Here is my monthly update covering what I have been doing in the free software world during September 2021 (previous month):
- For Lintian, the static analysis tool for Debian packages, I corrected some confusion between left and right parentheses which was leading to output such as ')2 errors)' [...]. I also uploaded versions 2.105.0, 2.106.0 & 2.106.1, and as part of this release process, I filed two bugs against the Lintian package: the first concerning the program failing to run when packaged into a .deb (#993651); the second was an issue where it emitted warnings when run against its own .deb package (#993711).
- I also opened a pull request to make the build process of pybedtools reproducible, a set of programs widely used for genomic interval manipulation. [...]
- As part of my duties of being on the board of directors of the Software in the Public Interest, I attended their monthly IRC meeting.
Reproducible Builds
The project is proud to be a member project of the Software Freedom Conservancy. Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
This month, I:
- Submitted 8 patches to fix specific reproducibility issues in the htscodecs, lcalc, osdlyrics, python-pairix, python-pybedtools, python-tomli, rust-insta & xtermcontrol Debian packages.
- Kept isdebianreproducibleyet.com up to date. [...]
- Opened a pull request upstream to make the build process for pybedtools reproducible, a set of programs widely used for genomic interval manipulation. [...]
- Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
- Drafted, published and publicised our monthly report as well as continued to maintain our @ReproBuilds Twitter account.
diffoscope
Elsewhere in Reproducible Builds' tooling, I made the following changes to diffoscope, including preparing and uploading versions 183, 184 and 185 and significant triaging of merge requests and other incoming issues:
- New features:
  - Support a newer format version of the R language's .rds files. [...]
  - Update tests for OCaml 4.12. [...]
  - Add a missing format_class import. [...]
- Bug fixes:
  - Don't call close_archive when garbage collecting Archive instances, unless open_archive definitely returned successfully. This prevents, for example, an AttributeError where PGPContainer's cleanup routines were rightfully assuming that its temporary directory had actually been created. [...]
  - Fix (and test) the comparison of R language's .rdb files after refactoring temporary directory handling. [...]
  - Ensure that "RPM archives" exists in the Debian package description, regardless of whether python3-rpm is installed or not at build time. [...]
- Codebase improvements:
Debian
Package uploads
- 3.2.7-1 — New upstream bugfix release.
- 3.2.7-2 — Upload 3.2 branch to Debian unstable.
- 3.2.7-4 — Skip a minor test.
- 4.0~alpha1-1 — New upstream 4.x 'alpha' release (to experimental).
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged ghostscript (CVE-2021-3781), gpac (CVE-2020-19750), pure-ftpd (CVE-2021-40524), python3.5 (CVE-2021-3733), redis (CVE-2020-21468) & tiff (CVE-2020-19131).
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions and attending the monthly meeting etc. I also started a thread on the development mailing list regarding LTS-specific updates to Lintian.
- Pushed a missing update to the website, specifically DLA-2717-2 to followup to DLA-2712-2. [...]
- Issued DLA 2727-1 as it was discovered that there was a code injection issue in PyXDG, a library used to locate freedesktop.org configuration/cache directories.
- Issued DLA 2728-1 to address four issues in the VideoLAN/VLC media player caused by buffer overflows and NULL-pointer dereferences.
- Issued DLA 2729-1 for the Asterisk telephony system to address an issue where if a particular driver received a packet that contained an unsupported media format, a crash could have occurred.
You can find out more about the Debian LTS project in the following video: