Here s my (twenty-seventh) monthly but brief update about the activities I ve done in the F/L/OSS world.
Debian
This was my 36th month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas 19! \o/
Just churning through the backlog again this month. Ugh.
Anyway, I did the following stuff in Debian:
Uploads and bug fixes:
ruby2.7 (2.7.5-1) - New upstream version fixing 3 new CVEs.
Other $things:
Mentoring for newcomers.
Moderation of -project mailing list.
Ubuntu
This was my 11th month of actively contributing to Ubuntu.
Now that I ve joined Canonical to work on Ubuntu full-time, there s a bunch of things I do! \o/
I mostly worked on different things, I guess.
I was too lazy to maintain a list of things I worked on so there s
no concrete list atm. Maybe I ll get back to this section later or
will start to list stuff from next year onward, as I was doing before. :D
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my twenty-seventh month as a Debian LTS and eighteenth month as a Debian ELTS paid contributor.
I was assigned 40.00 hours for LTS and 60.00 hours for ELTS and worked on the following things:
(since I had a 3-week vacation, I wanted to wrap things up that were pending and so I worked for 20h more for LTS, which I ll compensate the next month!)
Issued DLA 2854-1, fixing CVE-2017-18635, for novnc.
For Debian 9 stretch, these problems have been fixed in version 1:0.4+dfsg+1+20131010+gitf68af8af3d-6+deb9u1.
Issued ELA 536-1, fixing CVE-2021-43818, for lxml.
For Debian 8 jessie, these problems have been fixed in version Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain.
Started working on src:samba for CVE-2020-25717 to CVE-2020-25722 and CVE-2021-23192 for jessie and stretch, both.
The version difference b/w the suites are a bit too much for the patch(es) to be easily backported. I ve talked to Anton to work something out. \o/
Found the problem w/ libjdom1-java. Will have to roll the regression upload.
I ve prepared the patch but needs some testing to be finally rolled out. Same for stretch.
Other (E)LTS Work:
Front-desk duty from 29-11 to 05-12 and 20-12 to 26-12 for both LTS and ELTS.
In my two most recent posts, I listed the memoirs and biographies and followed this up with the non-fiction I enjoyed the most in 2021. I'll leave my roundup of 'classic' fiction until tomorrow, but today I'll be going over my favourite fiction.
Books that just miss the cut here include Kingsley Amis' comic Lucky Jim, Cormac McCarthy's The Road (although see below for McCarthy's Blood Meridian) and the Complete Adventures of Tintin by Herg , the latter forming an inadvertently incisive portrait of the first half of the 20th century.
Like ever, there were a handful of books that didn't live up to prior expectations. Despite all of the hype, Emily St. John Mandel's post-pandemic dystopia Station Eleven didn't match her superb The Glass Hotel (one of my favourite books of 2020). The same could be said of John le Carr 's The Spy Who Came in from the Cold, which felt significantly shallower compared to Tinker, Tailor, Soldier, Spy again, a favourite of last year. The strangest book (and most difficult to classify at all) was undoubtedly Patrick S skind's Perfume: The Story of a Murderer, and the non-fiction book I disliked the most was almost-certainly Beartown by Fredrik Bachman.
Two other mild disappointments were actually film adaptions. Specifically, the original source for Vertigo by Pierre Boileau and Thomas Narcejac didn't match Alfred Hitchock's 1958 masterpiece, as did James Sallis' Drive which was made into a superb 2011 neon-noir directed by Nicolas Winding Refn. These two films thus defy the usual trend and are 'better than the book', but that's a post for another day.
A Wizard of Earthsea (1971)
Ursula K. Le Guin
How did it come to be that Harry Potter is the publishing sensation of the century, yet Ursula K. Le Guin's Earthsea is only a popular cult novel? Indeed, the comparisons and unintentional intertextuality with Harry Potter are entirely unavoidable when reading this book, and, in almost every respect, Ursula K. Le Guin's universe comes out the victor.
In particular, the wizarding world that Le Guin portrays feels a lot more generous and humble than the class-ridden world of Hogwarts School of Witchcraft and Wizardry. Just to take one example from many, in Earthsea, magic turns out to be nurtured in a bottom-up manner within small village communities, in almost complete contrast to J. K. Rowling's concept of benevolent government departments and NGOs-like institutions, which now seems a far too New Labour for me. Indeed, imagine an entire world imbued with the kindly benevolence of Dumbledore, and you've got some of the moral palette of Earthsea.
The gently moralising tone that runs through A Wizard of Earthsea may put some people off:
Vetch had been three years at the School and soon would be made Sorcerer; he thought no more of performing the lesser arts of magic than a bird thinks of flying. Yet a greater, unlearned skill he possessed, which was the art of kindness.
Still, these parables aimed directly at the reader are fairly rare, and, for me, remain on the right side of being mawkish or hectoring. I'm thus looking forward to reading the next two books in the series soon.
Blood Meridian (1985)
Cormac McCarthyBlood Meridian follows a band of American bounty hunters who are roaming the Mexican-American borderlands in the late 1840s. Far from being remotely swashbuckling, though, the group are collecting scalps for money and killing anyone who crosses their path. It is the most unsparing treatment of American genocide and moral depravity I have ever come across, an anti-Western that flouts every convention of the genre. Blood Meridian thus has a family resemblance to that other great anti-Western, Once Upon a Time in the West: after making a number of gun-toting films that venerate the American West (ie. his Dollars Trilogy), Sergio Leone turned his cynical eye to the western.
Yet my previous paragraph actually euphemises just how violent Blood Meridian is. Indeed, I would need to be a much better writer (indeed, perhaps McCarthy himself) to adequately 0utline the tone of this book. In a certain sense, it's less than you read this book in a conventional sense, but rather that you are forced to witness successive chapters of grotesque violence... all occurring for no obvious reason. It is often said that books 'subvert' a genre and, indeed, I implied as such above. But the term subvert implies a kind of Puck-like mischievousness, or brings to mind court jesters licensed to poke fun at the courtiers. By contrast, however, Blood Meridian isn't funny in the slightest. There isn't animal cruelty per se, but rather wanton negligence of another kind entirely. In fact, recalling a particular passage involving an injured horse makes me feel physically ill.
McCarthy's prose is at once both baroque in its language and thrifty in its presentation. As Philip Connors wrote back in 2007, McCarthy has spent forty years writing as if he were trying to expand the Old Testament, and learning that McCarthy grew up around the Church therefore came as no real surprise. As an example of his textual frugality, I often looked for greater precision in the text, finding myself asking whether who a particular 'he' is, or to which side of a fight some two men belonged to. Yet we must always remember that there is no precision to found in a gunfight, so this infidelity is turned into a virtue. It's not that these are fair fights anyway, or even 'murder': Blood Meridian is just slaughter; pure butchery. Murder is a gross understatement for what this book is, and at many points we are grateful that McCarthy spares us precision.
At others, however, we can be thankful for his exactitude. There is no ambiguity regarding the morality of the puppy-drowning Judge, for example: a Colonel Kurtz who has been given free license over the entire American south. There is, thank God, no danger of Hollywood mythologising him into a badass hero. Indeed, we must all be thankful that it is impossible to film this ultra-violent book... Indeed, the broader idea of 'adapting' anything to this world is, beyond sick.
An absolutely brutal read; I cannot recommend it highly enough.
Bodies of Light (2014)
Sarah MossBodies of Light is a 2014 book by Glasgow-born Sarah Moss on the stirrings of women's suffrage within an arty clique in nineteenth-century England. Set in the intellectually smoggy cities of Manchester and London, this poignant book follows the studiously intelligent Alethia 'Ally' Moberly who is struggling to gain the acceptance of herself, her mother and the General Medical Council. You can read my full review from July.
House of Leaves (2000)
Mark Z. DanielewskiHouse of Leaves is a remarkably difficult book to explain. Although the plot refers to a fictional documentary about a family whose house is somehow larger on the inside than the outside, this quotidian horror premise doesn't explain the complex meta-commentary that Danielewski adds on top. For instance, the book contains a large number of pseudo-academic footnotes (many of which contain footnotes themselves), with references to scholarly papers, books, films and other articles. Most of these references are obviously fictional, but it's the kind of book where the joke is that some of them are not. The format, structure and typography of the book is highly unconventional too, with extremely unusual page layouts and styles.
It's the sort of book and idea that should be a tired gimmick but somehow isn't. This is particularly so when you realise it seems specifically designed to create a fandom around it and to manufacturer its own 'cult' status, something that should be extremely tedious. But not only does this not happen, House of Leaves seems to have survived through two exhausting decades of found footage: The Blair Witch Project and Paranormal Activity are, to an admittedly lesser degree, doing much of the same thing as House of Leaves.
House of Leaves might have its origins in Nabokov's Pale Fire or even Derrida's Glas, but it seems to have more in common with the claustrophobic horror of Cube (1997). And like all of these works, House of Leaves book has an extremely strange effect on the reader or viewer, something quite unlike reading a conventional book. It wasn't so much what I got out of the book itself, but how it added a glow to everything else I read, watched or saw at the time. An experience.
Milkman (2018)
Anna Burns
This quietly dazzling novel from Irish author Anna Burns is full of intellectual whimsy and oddball incident. Incongruously set in 1970s Belfast during The Irish Troubles, Milkman's 18-year-old narrator (known only as middle sister ), is the kind of dreamer who walks down the street with a Victorian-era novel in her hand.
It's usually an error for a book that specifically mention other books, if only because inviting comparisons to great novels is grossly ill-advised. But it is a credit to Burns' writing that the references here actually add to the text and don't feel like they are a kind of literary paint by numbers. Our humble narrator has a boyfriend of sorts, but the figure who looms the largest in her life is a creepy milkman an older, married man who's deeply integrated in the paramilitary tribalism. And when gossip about the narrator and the milkman surfaces, the milkman beings to invade her life to a suffocating degree.
