Here is my monthly update covering what I have been doing in the free software world during March 2021 (previous month):
- Reviewed and merged a number of contributions from Dan Palmer for my django-autologin library, aimed at applications that use the Django web-development framework and wish to include automatic "login" links in emails (etc.). Changes made include allowing callers to override max-age [...], ensuring we always retrieve the same user account [...] and improving the usability of the public API [...].
- Opened a pull request to make the build process for Scrapy (a framework for extracting data from websites) reproducible. [...]
- As part of my role as the assistant Secretary of the Open Source Initiative and as a board director of Software in the Public Interest, I attended their respective monthly meetings and other miscellaneous discussions occurring on the internet, as well as the usual internal discussions, etc. As it happens, my term on the OSI board has been temporarily extended due to the discovery of a vulnerability in OSI's recent election — as a result, the 2021 election will be re-run to ensure complete transparency of process.
Reproducible Builds
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
The project is proud to be a member project of the Software Freedom Conservancy. Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
This month, I:
- Categorised a huge number of packages and issues in the Reproducible Builds "notes" repository.
- In Debian:
  - Kept isdebianreproducibleyet.com up to date. [...]
  - I submitted 4 patches to fix specific reproducibility issues in cdebootstrap, jalview, php8.0 & python-scrapy.
  - Whilst looking into reproducible builds issues, I noticed that the heudiconv package could not be built reproducibly. This was because the call to help2man fails, so the manual page includes a Python traceback instead of the actual manpage. I filed a bug with a patch as Debian bug #984778.
  - I uploaded flask-peewee (0.6.7-3) to Debian to make the build reproducible (#885326) and did the same for pyvows (3.0.0-3) (#977487) too, refreshing the packaging at the same time.
- Drafted, published and publicised our monthly report for February, as well as updated the main Reproducible Builds website and documentation to fix some links in old reports [...].
I also made the following changes to diffoscope, including uploading versions 169, 170 and 171 to Debian:
- New features:
  - If zipinfo(1) shows a difference but we cannot uncover a difference within the underlying .zip or .apk file, add a comment to the output and actually show the binary comparison. (#246)
  - Ensure all our temporary directories have useful names. [...]
  - Ignore --debug and similar arguments when creating a (hopefully-useful) temporary directory suffix. [...]
  - If
- Optimisations:
- Output improvements:
- Logging improvements:
  - Add the target directory when logging which directory we are extracting containers to. [...]
  - Format report size messages when generating HTML reports. [...]
  - Don't emit a "Returning a FooContainer" logging message too, as we already emit an "Instantiating a FooContainer" log message. [...]
  - Reduce "Unable to stat file" warnings to debug messages as these are sometimes by design. [...]
- Misc improvements:
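To illustrate the situation behind the zipinfo(1) change above (and the kind of non-determinism the Reproducible Builds section is about), here is an added example of my own rather than diffoscope's code: two archives whose members have byte-identical contents but different member timestamps, so a member-by-member comparison finds nothing and the comparison has to fall back to the raw bytes. The function names and the sample archive are constructed for this illustration.

```python
# Added example (not diffoscope's own code): archives with identical member
# contents but different timestamps; names and sample data are constructed.
import io
import zipfile

def build_zip(content: bytes, stamp: tuple) -> bytes:
    """Build an in-memory archive with one member dated `stamp` (a 6-tuple)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("hello.txt", date_time=stamp)
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, content)
    return buf.getvalue()

def listing(data: bytes) -> list:
    """The metadata zipinfo(1) prints: name, size and timestamp per member."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(i.filename, i.file_size, i.date_time) for i in zf.infolist()]

def contents(data: bytes) -> dict:
    """Member name -> decompressed bytes, which is what a per-file diff sees."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}

def first_difference(a: bytes, b: bytes):
    """Offset of the first differing byte, or None if the blobs are identical."""
    for off, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return off
    return None if len(a) == len(b) else min(len(a), len(b))

def compare_archives(a: bytes, b: bytes) -> dict:
    """Member-level comparison first; raw-byte fallback when it explains nothing."""
    result = {
        "listing_differs": listing(a) != listing(b),
        "contents_differ": contents(a) != contents(b),
        "comment": None,
        "byte_offset": None,
    }
    if result["listing_differs"] and not result["contents_differ"]:
        result["comment"] = ("archive metadata differs but every member's contents "
                             "are identical; showing the byte-level comparison")
        result["byte_offset"] = first_difference(a, b)  # 12: the DOS date field
    return result

# Constructed sample: the same member, built on two different days.
MARCH_1, MARCH_2 = (2021, 3, 1, 0, 0, 0), (2021, 3, 2, 0, 0, 0)
ONE = build_zip(b"hello, world\n", MARCH_1)
TWO = build_zip(b"hello, world\n", MARCH_2)
```

Building both archives with the same fixed timestamp yields byte-identical output, which is the fix such packages usually need.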
Debian
Uploads
- 6.0.12-1 — New upstream release.
- 6.2.1-1 — New upstream release.
- python-django (3.2~rc1-1) — New upstream beta release.
- flask-peewee (0.6.7-3) (via the Debian Python packaging team) — Upload to refresh packaging and to make the build reproducible. (#885326)
- bfs (2.2-1) — New upstream release.
- pyvows (3.0.0-3) (via the Debian Python packaging team) — Refresh packaging and make the build reproducible. (#977487)
Debian LTS
This month I worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Frontdesk duties, responding to user/developer questions, attending the monthly meeting, reviewing others' packages, participating in internal mailing list discussions, etc.
- Investigated and triaged botan1.10 (CVE-2021-24115), busybox (CVE-2021-28831), courier-authlib (CVE-2021-28374), edk2 (CVE-2021-28210 & CVE-2021-28211), netty (CVE-2021-21295), open-build-service (CVE-2020-8031), openjpeg2 (CVE-2020-27844), python2.7 (CVE-2021-23336), rpm (CVE-2021-20248, [CVE-2021-20249](https://security-tracker.debian.org/tracker/CVE-2021-20249), CVE-2021-20266 & CVE-2021-20271), ruby-activerecord-session-store (CVE-2019-25025), ruby-carrierwave (CVE-2021-21288), salt (CVE-2020-28243, etc.), slic3r (CVE-2020-28591), squid3 (CVE-2020-25097 & CVE-2021-28116), velocity-tools (CVE-2020-13959), velocity (CVE-2020-13936) & yara (CVE-2021-3402).
- Proposed a stable update for python-django in buster. (#983526)
- Prepared and uploaded a stable update for redis in buster. (#983527)
- Issued DLA 2595-1 and ELA 380-1 for velocity, a Java-based template engine for writing web applications. Velocity could be exploited to run arbitrary code by applications that allowed untrusted users to upload/modify templates.
- Issued DLA 2597-1 and ELA 381-1 to address a cross-site scripting (XSS) vulnerability in velocity-tools, a collection of useful tools for the Velocity template engine. The default error page could be exploited to steal session cookies, perform requests in the name of the victim, be used for phishing attacks, and enable many other similar attacks.
- Issued DLA 2600-1 and ELA 384-1 for pygments, as it was discovered that there was a series of denial of service vulnerabilities in this syntax-highlighting library for Python. A number of regular expressions had cubic (or even exponential) worst-case complexity, which could cause a remote denial of service (DoS) when provided with malicious input.
- Issued DLA 2603-1 to address a number of vulnerabilities in libmediainfo, a library for reading metadata such as track names, lengths, etc. from media files.
You can find out more about the Debian LTS via the following video: