Here is my monthly update covering what I have been doing in the free software world in November 2017 (previous month):

Submitted two pull requests for the Django web-development framework:
- Use the modern str.format logging formatting style over %. [...]
- Removed the unused django.utils.dates.WEEKDAYS_REV and MONTHS_3_REV. [...]
Yet more hacking on the Lintian static analysis tool for Debian packages:
- New features:
  - Warn for Homepage files that use well-known insecure URIs. (#849514)
  - Warn on files called "-" (a literal hyphen) to detect programming errors related to writing to standard output.
  - Warn if a "Team upload" (ie. that string is present in the changelog) is attmpted but the uploader is in the Maintainer or Uploaders fields. (#882954)
- Bug fixes:
  - Don't warn about duplicate words separated by punctuation. (#822504)
  - Remove "german" → "German" spelling entry; case corrections are covered elsewhere. (#883041)
  - Don't count python-django and python3-django as Django modules. This avoids a warning where Django itself triggers django-package-does-not-depend-on-django.
  - Apply patch from Simon McVittie to prevent a misdetection of libcanberra-gstreamer as a GNU Smalltalk library. (#880140)
  - Allow trailing tabs in debian/rules files as they are a very common idiom in Makefiles.
- Documentation:
  - Add a suggested [[:space:]]-based sed call for file-contains-trailing-whitespace. Thanks to Stuart Prescott. (#881389)
  - Don't recommend the use of Source-Version in tag descriptions.
  - Improve override documentation using the source-is-missing tag as an example. (#838807)
- Misc:
  - Remove the Experimental: yes flag from debian-control-has-obsolete-dbg-package. (#882154)
  - Rewrite the file-contains-trailing-whitespace tag to use a hash from the filename to the regex we should match.
Updated my Yet Another Django Thumbnailer library to not generate invalid URLs when using the new Amazon S3 version 4 signature scheme. [...]
Submitted a PR to the django-auditlog library to stop using User.is_authenticated() as a callable. This is deprecated in Django 1.x and removed in Django 2.x. [...]
Fixed the fail_silently keyword argument for my template-based email library for Django. [...]
Add support for Django 2.x to the django-keyerror client for the KeyError.com error-tracking service. [...]
Submitted two patches to the python-redis-rate-limit library which uses Redis to provide simple rate-limiting for-based websites to fix installation from PyPI. [...] & [...]
I also blogged about faking cleaner URLs in the Debian BTS.

Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds effort is to allow verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

I have generously been awarded a grant from the Core Infrastructure Initiative to fund my work in this area.

This month I:

Presented at the Open Compliance Summit 2017 in Yokohama, Japan and had many follow-up conversations regarding using reproducible builds as a way of ensuring the long-term sustainability of civil infrastructure.
Created pull requests upstream for fswatch, bitz-server, stetl, nbsphinx & stardicter.
Updated diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues, to only parse DTB's version number, not any -dirty suffix. (#880279)
Expanded the documentation for disorderfs, our FUSE-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues, highlighting the non-intuitive recommendation to sort instead of shuffle. [...]
Made some brief changes to buildinfo.debian.net, my experiment into how to process, store and distribute .buildinfo files after the Debian archive software has processed them:
- Add a by-hash API endpoint. [...]
- Support ?key__uid=X&key__uid=Y filtering. [...]
Updated our website:
- Move the "contribute" page from the Debian wiki to /contribute/. [...]
- Add a (redirecting) /docs/source-date-epoch/ page so we have a canonical URL. [...]
- Add recent talks to Resources page. [...]
- Cachebust CSS files. [...]
In Debian:
- I met with the Debian JP local group in Yokohama and answered their questions on reproducible builds and similar topics.
- Submitted the following patches to fix reproducibility-related toolchain issues within Debian:
  - sfepy: Please make the documentation reproducible. (#882639)
- I also submitted 25 patches to fix specific reproducibility issues in ardour, atk1.0, bitz-server, bugs-everywhere, debci, designate, fswatch, geocode-glib, json-glib, landslide, libffi-platypus-perl, nbsphinx, node-module-deps, opusfile, phatch, py3c, pymongo, python-kafka, python-stetl, pyzor, roundcube, ruby-mmap2, soundmodem, sphinx-intl & stardicter.
Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
Made some changes to: jenkins.debian.net which uns our comprehensive testing framework:
- Ignore "warning" strings in commit messages causing builds to be marked as unstable. [...]
- Update the email subject of status change mails away from Debian-specific URI. [...]
- Move some IRC announcements to #debian-reproducible-changes. [...]
Worked on publishing our weekly reports. (#132, #133, #134 & #135)

Debian

My activities as the current Debian Project Leader are covered in my "Bits from the DPL" email to the debian-devel-announce mailing list.