Yet this milkman is not even a milkman at all. Indeed, it's precisely this kind of oblique irony that runs through this daring but darkly compelling book.
The First Fifteen Lives of Harry August (2014)
Claire North
Harry August is born, lives a relatively unremarkable life and finally dies a relatively unremarkable death. Not worth writing a novel about, I suppose. But then Harry finds himself born again in the very same circumstances, and as he grows from infancy into childhood again, he starts to remember his previous lives. This loop naturally drives Harry insane at first, but after finding that suicide doesn't stop the quasi-reincarnation, he becomes somewhat acclimatised to his fate. He prospers much better at school the next time around and is ultimately able to make better decisions about his life, especially when he just happens to know how to stay out of trouble during the Second World War.
Yet what caught my attention in this 'soft' sci-fi book was not necessarily the book's core idea but rather the way its connotations were so intelligently thought through. Just like in a musical theme and varations, the success of any concept-driven book is far more a product of how the implications of the key idea are played out than how clever the central idea was to begin with. Otherwise, you just have another neat Borges short story: satisfying, to be sure, but in a narrower way.
From her relatively simple premise, for example, North has divined that if there was a community of people who could remember their past lives, this would actually allow messages and knowledge to be passed backwards and forwards in time. Ah, of course! Indeed, this very mechanism drives the plot: news comes back from the future that the progress of history is being interfered with, and, because of this, the end of the world is slowly coming. Through the lives that follow, Harry sets out to find out who is passing on technology before its time, and work out how to stop them.
With its gently-moralising romp through the salient historical touchpoints of the twentieth century, I sometimes got a whiff of Forrest Gump. But it must be stressed that this book is far less certain of its 'right-on' liberal credentials than Robert Zemeckis' badly-aged film. And whilst we're on the topic of other media, if you liked the underlying conceit behind Stuart Turton's The Seven Deaths of Evelyn Hardcastle yet didn't enjoy the 'variations' of that particular tale, then I'd definitely give The First Fifteen Lives a try. At the very least, 15 is bigger than 7.
More seriously, though, The First Fifteen Lives appears to reflect anxieties about technology, particularly around modern technological accelerationism. At no point does it seriously suggest that if we could somehow possess the technology from a decade in the future then our lives would be improved in any meaningful way. Indeed, precisely the opposite is invariably implied. To me, at least, homo sapiens often seems to be merely marking time until we can blow each other up and destroying the climate whilst sleepwalking into some crisis that might precipitate a thermonuclear genocide sometimes seems to be built into our DNA. In an era of cli-fi fiction and our non-fiction newspaper headlines, to label North's insight as 'prescience' might perhaps be overstating it, but perhaps that is the point: this destructive and negative streak is universal to all periods of our violent, insecure species.
The Goldfinch (2013)
Donna Tartt
After Breaking Bad, the second biggest runaway success of 2014 was probably Donna Tartt's doorstop of a novel, The Goldfinch. Yet upon its release and popular reception, it got a significant number of bad reviews in the literary press with, of course, an equal number of predictable think pieces claiming this was sour grapes on the part of the cognoscenti. Ah, to be in 2014 again, when our arguments were so much more trivial.
For the uninitiated, The Goldfinch is a sprawling bildungsroman that centres on Theo Decker, a 13-year-old whose world is turned upside down when a terrorist bomb goes off whilst visiting the Metropolitan Museum of Art, killing his mother among other bystanders. Perhaps more importantly, he makes off with a painting in order to fulfil a promise to a dying old man: Carel Fabritius' 1654 masterpiece The Goldfinch. For the next 14 years (and almost 800 pages), the painting becomes the only connection to his lost mother as he's flung, almost entirely rudderless, around the Western world, encountering an array of eccentric characters.
Whatever the critics claimed, Tartt's near-perfect evocation of scenes, from the everyday to the unimaginable, is difficult to summarise. I wouldn't label it 'cinematic' due to her evocation of the interiority of the characters. Take, for example: Even the suggestion that my father had close friends conveyed a misunderstanding of his personality that I didn't know how to respond it's precisely this kind of relatable inner subjectivity that cannot be easily conveyed by film, likely is one of the main reasons why the 2019 film adaptation was such a damp squib. Tartt's writing is definitely not 'impressionistic' either: there are many near-perfect evocations of scenes, even ones we hope we cannot recognise from real life. In particular, some of the drug-taking scenes feel so credibly authentic that I sometimes worried about the author herself.
Almost eight months on from first reading this novel, what I remember most was what a joy this was to read. I do worry that it won't stand up to a more critical re-reading (the character named Xandra even sounds like the pharmaceuticals she is taking), but I think I'll always treasure the first days I spent with this often-beautiful novel.
Beyond Black (2005)
Hilary Mantel
Published about five years before the hyperfamous Wolf Hall (2004), Hilary Mantel's Beyond Black is a deeply disturbing book about spiritualism and the nature of Hell, somewhat incongruously set in modern-day England. Alison Harte is a middle-aged physic medium who works in the various towns of the London orbital motorway. She is accompanied by her stuffy assistant, Colette, and her spirit guide, Morris, who is invisible to everyone but Alison.
However, this is no gentle and musk-smelling world of the clairvoyant and mystic, for Alison is plagued by spirits from her past who infiltrate her physical world, becoming stronger and nastier every day. Alison's smiling and rotund persona thus conceals a truly desperate woman: she knows beyond doubt the terrors of the next life, yet must studiously conceal them from her credulous clients.
Beyond Black would be worth reading for its dark atmosphere alone, but it offers much more than a chilling and creepy tale. Indeed, it is extraordinarily observant as well as unsettlingly funny about a particular tranche of British middle-class life. Still, the book's unnerving nature that sticks in the mind, and reading it noticeably changed my mood for days afterwards, and not necessarily for the best.
The Wall (2019)
John LanchesterThe Wall tells the story of a young man called Kavanagh, one of the thousands of Defenders standing guard around a solid fortress that envelopes the British Isles. A national service of sorts, it is Kavanagh's job to stop the so-called Others getting in. Lanchester is frank about what his wall provides to those who stand guard: the Defenders of the Wall are conscripted for two years on the Wall, with no exceptions, giving everyone in society a life plan and a story.
But whilst The Wall is ostensibly about a physical wall, it works even better as a story about the walls in our mind. In fact, the book blends together of some of the most important issues of our time: climate change, increasing isolation, Brexit and other widening societal divisions. If you liked P. D. James' The Children of Men you'll undoubtedly recognise much of the same intellectual atmosphere, although the sterility of John Lanchester's dystopia is definitely figurative and textual rather than literal.
Despite the final chapters perhaps not living up to the world-building of the opening, The Wall features a taut and engrossing narrative, and it undoubtedly warrants even the most cursory glance at its symbolism. I've yet to read something by Lanchester I haven't enjoyed (even his short essay on cheating in sports, for example) and will be definitely reading more from him in 2022.
The Only Story (2018)
Julian BarnesThe Only Story is the story of Paul, a 19-year-old boy who falls in love with 42-year-old Susan, a married woman with two daughters who are about Paul's age. The book begins with how Paul meets Susan in happy (albeit complicated) circumstances, but as the story unfolds, the novel becomes significantly more tragic and moving.
Whilst the story begins from the first-person perspective, midway through the book it shifts into the second person, and, later, into the third as well. Both of these narrative changes suggested to me an attempt on the part of Paul the narrator (if not Barnes himself), to distance himself emotionally from the events taking place. This effect is a lot more subtle than it sounds, however: far more prominent and devastating is the underlying and deeply moving story about the relationship ends up. Throughout this touching book, Barnes uses his mastery of language and observation to avoid the saccharine and the maudlin, and ends up with a heart-wrenching and emotive narrative. Without a doubt, this is the saddest book I read this year.
Just as I did for 2020, I won't publically disclose exactly how many books I read in 2021, but they evidently provoked enough thoughts that felt it worth splitting my yearly writeup into separate posts. I will reveal, however, that I got through more books than the previous year, and, like before, I enjoyed the books I read this year even more in comparison as well.
How much of this is due to refining my own preferences over time, and how much can be ascribed to feeling less pressure to read particular books? It s impossible to say, and the question is complicated further by the fact I found many of the classics I read well worth of their entry into the dreaded canon.
But enough of the throat-clearing. In today's post I'll be looking at my favourite books filed under memoir and biography, in no particular order.
Books that just missed the cut here include: Bernard Crick's celebrated 1980 biography of George Orwell, if nothing else because it was a pleasure to read; Hilary Mantel's exhilaratingly bitter early memoir, Giving up the Ghost (2003); and Patricia Lockwood's hilarious Priestdaddy (2017). I also had a soft spot for Tim Kreider's We Learn Nothing (2012) as well, despite not knowing anything about the author in advance, likely a sign of good writing. The strangest book in this category I read was definitely Michelle Zauner's Crying in H Mart. Based on a highly-recommended 2018 essay in the New Yorker, its rich broth of genuine yearning for a departed mother made my eyebrows raise numerous times when I encountered inadvertent extra details about Zauner's relationships.
Beethoven: A Life in Nine Pieces (2020)
Laura Tunbridge
Whilst it might immediately present itself as a clickbait conceit, organising an overarching narrative around just nine compositions by Beethoven turns out to be an elegant way of saying something fresh about this grizzled old bear. Some of Beethoven's most famous compositions are naturally included in the nine (eg. the Eroica and the Hammerklavier piano sonata), but the book raises itself above conventional Beethoven fare when it highlights, for instance, his Septet, Op. 20, an early work that is virtually nobody's favourite Beethoven piece today. The insight here is that it was widely popular in its time, played again and again around Vienna for the rest of his life. No doubt many contemporary authors can relate to this inability to escape being artistically haunted by an earlier runaway
success.
