Free software activities in May 2025

Here is my monthly update covering what I have been doing in the free software world during May 2025 (previous month):

Reproducible Builds

One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.

This month, I:

• Kept isdebianreproducibleyet.com up to date. […]

• Submitted a patch to fix a specific reproducibility issues in golang-github-lucas-clemente-quic-go.

• Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.

• Drafted, published and publicised our monthly report for April.

• Updated the main Reproducible Builds website and documentation:

  • Merged four or five suggestions from Guillem Jover for the GNU Autotools examples on the SOURCE_DATE_EPOCH example page […]
  • Incorporated a number of fixes for the JavaScript SOURCE_DATE_EPOCH snippet from Sebastian Davis, which did not handle non-integer values correctly. […]

Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions 295, 296 and 297 to Debian:

• Don't rely on zipdetails' --walk argument being available, and only add that argument on newer versions after we test for that. […]
• Review and merge support for NuGet packages from Omair Majid. […]
• Update copyright years. […]
• Merge support for an lzma comparator from Will Hollywood. […][…]

… and I also merged an impressive changeset from Siva Mahadevan to make disorders more portable, especially on FreeBSD. disorderfs is our FUSE-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues. […]

Debian

• lastpass-cli:

  • 1.6.1-2 — Don't fail the build if the testsuite fails. The underlying package works successfully, but the test harness supplied by upstream is regrettably, currently buggy. (#1092429)
  • 1.6.1-3 — Apply patch from @ncopa on upstream's Github issue to fix a compatibility issue with OpenSSL 3.5 worked around in the fix for #1092429.

• python-django:

  • 4.2.21-1 — New upstream security release.
  • 5.2.1-1 — New upstream security release.

• python-fakeredis:

  • 2.29.0-1 — New upstream release, intended to prevent an autopkgtest regression that was causing a regression within python-redis which was, in turn, preventing the redis package from migrating.
  • 2.29.0-2 — Allow two specific autopkgtests to fail, as they appear to be flaky and/or nondeterministic.
  • 2.29.0-3 — Address a number of autopkgtest regression issues exposed by the previous two uploads, including requiring Redis 8 and python3-mock and disabling the test_time test due to an incompatibility with the new version of Mock and mock_use_standalone_module. (#1105992)
  • 2.29.0-4 — Overhaul the list of flaky tests that are not run during autopkgtest execution; some of these had been renamed/reorganised since they were originally added. (#1105992)

• python-redis:

  • 6.1.0-1 — New upstream release required to support Redis 8.x; overhauled packaging somewhat.
  • 6.1.0-2 — Use Python's math.isclose() over testing for floating point equality. This should fix broken autopkgtests on the arm64, ppc64el, riscv64 and s390x architectures. (#1106376)

• redis:

  • 8.0.0-1 — New upstream release under new AGPL-3 licensing scheme, refreshing a number patches that had diverged or had been applied since version 7.0.15. […]
  • 8.0.0-2 — Upload for 8.0.0-1 to Debian unstable. […]

I also submitted patches for:

• libtest-redisserver-perl: Fix an issue where the testsuite was relying on Redis emitting a particular error message that changed in Redis 8. (#1106425)

• python-hypothesis: Ignore DeprecationWarning exceptions raised in the testsuite as it, in turn, causes interconnected compatibility issues with both python-fakeredis and python-redis. (#1106438)

And, finally, I submitted a request to unblock redis version 8.0.0-2 for inclusion in the next Debian stable release, trixie. (#1106871)

Debian LTS

This month I have worked 15.5 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

• Investigated and triaged firefox-esr (CVE-2025-4083, CVE-2025-4087, CVE-2025-4091 & CVE-2025-4093), golang-golang-x-net (CVE-2025-22872), libeconf (CVE-2023-22652, CVE-2023-32181), nodejs (CVE-2025-47153), openjdk-17, python-django (CVE-2024-24680), qemu (CVE-2024-3446, CVE-2024-4467 & CVE-2024-7409), request-tracker4 (CVE-2024-3262, CVE-2025-30087 & CVE-2025-2545) & rust-tokio.

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc. Unfortunately, I could not make this month's IRC meeting.

• I also performed a number of tests of debusine.debian.net, a new way of preparing packages for Debian. Through this, I filed a merge request regarding the number of work requests displayed on logged-in homepage.

• Fully prepared an update for Django for jessie ELTS. This is to address three issues, and it will shortly be released (as 'ELA-1448-1') once the build finishes.

  • CVE-2025-32873: Prevent an issue where the strip_tags() function in django.utils.html was vulnerable to a potential denial-of-service (DoS) attack when processing inputs containing large sequences of incomplete HTML tags. The |striptags template filter was similarly vulnerable, for it is built on top of strip_tags(). (#1104872)

  • CVE-2024-24680: Prevent an issue where the |intcomma template filter was subject to a potential denial-of-service attack when (ab)used with very long strings.

  • CVE-2023-36053: Prevent an potential denial-of-service issue in the EmailValidator and URLValidator classes that could have been exploited via a very large number of domain name labels containing emails or web addresses. (#1040225)

• Issued DLA 4164-1 because it was discovered that there was a potential buffer overflow vulnerability in libeconf, a configuration file parser used in openSUSE and openSUSE-related projects. This issue could have been exploited via maliciously crafted configuration files.

You can find out more about the Debian LTS project via the following video:

You can subscribe to new posts via email or RSS.