Here is my monthly update covering what I have been doing in the free software world during May 2018:
- My activities as the current Debian Project Leader are covered in my monthly "Bits from the DPL" email to the debian-devel-announce mailing list.
- I gave a talk at the Redis London on the advantages of using Debian packages for the Redis key-value database.
- I also presented at the MiniDebConf in Hamburg, Germany where I gave a talk on the diffoscope tool and was part of a talk providing an update on the Reproducible Builds effort.
Coding-wise, I:
- Created a pull request for the Redis key-value database to appease GCC's "fallthrough" statement detection. [...]
- Opened two PRs against rjb Ruby-Java bridge, first to use javac -h over the deprecated javah [...] and to correct a minor typo [...].
- Made the following upstream reproducibility-related contributions:
  - Reworked a patch for Fontconfig to make its output reproducible. [...]
  - Opened a pull request for tweeny to make the build reproducible. [...]
  - Opened a PR against Facebook's zstd library to make the build reproducible. [...]
  - Opened a pull request for the vcr.py HTTP mocking library to make its build reproducible. [...]
- Merged and reviewed the following changes in my Django web-development framework libraries:
  - django-autologin (URL-based authentication module): Handle multiple values for a given query parameter. [...]
  - django-enumfield (type-safe enumerations): Support using the enumfield_context outside of views. [...]
- More hacking on the Lintian static analysis tool for Debian packages, including:
  - New features:
    - Emit an error when a package bumps the epoch but the upstream version did not go "backwards". (#889816)
    - Specifically check for override_dh_build. (#900213)
    - Warn about packages that install files under /usr/include with overly-generic filenames. (#898377)
    - Warn about ancient/old X-Python{,3}-Version fields. (#892304)
    - Add scripts and script to the list of overly-generic Python module names. (#897692)
    - Prevent false-positives with comments and newlines when checking debhelper-compat-file-contains-multiple-levels. (#898799)
    - Also warn about the Python 3.x variants of malformed-python-version and python-version-current-is-deprecated. [...]
    - Warn about possibly-complete automatic debug symbol migrations. (#897608)
    - Add a pedantic warning for packages that do not use debhelper or CDBS. (#884499)
    - Add non-HTTPS gnu.org to the list of sites we warn about for homepage-field-uses-insecure-uri. (#898160)
    - Update the Vcs-* checks for PureOS now that code has moved to a GitLab instance.
  - Bug fixes:
    - Update shared object detection for file(1) as newer versions identify shared objects depending on the executable bit (!). (#896840)
    - Allow /usr/share/doc/$pkg/examples to be a symlink when checking for packages that ship examples. (#897157)
    - Prevent false-positives when checking debug-package-for-multi-arch-same-pkg-not-coinstallable by ignoring Python "debug" packages. (#900122)
    - Don't warn about binary packages depending on toolchain packages via Conflicts/Breaks relations. (#896133)
    - Only warn about (eg.) /usr/include/util.h when checking for overly generic header names. (#899192)
    - Correctly warn about packages that re-use a previous version number. (#889991)
    - Correct a default-mta-dependency-not-listed-first false-positive. (#897166)
    - Apply a patch from Ian Jackson to not flag browse.dgit.debian.org.git as a deprecated VCS. (#898708)
    - Support parsing tar(1) archives with high-resolution timestamps. (#898715)
    - Also permit python-scour to satisfy the requirement for the dh-scour addon. (#898077)
    - Also look in a package's dependencies for files listed in a doc-base control file. (#897244)
    - Fix orphaned-package-not-maintained-in-debian-infrastructure false positives for dgit. (#897915)
    - Pass --full-date and --utc to tar to ensure that we get a consistent output in the presence of spaces in other fields. (#897248 & [...])
    - Disable the duplicate word detection in copyright files due to their extensive use of headings and other structures. (#897402)
    - Drop depends-on-mail-transport-agent-without-alternatives as it only consists of false-positives. (#898136)
  - Misc:
    - Update references from dep.debian.net to dep-team.pages.debian.net. [...]
    - Rename python-generic-modules data file to generic-python-modules. [...]
    - Update references to the Go and pkg-perl team's homepages for the Alioth to Salsa migration. [...] & [...]
    - Include the offending field name in the output of malformed-python-version and python-version-current-is-deprecated tags. [...]
    - Mark dependency-on-python-version-marked-for-end-of-life as "experimental" and downgrade to "pedantic" severity. (#897213)
    - Add "DSFG" and "CBDS" spelling corrections. [...] & [...]
Reproducible builds
Whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed pre-compiled to end users.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by ensuring identical results are generated from a given source. This allows multiple third-parties to come to a consensus on whether a build was compromised.
This month I:
- Fixed an issue in disorderfs (our FUSE-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out issues) to ensure readdir(2) calls return consistent and unique inode numbers. (#898287)
- Presented on our diffoscope "diff-on-steroids" tool, as well as provided an update on the Reproducible Builds effort at the MiniDebConf in Hamburg, Germany.
- Filed reproducibility-related issues upstream for Fontconfig, tweeny, vcr.py and zstd, as well as authored two patches for GNU mtools to fix reproducibility-related toolchain issues. (#900409 & #900410)
- Made extensive changes to our website, including overhauling and updating our growing list of talks.
- Submitted three Debian-specific patches to fix reproducibility issues in telepathy-gabble, vitrage & weston.
- I categorised a large number of packages and issues in the notes repository and worked on publishing our weekly reports. (#157, #158, #159 & #160)
- Provided three improvements to our extensive testing infrastructure:
- I also made the following changes to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues:
- Finally, I updated the diffoscope.org website, including moving it to a Jekyll-based instance [...], adding a progress bar animation [...], updating the list of supported formats [...], etc.
Debian
- Made some team-wide changes to packages under the care of the Debian Python Modules Team (DPMT) including:
- Use HTTPS for Source field in debian/copyright files (eg. [...], [...], [...], etc.)
- Made a large number of PEP8-related changes to Debian-specific scripts including limiting the line-length [...], placing colon-separated compound statement on separate lines [...], adding blank lines after end of function or class [...], fixing spacing after a comment [...], fixing indentation [...], etc.
- Use HTTPS URLs for the Homepage field in debian/control. (eg. [...], [...], [...], etc.)
- Fixed a permissions issue in an Alioth to Salsa repository migration script. [...]
- Contributed specific patches:
- Suggested a handful of PEP8-related changes to the Debian Archive Kit (dak) (eg. [...], [...], [...], etc.)
- Removed build artefacts committed to the repository in the tvb-geodesic packaging. [...]
- Use the <!nocheck> build profile over an explicit comment in the Python packaging of yarl. [...]
- I also filed the following bug reports:
- apt: Inconsistency between apt install ./binary.deb and dpkg -i ./binary.deb if package already up-to-date. (#900142)
- ftp.debian.org: Please move the website.git repository to salsa. (#899109)
- git-buildpackage: Add setting to ~/.gbp.conf to prevent debian/gbp.conf overrides. (#898613)
- plymouth: Repository missing latest upload. (#898511)
- python-aniso8601: Please revert Python 2.x package drop. (#898245)
- lastpass-cli: error: Peer certificate cannot be authenticated with given CA certificates. (#898940)
- Lastly, I submitted 5 patches to fix typos in debian/rules files against catch, grr, imanx, pd-purest-json & tinyos.
Debian LTS
This month I have been paid to work on the Debian Long Term Support (LTS). In that time I did the following:
- Extensive "Frontdesk" duties including triaging CVEs, following-up with other developers, upstream developers.
- Filing and cross-referencing bugs in the Debian BTS (eg. #898856).
- Issued DLA 1379-1 for curl to prevent a heap-based buffer overflow.
- Preparing uploads to the jessie distribution.
- Helping prepare the "end-of-life" of the wheezy distribution.
Uploads
- redis (5:4.0.9-2) — Ignore test failures on problematic architectures to allow migration to testing.
- ruby-rjb (1.5.5-3) — Replace call to the now-deprecated javah binary. (#897664)
- python-django (1:1.11.13-1, 2:2.0.5-1 & 2:2.1~alpha1-1) — New upstream releases.
- gunicorn (19.8.1-1) & redisearch (1.2.0-1) — New upstream releases.
I also performed the following sponsored uploads:
- elpy (1.20.0-1 & 1.21.0-1), imenu-list (0.8-1), playerctl (0.6.0-1) & smart-mode-line (2.11.0-1).
FTP Team
As a Debian FTP assistant I ACCEPTed 75 packages: autodeb, autopep8, braceexpand, calamares-settings-debian, django-ldapdb, flask-assets, flask-cache, flask-oauthlib, hashcheck, hoel, inifile, libgit2, libosmocore, libsmpp34, libterm-readline-ttytter-perl, m2crypto, mbrola-ar1, mbrola-ar2, mbrola-bz1, mbrola-ca1, mbrola-ca2, mbrola-cn1, mbrola-cz1, mbrola-de8, mbrola-es3, mbrola-es4, mbrola-fr2, mbrola-fr3, mbrola-fr5, mbrola-fr6, mbrola-fr7, mbrola-hb1, mbrola-hb2, mbrola-hn1, mbrola-in1, mbrola-in2, mbrola-it1, mbrola-it2, mbrola-jp1, mbrola-jp2, mbrola-jp3, mbrola-ma1, mbrola-nl1, mbrola-nl3, mbrola-nz1, mbrola-tl1, node-normalize.css, node-turbolinks, opencascade, osmo-ggsn, php-cocur-slugify, php-defuse-php-encryption, php-dflydev-fig-cookies, php-embed, php-fabiang-sasl, php-nesbot-carbon, php-react-zmq, postgresql-11, python-aniso8601, python-cmarkgfm, python-sexpdata, python-transliterate, python-typeguard, qtbase-opensource-src, reactphp-cache, reactphp-event-loop, reactphp-promise-timer, reactphp-stream, seafile, spirv-headers, ulfius, vlc, wayland, wesnoth-1.14 & wig.
I additionally filed 4 RC bugs against packages that had incomplete debian/copyright files: flask-cache, seafile, spirv-headers & wayland.