The easiest way to say something interesting about Beethoven in the twenty-first century is to talk about the myth of Beethoven instead. Or, as Tunbridge implies, perhaps that should really be 'Beethoven' in leaden quotation marks, given so much about what we think we know about the man is a quasi-fictional construction. Take Anton Schindler, Beethoven's first biographer and occasional amanuensis, who destroyed and fabricated details about Beethoven's life, casting himself in a favourable light and exaggerating his influence with the composer. Only a few decades later, the idea of a 'heroic' German was to be politically useful as well; the Anglosphere often need reminding that Germany did not exist as a nation-state prior to 1871, so it should be unsurprising to us that the late nineteenth-century saw a determined attempt to create a uniquely 'German' culture ex nihilo. (And the less we say about Immortal Beloved the better, even though I treasure that film.) Nevertheless, Tunbridge cuts through Beethoven's substantial legacy using surgical precision that not only avoids feeling like it is settling a score, but it also does so in a way that is unlikely to completely alienate anyone emotionally dedicated to some already-established idea of the man to bring forth the tediously predictable sentiment that Beethoven has 'gone woke'.
With Alex Ross on the cult of Wagner, it seems that books about the 'myth of X' are somewhat in vogue right now. And this pattern within classical music might fit into some broader trend of deconstruction in popular non-fiction too, especially when we consider the numerous contemporary books on the long hangover of the Civil Rights era (Robin DiAngelo's White Fragility, etc.), the multifarious ghosts of Empire (Akala's Natives, Sathnam Sanghera's Empireland, etc.) or even the 'transmogrification' of George Orwell into myth.
But regardless of its place in some wider canon, A Life in Nine Pieces is beautifully printed in hardback form (worth acquiring for that very reason alone), and it is one of the rare good books about classical music that can be recommended to both the connoisseur and the layperson alike.
Sea State (2021)
Tabitha Lasley
In her mid-30s and jerking herself out of a terrible relationship, Tabitha Lasley left London and put all her savings into a six-month lease on a flat within a questionable neighbourhood in Aberdeen, Scotland. She left to make good on a lukewarm idea for a book about oil rigs and the kinds of men who work on them: I wanted to see what men were like with no women around, she claims. The result is Sea State, a forthright examination of the life of North Sea oil riggers, and an unsparing portrayal of loneliness, masculinity, female desire and the decline of industry in Britain. (It might almost be said that Sea State is an update of a sort to George Orwell's visit to the mines in the North of England.)
As bracing as the North Sea air, Sea State spoke to me on multiple levels but I found it additionally interesting to compare and contrast with Julian Barnes' The Man with Red Coat (see below). Women writers are rarely thought to be using fiction for higher purposes: it is assumed that, unlike men, whatever women commit to paper is confessional without any hint of artfulness. Indeed, it seems to me that the reaction against the decades-old genre of autofiction only really took hold when it became the domain of millennial women. (By contrast, as a 75-year-old male writer with a firmly established reputation in the literary establishment, Julian Barnes is allowed wide latitude in what he does with his sources and his writing can be imbued with supremely confident airs as a result.) Furthermore, women are rarely allowed metaphor or exaggeration for dramatic effect, and they certainly aren t permitted to emphasise darker parts in order to explore them... hence some of the transgressive gratification of reading Sea State.
Sea State is admittedly not a work of autofiction, but the sense that you are reading about an author writing a book is pleasantly unavoidable throughout. It frequently returns to the topic of oil workers who live multiple lives, and Lasley admits to living two lives herself: she may be in love but she's also on assignment, and a lot of the pleasure in this candid and remarkably accessible book lies in the way these states become slowly inseparable.
Twilight of Democracy (2020)
Anne Applebaum
For the uninitiated, Anne Applebaum is a staff writer for The Atlantic magazine who won a Pulitzer-prize for her 2004 book on the Soviet Gulag system. Her latest book, however, Twilight of Democracy is part memoir and part political analysis and discusses the democratic decline and the rise of right-wing populism. This, according to Applebaum, displays distinctly authoritarian tendencies, and who am I to disagree? Applebaum does this through three main case studies (Poland, the United Kingdom and the United States), but the book also touches on Hungary as well.
The strongest feature of this engaging book is that Appelbaum's analysis focuses on the intellectual classes and how they provide significant justification for a descent into authoritarianism. This is always an important point to be remembered, especially as much of the folk understanding of the rise of authoritarian regimes tends to place exaggerated responsibility on the ordinary and everyday citizen: the blame placed on the working-class in the Weimar Republic or the scorn heaped upon 'white trash' of the contemporary Rust Belt, for example.
Applebaum is uniquely poised to discuss these intellectuals because, well, she actually knows a lot of them personally. Or at least, she used to know them. Indeed, the narrative of the book revolves around two parties she hosted, both in the same house in northwest Poland. The first party, on 31 December 1999, was attended by friends from around the Western world, but most of the guests were Poles from the broad anti-communist alliance. They all agreed about democracy, the rule of law and the route to prosperity whilst toasting in the new millennium. (I found it amusing to realise that War and Peace also starts with a party.) But nearly two decades later, many of the attendees have ended up as supporters of the problematic 'Law and Justice' party which currently governs the country. Applebaum would now cross the road to avoid them, and they would do the same to her, let alone behave themselves at a cordial reception. The result of this autobiographical detail is that by personalising the argument, Applebaum avoids the trap of making too much of high-minded abstract argument for 'democracy', and additionally makes her book compellingly spicy too.
Yet the strongest part of this book is also its weakest. By individualising the argument, it often feels that Applebaum is settling a number of personal scores. She might be very well justified in doing this, but at times it feels like the reader has walked in halfway through some personal argument and is being asked to judge who is in the right. Furthermore, Applebaum's account of contemporary British politics sometimes deviates into the cartoonish: nothing was egregiously incorrect in any of her summations, but her explanation of the Brexit referendum result didn't read as completely sound.
Nevertheless, this lively and entertaining book that can be read with profit, even if you disagree with significant portions of it, and its highly-personal approach makes it a refreshing change from similar contemporary political analysis (eg. David Runciman's How Democracy Ends) which reaches for that more 'objective' line.
The Man in the Red Coat (2019)
Julian Barnes
As rich as the eponymous red coat that adorns his cover, Julian Barnes quasi-biography of French gynaecologist Samuel-Jean Pozzi (1846 1918) is at once illuminating, perplexing and downright hilarious. Yet even that short description is rather misleading, for this book evades classification all manner number of ways.
For instance, it is unclear that, with the biographer's narrative voice so obviously manifest, it is even a biography in the useful sense of the word. After all, doesn't the implied pact between author and reader require the biographer to at least pretend that they are hiding from the reader? Perhaps this is just what happens when an author of very fine fiction turns his hand to non-fiction history, and, if so, it represents a deeper incursion into enemy territory after his 1984 metafictional Flaubert's Parrot. Indeed, upon encountering an intriguing mystery in Pozzi's life crying out for a solution, Barnes baldly turns to the reader, winks and states: These matters could, of course, be solved in a novel. Well, quite.
Perhaps Barnes' broader point is that, given that's impossible for the author to completely melt into air, why not simply put down your cards and have a bit of fun whilst you're at it? If there's any biography that makes the case for a rambling and lightly polemical treatment, then it is this one.
Speaking of having fun, however, two qualities you do not expect in a typical biography is simply how witty they can be, as well as it having something of the whiff of the thriller about it. A bullet might be mentioned in an early chapter, but given the name and history of Monsieur Pozzi is not widely known, one is unlikely to learn how he lived his final years until the closing chapters. (Or what happened to that turtle.) Humour is primarily incorporated into the book in two main ways: first, by explicitly citing the various wits of the day ( What is a vice? Merely a taste you don t share. etc.), but perhaps more powerful is the gentle ironies, bon mots and observations in Barnes' entirely unflappable prose style, along with the satire implicit in him writing this moreish pseudo-biography to begin with.
The opening page, with its steadfast refusal to even choose where to begin, is somewhat characteristic of Barnes' method, so if you don't enjoy the first few pages then you are unlikely to like the rest. (Indeed, the whole enterprise may be something of an acquired taste. Like Campari.) For me, though, I was left wryly grinning and often couldn't wait to turn the page. Indeed, at times it reminded me of a being at a dinner party with an extremely charming guest at the very peak of his form as a wit and raconteur, delighting the party with his rambling yet well-informed discursive on his topic de jour. A significant book, and a book of significance.
Our project funding work continues with an active bid on the work of packaging a recent gradle in Debian. This month the bidder has been estimating the scope of the entire project.
The Grow Your Ideas project page also has some ambitious initiatives that may evolve into a funded project. The project ideas on that page range from a new wiki for Debian, a more efficient reimbursement process, and the implementation of PPAs for Debian.
We continue to looking forward to hearing about Debian project proposals from various Debian stakeholders. This month has seen work on a survey that will go out to Debian Developers to gather feedback on what they think should be the priorities for funding in the project.
Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In November 13 contributors were paid to work on Debian LTS, their reports are available below. If you re interested in participating in the LTS or ELTS teams, we welcome participation from the Debian community. Simply get in touch with Jeremiah if you are interested in participating.
Adrian Bunk did 62h out of 56h assigned for November and 6h from October.
Jeremiah Foster is coordinating/managing the LTS team did 29h (out of 10h assigned and 10h from October for LTS administration), and spent 9 hours on Projects funded directly through the project funding program.
Lee Garrett did 9 hours out 60 assigned and carried over 51h into December
Utkarsh Gupta did 30 (out of 40h assigned), thus carrying over 10h to December.
Evolution of the situation
In November we released 31 DLAs.
The security tracker currently lists 23 packages with a known CVE and the dla-needed.txt file has 16 packages needing an update.
Thanks to our sponsors
Sponsors that joined recently are in bold.
Here s my (twenty-sixth) monthly but brief update about the activities I ve done in the F/L/OSS world.
Debian
This was my 35th month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas 19! \o/
Just churning through the backlog again this month. Ugh.
