Here is my monthly update covering what I have been doing in the free software world during May 2019 (previous month):
As part of my duties of being on the board of directors of the Open Source Initiative, I attended our biannual face-to-face board meeting in New York and the OSI's local event organised by Open Source NYC in order to support my colleagues who were giving talks, as well as participating in various licensing discussions, advocacy activities, etc. throughout the rest of the month over the internet.
For the Tails privacy-oriented operating system, I attended an online "remote sprint" where we worked collaboratively on issues, features and adjacent concerns regarding the move to Debian buster. I particularly worked on a regression in Fontconfig to ensure the cache filenames remain deterministic [...] as well as reviewed/tested release candidates and others' patches.
Gave a few informal talks to Microsoft employees on Reproducible Builds in Seattle, Washington.
Hacking on the Lintian static analysis tool for Debian packages:
- Correct more false-positives for:
  - missing-systemd-timer-for-cron-script due to an incorrect regular expression. (#927970)
  - package-contains-python-header-in-incorrect-directory as Python 3.8+ changes the directory format. (#928617)
- Correct equality operator preventing the correct parsing of --onlyrun which was breaking the continuous integration tests. (#929430)
- Add references to Debian Policy §4.9.2 and §5.6.31 for checks regarding Rules-Requires-Root. (#929428)
- Remove unnecessary commas from long descriptions and improve the grammar in the description of
- I also filed a request to unblock the latest version of Lintian for Debian buster via #929676.
Whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed pre-compiled to end users.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
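The consensus idea above in working code. This is an added example and not the Reproducible Builds project's own tooling: a toy "build" step that stamps its output with the wall-clock time (so independent builders can never agree) beside a variant that takes the timestamp from SOURCE_DATE_EPOCH, the environment variable convention the project uses for exactly this purpose, and a check that only trusts an artifact when every builder reaches the same hash. The "source", the builder names and their clocks are all constructed for the example.

```python
"""Added example, not code from the original post or from the Reproducible
Builds project: a non-deterministic toy build beside a deterministic one,
plus a consensus check over independent builders' artifact hashes."""
import hashlib
import time
import zlib
from typing import Dict, Optional

# Constructed sample "source tree" -- stands in for real input to a compiler.
SOURCE = b"int main(void) { return 42; }\n"


def build_unreproducible(source: bytes, now: Optional[float] = None) -> bytes:
    """Toy compile step that embeds the wall-clock build time, the classic
    source of non-determinism (compare __DATE__/__TIME__ in C builds)."""
    stamp = int(time.time() if now is None else now)
    header = b"BUILD-TIME %d\n" % stamp
    return header + zlib.compress(source, 9)


def build_reproducible(source: bytes, env: Dict[str, str]) -> bytes:
    """Same toy step, but the embedded time comes from SOURCE_DATE_EPOCH, so
    any builder given the same source and environment emits the same bytes."""
    try:
        stamp = int(env["SOURCE_DATE_EPOCH"])
    except (KeyError, ValueError):
        raise ValueError("SOURCE_DATE_EPOCH must be set to an integer") from None
    header = b"BUILD-TIME %d\n" % stamp
    return header + zlib.compress(source, 9)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def consensus(hashes: Dict[str, str]) -> Optional[str]:
    """Given {builder_name: artifact_hash}, return the hash all builders agree
    on, or None when any builder disagrees.  A single dissenter is enough to
    withhold trust: without reproducibility you cannot tell which builder
    (or which build environment) was the compromised one."""
    distinct = set(hashes.values())
    return distinct.pop() if len(distinct) == 1 else None


def simulate(source: bytes, env: Dict[str, str], reproducible: bool) -> Optional[str]:
    """Run three independent 'builders' (constructed names and clocks) and
    report whether they reach consensus on the artifact hash."""
    builders = {"alice": 1556668800.0, "bob": 1556755200.0, "carol": 1559347200.0}
    hashes: Dict[str, str] = {}
    for name, clock in builders.items():
        if reproducible:
            artifact = build_reproducible(source, env)
        else:
            artifact = build_unreproducible(source, now=clock)
        hashes[name] = sha256_hex(artifact)
    return consensus(hashes)


if __name__ == "__main__":
    env = {"SOURCE_DATE_EPOCH": "1556668800"}
    print("unreproducible build, consensus:", simulate(SOURCE, env, reproducible=False))
    print("reproducible build, consensus:  ", simulate(SOURCE, env, reproducible=True))
```

The first call returns None because every builder embedded its own clock; the second returns one hash that any third party can recompute from the published source and SOURCE_DATE_EPOCH. A real build tree has many more such sources of variation (file ordering, locale, build paths, parallelism), which is what tools such as diffoscope are used to locate.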
Conservancy acts as a corporate umbrella, allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
This month, I:
Gave a number of informal talks to Microsoft employees on Reproducible Builds in Seattle, Washington.
Drafted, published and publicised our monthly report.
I spent some time on our website this month, adding various fixes for larger/smaller screens [...], and added a logo suitable for printing physical pin badges [...]. I also refreshed the text on our
Categorised a huge number of packages and issues in the Reproducible Builds "notes" repository, kept isdebianreproducibleyet.com up to date [...] and posted some branded merchandise to other core team members.
I also made the following changes to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues:
Support the latest PyPI package repository upload requirements by using real reStructuredText comments instead of the raw directive [...] and by stripping out manpage-only parts of the README rather than using the
Fix execution of symbolic links that point to the bin/diffoscope entry point in a checked-out version of our Git repository by fully resolving the location as part of dynamically calculating Python's module include path. [...]
Ported the entire site to Python 3 and Django 2.x as Python 2.x is due for deprecation. This required updates to a huge number of parts around the site including but not limited to completely reconfiguring and integrating the Celery queue processor, all the string formatting, etc.
Moved to using the published/public Docker image to execute builds instead of rolling our own container.
Updated and upgraded the underlying operating system to the Debian stable distribution.
Moved the canonical Git repository from GitHub to the Reproducible Builds group on salsa.debian.org, requiring moving to GitLab's own continuous integration (CI) support from Travis CI, working around the aggressive firewall (exclusively outgoing ports 80/443) applied to the Salsa-based CI runners.
Investigated and triaged firefox-esr for jessie LTS, and [...] (CVE-2019-12218) for wheezy LTS.
Frontdesk duties, responding to user/developer questions, reviewing others' packages, etc.
Issued DLA 1793-1 for the dhcpcd5 network management protocol client to fix a read overflow vulnerability.
Issued DLA 1805-1 to fix a use-after-free vulnerability in minissdpd, a network device discovery daemon, where a remote attacker could abuse this to crash the process.
For minissdpd, I filed an appropriate tracking bug for its outstanding CVE (#929297) and then fixed it in the current Debian stable distribution, proposing its inclusion in the next point release via #929613.
5:5.0.5-1) — New upstream release.
2:2.2.1-1) — New upstream release.
1.4.1-1) — New upstream release.
I also made the following non-maintainer uploads (NMUs) to fix release-critical bugs in Debian buster:
As a Debian FTP assistant I ACCEPTed 16 packages: cc-tool, gdal, golang-github-joyent-gosign, golang-github-mgutz-str, golang-github-mgutz-to, golang-github-ovh-go-ovh, golang-github-src-d-gcfg, golang-golang-x-xerrors, golang-gopkg-ldap.v3, libgit2, nodejs, opensbi, openzwave, rustc, u-boot & websocketd.