May 31st 2018

Free software activities in May 2018

Here is my monthly update covering what I have been doing in the free software world during May 2018 (previous month):

Coding-wise, I:

Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by ensuring identical results are generated from a given source. This allows multiple third-parties to come to a consensus on whether a build was compromised.

This month I:

  • Fixed an issue in disorderfs (our FUSE-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out issues) to ensure readdir(2) calls return consistent and unique inode numbers. (#898287)
  • Presented on our diffoscope "diff-on-steroids" tool, as well as provided an update on the Reproducible Builds effort at the MiniDebConf in Hamburg, Germany.
  • Filed reproducibility-related issues upstream for Fontconfig, tweeny, and zstd, as well as authored two patches for GNU mtools to fix reproducibility-related toolchain issues. (#900409 & #900410)
  • Made extensive changes to our website, including overhauling and updating our growing list of talks.
  • Submitted three Debian-specific patches to fix reproducibility issues in telepathy-gabble, vitrage & weston.
  • I categorised a large number of packages and issues in the notes repository and worked on publishing our weekly reports. (#157, #158, #159 & #160)
  • Provided three improvements to our extensive testing infrastructure:
    • Correct the "notes" link URL. [...]
    • Move the package name to the beginning of the "status change" subject lines. [...]
    • Add an X-Reproducible-Builds-Source header to "status change" emails. [...]
  • I also made the following changes to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues:
    • Clarified the No file format specific differences found inside, yet data differs message. [...]
    • Don't append rather useless "(data)" suffix in the output. [...]
    • Made a number of PEP8-related fixups. (eg. [...], [...], [...], etc.)
  • Finally, I updated the website, including moving it to a Jekyll-based instance [...], adding a progress bar animation [...], updating the list of supported formats [...], etc.


  • Made some team-wide changes to packages under the care of the Debian Python Modules Team (DPMT) including:
    • Use HTTPS for Source field in debian/copyright files (eg. [...], [...], [...], etc.)
    • Made a large number of PEP8-related changes to Debian-specific scripts including limiting the line length [...], placing colon-separated compound statements on separate lines [...], adding blank lines after the end of a function or class [...], fixing spacing after a comment [...], fixing indentation [...], etc.
    • Use HTTPS URLs for the Homepage field in debian/control. (eg. [...], [...], [...], etc.)
  • Fixed a permissions issue in an Alioth to Salsa repository migration script. [...]
  • Contributed specific patches:
    • cryptsetup: Make the failsleep parameter configurable. (#898495)
    • debhelper: Clarify the order of packages returned from dh_listpackages. (#897949)
    • mssh: Correct "develop" grammar in manual page. (#899368)
    • norwegian: Duplicate dh_build/dh_auto_build in debian/rules. (#900290)
  • Suggested a handful of PEP8-related changes to the Debian Archive Kit (dak) (eg. [...], [...], [...], etc.)
  • Removed build artefacts committed to the repository in the tvb-geodesic packaging. [...]
  • Use the <!nocheck> build profile over an explicit comment in the Python packaging of yarl. [...]
  • I also filed the following bug reports:
    • apt: Inconsistency between apt install ./binary.deb and dpkg -i ./binary.deb if package already up-to-date. (#900142)
    • Please move the website.git repository to salsa. (#899109)
    • git-buildpackage: Add setting to ~/.gbp.conf to prevent debian/gbp.conf overrides. (#898613)
    • plymouth: Repository missing latest upload. (#898511)
    • python-aniso8601: Please revert Python 2.x package drop. (#898245)
    • lastpass-cli: error: Peer certificate cannot be authenticated with given CA certificates. (#898940)
  • Lastly, I submitted 5 patches to fix typos in debian/rules files against catch, grr, imanx, pd-purest-json & tinyos.

Debian LTS

This month I have been paid to work on the Debian Long Term Support (LTS) project. In that time I did the following:

  • Extensive "Frontdesk" duties including triaging CVEs, following-up with other developers, upstream developers.
  • Filing and cross-referencing bugs in the Debian BTS (eg. #898856).
  • Issued DLA 1379-1 for curl to prevent a heap-based buffer overflow.
  • Preparing uploads to the jessie distribution.
  • Helping prepare the "end-of-life" of the wheezy distribution.


  • redis (5:4.0.9-2) — Ignore test failures on problematic architectures to allow migration to testing.
  • ruby-rjb (1.5.5-3) — Replace call to the now-deprecated javah binary. (#897664)
  • python-django (1:1.11.13-1, 2:2.0.5-1 & 2:2.1~alpha1-1) — New upstream releases.
  • gunicorn (19.8.1-1) & redisearch (1.2.0-1) — New upstream releases.

I also performed the following sponsored uploads:
