Software Freedom Conservancy, the fiscal sponsor for the Reproducible Builds project, have announced their fundraising season with a huge pledge to match donations. If you have been considering joining as a supporter, now would be the time to do so.
Here is my monthly update covering what I have been doing in the free software world during November 2019 (previous month):
- As part of my duties of being on the board of directors of the Open Source Initiative I attended our autumn face-to-face meeting hosted by Zalando in Berlin, Germany. I also participated in various licensing and other discussions occurring on the internet, as well as the usual internal discussions regarding logistics, policy, etc., liaising at times with the ClearlyDefined project.
- Started early conversations as the Head Judge for the next iteration of the OpenUK awards to be given out in June 2020.
- As part of serving on the board of Software in the Public Interest, Inc. I attended my first face-to-face meeting in Manhattan, New York which was graciously hosted by Hudson River Trading. It was great to meet the rest of the board in person after talking at such length over the internet.
- Opened pull requests to make the build reproducible in:
  - Sybil, a framework for automated testing for examples in documentation. [...]
  - IMAP Spam Begone, a tool that makes it easy to scan an IMAP inbox for spam using SpamAssassin. [...]
  - splitpatch, a utility to split a patch into separate sections. [...]
- For the Tails privacy-oriented operating system, I uploaded the latest version of OnionShare (2.2) to Debian.
- Opened a pull request to correct an "environment" typo in SPIRV-Tools, part of the Khronos 3D graphics processing libraries. [...]
- Even more hacking on the Lintian static analysis tool for Debian packages:
  - New features/changes:
    - Suggest switching from debian/compat to debhelper-compat. (#933304)
    - Upgrade the severity of missing-systemd-service-for-init.d-script from "pedantic" to a normal warning. (#943957)
    - Bump maximum length of the field-too-long check to 32,768. (#942493)
  - Reporting:
    - Drop quoting around the field that violates field-too-long. [...]
  - Bug fixes:
    - Don't emit changelog-file-missing-explicit-entry for stable updates. (#944098)
    - Don't complain about long descriptions or Build-Id fields that appear to be too long. (#942493)
    - Don't emit debian-rules-not-executable if debian/rules is a symlink as we warn about this via debian-rules-is-symlink. [...]
    - Don't emit package-supports-alternative-init-but-no-init.d-script when we have a .path and .service pair. (#944094)
    - Correct logic when excluding .path/.timer & .service pairs from systemd-service-file-missing-install-key. (#944145)
    - Don't emit systemd-service-file-missing-install-key for .service files with corresponding .path or .timer pairs. (#944145)
    - Don't emit missing-depends-on-sensible-utils for sensible-utils itself. (#944895)
Reproducible builds
Whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed pre-compiled to end users.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third parties to come to a consensus on whether a build was compromised.
The initiative is proud to be a member project of the Software Freedom Conservancy, a not-for-profit 501(c)(3) charity focused on ethical technology and user freedom.
Conservancy acts as a corporate umbrella, allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
Conservancy's fundraising season has begun in earnest with a huge pledge to match donations from a number of illustrious individuals. If you have ever considered joining as a supporter, now would be the time to do so.
This month, I:
- Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
- Filed upstream pull requests for Sybil, IMAP Spam Begone, splitpatch & Snakemake.
- In Debian:
  - Kept isdebianreproducibleyet.com up to date. [...]
  - I submitted 8 patches to fix specific reproducibility issues in intel-gpu-tools, isbg, libaqbanking, liblopsub, python-sybil, splitpatch, superlu-dist & tm-align.
- I spent a few moments on our website this month too, including dropping the duplicated use of the term "community" and other words [...][...], correcting the capitalisation of GitHub & GitLab [...] and correcting the use of "an" [...].
- Drafted, published and publicised our monthly report.
- strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build. This month, I added file as a dependency for libfile-stripnondeterminism-perl (#945212) and moved away from the deprecated $ADTTMP variable [...].
- Did some arrangement, organisation and financial administration regarding our upcoming summit meeting in Marrakesh, Morocco.
