Free software activities in May 2021

Here's my monthly update covering what I have been doing in the free software world for May 2021 (previous month):

• Opened a pull request to make the build reproducible in the apispec API specification generator. The issue at hand is that the copyright message in the generated documentation used the current build date so that the build would vary depending on whenever you built it. [...]

• Updated my Tickle Me Email tool that implements Gettings Things Done-like behaviours in any IMAP inbox in order to sort various items by the date, not by their subject field. [...]

• As part of my role of being the assistant Secretary of the Open Source Initiative and a board director of Software in the Public Interest, I attended their respective usual monthly meetings. As I outlined last month, my term on the OSI board has been slightly extended due to the discovery of a vulnerability in OSI's recent election — as a result, the 2021 election will be re-run to ensure transparency of the process. SPI had their virtual 'face to face' meeting this month as well, spread out over three evenings.

Reproducible Builds

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

• Kept isdebianreproducibleyet.com up to date. [...]

• Categorised a large number of packages and issues in the Reproducible Builds notes.git" repository.

• Filed an upstream pull request to make the build reproducible in the apispec specification generator. This was also filed in Debian as bug #988978. [...]

• Filed a bug against the Debian jenkins.debian.org virtual packages to report that the reproducible rescheduling CGI script uses the deprecated Debian SSO service. (#989088)

• Drafted, published and publicised our monthly report for April 2021.

• I also made the following changes to strip-nondeterminism, our tool to remove specific non-deterministic results from a completed build:

  • Added support for Python pyzip files: they require special handling to not mangle the UNIX shebang. (#18)

  • Dropped single-debian-patch, etc. from the Debian source package options. [...]

I also made the following changes to diffoscope, including preparing and uploading versions 174, 175 and 176 to Debian:

• Bug fixes:

  • Check that we are parsing an actual Debian .buildinfo file, not just a file with that particular extension — after all, it could be any file. (#254, #987994)
  • Support signed .buildinfo files again. It appears that some versions of file(1) reports them as PGP signed message. [...]
  • Use the actual filesystem path name (instead of diffoscope's concept of the source archive name) in order to correct filename filtering when an APK file has been extracted from a container format. In particular, we need to filter the auto-incremented 1.apk instead of original-name.pk. (#255)

• New features:

  • Update ffmpeg tests to work with version 4.4. (#258)
  • Correct grammar in a fsimage.py debug message. [...]

• Misc:

  • Don't unnecessarily call os.path.basename twice in the APK comparator. [...]
  • Added instructions on how to install diffoscope on openSUSE on the diffoscope website [...].
  • Add a comment about stripping filenames. [...]
  • Corrected a reference to site.salsa_url which was breaking the "File a new issue" link on the website [...].

Debian

• python-django:

  • 2.2.21-1 — New upstream security release.
  • 2.2.22-1 — Another new upstream security release.
  • 2.2.23-1 — New upstream release.
  • 3.2.1-1 (to experimental) — New upstream security release.
  • 3.2.2-1 (to experimental) — Another new upstream security release.
  • 3.2.3-1 (to experimental) — New upstream release.

• redis:

  • 6.0.13-1 — New upstream security release. (#988045)
  • 6.2.3-1 (to experimental) — New upstream security release. (#988045)

Finally, I also made a sponsored upload of adminer (4.7.9-2) for Alexandre Rossi.

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

• Investigated and triaged: apserver (CVE-2021-32062), bundler, djvulibre (CVE-2021-3500), graphviz (CVE-2020-18032), hivex (CVE-2021-3504), libgetdata (CVE-2021-20204), libjs-handlebars (CVE-2021-23383), liblivemedia (CVE-2021-28899), libsixel (CVE-2020-36120), lucene-solor (CVE-2021-27905), opendmarc (CVE-2020-12272), pillow (CVE-2021-25287, CVE-2021-25288, etc.), qemu (CVE-2021-3527), redmine (CVE-2019-25026) and sabnzbdplus (CVE-2021-29488).

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.

• Prepared versions of both velocity (1.7-5+deb10u1) and ruby-websocket-extensions (0.1.2-1+deb10u1) to upload to Debian stable to ensure clean upgrades of security-related. I filed two 'unblock requests' for these packages as well (#988455) & #988454).

• Issued DLA 2651-1 and ELA-421-1 for Django, the popular Python-based web development framework. The MultiPartParser, UploadedFile and FieldFile classes allowed directory-traversal via uploaded files with suitably crafted file names. In order to mitigate this risk, stricter path 'basename' and path sanitation is now applied. Specifically, empty file names and paths with dot segments are rejected.

• Issued DLA 2657-1 and ELA-427-1 as it was discovered that there was a potential memory corruption vulnerability in the lz4 compression algorithm library.

You can find out more about the project via the following video:

You can subscribe to new posts via email or RSS.