Here is my monthly update covering what I have been doing in the free software world during November 2021 (previous month):
As part of my duties of being on the board of directors of the Software in the Public Interest I attended its respective monthly meetings and participated in various licensing and other discussions occurring on the internet, as well as the usual internal discussions regarding logistics and policy etc.
The motivation behind the Reproducible Builds effort is to ensure that no flaws have been introduced during the compilation process by promising that identical results are always generated from a given source, thus allowing multiple third parties to come to a consensus on whether a build was compromised.
This month, I:
Submitted a patch via Debian bug #1000327 to fix a reproducibility-related toolchain issue within Debian, specifically within the meson package to ensure that the generated .cmake files are. A pull request was also filed upstream.
I also submitted 14 patches to fix specific reproducibility issues in golang-github-go-git-go-git, ibus-input-pad, input-pad, liboqs, node-cssstyle, node-marked, perfect-scrollbar, sphinxcontrib-applehelp, sphinxcontrib-htmlhelp, sphinxcontrib-htmlhelp, sphinxcontrib-jsmath, sphinxcontrib-restbuilder, ssh-tools & xrstools.
Merged a pull request from Jonas Witschel for strip-nondeterminism, our tool to remove specific non-deterministic results from a completed build. The pull request in question ensures that strip-nondeterminism does not fail on JAR archives containing invalid members with a
Categorised a very large number of packages and issues in the Reproducible Builds
Attended and publicised our monthly IRC meeting.
Drafted, published and publicised our monthly report.
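As an added illustration of the two points above (identical output from a given source so that independent builders can compare digests, and a post-build step that strips the remaining nondeterminism from an archive), the following Python is my own example and is not code from the original post, from diffoscope or from strip-nondeterminism itself. It simulates two builds of the same constructed "source tree" into a JAR-style zip, one on each of two machines with a different directory order and a different clock, shows that their SHA-256 digests differ, and then normalises both archives by sorting the members and setting every mtime from SOURCE_DATE_EPOCH, after which the digests match. The handling of a member whose CRC does not verify (report it and carry on rather than abort) is my own choice for the example; the post does not specify how the merged pull request treats such members.

```python
"""Added example: normalise a zip-based archive (e.g. a JAR) so that two builds
of the same source compare byte-for-byte. Not the project's own code."""
import hashlib
import io
import os
import zipfile
from datetime import datetime, timezone

# Constructed sample "source tree" that every build contains (not from the post).
SOURCE_FILES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "com/example/Main.class": b"\xca\xfe\xba\xbe" + bytes(12),
    "com/example/Util.class": b"\xca\xfe\xba\xbe" + bytes(8),
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def build_jar(order, mtime):
    """Simulate one build: members are written in a filesystem-dependent order
    with the wall-clock time, two things that differ between build machines."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in order:
            info = zipfile.ZipInfo(name, date_time=mtime)
            info.compress_type = zipfile.ZIP_STORED
            zf.writestr(info, SOURCE_FILES[name])
    return buf.getvalue()


def source_date_epoch_tuple(env=None):
    """Canonical mtime derived from SOURCE_DATE_EPOCH, clamped to the earliest
    DOS date because ZIP timestamps cannot express anything before 1980-01-01."""
    env = os.environ if env is None else env
    epoch = int(env.get("SOURCE_DATE_EPOCH", "0"))
    dt = datetime.fromtimestamp(epoch, tz=timezone.utc)
    if dt.year < 1980:
        return (1980, 1, 1, 0, 0, 0)
    return (dt.year, dt.month, dt.day, dt.hour, dt.minute, dt.second)


def strip_nondeterminism(jar_bytes, date_time):
    """Rewrite the archive with members sorted by name and a fixed mtime.
    A member whose data fails its CRC check is reported and dropped instead of
    aborting the whole run (an assumption made for this example)."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    out = io.BytesIO()
    skipped = []
    with zipfile.ZipFile(out, "w") as zf:
        for info in sorted(src.infolist(), key=lambda i: i.filename):
            try:
                data = src.read(info)
            except zipfile.BadZipFile:
                skipped.append(info.filename)
                continue
            new = zipfile.ZipInfo(info.filename, date_time=date_time)
            new.compress_type = info.compress_type
            new.external_attr = info.external_attr
            zf.writestr(new, data)
    return out.getvalue(), skipped


def corrupt_member(jar_bytes, name):
    """Flip one byte of a STORED member's data so its CRC no longer matches,
    producing an archive with an invalid member for the example."""
    info = zipfile.ZipFile(io.BytesIO(jar_bytes)).getinfo(name)
    # Local file header is 30 fixed bytes + filename (no extra field here).
    data_offset = info.header_offset + 30 + len(info.filename.encode("utf-8"))
    buf = bytearray(jar_bytes)
    buf[data_offset] ^= 0xFF
    return bytes(buf)


def member_names(jar_bytes):
    return zipfile.ZipFile(io.BytesIO(jar_bytes)).namelist()


def demo():
    """Two builds of the same source on 'different machines'; returns the
    digests of the raw archives and of the normalised ones."""
    files = list(SOURCE_FILES)
    build_a = build_jar(sorted(files), (2021, 11, 3, 9, 15, 0))
    build_b = build_jar(sorted(files, reverse=True), (2021, 11, 28, 23, 1, 7))
    canon = source_date_epoch_tuple({"SOURCE_DATE_EPOCH": "1636000000"})
    norm_a, _ = strip_nondeterminism(build_a, canon)
    norm_b, _ = strip_nondeterminism(build_b, canon)
    return sha256(build_a), sha256(build_b), sha256(norm_a), sha256(norm_b)


if __name__ == "__main__":
    a, b, na, nb = demo()
    print("raw builds identical:       ", a == b)
    print("normalised builds identical:", na == nb)
```

The raw digests differ only because of member order and timestamps, which is exactly the class of difference diffoscope reports and a normalisation step removes; any difference that survives normalisation is one the builders have to explain.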
Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions 194 to Debian:
- Detect XML files as XML files if file(1) claims they are XML files or if they are named
- Don't duplicate file lists at each directory level.
- Don't raise a traceback when comparing nested directories with non-directories. [...]
- Don't reject Debian .changes files if they contain non-printable characters. [...]
- Avoid aliasing variables if we aren't going to use them. [...]
- Drop a number of unused imports. [...]
- Update a bunch of %-style string interpolations into f-strings or
- When pretty-printing JSON, mark the difference as being reformatted, additionally avoiding including the full path. [...]
- itertools top-level module directly. [...]
I also made an update to the command-line client to trydiffoscope, a web-based version of the diffoscope in-depth and content-aware diff utility, specifically only waiting for 2 minutes for try.diffoscope.org to respond in tests. (#998360)
1.1-1) — New upstream release & refresh packaging.
2.114.0) — New upstream releases.
20.1.0-2) — Move packaging under the auspices of the Debian Python Team, functionally orphaning maintainership of the package.
I also filed a single non-reproducible bug this month against meson to note that it has an outdated Source field in the debian/copyright file. (#1000328)
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
Investigated and triaged: cacti (CVE-2020-14424), ffmpeg (CVE-2020-20902), gmp (CVE-2021-43618), lua5.3 (CVE-2021-43519), nim (CVE-2021-41259), openexr (CVE-2021-3933), redis (CVE-2021-41099), roundcube (CVE-2021-44026) & vim (
Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
Issued DLA 2810-1 and ELA-512-1 for the redis key-value database to fix a number of vulnerabilities, including CVE-2021-32672, which fixes a random heap reading issue with the Lua debugger; CVE-2021-32687, which addresses a heap buffer overflow with; CVE-2021-32675, which refers to a potential Denial of Service attack when processing RESP request payloads; and finally CVE-2021-32626, which speaks to how specially-crafted Lua scripts may result in a heap buffer overflow.