Here is my monthly update covering what I have been doing in the free software world during March 2019 (previous month):

  • My activities as the current Debian Project Leader are covered in my Bits from the DPL (March 2019) email to the debian-devel-announce mailing list. Attentive followers of the on-going Debian Project Leader Elections will have noted that I am not running for a consecutive third term, so this was therefore my last such update, at least for the time being…

  • Presented at the Free Software Foundation's 2019 edition of LibrePlanet at Massachusetts Institute of Technology, Cambridge, MA on Redis Labs and the tragedy of the Commons Clause. It was great catching up with a large number of free software friends and colleagues. A splendid event as usual but a special congratulations here to Deb Nicholson for winning the FSF's award for the Advancement of Free Software.

  • As part of my duties of being on the board of directors of the Open Source Initiative I attended our monthly board meeting, participated in various licensing discussions occurring on the internet and formally approved the results of the recent OSI Board Member Election results which, as it happens, means that the Board is now predominantly female.

  • Updated my pull request for the shadow UNIX password system to make the build reproducible in order to support the case where secure_getenv(3) is not provided by the system C library. [...]

  • Opened pull requests for the Toil workflow engine [...] and the Vue.js URL router [...] to make their respective builds reproducible.

  • Attended a Debian Bug Squashing Party in Cambridge, United Kingdom. Thanks to Steve McIntyre for arranging and hosting the event.

  • For the Tails privacy-oriented operating system I reviewed and tested a number of feature branches (eg. #16452 & #16559) as well as contributed to a number of discussions on IRC, the mailing lists and on the issue tracker itself (eg. #16552).

  • Updated my django-agpl library — which makes it easier for Django web applications to satisfy the conditions of the GNU Affero General Public License — to set the correct mimetype for .zip files. [...]

  • Fastmail recently updated their user interface which had broken my Fastmail Enhancement Suite Chrome browser extension, requiring some attention. [...]

  • More hacking on the Lintian static analysis tool for Debian packages:

    • Check for placeholder "<project>" strings in debian/watch files as it can result in uscan(1) generating a file with shell metacharacters. (#923589)
    • Support dh-sequence-{gir,gnome,python3} virtual packages as satisfying various build-dependencies. (#924082)
    • Fix false-positives for the version-substvar-for-external-package tag when the Provides field contains multiple items or leading whitespace. (#833608)
    • Correct false-positives when checking for dh-runit packages that lack a Breaks substitution variable. (#924116)
    • Don't detect non-maintainer upload versions when checking for maintainer scripts that support "ancient" package versions. (#924501)
    • Add itialize to the list of spelling-error-in-binary exceptions. (#923725)
    • Update a large number of tag long descriptions. [...][...][...]


Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising that identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

The initiative is proud to be a member project of the Software Freedom Conservancy, a not-for-profit 501(c)(3) charity focused on ethical technology and user freedom. Conservancy acts as a corporate umbrella, allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.

This month, I:

I also made the following changes to our tooling:

diffoscope

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.

  • Always warn if the tlsh module is not available (not just if a specific fuzziness threshold is specified) to match the epilog of the --help output. This prevents missing support for file rename detection. (#29)
  • Provide explicit help when the libarchive system package is missing / incomplete. (#50)
  • Fix a number of tests when using Ghostscript 9.20 vs 9.26 for Debian stable vs. the same distribution with the security/point release applied. [...]
  • Improved the displayed comment whenever resorting to a binary diff to mention the file's type. (#49)
  • Make --use-dbgsym a ternary operator to make it easier to totally disable. (re. #2)
  • Explicitly mention when the guestfs module is missing at runtime and we are thus falling back to a binary diff. (#45)
  • Tidied the definition of the "no file-specific differences were detected" message suffix. [...]
  • Corrected a "recurse" typo [...] and uploaded version 113 to Debian unstable.

strip-nondeterminism

strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.


Debian

Patches contributed

  • pymongo: Please update the Homepage field. (#924078)

  • wondershaper: Suggest using $IFACE in an /etc/network/interfaces reference. (#924011)

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

  • Investigated and triaged cron, python2.7, python3.4, systemd, openssl (CVE-2019-1543), etc.

  • Frontdesk duties, responding to user/developer questions, reviewing others' packages, etc., particularly around the removal of the wheezy and jessie suites.

  • Issued DLA 1719-1 — it was discovered that there was a denial of service vulnerability in the libjpeg-turbo JPEG image library. A heap-based buffer over-read could be triggered by a specially-crafted bitmap file.

  • Uploaded ruby-i18n 0.7.0-2+deb9u1 to stretch-security to prevent a remote denial-of-service vulnerability via an application crash. (#913093)

  • Updated the website to add some missing announcement texts.

Uploads

Finally, I also made the following non-maintainer uploads (NMUs) to fix release-critical (RC) bugs for the upcoming Debian buster release:

FTP Team

As a Debian FTP assistant I ACCEPTed 14 packages: gcc-9, gcc-9-cross, gcc-9-cross-ports, gnome-shell-extension-bluetooth-quick-connect, golang-github-facebookgo-structtag, golang-github-rs-zerolog, golang-gopkg-stretchr-testify.v1, httpdirfs-fuse, maint-guide, nvidia-graphics-drivers, piuparts, pyglet, qtbase-opensource-src & qtdeclarative-opensource-src.