Anyway, I did the following stuff in Debian:
Uploads and bug fixes:
rails (2:6.1.4.1+dfsg-3) - No-change rebuild for unstable.
Other $things:
Mentoring for newcomers.
Moderation of -project mailing list.
Ubuntu
This was my 10th month of actively contributing to Ubuntu.
Now that I ve joined Canonical to work on Ubuntu full-time, there s a bunch of things I do! \o/
I mostly worked on different things, I guess.
I was too lazy to maintain a list of things I worked on so there s
no concrete list atm. Maybe I ll get back to this section later or
will start to list stuff from next year onward, as I was doing before. :D
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my twenty-sixth month as a Debian LTS and seventeenth month as a Debian ELTS paid contributor.
I was assigned 30.00 hours for LTS and 45.00 hours for ELTS and worked on the following things:
Issued DLA 2836-1, fixing CVE-2021-43527, for nss.
For Debian 9 stretch, these problems have been fixed in version 2:3.26.2-1.1+deb9u3.
Started working on src:samba for CVE-2020-25717 to CVE-2020-25722 and CVE-2021-23192 for jessie and stretch, both.
The version difference b/w the suites are a bit too much for the patch(es) to be easily backported. I ve talked to Anton to work something out. \o/
Found the problem w/ libjdom1-java. Will have to roll the regression upload.
I ve prepared the patch but needs some testing to be finally rolled out. Same for jessie.
Issued ELA 524-1, fixing CVE-2021-43618, for gmp.
For Debian 8 jessie, these problems have been fixed in version 2:6.0.0+dfsg-6+deb8u1.
Issued ELA 525-1, fixing CVE-2021-43527, for nss.
For Debian 8 jessie, these problems have been fixed in version 2:3.26-1+debu8u14.
Started working on src:samba for CVE-2020-25717 to CVE-2020-25722 and CVE-2021-23192 for jessie and stretch, both.
The version difference b/w the suites are a bit too much for the patch(es) to be easily backported. I ve talked to Anton to work something out. \o/
Found the problem w/ libjdom1-java. Will have to roll the regression upload.
I ve prepared the patch but needs some testing to be finally rolled out. Same for stretch.
Other (E)LTS Work:
Front-desk duty from 29-11 to 05-12 for both LTS and ELTS.
It's been a while since I've posted one of these, and I also may have had
a few moments of deciding to support authors by buying their books even if
I'm not going to get a chance to read them soon. There's also a bit of
work reading in here.
Ryka Aoki Light from Uncommon Stars (sff)
Frederick R. Chromey To Measure the Sky (non-fiction)
Neil Gaiman, et al. Sandman: Overture (graphic novel)
Alix E. Harrow A Spindle Splintered (sff)
Jordan Ifueko Raybearer (sff)
Jordan Ifueko Redemptor (sff)
T. Kingfisher Paladin's Hope (sff)
TJ Klune Under the Whispering Door (sff)
Kiese Laymon How to Slowly Kill Yourself and Others in America
(non-fiction)
Yuna Lee Fox You (romance)
Tim Mak Misfire (non-fiction)
Naomi Novik The Last Graduate (sff)
Shelley Parker-Chan She Who Became the Sun (sff)
Gareth L. Powell Embers of War (sff)
Justin Richer & Antonio Sanso OAuth 2 in Action (non-fiction)
Dean Spade Mutual Aid (non-fiction)
Lana Swartz New Money (non-fiction)
Adam Tooze Shutdown (non-fiction)
Bill Watterson The Essential Calvin and Hobbes (strip collection)
Bill Willingham, et al. Fables: Storybook Love (graphic novel)
David Wong Real-World Cryptography (non-fiction)
Neon Yang The Black Tides of Heaven (sff)
Neon Yang The Red Threads of Fortune (sff)
Neon Yang The Descent of Monsters (sff)
Neon Yang The Ascent to Godhood (sff)
Xiran Jay Zhao Iron Widow (sff)
Our project funding work continues with an active bid on the work of packaging gradle in Debian. The next steps are reviewing the bid and formal approval.
We re looking forward to receiving more projects from various Debian teams! Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In October 12 contributors were paid to work on Debian LTS, their reports are available below.
Adrian Bunk did 40.5h in October (out of 28.5h assigned and 18h remaining, thus keeping 6h for November).
Evolution of the situation
In October we released 34 DLAs.
Also, we would like to remark once again that we are constantly looking for new contributors. Please contact Jeremiah if you are interested!
The security tracker currently lists 37 packages with a known CVE and the dla-needed.txt file has 22 packages needing an update.
Thanks to our sponsors
Sponsors that joined recently are in bold.
We currently face an issue in all packages requiring bunlder/setup and trying
to run the tests for Ruby 2.7 and 3.0. The problem is that the first tests will
create Gemfile.lock (or gemfile/gemfile-*.lock) using Ruby 2.7 and the next
run for Ruby 3 will report e.g.:
Failure/Error: require 'bundler/setup' # Set up gems listed in the Gemfile.
Bundler::GemNotFound:
Could not find racc-1.4.16 in any of the sources
or
/usr/share/rubygems-integration/all/gems/bundler-2.2.27/lib/bundler/definition.rb:496:in materialize':
Could not find rexml-3.2.3.1 in any of the sources (Bundler::GemNotFound)
Both bugs #996207 and
#996302 are incarnations of this issue. The
fix is as easy as making sure that the .lock files are removed before each
run. This can be done in e.g. debian/ruby-tests.rake as very first task:
File.delete("Gemfile.lock") if File.exist?("Gemfile.lock")
In another case the .lock file is created
by the tests in gemfiles/. While the first examples could actually be solved
by gem2deb removing Gemfile.lock on its own, I m not quite sure how to
handle the last case using packaging tools.
The interesting part is that we will unlikely be confronted with this issue
anytime soon again. It seems very specific to the Ruby 3.0 transition.
Update
After talking to Antonio he added some code to gem2deb-test-runner to moving
Gemfile.lock files out of the way. The tool already did this in an
autopkgtest environment. In the upcoming 1.7 release it will do it in general
and this will fix some more FTBFSes, e.g. #998497 and #996141 - originally
reported against ruby-voight-kampff and ruby-bootsnap.
Like each month, have a look at the work funded by Freexian s Debian LTS offering.
Debian project funding
Folks from the LTS team, along with members of the Debian Android Tools team and Phil Morrel, have proposed work on the Java build tool, gradle, which is currently blocked due to the need to build with a plugin not available in Debian. The LTS team reviewed the project submission and it has been approved. After approval we ve created a Request for Bids which is active now.
You ll hear more about this through official Debian channels, but in the meantime, if you feel you can help with this project, please submit a bid. Thanks!
This September, Freexian set aside 2550 EUR to fund Debian projects.
We re looking forward to receive more projects from various Debian teams! Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In September, 15 contributors have been paid to work on Debian LTS, their reports are available:
Abhijith PA has returned hours and marked themselves inactive, at least for the time being. He did 0h out of 14h, carried over 14h and returned 28h.
Adrian Bunk did 19.5h (out of 24.75h assigned and 12.75 from August), carrying over 18h to October.
Emilio Pozuelo Monfort did not report back about their work so we assume they did nothing (out of 5.5h assigned plus 74.5h from August), thus is carrying over 80h for October.
Holger Levsen did 3h (out of 12h assigned) and gave back 9h and carried over 3h.
Jeremiah Foster worked 10 hours (out of 20h assigned) on LTS work, carrying over 10h.
Lee Garrett did not report back about their work so we assume they did nothing (out of 24.75h assigned and 23.75 from August), thus is carrying over 48.50h for October.
Markus Koschany did 43.5h (out of 24.75h assigned and 18.75h from August)
Utkarsh Gupta did 24.75h (out of 24.75h assigned) but did not publish his report yet.
Ola Lundqvist did 2 hours (out of 21h carried over from previous months), and is thus carrying 19h for October.
Evolution of the situation
In September we released 30 DLAs. September was also the second month of Jeremiah coordinating LTS contributors.
Also, we would like say that we are always looking for new contributors to LTS. Please contact Jeremiah if you are interested!
The security tracker currently lists 33 packages with a known CVE and the dla-needed.txt file has 26 packages needing an update.
Thanks to our sponsors
Sponsors that joined recently are in bold.
The Ruby team is working now on transitioning to ruby 3.0. Even though most
packages will work just fine, there is substantial amount of packages that
require some work to adapt. We have been doing test rebuilds for a while during
transitions, but usually triaged the problems manually.
This time I decided to try
collab-qa-tools, a set of
scripts Lucas Nussbaum uses when he does archive-wide rebuilds. I'm really glad
that I did, because those tols save a lot of time when processing a large
number of build failures. In this post, I will go through how to triage a set
of build logs using collab-qa-tools.
I have
somesomeimprovements
to the code. Given my last merge request is very new and was not merged yet,
a few of the things I mention here may apply only to
my own ruby3.0 branch.
collab-qa-tools also contains a few tools do perform the builds in the
cloud, but since we already had the builds done, I will not be mentioning that
part and will write exclusively about the triaging tools.
Installing collab-qa-tools
The first step is to clone the git repository. Make sure you have the
dependencies from debian/control installed (a few Ruby libraries).
One of the patches I sent, and was already accepted, is the ability to run it
without the need to install:
source /path/to/collab-qa-tools/activate.sh
This will add the tools to your $PATH.
Preparation
The first think you need to do is getting all your build logs in a directory.
The tools assume .log file extension, and they can be named
$ PACKAGE _*.log or just $ PACKAGE .log.
Creating a TODO file
cqa-scanlogs grep -v OK > todo
todo will contain one line for each log with a summary of the failure, if
it's able to find one. collab-qa-tools has a large set of regular expressions
for finding errors in the build logs
It's a good idea to split the TODO file in multiple ones. This can easily be
done with split(1), and can be used to delimit triaging sessions, and/or to
split the triaging between multiple people. For example this will create
todo into todo00, todo01, ..., each containing 30 lines:
split --lines=30 --numeric-suffixes todo todo
Triaging
You can now do the triaging. Let's say we split the TODO files, and will start
with todo01.
The first step is calling cqa-fetchbugs (it does what it says on the tin):
cqa-fetchbugs --TODO=todo01
Then, cqa-annotate will guide you through the logs and allow you to report
bugs:
cqa-annotate --TODO=todo01
I wrote myself a process.sh wrapper script for cqa-fetchbugs and
cqa-annotate that looks like this:
#!/bin/shset-eufor todo in$@;do# force downloading bugsawk' print(".bugs." $1) '"$ todo" xargs rm-f
cqa-fetchbugs --TODO="$ todo"
cqa-annotate \--template=template.txt.jinja2 \--TODO="$ todo"done
The --template option is a recent contribution of mine. This is a template
for the bug reports you will be sending. It uses
Liquid templates,
which is very similar to Jinja2 for Python. You will notice that I am even
pretending it is Jinja2 to trick vim into doing syntax highlighting
for me. The template I'm using looks like this:
From: fullname<email>
To: submit@bugs.debian.org
Subject: package: FTBFS with ruby3.0: summary
Source: package
Version: versionsplit:'+rebuild'first
Severity: serious
Justification: FTBFS
Tags: bookworm sid ftbfs
User: debian-ruby@lists.debian.org
Usertags: ruby3.0
Hi,
We are about to enable building against ruby3.0 on unstable. During a test
rebuild, package was found to fail to build in that situation.
To reproduce this locally, you need to install ruby-all-dev from experimental
on an unstable system or build chroot.
Relevant part (hopefully):
%forlineinextract% > line %endfor%
The full build log is available at
https://people.debian.org/~kanashiro/ruby3.0/round2/builds/3/package/filenamereplace:".log",".build.txt"
The cqa-annotate loop
cqa-annotate will parse each log file, display an extract of what it found as
possibly being the relevant part, and wait for your input:
######## ruby-cocaine_0.5.8-1.1+rebuild1633376733_amd64.log ########
--------- Error:
Failure/Error: undef_method :exitstatus
FrozenError:
can't modify frozen object: pid 2351759 exit 0
# ./spec/support/unsetting_exitstatus.rb:4:in undef_method'
# ./spec/support/unsetting_exitstatus.rb:4:in singleton class'
# ./spec/support/unsetting_exitstatus.rb:3:in assuming_no_processes_have_been_run'
# ./spec/cocaine/errors_spec.rb:55:in block (2 levels) in <top (required)>'
Deprecation Warnings:
Using should from rspec-expectations' old :should syntax without explicitly enabling the syntax is deprecated. Use the new :expect syntax or explicitly enable :should with config.expect_with(:rspec) c c.syntax = :should instead. Called from /<<PKGBUILDDIR>>/spec/cocaine/command_line/runners/backticks_runner_spec.rb:19:in block (2 levels) in <top (required)>'.
If you need more of the backtrace for any of these deprecations to
identify where to make the necessary changes, you can configure
config.raise_errors_for_deprecations! , and it will turn the
deprecation warnings into errors, giving you the full backtrace.
1 deprecation warning total
Finished in 6.87 seconds (files took 2.68 seconds to load)
67 examples, 1 failure
Failed examples:
rspec ./spec/cocaine/errors_spec.rb:54 # When an error happens does not blow up if running the command errored before execution
/usr/bin/ruby3.0 -I/usr/share/rubygems-integration/all/gems/rspec-support-3.9.3/lib:/usr/share/rubygems-integration/all/gems/rspec-core-3.9.2/lib /usr/share/rubygems-integration/all/gems/rspec-core-3.9.2/exe/rspec --pattern ./spec/\*\*/\*_spec.rb --format documentation failed
ERROR: Test "ruby3.0" failed:
----------------
ERROR: Test "ruby3.0" failed: Failure/Error: undef_method :exitstatus
----------------
package: ruby-cocaine
lines: 30
------------------------------------------------------------------------
s: skip
i: ignore this package permanently
r: report new bug
f: view full log
------------------------------------------------------------------------
Action [s i r f]:
You can then choose one of the options:
s - skip this package and do nothing. You can run cqa-annotate again
later and come back to it.
i - ignore this package completely. New runs of cqa-annotate won't ask
about it again.
This is useful if the package only fails in your rebuilds due to another
package, and would just work when that other package gets fixes. In the Ruby
transition this happens when A depends on B, while B builds a C extension and
failed to build against the new Ruby. So once B is fixed, A should
just work (in principle). But even if A would even have problems of its own,
we can't really know before B is fixed so we can retry A.
r - report a bug. cqa-annotate will expand the template with the data
from the current log, and feed it to mutt. This is currently a limitation:
you have to use mutt to report bugs.
After you report the bug, cqa-annotate will ask if it should edit the TODO
file. In my opinion it's best to not do this, and annotate the package with a
bug number when you have one (see below).
f - view the full log. This is useful when the extract displayed doesn't
have enough info, or you want to inspect something that happened earlier (or
later) during the build.
When there are existing bugs in the package, cqa-annotate will list them
among the options. If you choose a bug number, the TODO file will be annotated
with that bug number and new runs of cqa-annotate will not ask about that
package anymore. For example after I reported a bug for ruby-cocaine for the
issue listed above, I aborted with a ctrl-c, and when I run my process.sh
script again I then get this prompt:
----------------
ERROR: Test "ruby3.0" failed: Failure/Error: undef_method :exitstatus
----------------
package: ruby-cocaine
lines: 30
------------------------------------------------------------------------
s: skip
i: ignore this package permanently
1: 996206 serious ruby-cocaine: FTBFS with ruby3.0: ERROR: Test "ruby3.0" failed: Failure/Error: undef_method :exitstatus
r: report new bug
f: view full log
------------------------------------------------------------------------
Action [s i 1 r f]:
Chosing 1 will annotate the TODO file with the bug number, and I'm done with
this package. Only a few other hundreds to go.
Like each month, have a look at the work funded by Freexian s Debian LTS offering.
Debian project funding
In August, we put aside 2460 EUR to fund Debian projects. We received a new project proposal that got approved and there s an associated bid request if you feel like proposing yourself to implement this project.
We re looking forward to receive more projects from various Debian teams! Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In August, 14 contributors have been paid to work on Debian LTS, their reports are available:
Abhijith PA did 4.0h (out of 14h assigned and 5h from August), thus carrying over 15h to September.
Adrian Bunk did 11h (out of 23.75h assigned), thus carrying over 12.75h to September.
Emilio Pozuelo Monfort did not report back about their work so we assume they did nothing (out of 23.75h assigned plus 50.75h from August), thus is carrying over 74.5h for September.
Holger Levsen did 3h (out of 12h assigned) to help coordinate the team, and gave back the remaining hours.
Lee Garrett did nothing (out of 23.75h assigned), thus is carrying over 23.75h for September.
Markus Koschany did 35h (out of 23.75h assigned and 30h from August), thus carrying over 18.75h to September.
Neil Williams did 24h (out of 23.75h assigned), thus anticipating 0.25h of October.
Roberto C. S nchez did 22.25h (out of 23.75h assigned), thus carrying over 1.5h to September.
Sylvain Beucler did 21.5h (out of 23.75h assigned), thus carrying over 2.25h to September.
Evolution of the situation
In August we released 30 DLAs.
This is the first month of Jeremiah coordinating LTS contributors. We would like to thank Holger Levsen for his work on this role up to now.
Also, we would like to remark once again that we are constantly looking for new contributors. Please contact Jeremiah if you are interested!
The security tracker currently lists 73 packages with a known CVE and the dla-needed.txt file has 29 packages needing an update.
Thanks to our sponsors
Sponsors that joined recently are in bold.
CVE-2020-22036: A heap-based Buffer Overflow vulnerability in filter_intra at libavfilter/vf_bwdif.c, which might lead
to memory corruption and other potential consequences.
CVE-2020-22032: A heap-based Buffer Overflow vulnerability in
gaussian_blur, which might lead to memory corruption and other
potential consequences.
CVE-2020-22031: A Heap-based Buffer Overflow vulnerability in
filter16_complex_low, which might lead to memory corruption and
other potential consequences.
CVE-2020-22028: Buffer Overflow vulnerability
in filter_vertically_8 at libavfilter/vf_avgblur.c, which could cause a remote
Denial of Service.
CVE-2020-22026: Buffer Overflow vulnerability exists in the config_input function at libavfilter/af_tremolo.c, which could let a remote malicious
user cause a Denial of Service.
CVE-2020-22025: A heap-based Buffer Overflow vulnerability
exists in gaussian_blur at libavfilter/vf_edgedetect.c, which might lead to memory
corruption and other potential consequences.
CVE-2020-22023: A heap-based Buffer Overflow vulnerabililty
exists in filter_frame at libavfilter/vf_bitplanenoise.c, which might lead to
memory corruption and other potential consequences.
CVE-2020-22022: A heap-based Buffer Overflow vulnerability exists in
filter_frame at libavfilter/vf_fieldorder.c, which might lead to memory
corruption and other potential consequences.
CVE-2020-22021: Buffer Overflow vulnerability at filter_edges function in libavfilter/vf_yadif.c, which could let a remote malicious user cause a
Denial of Service.
CVE-2020-22020: Buffer Overflow vulnerability in the build_diff_map function
in libavfilter/vf_fieldmatch.c, which could let a remote malicious user
cause a Denial of Service.
CVE-2020-22016: A heap-based Buffer Overflow vulnerability
at libavcodec/get_bits.h when writing .mov files, which might lead to memory corruption and other potential consequences.
CVE-2020-22015: Buffer Overflow vulnerability in mov_write_video_tag due to the out of bounds in libavformat/movenc.c, which could let a remote
malicious user obtain sensitive information, cause a Denial of Service, or
execute arbitrary code.
CVE-2020-21041: Buffer Overflow vulnerability exists via
apng_do_inverse_blend in libavcodec/pngenc.c, which could let a remote
malicious user cause a Denial of Service
CVE-2021-3566: The tty demuxer did not have a read_probe function
assigned to it. By crafting a legitimate ffconcat file that references an
image, followed by a file the triggers the tty demuxer, the contents of the
second file will be copied into the output file verbatim (as long as the
-vcodec copy option is passed to ffmpeg).
CVE-2021-38114: libavcodec/dnxhddec.c does not check the return value of the init_vlc function. Crafted DNxHD data can cause unspecified impact.
DLA 2742-2 ffmpeg_7:3.2.15-0+deb9u4
During the backporting of one of patches in CVE-2020-22021 one line was wrongly
interpreted and it caused the regression during the deinterlacing process.
Thanks to Jari Ruusu for the reporting the issue and for the testing of
prepared update.
Other LTS-related work
Analyzed CVE-2020-22027 and
marked as ignored for stretch. Original patch is not appliable. The issue is reproducible though.
Like each month, have a look at the work funded by Freexian s Debian LTS offering.
Debian project funding
In July, we put aside 2400 EUR to fund Debian projects. We haven t received proposals of projects to fund in the last months, so we have scheduled a discussion during Debconf to try to to figure out why that is and how we can fix that. Join us on August 26th at 16:00 UTC on this link.
We are pleased to announce that Jeremiah Foster will help out to make this initiative a success : he can help Debian members to come up with solid proposals, he can look for people willing to do the work once the project has been formalized and approved, and he will make sure that the project implementation keeps on track when the actual work has begun.
We re looking forward to receive more projects from various Debian teams! Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In July, 12 contributors have been paid to work on Debian LTS, their reports are available:
Abhijith PA did 5.0h (out of 7h assigned and 3h remaining), thus carrying over 5h to August.
Emilio Pozuelo Monfort did not report back about their work so we assume they did nothing (out of 39.75h assigned plus 11h from June), thus is carrying over 50.75h for August.
Holger Levsen s work was coordinating/managing the LTS team, he did 3.5h (out of 12h assigned) and gave back 8.5h to the pool.
Markus Koschany did 30h (out of 30h assigned and 30h from June), thus carrying over 30h to August.
Ola Lundqvist did nothing (out of 12h assigned plus 20h from June), thus is carrying over 32h for August.
Roberto C. S nchez did 13.5h (out of 32h assigned and 20h from June), and gave back 38.5h to the pool.
Evolution of the situation
In July we released 30 DLAs. Also we were glad to welcome Neil Williams and Lee Garrett who became active contributors.
The security tracker currently lists 63 packages with a known CVE and the dla-needed.txt file has 17 packages needing an update.
We would like to thank Holger Levsen for the years of work where he managed/coordinated the paid LTS contributors. Jeremiah Foster will take over his duties.
Thanks to our sponsors
Sponsors that joined recently are in bold.
About the Project
Debian Continuous Integration is Debian s CI platform. It runs tests on the packages published in the Debian archive, and today is used to control migration of packages from unstable, Debian s development area, to testing, the area of the archive where the next Debian release is being prepared. This makes it a crucial part of Debian s infrastructure.
The web platform shows the results of all the tests executed. Debian CI provides developers both API and a GUI Self-Service section to request tests for the packages and get information on test history.
This project involves implementing incremental improvements to the platform, making it easier to use and maintain.
Deliverables of the project:
Migrating Logins to Salsa
Adding support for testing security uploads and Debian LTS
Work done
Migrating Logins to Salsa
Originally, Debian CI used Debian SSO client certificates for logging in, but since that was deprecated logins are migrated to Salsa, Debian s Gitlab instance and this is implemented with the help of OmniAuth, the ruby authentication framework.
Another thing fixed as part of this task was that there exists a limitation in the existing database structure, where usernames were directly stored as the test requestor field, so that relationship was normalized with a proper foreign key to the users table.
Adding support for testing security uploads and Debian LTS
In this task, work was done to enable private tests in Debian CI for adding support for testing security uploads and Debian LTS. It includes tasks from adding the private field in the API and Self-Service section in requesting tests to adding an option to publish them when ready through both interfaces.
Merge Requests:
Learning Takeaways
I learned a lot throughout the entire journey. Some of the things to mention are:
Writing tests: I learned about using Rspec for writing tests in ruby and understood how writing tests is an integral part of coding any project.
Using good coding practices: By my merge requests reviews done by my mentor Antonio, I came to know about good coding practices which help in keeping the code both clean and concise.
Acknowledgement
I owe huge thanks to my mentors Antonio Terceiro and Paul Gevers for their constant support and guidance throughout the entire duration. It is for them that I was able to get started with the code-base of the project in the first place. And while working on the project, they were extremely responsive to all my queries. My merge requests were all thoroughly reviewed which enables me to learn more and work more efficiently. It was a complete pleasure interacting with them on weekly meet calls.
To sum up, my GSoC journey was awesome and I had a fun and productive summer with Debian
What s next?
As part of a continuation of my project task Adding support for testing security uploads and Debian LTS, I would be working on Debian CI to facilitate the process of connecting the embargoed archive.
It s the end of my GSoC journey but certainly not the end of my journey with Debian or Open-Source. I plan to stay an active contributor to Debian and get involve with more Open Source projects as well
Extras
The link to my Salsa Profile for all my work activities can be found here.
To know more about my journey, my other GSoC blog posts can be found below:
Hello there.
So here we are near the end of GSoC 2021 and with that, I am sharing details of the work I completed in the second phase of the coding period.
Continuing with details of the task I left on
Task: Adding support for testing security uploads and Debian LTS
The extra-apt-sources parameter is added to both API and Self-Service section for the test request object and the part which took some time was deciding on its validation since if you ever deal with apt sources, you would know that there exist a lot of combinations of a valid apt source and in the end, the decision was taken to just add the minimal checks.
Since, we have enough setup to request private tests, it made sense to have a way of looking them up in the Self-Service section. So a new column is added to the test records in Job-History marking the visibility of a test (private or public) and a new filter to filter out records based on the visibility.
The option to retry tests is also added in Self-Service in the Job-History section so that private tests can also be retried. As earlier, this option was only available in Package History pages but those pages do not show the private tests.
The next thing in the list was to publish these test results of private tests at some point.
For the API section, a new endpoint is added to accept a string of run_ids which is ready to be published, and for the Self-Service , in the Job-History page a Publish button is added to be clicked after check boxing the required tests.
This ends the list of my planned work for the project.
Some more interesting stuff
As we got some more time for the coding period to end, my mentor Antonio Terceiro suggested that I could pick any issue from the opened issues list to work on so I picked up the one to add a user menu for the Self-Service section and completed that.
Antonio also gave me insights into Debian Packaging and even let me try packaging a newer upstream version of the package itamae which is one of the packages maintained by him.
I also worked on creating a video about my GSoC project for DebConf21 and this was truly the hardest thing to do. From setting up everything to final editing, it took me about 2 days to create something sane to submit. Now, I am excited about DebConf21
That concludes my work in the second phase of the coding period and next, I will be sharing my Final Evaluation Submission real soon.
Stay tuned!
The Last Battle is the seventh and final book of the
Chronicles of Narnia in every reading order. It ties together (and
spoils) every previous Narnia book, so you do indeed want to read it last
(or skip it entirely, but I'll get into that).
In the far west of Narnia, beyond the Lantern Waste and near the great
waterfall that marks Narnia's western boundary, live a talking ape named
Shift and a talking donkey named Puzzle. Shift is a narcissistic asshole
who has been gaslighting and manipulating Puzzle for years, convincing the
poor donkey that he's stupid and useless for anything other than being
Shift's servant. At the start of the book, a lion skin washes over the
waterfall and into the Cauldron Pool. Shift, seeing a great opportunity,
convinces Puzzle to retrieve it.
The king of Narnia at this time is Tirian. I would tell you more about
Tirian except, despite being the protagonist, that's about all the
characterization he gets. He's the king, he's broad-shouldered and
strong, he behaves in a correct kingly fashion by preferring hunting
lodges and simple camps to the capital at Cair Paravel, and his close
companion is a unicorn named Jewel. Other than that, he's another
character like Rilian from The Silver
Chair who feels like he was taken from a medieval Arthurian story.
(Thankfully, unlike Rilian, he doesn't talk like he's in a medieval
Arthurian story.)
Tirian finds out about Shift's scheme when a dryad appears at Tirian's
camp, calling for justice for the trees of Lantern Waste who are being
felled. Tirian rushes to investigate and stop this monstrous act, only to
find the beasts of Narnia cutting down trees and hauling them away for
Calormene overseers. When challenged on why they would do such a thing,
they reply that it's at Aslan's orders.
The Last Battle is largely the reason why I decided to do this
re-read and review series. It is, let me be clear, a bad book. The plot
is absurd, insulting to the characters, and in places actively offensive.
It is also, unlike the rest of the Narnia series, dark and depressing for
nearly all of the book. The theology suffers from problems faced by
modern literature that tries to use the Book of Revelation and related
Christian mythology as a basis. And it is, most famously, the site of one
of the most notorious authorial betrayals of a character in fiction.
And yet, The Last Battle, probably more than any other single book,
taught me to be a better human being. It contains two very specific
pieces of theology that I would now critique in multiple ways but which
were exactly the pieces of theology that I needed to hear when I first
understood them. This book steered me away from a closed, judgmental, and
condemnatory mindset at exactly the age when I needed something to do
that. For that, I will always have a warm spot in my heart for it.
I'm going to start with the bad parts, though, because that's how the book
starts.
MAJOR SPOILERS BELOW.