I also made the following changes to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues:
- New features / improvements:
  - Allow all possible .zip file variations to return from external tools with non-zero exit codes, not just known types we can identify (eg. Java .jmod and .jar files). (#78)
  - Limit .dsc and .buildinfo file matching to files in ASCII or UTF-8 format. (#77)
  - Bump the previous max_page_size limit from 400 kB to 4 MB. [...]
  - Clarify in the HTML and text outputs that the limits are per-format, not global. (#944882)
  - Don't use line-based buffering when communicating with subprocesses in "binary" mode. (#75)
- Regression fixes:
  - Correct the substitution/filtering of paths in ELF output to avoid unnecessary differences depending on the path name provided and commandline. (#945572)
  - Silence/correct a Python SyntaxWarning message due to incorrectly comparing an integer by identity vs. equality. (#945531)
- Testsuite improvements:
  - Refresh the OCaml test fixtures to support versions greater than 4.08.1. [...]
  - Update an Android manifest test to reflect that parsed XML attributes are returned in a new/sorted manner under Python 3.8. [...]
  - Dramatically truncate the tcpdump expected diff to 8KB from ~600KB to reduce the size of the release tarball. [...]
  - Add a self-test to encourage that new test data files are generated dynamically or at least no new ones are added without an explicit override. [...]
  - Add a comment that the text_ascii1 and text_ascii2 fixture files are used in multiple tests so it is not trivial to remove/replace them. [...]
  - Drop two more test fixture files for the directory tests. [...]
  - Don't run our self-test against the output of the Black source code reformatter with versions earlier than ours as it will generate different results. [...]
  - Update an XML test for Python 3.8. [...]
  - Drop an unused BASE_DIR global. [...]
- Code improvements:
Debian
Uploads
- redis (5:5.0.7-1) — New upstream release.
- python-django (2.2.7-1 & 3.0~rc1-1) — New upstream releases.
- cpio (2.13+dfsg-1) — New upstream release.
- libfiu (1.00-4) — Prevent a build failure when multiple Python version libraries exist in the build tree by manually deleting all but the version for the default Python version returned by py3versions prior to running the test suite. (#944911)
- gunicorn (20.0.0-1 & 20.0.2-1) — New upstream releases.
- memcached (1.5.20-1) — New upstream release.
I also sponsored an upload of adminer (4.7.5-1) on behalf of Alexandre Rossi.
Debian bugs filed
- bowtie2: imp Python module deprecation warning is embedded into bowtie2-inspect(1) manpage. (#945422)
- golang-github-nrdcg-goinwx: Please update/expand the "Andrew" copyright holder. (#944066)
- pcb-rnd: /usr/lib symlinks point to an (absolute) build directory. (#943955)
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged dia, freerdp, freetds, gnupg2, inetutils, jetty8, libjackson-json-java, libvpx, llvm-toolchain-6.0, mailutils, netkit-telnet-ssl, proftpd-dfsg, python-reportlab, ruby-rack-cors, ruby2.1, shiro, simplesamlphp, symfony, tnef, vino, wordpress & xcftools.
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Issued DLA 1985-1 to fix a NULL pointer dereference issue in the IW44 encoder/decoder within DjVu, a set of compression technologies for high-resolution images.
- Issued DLA 1998-1 to address multiple double-free vulnerabilities in psutil, a Python module providing convenience functions for accessing system process data.
FTP Team
As a Debian FTP assistant I ACCEPTed 21 packages: golang-github-boj-redistore, golang-github-dchest-uniuri, golang-github-jackc-fake, golang-github-joyent-gocommon, golang-github-mattetti-filebuffer, golang-github-nrdcg-goinwx, golang-github-pearkes-dnsimple, golang-github-soniah-dnsmadeeasy, golang-github-vultr-govultr, golang-github-zorkian-go-datadog-api, meep, meep-mpi-default, meep-openmpi, node-eslint-plugin-requirejs, node-i18next, node-node-sass, node-re2, ocplib-endian, python-asynctest, python-janus & python-matrix-nio.