Here is my monthly update covering what I have been doing in the free software world during November 2020 (previous month):
- Merged a pull request from Jens Nistler for django-slack (my library which provides a convenient wrapper between projects using the Django and the Slack chat platform) to make it compatible with Celery version 5. [...]
- Created a pull request for the Emscripten LLVM-to-WebAssembly compiler to make the Document Object Model codes reproducible. [...]
- Added a link to my deprecated static analyser for Django to point to Richard Tier's Django Doctor. [...]
- As a board member of both the Open Source Initiative and Software in the Public Interest I attended their respective monthly meetings, including the bi-annual OSI multi-day "face-to-face" meetings.
Reproducible Builds
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
The project is proud to be a member project of the Software Freedom Conservancy. Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
This month, I:
- Made further progress on an academic paper in collaboration with Stefano Zacchiroli that details the theoretical and practical workings of the reproducible builds distributed consensus scheme.
- Created an upstream pull request for the Emscripten LLVM-to-WebAssembly compiler to make DOM codes reproducible (with a number of followups). [...]
- In Debian:
  - I kept isdebianreproducibleyet.com up to date. [...]
  - Submitted 11 patches to fix specific reproducibility issues in amavisd-milter, armagetronad, emscripten, less.js, metakernel, open-iscsi, os-autoinst, python-biom-format, python-pairix, requirejs & sympow.
  - Sent a large number of followups to old bugs that had not been updated for some time (for example, #968700, etc.)
  - Categorised a large number of packages and issues in the Reproducible Builds "notes" repository, including categorising three new toolchain issues: build_path_captured_by_pyuic5, build_path_captured_by_octave & build_path_captured_by_nim.
- Drafted, published and publicised last month's report as well as maintained the Project's various social media accounts.
- Updated the main Reproducible Builds website and documentation to clarify that SOURCE_DATE_EPOCH is not Debian specific [...] and make a number of misc cosmetic changes [...][...].
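As an added illustration (not code from the Reproducible Builds project or from Debian), the following simulates the two issue classes mentioned above: a build step that embeds the wall-clock time instead of honouring SOURCE_DATE_EPOCH and that captures its absolute build path, beside the corrected behaviour. It then checks whether several independent builders reach consensus on the resulting artifact. Builder names, paths, timestamps and the SOURCE_DATE_EPOCH value are constructed sample data.

```python
import hashlib
import os
from collections import Counter

def build_artifact(source: str, build_dir: str, now: int, env: dict, fixed: bool) -> bytes:
    """Simulated build step producing one output file from a source string.
    fixed=False mimics the toolchain issues named above: it embeds the
    wall-clock time and the absolute build directory in the output.
    fixed=True honours SOURCE_DATE_EPOCH and records only the directory's
    basename, so independent builders produce byte-identical output."""
    if fixed and "SOURCE_DATE_EPOCH" in env:
        stamp = int(env["SOURCE_DATE_EPOCH"])  # pinned by the source, not the clock
    else:
        stamp = now  # wall clock leaks into the artifact
    path = os.path.basename(build_dir) if fixed else build_dir
    header = f"built-at={stamp} from={path}\n".encode()
    return header + source.encode()

def digest(artifact: bytes) -> str:
    return hashlib.sha256(artifact).hexdigest()

def consensus(results: dict) -> tuple:
    """results maps builder name -> artifact bytes. Returns the majority digest
    and the builders whose output differs from it; an empty list means every
    independent builder agrees, which is what lets third parties trust the build."""
    digests = {name: digest(art) for name, art in results.items()}
    majority, _ = Counter(digests.values()).most_common(1)[0]
    dissent = sorted(n for n, d in digests.items() if d != majority)
    return majority, dissent

# Constructed sample: three builders with different build paths and clocks.
SOURCE = "int main(void) { return 0; }\n"
BUILDERS = {
    "builder-a": ("/home/a/build/pkg-1.0", 1604188800),
    "builder-b": ("/tmp/build-xyz/pkg-1.0", 1604275200),
    "builder-c": ("/srv/ci/pkg-1.0", 1604361600),
}

def run(fixed: bool) -> tuple:
    # Assumed value; in practice SOURCE_DATE_EPOCH is derived from e.g. a changelog date.
    env = {"SOURCE_DATE_EPOCH": "1604102400"}
    results = {n: build_artifact(SOURCE, d, t, env, fixed) for n, (d, t) in BUILDERS.items()}
    return consensus(results)

if __name__ == "__main__":
    print("unfixed:", run(False))
    print("fixed:  ", run(True))
```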
I also made the following changes to diffoscope:
- Improvements:
  - Move the slightly-confusing behaviour if a single file is passed to diffoscope on the command-line to a new --load-existing-diff command. [...]
  - Ensure the new diffoscope-minimal package that was introduced by Mattia Rizzolo has a different short description from the primary diffoscope one. [...]
  - Refresh the long and short descriptions of all of the Debian packages. [...]
- Bug fixes:
- Codebase improvements:
Debian
I performed the following uploads to the Debian Linux distribution this month:
- python-django (2.2.17-1 & 3.1.3-1) — New upstream releases.
- memcached (1.6.9+dfsg-1) — New upstream release.
- lintian (2.101.0, 2.102.0, 2.103.0 & 2.104.0) — New upstream releases.
- xtrlock (2.14) — Mark an autopkgtest as 'superficial'. (#974491)
- bfs (2.1-1) — New upstream release.
- splint (3.1.2+dfsg-3) — Re-upload a previous QA upload of mine (3.1.2+dfsg-2) to ensure the package's transition to the testing distribution. (#974872)
I also filed a release-critical bug against the minidlna package which could not be successfully purged from the system without reporting a cannot remove '/var/log/minidlna' error. (#975372)
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project, including:
- Investigated and triaged codemirror-js, glibc, jupyter-notebook, krb5, libhibernate3-java, raptor2, spice-vdagent & webcit.
- 'Frontdesk' duties, participating in mailing list discussions, attending the monthly meeting and organising LTS and ELTS frontdesk allocations for 2021.
- Issued DLA 2433-1 for the Bouncy Castle cryptography library to prevent an issue where attackers could obtain sensitive information due to observable differences in its responses to invalid input. (CVE-2020-26939)
- Issued DLA 2434-1 for the GNOME display manager (gdm3) where gdm3 detecting any users may have caused gdm3 to launch the initial system setup, permitting the creation of new users with superuser capabilities. (CVE-2020-16125)
- Issued DLA 2436-1 for the sddm display manager. Here, local and unprivileged users could create a connection to the X server. (CVE-2020-28049)
- Issued DLA 2437-1 & ELA-308-1 as it was discovered that there was a denial of service vulnerability in the MIT Kerberos network authentication system, krb5. The lack of a limit in an ASN.1 decoder could lead to infinite recursion and allow an attacker to overrun the stack and cause the process to crash. (CVE-2020-28196)
- Issued DLA 2438-1 and ELA-309-1 to prevent two heap overflow vulnerabilities in raptor2, a set of parsers for Resource Description Framework (RDF) files used in LibreOffice and other applications. (CVE-2017-18926)
- Issued DLA 2465-1 to correct filename sanitisation issues in a utility used to access PHP Pear, a distribution system for reusable PHP components. (CVE-2020-28948 & CVE-2020-28949)
You can find out more about the Debian LTS project via the following video: