Free software activities in October 2018

  • 31 October, 2018

Here is my monthly update covering what I have been doing in the free software world during October 2018 (previous month):

We intend to maintain changes to these modules under their original open source licenses and applying only free and open fixes and updates. You can find out more at

  • My activities as the current Debian Project Leader are covered in my monthly "Bits from the DPL" email to the debian-devel-announce mailing list.

  • I created Github-esque ribbons to display on Salsa-hosted websites. (Salsa being the collaborative development server for Debian and is the replacement for the now-deprecated Alioth service.)

  • Started a highly work-in-progress "Debbugs Enhancement Suite" Chrome browser extension to enhance various parts of the web interface.

  • Even more hacking on the Lintian static analysis tool for Debian packages:

    • New features:

      • Warn about packages that use PIUPARTS_* in maintainer scripts. (#912040)
      • Check for packages that parse /etc/passwd in maintainer scripts. (#911157)
      • Emit a warning for packages that do not specify Build-Depends-Package in symbol files. (#911451)
      • Check for non-Python files in top-level Python module directories. [...]
      • Check packages missing versioned dependencies on init-system-helpers. (#910594)
      • Detect calls to update-inetd(1) that use --group without --add, etc. (#909511)
      • Check for packages that encode a Python version number in their source package name. [...]
    • Bug fixes:

    • Misc:

      • Also show the maintainer name on the tag-specific reporting HTML. [...]
      • Tidy a number of references regarding the debhelper-compat virtual package. [...]

Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws almost all software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

This month:

  • I attended the Tandon School of Engineering (part of New York University) to speak and work with students from the Application Security course on the topic of reproducible builds.

  • Wrote and forwarded patch for Fontconfig to ensure the cache filenames are determinstic. [...]

  • I sent two previously-authored patches for GNU mtools to ensure the Debian Installer images could become reproducible. (1 & 2)

  • Submitted 11 Debian patches to fix reproducibility issues in fast5, libhandy, lmfit-py, mp3fs, opari2, pjproject, radon, sword, syndie, wit & zsh-antigen. I also submitted an upstream pull request for python-changelog.

  • Made a large number of changes to our website, including adding step-by-step instructions and screenshots on how to signup to our project on Salsa and migrating the TimestampsProposal page on the Debian Wiki to our website.

  • Fixed an issue in disorderfs — our FUSE-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues — where touch -m and touch -a were not working as expected (#911281). In addition, ensured that failing an XFail test should in-itself be a failure [...].

  • Made the following changes to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues to:

    • Add support for comparing OCaml files via ocamlobjinfo. (#910542)

    • Add support for comparing PDF metadata using PyPDF2. (#911446)

    • Support gnumeric 1.12.43. [...]

    • Use str.startswith(...) over str.index(...) == 0 in the Macho comparator to prevent tracebacks if text cannot be found on the line. (#910540).

    • Add note on how to regenerate debian/tests/ and regenerate debian/tests/control with no material changes to add the regeneration comment itself. (1, 2)

    • Prevent test failures when running under stretch-backports by checking the OCaml version number. (#911846)

    • I also added a Salsa ribbon to the website. [...]

  • Categorised a huge number of packages and issues in the Reproducible Builds "notes" repository and kept up to date [...].

  • Worked on publishing our weekly reports. (#180, #181, #182 & #183)

  • Lastly, I fixed an issue in our Jenkins-based testing framework that powers to suppress some warnings from the cryptsetup initramfs hook which were causing some builds to be marked as "unstable". [...]


Debian bugs & patches filed

  • debbugs: Correct "favicon" location in <link/> HTML header. (#912186)

  • ikiwiki: "po" plugin can insert raw file contents with [[!inline]] directives. (#911356)

  • kitty: Please update homepage. (#911848)

  • pipenv: Bundles a large number of third-party libraries. (#910107)

  • mailman: Please include List-Id header on confirmation mails. (#910378)

  • fswatch: Clarify Files-Excluded entries. (#910330)

  • fuse3: Please obey nocheck build profile. (#910029)

  • gau2grid: Please add a non-boilerplate long description. (#911532)

  • hiredis: Please backport to stretch-backports. (#911732)

  • Please remove unnecessary overrides in fuse3 (#910030), puppet-module-barbican (#910374), python-oslo.vmware (#910011) & python3-antlr3(#910012)

  • python3-pypdf2: Python 3.x package ships non-functional Python 2.x examples. (#911649)

  • mtools: New upstream release. (#912285)

I also a filed requests with the stable release managers to update lastpass-cli (#911767) and python-django (#910821).

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

  • Multiple "frontdesk" shifts, triaging upstream CVEs, liasing with the Security Team, etc.

