Here is my monthly update covering what I have been doing in the free software world during November 2018 (previous month):
I was honoured to give the opening keynote at Freenode.live in Bristol, UK on what Free Software can learn from classical music, and later presented at SFScon in Bolzano, Italy on reproducible builds and how they can prevent developers from becoming targets of various attacks.
My activities as the current Debian Project Leader are covered in my Bits from the DPL email to the
Continued to maintain a set of module repositories forked from prior to Redis Labs relicensing a number of AGPL-licensed Redis modules with the "Commons Clause" amendment.
Did further work on my Debbugs Enhancement Suite browser extension to enhance various parts of the bugs.debian.org web interface to add support for collapsing package headers [...] and for removing matching package name prefixes from bug lists [...].
For the Tails website I had previously fixed an issue in the Ikiwiki wiki compiler where the first inline directive would be translated but subsequent inlines of the same file would result in the raw contents of the .po being inserted into the page instead [...] and I spent some time this month trying to get a regression test working in the testsuite [...].
Merged a pull request by Jesse Laukkanen for my django-dynamic-subdomains library (which adds dynamic, e.g. database-backed, and static subdomain support to Django projects) to support new-style middleware [...].
Blogged about the Record number of uploads of a Debian package in a day, and also wrote a review of coffee from the "Trojan Room" in Cambridge University's Department of Computer Science and Technology.
Merged a pull request from Lukas Martini for my django-slack library (a convenient bridge between Django projects and the Slack chat platform) to add a backend for asynchronous message sending using Django-Q. [...]
More hacking on the Lintian static-analysis tool for Debian packages:
- Unify all dpkg internal database checks into a new uses-dpkg-database-directly check, extending it to check upstream code. (#913974)
- Emit a warning for .service files that do not use any hardening features. (#913605)
- Warn about packages that use vendor-specific patch series files since the CTTE decision in #904302. [...]
- Rework the init.d-script-does-not-implement-optional-option tag and rename it to init.d-script-does-not-implement-status-option. (#913466)
- Check for packages that install files to
- Suggest that hunspell-* packages use the
- Warn if a
- Unify all
- Ensure the Architecture field in a .changes file contains only the string source rather than checking whether it is defined or not. (#914163)
- readMesh_off.m false-positives for package-contains-documentation-outside-usr-share-doc. (#914500)
- Apply a patch from Stephen Kitt to avoid false-positives for package-does-not-use-debhelper-or-cdbs if the call to dh(1) is prefixed with
- Apply patch from James McCoy to fix invalid-template-id-in-symbols-file & syntax-error-in-symbols-file false-positives. (#913290)
- Avoid debian-watch-file-should-mangle-version false-positives when the file uses the
- Prevent an uninitialized value warning when processing empty/truncated
- Correct "creating", "ocurrence" and "ocurrences" spelling corrections [...] and add a missing plural correction [...].
- Ensure the --dbgsym-migration='with spaces' is correctly displayed when emitting debug-symbol-migration-possibly-complete. [...]
- Clarify the distinction between the package-installs-java-bytecode and source-contains-prebuilt-java-object tags. (#879851)
- Consistently use DEP 5 over DEP-5 (etc). (#914562)
- Expand rationale for file-contains-trailing-whitespace. [...]
- "No no-op correction present..." test failure messages include the offending correction. [...]
- Bump the severity of the source-contains-prebuilt-windows-binary tag from
Whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed pre-compiled to end users.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising that identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
This month I:
Hosted a seminar and a lengthy Q&A session at the William Gates Building at the University of Cambridge on reproducible builds as part of the Computer Laboratory NetOS Group. Thanks to Allison Randal for arranging this opportunity.
Gave a presentation at the SFScon conference in Bolzano, Italy on reproducible builds and how they can prevent developers from becoming targets of various attacks.
In Debian, I:
I also made the following changes to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues:
- Don't assume all files called .a are ELF binaries. (#903446)
- Avoid a large number of warnings if getfacl(1) is not available. (#902369)
- Prevent tracebacks when obtaining PDF metadata from files with multiple definition entries. (#913315)
- Display the reason when metadata cannot be extracted from PDF files. [...]
Requested that the Deterministic compilation Wikipedia page be renamed to Reproducible builds (via the Technical Move Requests mechanism) given that this is now overwhelmingly the term used for this concept.
Categorised a huge number of packages and issues in the Reproducible Builds "notes" repository and added tagpending integration to the repositories hosted on Salsa.
Updated strip-nondeterminism, our tool to remove specific non-deterministic results from a completed build, to ignore encrypted .zip files as we can never normalise them (#852207) and to catch invalid "local" field lengths in ZIP files (#803503). I also applied a patch from Emmanuel Bourg to update the Javadoc handler to handle OpenJDK 11 (#913132) and uploaded version
Updated our website to use our Contribute to Salsa page in the footer [...], added a large number of missing dates to the Talks & Resources page [...] & kept isdebianreproducibleyet.com up to date [...].
Authored two merge requests for our Jenkins-based testing framework that powers tests.reproducible-builds.org to add support for calculating a PureOS package set [...] and to also generate machine-readable diffoscope results alongside the existing text and HTML-based output [...].
Drafted, finalised and publicised our weekly reports (#184, #185, #186 & #187) and helped author/publish the press release regarding the Reproducible Builds project joining the Software Freedom Conservancy.
Investigated and triaged xml-security-c amongst many others.
"Frontdesk" duties, responding to user queries, etc.
Issued DLA 1572-1 for nginx to fix a denial of service (DoS) vulnerability: as there was no validation of the size of a 64-bit atom in an .mp4 file, this led to CPU exhaustion when the size was zero.
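As an added example (my own illustration, not nginx's code or part of the original post) of the validation the DLA entry above describes, here is a box-header walker that rejects any atom whose 64-bit size is smaller than its own header, so a zero size fails validation instead of leaving the offset unchanged and spinning the parser. It assumes the standard ISO BMFF header layout and uses constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Added example, not nginx's code: a hardened ISO BMFF ("mp4") box-header walker.
 * Assumed layout (ISO base media file format): 4-byte big-endian size, 4-byte
 * type, and, when size == 1, an 8-byte "largesize" immediately after the type. */
#define BOX_HDR    8
#define BOX_HDR64 16

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint64_t rd64(const uint8_t *p) { return ((uint64_t)rd32(p) << 32) | rd32(p + 4); }
/* Returns the number of top-level boxes in buf, or -1 for an invalid header.
 * Without the "size < hdr" rejection below, a largesize of zero leaves `off`
 * unchanged and the loop never terminates: the CPU-exhaustion case the DLA describes. */
int mp4_count_boxes(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        if (len - off < BOX_HDR)
            return -1;                      /* truncated 8-byte header */
        uint64_t size = rd32(buf + off);
        size_t hdr = BOX_HDR;
        if (size == 1) {                    /* 64-bit largesize follows the type */
            if (len - off < BOX_HDR64)
                return -1;
            size = rd64(buf + off + 8);
            hdr = BOX_HDR64;
        } else if (size == 0) {             /* spec: box extends to end of file */
            size = len - off;
        }
        if (size < hdr || size > len - off) /* the validation that was missing */
            return -1;
        off += (size_t)size;                /* now guaranteed to advance by >= hdr */
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed samples: a valid two-box file, and a box whose largesize is zero. */
    const uint8_t ok[]  = {0,0,0,8,'f','t','y','p', 0,0,0,1,'m','d','a','t', 0,0,0,0,0,0,0,16};
    const uint8_t bad[] = {0,0,0,1,'m','d','a','t', 0,0,0,0,0,0,0,0};
    printf("ok: %d boxes, bad: %d\n", mp4_count_boxes(ok, sizeof ok), mp4_count_boxes(bad, sizeof bad));
    return 0;
}
```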
Issued DLA 1576-1 correcting an SSH passphrase disclosure in the User module leaking data in the global process list.
Issued DLA 1584-1 for ruby-i18n to fix a remote denial-of-service vulnerability.
Issued DLA 1585-1 to prevent an XSS vulnerability in ruby-rack where a malicious request could forge the HTTP scheme being returned to the underlying application.
Issued DLA 1591-1 to fix two vulnerabilities in libphp-phpmailer where arbitrary local files could be disclosed via relative path HTML transformations, as well as an object injection attack.
5.0.1-1— New upstream release, ensure that Debian-supplied Lua libraries are available during scripting. (#913185), refer to
5.0.1-2 — Ensure that lack of IPv6 support does not prevent startup on Debian where we bind to the ::1 interface by default. (#900284 & #914354)
5.0.2-1— New upstream release.
3.0.1-1 — New upstream release.
4.7.0-1 — New upstream release & ensure all documentation is under
Debian bugs filed
molly-guard: Breaks conversion with
git-buildpackage: Please add gbp-dch --stable flag. (#914186)
gbp pq -Pqsuffixes are not actually optional. (#914281)
python-redis: Autopkgtests fail. (#914800)
git-buildpackage: Correct "saving" typo. (#914280)
python-astropy: Please drop unnecessary
shared-mime-info: Don't assume every *.key file is an Apple Keynote file. (#913550, with patch)
As a Debian FTP assistant this month I ACCEPTed 37 packages: android-platform-system-core, arm-trusted-firmware, boost-defaults, dtl, elogind, fonts-ibm-plex, gnome-remote-desktop, gnome-shell-extension-desktop-icons, google-i18n-address, haskell-haskell-gi-base, haskell-rio, lepton-eda, libatteanx-serializer-rdfa-perl, librdf-trine-serializer-rdfa-perl, librdf-trinex-compatibility-attean-perl, libre-engine-re2-perl, libtest-regexp-pattern-perl, linux, lua-lxc, lxc-templates, ndctl, openssh, osmo-bsc, osmo-sgsn, othman, pg-rational, qtdatavis3d-everywhere-src, ruby-grape-path-helpers, ruby-grape-route-helpers, ruby-graphiql-rails, ruby-js-regex, ruby-regexp-parser, shellia, simple-revision-control, theme-d, ulfius & vim-julia.