First, and most seriously, this is a
second-order
idiot plot. Shift shows up with a donkey wearing a lion skin (badly),
only lets anyone see him via firelight, claims he's Aslan, and starts
ordering the talking animals of Narnia to completely betray their laws and
moral principles and reverse every long-standing political position of the
country... and everyone just nods and goes along with this. This is the
most blatant example of a long-standing problem in this series: Lewis does
not respect his animal characters. They are the best feature of his
world, and he treats them as barely more intelligent than their
non-speaking equivalents and in need of humans to tell them what to do.
Furthermore, despite the assertion of the narrator, Shift is not even
close to clever. His deception has all the subtlety of a five-year-old
who doesn't want to go to bed, and he offers the Narnians absolutely
nothing in exchange for betraying their principles. I can forgive Puzzle
for going along with the scheme since Puzzle has been so emotionally
abused that he doesn't know what else to do, but no one else has any
excuse, especially Shift's neighbors. Given his behavior in the book,
everyone within a ten mile radius would be so sick of his whining,
bullying, and lying within a month that they'd never believe anything he
said again. Rishda and Ginger, a Calormene captain and a sociopathic cat
who later take over Shift's scheme, do qualify as clever, but there's no
realistic way Shift's plot would have gotten far enough for them to get
involved.
The things that Shift gets the Narnians to do are awful. This is by far
the most depressing book in the series, even more than the worst parts of
The Silver Chair. I'm sure I'm not the only one who struggled to
read through the first part of this book, and raced through it on re-reads
because everything is so hard to watch. The destruction is wanton and
purposeless, and the frequent warnings from both characters and narration
that these are the last days of Narnia add to the despair. Lewis takes
all the beautiful things that he built over six books and smashes them
before your eyes. It's a lot to take, given that previous books would
have treated the felling of a single tree as an unspeakable catastrophe.
I think some of these problems are due to the difficulty of using
Christian eschatology in a modern novel. An antichrist is obligatory, but
the animals of Narnia have no reason to follow an antichrist given their
direct experience with Aslan, particularly not the aloof one that Shift
tries to give them. Lewis forces the plot by making everyone act stupidly
and out of character. Similarly, Christian eschatology says everything
must become as awful as possible right before the return of Christ, hence
the difficult-to-read sections of Narnia's destruction, but there's no
in-book reason for the Narnians' complicity in that destruction. One can
argue about whether this is good theology, but it's certainly bad
storytelling.
I can see the outlines of the moral points Lewis is trying to make about
greed and rapacity, abuse of the natural world, dubious alliances,
cynicism, and ill-chosen prophets, but because there is no explicable
reason for Tirian's quiet kingdom to suddenly turn to murderous resource
exploitation, none of those moral points land with any force. The best
moral apocalypse shows the reader how, were they living through it, they
would be complicit in the devastation as well. Lewis does none of that
work, so the reader is just left angry and confused.
The book also has several smaller poor authorial choices, such as the
blackface incident. Tirian, Jill, and Eustace need to infiltrate Shift's
camp, and use blackface to disguise themselves as Calormenes. That alone
uncomfortably reveals how much skin tone determines nationality in this
world, but Lewis makes it far worse by having Tirian comment that he
"feel[s] a true man again" after removing the blackface and switching to
Narnian clothes.
All of this drags on and on, unlike Lewis's normally tighter pacing, to
the point that I remembered this book being twice the length of any other
Narnia book. It's not; it's about the same length as the rest, but it's
such a grind that it feels interminable. The sum total of the bright
points of the first two-thirds of the book are the arrival of Jill and
Eustace, Jill's one moment of true heroism, and the loyalty of a single
Dwarf. The rest is all horror and betrayal and doomed battles and abject
stupidity.
I do, though, have to describe Jill's moment of glory, since I complained
about her and Eustace throughout The Silver Chair. Eustace is
still useless, but Jill learned forestcraft during her previous adventures
(not that we saw much sign of this previously) and slips through the
forest like a ghost to steal Puzzle and his lion costume out from the
under the nose of the villains. Even better, she finds Puzzle and the
lion costume hilarious, which is the one moment in the book where one of
the characters seems to understand how absurd and ridiculous this all is.
I loved Jill so much in that moment that it makes up for all of the
pointless bickering of The Silver Chair. She doesn't get to do
much else in this book, but I wish the Jill who shows up in The Last
Battle had gotten her own book.
The end of this book, and the only reason why it's worth reading, happens
once the heroes are forced into the stable that Shift and his
co-conspirators have been using as the stage for their fake Aslan. Its
door (for no well-explained reason) has become a door to Aslan's Country
and leads to a reunion with all the protagonists of the series. It also
becomes the frame of Aslan's final destruction of Narnia and judging of
its inhabitants, which I suspect would be confusing if you didn't already
know something about Christian eschatology. But before that, this
happens, which is sufficiently and deservedly notorious that I think it
needs to be quoted in full.
"Sir," said Tirian, when he had greeted all these. "If I have read the
chronicle aright, there should be another. Has not your Majesty two
sisters? Where is Queen Susan?"
"My sister Susan," answered Peter shortly and gravely, "is no longer a
friend of Narnia."
"Yes," said Eustace, "and whenever you've tried to get her to come and
talk about Narnia or do anything about Narnia, she says 'What
wonderful memories you have! Fancy your still thinking about all
those funny games we used to play when we were children.'"
"Oh Susan!" said Jill. "She's interested in nothing nowadays except
nylons and lipstick and invitations. She always was a jolly sight too
keen on being grown-up."
"Grown-up indeed," said the Lady Polly. "I wish she would grow
up. She wasted all her school time wanting to be the age she is now,
and she'll waste all the rest of her life trying to stay that age.
Her whole idea is to race on to the silliest time of one's life as
quick as she can and then stop there as long as she can."
There are so many obvious and dire problems with this passage, and so many
others have written about it at length, that I will only add a few points.
First, I find it interesting that neither Lucy nor Edmund says a thing.
(I would like to think that Edmund knows better.) The real criticism
comes from three characters who never interacted with Susan in the series:
the two characters introduced after she was no longer allowed to return to
Narnia, and a character from the story that predated hers. (And Eustace
certainly has some gall to criticize someone else for treating Narnia as a
childish game.)
It also doesn't say anything good about Lewis that he puts his rather
sexist attack on Susan into the mouths of two other female characters.
Polly's criticism is a somewhat generic attack on puberty that could
arguably apply to either sex (although "silliness" is usually reserved for
women), but Jill makes the attack explicitly gendered. It's the attack of
a girl who wants to be one of the boys on a girl who embraces things that
are coded feminine, and there's a whole lot of politics around the
construction of gender happening here that Lewis is blindly reinforcing
and not grappling with at all.
Plus, this is only barely supported by single sentences in
The Voyage of the Dawn Treader and
The Horse and His Boy and directly
contradicts the earlier books. We're expected to believe that Susan the
archer, the best swimmer, the most sensible and thoughtful of the four
kids has abruptly changed her whole personality. Lewis could have made me
believe Susan had soured on Narnia after the attempted kidnapping (and,
although left unstated, presumably eventual attempted rape) in The
Horse and His Boy, if one ignores the fact that incident supposedly
happens before Prince Caspian where
there is no sign of such a reaction. But not for those reasons, and not
in that way.
Thankfully, after this, the book gets better, starting with the Dwarfs,
which is one of the two passages that had a profound influence on me.
Except for one Dwarf who allied with Tirian, the Dwarfs reacted to the
exposure of Shift's lies by disbelieving both Tirian and Shift, calling a
pox on both their houses, and deciding to make their own side. During the
last fight in front of the stable, they started killing whichever side
looked like they were winning. (Although this is horrific in the story, I
think this is accurate social commentary on a certain type of cynicism,
even if I suspect Lewis may have been aiming it at atheists.) Eventually,
they're thrown through the stable door by the Calormenes. However, rather
than seeing the land of beauty and plenty that everyone else sees, they
are firmly convinced they're in a dark, musty stable surrounded by refuse
and dirty straw.
This is, quite explicitly, not something imposed on them. Lucy rebukes
Eustace for wishing Tash had killed them, and tries to make friends with
them. Aslan tries to show them how wrong their perceptions are, to no
avail. Their unwillingness to admit they were wrong is so strong that
they make themselves believe that everything is worse than it actually is.
"You see," said Aslan. "They will not let us help them. They have
chosen cunning instead of belief. Their prison is only in their own
minds, yet they are in that prison; and so afraid of being taken in
that they cannot be taken out."
I grew up with the US evangelical version of Hell as a place of eternal
torment, which in turn was used to justify religious atrocities in the
name of saving people from Hell. But there is no Hell of that type in
this book. There is a shadow into which many evil characters simply
disappear, and there's this passage. Reading this was the first time I
understood the alternative idea of Hell as the absence of God instead of
active divine punishment. Lewis doesn't use the word "Hell," but it's
obvious from context that the Dwarfs are in Hell. But it's not something
Aslan does to them and no one wants them there; they could leave any time
they wanted, but they're too unwilling to be wrong.
You may have to be raised in conservative Christianity to understand how
profoundly this rethinking of Hell (which Lewis tackles at greater length
in The Great Divorce) undermines the system of guilt and fear
that's used as motivation and control. It took me several re-readings and
a lot of thinking about this passage, but this is where I stopped
believing in a vengeful God who will eternally torture nonbelievers, and
thus stopped believing in all of the other theology that goes with it.
