Here is my monthly update covering what I have been doing in the free software world during November 2024 (previous month):
- Merged a patch to my python-fadvise posix_fadvise(2) wrapper library to support Python 3 […] — thanks, Marc Mengel!
Reproducible Builds
The motivation behind the Reproducible Builds effort is to ensure that no malicious flaws have been (or can be) introduced during software compilation processes.
This month, I:
- In Debian:
  - Kept isdebianreproducibleyet.com up to date. [...]
  - Submitted 6 patches to fix specific reproducibility issues in fritzconnection, python-aiohomekit, python-aiovlc, python-pydash, rust-broot & tracy, etc.
- Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.
- Published a tribute to Jérémy Bobbio aka ‘Lunar’.
- Drafted, published and publicised our monthly report.
- Updated the main Reproducible Builds website and documentation, mostly through reviewing, triaging, testing and ultimately merging a large number of contributions from others. For instance, Philip Rinn provided a commit to import the first 47 historical weekly reports and I helped land a dramatic overhaul of the homepage after significant testing, with some additional post-release bug-fixing and triaging of new reported issues. Separate to this, I ensured that the CSS files were "cachebusted" after each release so that changes to the design were properly reflected in a timely fashion.
Debian
Patches contributed
- git-buildpackage: Prevent pq export from creating unparsable diffs when diff.noprefix=true is set. (#1088032)
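To show what "unparsable" means here, an added example that is not part of the original post or of git-buildpackage's own code: a small Python check that detects whether a unified diff's file headers carry the a/ and b/ path prefixes that patch -p1 and git apply expect, and restores them when a diff was produced with diff.noprefix=true. The sample diff is constructed.

```python
import re

# Constructed sample of what "git diff" emits when diff.noprefix=true is set:
# no a/ and b/ prefixes, so "patch -p1" / "git apply" cannot strip a component.
NOPREFIX_DIFF = """\
diff --git debian/rules debian/rules
index 1111111..2222222 100644
--- debian/rules
+++ debian/rules
@@ -1,2 +1,3 @@
 #!/usr/bin/make -f
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
 %:
diff --git debian/new-file debian/new-file
new file mode 100644
index 0000000..3333333
--- /dev/null
+++ debian/new-file
@@ -0,0 +1 @@
+hello
"""

HEADER_RE = re.compile(r"^diff --git (\S+) (\S+)$")


def has_prefixes(diff_text: str) -> bool:
    """True if every 'diff --git' header uses the a/ and b/ prefixes."""
    heads = [m for m in map(HEADER_RE.match, diff_text.splitlines()) if m]
    return bool(heads) and all(
        m.group(1).startswith("a/") and m.group(2).startswith("b/") for m in heads
    )


def add_prefixes(diff_text: str) -> str:
    """Rewrite a prefix-less git diff so that -p1 consumers can parse it."""
    out, in_header = [], False  # only touch ---/+++ lines inside a file header
    for line in diff_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            in_header = True
            if not (m.group(1).startswith("a/") and m.group(2).startswith("b/")):
                line = f"diff --git a/{m.group(1)} b/{m.group(2)}"
        elif line.startswith("@@"):
            in_header = False  # hunk body: a removed "-- x" line must stay as-is
        elif in_header and line.startswith("--- ") and line != "--- /dev/null" \
                and not line.startswith("--- a/"):
            line = "--- a/" + line[4:]
        elif in_header and line.startswith("+++ ") and line != "+++ /dev/null" \
                and not line.startswith("+++ b/"):
            line = "+++ b/" + line[4:]
        out.append(line)
    return "\n".join(out) + "\n"
```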
Uploads
- python-django (5.1.3-1) — New upstream bugfix release.
- memcached (1.6.32-3) — Don't run the tests for the experimental proxy feature yet. (#1088571)
- bfs (4.0.4-1) — New upstream release.
- lastpass-cli (1.6.1-1) — New upstream release.
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged qbittorrent (CVE-2024-51774), libheif (CVE-2023-49462, CVE-2023-29659, etc.)
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Preparing a significant update of the ruby-sinatra package, to be released early December.
- Issued DLA 3945-1 because it was discovered that there were two issues in libheif, a decoder and encoder for the High Efficiency Image File Format (HEIF) and AVIF image formats, that could have been exploited by a malicious actor by providing specially-crafted image files. In particular, an attacker could have exploited this through a crafted file to cause a buffer overflow in linear memory during a memcpy call. Subsequent to this, ELA 1229-1 was announced and released to fix the same underlying issue in Debian buster.
You can find out more about the Debian LTS project via the following video: