Here is my monthly update covering what I have been doing in the free software world during March 2026 (previous month).
Reproducible Builds
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
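To make the idea concrete, here is an added example (my illustration, not code from the post or from the Reproducible Builds project's tooling) that builds the same tiny source tree several times two ways: a naive tarball that embeds the current time and a random build id, and a normalised tarball whose timestamps come from SOURCE_DATE_EPOCH and whose members are added in sorted order. A small consensus helper then shows how independent rebuilders comparing digests would spot a divergent build. The source tree and the SOURCE_DATE_EPOCH value are constructed for the example.

```python
import gzip
import hashlib
import io
import tarfile
import time
import uuid

# Constructed sample "source tree" for this example: path -> file contents.
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"demo package\n",
    "src/util.h": b'#define VERSION "1.0"\n',
}

# Assumed SOURCE_DATE_EPOCH for the example (2023-11-14T22:13:20Z); real builds
# take it from the environment or the latest changelog entry.
SOURCE_DATE_EPOCH = 1700000000


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _add_member(tar: tarfile.TarFile, path: str, data: bytes, mtime: int) -> None:
    """Write one regular file with canonical owner and mode into an open tar."""
    info = tarfile.TarInfo(path)
    info.size = len(data)
    info.mtime = mtime
    info.mode = 0o644
    info.uid = info.gid = 0
    info.uname = info.gname = "root"
    tar.addfile(info, io.BytesIO(data))


def naive_build(tree: dict) -> bytes:
    """Archive the tree the way many build scripts do by accident.

    Three classic reproducibility bugs: the gzip header carries the current
    time, member mtimes are wall-clock, and a BUILD_INFO file bakes a
    timestamp and a random build id into the output.
    """
    buf = io.BytesIO()
    now = int(time.time())
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:  # gzip mtime = now
        for path, data in tree.items():  # insertion order, not sorted
            _add_member(tar, path, data, now)
        build_info = f"built_at={time.time_ns()}\nbuild_id={uuid.uuid4()}\n"
        _add_member(tar, "BUILD_INFO", build_info.encode(), now)
    return buf.getvalue()


def reproducible_build(tree: dict, source_date_epoch: int) -> bytes:
    """Same inputs with every volatile field pinned.

    mtimes come from SOURCE_DATE_EPOCH, members are added in sorted order,
    the gzip header timestamp is fixed, and no build-time metadata is embedded.
    """
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=source_date_epoch) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for path in sorted(tree):
                _add_member(tar, path, tree[path], source_date_epoch)
    return buf.getvalue()


def rebuild_digests(builder, runs: int = 3) -> set:
    """Build repeatedly from identical inputs; one digest means reproducible."""
    return {sha256_hex(builder()) for _ in range(runs)}


def member_mtimes(archive: bytes) -> set:
    """Read the archive back and collect the distinct member mtimes."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return {m.mtime for m in tar.getmembers()}


def consensus(reports: dict) -> tuple:
    """Group independent rebuilders by the digest they reported.

    Returns (unanimous, {digest: sorted rebuilder names}); when several digests
    are present the caller can see exactly which rebuilders disagree.
    """
    by_digest = {}
    for rebuilder in sorted(reports):
        by_digest.setdefault(reports[rebuilder], []).append(rebuilder)
    return len(by_digest) == 1, by_digest


if __name__ == "__main__":
    naive = rebuild_digests(lambda: naive_build(SOURCE_TREE))
    good = rebuild_digests(lambda: reproducible_build(SOURCE_TREE, SOURCE_DATE_EPOCH))
    print("distinct digests, naive build:       ", len(naive))
    print("distinct digests, reproducible build:", len(good))
    digest = next(iter(good))
    print(consensus({"rebuilder-a": digest, "rebuilder-b": digest,
                     "rebuilder-c": sha256_hex(naive_build(SOURCE_TREE))}))
```

Running it, the naive builder yields a different digest on every run while the normalised builder yields exactly one, and the consensus output names the rebuilder whose artefact does not match. Tools such as diffoscope exist precisely to explain the remaining byte differences when the digests disagree.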
The project is proud to be a member project of the Software Freedom Conservancy. Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
This month, I:

- Submitted 12 patches to fix specific reproducibility issues in aetos, dh-fortran, django-ninja, gfan, kanboard, libcupsfilters, moltemplate, python-agate, python-discovery, python-nxtomomill, sol2 & stacer.
- Kept isdebianreproducibleyet.com up to date. [...]
- Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.
- Drafted, published and publicised our monthly report for February 2026.
- Updated the main Reproducible Builds website and documentation, merging Timo Pohl's change to add GitLab registration confirmation to the "register for Salsa" instructions. [...]
Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions 314 and 315 to Debian:
- Add some debugging information to help diagnose problems with PyPI. [...]
- Don't run the test_code_is_black_clean test in autopkgtests. [...]
Debian
Uploads
- memcached (1.6.41-1) — New upstream release.
- 4.2.29-1 — New upstream security release.
- 6.0.3-1 — New upstream security release.
- 8.6.1-1 — New upstream release.
- 8.6.2-1 — New upstream release.
Debian LTS
This month I have worked 30 hours on Debian Long Term Support (LTS) and on its sister Extended LTS (ELTS) project.
- Investigated and triaged: awstats (CVE-2025-63261), dpkg (CVE-2026-2219), libapache-session-perl (CVE-2025-40931), nfs-utils (CVE-2025-12801), python-django, pypdf2 (CVE-2026-28351), python2.7 (CVE-2025-69534 & CVE-2026-2297), python3.9 (CVE-2025-69534 & CVE-2026-2297) & squirrel3 (CVE-2026-2659, CVE-2026-2661, CVE-2026-3388 & CVE-2026-3389).
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in any mailing list discussions, etc.
- Issued DLA 4509-1 and ELA 1662-1 because it was discovered that there was a potential command injection vulnerability in awstats, an analytics tool for web servers and similar services.
- Did initial work on updates for redis, inetutils and python-geopandas to be released in early April.
You can find out more about the Debian LTS project via the following video:
