Here is my monthly update covering what I have been doing in the free software world (previously):
- Made a large number of improvements to travis.debian.net, my hosted service for projects that host their Debian packaging on GitHub to use the Travis CI continuous integration platform to test builds on every code change:
- Enabled the use of Git submodules. Thanks to @unera & @hosiet. (#30)
- Managed a contribution from @xhaakon to allow adding an extra repository for custom dependencies. (#17)
- Fixed an issue where builds did not work under Debian Wheezy or Ubuntu Trusty due to a call to dpkg-buildpackage --show-field. (#28)
- Fixed an issue where TRAVIS_DEBIAN_EXTRA_REPOSITORY was accidentally required. (#27)
- Made a number of miscellaneous cosmetic improvements. (f7e5b080 & 037de91cc, etc.)
- Submitted a pull request to Alabaster, the default theme for the Python Sphinx documentation system, to ensure that "extra navigation links" are rendered reproducibly. (#90)
- Improved my Chrome extension for the FastMail web interface:
- Managed a pull request from @jlerner to add an optional confirmation dialogue before sending any message. (#10)
- Added an optional Ctrl+Enter alias for Alt+Enter to limit searches to the current folder; the latter shortcut is already mapped by my window manager. (d691b07)
- Various cosmetic changes to the options page. (7b95e887 & 833ff0fe)
- Submitted two pull requests to mypy, an experimental static type checker for Python:
- Updated django-slack, my library to easily post messages to the Slack group-messaging utility:
- Made a number of cosmetic improvements to AptFs, my FUSE-based filesystem that provides a view on unpacked Debian source packages as regular folders.
- Updated the SSL certificate for try.diffoscope.org, a hosted version of the diffoscope in-depth and content-aware diff utility. Continued thanks to Bytemark for sponsoring the hardware.
Debian & Reproducible builds
Whilst anyone can inspect the source code of free software for malicious flaws, most GNU/Linux distributions provide binary (or "compiled") packages to end users. The motivation behind the Reproducible Builds effort is to allow verification that no flaws have been introduced — either maliciously and accidentally — during this compilation process by promising identical binary packages are always generated from a given source.
Presented a talk entitled "Reproducible Builds" at Software Freedom Kosova, in Prishtina, Republic of Kosovo.
I filed my 2,500th bug in the Debian BTS: #840972: golang-google-appengine: accesses the internet during build.
In order to build packages reproducibly, one not only needs identical sources but also some external and sharable definition of the environment used for a particular build, stipulating such things such as the version numbers of the required build-dependencies.
It is not currently clear how to handle these .buildinfo files after the archive software has processed them and how to make them available to the world so I started development on a proof-of-concept server to see what issues arise in practice. It is available at buildinfo.debian.net.
Chaired an IRC meeting and ran a poll to determine a regular time .
Submitted two design proposals to our wiki page.
Improvements to our tests.reproducible-builds.org testing framework:
- Move regular "Scheduled in..." messages to the #debian-reproducible-changes IRC channel.
- Use our log_info method instead of manual echo calls.
- Correct an "all sources packages" → "all source packages" typo.
- Submit .buildinfo files to buildinfo.debian.net.
- Create GPG key on nodes for buildinfo.debian.net at deploy time, not "lazily".
I also submitted 14 patches to fix specific reproducibility issues in bio-eagle, cf-python, fastx-toolkit, fpga-icestorm, http-icons, lambda-align, mypy, playitslowly, seabios, stumpwm, sympa, tj3, wims-help & xotcl.
This month I have been paid to work 13 hours on Debian Long Term Support (LTS). In that time I did the following:
- Seven days of "frontdesk" duties, triaging CVEs, etc.
- Issued DLA 647-1 for freeimage correcting an out-of-bounds write vulnerability in the XMP image handling functionality.
- Issued DLA 649-1 for python-django fixing a possible CSRF protection bypass on sites that use Google Analytics.
- Issued DLA 654-1 for libxfixes preventing an integer overflow when a malicious client sent INT_MAX as a "length".
- Issued DLA 662-1 for quagga correcting a programming error where two constants were confused that could cause stack overrun in IPv6 routing code.
- Issued DLA 688-1 for cairo to prevent a DoS attack where a malicious SVG could generate invalid pointers.
- python-debian: Missing chardet from setup.py depends
- lintian: Drop double spaces in includes-maintscript paragraph
- db5.3: maintscript includes "maint-script parameters"
- dracut: maintscript includes "maint-script parameters"
- 19.6.0-7 — Set supplementary groups when changing uid, add an example systemd .service file to gunicorn-examples, and expand README.Debian to make it clearer what to do now that /etc/gunicorn.d has been removed.
- 19.6.0-8 — Correct previous supplementary groups patch to be compatible with Python 3.
- 3:3.2.4-2 — Ensure that sentinel's configuration actually writes to a pidfile location so that systemd can detect that the daemon has started.
- 3:3.2.5-1 — New upstream release.
- 0.94-8 — Fix FTBFS under Bash due to lack of && in debian/rules.
- 0.94-9 — Ensure the build is reproducible by sorting injected modules.
- aptfs (2:0.8-2) — Minor cosmetic changes.
- zeroinstall-injector (2.12-2) on behalf of Thomas Leonard.
- librep (0.92.6-1) on behalf of Jose M Calhariz.
- xloadimage (4.1-24) on behalf of Dominik George.
- libxml-dumper-perl (0.81-1.2) — Move away from a unsupported debhelper compat level 4.
- netatalk (2.2.5-1.1) — Drop build-dependency on hardening-includes.
- anon-proxy (00.05.38+20081230-4) — Move to a supported debhelper compatibility level 9.
- ara (1.0.32) — Make the build reproducible.
- binutils-m68hc1x (1:2.18-8) — Make the build reproducible & move to a supported debhelper compatibility level.
- fracplanet (0.4.0-5) — Make the build reproducible.
- libnss-ldap (265-5) — Make the build reproducible.
- python-uniconvertor (1.1.5-3) — Fix an "option release requires an argument" FTBFS. (#839375)
- ripole (0.2.0+20081101.0215-3) — Actually include the ripole binary in package. (#839919) & enable hardening flags.
- twitter-bootstrap (2.0.2+dfsg-10) — Fix incorrect copyright formatting when building under Bash. (#824592)
- zpaq (1.10-3) — Make the build reproducible.
Bugs filed (without patches)
- flex: Not compiled with -fPIC
- lintian: init.d-script-needs-depends-on-lsb-base does not use strict enough version for status_of_proc
- qa.debian.org: UDD upload_history table has stopped updating
I additionally filed 7 bugs for packages that access the internet during build against berkshelf, golang-google-appengine, node-redis, python-eventlet, python-keystoneclient, python-senlinclient & tornado-pyvows.
I also filed 65 FTBFS bugs against android-platform-external-jsilver, auto-multiple-choice, awscli, batmon.app, bgpdump, cacti-spine, cucumber, check, debci, eximdoc4, freetennis, freezegun, gatos, git/gnuit, gnucash, grads, haskell-debian, haskell-hsopenssl-x509-system, homesick, ice-builder-gradle, kscreen, latex-cjk-japanese-wadalab, libdbd-firebird-perl, libgit2, libp11, libzypp, mozart-stdlib, mqtt-client, mtasc, musicbrainzngs, network-manager-openvpn, network-manager-vpnc, nim, node-lodash, node-once, npgsql, ocamlbuild, ocamldsort, ohai, partclone, plaso, polyglot-maven, projectreactor, python-launchpadlib, python-pygraphviz, python-pygraphviz, python-pygraphviz, python-textile, qbittorrent, qbrew, qconf, qjoypad, rdp-alignment, reel, ruby-foreman, ruby-gettext, ruby-gruff, ruby-rspec-rails, samtools, sbsigntool, spock, sugar, taglib-extras, tornado-pyvows, unifdef, virt-top, vmware-nsx & zshdb.
Debian FTP Team
As a Debian FTP assistant I ACCEPTed 147 packages: ace-link, amazon-s2n, avy, basez, bootstrap-vz, bucklespring, camitk, carettah, cf-python, debian-reference, dfcgen-gtk, efivar, entropybroker, fakesleep, gall, game-data-packager, gitano, glare, gnome-panel, gnome-shell-extension-dashtodock, gnome-shell-extension-refreshwifi, gnome-shell-extension-remove-dropdown-arrows, golang-github-gogits-go-gogs-client, golang-github-gucumber-gucumber, golang-github-hlandau-buildinfo, golang-github-hlandau-dexlogconfig, golang-github-hlandau-goutils, golang-github-influxdata-toml, golang-github-jacobsa-crypto, golang-github-kjk-lzma, golang-github-miekg-dns, golang-github-minio-sha256-simd, golang-github-nfnt-resize, golang-github-nicksnyder-go-i18n, golang-github-pointlander-compress, golang-github-pointlander-jetset, golang-github-pointlander-peg, golang-github-rfjakob-eme, golang-github-thecreeper-go-notify, golang-github-twstrike-gotk3adapter, golang-github-unknwon-goconfig, golang-gopkg-dancannon-gorethink.v1, golang-petname, haskell-argon2, haskell-binary-parsers, haskell-bindings-dsl, haskell-deriving-compat, haskell-hackage-security, haskell-hcwiid, haskell-hsopenssl-x509-system, haskell-megaparsec, haskell-mono-traversable-instances, haskell-prim-uniq, haskell-raaz, haskell-readable, haskell-readline, haskell-relational-record, haskell-safe-exceptions, haskell-servant-client, haskell-token-bucket, haskell-zxcvbn-c, irclog2html, ironic-ui, lace, ledger, libdancer2-plugin-passphrase-perl, libdatetime-calendar-julian-perl, libdbix-class-optimisticlocking-perl, libdbix-class-schema-config-perl, libgeo-constants-perl, libgeo-ellipsoids-perl, libgeo-functions-perl, libgeo-inverse-perl, libio-async-loop-mojo-perl, libmojolicious-plugin-assetpack-perl, libmojolicious-plugin-renderfile-perl, libparams-validationcompiler-perl, libspecio-perl, libtest-time-perl, libtest2-plugin-nowarnings-perl, linux, lua-scrypt, mono, mutt-vc-query, neutron, node-ansi-font, node-buffer-equal, node-defaults, node-formatio, node-fs-exists-sync, node-fs.realpath, node-is-buffer, node-jison-lex, node-jju, node-jsonstream, node-kind-of, node-lex-parser, node-lolex, node-loud-rejection, node-random-bytes, node-randombytes, node-regex-not, node-repeat-string, node-samsam, node-set-value, node-source-map-support, node-spdx-correct, node-static-extend, node-test, node-to-object-path, node-type-check, node-typescript, node-unset-value, nutsqlite, opencv, openssl1.0, panoramisk, perl6, pg-rage-terminator, pg8000, plv8, puppet-module-oslo, pymoc, pyramid-jinja2, python-bitbucket-api, python-ceilometermiddleware, python-configshell-fb, python-ewmh, python-gimmik, python-jsbeautifier, python-opcua, python-pyldap, python-s3transfer, python-testing.common.database, python-testing.mysqld, python-testing.postgresql, python-wheezy.template, qspeakers, r-cran-nleqslv, recommonmark, rolo, shim, swift-im, tendermint-go-clist, tongue, uftrace & zaqar-ui.