Here is my monthly update covering what I have been doing in the free software world during May 2019 (previous month):
- As part of my duties of being on the board of directors of the Open Source Initiative I attended our biannual face-to-face board meeting in New York, attending the OSI's local event organised by Open Source NYC in order to support my colleagues who were giving talks, as well as participating in various licensing discussions, advocacy activities etc. throughout the rest of the month over the internet.
- For the Tails privacy-oriented operating system, I attended an online "remote sprint" where we worked collaboratively on issues, features and adjacent concerns regarding the move to Debian buster. I particularly worked on a regression in Fontconfig to ensure the cache filenames remain deterministic [...] as well as reviewed/tested release candidates and others' patches.
- Gave a few informal talks to Microsoft employees on Reproducible Builds in Seattle, Washington.
- Opened a pull request against the django-markdown2 utility to correct the template tag name in a documentation example. [...]
-
Hacking on the Lintian static analysis tool for Debian packages:
- Correct more false-positives for `missing-systemd-timer-for-cron-script` due to an incorrect regular expression. (#927970)
- Adjust `package-contains-python-header-in-incorrect-directory` as Python 3.8+ changes the directory format. (#928617)
- Correct equality operator preventing the correct parsing of `--onlyrun` which was breaking the continuous integration tests. (#929430)
- Add references to Debian Policy §4.9.2 and §5.6.31 for checks regarding Rules-Requires-Root. (#929428)
- Remove unnecessary commas from long descriptions and improve the grammar in the description of `testsuite-autopkgtest-missing`. [...]

I also filed a request to unblock the latest version of Lintian for Debian buster via #929676.
Reproducible builds
Whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed pre-compiled to end users.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
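As an added illustration of that promise (example code written for this page, not from the post or the Reproducible Builds project): a naive build that stamps its wall-clock time into the archive beside one that honours SOURCE_DATE_EPOCH, followed by the consensus check that several independent builders can run over their artifact digests. The source tree, builder names and epoch value are constructed for the demo.

```python
import gzip
import hashlib
import io
import tarfile
from collections import Counter

# Constructed source tree for the demo (path -> bytes); not a real package.
SOURCE_TREE = {
    "pkg/main.c": b"int main(void) { return 0; }\n",
    "pkg/README": b"demo package\n",
}


def build_tarball(source, now, source_date_epoch=None):
    """Pack `source` into a .tar.gz and return its bytes.

    `now` stands in for the builder's wall clock.  Without SOURCE_DATE_EPOCH
    the build is naive: files are added in whatever order the tree was walked
    and every mtime (tar entries and the gzip header) is the current time, so
    two builders produce different bytes.  With it, names are sorted and all
    timestamps are clamped to the epoch, which makes the output reproducible."""
    reproducible = source_date_epoch is not None
    stamp = source_date_epoch if reproducible else now
    names = sorted(source) if reproducible else list(source)
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=stamp) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for name in names:
                data = source[name]
                info = tarfile.TarInfo(name)
                info.size = len(data)
                info.mtime = stamp
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def consensus(results):
    """results: builder name -> hex digest of the artifact it produced.
    Returns (reproducible, majority_digest, dissenting_builders).  The build is
    only trusted when every independent builder agrees; a dissenter indicates
    either non-determinism or a compromised build environment to investigate."""
    counts = Counter(results.values())
    majority, _ = counts.most_common(1)[0]
    dissenters = sorted(b for b, d in results.items() if d != majority)
    return (len(counts) == 1, majority, dissenters)
```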
The initiative is proud to be a member project of the Software Freedom Conservancy, a not-for-profit 501(c)(3) charity focused on ethical technology and user freedom.
Conservancy acts as a corporate umbrella, allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
This month, I:
- Gave a number of informal talks to Microsoft employees on Reproducible Builds in Seattle, Washington.
- Drafted, published and publicised our monthly report.
- Authored and submitted 5 patches to fix reproducibility issues in fonts-ipaexfont, ghmm, liblopsub, ndpi & xorg-gtest.
- I spent some time on our website this month, adding various fixes for larger/smaller screens [...], added a logo suitable for printing physical pin badges [...]. I also refreshed the text on our `SOURCE_DATE_EPOCH` page.
- Categorised a huge number of packages and issues in the Reproducible Builds "notes" repository, kept isdebianreproducibleyet.com up to date [...] and posted some branded merchandise to other core team members.
I also made the following changes to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues:
- Support the latest PyPI package repository upload requirements by using real reStructuredText comments instead of the `raw` directive [...] and by stripping out manpage-only parts of the `README` rather than using the `only` directive [...].
- Fix execution of symbolic links that point to the `bin/diffoscope` entry point in a checked-out version of our Git repository by fully resolving the location as part of dynamically calculating Python's module include path. [...]
- Add a Dockerfile [...] with various subsequent fixups [...][...][...].
- Published the resulting Docker image in the diffoscope container registry and updated the diffoscope homepage to provide "quick start" instructions on how to use diffoscope via this image.
Finally, I made a large number of changes to my web-based ("no installation required") version of the diffoscope tool, try.diffoscope.org:
- Ported the entire site to Python 3 and Django 2.x as Python 2.x is due for deprecation. This required updates to a huge number of parts around the site including but not limited to completely reconfiguring and integrating the Celery queue processor, all the string formatting, etc.
- Moved to using the published/public Docker image to execute builds instead of rolling our own container.
- Updated and upgraded the underlying operating system to the Debian stable distribution.
- Moved the canonical Git repository from Github to the Reproducible Builds group on salsa.debian.org, requiring moving to Gitlab's own continuous integration (CI) support from Travis CI, working around the aggressive firewall (exclusively outgoing ports 80/443) applied to the Salsa-based CI runners.
- Avoid having to update the Let's Encrypt-provided SSL certificate manually every 90 days by moving to using Certbot in `--auto` mode.
Debian
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged CVE-2019-12217, CVE-2019-12219, CVE-2019-12220, CVE-2019-12221 and CVE-2019-12222 in `libsdl1.2`/`libsdl2`, `simplesamlphp`, `freeimage` & `firefox-esr` for jessie LTS, and `capstone` (CVE-2016-7151), `sysdig` (CVE-2019-8339), `enigmail` (CVE-2019-12269), `firefox-esr` (CVE-2019-1169) & `sdl-image1.2` (CVE-2019-12218) for wheezy LTS.
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, etc.
- Issued DLA 1793-1 for the `dhcpcd5` network management protocol client to fix a read overflow vulnerability.
- Issued DLA 1805-1 to fix a use-after-free vulnerability in `minissdpd`, a network device discovery daemon where a remote attacker could abuse this to crash the process.
- Issued ELA-119-1 and DLA 1801-1 for `zookeeper` (a distributed co-ordination server) where users who were not authorised to read any data were still able to view the access control list.
- For `minissdpd`, I filed an appropriate tracking bug for its outstanding CVE (#929297) and then fixed it in the current Debian stable distribution, proposing its inclusion in the next point release via #929613.
Uploads
- `redis` (5:5.0.5-1) — New upstream release.
- `python-django` (2:2.2.1-1) — New upstream release.
- `bfs` (1.4.1-1) — New upstream release.
I also made the following non-maintainer uploads (NMUs) to fix release-critical bugs in Debian buster:
- `coturn` (4.5.1.1-1.1) — Don't ship the (empty) `/var/lib/turn/turndb` SQLite database and generate it on-demand in the post-installation script to avoid overwriting it on upgrade/reinstall. (#929269)
- `libzorpll` (7.0.1.0~alpha1-1.1) — Apply a patch from Andreas Beckmann to add suitable `Breaks` for smoother upgrades from stretch. (#928883)
- `mutt` (1.10.1-2.1) — Prevent undefined behaviour when parsing invalid `Content-Disposition` mail headers. (#929017)
FTP Team
As a Debian FTP assistant I ACCEPTed 16 packages: cc-tool, gdal, golang-github-joyent-gosign, golang-github-mgutz-str, golang-github-mgutz-to, golang-github-ovh-go-ovh, golang-github-src-d-gcfg, golang-golang-x-xerrors, golang-gopkg-ldap.v3, libgit2, nodejs, opensbi, openzwave, rustc, u-boot & websocketd.