Free software activities in September 2020

Here is my monthly update covering what I have been doing in the free software world during September 2020 (previous month):

• Updated my tickle-me-email library (which implements Getting Things Done (GTD)-like behaviours in IMAP inboxes) to support adding 'TODO' entries as read or unread based on a runtime configuration parameter. [...]

• As part of my role of being the assistant Secretary of the Open Source Initiative and a board director of Software in the Public Interest, I attended their respective monthly meetings and participated in various licensing and other discussions occurring on the internet as well as the usual internal discussions, etc. I participated in the OSI's inaugural State of the Source conference and began the 'onboarding' of a new project to SPI.

Reproducible Builds

One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

The project is proud to be a member project of the Software Freedom Conservancy. Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.

This month, I:

• Uploaded a number of Debian packages to close reproducibility issues that I had previously provided patches for, including cfingerd (#831021), grap (#870573), splint (#924003) & schroot (#902804)

• Categorised a huge number of packages and issues in the Reproducible Builds "notes" repository and began work on an auto-classifier script.

• I also submitted 8 patches to fix specific reproducibility issues within Debian for check-pgbackrest, cif2cell, evince, haskell-haskell-gi-base, libiio, jhbuild, smartdns & smartlist.

• Updated the main Reproducible Builds website and documentation:

  • Worked with Amateur Radio Digital Communications in order to announce their generous sponsorship of the Reproducible Builds project.
  • Drafted, published and publicised August's monthly report.
  • Update a few titles and the ordering of some top-level navigation elements. [...]
  • Improve the documentation on how to signup to Salsa. [...]
  • Add some more links to academic papers. [...]
  • Also include the general news in our RSS feed [...] and drop including weekly reports from the RSS feed (they are never shown now that we have over 10 items) [...].
  • Update ordering and location of various news and links to tarballs, etc. [...][...][...]

• Kept isdebianreproducibleyet.com up to date. [...]

• Continued collaborative work on a scientific/academic article, hopefully to be published within a few months.

diffoscope

I made the following changes to diffoscope, including preparing and uploading versions 159 and 160 to Debian:

• New features:

  • Show "ordering differences" only in strings(1) output by applying the ordering check to all differences across the codebase. [...]

• Bug fixes:

  • Mark some PGP tests that they require pgpdump, and check that the associated binary is actually installed before attempting to run it. (#969753)
  • Don't raise exceptions when cleaning up after guestfs cleanup failure. [...]
  • Ensure we check FALLBACK_FILE_EXTENSION_SUFFIX, otherwise we run pgpdump against all files that are recognised by file(1) as data. [...]

• Codebase improvements:

  • Add some documentation for the EXTERNAL_TOOLS dictionary. [...]
  • Abstract out a variable we use a couple of times. [...]

• diffoscope.org website improvements:

  • Make the (long) demonstration GIF less prominent. [...]

Debian

Lintian

For Lintian, the static analysis tool for Debian packages, I uploaded versions 2.93.0, 2.94.0, 2.95.0 & 2.96.0 (not counting uploads to the backports repositories), as well as:

• Bug fixes:

  • Don't emit odd-mark-in-description for large numbers such as 300,000. (#969528)
  • Update the expected Vcs-{Browser,Git} location of modules and applications maintained by recently-merged Python module/app teams. (#970743)
  • Relax checks around looking for the dh(1) sequencer by not looking for the preceding target:. (#970920)
  • Don't try and open debian/patches/series if it does not exist. [...]
  • Update all $LINTIAN_VERSION assignments in scripts and not just the ones we specify; we had added and removed some during development. [...]

• Tag updates:

  • Clarify which Vcs-* the vcs-field-not-canonical tag is being emitted for and update its long description to remove misleading messages. (#970201)
  • Clarify logic in the long description for odd-mark-in-description. [...]
  • Correct a typo in the long description for the odd-mark-in-description tag. [...]

• Developer documentation updates:

  • Add prominent and up-to-date information on how to run the testsuite. (#923696)
  • Drop recommendation to update debian/changelog manually. [...]
  • Apply wrap-and-sort -sa to the debian subdirectory. [...]
  • Merge data/README into CONTRIBUTING.md for greater visibility [...] and move CONTRIBUTING.md to use #-style Markdown headers [...].

Debian LTS

This month I've worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

• Investigated and triaged golang-1.7, inspircd, kleopatra, libdbi-perl, open-build-service, openssl, openssl1.0, python-django., tinymce, yaws & zeromq3, amongst others.

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, attending our monthly IRC meeting, participating in mailing list discussions, etc.

• Issued DLA 2368-1 for grunt to fix an arbitrary code execution vulnerability due to the unsafe loading of YAML documents.

• Issued DLA 2370-1 and ELA-281-1 for the python-pip Python package installer to fix a directory traversal attack where arbitrary local files (eg. /root/.ssh/authorized_keys) could be overridden.

• Issued DLA 2372-1 and ELA-282-1 to prevent a denial of service attack in libproxy, a library to make applications HTTP proxy-aware.

• Issued DLA 2374-1 for the gnome-shell component of the GNOME desktop. In certain configurations, when logging out of an account, the password box from the login dialog could reappear with the password visible in plaintext.

• Issued DLA 2380-1 for ruby-gon, a library to send/convert data to Javascript from Ruby applications, to prevent cross-site scripting (XSS) vulnerabilities.

You can find out more about the project via the following video:

Uploads

• python-django (2.2.16-1 & 3.1.1-1) — New upstream security releases.

• memcached:

  • 1.6.7+dfsg-1 — New upstream release.
  • 1.6.7+dfsg-2 & 1.6.7+dfsg-3 — Run tests in single CPU mode. (#968603)

• redis (6.0.7-1 & 6.0.8-1) — New upstream releases & miscellaneous packaging updates.

• docbook-to-man (2.0.0-45) — Ensure shunit2 autopkgtest dependency is cross-architecture friendly. (#969604)

Bugs filed

• bluez-source: Contains bluez-source-tmp directory. (#970130)

• bookworm: Manual page contains debugging/warning/error information from running binary. (#970277)

• jhbuild: Missing runtime dependency on python3-distutils. (#971418)

• wxwidgets3.0: Links in documentation points to within the original build path, not the installed path. (#970431)

You can subscribe to new posts via email or RSS.