Here is my monthly update covering what I have been doing in the free software world during September 2025 (previous month).
Reproducible Builds
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during compilation processes by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
This month, I:
- Submitted a number of patches to fix specific reproducibility issues, including ones for g2o, golang-forgejo-forgejo-levelqueue, llama.cpp, octave-optics, openrgb, python-mcstasscript and rocm-docs-core.
- Kept isdebianreproducibleyet.com up to date. […]
- Drafted, published and publicised our monthly report for August 2025.
- Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.
- Updated the main Reproducible Builds website and documentation.
I also made the following changes to diffoscope, including preparing and uploading versions 303, 304 and 305 to Debian:
- Improvements:
  - Use sed(1) backreferences when generating debian/tests/control to avoid duplicating ourselves. […]
  - Move from a mono-utils dependency to a versioned mono-devel | mono-utils dependency, taking care to maintain the [!riscv64] architecture restriction. […]
  - Use sed over awk to avoid mangling dependency lines containing = (equals) symbols such as version restrictions. […]
- Bug fixes:
  - Fix a test after the upload of systemd-ukify version 258~rc3. […]
  - Ensure that Java class files are named .class on the filesystem before passing them to javap(1). […]
  - Do not run jsondiff on files over 100KiB as the algorithm runs in O(n^2) time. […]
  - Don't check for PyPDF version 3 specifically; check for >=3. […]
- Misc:
Debian
- lastpass-cli (1.6.1-4) — Fix compatibility with CMake 4.0. (#1113094)
- libfiu (1.2-4) — Apply an upstream patch to fix a build failure under GCC version 15. (#1097184)
- 5.2.6-1 — New upstream security release.
- 4.2.24-1 — New upstream security release.
- 6.0~alpha1-1 — New upstream beta release.
- Filed a bug against the ms-gsl package as it contained an invalid date line in the debian/changelog file. (#1113809)
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged python-future (CVE-2025-50817).
- Worked on preparing packages for embargoed Django and Redis to be released in early October.
- Issued DLA 4301-1 as it was discovered that there was a potential SQL injection attack in Django, the popular Python-based web development framework. Specifically, the FilteredRelation class was vulnerable to an SQL injection through its use of column aliases. This could have been exploited using a suitably crafted dictionary that was controlled by an attacker, either with dictionary expansion via the **kwargs passed to QuerySet.annotate() or by using QuerySet.alias() directly.
- Issued ELA-1517-1 because a potential HTTP Request Smuggling vulnerability was discovered in python-eventlet, a concurrent networking library for Python. This issue was caused by the improper handling of HTTP trailer sections. This vulnerability could have permitted attackers to bypass front-end security controls, launch targeted attacks against active site users and/or poison web caches. This problem has been addressed by dropping trailers, a potentially breaking change if a backend behind the eventlet.wsgi proxy requires such trailers.
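The DLA 4301-1 item above turns on the fact that dictionary keys supplied to QuerySet.annotate() or QuerySet.alias() end up as column aliases in SQL. The following is an added illustration, not Django's own fix or any code from the advisory, of the application-level guard a project should have in front of such a call: keys coming from a request are only accepted if they are bare identifiers (and, optionally, on an allowlist), so nothing resembling a quoting character or SQL fragment can reach the alias position. The function names, the regular expression and the sample dictionaries are all assumptions constructed for this example.

```python
import keyword
import re

# Conservative shape for a column alias: a plain identifier. This guard is an
# illustration written for this post, not Django's own validation logic.
_ALIAS_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_safe_alias(name) -> bool:
    """Return True if ``name`` is acceptable as an annotate()/alias() key.

    Rejects non-strings, anything that is not a bare identifier, Python
    keywords, and names containing the ``__`` lookup separator, so a caller
    cannot smuggle quoting characters or lookups through the alias position.
    """
    return (
        isinstance(name, str)
        and bool(_ALIAS_RE.match(name))
        and not keyword.iskeyword(name)
        and "__" not in name
    )


def validate_aliases(user_aliases, allowed=None):
    """Return a dict that is safe to expand as ``QuerySet.annotate(**result)``.

    ``user_aliases`` maps alias -> expression (the expression side is left to
    the ORM); ``allowed`` is an optional allowlist of alias names. Raises
    ValueError on the first bad key so the request is rejected outright
    rather than silently narrowed.
    """
    cleaned = {}
    for name, expression in user_aliases.items():
        if not is_safe_alias(name):
            raise ValueError(f"rejected alias {name!r}: not a bare identifier")
        if allowed is not None and name not in allowed:
            raise ValueError(f"rejected alias {name!r}: not in allowlist")
        cleaned[name] = expression
    return cleaned


# Constructed sample inputs: a benign alias and one carrying a quote character
# that must never be interpolated into SQL.
BENIGN = {"total_price": "Sum('items__price')"}
HOSTILE = {'bad"alias': "Sum('items__price')"}


def demo():
    """Run the guard over the constructed samples and report the outcome."""
    accepted = validate_aliases(BENIGN, allowed={"total_price", "item_count"})
    try:
        validate_aliases(HOSTILE)
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

In a view this sits between request parsing and the ORM call, e.g. `qs.annotate(**validate_aliases(request_dict, allowed=ALLOWED))`, so that the aliases the query planner sees are always drawn from names the application chose.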
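The ELA-1517-1 item above says the eventlet issue was resolved by dropping HTTP trailer sections. To show concretely what "dropping trailers" means at the parser level, here is an added example (written for this post; it is not python-eventlet's code) of a chunked-transfer-encoding decoder that reads the chunks, then consumes the trailer lines after the terminating zero-length chunk and discards them instead of merging them into the request's header set. Malformed chunk sizes or truncated input raise an error so a proxy fails closed rather than guessing at message boundaries. The function name and the sample message are assumptions constructed here.

```python
CRLF = b"\r\n"
_HEX = b"0123456789abcdefABCDEF"


def decode_chunked(data: bytes):
    """Decode a chunked-encoded HTTP body and discard its trailer section.

    Returns (payload, bytes_consumed, trailers_dropped). Trailer header lines
    following the zero-length chunk are counted and thrown away; they never
    reach whoever holds the parsed headers. ValueError is raised on malformed
    or truncated input.
    """
    pos = 0
    payload = bytearray()
    while True:
        end = data.find(CRLF, pos)
        if end == -1:
            raise ValueError("truncated chunk-size line")
        # Chunk extensions (after ';') are ignored; only the hex size matters.
        size_field = data[pos:end].split(b";", 1)[0].strip()
        if not size_field or not all(c in _HEX for c in size_field):
            raise ValueError("invalid chunk size: %r" % size_field)
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            break
        chunk = data[pos:pos + size]
        if len(chunk) != size or data[pos + size:pos + size + 2] != CRLF:
            raise ValueError("truncated or mis-terminated chunk")
        payload += chunk
        pos += size + 2
    # Trailer section: zero or more header lines, then an empty line. Each
    # line is dropped on the floor rather than being parsed as a header.
    dropped = 0
    while True:
        end = data.find(CRLF, pos)
        if end == -1:
            raise ValueError("truncated trailer section")
        line = data[pos:end]
        pos = end + 2
        if not line:
            break
        dropped += 1
    return bytes(payload), pos, dropped


# Constructed sample: two data chunks, a zero chunk, then two trailer lines.
SAMPLE = (
    b"4\r\nWiki\r\n"
    b"5\r\npedia\r\n"
    b"0\r\n"
    b"X-Trailer-One: a\r\n"
    b"X-Trailer-Two: b\r\n"
    b"\r\n"
)


if __name__ == "__main__":
    body, used, dropped = decode_chunked(SAMPLE)
    print(body, used, dropped)
```

The `bytes_consumed` value matters for a proxy: it marks exactly where the next request on a keep-alive connection begins, so front end and back end cannot disagree about message boundaries, which is the disagreement request smuggling depends on.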
You can find out more about the Debian LTS project via the following video:
