Here is my monthly update covering what I have been doing in the free software world (previous month):
- Wrote and released installation-birthday. Installing this package will celebrate the anniversary of installing your system by sending you an email via cron(8).
- Fixed an issue in the Django web development framework where you couldn't run the testsuite against a read-only copy of the source code. This was found by the Debian Continuous Integration service. (#26755)
- Provided a pull request for the "wammu" mobile phone manager to ensure the build is reproducible. (#49)
Reproducible builds
Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.
The motivation behind the Reproducible Builds effort is to permit verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising that identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
(I have generously been awarded a grant from the Core Infrastructure Initiative to fund my work in this area.)
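As an added illustration of the third-party consensus check described above (example code written for this page, not code from the original post or from the Reproducible Builds project): a small Python script that parses the Checksums-Sha256 field of .buildinfo files from several builders and reports, per artifact, whether every builder agrees. The two .buildinfo excerpts, their digests and the builder names are constructed for the example.

```python
from collections import Counter

# Constructed .buildinfo excerpts (not real Debian data). Builder A and B rebuilt
# the same source; the -doc package matches but the amd64 binary differs.
BUILDINFO_A = """\
Source: example
Version: 1.0-1
Checksums-Sha256:
 3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b 1234 example_1.0-1_amd64.deb
 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 5678 example-doc_1.0-1_all.deb
Build-Origin: Debian
"""
# Builder B's report differs only in the digest of example_1.0-1_amd64.deb.
BUILDINFO_B = BUILDINFO_A.replace("3a7bd3e2", "ffffffff")

def parse_checksums(buildinfo: str) -> dict:
    """Return {filename: sha256} from the Checksums-Sha256 field of a .buildinfo."""
    sums, in_field = {}, False
    for line in buildinfo.splitlines():
        if in_field and line.startswith(" "):      # continuation line of the field
            digest, _size, name = line.split()
            sums[name] = digest
        else:                                      # any other field header ends the list
            in_field = line.startswith("Checksums-Sha256:")
    return sums

def consensus(reports: dict) -> dict:
    """Per-artifact comparison of {builder: {file: sha256}}; reproducible only if all agree."""
    result = {}
    names = {n for sums in reports.values() for n in sums}
    for name in sorted(names):
        digests = {b: sums.get(name) for b, sums in reports.items()}
        majority, _ = Counter(d for d in digests.values() if d).most_common(1)[0]
        # A builder that produced a different digest, or no such file at all, dissents.
        dissent = sorted(b for b, d in digests.items() if d != majority)
        result[name] = {"reproducible": not dissent, "majority_sha256": majority,
                        "disagreeing_builders": dissent}
    return result

def check_sample() -> dict:
    """Run the consensus check over three constructed builder reports."""
    return consensus({"builder-a": parse_checksums(BUILDINFO_A),
                      "builder-b": parse_checksums(BUILDINFO_B),
                      "builder-c": parse_checksums(BUILDINFO_A)})

if __name__ == "__main__":
    for name, v in check_sample().items():
        print(name, "OK" if v["reproducible"] else f"MISMATCH from {v['disagreeing_builders']}")
```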
This month I:
- Presented a talk on the Reproducible Builds project at OSCAL 2017 in Tirana, Albania.
- Attended the Reproducible Builds hackathon in Hamburg, Germany. (Report)
- Submitted a highly experimental proof-of-concept implementation of APT that can warn about the installation of packages that are not reproducible. (#863622)
- Sent patches to dak to submit .buildinfo files to buildinfo.debian.net. (#862073 & #862538)
- Followed up on a reproducibility-related issue that could result in corrupt backups. (Thread)
- Conducted a poll to determine a new schedule for IRC meetings. Our next meeting is scheduled for Thursday June 1 at 16:00 UTC.
- Submitted the following patches to fix reproducibility-related toolchain issues within Debian:
  - debhelper: Regression in dh_fixperms causes packages to be unreproducible. (#862003)
  - doxygen: Please make the output of $year reproducible. (#863054)
  - jellyfish: Please make the output reproducible. (#863015)
  - canna: Please make the output of mkbindic reproducible. (#861955)
  - libwibble: Please make the output reproducible. (#861672)
- I also submitted 19 patches to fix specific reproducibility issues in acct, armagetronad, compass-h5bp-plugin, fbreader, golang-github-pkg-profile, ironic, libjgroups-java, manila, mp3fs, ofxstatement-plugins, pd-pdstring, sbt, scilab, sendip, seqan2, taskcoach, tkhtml1, vim-command-t & wammu.
- Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.
- Worked on publishing our weekly reports. (#105 & #106, #107, #108 & #109)
I also made the following changes to our tooling:
diffoscope
diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.
- Don't fail when run under perversely-recursive input files. (#780761)
strip-nondeterminism
strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.
- Move from verbose_print to nonquiet_print so we print when normalising a file. This is so we can start to target the removal of strip-nondeterminism itself.
- Only print log messages by default if the file was actually modified. (#863033)
- Update package long descriptions to clarify that the tool itself is a temporary workaround. (#862029)
Debian
My activities as the current Debian Project Leader are covered in my "Bits from the DPL" email to the debian-devel-announce list.
However, I:
- Represented Debian at the OSCAL 2017 in Tirana, Albania.
- Attended the Reproducible Builds hackathon in Hamburg, Germany. (Report)
- Attended Debian SunCamp 2017 in Lloret de Mar in Catalonia, Spain.
Patches contributed
- xarchiver: Adding files to .tar.xz deletes existing content. (#862593)
- screen-message: Please invert the default colours. (#862056)
- fontconfig: fc-cache returns with exit code 0 on 256 errors. (#863427)
- quadrapassel: Segfaults when unpausing a paused finished game. (#863106)
- camping: Broken symlink. (#861040)
- dns-root-data: Does not build if /bin/sh is Bash. (#862252)
- dh-python: bit.ly link doesn't work anymore. (#863074)
Debian LTS
This month I have been paid to work 18 hours on Debian Long Term Support (LTS). In that time I did the following:
- "Frontdesk" duties, triaging CVEs, adding links to upstream patches, etc.
- Issued DLA 930-1 fixing a remote application crash vulnerability in libxstream-java, a Java library to serialize objects to XML and back again.
- Issued DLA 935-1 correcting a local denial of service vulnerability in lxterminal, the terminal emulator for the LXDE desktop environment.
- Issued DLA 940-1 to remedy an issue in sane-backends which allowed remote attackers to obtain sensitive memory information via a crafted SANE_NET_CONTROL_OPTION packet.
- Issued DLA 943-1 for the deluge bittorrent client to fix a directory traversal attack vulnerability in the web user interface.
- Issued DLA 949-1 fixing an integer signedness error in the miniupnpc UPnP client that could allow remote attackers to cause a denial of service attack.
- Issued DLA 959-1 for the libical calendaring library. A use-after-free vulnerability could allow remote attackers to cause a denial of service and possibly read heap memory via a specially crafted .ICS file.
Uploads
- redis (3:3.2.9-1) — New upstream release.
- python-django:
  - 1:1.11.1-1 — New upstream minor release.
  - 1:1.11.1-2 & 1:1.11.1-3 — Add missing Build-Depends on libgdal-dev due to new GIS tests.
- docbook-to-man:
  - 1:2.0.0-36 — Adopt package. Apply a patch to prevent undefined behaviour caused by a memcpy(3) parameter overlap. (#842635, #858389)
  - 1:2.0.0-37 — Install manpages using debian/docbook-to-man.manpages over manual calls.
- installation-birthday — Initial upload and misc. subsequent fixes.
- bfs:
  - 1.0-3 — Fix FTBFS on hurd-i386. (#861569)
  - 1.0.1-1 — New upstream release & correct debian/watch file.
I also made the following non-maintainer uploads (NMUs):
- ca-certificates (20161130+nmu1) — Remove StartCom and WoSign certificates as they are now untrusted by the major browser vendors. (#858539)
- sane-backends (1.0.25-4.1) — Correct missing error handler in (generated) prerm script. (#862334)
- seqan2 (2.3.1+dfsg-3.1) — Fix broken /usr/bin/splazers symlink on 32-bit architectures. (#863669)
- jackeq (0.5.9-2.1) — Fix a segmentation fault caused by passing a truncated pointer instead of a GtkType. (#863416)
- kluppe (0.6.20-1.1) — Fix segmentation fault at startup. (#863421)
- coyim (0.3.7-2.1) — Skip tests that require internet access to avoid FTBFS. (#863414)
- pavuk (0.9.35-6.1) — Fix segmentation fault when opening "Limitations" window. (#863492)
- porg (2:0.10-1.1) — Fix broken LD_PRELOAD path. (#863495)
- timemachine (0.3.3-2.1) — Fix two segmentation faults caused by truncated pointers. (#863420)
Debian bugs filed
- acct: Docs incorrectly installed to "accounting.html" directory. (#862180)
- git-hub: Does not work with 2FA-enabled accounts. (#863265)
- libwibble: Homepage and Vcs-Darcs fields are outdated. (#861673)
I additionally filed 2 bugs for packages that access the internet during build against flower and r-bioc-gviz.
I also filed 6 FTBFS bugs against cronutils, isoquery, libgnupg-interface-perl, maven-plugin-tools, node-dateformat, password-store & simple-tpm-pk11.
FTP Team
As a Debian FTP assistant I ACCEPTed 105 packages: boinc-app-eah-brp, debug-me, e-mem, etcd, fdroidcl, firejail, gcc-6-cross-ports, gcc-7-cross-ports, gcc-defaults, gl2ps, gnome-software, gnupg2, golang-github-dlclark-regexp2, golang-github-dop251-goja, golang-github-nebulouslabs-fastrand, golang-github-pkg-profile, haskell-call-stack, haskell-foundation, haskell-nanospec, haskell-parallel-tree-search, haskell-posix-pty, haskell-protobuf, htmlmin, iannix, libarchive-cpio-perl, libexternalsortinginjava-java, libgetdata, libpll, libtgvoip, mariadb-10.3, maven-resolver, mysql-transitional, network-manager, node-async-each, node-aws-sign2, node-bcrypt-pbkdf, node-browserify-rsa, node-builtin-status-codes, node-caseless, node-chokidar, node-concat-with-sourcemaps, node-console-control-strings, node-create-ecdh, node-create-hash, node-create-hmac, node-cryptiles, node-dot, node-ecc-jsbn, node-elliptic, node-evp-bytestokey, node-extsprintf, node-getpass, node-gulp-coffee, node-har-schema, node-har-validator, node-hawk, node-jsprim, node-memory-fs, node-pbkdf2, node-performance-now, node-set-immediate-shim, node-sinon-chai, node-source-list-map, node-stream-array, node-string-decoder, node-stringstream, node-verror, node-vinyl-sourcemaps-apply, node-vm-browserify, node-webpack-sources, node-wide-align, odil, onionshare, opensvc, otb, perl, petsc4py, pglogical, postgresql-10, psortb, purl, pymodbus, pymssql, python-decouple, python-django-rules, python-glob2, python-ncclient, python-parse-type, python-prctl, python-sparse, quoin-clojure, quorum, r-bioc-genomeinfodbdata, radlib, reprounzip, rustc, sbt-test-interface, slepc4py, slick-greeter, sparse, te923con, trabucco, traildb, typescript-types & writegood-mode.
I additionally filed 6 RC bugs against packages with incomplete debian/copyright files: libgetdata, odil, opensvc, python-ncclient, radlib and reprounzip.