Free software activities in September 2019

Here is my monthly update covering what I have been doing in the free software world during September 2019 (previous month):

• Attended the launch event of OpenUK, a new organisation with the purpose of supporting the growth of free software, hardware and data. It was hosted at the House of Commons of the United Kingdom and turned out to be quite the night to be attending Parliament.

• As part of my duties of being on the board of directors of the Open Source Initiative and Software in the Public Interest I attended their respective monthy meetings and participated in various licensing and other discussions occurring on the internet, as well as the usual internal discussions regarding logistics, policy etc.

• Made a number of changes to my tickle-me-email library to implement Gettings Things Done-like behaviours in IMAP inboxes including:

  • Add support for a sendmail-like command. [...]
  • Don't require specifying the target of sent items in the send-later command [...] and decode messages correctly for the same command [...].

• Opened pull requests to make the build reproducible in:

  • pydantic, a library to perform data validation and settings management using Python type hinting. [...]

  • The sdaps optical mark recognition (OMR) program. [...]

  • libubootenv, tools to access and modify the U-Boot bootloader environment. [...]

  • The libnbd component of the libguestfs set of tools for accessing and modifying virtual machine disk images. [...]

• Opened a pull request for the memcached distributed memory object caching system to... correct the spelling of "ensure". [...]

• More work on the Lintian static analysis tool for Debian packages, releasing versions 2.20.0, 2.21.0, 2.22.0, 2.23.0 & 2.24.0 as well as:

  • New features:

    • Add a tag to check for packages refering to the deprecated Alioth service in their Homepage fields. (#933500)
    • Allow the lowercase version of UNRELEASED changelog entries in various tags, a convention used in Debian Ports. (#940877)
    • Emit missing-build-dependency for packages that do not use debhelper but use specific parts of dh-autoreconf without build-depending on it. (#939874)
    • Merge our two Salsa CI pipeline stages, avoiding an additional ~5 minute initial setup time as well as avoiding having to parse the checksums of the yet-to-be-downloaded build dependencies. [...]
    • Suggest using libjs-bootstrap over libjs-twitter-bootstrap as the latter is not available in Debian buster. (#939416)
    • Add iIF to the list of spelling exceptions ignored in binaries. (#939637)

  • Bug fixes:

    • Fix false positives for templated systemd .service files when checking for packages that might lack corresponding init scripts. [...]
    • Correct logic of debian-news-entry-has-strange-distribution. [...]
    • Drop matching for Source-Version substvars; they are not supported by dpkg-dev anymore and results in accidentally matching an incorrect Source-:Upstream-Version variable. (#940878)
    • Don't emit missing-build-dependency, package-uses-debhelper-but-lacks-build-depends or debhelper-but-no-misc-depends for packages that do not use debhelper but use specific parts of dh-autoreconf. (#939874)
    • Don't emit latest-debian-changelog-entry-changed-to-native if the latest changelog entry references "native package". [...]
    • Quote the package build path to avoid test failures when building in a directory whose name contains a + or other regex metacharacters. (#939674)
    • Don't emit python3-depends-but-no-python3-helper when we build-depend on dh-sequence-python3, etc. (#939050)

  • Misc:

    • Bump severity of script-uses-unversioned-python-in-shebang (ie. #!/usr/bin/env python) from classification to "pedantic" severity. (#934853)
    • Upgrade and rename classification-level tag rules-requires-root-implicitly to rules-requires-root-missing. (#933240)
    • Drop the now-unnecessary pear-package-feature-requires-newer-pkg-php-tools tag. (#939698)
    • Factor out parsing of the date of the previous stable Debian release [...] and add the last stable release date to data/common/releases [...].

Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws almost all software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

The initiative is proud to be a member project of the Software Freedom Conservancy, a not-for-profit 501(c)(3) charity focused on ethical technology and user freedom.

Conservancy acts as a corporate umbrella, allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.

This month I:

• Filed upstream pull requests for:

  • pydantic, a library to perform data validation and settings management using Python type hinting. [...]

  • libubootenv, tools to access and modify the U-Boot bootloader environment. [...]

  • The sdaps optical mark recognition (OMR) program. [...]

  • The libnbd component of the libguestfs set of of tools for accessing and modifying virtual machine disk images. [...]

• In Debian:

  • Kept isdebianreproducibleyet.com up to date. [...]

  • I also submitted 10 patches to fix specific reproducibility issues in apophenia, dsdp, fathom, kivy, libnbd, libubootenv, libvdpau, pydantic, sdaps & vala-panel.

• Categorised a large number of packages and issues in the Reproducible Builds "notes" repository, adding new buildpath_in_code_generated_by_bison, buildpath_in_postgres_opcodes and ghc_captures_build_path_via_tempdir toolchain issues.

• Drafted, published and publicised our monthly report.

• I spent some more time working on our website this month, including:

  • Add missing image for in-toto on the "Who is Involved?" page. [...]
  • Don't align images when on "extra small" (ie. mobile) devices as they make the text wrapping look suboptimal. [...]
  • Use {% raw %} to escape Markdown in templated Jinja code. [...]

I also made the following changes to our tooling:

diffoscope

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.

• New features:

  • Add /srv/diffoscope/bin to the Docker image path. (#70)
  • When skipping tests due to the lack of installed tool, print the package that might provide it. [...]
  • Update the "no progressbar" logging message to match the parallel "missing tlsh module" warnings. [...]
  • Update "requires foo" messages to clarify that they are referring to Python modules. [...]

• Testsuite updates

  • The test_libmix_differences ELF binary test requires the xxd tool. (#940645)
  • Build the OCaml test input files on-demand rather than shipping them with the package in order to prevent test failures with OCaml 4.08. (#67)
  • Also conditionally skip the identification and "no differences" tests as we require the Ocaml compiler to be present when building the test files themselves. (#940471)
  • Rebuild our test squashfs images to exclude the character device as they requires root or fakeroot to extract. (#65) [...]

• Code cleanups, including dropping some unnecessary control flow [...], dropping unnecessary pass statements [...] and dropping explicitly inheriting from object class as it unnecessary in Python 3 [...].

Debian

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

• Ported the contact-maintainers script to Python 3.x. [...]

• Investigated and triaged expat, firefox-esr, libgcrypt11, libgcrypt20, memcachedb, nmap, pam-python, php-pecl-http, poppler, python2.7 (CVE-2019-16056), suricat (CVE-2019-10054, CVE-2019-10055 and CVE-2019-10056) systemd, unzip & xtrlock.

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.

• Issued DLA 1908-1 for the pump BOOTP and DHCP client to prevent an arbitrary code execution vulnerability.

• Issued DLA 1912-1 and ELA-161-1 for expat to stop a heap-based buffer overread vulnerability in this XML parsing library.

• Issued DLA 1913-1 for the memcached distributed memory object caching system in order to patch a stack-based buffer overread issue.

• Issued DLA 1917-1 for a heap buffer overflow vulnerability the curl tool for transferring data over the internet.

• Closed an ECDSA timing attack by issuing DLA 1931-1 against the libgcrypt20 cryptographic library.

You can find out more about the projects via the following video:

Uploads

• redis (5.0.6-1) — New upstream release

• python-django:

  • 2.2.5-1 — New upstream bugfix release
  • 3.0~alpha1-1 — New upstream "alpha" release

• aptfs:

  • 1.0.0:
    • Port to Python 3.x. (#936131)
    • Move to a native package and import external Debian packaging from into this repository.
    • Add a pyproject.toml and apply the black source code formatter to the source tree.
    • Drop TODO file; we use our code hosting platform's issue tracker now.
  • 1.0.1 — Fix opening/reading of files after Python 3.x migration.

• gunicorn:

  • 19.9.0-2 — Drop support for Python 2.x; the gunicorn package now provides the Python 3.x version. (#936679)
  • 19.9.0-3 — Port autopkgtests to Python 3.x.
  • 19.9.0-4 — Add a /usr/bin/gunicorn3 → /usr/bin/gunicorn compatibility symlink. (#939409)

• installation-birthday (13):

  • Don't use the deprecated platform library. (#940803)
  • Add a gitlab-ci.yml.
  • Misc coding updates, inculding use the logging module's own string interpolation, not inheriting from object etc.

• libfiu:

  • 1.00-1:

    • New upstream release.
    • Drop Python 2.x packages. (#936856)
    • Register HTML documentation with doc-base.
    • Update Lintian overrides, including overriding pkg-config-unavailable-for-cross-compilation for usr/lib/pkgconfig/libfiu.pc.

  • 1.00-2 — Also drop Python 2 support in the autopkgtests.

  • 1.00-3 — Patch the upstream Makefile to not build the Python 2.x bindings to ensure the tests pass.

• memcached:

  • 1.5.17-1:
    • Adopt package. (#939425)
    • New upstream release. (#924584, #939337, #879797, #835456, #789835)
    • Source /etc/default/memcached in /etc/init.d/memcached. (#934542)
    • Add a Pre-Depends on ${misc:Pre-Depends} to ensure a correct dependency on init-system-helpers for the --skip-systemd-native flag.
    • Install README.damemtop to /usr/share/doc/memcached instead of under /usr/share/memcached
  • 1.5.17-2:
    • In the systemd .service file, specify a PIDFile under /run.
    • Add missing ${perl:Depends} to binary dependencies.
  • 1.5.18-1 — New upstream release

New upstream releases of bfs (1.5.1-1), django-auto-one-to-one (3.2.0-1), python-daiquiri (1.6.0-1), python-hiredis (1.0.0-1) and python-redis (3.3.7-1).

Finally, I sponsored uploads of adminer (4.7.3-1) and python-pyocr (0.7.2-1).

FTP Team

As a Debian FTP assistant I ACCEPTed 33 packages: crypto-policies, firmware-tomu, gdmd, golang-github-bruth-assert, golang-github-paypal-gatt, golang-github-rivo-uniseg, golang-github-xlab-handysort, golang-gopkg-libgit2-git2go.v28, icingaweb2-module-audit, icingaweb2-module-boxydash, icingaweb2-module-businessprocess, icingaweb2-module-cube, icingaweb2-module-director, icingaweb2-module-eventdb, icingaweb2-module-graphite, icingaweb2-module-map, icingaweb2-module-nagvis, icingaweb2-module-pnp, icingaweb2-module-statusmap, icingaweb2-module-x509, lazygit, ldh-gui-suite, meep, minder, node-solid-jose, ocaml-charinfo-width, ocaml-stdcompat, ppxfind, ppxlib, printrun, python-securesystemslib, sshesame & tpm2-initramfs-tool.

I additionally filed 6 RC bugs against packages that had potentially-incomplete debian/copyright files against crypto-policies, golang-github-paypal-gatt, icingaweb2-module-graphite, icingaweb2-module-statusmap, minder & printrun.

You can subscribe to new posts via email or RSS.