  • Issued DLA 1528-1 to prevent a denial-of-service (DoS) vulnerability in strongswan, a virtual private network (VPN) client and server where verification of an RSA signature with a very short public key caused an integer underflow in a length check that resulted in a heap buffer overflow.

  • Issued DLA 1547-1 for the Apache PDFBox library to fix a potential DoS issue where a malicious file could have triggered an extremely long running computation when parsing the PDF page tree.

  • Issued DLA 1550-1 for src:drupal7 to close remote code execution and an external URL injection exploit in the Drupal web-based content management framework as part of Drupal's SA-CORE-2018-006 security release.

  • Issued ELA-49-1 for the Adplug sound library to fix potential DoS attack due to double-free vulnerability.


  • redis:

    • 5.0~rc5-2 — Use the Debian hiredis library now that #907259 has landed. (#907258)
    • 5.0.0-1 — New upstream release.
    • 5.0.0-2 — Update patch to sentinel.conf to ensure the correct runtime PID file location (#911407), listen on ::1 interfaces too for redis-sentinel to match redis-server, & run the new LOLWUT command in the autopkgtests.
  • python-django:

    • 1.11.16-1 — New upstream bugfix release.
    • 1.11.16-2 — Fix some broken README.txt symlinks. (#910120)
    • 1.11.16-3 — Default to supporting Spatialite 4.2. (#910240)
    • 2.1.2-1 — New upstream security release.
    • 2.1.2-2 — Default to supporting Spatialite 4.2. (#910240)
  • libfiu:

  • 0.96-5 — Apply patch from upstream to write atomically to avoid a.parallel build failure. (#909843)

  • 0.97-1 — New upstream release.
  • 0.97-2 — Mangle return offset sizes for 64-bit variants to prevent build failures on 32-bit architectures. (#911733)

  • adminer (4.6.3-2) — Use continue 2 to avoid a switch/continue warning in PHP 7.3, thus preventing an autopkgtest regression. (#911825)

  • bfs (1.2.4-1) — New upstream release.

  • django-auto-one-to-one (3.1.1-1) — New upstream release.

  • lastpass-cli (1.3.1-5) — Add ca-certificates to Depends.

  • python-redis (2.10.6-5) — Fix debian/watch file.

  • python-daiquiri (1.5.0-1) — New upstream release.

I also sponsored uploads of elpy (1.25.0-1) and hiredis (0.14.0-1).

FTP Team

As a Debian FTP assistant I ACCEPTed 95 packages: barrier, cct, check-pgactivity, cloudkitty-dashboard, cmark-gfm, eclipse-emf, eclipse-jdt-core, eclipse-platform-team, eclipse-platform-ua, eclipse-platform-ui, eos-sdk, equinox-p2, fontcustom, fonts-fork-awesome, fswatch, fuse3, gau2grid, gitlab, glom, grapefruit, grub-cloud, gsequencer, haskell-base-compat-batteries, haskell-invariant, haskell-parsec-numbers, haskell-reinterpret-cast, haskell-resolv, haskell-shelly, haskell-skylighting-core, haskell-wcwidth, hollywood, intelhex, javapoet, libgpg-error, libjsoncpp, libnbcompat, lintian-brush, llvm-toolchain-snapshot, mando, mat2, mini-httpd-run, modsecurity, mtree-netbsd, neutron-tempest-plugin, ngspice, openstack-cluster-installer, pg-checksums, pg-cron, pg-dirtyread, pg-qualstats, pg-repack, pg-similarity, pg-stat-kcache, pgaudit, pgextwlist, pgfincore, pgl-ddl-deploy, pgmemcache, pgpool2, pgrouting, pgsql-ogr-fdw, pgstat, pipenv, postgresql-hll, postgresql-plproxy, postgresql-plsh, puppet-module-barbican, puppet-module-icann-quagga, puppet-module-icann-tea, puppet-module-rodjek-logrotate, pykwalify, pyocd, python-backports.csv, python-fastfunc, python-httptools, python-redmine, python-tld, python-yaswfp, python3-simpletal, r-cran-eaf, r-cran-emoa, r-cran-ggally, r-cran-irace, r-cran-parallelmap, r-cran-popepi, r-cran-pracma, r-cran-spp, radon, rust-semver-parser-0.7, syndie, unicycler, vitetris, volume-key, weston & zram-tools.

I additionally filed 14 RC bugs against packages that had potentially-incomplete debian/copyright files against fontcustom, fuse3, intelhex, libnbcompat, mat2, modsecurity, mtree-netbsd, puppet-module-barbican, python-redmine, r-cran-eaf, r-cran-emoa, r-cran-pracma, radon & syndie.