LTS This is my fourth month of working for LTS. I was assigned 12 hrs and worked all of them.

Released DLAs

1. DLA 2672-1 imagemagick_6.9.7.4+dfsg-11+deb9u13
   • CVE-2020-27751 A flaw was found in MagickCore/quantum-export.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned long long as well as a shift exponent that is too large for 64-bit type. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior.
   • CVE-2021-20243 A flaw was found in MagickCore/resize.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero.
   • CVE-2021-20245 A flaw was found in coders/webp.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero.
   • CVE-2021-20309 A division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick.
   • CVE-2021-20312 An integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick.
   • CVE-2021-20313 A potential cipher leak when the calculate signatures in TransformSignature is possible.
2. DLA 2677-1 libwebp_0.5.2-1+deb9u1
   • CVE-2018-25009 An out-of-bounds read was found in function WebPMuxCreateInternal. The highest threat from this vulnerability is to data confidentiality and to the service availability.
   • CVE-2018-25010 An out-of-bounds read was found in function ApplyFilter. The highest threat from this vulnerability is to data confidentiality and to the service availability.
   • CVE-2018-25011 A heap-based buffer overflow was found in PutLE16(). The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
   • CVE-2018-25012 An out-of-bounds read was found in function WebPMuxCreateInternal. The highest threat from this vulnerability is to data confidentiality and to the service availability.
   • CVE-2018-25013 An out-of-bounds read was found in function ShiftBytes. The highest threat from this vulnerability is to data confidentiality and to the service availability.
   • CVE-2018-25014 An unitialized variable is used in function ReadSymbol. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
   • CVE-2020-36328 A heap-based buffer overflow in function WebPDecodeRGBInto is possible due to an invalid check for buffer size. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
   • CVE-2020-36329 A use-after-free was found due to a thread being killed too early. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
   • CVE-2020-36330 An out-of-bounds read was found in function ChunkVerifyAndAssign. The highest threat from this vulnerability is to data confidentiality and to the service availability.
   • CVE-2020-36331 An out-of-bounds read was found in function ChunkAssignData. The highest threat from this vulnerability is to data confidentiality and to the service availability.
   CVE-2020-36332 was marked as ignored for stretch due to too disruptive patch for older versions of libwebp.
3. DLA-2687-1 prosody_0.9.12-2+deb9u3
   • CVE-2021-32917 The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server s bandwidth.
   • CVE-2021-32921 Authentication module does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker.
4. DLA-2687-2 prosody_0.9.12-2+deb9u4 Upload prosody_0.9.12-2+deb9u3 introduced a regression in the mod_auth_internal_hashed module. Big thanks to Andre Bianchi for the reporting an issue and for testing the update. CVE-2021-32918, CVE-2021-32920, were marked as ignored for stretch: the affected code is not existing in that version of prosody.

LTS-Meeting I attended the Debian LTS team Jitsi-meeting.

Debian Science Team

openpiv-python I started to package python-openpiv. The software implements PIV (Particle Image Velocimetry) method to compare two images and obtain velocity field.

Other FLOSS activities

Admesh Admesh is the first package which I adopted over 10 years ago! Upstream is not active for a very long time, so I created a github-repo back in 2013. The software helps to manipulate STL-files. STL is the file format for meshes, mostly developed for CAD programs. This month I decided to clean the build system. It was switched to cmake. CI was updated, now it compiles the sources under Linux/Windows environment, runs tests, AddressSanitizer and UndefinedBehaviourSanitizer were employed. Work is ongoing.

I have just updated the Debian Continuous Integration platform with debci 3.1. This update brings a few database performance improvements, courtesy of adding indexes to very important columns that were missing them. And boy, querying a table with 13 million rows without the proper indexes is bad! :-) Now, the most user visible change in this update is the change from Debian SSO to Salsa Logins, which is part of Pavit Kaur's GSoC work. She has been working with me and Paul Gevers for a few weeks, and this was the first official task in the internship. For users, this means that you now can only log in via Salsa. If you have an existing session where you logged in with an SSO certificate, it will still be valid. When you log in with Salsa, your username will be changed to match the one in Salsa. This means that if your account on salsa gets renamed, it will automatically be renamed on Debian CI when you log in the next time. Unfortunately we don't have a logout feature yet, but in the meantime you can use the developer toolbar to delete any existing cookies you might have for ci.debian.net. Migrating to Salsa logins was in my TODO list for a while. I had the impression that it could do it pretty quick to do by using pre-existing libraries that provide gitlab authentication integration for Rack (Ruby's de facto standard web application interface, like uwsgi for Python). But in reality, the devil was in the details. We went through several rounds of reviews to get it right. During the entire process, Pavit demonstrated an excelent capacity for responding to feedback, and overall I'm very happy with her performance in the internship so far. While we were discussing the Salsa logins, we noted a limitation in the existing database structure, where we stored usernames directly as the test requestor field, and decided it was better to normalize that relationship with a proper foreign key to the users table, which she also worked on. This update also include the very first (and non-user visible) step of her next task, which is adding support for having private tests. Those will be useful for implementing testing for embargoed security updates, and other use cases. This was broken up into 7 or 8 seperate steps, so there is still some work to do there. I'm looking forward to the continuation of this work.

Like each month, have a look at the work funded by Freexian s Debian LTS offering. Debian project funding In May, we again put aside 2100 EUR to fund Debian projects. There was no proposals for new projects received, thus we re looking forward to receive more projects from various Debian teams! Please do not hesitate to submit a proposal, if there is a project that could benefit from the funding! We re looking forward to receive more projects from various Debian teams! Learn more about the rationale behind this initiative in this article. Debian LTS contributors In May, 12 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 7.0h (out of 14h assigned and 12h from April), thus carrying over 19h to June.
• Anton Gladky did 12h (out of 12h assigned).
• Ben Hutchings did 16h (out of 13.5h assigned plus 4.5h from April), thus is carrying over 2h for June.
• Chris Lamb did 18h (out of 18h assigned).
• Holger Levsen s work was coordinating/managing the LTS team, he did 5.5h and gave back 6.5h to the pool.
• Markus Koschany did 15h (out of 29.75h assigned and 15h from April), thus carrying over 29.75h to June.
• Ola Lundqvist did 12h (out of 12h assigned and 4.5h from April), thus carrying over 4.5h to June.
• Roberto C. S nchez did 7.5h (out of 27.5h assigned and 27h from April), and gave back 47h to the pool.
• Sylvain Beucler did 29.75h (out of 29.75h assigned).
• Thorsten Alteholz did 29.75h (out of 29.75h assigned).
• Utkarsh Gupta did 29.75h (out of 29.75h assigned).

Evolution of the situation In May we released 33 DLAs and mostly skipped our public IRC meeting and the end of the month. In June we ll have another team meeting using video as lined out on our LTS meeting page.
Also, two months ago we announced that Holger would step back from his coordinator role and today we are announcing that he is back for the time being, until a new coordinator is found.
Finally, we would like to remark once again that we are constantly looking for new contributors. Please contact Holger if you are interested! The security tracker currently lists 41 packages with a known CVE and the dla-needed.txt file has 21 packages needing an update. Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 69 months)
  • GitHub (for 59 months)
  • Civil Infrastructure Platform (CIP) (for 37 months)
• Gold sponsors:
  • Blablacar (for 84 months)
  • Roche Diagnostics International AG (for 80 months)
  • Linode (for 74 months)
  • Babiel GmbH (for 63 months)
  • Plat Home (for 62 months)
  • University of Oxford (for 19 months)
  • Deveryware (for 6 months)
  • VyOS
• Silver sponsors:
  • The Positive Internet Company (for 85 months)
  • Domeneshop AS (for 84 months)
  • Nantes M tropole (for 78 months)
  • Univention GmbH (for 70 months)
  • Universit Jean Monnet de St Etienne (for 70 months)
  • Ribbon Communications, Inc. (for 64 months)
  • Exonet B.V. (for 53 months)
  • Leibniz Rechenzentrum (for 47 months)
  • CINECA (for 37 months)
  • Minist re de l Europe et des Affaires trang res (for 31 months)
  • Cloudways Ltd (for 20 months)
  • Dinahosting SL (for 18 months)
  • Platform.sh (for 13 months)
  • Bauer Xcel Media Deutschland KG (for 12 months)
  • Moxa Intelligence Co., Ltd. (for 6 months)
  • sipgate GmbH (for 4 months)
  • OVH US LLC
  • Tilburg University
• Bronze sponsors:
  • Seznam.cz, a.s. (for 85 months)
  • Evolix (for 84 months)
  • Linuxhotel GmbH (for 82 months)
  • Intevation GmbH (for 81 months)
  • Daevel SARL (for 80 months)
  • Bitfolk LTD (for 79 months)
  • Megaspace Internet Services GmbH (for 79 months)
  • Greenbone Networks GmbH (for 78 months)
  • NUMLOG (for 78 months)
  • WinGo AG (for 77 months)
  • Ecole Centrale de Nantes LHEEA (for 73 months)
  • Entr ouvert (for 69 months)
  • Adfinis AG (for 66 months)
  • Tesorion (for 61 months)
  • GNI MEDIA (for 60 months)
  • Laboratoire LEGI UMR 5519 / CNRS (for 60 months)
  • Bearstech (for 52 months)
  • LiHAS (for 52 months)
  • People Doc (for 48 months)
  • Catalyst IT Ltd (for 46 months)
  • Demarcq SAS (for 40 months)
  • Universit Grenoble Alpes (for 26 months)
  • TouchWeb SAS (for 18 months)
  • SPiN AG (for 15 months)
  • CoreFiling (for 11 months)
  • Institut des sciences cognitives Marc Jeannerod (for 6 months)
  • Observatoire des Sciences de l Univers de Grenoble

To start writing about updates regarding my GSoC project, the first obvious thing I need to do is to explain what my project really is. So let s get started.

About my project

What is debci? Directly stating from the official docs:

The Debian continuous integration (debci) is an automated system that coordinates the execution of automated tests against packages in the Debian system.

Let s try decoding it: Debian is a huge system with thousands of packages and within these packages exist inter-package dependencies. So if any package is updated, it is important to test if that package is working correctly but it is equally important to test that all the packages which are dependent on this updated package are working correctly too. Debci is a platform serving this purpose of automated testing for the entire Debian archive whenever a new version of the package, or of any package in its dependency chain is available. It comes with a UI that lets developers easily run tests and see their results if they pass or not. For my GSoC project, I am working to implement some incremental improvements to debci making it easier to use and maintain.

Community Bonding Period

The debci community Everyone I have come across till now in the community is very nice. The debci community in itself is a small but active community. It really feels good to be a part of conversations here.

Weekly call set up I have two mentors for this project Antonio Terceiro and Paul Gevers and they have set up a weekly sync call with me in which I will share my updates regarding the work done in the past week, any issues I am facing, and discuss the work for next week. In addition to this, I can always contact them on IRC for any issue I am stuck in.

Work till now The first thing I did in the community bonding period is setting up this blog. I wanted to have one for a long time and this seems to be a really nice opportunity to start. And the fact this has been added to Planet Debian too makes me happier to write. I am still trying to get a hang of this and definitely need to learn how to spend less time writing it. I also worked on my already opened merge requests during this period and got them merged. Since I am already familiar with the codebase, so I started with my first deliverable a bit earlier before the official coding period begins which is migrating the logins to Salsa, Debian s Gitlab Instance. Currently, debci uses Debian SSO client certificates for logging in, but that is deprecated so it needs to be migrated to use Salsa as an identity provider. The OmniAuth library is being used to implement this with help of ruby-omniauth-gitlab strategy. I explored a great deal about integrating OmniAuth with our application and bumped into so many issues too when I began implementing that. Once I am done integrating the Salsa Authentication with debci, I am planning to write a separate tutorial on that which could be helpful to other people using OmniAuth with their application. With that, the community bonding period has ended on 7th June and the coding period officially begins and for now, I will be continuing working on my first deliverable. That s all for now. See you next time!

LTS This is my third month of working for LTS. I was assigned 12 hrs and worked all of them.

Released DLAs

1. DLA-2646-1 subversion_1.9.5-1+deb9u6
   • CVE-2020-17525: Remote unauthenticated denial-of-service in Subversion mod_authz_svn
2. DLA-2649-1 cgal_4.9-1+deb9u1
   • CVE-2020-28601: An oob read vulnerability exists in Nef_2/PM_io_parser.h PM_io_parser::read_vertex() Face_of[] OOB read. An attacker can provide malicious input to trigger this vulnerability.
   • CVE-2020-28636: An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sloop() slh->twin() An attacker can provide malicious input to trigger this vulnerability.
   • CVE-2020-35628: An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sloop() slh->incident_sface. An attacker can provide malicious input to trigger this vulnerability.
   • CVE-2020-35636: An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() sfh->volume(). An attacker can provide malicious input to trigger this vulnerability.
3. DLA-2660-1 libgetdata_0.9.4-1+deb9u1
   • CVE-2021-20204: A heap memory corruption problem (use after free) can be triggered when processing maliciously crafted dirfile databases. This degrades the confidentiality, integrity and availability of third-party software that uses libgetdata as a library.

