Here is my monthly update covering what I have been doing in the free software world (previous month):

Started work on a Python API to the UK Postbox mail scanning and forwarding service. (repo)
Lots of improvements to buildinfo.debian.net, my experiment into how to process, store and distribute .buildinfo files after the Debian archive software has processed them, including making GPG signatures mandatory (#7), updating jenkins.debian.net to sign them and moving to SSL.
Improved the Django client to the KeyError error tracking software, enlarging the test coverage and additionally adding support for grouping errors using a context manager.
Made a number of improvements to travis.debian.net, my hosted service for projects that host their Debian packaging on GitHub to use the Travis CI continuous integration platform to test builds on every code change:
- Install build-dependencies with debugging output. Thanks to @waja. (#31)
- Install Lintian by default. Thanks to @freeekanayaka. (#33).
- Call mktemp with --dry-run to avoid having to delete it later. (commit)
Submitted a pull request to Wheel (a utility to package Python libraries) to make the output of METADATA files reproducible. (#73)
Submitted some miscellaneous documentation updates to the Tails operating system. (patches)

Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds effort is to permit verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

This month:

I was proud to announce that I have been awarded a grant from the Core Infrastructure Initiative (CII) to fund my previously-voluntary work in this area.
Presented a talk with Holger Levsen entitled "Reproducible builds status update" talk at MiniDebConfCambridge 2016. (Slides)
Attended the Tails operating system's Reproducible Builds sprint making excellent progress towards making the next release reproducible.
Ensured that Webconverger kiosk operating system can now be built reproducibly.
Within Debian, I filed a bug requesting that packages should be reproducible by policy. (#844431)

My work in the Reproducible Builds project was also covered in our weekly reports (#80, #81, #82 #83).

Toolchain issues

I submitted the following patches to fix reproducibility-related toolchain issues with Debian:

amd64-microcode: Please make the early initramfs image reproducible
initramfs-tools: Please ensure initrd images are reproducible
markdown: Please make the output reproducible
python-defaults: Please make the substvars reproducible
wheel: Please make the output of METADATA files reproducible

strip-nondeterminism

strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.

Ensure tests do not rely on Debian-specific Debian::Debhelper::Dh_Lib. (b9d5b06)
Filed a wishlist bug to support normalising NTFS timestamps in .zip files.

jenkins.debian.net

jenkins.debian.net runs our comprehensive testing framework.

buildinfo.debian.net has moved to SSL. (ac3b9e7)
Submit signing keys to keyservers after generation. (bdee6ff)
Various cosmetic changes, including
- Prefer if X not in Y over if not X in Y. (bc23884)
- No need for a dictionary; let's just use a set. (bf3fb6c)
- Avoid DRY violation by using a for loop. (4125ec5)

I also submitted 9 patches to fix specific reproducibility issues in apktool, cairo-5c, lava-dispatcher, lava-server, node-rimraf, perlbrew, qsynth, tunnelx & zp.

Debian

Debian LTS

This month I have been paid to work 11 hours on Debian Long Term Support (LTS). In that time I did the following:

"Frontdesk" duties, triaging CVEs, etc.
Issued DLA 697-1 for bsdiff fixing an arbitrary write vulnerability.
Issued DLA 705-1 for python-imaging correcting a number of memory overflow issues.
Issued DLA 713-1 for sniffit where a buffer overflow allowed a specially-crafted configuration file to provide a root shell.
Issued DLA 723-1 for libsoap-lite-perl preventing a Billion Laughs XML expansion attack.
Issued DLA 724-1 for mcabber fixing a roster push attack.

Uploads

redis:
- 3.2.5-2 — Tighten permissions of /var/{lib,log}/redis. (#842987)
- 3.2.5-3 & 3.2.5-4 — Improve autopkgtest tests and install upstream's MANIFESTO and README.md documentation.
gunicorn (19.6.0-9) — Adding autopkgtest tests.
libfiu:
- 0.94-1 — Add autopkgtest tests.
- 0.95-1, 0.95-2 & 0.95-3 — New upstream release and improve autopkgtest coverage.
python-django (1.10.3-1) — New upstream release.
aptfs (0.8-3, 0.8-4 & 0.8-5) — Adding and subsequently improving the autopkgtext tests.

I performed the following QA uploads:

boxbackup (0.11.1~r2837-3) — Fix compatibility with OpenSSL 1.1.0. (#828253)
httperf (0.9.0-6) — Fix compatibility with OpenSSL 1.1.0. (#828343)
ike (2.2.1+dfsg-6) — Fix compatibility with OpenSSL 1.1.0. (#828349)
polygraph (4.3.2-4) — Fix compatibility with GCC 6. (#831125)
samdump2 (3.0.0-4) — Fix compatibility with OpenSSL 1.1.0. (#828537)
qink (0.3.5-8) — Fix FTBFS. (#841572)

Finally, I also made the following non-maintainer uploads:

libident (0.22-3.1) — Move from obsolete Source-Version substvar to binary:Version. (#833195)
libpcl1 (1.6-1.1) — Move from obsolete Source-Version substvar to binary:Version. (#833196)
pygopherd (2.0.18.4+nmu1) — Move from obsolete Source-Version substvar to ${source:Version}. (#833202)

Debian bugs filed

bugs.debian.org: Please provide "Content-Disposition: attachment; filename=[..]" headers
initramfs-tools: Don't print a warning if /etc/modprobe.d is empty
cwltool: Accesses the internet during build

RC bugs

dpdk: maintainer address bounces
libc6-dev: static linking with stack protector fails: undefined reference to `__memcpy_chk'
libpcap: libpcap0.8-dev does not contain remote-ext.h
libspring-java: Invalid optional dependencies in the Maven POMs
libssl1.1: 1.1.0c broke Python
linux, linux-2.6, linux-2.6.24: linux/atm_zatm.h change breaks time.h inclusion
php-memcached: php-memcached must Build-depend on zlib1g-dev
php-pecl-http: php-pecl-http must Build-depend on zlib1g-dev
pokerth: -std=gnu++98 workaround no longer works with Qt 5.7
pyelliptic: Does not support OpenSSL 1.1
salt-call fails with libcrypto.so.1.1: undefined symbol: OPENSSL_no_config
potrace: CVE-2016-8685 CVE-2016-8686
ming: CVE-2016-9264 CVE-2016-9265 CVE-2016-9266

I also filed 59 FTBFS bugs against arc-gui-clients, asyncpg, blhc, civicrm, d-feet, dpdk, fbpanel, freeciv, freeplane, gant, golang-github-googleapis-gax-go, golang-github-googleapis-proto-client-go, haskell-cabal-install, haskell-fail, haskell-monadcatchio-transformers, hg-git, htsjdk, hyperscan, jasperreports, json-simple, keystone, koji, libapache-mod-musicindex, libcoap, libdr-tarantool-perl, libmath-bigint-gmp-perl, libpng1.6, link-grammar, lua-sql, mediatomb, mitmproxy, ncrack, net-tools, node-dateformat, node-fuzzaldrin-plus, node-nopt, open-infrastructure-system-images, open-infrastructure-system-images, photofloat, ppp, ptlib, python-mpop, python-mysqldb, python-passlib, python-protobix, python-ttystatus, redland, ros-message-generation, ruby-ethon, ruby-nokogiri, salt-formula-ceilometer, spykeviewer, sssd, suil, torus-trooper, trash-cli, twisted-web2, uftp & wide-dhcpv6.

FTP Team

As a Debian FTP assistant I ACCEPTed 70 packages: bbqsql, coz-profiler, cross-toolchain-base, cross-toolchain-base-ports, dgit-test-dummy, django-anymail, django-hstore, django-html-sanitizer, django-impersonate, django-wkhtmltopdf, gcc-6-cross, gcc-defaults, gnome-shell-extension-dashtodock, golang-defaults, golang-github-btcsuite-fastsha256, golang-github-dnephin-cobra, golang-github-docker-go-events, golang-github-gogits-cron, golang-github-opencontainers-image-spec, haskell-debian, kpmcore, libdancer-logger-syslog-perl, libmoox-buildargs-perl, libmoox-role-cloneset-perl, libreoffice, linux-firmware-raspi3, linux-latest, node-babel-runtime, node-big.js, node-buffer-shims, node-charm, node-cliui, node-core-js, node-cpr, node-difflet, node-doctrine, node-duplexer2, node-emojis-list, node-eslint-plugin-flowtype, node-everything.js, node-execa, node-grunt-contrib-coffee, node-grunt-contrib-concat, node-jquery-textcomplete, node-js-tokens, node-json5, node-jsonfile, node-marked-man, node-os-locale, node-sparkles, node-tap-parser, node-time-stamp, node-wrap-ansi, ooniprobe, policycoreutils, pybind11, pygresql, pysynphot, python-axolotl, python-drizzle, python-geoip2, python-mockupdb, python-pyforge, python-sentinels, python-waiting, pythonmagick, r-cran-isocodes, ruby-unicode-display-width, suricata & voctomix-outcasts.

I additionally filed 4 RC bugs against packages that had incomplete debian/copyright files against node-cliui, node-core-js, node-cpr & node-grunt-contrib-concat.

You can subscribe to new posts via email or RSS.