Patches contributed

dget: Please support downloading packages over gopher://. (#880649)
gpaw: Incorrectly creates logging files called - instead of logging to standard output. (#882638)
pk4: Please avoid the use of avail in package descriptions. (#881343)

Debian LTS

This month I have been paid to work 13 hours on Debian Long Term Support (LTS). In that time I did the following:

"Frontdesk" duties, triaging CVEs, etc.
Issued DLA 1161-1 for the redis key-value storage database to fix cross-protocol scripting attack.
Issued DLA 1162-1 & DLA 1163-1 to fix out-of-bounds memory vulnerabilites in apr and apr-util, portability libraries for various Apache applications.
Issued DLA 1173-1 for procmail, a tool used to sort incoming mail into various directories and filter out spam messages to fix a heap-based buffer overflow.
Issued DLA 1174-1 to correct a denial of service vulnerability in the konversation IRC client related to parsing of color formatting codes.
Issued DLA 1175-1 for the lynx-cur web browser, preventing a use-after-free vulnerability in the HTML parser which could lead to memory/information disclosure.

Uploads

python-django:
- 1.11.6-2 — Add Breaks: openstack-dashboard (<< 3:12) to ensure this package gets upgraded first (#880409) and use a HTTPS URI in debian/watch.
- 1.11.7-1 — New upstream bugfix release.
- 2.0~rc1-1 — New upstream release candidate.
redis:
- 4.0.2-6 — Correct locations of redis-sentinel pidfiles. (#880980)
- 4.0.2-7 — Add a redis metapackage. (#876475)
- 4.0.2-8 — Use get_current_dir_name over a PATHMAX, etc. (#881684), don't rely on taskset existing for kFreeBSD-* (#881683), drop "memory efficiency" tests on advice from upstream (#881682) and allow the package be bin-NMUable.
- 4.0.2-9 — Modify aof.c for MAXPATHLEN issues. (#881684)
- 4.0.2-9~bpo9+1 — Upload to stretch-backports.
bfs:
- 1.1.4-1 — New upstream release.
- 1.1.4-2 — Use upstream's new manpage.
python-daiquiri:
- 1.3.0-2 — Ensure all dependencies are available for DEP-8 tests. (#882876)
redisearch (0.90.0~alpha1-1, 0.90.1-1, 0.99.0-1 & 0.99.2-1) — New upstream releases.

Finally, I also made a non-maintainer upload (NMU) of cpio (2.12+dfsg-5) to the experimental distribution.

Debian bugs filed

cappuccino: Broken symlink in /usr/games. (#880714)
statsmodels: Accesses raw.github.com during build. (#882641)
python-lti: Please run the upstream testsuite. (#880834)
git-buildpackage: gbp dch needs a better workflow description. (#880552)
audacity: New upstream release. (#880717)
python-djangorestframework: New upstream release. (#880538)
djangorestframework: New upstream release. (#880558)

I also filed 2 FTBFS bugs against django-axes & plinth.

FTP Team

As a Debian FTP assistant I ACCEPTed 58 packages: aladin, apulse, aribb24, ayatana-indicator-printers, beads, belr, binutils, breezy-debian, brightnessctl, cupt, dino-im, evqueue-core, fdm-materials, fonts-noto-color-emoji, gcc-8-cross, gcc-8-cross-ports, gnome-shell-extension-hide-veth, gnome-shell-extension-no-annoyance, gnome-shell-extension-tilix-shortcut, gnome-shell-extension-workspaces-to-dock, goocanvasmm-2.0, intel-vaapi-driver-shaders, ldc, libaws-signature4-perl, libcdio-paranoia, libemail-address-xs-perl, libjs-jquery-file-upload, libmath-utils-perl, libosmo-abis, libosmocore, libsavitar, libsignal-protocol-c, lr, mate-window-applets, node-ms, openjdk-10, phast, pspg, python-daphne, r-cran-cardata, r-cran-cvst, r-cran-forcats, r-cran-gower, r-cran-guerry, r-cran-haven, r-cran-lava, r-cran-nortest, r-cran-rcpproll, r-cran-readr, r-cran-spatstat.data, r-cran-tidyselect, ros-geometry2, shoogle, snapd-glib, sphinx-intl, tang, ulfius & webapps-metainfo.

I additionally filed 2 RC bugs against packages that had incomplete debian/copyright files against libsavitar & fdm-materials.

You can subscribe to new posts via email or RSS.