Here is my monthly update covering what I have been doing in the free software world in September 2017 (previous month):
- Submitted a pull request to Quadrapassel (the Gnome version of Tetris) to start a new game when the pause button is pressed outside of a game. This means you would no longer have to use the mouse to start a new game. [...]
- Made a large number of improvements to AptFS — my FUSE-based filesystem that provides a view on unpacked Debian source packages as regular folders — including moving away from manual parsing of package lists [...] and numerous code tidying/refactoring changes.
- Sent a small patch to django-sitetree, a Django library for menu and breadcrumb navigation elements, so that it no longer masks test exit codes from the surrounding shell. [...]
- Updated travis.debian.net, my hosted service for projects that host their Debian packaging on GitHub, to use the Travis CI continuous integration platform to test builds:
  - Add support for "sloppy" backports. Thanks to Bernd Zeimetz for the idea and ongoing testing. [...]
  - Merged a pull request from James McCoy to pass DEB_BUILD_PROFILES through to the build. [...]
  - Work around Travis CI's HTTP proxy, which does not appear to support SRV records. [...]
  - Run debc from devscripts if the build was successful [...] and output the .buildinfo file if it exists [...].
- Fixed a few issues in local-debian-mirror, my package to easily maintain and customise a local Debian mirror via the DebConf configuration tool:
- Updated django-staticfiles-dotd, my Django staticfiles adaptor to concatenate static media in .d-style directories, to support Python 3.x by using bytes objects (commit) and to move away from monkeypatch as it does not have a Python 3.x port yet (commit).
- I also posted a short essay to my blog entitled "Ask the Dumb Questions" as well as provided an update on the latest Lintian release.
Reproducible builds
Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.
The motivation behind the Reproducible Builds effort is to allow verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising that identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
I have generously been awarded a grant from the Core Infrastructure Initiative to fund my work in this area.
This month I:
- Published a short blog post about how to determine which packages on your system are reproducible. [...]
- Submitted a pull request for Numpy to make the generated config.py files reproducible. [...]
- Provided a patch to GTK upstream to ensure the immodules.cache files are reproducible. [...]
- Within Debian:
  - Updated isdebianreproducibleyet.com, moving it to HTTPS, adding cache-busting as well as keeping the number up-to-date.
  - Submitted the following patches to fix reproducibility-related toolchain issues:
  - Submitted a patch to fix a reproducibility issue in doit.
  - Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
  - Chaired our monthly IRC meeting. [...]
  - Worked on publishing our weekly reports. (#123, #124, #125, #126 & #127)
I also made the following changes to our tooling:
reproducible-check
reproducible-check is our script to determine which packages actually installed on your system are reproducible or not.
- Handle multi-architecture systems correctly. (#875887)
- Use the "restricted" data file to mask transient issues. (#875861)
- Expire the cache file after one day and base the local cache filename on the remote name. [...] [...]
I also blogged about this utility. [...]
diffoscope
diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.
- Filed an issue attempting to identify the causes behind an increased number of timeouts visible in our CI infrastructure, including running a number of benchmarks of recent versions. (#875324)
- New features:
- Bug fixes:
- Testing:
- Misc:
strip-nondeterminism
strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.
disorderfs
disorderfs is our FUSE-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues.
- Add a simple autopkgtest. [...]
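As an added illustration of the class of bug disorderfs is built to surface (this is example code written for this page, not code from disorderfs or any other reproducible-builds tool): the hypothetical build step below hashes a directory's files in whatever order the directory listing returns them. The `rotated_listdir` helper stands in for disorderfs, handing back the same entries in a different order on each run; sorting the listing before use is the usual fix, and the digest then depends only on the data. The file names and contents are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed sample source tree; names and contents are arbitrary.
SAMPLE_FILES = {"b.txt": b"bravo\n", "a.txt": b"alpha\n", "c.txt": b"charlie\n"}


def make_tree(root):
    for name, body in SAMPLE_FILES.items():
        (root / name).write_bytes(body)


def rotated_listdir(path, run):
    """Stand-in for disorderfs: the same directory entries, in an order that
    changes from one run to the next (here, a rotation keyed on the run number)."""
    names = os.listdir(path)
    k = run % len(names)
    return names[k:] + names[:k]


def manifest_digest(root, listdir, sort_entries):
    """Hypothetical build artefact: a SHA-256 over file names and contents.

    With sort_entries=False the result depends on listing order, which no
    filesystem guarantees; with sort_entries=True it depends only on the files.
    """
    names = list(listdir(root))
    if sort_entries:
        names.sort()  # code-point order, independent of the build locale
    h = hashlib.sha256()
    for name in names:
        h.update(name.encode() + b"\0")
        h.update((root / name).read_bytes())
    return h.hexdigest()


def distinct_results(sort_entries, runs=6):
    """Build the same tree `runs` times under varying listing order and count
    how many different artefacts come out. A reproducible build gives exactly one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_tree(root)
        digests = {
            manifest_digest(root, lambda p, r=r: rotated_listdir(p, r), sort_entries)
            for r in range(runs)
        }
    return len(digests)


if __name__ == "__main__":
    print("unsorted listing:", distinct_results(False), "distinct outputs")
    print("sorted listing:  ", distinct_results(True), "distinct output")
```

The same pattern is behind the `find(1)` calls in `debian/rules` mentioned further down: `find` emits entries in directory order, so anything that consumes its output to build an archive or a generated file needs a sort in between.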
Debian
My activities as the current Debian Project Leader are covered in my monthly "Bits from the DPL" email to the debian-devel-announce mailing list.
Lintian
I made a large number of changes to Lintian, the static analysis tool for Debian packages. It reports on various errors, omissions and general quality-assurance issues to maintainers:
- Add 4.1.1 as a supported Standards-Version. (#875509)
- Warn about Django libraries that do not depend on Django itself. (#877292)
- Add a --list-tags option to print all tags Lintian knows about. (#779675)
- Prevent false positives in copyright-year-in-future when matching URLs, the Tcl license (#876360) and "meta" statements such as "Original Author" (#873323).
- Ensure that missing-build-dependency-for-dh_-command is not emitted for dh-strip-nondeterminism at Debhelper compatibility level 10. (#876443)
- Also ignore lines that self-reference "typo" when checking for spelling-error-in-changelog.
- Avoid false positives in missing-source checks for "CSS Browser Selector". (#874381)
- Clarify explanation of description-starts-with-leading-spaces tag. (#849622)
- Check for packages including ?rev=0&sc=0 in Vcs-Browser. (#681713)
- Drop problematic missing-classpath check. (#857123)
- Correct grammar and punctuation in the description of node-package-install-in-nodejs-rootdir.
- Recognise autopkgtest-pkg-octave as a valid test suite. (#875985)
- Update the description of unknown-testsuite to reflect that autopkgtest is not the only valid value. (#876003)
- Apply patch from Guillem Jover to add more package → section mappings. (#874121)
- Update the data/fields/perl-provides and data/fields/virtual-packages files from the archive; the latter fixes a false positive in bacula-director. (#835120)
- Apply a patch from Jakub Wilk to prevent test failures on armhf/arm64, etc. (#877147)
- Apply patch from Gianfranco Costamagna to fix a failing LFS test on 32-bit architectures. (#876343)
- Apply patches from Guillem Jover & Boud Roukema to improve the description of the binary-file-built-without-LFS-support tag. (#874078)
- Correct Depends of python2.7 → python3 in Python 3 test package.
- Update private/generate-tag-summary to ensure that git-describe(1) will always emit 7 hexadecimal digits as the abbreviated object name, use deb.debian.org as the default mirror, and update the remote locations of Contents-<arch> files.
I also blogged specifically about the Lintian 2.5.54 release.
Patches contributed
- debconf: Please add a context manager to debconf.py. (#877096)
- nm.debian.org: Add pronouns to ALL_STATUS_DESC. (#875128)
- user-setup: Please drop set_special_users hack added for "the convenience of heavy testers". (#875909)
- postgresql-common: Please update README.Debian for PostgreSQL 10. (#876438)
- django-sitetree: Should not mask test failures. (#877321)
- charmtimetracker:
I also submitted 5 patches for packages with incorrect calls to find(1) in debian/rules against hamster-applet, libkml, pyferret, python-gssapi & roundcube.
Debian LTS
This month I have been paid to work 15¾ hours on Debian Long Term Support (LTS). In that time I did the following:
- "Frontdesk" duties, triaging CVEs, etc.
- Documented an example usage of autopkgtests to test security changes.
- Issued DLA 1084-1 and DLA 1085-1 for libidn and libidn2-0 to fix integer overflow vulnerabilities in Punycode handling.
- Issued DLA 1091-1 for unrar-free to prevent a directory traversal vulnerability from a specially-crafted .rar archive. This update introduces a regression test.
- Issued DLA 1092-1 for libarchive to prevent malicious .xar archives causing a denial of service via a heap-based buffer over-read.
- Issued DLA 1096-1 for wordpress-shibboleth, correcting a cross-site scripting vulnerability in the Shibboleth identity provider module.
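The unrar-free update above fixes a directory traversal from a crafted archive. As an added example (written for this page; it is not unrar-free's code and not the DLA patch), the check below is the containment test an extractor needs before writing any member to disk: it rejects absolute names, drive letters and `..` components, and then confirms the resolved output path still lies inside the destination directory. The member names are constructed to cover the cases such a check must get right, including a name that merely contains `..` without it being a path component.

```python
import os
from pathlib import PurePosixPath, PureWindowsPath


def has_unsafe_components(member_name):
    """Syntactic check: absolute paths, drive letters and '..' segments.

    Both '/' and '\\' are treated as separators because an archive written
    on Windows may store backslashes.
    """
    normalised = member_name.replace("\\", "/")
    p = PurePosixPath(normalised)
    if p.is_absolute() or PureWindowsPath(member_name).drive:
        return True
    return any(part == ".." for part in p.parts)


def safe_destination(dest_dir, member_name):
    """Return the resolved output path for member_name, or None if writing it
    would escape dest_dir. The syntactic check is combined with a resolved-path
    check so that symlinks and prefix-sharing directories are handled."""
    if has_unsafe_components(member_name):
        return None
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, member_name.replace("\\", "/")))
    # commonpath avoids the classic startswith() mistake in which /tmp/out2
    # is accepted as lying inside /tmp/out.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


# Constructed member names; comments give the expected decision.
SAMPLE_MEMBERS = [
    "docs/readme.txt",      # ordinary relative path: allowed
    "weird/..hidden",       # '..' inside a name, not a component: allowed
    "../etc/cron.d/job",    # parent-directory escape: rejected
    "a/b/../../../x",       # escape after descending first: rejected
    "/etc/passwd",          # absolute path: rejected
    "..\\windows\\file",    # backslash separators: rejected
    "C:\\boot.ini",         # drive-letter absolute path: rejected
]


def classify(dest_dir, members=SAMPLE_MEMBERS):
    """Map each member name to True (safe to extract) or False (would escape)."""
    return {m: safe_destination(dest_dir, m) is not None for m in members}


if __name__ == "__main__":
    for name, ok in classify("/tmp/extract-here").items():
        print(f"{'allow ' if ok else 'reject'}  {name}")
```

A regression test for an extractor, like the one the DLA mentions, is then a matter of feeding each of these names through the real code path and asserting that the rejected ones never produce a file outside the destination.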
Uploads
- python-django:
- redis:
  - 4.0.2-1 — New upstream release.
  - 4.0.2-2 — Update 0004-redis-check-rdb autopkgtest test to ensure that the redis.rdb file exists before testing against it.
  - 4.0.2-2~bpo9+1 — Upload to stretch-backports.
- aptfs (0.11.0-1) — New upstream release, moving away from using /var/lib/apt/lists internals. Thanks to Julian Andres Klode for a helpful bug report. (#874765)
- lintian (2.5.53, 2.5.54) — New upstream releases. (Documented in more detail above.)
- bfs (1.1.2-1) — New upstream release.
- docbook-to-man (1:2.0.0-39) — Tighten autopkgtests and enable testing via travis.debian.net.
- python-daiquiri (1.3.0-1) — New upstream release.
I also made the following non-maintainer uploads (NMUs):
- vimoutliner (0.3.4+pristine-9.3):
- bittornado (0.3.18-10.3):
  - Make the build reproducible. (#796212)
  - Add missing Build-Depends on dh-python.
- dtc-xen (0.5.17-1.1):
  - Make the build reproducible. (#777322)
  - Add missing Build-Depends on dh-python.
- dict-gazetteer2k (1.0.0-5.4):
  - Make the build reproducible. (#776376)
  - Override empty-binary-package Lintian warning to avoid dak autoreject.
- cgilib (0.6-1.1) — Make the build reproducible. (#776935)
- dhcping (1.2-4.2) — Make the build reproducible. (#777320)
- dict-moby-thesaurus (1.0-6.4) — Make the build reproducible. (#776375)
- dtaus (0.9-1.1) — Make the build reproducible. (#777321)
- fastforward (1:0.51-3.2) — Make the build reproducible. (#776972)
- wily (0.13.41-7.3) — Make the build reproducible. (#777360)
Debian bugs filed
- clipit: Please choose a sensible startup default in "live" mode. (#875903)
- git-buildpackage: Please add a --reset option to gbp pull. (#875852)
- bluez: Please default Device "friendly name" to hostname without domain. (#874094)
- bugs.debian.org: Please explicitly link to {packages,tracker}.debian.org. (#876746)
- Requests for packaging:
FTP Team
As a Debian FTP assistant I ACCEPTed 86 packages: bgw-replstatus, build-essential, caja-admin, caja-rename, calamares, cdiff, cockpit, colorized-logs, comptext, comptty, copyq, django-allauth, django-paintstore, django-q, django-test-without-migrations, docker-runc, emacs-db, emacs-uuid, esxml, fast5, flake8-docstrings, gcc-6-doc, gcc-7-doc, gcc-8, golang-github-go-logfmt-logfmt, golang-github-google-go-cmp, golang-github-nightlyone-lockfile, golang-github-oklog-ulid, golang-pault-go-macchanger, h2o, inhomog, ip4r, ldc, libayatana-appindicator, libbson-perl, libencoding-fixlatin-perl, libfile-monitor-lite-perl, libhtml-restrict-perl, libmojo-rabbitmq-client-perl, libmoosex-types-laxnum-perl, libparse-mime-perl, libplack-test-agent-perl, libpod-projectdocs-perl, libregexp-pattern-license-perl, libstring-trim-perl, libtext-simpletable-autowidth-perl, libvirt, linux, mac-fdisk, myspell-sq, node-coveralls, node-module-deps, nov-el, owncloud-client, pantomime-clojure, pg-dirtyread, pgfincore, pgpool2, pgsql-asn1oid, phpliteadmin, powerlevel9k, pyjokes, python-evdev, python-oslo.db, python-pygal, python-wsaccel, python3.7, r-cran-bindrcpp, r-cran-dotcall64, r-cran-glue, r-cran-gtable, r-cran-pkgconfig, r-cran-rlang, r-cran-spatstat.utils, resolvconf-admin, retro-gtk, ring-ssl-clojure, robot-detection, rpy2-2.8, ruby-hocon, sass-stylesheets-compass, selinux-dbus, selinux-python, statsmodels, webkit2-sharp & weston.
I additionally filed 4 RC bugs against packages that had incomplete debian/copyright files: comptext, comptext, ldc & python-oslo.concurrency.