Free software activities in November 2021

Here is my monthly update covering what I have been doing in the free software world during November 2021 (previous month):

• As part of my duties of being on the board of directors of the Software in the Public Interest I attended its respective monthly meetings and participated in various licensing and other discussions occurring on the internet, as well as the usual internal discussions regarding logistics and policy etc.

• Opened a pull request to make the .cmake files generated by the Meson build system reproducible. [...]

Reproducible Builds

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

This month, I:

• In Debian:

  • Kept isdebianreproducibleyet.com up to date. [...]

  • Submitted a patch via Debian bug #1000327 to fix a reproducibility-related toolchain issue within Debian, specifically within the meson package to ensure that the generated .cmake files are. A pull request was also filed upstream.

  • I also submitted 14 patches to fix specific reproducibility issues in golang-github-go-git-go-git, ibus-input-pad, input-pad, liboqs, node-cssstyle, node-marked, perfect-scrollbar, sphinxcontrib-applehelp, sphinxcontrib-htmlhelp, sphinxcontrib-htmlhelp, sphinxcontrib-jsmath, sphinxcontrib-restbuilder, ssh-tools & xrstools.

• Merged a pull request from Jonas Witschel for strip-nondeterminism, our tool to remove specific non-deterministic results from a completed build. The pull request in question ensures strip-nondeterminism to not fail on JAR archives containing invalid members with a .jar extension.

• Categorised a very large number of packages and issues in the Reproducible Builds notes.git repository.

• Attended and publicised our monthly IRC meeting.

• Drafted, published and publicised our monthly report.

Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions 190, 191, 192, 193 and 194 to Debian:

• New features:

  • Continue loading a .changes file even if the referenced files do not exist, but include a comment in the returned diff. [...]
  • Log the reason if we cannot load a Debian .changes file. [...]

• Bug fixes:

  • Detect XML files as XML files if file(1) claims if they are XML files or if they are named .xml. (#999438)
  • Don't duplicate file lists at each directory level. (#989192)
  • Don't raise a traceback when comparing nested directories with non-directories. [...]
  • Re-enable test_android_manifest. [...]
  • Don't reject Debian .changes files if they contain non-printable characters. [...]

• Codebase improvements:

  • Avoid aliasing variables if we aren't going to use them. [...]
  • Use isinstance over type. [...]
  • Drop a number of unused imports. [...]
  • Update a bunch of %-style string interpolations into f-strings or str.format. [...]
  • When pretty-printing JSON, mark the difference as being reformatted, additionally avoiding including the full path. [...]
  • Import itertools top-level module directly. [...]

I also made an update to the command-line client to trydiffoscope , a web-based version of the diffoscope in-depth and content-aware diff utility, specifically only waiting for 2 minutes for try.diffoscope.org to respond in tests. (#998360)

Debian

• libfiu (1.1-1) — New upstream release & refresh packaging.

• lintian: 2.112.0, 2.113.0 & 2.114.0 — New upstream releases.

• memcached (1.6.12+dfsg-2) — Renable TLS support. (#1000463)

• python-django:

  • 3.2.9-1 — New upstream release.
  • 4.0~rc1-1 — New upstream RC release to Debian experimental.

• gunicorn (20.1.0-2) — Move packaging under the auspices to the Debian Python Team, functionally orphaning maintainership of the package.

I also filed a single non-reproducible bug this month against meson to note that it has an outdated Source field in the debian/copyright file. (#1000328)

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

• Investigated and triaged: cacti (CVE-2020-14424), ffmpeg (CVE-2020-20891, CVE-2020-20892, CVE-2020-20896, CVE-2020-21688, CVE-2020-21697, CVE-2020-20902), gmp (CVE-2021-43618), lua5.3 (CVE-2021-43519), nim (CVE-2021-41259, openexr (CVE-2021-3933), redis (CVE-2021-32628, CVE-2021-32672, CVE-2021-41099) roundcube (CVE-2021-44025, CVE-2021-44026) & vim (CVE-2021-3973, CVE-2021-3974)

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.

• Issued DLA 2810-1 and ELA-512-1 for the redis key-value database to fix a number of vulnerabilities, including CVE-2021-32672 which fixes a random heap reading issue with the Lua debugger, CVE-2021-32687 which addresses an heap buffer overflow with intsets, CVE-2021-32675 that refers to a potential Denial of Service attack when processing RESP request payloads and finally CVE-2021-32626 which speaks to how specially-crafted Lua scripts may result in a heap buffer overflow.

You can find out more about the project via the following video:

You can subscribe to new posts via email or RSS.