Free software activities in September 2018

Here is my monthly update covering what I have been doing in the free software world during September 2018 (previous month):

• My activities as the current Debian Project Leader are covered in my "Bits from the DPL" email to the debian-devel-announce mailing list.

• Opened a pull request in the Sphinx documentation builder to ensure ensure Python frozenset object descriptions are reproducible. [...]

• Added an mbox command to my tickle-me-email library to implement Gettings Things Done-like behaviours in an IMAP inbox. [...]

• Made a large number of updates to my django-auto-one-to-one library to automatically create child model instances when a parent class is created in the Django web development framework including hrdcoding the use of auth.User over get_user_model [... and adding a .travis.yml and an (empty) testsuite [...] & [...].

• Fixed an issue in travis.debian.net (my hosted service for projects that host their Debian packaging on GitHub to use the Travis CI continuous integration platform to test builds) to always restore the Dockerfile to its previous state, either present or deleted. [...]

• Opened a pull request for the OpenSnitch firewall to drop a potentially unneccessary MimeType declaration. [...]

• Updated my pull request for the sphinx-gallery extension for the Sphinx documentation builder to automatically generate an example gallery to not show the "Total running time" if SOURCE_DATE_EPOCH is set. [...]

More hacking on the Lintian static analysis tool for Debian packages:

• New features:

  • Merge suggestion from Sven Joachim to add "practical" and "practically" as spelling corrections for "pratical" and "pratically" (#909772) then add "practically" as a correction for "practicaly" [...].
  • Check for overly-indented paragraph separators in package long descriptions. (#909272)
  • Warn about debian/source/options specifying custom compression settings. (#906614)
  • Check for packages hat build both foo-dbg and foo-dbgsym debug symbol variants. (#907423)
  • Reclassify xfonts-foo packages as part of the fonts section. (#907725)
  • Check for .pytest_cache/foo files in packages. (#907870)
  • Ensure .changes and debian/changelog distributions are identical. (#906610)
  • Check for invoke-rc.d --skip-systemd-native without a suitable `Pre-Depends. (#907836)
  • Warn about packages that use an excessive (> 20) number of overrides. [...]
  • Check for directories such as .cache in Python packaging, etc. (#907870)

• Bug fixes:

  • Don't emit udevadm-called-without-guard if the package has a dependency on udev. (#909801)
  • Also check override_dh_systemd_*-{arch,indep} for debian-rules-uses-deprecated-systemd-override. (#907845)
  • Don't emit changelog-empty-entry if distribution is UNRELEASED. (#909674)
  • Fix a number of false-positives when checking for incomplete Creative Commons licenses. (#906284)
  • Avoid false positives in init.d-script-possible-missing-stop when checking in "early boot" packages. (#908185)
  • Expand and rename xz-compression-level-too-high to warn about all manual adjustments to such settings. (#906611)
  • Refresh internal metadata allowing dir-or-file-in-etc-opt to be overridable. (#908911)
  • Also check the Source field when looking for repack explanations. (#909270)
  • Don't emit package-contains-documentation-outside-usr-share-doc for files in templates directories. (#907734)
  • Don't check the .dsc for XS-Autobuild. (#907681)
  • Do not emit package-does-not-install-examples for example directories under "vendor" or "third_party". [...]
  • Also add wiH (alongside wIH) to the spelling-error-in-binary exceptions. [...]
  • Correct an edge-case when checking for missing repacked tarball explanation. [...]

• Reporting:

  • Show the number of unused overrides in the "N: 1 tag overridden..." summary line. (#909319)
  • Ensure --dbgsym-migration='quoted' is correctly displayed when emitting the debug-symbol-migration-possibly-complete tag. [...]

• Misc:

  • Update tests to support the latest version of dash. [...]
  • Remove any duplicates from FTPmaster's list of supplied tags. [...]
  • Correct an (ironic) spelling mistake in the list of spelling exceptions. [...]

Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws almost all software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

This month I:

• Opened a pull request in the Sphinx documentation builder to ensure ensure Python frozenset object descriptions are reproducible. [...]

• Followed-up to my previous merge request against the Redis key-value database and encouraged it to be merged upstream. [...]

• Made the following changes to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues:

  • Fix testsuite under LLVM version 7.0+. (#908074)
  • Ensure "substvar" generation is deterministic regardless of installed packages. (#908072)
  • Fix tests under colord version 1.4.3+. (#908900)
  • Disable binwalk's configuration for predictable results, etc. (#903444)
  • Ensure we return bytes objects from Command.filter to prevent LLVM tracebacks. [...]
  • Don't print output from GnuPG. [...]
  • Drop print() statement in PPU tests. [...]
  • Strip trailing whitespace from ssconvert(1) output to support gnumeric 1.12.43+. [...]
  • Clarify distinction between tools and packages when generating substvars. [...]

• Updated my pull request for the sphinx-gallery extension for the Sphinx documentation builder to automatically generate an example gallery to not show the "Total running time" if SOURCE_DATE_EPOCH is set. [...]

• Within Debian:

  • I submitted 11 patches to fix specific reproducibility issues in botan, [[brohttps://bugs.debian.org/908379), coinmp, fltk1.1, gdk-pixbuf, infnoise, libgit2-glib, libhinawa, libinput, octavia, sphinxcontrib-restbuilder & taopm.

  • Uploaded disorderfs version 0.5.4-1 (our FUSE-based filesystem that deliberately introduces non-determinism) to the unstable distribution. [...]

  • Uploaded version 67.0.1 of trydiffoscope, a command-line client for try.diffoscope.org.

  • Kept isdebianreproducibleyet.com up to date. [...]

• Categorised a large number of packages and issues in the "package classification" repository.

• Updated our website including fixing some broken navigation [... and ensuring images were visible on all pages on the site [... as well as updated the SSL certificate for buildinfo.debian.net.

• Worked on publishing our weekly reports. (#174, #175, #176, #177 & #178)

• Corrected the spelling/grammar in a comment within strip-nondeterminism, our tool to remove specific non-deterministic results from a completed build. [...]

• Escaped the package name in the "Schedule a new build" links in our Jenkins-based testing framework that powers tests.reproducible-builds.org. [...]

Debian

• As a member of the Debian Python Module Team I pushed a large number of changes across 100s of repositories including removing empty debian/patches/series & debian/source/options files, correcting email addresses, dropping generated .debhelper dirs, removing trailing whitespaces, respecting the nocheck build profile via DEB_BUILD_OPTIONS and correcting spelling mistakes in debian/control files.

• Added a missing dependency on golang-golang-x-tools for digraph(1) in dh-make-golang as part of the Debian Go Packaging Team.

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project

• "Frontdesk" duties, triaging CVEs, responding to user questions, etc.

• Issued DLA 1492-1 fixing a string injection vulnerability in the dojo Javascript library.

• Issued DLA 1496-1 to correct an integer overflow vulnerability in the "Little CMS 2" colour management library. A specially-crafted input file could have lead to a heap-based buffer overflow.

• Issued DLA 1498-1 for the curl utility to fix an integer overflow vulnerability (background).

• Issued DLA 1501-1 to fix an out-of-bounds read vulnerability in libextractor, a tool to extract meta-data from files of arbitrary type.

• Issued DLA 1503-1 to prevent a potential denial of service and a potential arbitrary code execution vulnerability in the kamailio SIP (Session Initiation Protocol) server. A specially-crafted SIP message with an invalid Via header could cause a segmentation fault and crash the server due to missing input validation.

• Issued ELA 34-1 for the Redis key-value database where the redis-cli tool could have allowed an attacker to achieve code execution and/or escalate to higher privileges via a specially-crafted command line.

