Here is my monthly update covering what I have been doing in the free software world in November 2017 (previous month):
- Submitted two pull requests for the Django web-development framework:
- Yet more hacking on the Lintian static analysis tool for Debian packages:
- New features:
- Warn for Homepage files that use well-known insecure URIs. (#849514)
- Warn on files called "-" (a literal hyphen) to detect programming errors related to writing to standard output.
- Warn if a "Team upload" (ie. that string is present in the changelog) is attmpted but the uploader is in the Maintainer or Uploaders fields. (#882954)
- Bug fixes:
- Don't warn about duplicate words separated by punctuation. (#822504)
- Remove "german" → "German" spelling entry; case corrections are covered elsewhere. (#883041)
- Don't count python-django and python3-django as Django modules. This avoids a warning where Django itself triggers django-package-does-not-depend-on-django.
- Apply patch from Simon McVittie to prevent a misdetection of libcanberra-gstreamer as a GNU Smalltalk library. (#880140)
- Allow trailing tabs in debian/rules files as they are a very common idiom in Makefiles.
- New features:
- Updated my Yet Another Django Thumbnailer library to not generate invalid URLs when using the new Amazon S3 version 4 signature scheme. [...]
- Submitted a PR to the django-auditlog library to stop using User.is_authenticated() as a callable. This is deprecated in Django 1.x and removed in Django 2.x. [...]
- Fixed the fail_silently keyword argument for my template-based email library for Django. [...]
- Add support for Django 2.x to the django-keyerror client for the KeyError.com error-tracking service. [...]
- Submitted two patches to the python-redis-rate-limit library which uses Redis to provide simple rate-limiting for-based websites to fix installation from PyPI. [...] & [...]
- I also blogged about faking cleaner URLs in the Debian BTS.
Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.
The motivation behind the Reproducible Builds effort is to allow verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
This month I:
- Presented at the Open Compliance Summit 2017 in Yokohama, Japan and had many follow-up conversations regarding using reproducible builds as a way of ensuring the long-term sustainability of civil infrastructure.
- Created pull requests upstream for fswatch, bitz-server, stetl, nbsphinx & stardicter.
- Updated diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues, to only parse DTB's version number, not any -dirty suffix. (#880279)
- Expanded the documentation for disorderfs, our FUSE-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues, highlighting the non-intuitive recommendation to sort instead of shuffle. [...]
- Made some brief changes to buildinfo.debian.net, my experiment into how to process, store and distribute .buildinfo files after the Debian archive software has processed them:
- Updated our website:
- In Debian:
- I met with the Debian JP local group in Yokohama and answered their questions on reproducible builds and similar topics.
- Submitted the following patches to fix reproducibility-related toolchain issues within Debian:
- sfepy: Please make the documentation reproducible. (#882639)
- I also submitted 25 patches to fix specific reproducibility issues in ardour, atk1.0, bitz-server, bugs-everywhere, debci, designate, fswatch, geocode-glib, json-glib, landslide, libffi-platypus-perl, nbsphinx, node-module-deps, opusfile, phatch, py3c, pymongo, python-kafka, python-stetl, pyzor, roundcube, ruby-mmap2, soundmodem, sphinx-intl & stardicter.
- Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
- Made some changes to: jenkins.debian.net which uns our comprehensive testing framework:
- Worked on publishing our weekly reports. (#132, #133, #134 & #135)
My activities as the current Debian Project Leader are covered in my "Bits from the DPL" email to the debian-devel-announce mailing list.
This month I have been paid to work 13 hours on Debian Long Term Support (LTS). In that time I did the following:
- "Frontdesk" duties, triaging CVEs, etc.
- Issued DLA 1161-1 for the redis key-value storage database to fix cross-protocol scripting attack.
- Issued DLA 1162-1 & DLA 1163-1 to fix out-of-bounds memory vulnerabilites in apr and apr-util, portability libraries for various Apache applications.
- Issued DLA 1173-1 for procmail, a tool used to sort incoming mail into various directories and filter out spam messages to fix a heap-based buffer overflow.
- Issued DLA 1174-1 to correct a denial of service vulnerability in the konversation IRC client related to parsing of color formatting codes.
- Issued DLA 1175-1 for the lynx-cur web browser, preventing a use-after-free vulnerability in the HTML parser which could lead to memory/information disclosure.
- 4.0.2-6 — Correct locations of redis-sentinel pidfiles. (#880980)
- 4.0.2-7 — Add a redis metapackage. (#876475)
- 4.0.2-8 — Use get_current_dir_name over a PATHMAX, etc. (#881684), don't rely on taskset existing for kFreeBSD-* (#881683), drop "memory efficiency" tests on advice from upstream (#881682) and allow the package be bin-NMUable.
- 4.0.2-9 — Modify aof.c for MAXPATHLEN issues. (#881684)
- 4.0.2-9~bpo9+1 — Upload to stretch-backports.
- 1.1.4-1 — New upstream release.
- 1.1.4-2 — Use upstream's new manpage.
- 1.3.0-2 — Ensure all dependencies are available for DEP-8 tests. (#882876)
- redisearch (0.90.0~alpha1-1, 0.90.1-1, 0.99.0-1 & 0.99.2-1) — New upstream releases.
Debian bugs filed
- cappuccino: Broken symlink in /usr/games. (#880714)
- statsmodels: Accesses raw.github.com during build. (#882641)
- python-lti: Please run the upstream testsuite. (#880834)
- git-buildpackage: gbp dch needs a better workflow description. (#880552)
- audacity: New upstream release. (#880717)
- python-djangorestframework: New upstream release. (#880538)
- djangorestframework: New upstream release. (#880558)
As a Debian FTP assistant I ACCEPTed 58 packages: aladin, apulse, aribb24, ayatana-indicator-printers, beads, belr, binutils, breezy-debian, brightnessctl, cupt, dino-im, evqueue-core, fdm-materials, fonts-noto-color-emoji, gcc-8-cross, gcc-8-cross-ports, gnome-shell-extension-hide-veth, gnome-shell-extension-no-annoyance, gnome-shell-extension-tilix-shortcut, gnome-shell-extension-workspaces-to-dock, goocanvasmm-2.0, intel-vaapi-driver-shaders, ldc, libaws-signature4-perl, libcdio-paranoia, libemail-address-xs-perl, libjs-jquery-file-upload, libmath-utils-perl, libosmo-abis, libosmocore, libsavitar, libsignal-protocol-c, lr, mate-window-applets, node-ms, openjdk-10, phast, pspg, python-daphne, r-cran-cardata, r-cran-cvst, r-cran-forcats, r-cran-gower, r-cran-guerry, r-cran-haven, r-cran-lava, r-cran-nortest, r-cran-rcpproll, r-cran-readr, r-cran-spatstat.data, r-cran-tidyselect, ros-geometry2, shoogle, snapd-glib, sphinx-intl, tang, ulfius & webapps-metainfo.