Here is my monthly update covering what I have been doing in the free software world during November 2018 (previous month):
- I was honoured to give the opening keynote at Freenode.live in Bristol, UK on what Free Software can learn from classical music and later presented at SFScon in Bolzano, Italy on reproducible builds and how they can prevent developers from becoming targets of various attacks.
- My activities as the current Debian Project Leader are covered in my Bits from the DPL email to the debian-devel-announce mailing list.
- Represented Debian (and the free software community in general) as part of my duties of being on the board of directors of the Open Source Initiative at our biannual face-to-face board meeting.
- Continued to maintain a set of module repositories forked from prior to Redis Labs relicensing a number of AGPL-licensed Redis modules with the "Commons Clause" amendment.
- Did further work on my Debbugs Enhancement Suite browser extension to enhance various parts of the bugs.debian.org web interface, adding support for collapsing package headers [...] and for removing matching package name prefixes from bug lists [...].
- For the Tails website I had previously fixed an issue in the Ikiwiki wiki compiler where the first `inline` directive would be translated but subsequent inlines of the same file would result in the raw contents of the `.po` file being inserted into the page instead [...], and I spent some time this month trying to get a regression test working in the test suite [...].
- Authored three pull requests for the Redis key-value database to not treat unsupported protocols such as IPv6 as fatal errors [...], to clarify an error message [...] and to correct a typo [...].
- Added "Add to CC" [...] and "Rename Thread" [...] buttons to my Fastmail Enhancement Suite, and moved to using the event loop properly [...].
- Filed two upstream pull requests against the multiple-τ statistics library to make the build reproducible [...] and to correct multiple "multiple" typos [...].
- Suggested some changes to Git-powered Salsa webhooks to drop unnecessary commas [...] and to strip whitespace from commit messages [...].
- Merged a pull request by Jesse Laukkanen for my django-dynamic-subdomains library, which adds dynamic (eg. database-backed) and static subdomain support for Django projects, to support new-style middleware [...].
- Blogged about the Record number of uploads of a Debian package in a day as well as wrote a review of coffee from the "Trojan Room" in Cambridge University's Department of Computer Science and Technology.
- Merged a pull request from Lukas Martini for my django-slack library, which provides a convenient bridge between Django projects and the Slack chat platform, to add a backend for asynchronous message sending using Django-Q [...].
- More hacking on the Lintian static-analysis tool for Debian packages:
  - New features:
    - Unify all `dpkg` internal database checks into a new uses-dpkg-database-directly check, extending it to check upstream code. (#913974)
    - Emit a warning for `.service` files that do not use any hardening features. (#913605)
    - Warn about packages that use vendor-specific patch series files since the CTTE decision in #904302. [...]
    - Rework the init.d-script-does-not-implement-optional-option tag and rename it to init.d-script-does-not-implement-status-option. (#913466)
    - Check for packages that install files to `/usr/share/hal`. (#913280)
    - Suggest that `hunspell-*` packages use the `text` section, not `localization`. (#913723)
    - Warn if a `PIDFile` in a `.service` unit references `/var/run`. (#913078)
  - Bug fixes:
    - Ensure the `Architecture` field in a `.changes` file contains only the string `source` rather than checking whether it is defined or not. (#914163)
    - Prevent `readMesh_off.m` false-positives for package-contains-documentation-outside-usr-share-doc. (#914500)
    - Apply a patch from Stephen Kitt to avoid false-positives for package-does-not-use-debhelper-or-cdbs if the call to `dh(1)` is prefixed with `@`, `+` or `-`. (#914538)
    - Apply a patch from James McCoy to fix invalid-template-id-in-symbols-file & syntax-error-in-symbols-file false-positives. (#913290)
    - Avoid debian-watch-file-should-mangle-version false-positives when the file uses the `@DEB_EXT@` or `auto` features. (#913761)
    - Prevent an `uninitialized value` warning when processing empty/truncated `.class` files. (#913398)
    - Correct "creating", "ocurrence" and "ocurrences" spelling corrections [...] and add a missing plural correction [...].
  - Reporting:
    - Clarify the distinction between the package-installs-java-bytecode and source-contains-prebuilt-java-object tags. (#879851)
    - Consistently use DEP 5 over DEP-5 (etc). (#914562)
    - Ensure `--dbgsym-migration='with spaces'` is correctly displayed when emitting debug-symbol-migration-possibly-complete. [...]
    - Expand rationale for file-contains-trailing-whitespace. [...]
    - Make "No no-op correction present..." test failure messages include the offending correction. [...]
    - Bump the severity of the source-contains-prebuilt-windows-binary tag from `P:` to `W:`. [...]
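What the two `.service` checks above look for, as an added Python illustration (Lintian itself is written in Perl; this is not its code): a minimal systemd unit parser and a checker that flags a `[Service]` section carrying none of a set of hardening directives, and a `PIDFile` under `/var/run`, which on Debian is only a compatibility symlink to `/run`. The directive list and the tag names are this example's own assumptions rather than Lintian's exact ones, and both unit files are constructed samples.

```python
import re

# Directives whose presence counts as "some hardening" for this example.
# This set is an assumption for illustration; Lintian's own list may differ.
HARDENING_DIRECTIVES = {
    "ProtectSystem", "ProtectHome", "PrivateTmp", "PrivateDevices",
    "NoNewPrivileges", "CapabilityBoundingSet", "ProtectKernelTunables",
    "ProtectKernelModules", "ProtectControlGroups", "RestrictAddressFamilies",
    "SystemCallFilter", "MemoryDenyWriteExecute", "RestrictNamespaces",
}

# Tag names chosen for this example (assumed, not necessarily Lintian's).
TAG_NO_HARDENING = "systemd-service-file-missing-hardening-features"
TAG_VAR_RUN = "systemd-service-file-refers-to-var-run"


def parse_unit(text):
    """Minimal INI-style parser for systemd units.

    Returns {section: [(key, value), ...]}, keeping repeated keys (systemd
    allows them) and skipping blank lines and '#'/';' comments.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section, or not key=value
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def check_unit(text):
    """Return the list of tags a unit file would trigger."""
    tags = []
    service = parse_unit(text).get("Service", [])
    keys = {k for k, _ in service}
    if not keys & HARDENING_DIRECTIVES:
        tags.append(TAG_NO_HARDENING)
    for key, value in service:
        # /var/run is a symlink to /run on Debian; units should say /run.
        if key == "PIDFile" and (value == "/var/run" or value.startswith("/var/run/")):
            tags.append(TAG_VAR_RUN)
    return tags


# Constructed sample units (not from any real package).
WEAK_UNIT = """\
[Unit]
Description=Example daemon (constructed sample)

[Service]
ExecStart=/usr/sbin/exampled
PIDFile=/var/run/exampled.pid

[Install]
WantedBy=multi-user.target
"""

HARDENED_UNIT = """\
[Unit]
Description=Example daemon (constructed sample)

[Service]
ExecStart=/usr/sbin/exampled
PIDFile=/run/exampled.pid
ProtectSystem=strict
PrivateTmp=yes
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    print("weak:", check_unit(WEAK_UNIT))
    print("hardened:", check_unit(HARDENED_UNIT))
```

Running it reports both tags for the first unit and none for the second; the point of the hardening check is that a daemon running as root with no `ProtectSystem`, `NoNewPrivileges` or similar restriction gives up the cheap containment systemd offers for free.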
Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed pre-compiled to end users.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
This month I:
- Hosted a seminar and a lengthy Q&A session at the William Gates Building at the University of Cambridge on reproducible builds as part of the Computer Laboratory NetOS Group. Thanks to Allison Randal for arranging this opportunity.
- Gave a presentation at the SFScon conference in Bolzano, Italy on reproducible builds and how they can prevent developers from becoming targets of various attacks.
- Filed an upstream pull request against the multiple-τ Python statistics library to make the build reproducible. [...]
- In Debian, I:
  - Wrote a patch to fix a reproducibility-related toolchain issue in gnuradio where the output of the grcc command was non-deterministic, causing many other packages to be unreproducible. (#914252)
  - Submitted 4 patches to fix specific reproducibility issues in cfitsio, googletest, netcdf-parallel & python-multipletau.
- I also made the following changes to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues:
  - Don't assume all files called `.a` are ELF binaries. (#903446)
  - Avoid a large number of warnings if `getfacl(1)` is not available. (#902369)
  - Prevent tracebacks when obtaining PDF metadata from files with multiple definition entries. (#913315)
  - Display the reason when we cannot extract metadata from PDF files. [...]
- Requested that the Deterministic compilation Wikipedia page be renamed to Reproducible builds (via the Technical Move Requests mechanism) given that this is now overwhelmingly the term used for this concept.
- Categorised a huge number of packages and issues in the Reproducible Builds "notes" repository and added `tagpending` integration to the repositories hosted on Salsa.
- Updated strip-nondeterminism, our tool to remove specific non-deterministic results from a completed build, to ignore encrypted .zip files as we can never normalise them (#852207) and to catch invalid "local" field lengths in ZIP files (#803503). I also applied a patch from Emmanuel Bourg to update the Javadoc handler to handle OpenJDK 11 (#913132) and uploaded version 0.044-1 to Debian `unstable`.
- Updated our website to use our Contribute to Salsa page in the footer [...], added a large number of missing dates to the Talks & Resources page [...] & kept isdebianreproducibleyet.com up to date [...].
- Authored two merge requests for our Jenkins-based testing framework that powers tests.reproducible-builds.org to add support for calculating a PureOS package set [...] and to also generate machine-readable diffoscope results alongside the existing text and HTML-based output [...].
- Drafted, finalised and publicised our weekly reports (#184, #185, #186 & #187) and helped author/publish the press release regarding the Reproducible Builds project joining the Software Freedom Conservancy.
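A worked illustration of two points in this section, the "identical results from a given source" idea and the strip-nondeterminism change for encrypted .zip files, added here and not the project's own code: two simulated builds of the same inputs that differ only in entry order and timestamps, a normaliser that rewrites the archive with sorted entries and a fixed timestamp, and a check that refuses archives with the ZIP "encrypted" flag (general-purpose bit 0), since their payload cannot be read back and re-emitted without the key. The 1980-01-01 timestamp, the sample file list and the helper that flips the flag bit to build a test input are all choices made for this example.

```python
import hashlib
import io
import zipfile

# Fixed timestamp used for normalisation in this example (the earliest date a
# ZIP entry can carry). Chosen for the demo, not necessarily what
# strip-nondeterminism uses.
NORMALISED_DATE_TIME = (1980, 1, 1, 0, 0, 0)

FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0 in the ZIP specification


def build_archive(files, date_time):
    """Simulate one build producing a ZIP: same content every time, but the
    entries carry whatever timestamp (and order) the build happened to use."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files:
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def is_encrypted(data):
    """True if any entry has the encrypted flag set in the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & FLAG_ENCRYPTED for info in zf.infolist())


def normalise_archive(data):
    """Rewrite a ZIP with sorted entries and a fixed timestamp, keeping each
    entry's content, mode bits and compression method.

    Returns None for encrypted archives: the payloads cannot be decrypted, and
    the ciphertext itself depends on the key, so there is nothing to normalise.
    """
    if is_encrypted(data):
        return None
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in sorted(src.infolist(), key=lambda i: i.filename):
            new = zipfile.ZipInfo(info.filename, date_time=NORMALISED_DATE_TIME)
            new.compress_type = info.compress_type
            new.external_attr = info.external_attr
            dst.writestr(new, src.read(info.filename))
    return out.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def reproducibility_report(build_a, build_b):
    """Compare two builds raw and after normalisation; the normalised result is
    None when either archive is encrypted and so cannot be normalised."""
    raw_identical = sha256(build_a) == sha256(build_b)
    norm_a, norm_b = normalise_archive(build_a), normalise_archive(build_b)
    if norm_a is None or norm_b is None:
        return {"raw_identical": raw_identical, "normalised_identical": None}
    return {"raw_identical": raw_identical,
            "normalised_identical": sha256(norm_a) == sha256(norm_b)}


def mark_encrypted(data):
    """Set the encrypted flag on a single-entry ZIP to construct a test input.
    The payload is not really encrypted, but readers honour the flag. The local
    header starts at offset 0 (flags at bytes 6-7); the central directory
    header keeps its flags 8 bytes after its signature."""
    buf = bytearray(data)
    buf[6] |= FLAG_ENCRYPTED
    cd = buf.find(b"PK\x01\x02")
    buf[cd + 8] |= FLAG_ENCRYPTED
    return bytes(buf)


# Constructed sample inputs: identical content, different build "times"/order.
SAMPLE_FILES = [
    ("usr/share/doc/example/README", b"example package\n"),
    ("usr/bin/example", b"#!/bin/sh\necho hello\n"),
]
BUILD_A = build_archive(SAMPLE_FILES, (2018, 11, 1, 9, 30, 0))
BUILD_B = build_archive(list(reversed(SAMPLE_FILES)), (2018, 11, 2, 17, 5, 14))
ENCRYPTED = mark_encrypted(build_archive([("secret.txt", b"x")], (2018, 11, 1, 0, 0, 0)))

if __name__ == "__main__":
    print(reproducibility_report(BUILD_A, BUILD_B))
    print(reproducibility_report(ENCRYPTED, ENCRYPTED))
```

The two builds have different SHA-256 hashes as produced, and identical hashes once normalised, which is the difference between "the build is not reproducible" and "the build is reproducible once a known, harmless source of non-determinism is removed". The encrypted case is deliberately reported as unknown rather than as identical or different.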
Debian
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged golang-go.net-dev, libsdl2-image, lighttpd, nginx, pdns, poppler, rustc & xml-security-c amongst many others.
- "Frontdesk" duties, responding to user queries, etc.
- Issued DLA 1572-1 for nginx to fix a denial of service (DoS) vulnerability: as there was no validation for the size of a 64-bit atom in an .mp4 file, this led to CPU exhaustion when the size was zero.
- Issued DLA 1576-1 correcting an SSH passphrase disclosure in ansible's `User` module leaking data in the global process list.
- Issued DLA 1584-1 for ruby-i18n to fix a remote denial-of-service vulnerability.
- Issued DLA 1585-1 to prevent an XSS vulnerability in ruby-rack where a malicious request could forge the HTTP scheme being returned to the underlying application.
- Issued DLA 1591-1 to fix two vulnerabilities in libphp-phpmailer where arbitrary local files could be disclosed via relative path HTML transformations as well as an object injection attack.
- Uploaded libsdl2-image (2.0.3+dfsg1-3) and sdl-image1.2 (1.2.12-10) to the `unstable` distribution to fix buffer overflows on corrupt or maliciously-crafted XCF files. (#912617 & #912618)
- Uploaded ruby-i18n (0.7.0-3) to `unstable` [...] and prepared a stable proposed update for a potential 0.7.0-2+deb9u1 in `stretch` (#914187).
- Uploaded ruby-rack (1.6.4-6) to `unstable` [...] and (2.0.5-2) to `experimental` [...]. I also prepared a proposed update for a 1.6.4-4+deb9u1 in the stable distribution (#914184).
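The bug class behind the nginx DLA above, as an added example that is not nginx's code: a walker over MP4 atoms ("boxes"), each a 32-bit big-endian size and a four-character type, with a 64-bit size following the type when the 32-bit field is 1 and a size of 0 meaning "to end of file". The naive walker trusts the 64-bit size, so a value of zero never advances the offset and the loop spins until the iteration cap this demo imposes; the hardened walker requires every size to cover at least its own header and to fit in the remaining input. The atoms are constructed in the block, not taken from any real file.

```python
import struct


def build_atom(atom_type, payload=b"", large=False, large_size=None):
    """Construct an atom. With large=True the 32-bit size is set to 1 and a
    64-bit size follows; large_size overrides the true size to craft malformed
    input for the demo."""
    if large:
        size = 16 + len(payload) if large_size is None else large_size
        return struct.pack(">I4sQ", 1, atom_type, size) + payload
    return struct.pack(">I4s", 8 + len(payload), atom_type) + payload


def walk_atoms_naive(data, max_iterations=1000):
    """Flawed walker: trusts the size fields. Returns (atoms, spun), where spun
    is True if the iteration cap was reached, i.e. the real thing would loop
    forever burning CPU."""
    atoms, pos = [], 0
    for _ in range(max_iterations):
        if pos + 8 > len(data):
            return atoms, False
        size, atype = struct.unpack_from(">I4s", data, pos)
        if size == 1:
            (size,) = struct.unpack_from(">Q", data, pos + 8)  # unvalidated
        elif size == 0:
            size = len(data) - pos
        atoms.append((atype, size))
        pos += size  # a 64-bit size of 0 makes no progress here
    return atoms, True


def walk_atoms(data):
    """Hardened walker: every atom must at least cover its own header and must
    not extend past the end of the input."""
    atoms, pos = [], 0
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError(f"truncated atom header at offset {pos}")
        size, atype = struct.unpack_from(">I4s", data, pos)
        header = 8
        if size == 1:
            if pos + 16 > len(data):
                raise ValueError(f"truncated 64-bit size for {atype!r} at offset {pos}")
            (size,) = struct.unpack_from(">Q", data, pos + 8)
            header = 16
        elif size == 0:
            size = len(data) - pos
        # size < header catches the zero (and 2..7) cases; the second test is
        # written as a subtraction so it cannot overflow in a C translation.
        if size < header or size > len(data) - pos:
            raise ValueError(f"invalid size {size} for atom {atype!r} at offset {pos}")
        atoms.append((atype, size))
        pos += size
    return atoms


def is_well_formed(data):
    try:
        walk_atoms(data)
    except ValueError:
        return False
    return True


# Constructed inputs: a sane file and one whose 64-bit atom size is zero.
FTYP = build_atom(b"ftyp", b"isom\x00\x00\x02\x00isom")
GOOD = FTYP + build_atom(b"free", b"\x00" * 8, large=True) + build_atom(b"mdat", b"\x01\x02\x03")
ZERO_SIZE = FTYP + build_atom(b"mdat", large=True, large_size=0)
OVERSIZED = FTYP + build_atom(b"mdat", large=True, large_size=1 << 40)

if __name__ == "__main__":
    print("naive, good:", walk_atoms_naive(GOOD))
    print("naive, zero-size atom spun:", walk_atoms_naive(ZERO_SIZE)[1])
    print("hardened, zero-size atom well-formed:", is_well_formed(ZERO_SIZE))
```

The same shape of check applies to any length-prefixed container format: a length field is attacker-controlled input, and both "too small to make progress" and "too large for the buffer" need rejecting before it is used to advance a cursor.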
Uploads
- python-django (2:2.1.3-1) — New upstream bugfix release.
- redis:
  - 5.0.1-1 — New upstream release; ensure that Debian-supplied Lua libraries are available during scripting (#913185), refer to `/run` directly in `.service` files, etc.
  - 5.0.1-2 — Ensure that lack of IPv6 support does not prevent startup on Debian, where we bind to the `::1` interface by default. (#900284 & #914354)
  - 5.0.2-1 — New upstream release.
- redisearch (1.2.1-1) — Upload the last AGPLv3 (ie. non-Commons Clause) package from my GoodFORM project.
- python-redis (3.0.1-1) — New upstream release.
- adminer (4.7.0-1) — New upstream release & ensure all documentation is under `/usr/share/doc`.

I also sponsored uploads of elpy (1.26.0-1) & muttrc-mode-el (1.2+git20180915.aa1601a-1).
Debian bugs filed
- molly-guard: Breaks conversion with usrmerge. (#914716)
- git-buildpackage: Please add `gbp-dch --stable` flag. (#914186)
- git-buildpackage: `gbp pq -Pq` suffixes are not actually optional. (#914281)
- python-redis: Autopkgtests fail. (#914800)
- git-buildpackage: Correct "saving" typo. (#914280)
- python-astropy: Please drop unnecessary `dh_strip_nondeterminism` override. (#914612)
- shared-mime-info: Don't assume every `*.key` file is an Apple Keynote file. (#913550, with patch)
FTP Team
As a Debian FTP assistant this month I ACCEPTed 37 packages: android-platform-system-core, arm-trusted-firmware, boost-defaults, dtl, elogind, fonts-ibm-plex, gnome-remote-desktop, gnome-shell-extension-desktop-icons, google-i18n-address, haskell-haskell-gi-base, haskell-rio, lepton-eda, libatteanx-serializer-rdfa-perl, librdf-trine-serializer-rdfa-perl, librdf-trinex-compatibility-attean-perl, libre-engine-re2-perl, libtest-regexp-pattern-perl, linux, lua-lxc, lxc-templates, ndctl, openssh, osmo-bsc, osmo-sgsn, othman, pg-rational, qtdatavis3d-everywhere-src, ruby-grape-path-helpers, ruby-grape-route-helpers, ruby-graphiql-rails, ruby-js-regex, ruby-regexp-parser, shellia, simple-revision-control, theme-d, ulfius & vim-julia.