Here is my monthly update covering what I have been doing in the free software world during May 2026 (previous month):
Reproducible Builds
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
The project is proud to be a member project of the Software Freedom Conservancy. Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
This month, I:
- Wrote and submitted at least 19 patches to fix specific reproducibility issues in cairocffi, dkimpy, docker-credential-gcr, fortran-stdlib, git-pw, golang-github-akavel-rsrc, golang-github-containerd-accelerated-container-image, golang-github-shirou-gopsutil, javacc5, libreoffice-dictionaries, pampi, powerline, pycayennelpp, pycorrfit, rssguard, ruby-otr-activerecord, sphinx-needs, vnu & xpenguins.
- Kept isdebianreproducibleyet.com up to date. [...]
- Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.
- Drafted, published and publicised our monthly report for April 2026.
- Updated the main Reproducible Builds website and documentation in many ways, such as adding a missing + (plus sign) to the GNU Autotools example on the SOURCE_DATE_EPOCH documentation page. [...]
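As an added example (not the snippet from the documentation page and not part of this post), here is a POSIX shell function in the spirit of that Autotools example: it derives a build date from SOURCE_DATE_EPOCH with the + format flag in place and rejects malformed values. It assumes GNU date(1) from coreutils; the epoch value used below is constructed.

```shell
#!/bin/sh
# Added example: a build date that honours SOURCE_DATE_EPOCH so that two
# builds of the same source embed the same date. Assumes GNU date(1).
#
# The leading "+" before the format string is the easy part to drop:
# without it, date(1) treats "%Y-%m-%d" as a time to *set* rather than
# an output format, and the build fails or prints something unintended.

build_date() {
    case "${SOURCE_DATE_EPOCH:-}" in
        '')
            # No override: current time, i.e. the non-reproducible
            # behaviour the variable exists to avoid.
            date -u +%Y-%m-%d
            ;;
        *[!0-9]*)
            # The specification requires a non-negative integer
            # number of seconds since the Unix epoch.
            echo "SOURCE_DATE_EPOCH must be a non-negative integer" >&2
            return 1
            ;;
        *)
            # "-d @<epoch>" is GNU date syntax; "+%Y-%m-%d" is the format.
            date -u -d "@$SOURCE_DATE_EPOCH" +%Y-%m-%d
            ;;
    esac
}

# Two builds with the same SOURCE_DATE_EPOCH must produce the same date.
SOURCE_DATE_EPOCH=1700000000   # constructed value, 2023-11-14 UTC
first=$(build_date)
second=$(build_date)
[ "$first" = "$second" ] && echo "build date: $first"
```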
Debian
I did a lot of work this month attempting to upgrade Django in Debian unstable to version 5.2. This included many uploads of packages maintained by the Debian Python Team, as well as providing a number of patches for other projects. For instance, I contributed a patch for lava to support Django 5.2 (#1135703) and filed bugs for other packages such as postorius (#1135698).
In addition, I needed to update Django in the trixie and bookworm distributions due to changes in the Python standard library. These were filed in Debian bugs #1137723 and #1137724.
Uploads
- bfs:
  - 4.1.1-1 — New upstream release.
  - 4.1.2-1 — New upstream release; update debian/watch file, etc.
- 1.6.41-2 — Add procps to the autopkgtest dependencies as pidof is being moved out of the (Priority: Essential) package sysvinit-tools. (#1136530)
- 1.6.42-1 — New upstream security release. (#1137214)
- pydevd (3.5.0+ds-2) — Fix support for Django 5.2.
- 5.2.14-1 — New upstream security release. (#1135755)
- 5.2.14-2 — Cherry-pick a patch to skip NOT NULL constraints on PostgreSQL 18. This addresses an issue that surfaces in python-django-postgres-extra. Thanks to Athos Ribeiro.
- 6.0.5-1 — New upstream security release. (#1135755)
- python-django-postgres-extra (2.0.9-4) — Add some more debugging info in an attempt to diagnose a compatibility issue with Django 5.2.
- 8.0.6-2 — Correct return values within CVE-2026-21863-related bounds checking. Huge thanks to Aron Xu for the observation. (#1136392)
- 8.6.3-1 — New upstream security release.
Debian LTS
This month I have worked 30 hours on Debian Long Term Support (LTS) and on its sister Extended LTS (ELTS) project.
- Investigated and triaged: gnutls28 (CVE-2026-42015, CVE-2026-5419, etc.), hashcat (CVE-2026-42482, CVE-2026-42483 & CVE-2026-42484), imagemagick (CVE-2026-42050), krb5 (CVE-2026-40355 & CVE-2026-40356), lcms2 (CVE-2026-41254 & CVE-2026-42798), libplack-perl (CVE-2026-7381), libsndfile (CVE-2026-37555), lxc (CVE-2026-39402), mupdf (CVE-2026-7233), node-postcss (CVE-2026-41305), starman (CVE-2026-40560), swupdate (CVE-2026-28525), wget2 (CVE-2026-1858) and zookeeper (CVE-2026-24281 & CVE-2026-24308).
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Issued DLA 4567-1 as it was discovered that there was a potential use-after-free issue in the lrzip compression/decompression program.
- Issued DLA 4568-1 and ELA-1709-1 as there was an integer overflow vulnerability in the lcms2 package, aka the Little CMS color management library.
- Issued DLA 4601-1 and ELA 1733-1 because two side-channel attacks were publicised for memcached, the popular in-memory key/value database store. These could have been used to reveal or extract information about authentication details.
You can find out more about the Debian LTS project via the following video:
