Here is my monthly update covering what I have been doing in the free software world during March 2021 (previous month):
- Reviewed and merged a number of contributions from Dan Palmer for my django-autologin library, which is aimed at applications using the Django web-development framework that wish to include automatic "login" links in emails (etc.). Changes made include allowing callers to override max-age [...], ensuring we always retrieve the same user account [...] and improving the usability of the public API [...].
- As part of my role as assistant Secretary of the Open Source Initiative and a board director of Software in the Public Interest, I attended their respective monthly meetings and other miscellaneous discussions occurring on the internet, as well as the usual internal discussions, etc. As it happens, my term on the OSI board has been temporarily extended due to the discovery of a vulnerability in OSI's recent election; as a result, the 2021 election will be re-run to ensure complete transparency of process.
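To make concrete what an automatic "login" link of the kind django-autologin produces carries, and what "override max-age" and "always retrieve the same user account" mean in practice, here is an added example written for this page. It is not django-autologin's own code and uses only the Python standard library rather than Django; the secret key, the one-hour default, the user table and the login URL are constructed assumptions.

```python
"""Signed, expiring auto-login tokens: an illustrative example.

Added example, not django-autologin's implementation. A login link
carries an HMAC-signed payload binding a user id to its issue time; the
verifier rejects tampered or expired tokens and lets the caller override
the maximum age.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed values for the example; a real application would use its
# configured secret key and its own user store.
SECRET_KEY = b"example-secret-key-do-not-use-in-production"
DEFAULT_MAX_AGE = 60 * 60  # one hour (an assumed default, not the library's)
USERS = {42: "alice@example.org", 7: "bob@example.org"}
LOGIN_URL = "https://example.org/autologin/"  # assumed path handled by the app


class BadToken(Exception):
    """Malformed, tampered, expired or unknown-user token."""


def _b64encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_login_token(user_id, secret=SECRET_KEY, now=None):
    """Bind user_id to its issue time and sign both with HMAC-SHA256."""
    issued_at = int(time.time() if now is None else now)
    payload = json.dumps({"uid": user_id, "iat": issued_at},
                         separators=(",", ":"), sort_keys=True).encode()
    body = _b64encode(payload)
    signature = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64encode(signature)


def verify_login_token(token, max_age=DEFAULT_MAX_AGE, secret=SECRET_KEY, now=None):
    """Return the user id carried by a valid token, or raise BadToken.

    The signature is checked (in constant time) before the payload is
    parsed, so untrusted bytes are only interpreted once they are known
    to have been issued by us. max_age=None disables the age check.
    """
    try:
        body, signature = token.split(".", 1)
        expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
        got = _b64decode(signature)
    except (ValueError, binascii.Error):
        raise BadToken("malformed token")
    if not hmac.compare_digest(expected, got):
        raise BadToken("bad signature")
    try:
        payload = json.loads(_b64decode(body))
        user_id, issued_at = payload["uid"], int(payload["iat"])
    except (ValueError, KeyError, TypeError, binascii.Error):
        raise BadToken("malformed payload")
    current = time.time() if now is None else now
    if max_age is not None and current - issued_at > max_age:
        raise BadToken("token expired")
    return user_id


def is_valid_login_token(token, **kwargs):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        verify_login_token(token, **kwargs)
        return True
    except BadToken:
        return False


def user_for_login_link(token, **kwargs):
    """Resolve the account a link was issued for.

    The id sits inside the signed payload, so a given link always resolves
    to the same account and cannot be pointed at another one.
    """
    user_id = verify_login_token(token, **kwargs)
    try:
        return USERS[user_id]
    except KeyError:
        raise BadToken("unknown user")


def login_link(user_id, now=None):
    """The URL to put in an email (assumed URL layout)."""
    return LOGIN_URL + make_login_token(user_id, now=now) + "/"


if __name__ == "__main__":
    link = login_link(42)
    token = link[len(LOGIN_URL):].rstrip("/")
    print(link)
    print("resolves to", user_for_login_link(token))
    print("valid two hours later?", is_valid_login_token(token, now=time.time() + 7200))
    print("valid two hours later with max_age raised?",
          is_valid_login_token(token, max_age=3 * 3600, now=time.time() + 7200))
```

Two design points worth noting: the signature is verified before any of the payload is decoded, and `max_age` is a parameter of the verifier rather than baked into the token, which is what lets a caller override it per call (for example a longer window for a password-reset style link than for a routine notification).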
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
The project is proud to be a member project of the Software Freedom Conservancy. Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
This month, I:
- Categorised a huge number of packages and issues in the Reproducible Builds "notes" repository.
- Whilst looking into reproducible builds issues, I noticed that the heudiconv package could not be built reproducibly. This was because the call to help2man fails, so the manual page includes a Python traceback instead of the actual manpage. I filed a bug with a patch as Debian bug #984778.
- Drafted, published and publicised our monthly report for February as well as updated the main Reproducible Builds website and documentation to fix some links in old reports [...].
I also made the following changes to diffoscope, including uploading version 171 to Debian:
- If zipinfo(1) shows a difference but we cannot uncover a difference within the underlying .apk file, add a comment to the output and actually show the binary comparison. (#246)
- Ensure all our temporary directories have useful names. [...]
- Ignore --debug and similar arguments when creating a (hopefully-useful) temporary directory suffix. [...]
- Add the target directory when logging which directory we are extracting containers to. [...]
- Format report size messages when generating HTML reports. [...]
- Don't emit a "Returning a FooContainer" logging message too, as we already emit an "Instantiating a FooContainer" log message. [...]
- Reduce "Unable to stat file" warnings to debug messages as these are sometimes by design. [...]
- 6.0.12-1 — New upstream release.
- 6.2.1-1 — New upstream release.
- 2.2-1 — New upstream release.
This month I worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Frontdesk duties, responding to user/developer questions, attending the monthly meeting, reviewing others' packages, participating in internal mailing list discussions, etc.
- Investigated and triaged edk2 (CVE-2021-28210 & CVE-2021-28211), [...] ([CVE-2021-20249](https://security-tracker.debian.org/tracker/CVE-2021-20249), CVE-2021-20266 & CVE-2021-20271), squid3 (CVE-2020-25097 & CVE-2021-28116), [...]
- Proposed a stable update for python-django in buster. (#983526)
- Prepared and uploaded a stable update for redis in buster. (#983527)
- Issued DLA 2595-1 and ELA 380-1 for velocity, a Java-based template engine for writing web applications. Velocity could be exploited to run arbitrary code by applications that allowed untrusted users to upload/modify templates.
- Issued DLA 2597-1 and ELA 381-1 to address a cross-site scripting (XSS) vulnerability in velocity-tools, a collection of useful tools for the Velocity template engine. The default error page could be exploited to steal session cookies, perform requests in the name of the victim, be used for phishing attacks, and enable many other similar attacks.
- Issued DLA 2600-1 and ELA 384-1 for pygments, as it was discovered that there was a series of denial of service vulnerabilities in this syntax highlighting library for Python. A number of regular expressions had cubic (or even exponential) worst-case complexity, which could cause a remote denial of service (DoS) when provided with malicious input.
- Issued DLA 2603-1 to address a number of vulnerabilities in libmediainfo, a library for reading metadata such as track names, lengths, etc. from media files.
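The pygments advisory above concerns regular expressions whose worst case is polynomial or exponential in the length of the input. The following is an added example written for this page (it is not pygments' code and does not reproduce the patterns fixed by the advisory): a pattern with nested quantifiers that backtracks exponentially on crafted input, an equivalent pattern that does not, and a crude timing check that tells them apart. The sample inputs are constructed, and the check only probes inputs of the form `a...a!`, so it is a smoke test for this shape of pattern rather than a general ReDoS scanner.

```python
"""Catastrophic regex backtracking and how to spot it: an illustrative example.

Added example, not pygments' code nor the patterns from the advisory.
"""
import re
import time

# Nested quantifiers over the same characters: on a non-matching input
# such as "aaaa...a!" the engine tries every way of dividing the run of
# a's between the inner and outer repetition before giving up, roughly
# 2**n attempts for n a's. Python's re module does not memoise, so this
# really is exponential.
VULNERABLE = re.compile(r"^(a+)+$")

# Accepts exactly the same strings, but a single quantifier leaves only
# one way to consume the a's, so failure is found after one pass.
SAFE = re.compile(r"^a+$")

# Constructed inputs, including crafted non-matching ones.
SAMPLES = ["", "a", "aaaa", "aaab", "b", "aaaaaaaa!", "a" * 40]


def min_match_time(pattern, text, repeat=50, runs=3):
    """Best-of-`runs` wall-clock seconds for `repeat` calls of pattern.match(text).

    Repeating the call keeps the measurement well above timer resolution
    for fast patterns; taking the minimum discounts scheduling noise.
    """
    best = float("inf")
    for _ in range(runs):
        start = time.perf_counter()
        for _ in range(repeat):
            pattern.match(text)
        best = min(best, time.perf_counter() - start)
    return best


def slowdown_factor(pattern, small=10, large=15, suffix="!"):
    """How much slower the pattern gets on a crafted non-matching input when the
    run of a's grows from `small` to `large`.

    A linear pattern slows by about large/small (1.5 here); an exponential
    one by about 2**(large-small) (32 here).
    """
    t_small = min_match_time(pattern, "a" * small + suffix)
    t_large = min_match_time(pattern, "a" * large + suffix)
    return t_large / max(t_small, 1e-9)


def looks_superlinear(pattern, threshold=8.0):
    """Timing-based smoke test for a pattern's worst case on crafted input."""
    return slowdown_factor(pattern) > threshold


def same_verdicts(p1, p2, samples=SAMPLES):
    """True when both patterns accept and reject the same samples, i.e. the
    rewrite changed performance but not the language matched."""
    return all((p1.match(s) is None) == (p2.match(s) is None) for s in samples)


if __name__ == "__main__":
    for name, pat in (("vulnerable", VULNERABLE), ("safe", SAFE)):
        print(f"{name}: slowdown x{slowdown_factor(pat):.1f}, "
              f"superlinear={looks_superlinear(pat)}")
    print("rewrite equivalent on samples:", same_verdicts(VULNERABLE, SAFE))
```

The fix for this class of bug is to rewrite the pattern so that there is only one way to consume each input character, as `SAFE` does, and to confirm with a sample set that the rewrite still accepts and rejects the same strings. Capping the length of untrusted input helps against polynomial blow-ups but not against exponential ones, where a few dozen characters are already enough to stall the process.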