The second passage that changed me is Emeth's story. Emeth is a devout
Calormene, a follower of Tash, who volunteered to enter the stable when
Shift and his co-conspirators were claiming Aslan/Tash was inside. Some
time after going through, he encounters Aslan, and this is part of his
telling of that story (and yes, Lewis still has Calormenes telling stories
as if they were British translators of the Arabian Nights):
[...] Lord, is it then true, as the Ape said, that thou and Tash are
one? The Lion growled so that the earth shook (but his wrath was not
against me) and said, It is false. Not because he and I are one, but
because we are opposites, I take to me the services which thou hast
done to him. For I and he are of such different kinds that no service
which is vile can be done to me, and none which is not vile can be
done to him. Therefore if any man swear by Tash and keep his oath for
the oath's sake, it is by me that he has truly sworn, though he know
it not, and it is I who reward him. And if any man do a cruelty in my
name, then, though he says the name Aslan, it is Tash whom he serves
and by Tash his deed is accepted. Dost thou understand, Child? I
said, Lord, thou knowest how much I understand. But I said also (for
the truth constrained me), Yet I have been seeking Tash all my days.
Beloved, said the Glorious One, unless thy desire had been for me,
thou wouldst not have sought so long and so truly. For all find what
they truly seek.
So, first, don't ever say this to anyone. It's horribly condescending
and, since it's normally said by white Christians to other people, usually
explicitly colonialist. Telling someone that their god is evil but since
they seem to be a good person they're truly worshiping your god is only
barely better than saying yours is the only true religion.
But it is better, and as someone who, at the time, was wholly
steeped in the belief that only Christians were saved and every follower
of another religion was following Satan and was damned to Hell, this
passage blew my mind. This was the first place I encountered the
idea that someone who followed a different religion could be saved, or
that God could transcend religion, and it came with exactly the context
and justification that I needed given how close-minded I was at the time.
Today, I would say that the Christian side of this analysis needs far more
humility, and fobbing off all the evil done in the name of the Christian
God by saying "oh, those people were really following Satan" is a total
moral copout. But, nonetheless, Lewis opened a door for me that I was
able to step through and move beyond to a less judgmental, dismissive, and
hostile view of others.
There's not much else in the book after this. It's mostly Lewis's
charmingly Platonic view of the afterlife, in which the characters go
inward and upward to truer and more complete versions of both Narnia and
England and are reunited (very briefly) with every character of the
series. Lewis knows not to try too hard to describe the indescribable,
but it remains one of my favorite visions of an afterlife because it makes
so explicit that this world is neither static or the last, but only the
beginning of a new adventure.
This final section of The Last Battle is deeply flawed, rather
arrogant, a little bizarre, and involves more lectures on theology than
precise description, but I still love it. By itself, it's not a bad
ending for the series, although I don't think it has half the beauty or
wonder of the end of The Voyage of the Dawn Treader. It's a shame
about the rest of the book, and it's a worse shame that Lewis chose to
sacrifice Susan on the altar of his prejudices. Those problems made it
very hard to read this book again and make it impossible to recommend.
Thankfully, you can read the series without it, and perhaps most readers
would be better off imagining their own ending (or lack of ending) to
Narnia than the one Lewis chose to give it.
But the one redeeming quality The Last Battle will always have for
me is that, despite all of its flaws, it was exactly the book that I
needed to read when I read it.
Rating: 4 out of 10
CVE-2021-33054: SOGo does not validate the signatures of any
SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method.
Other LTS-related work
Many hours were spent, working on ffmpeg, where currently 18 CVEs are opened. Some of them are fixed in git.The work is ongoing.
LTS-Meeting
I attended the Debian LTS team IRC-meeting this month.
Other FLOSS activities
One week before the full freeze of Debian Bullseye the release-critical bug
#990895 against the package
httraqt was filed. Thanks to the reporter I could fix it within the
hour after the ticket was created, uploaded as the version httraqt_1.4.9-5, filed an unblock-request, which was
approved.
If you have been involved in Debian packaging at all in the last few years, you
are probably aware that autopkgtest is now an important piece of the Debian
release process. Back in 2018, the automated testing migration process started
considering autopkgtest test results as part of its decision
making.
Since them, this process has received several improvements. For example, during
the bullseye freeze, non-key packages with a non-trivial
autopkgtest test suite could migrate automatically to testing without their
maintainers needing to open unblock requests, provided there was no regression
in theirs autopkgtest (or those from their reverse dependencies).
Since 2014 when ci.debian.net was first introduced, we have seen an
amazing increase in the number of packages in Debian that can be automatically
tested. We went from around 100 to 15,000 today. This means not only happier
maintainers because their packages get to testing faster, but also improved
quality assurance for Debian as a whole.
However, the growth rate seems to be decreasing. Maybe the low hanging fruit
have all been picked, or maybe we just need to help more people jump in the
automated testing bandwagon.
With that said, we would like to encourage and help more maintainers to add
autopkgtest to their packages. To that effect, I just created the
autopkgtest-help repository on salsa, where we will take
help requests from maintainers working on autopkgtest for their packages.
If you want help, please go ahead and create an issue in there.
To quote the repository README:
Valid requests:
"I want to add autopkgtest to package X. X is a tool that [...] and it works
by [...]. How should I approach testing it?"
It's OK if you have no idea where to start. But at least try to describe your
package, what it does and how it works so we can try to help you.
"I started writing autopkgtest for X, here is my current work in progress
[link]. But I encountered problem Y. How to I move forward?"
If you already have an autopkgtest but is having trouble making it work as
you think it should, you can also ask here.
Invalid requests:
"Please write autopkgtest for my package X for me".
As with anything else in free software, please show appreciation for other
people's time, and do your own research first. If you pose your question with
enough details (see above) and make it interesting, it may be that whoever
answers will write at least a basic structure for you, but as the maintainer
you are still the expert in the package and what tests are relevant.
If you ask your question soon, you might get your answer recorded in video: we
are going to have a DebConf21 talk next month, where we I and
Paul Gevers (elbrus) will answer a few autopkgtest questions in video for
posterity.
Now, if you have experience enabling autopkgtest for you own packages, please
consider watching that repository there to help us help our fellow maintainers.
Like each month, have a look at the work funded by Freexian s Debian LTS offering.
Debian project funding
In June, we put aside 5775 EUR to fund Debian projects for which we re looking forward to receive more projects from various Debian teams! Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In June, 12 contributors have been paid to work on Debian LTS, their reports are available:
Abhijith PA did 18.0h (out of 14h assigned and 19h from May), thus carrying over 15h to July.
Utkarsh Gupta did not report back about their work so we assume they did nothing (out of 40h assigned), thus is carrying over 40h for July.
Evolution of the situation
In June we released 30 DLAs. As already written last month we are looking for a Debian LTS project manager and team coordinator. Finally, we would like to remark once again that we are constantly looking for new contributors. Please contact Holger if you are interested!
The security tracker currently lists 41 packages with a known CVE and the dla-needed.txt file has 23 packages needing an update.
Thanks to our sponsors
Sponsors that joined recently are in bold.
Hello there.
I still can t believe that the first half of GSoC period is almost over. So it s been about 5 weeks working on the project and that means I have a lot to share about it. So without further ado, let s get started.
I will be listing up my work done in the respective tasks.
Task: Migrating Logins to Salsa
The objective of this task was that the users could log in to their account on debci using their Debian Salsa account (collaborative development server for Debian based on the GitLab software) and this is implemented with the help of OmniAuth, the ruby authentication framework.
At the beginning of this, I had to discuss quite a few issues with my mentors that I was bumping into, and by the end of it with multiple revisions and discussions, the following was implemented:
The previous users' table schema of debci comprises the username field which contained mostly the emails of the users with some exceptions and to accommodate the Salsa logins, a new uid field is added to the table to store the Salsa uid of the logged-in user with the username field storing Salsa usernames now and as the Salsa users have the liberty to change their usernames, the updation of username as well as in debci database is also taken care of.
For Salsa login, the ruby-omniauth-gitlab strategy has been used and for login in development mode, the developer strategy which comes with ruby-omniauth has been set up.
Added a Login Page giving the option to log in using Salsa and an additional option to login in Developer Mode which is accessible only in Development Setup so that other contributors don t have to set up dummy Salsa applications for working.
Added specs for the new login process. This was an interesting part, as I got the chance to understand RSpec and facilities provided by OmniAuth to mock the authentication for Integration Testing.
One blocker that I dealt with was that the Debian release from where packages were pulled out for debci have the OmniAuth version 1.8, which was not working well with the developer strategy implementation for the application so to resolve that I did a minor change to the callback API for developer strategy until the time that release have the newer version of OmniAuth.
Another thing we discussed in one of the meetings that in the existing database structure, the tests do not have a real reference to the users' table and rather the username is stored directly as a string for the requestor field, so this thing was fixed as part of this task.
The migration of the existing users' data for the new logins was handled by my mentor Antonio Terceiro and with this, our first task is concluded. All these changes are now part of Debian Continuous Integration platform and you can find the blogpost for same by Antonio here.
This task also allowed me to write my first ever tutorial Tutorial: Integrating OmniAuth with Sinatra Application to help people looking to integrate their ruby application with OmniAuth.
Moving further to the next task in progress.
Task: Adding support for testing security uploads and Debian LTS
This is the next task I am working on enabling private tests in debci for adding support for testing security uploads and Debian LTS. Since it s a bigger task, it is broken down into about 6-7 steps and till now, the following has been done:
The schema of jobs' (tests) table is updated to have a boolean field to store whether the job is private or not.
The is_private parameter is added to both API and Self-Service section so the private test can be submitted through the API as well as through GUI form on the web platform.
Another thing which comes up through discussion in meetings that a parameter is required to add extra-apt-sources for getting packages of security repository and this is the part in progress.
So that concludes my work till now. It has been an amazing journey with lots of learning and also the guidance from the wonderful mentors of my project and I am looking forward to more exciting parts ahead.
That s all for now. See you next time!
In my two most recent posts, I listed the 
Continuing with details of the task I left on
However, the growth rate seems to be decreasing. Maybe the low hanging fruit
have all been picked, or maybe we just need to help more people jump in the
automated testing bandwagon.
With that said, we would like to encourage and help more maintainers to add
autopkgtest to their packages. To that effect, I just created the
I will be listing up my work done in the respective tasks.