-based version of the diffoscope in-depth and content-aware diff utility:
- Made a number of improvements to travis.debian.net (my hosted service for projects that host their Debian packaging on GitHub to use the Travis CI continuous integration platform to test builds on every code change), including:
- Fixed an issue in django-staticfiles-dotd, my Django staticfiles adaptor to concatenate .d-style directories, where some .d directories were being skipped. This was caused by modifying the contents of a Python list during iteration. (#3)
- Performed some miscellaneous cleanups in django12factor, a Django utility to make projects adhere better to the 12-factor web-application philosophy. (#58)
- Submitted a pull request for Doomsday-Engine, a portable, enhanced source port of Doom, Heretic and Hexen, to make the build reproducible (#16)
- Created a pull request for gdata-python-client (a Python client library for Google APIs) to make the build reproducible. (#56)
- Filed a pull request against vine, a Python promises library, to avoid a non-deterministic default keyword argument appearing in the documentation. (#12)
- Filed an issue for the Redis key-value database addressing build failures on the MIPS architecture. (#3874)
- Submitted a bug report against xdotool — a tool to automate window and keyboard interactions — reporting a crash when searching after binding an action with behave. (#169)
- Reviewed a pull request from Dan Palmer for django-email-from-template, a library to send emails in Django generated entirely from the templating system, which intends to add an option to send mails upon transaction commit.
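The django-staticfiles-dotd fix above (modifying a Python list during iteration) is a classic that is easy to reproduce. The following is an added example and not the project's own code: it reproduces the skip on a constructed directory listing, then shows two ways to write the same loop safely.

```python
# Added example (not the django-staticfiles-dotd code itself): why removing
# entries from a Python list while iterating over it silently skips items,
# reproduced on a constructed directory listing, with the fix beside it.

SAMPLE_ENTRIES = ["css.d", "README", "js.d", "LICENSE", "fonts.d"]  # constructed


def collect_dotd_buggy(entries):
    """Buggy pattern: the list is mutated while its iterator walks it.

    The list iterator keeps an integer index.  remove() shifts every later
    element one slot left, so after a removal the element that moved into
    the current slot is stepped over and never examined.
    """
    found = []
    for entry in entries:
        if entry.endswith(".d"):
            found.append(entry)
        else:
            entries.remove(entry)   # shifts the list under the live iterator
    return found


def collect_dotd_fixed(entries):
    """Fix: iterate over a snapshot (list(entries)) and mutate the original,
    so removals cannot disturb the iteration."""
    found = []
    for entry in list(entries):
        if entry.endswith(".d"):
            found.append(entry)
        else:
            entries.remove(entry)
    return found


def collect_dotd_idiomatic(entries):
    """Usually better still: do not mutate at all; build the result directly."""
    return [entry for entry in entries if entry.endswith(".d")]


if __name__ == "__main__":
    print(collect_dotd_buggy(list(SAMPLE_ENTRIES)))    # ['css.d']: js.d and fonts.d skipped
    print(collect_dotd_fixed(list(SAMPLE_ENTRIES)))    # ['css.d', 'js.d', 'fonts.d']
    print(collect_dotd_idiomatic(SAMPLE_ENTRIES))      # ['css.d', 'js.d', 'fonts.d']
```

Note that the bug only shows when two entries to be removed sit one apart, which is why such loops pass casual testing and fail on real directory contents.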
Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.
The motivation behind the Reproducible Builds effort is to permit verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising that identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
This month I:
- Submitted the following patches to fix reproducibility-related toolchain issues within Debian:
- Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.
- I also submitted 12 patches to fix specific reproducibility issues in archvsync, dask.distributed, doomsday, eric, fritzing, golang-github-go-macaron-toolbox, neutron, node-mocha, ns2, python-gdata, qtltools & vine.
- Worked on publishing our weekly reports. (#96, #97, #98, #99 & #100)
I also made the following changes to our tooling:
diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.
- New features/optimisations:
- Extract squashfs archive in one go rather than per-file, speeding up ISO comparison by ~10x.
- Add support for .docx and .odt files via docx2txt & odt2txt. (#859056).
- Add support for PGP files via pgpdump. (#859034).
- Add support for comparing Pcap files. (#858867).
- Compare GIF images using gifbuild. (#857610).
- Bug fixes:
- Ensure that we really are using ImageMagick and not the GraphicsMagick compatibility layer. (#857940).
- Fix and add test for meaningless 1234-content metadata when introspecting archives. (#858223).
- Fix detection of ISO9660 images processed with isohybrid.
- Skip icc tests if the Debian-specific patch is not present. (#856447).
- Support newer versions of cbfstool to avoid test failures. (#856446).
- Update the progress bar prior to working to ensure filename is in sync.
- Use /usr/share/dpkg/pkg-info.mk over manual calls to dpkg-parsechangelog in debian/rules.
- Ensure tests and the runtime environment can locate binaries in /usr/sbin (eg. tcpdump).
strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.
- Fix a possible endless loop while stripping .ar files due to trusting the file's own file size data. (#857975).
- Add support for testing files we should reject and include the filename when evaluating fixtures.
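The strip-nondeterminism endless-loop fix above is an instance of a general parser hazard: advancing through a container using length fields taken from the container itself. The following is an added example, not strip-nondeterminism's own code (which is written in Perl): a minimal reader for the ar archive layout (8-byte "!<arch>\n" magic, then 60-byte member headers with an ASCII decimal size field, members padded to even length) that first trusts the size field and then validates it. The sample archives, including the one with a negative size field, are constructed for the demonstration.

```python
# Added example, not strip-nondeterminism's code: walking an "ar" archive
# while trusting the per-member size field, and the bounds checks that stop
# a crafted field from making the walk loop forever or read past the end.
import struct

MAGIC = b"!<arch>\n"
HEADER_FMT = "16s12s6s6s8s10s2s"            # name, mtime, uid, gid, mode, size, fmag
HEADER_LEN = struct.calcsize(HEADER_FMT)    # 60 bytes


class MalformedArchive(ValueError):
    """Raised by the checked reader on anything that does not add up."""


def _parse_header(header):
    name, _mtime, _uid, _gid, _mode, size, fmag = struct.unpack(HEADER_FMT, header)
    if fmag != b"`\n":
        raise MalformedArchive("bad member header magic")
    return name.rstrip(b" /"), size


def list_members_trusting(data, max_steps=1000):
    """Walks the archive trusting each member's size field.

    A negative size such as "-60" makes the next offset equal the current
    one, so the walk revisits the same header forever.  max_steps exists only
    so this demonstration returns instead of hanging.
    """
    if not data.startswith(MAGIC):
        raise MalformedArchive("not an ar archive")
    offset, names = len(MAGIC), []
    for _ in range(max_steps):
        if offset + HEADER_LEN > len(data):
            return names                       # ran off the end: assume done
        name, size_field = _parse_header(data[offset:offset + HEADER_LEN])
        size = int(size_field)                 # trusted: may be negative or huge
        names.append(name)
        offset += HEADER_LEN + size + (size % 2)   # members are 2-byte aligned
    raise RuntimeError("no progress after %d steps: would loop forever" % max_steps)


def list_members_checked(data):
    """Same walk, but every step is validated against the real data length."""
    if not data.startswith(MAGIC):
        raise MalformedArchive("not an ar archive")
    offset, names = len(MAGIC), []
    while offset < len(data):
        if offset + HEADER_LEN > len(data):
            raise MalformedArchive("truncated member header at offset %d" % offset)
        name, size_field = _parse_header(data[offset:offset + HEADER_LEN])
        size_text = size_field.strip()
        if not size_text.isdigit():            # rejects "-60", "", "1e9", "12 34"
            raise MalformedArchive("non-numeric size field %r" % size_field)
        size = int(size_text)
        end = offset + HEADER_LEN + size
        if end > len(data):                    # header claims more than exists
            raise MalformedArchive("member %r overruns the archive" % name)
        names.append(name)
        offset = end + (size % 2)              # always >= offset + HEADER_LEN
    return names


def _member(name, payload, size_field=None):
    """Builds one member; size_field overrides the real size for crafted input."""
    size = str(len(payload)).encode() if size_field is None else size_field
    header = struct.pack(HEADER_FMT, name.ljust(16).encode(), b"0".ljust(12),
                         b"0".ljust(6), b"0".ljust(6), b"644".ljust(8),
                         size.ljust(10), b"`\n")
    return header + payload + (b"\n" if len(payload) % 2 else b"")


# Constructed sample archives.
GOOD = MAGIC + _member("debian-binary", b"2.0\n") + _member("data.tar", b"x" * 5)
NEGATIVE_SIZE = MAGIC + _member("pwn", b"", size_field=b"-60")
OVERRUN = MAGIC + _member("big", b"ab", size_field=b"9999")

if __name__ == "__main__":
    print(list_members_checked(GOOD))          # [b'debian-binary', b'data.tar']
    for sample in (NEGATIVE_SIZE, OVERRUN):
        try:
            list_members_checked(sample)
        except MalformedArchive as exc:
            print("rejected:", exc)
```

The checked reader cannot spin: the size is forced non-negative before use, so each iteration moves the offset forward by at least one header length, and the `end > len(data)` test means a member is never "read" from bytes that are not there. The trusting reader, by contrast, silently returns a member it could never have read for the `OVERRUN` sample and loops on the negative one.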
buildinfo.debian.net is my experiment into how to process, store and distribute .buildinfo files after the Debian archive software has processed them.
- Add support for Format: 1.0. (#20).
- Don't parse Format: header as the source package version. (#21).
- Show the reproducible status of packages.
This month I have been paid to work 14.75 hours on Debian Long Term Support (LTS). In that time I did the following:
- "Frontdesk" duties, triaging CVEs, etc.
- Issued DLA 848-1 for the freetype font library fixing a denial of service vulnerability.
- Issued DLA 851-1 for wget preventing a header injection attack.
- Issued DLA 863-1 for the deluge BitTorrent client correcting a cross-site request forgery vulnerability.
- Issued DLA 864-1 for jhead (an EXIF metadata tool) patching an arbitrary code execution vulnerability.
- Issued DLA 865-1 for the suricata intrusion detection system, fixing an IP protocol matching error.
- Issued DLA 871-1 for python3.2 fixing a TLS stripping vulnerability in the smtplib library.
- Issued DLA 873-1 for apt-cacher preventing a HTTP response splitting vulnerability.
- Issued DLA 876-1 for eject to prevent an issue regarding the checking of setuid(2) and setgid(2) return values.
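The smtplib TLS stripping issue mentioned above belongs to a family that is worth seeing end to end: STARTTLS is opportunistic, so an attacker on the path can keep a session in cleartext either by deleting STARTTLS from the EHLO capability list or by answering the STARTTLS command with a failure; a client that does not fail closed on both then sends credentials in the clear. The following is an added example, not the python3.2 smtplib source: a miniature SMTP submission client driven by scripted server replies (all constructed, including the 454 refusal), run once with the lenient behaviour and once with the hardened check.

```python
# Added example, not the smtplib code fixed in the DLA: STARTTLS stripping
# against a miniature SMTP client, and the fail-closed check that defeats it.
import base64


class TLSStripped(Exception):
    """Raised by the hardened client when TLS cannot be negotiated."""


class ScriptedServer:
    """Stand-in for the MTA, or for an attacker sitting in front of it.

    `replies` is a constructed list of what it answers, in order; everything
    the client writes is recorded so the test can see whether credentials
    went over the wire in cleartext.
    """
    def __init__(self, replies):
        self._replies = list(replies)
        self.received = []

    def readline(self):
        return self._replies.pop(0)

    def write(self, line):
        self.received.append(line)


# Constructed server scripts: greeting, EHLO reply, then the STARTTLS reply.
HONEST = [b"220 mx.example ready\r\n",
          b"250-mx.example\r\n250 STARTTLS\r\n",
          b"220 go ahead\r\n"]
REFUSES_STARTTLS = [b"220 mx.example ready\r\n",
                    b"250-mx.example\r\n250 STARTTLS\r\n",
                    b"454 TLS not available due to temporary reason\r\n"]
HIDES_STARTTLS = [b"220 mx.example ready\r\n",
                  b"250 mx.example\r\n"]          # capability deleted in transit


def submit(server, user, password, strict):
    """Run EHLO / STARTTLS / AUTH PLAIN and return whether TLS was negotiated.

    strict=False mirrors the stripping-prone behaviour: a missing capability
    or a failed STARTTLS is simply tolerated and the session continues in
    cleartext.  strict=True fails closed in both cases before AUTH is sent.
    """
    if not server.readline().startswith(b"220"):
        raise ConnectionError("unexpected greeting")
    server.write(b"EHLO client.example\r\n")
    ehlo = server.readline()
    tls = False
    if b"STARTTLS" in ehlo.upper():
        server.write(b"STARTTLS\r\n")
        reply = server.readline()
        if reply.startswith(b"220"):
            tls = True          # a real client wraps the socket in TLS here and re-EHLOs
        elif strict:
            raise TLSStripped(b"server refused STARTTLS: " + reply.strip())
    elif strict:
        raise TLSStripped(b"STARTTLS missing from EHLO reply: " + ehlo.strip())
    # AUTH PLAIN is base64, not encryption: with tls False this is readable on the wire.
    token = base64.b64encode(b"\0" + user + b"\0" + password)
    server.write(b"AUTH PLAIN " + token + b"\r\n")
    return tls


if __name__ == "__main__":
    print(submit(ScriptedServer(HONEST), b"alice", b"s3cret", strict=True))           # True
    leaky = ScriptedServer(REFUSES_STARTTLS)
    print(submit(leaky, b"alice", b"s3cret", strict=False), leaky.received[-1])        # False, AUTH in clear
    try:
        submit(ScriptedServer(REFUSES_STARTTLS), b"alice", b"s3cret", strict=True)
    except TLSStripped as exc:
        print("refused to continue:", exc)
```

The point the hardened branch makes is that the STARTTLS reply code must be treated as a hard error, not as a return value the caller may ignore, and that "TLS required" has to be enforced even when the capability is never offered; checking only one of the two leaves the other stripping technique open.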
- 1:1.10.6-1 — New upstream bugfix release.
- 1:1.11~rc1-1 — New upstream release candidate.
- 3:3.2.8-2 — Avoid conflict between RuntimeDirectory and tmpfiles.d(5) both attempting to create /run/redis with differing permissions. (#856116)
- 3:3.2.8-3 — Revert the creation of a /usr/bin/redis-check-rdb to /usr/bin/redis-server symlink to avoid a dangling symlink if only the redis-tools package is installed. (#858519)
- gunicorn 19.7.0-1 & 19.7.1-1 — New upstream releases.
- adminer 4.3.0-1 — New upstream release.
Finally, I also made the following non-maintainer uploads (NMUs):
- cpio (2.12+dfsg-4) — Add missing autoconf to Build-Depends (#855572)
- pygoocanvas (0.14.1-1.2) — Make the build reproducible (#828222), add docbook-xml to Build-Depends (#628813), re-add demo files (#450577), and update URL in debian/copyright (#693270).
- ucspi-tcp (1:0.88-3.1) — Make the build reproducible (#777020, #847036).
Debian bugs filed
- ca-certificates: Contains untrusted StartCom and WoSign certificates.
- python-kombu: Missing build-depends on python-vine
- devscripts: Please document Github's disparity between "tags" and "releases" re. Git submodules in uscan.
- mkchromecast: Documentation incorrectly refers to "python mkchromecast.py".
- spice-gtk: Spice-controller.h not always built from source.
- xdotool: Crashes when searching after binding with "behave".
- shadow: Please run the testsuite.
- libcanberra: Documentation not always generated from source.
I also filed 13 FTBFS bugs against android-platform-frameworks-base, ariba, calendar-exchange-provider, cylc, git, golang-github-grpc-ecosystem-go-grpc-prometheus, node-dateformat, python-eventlet, python-tz, sogo-connector, spyder-memory-profiler, sushi & tendermint-go-rpc.
As a Debian FTP assistant I ACCEPTed 121 packages: 4pane, adql, android-platform-system-core, android-sdk-helper, braillegraph, deepnano, dh-runit, django-auth-ldap, django-dirtyfields, drf-extensions, gammaray, gcc-7, gnome-keysign, golang-code.gitea-sdk, golang-github-bluebreezecf-opentsdb-goclient, golang-github-bsm-redeo, golang-github-cupcake-rdb, golang-github-denisenkom-go-mssqldb, golang-github-exponent-io-jsonpath, golang-github-facebookgo-ensure, golang-github-facebookgo-freeport, golang-github-facebookgo-grace, golang-github-facebookgo-httpdown, golang-github-facebookgo-stack, golang-github-facebookgo-subset, golang-github-go-openapi-loads, golang-github-go-openapi-runtime, golang-github-go-openapi-strfmt, golang-github-go-openapi-validate, golang-github-golang-geo, golang-github-gorilla-pat, golang-github-gorilla-securecookie, golang-github-issue9-assert, golang-github-issue9-identicon, golang-github-jaytaylor-html2text, golang-github-joho-godotenv, golang-github-juju-errors, golang-github-kisielk-gotool, golang-github-kubernetes-gengo, golang-github-lpabon-godbc, golang-github-lunny-log, golang-github-makenowjust-heredoc, golang-github-mrjones-oauth, golang-github-nbutton23-zxcvbn-go, golang-github-neelance-sourcemap, golang-github-ngaut-deadline, golang-github-ngaut-go-zookeeper, golang-github-ngaut-log, golang-github-ngaut-pools, golang-github-ngaut-sync2, golang-github-optiopay-kafka, golang-github-quobyte-api, golang-github-renstrom-dedent, golang-github-sergi-go-diff, golang-github-siddontang-go, golang-github-smartystreets-go-aws-auth, golang-github-xanzy-go-cloudstack, golang-github-xtaci-kcp, golang-github-yohcop-openid-go, graywolf, haskell-raaz, hfst-ospell, hikaricp, iptraf-ng, kanboard-cli, kcptun, kreport, libbluray, libcatmandu-store-elasticsearch-perl, libcsfml, libnet-prometheus-perl, libosmocore, libpandoc-wrapper-perl, libseqlib, matrix-synapse, mockldap, nfs-ganesha, node-buffer, node-pako, nose-el, nvptx-tools, nx-libs, open-ath9k-htc-firmware, pagein, paleomix, pgsql-ogr-fdw, profanity, pyosmium, python-biotools, python-django-extra-views, python-django-otp, python-django-push-notifications, python-dnslib, python-gmpy, python-gmpy2, python-holidays, python-kanboard, python-line-profiler, python-pgpy, python-pweave, python-raven, python-xapian-haystack, python-xopen, r-cran-v8, repetier-host, ruby-jar-dependencies, ruby-maven-libs, ruby-psych, ruby-retriable, seafile-client, spyder-unittest, stressant, systray-mdstat, telegram-desktop, thawab, tigris, tnseq-transit, typesafe-config, vibe.d, x2goserver & xmlrpc-c.
I additionally filed 14 RC bugs against packages that had incomplete debian/copyright files against: golang-github-cupcake-rdb, golang-github-sergi-go-diff, graywolf, hfst-ospell, libbluray, pgsql-ogr-fdw, python-gmpy, python-gmpy2, python-pgpy, python-xapian-haystack, repetier-host, telegram-desktop, tigris & xmlrpc-c.