Uploads

• redis:

  • 5:5.0~rc5-1 — New upstream release.
  • 5:4.0.11-3 — Prevent the (non-deterministic) upstream testsuite from breaking the build. (#908540)

• python-django (2:2.1.1-1) — New upstream bugfix release.

• django-auto-one-to-one:

  • 3.0.0-1 — Initial upload. (#908723)
  • 3.1.0-1 — New upstream release.

• golang-github-evilsocket-ftrace:

  • 1.2.0-1 — Initial upload. (#908883)
  • 1.2.0-2 — Correct Vcs-{Git,Browser} and correct the Maintainer/Uploaders field distinction.

• python-grpc-tools (1.14.1-1) — Initial upload. (#908837)

• python-grpcio (1.15.0-1) — Initial upload. (#909304)

I also uploaded the following packages as a member of the Debian Python Module Team: django-ipware (2.1.0-1), django-adminaudit (0.3.3-2), python-openid (2.2.5-7), python-social-auth (1:0.2.21+dfsg-3). python-vagrant (0.5.15-2) & python-validictory (0.8.3-3)

Finally, I sponsored the following uploads: bm-el (201808-1), elpy (1.24.0-1), mutt-alias-el (1.5-1) & android-platform-external-boringssl (8.1.0+r23-2).

Debian bugs filed

• ftp.debian.org: NEW package summary contains strange text. (#909252)

• ipmitool: Use Lintian override for init.d-script-should-always-start-service. (#907832)

• Cosmetic/misc requests:

  • colmap: Please clarify why you skip the testsuite. (#909198)

  • fasttracker2: Strange and/or overly verbose binary Architecture field. (#909199)

  • trojan: Please elaborate package description. (#908338)

• cowpatty: Homepage field 404s. (#909516)

• mutt-alias-el: Should obey the nodoc build profile. (#909513)

• Intent to Package (ITP) bugs:

  • opensnitch: A port of the Little Snitch application firewall. (#909567)

  • python-grpcio: Python libraries for gRPC. (#909304)

  • python-grpc-tools: Protocol buffer code generator for gRPC. (#908837)

  • golang-github-evilsocket-ftrace: Trace Linux system calls using the ftrace kernel framework. (#908883)

FTP Team

As a Debian FTP assistant I ACCEPTed 81 packages: adios, android-platform-system-core, aom, appmenu-registrar, astroid2, black, bm-el, colmap, cowpatty, devpi-common, equinox-bundles, fabulous, fasttracker2, folding-mode-el, fontpens, ganeti-2.15, geomet, golang-github-google-go-github, golang-github-gregjones-httpcache, hub, infnoise, intel-processor-trace, its-playback-time, jsonb-api, kitinerary, kpkpass, libclass-tiny-chained-perl, libmoox-traits-perl, librda, libtwitter-api-perl, liburl-encode-perl, libwww-oauth-perl, llvm-toolchain-7, lucy, markdown-toc-el, mmdebstrap, mozjs60, mutt-alias-el, nvidia-graphics-drivers-legacy-390xx, o-saft, pass-tomb, pass-tomb-basic, pgformatter, picocli, pikepdf, pipewire, poliastro, port-for, pyagentx, pylint2, pynwb, pytest-flask, python-argon2, python-asteval, python-caldav, python-djangosaml2, python-pcl, python-persist-queue, python-rfc3161ng, python-treetime, python-x2go, python-x3dh, python-xeddsa, rust-crossbeam-deque, rust-iovec, rust-phf-generator, rust-simd, rust-spin, rustc, sentinelsat, sesman, sphinx-autobuild, sphinxcontrib-restbuilder, tao-pegtl, trojan, ufolib2, ufonormalizer, unarr, vlc-plugin-bittorrent, xlunzip & xxhash.

I additionally filed 6 RC bugs against packages that had potentially-incomplete debian/copyright files against adios, pgformatter, picocli, python-argon2, python-pcl & python-treetime.

You can subscribe to new posts via email or RSS.