Other LTS-related work

bind9 LTS-repo on salsa for testing Created a repo for bind9 to test the package in he salsa-pipeline. Package testing was asked in the mailing list. After that I have added autopkgtests, which were copied from the main salsa-repo and updated to stretch release.

libwebp and imagemagick Two packages with a high number of CVEs were in my focus this month. The work is not yet finished and DLAs will be released soon.

Debian Science Team I have prepared and uploaded following packages, which are maintained under the umbrella of Debian Science Team:

• gfsview_20121130+dfsg-7, fixed RC-Bug #987935 and created ci-pipeline for the package (team upload). And requested the package unblock #988112.
• Reviewed and sponsored linbox_1.6.3-3 (RC-Bug #987921)
• Prepared and uploaded libgetdata_0.10.0-5+deb10u1, fixing CVE-2021-20204 in buster (through proposed-updates)
• Reviewed and sponsored freefem++_3.61.1+dfsg1-6 (RC-Bug #957233)
• Prepared and uploaded sundials_4.1.0+dfsg-4 (RC-Bug #988551)

Like each month, have a look at the work funded by Freexian s Debian LTS offering. Debian project funding In April, we put aside 5775 EUR to fund Debian projects. There was no proposals for new projects received, thus we re looking forward to receive more projects from various Debian teams! Please do not hesitate to submit a proposal, if there is a project that could benefit from the funding! Debian LTS contributors In April, 11 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 14.0h (out of 14h assigned and 12h from March), thus carrying over 12h to May.
• Anton Gladky did 12h (out of 12h assigned).
• Ben Hutchings did 14h (out of 16h assigned and 2.5h from March), thus carrying over 4.5h to May.
• Chris Lamb did 18h (out of 18h assigned).
• Holger Levsen s work was coordinating/managing the LTS team, he did 10h (out of 12h assigned), and gave 2h back to the pool.
• Markus Koschany did 15.0h (out of 30h assigned), thus carrying over 15h to May.
• Ola Lundqvist did 7.5h (out of 12h assigned), thus carrying over 4.5h to May.
• Roberto C. S nchez did 9.5h (out of 32h assigned and 4.5h from March), thus carrying over 27h to May.
• Sylvain Beucler did 30h (out of 30h assigned).
• Thorsten Alteholz did 30h (out of 30h assigned).
• Utkarsh Gupta did 60h (out of 60h assigned).

Evolution of the situation In April we released 33 DLAs and held a LTS team meeting using video conferencing. The security tracker currently lists 53 packages with a known CVE and the dla-needed.txt file has 26 packages needing an update. We are please to welcome VyOS as a new gold sponsor! Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 68 months)
  • GitHub (for 59 months)
  • Civil Infrastructure Platform (CIP) (for 36 months)
• Gold sponsors:
  • Blablacar (for 83 months)
  • Roche Diagnostics International AG (for 79 months)
  • Linode (for 73 months)
  • Babiel GmbH (for 62 months)
  • Plat Home (for 62 months)
  • University of Oxford (for 18 months)
  • Deveryware (for 5 months)
  • VyOS
• Silver sponsors:
  • The Positive Internet Company (for 84 months)
  • Domeneshop AS (for 83 months)
  • Nantes M tropole (for 77 months)
  • Univention GmbH (for 69 months)
  • Universit Jean Monnet de St Etienne (for 69 months)
  • Ribbon Communications, Inc. (for 63 months)
  • Exonet B.V. (for 53 months)
  • Leibniz Rechenzentrum (for 47 months)
  • CINECA (for 36 months)
  • Minist re de l Europe et des Affaires trang res (for 30 months)
  • Cloudways Ltd (for 20 months)
  • Dinahosting SL (for 18 months)
  • Bauer Xcel Media Deutschland KG (for 12 months)
  • Platform.sh (for 12 months)
  • Moxa Intelligence Co., Ltd. (for 6 months)
  • sipgate GmbH (for 3 months)
  • OVH US LLC
  • Tilburg University
• Bronze sponsors:
  • Evolix (for 84 months)
  • Seznam.cz, a.s. (for 84 months)
  • Intevation GmbH (for 81 months)
  • Linuxhotel GmbH (for 81 months)
  • Daevel SARL (for 79 months)
  • Bitfolk LTD (for 78 months)
  • Megaspace Internet Services GmbH (for 78 months)
  • Greenbone Networks GmbH (for 77 months)
  • NUMLOG (for 77 months)
  • WinGo AG (for 77 months)
  • Ecole Centrale de Nantes LHEEA (for 73 months)
  • Entr ouvert (for 68 months)
  • Adfinis AG (for 65 months)
  • GNI MEDIA (for 60 months)
  • Laboratoire LEGI UMR 5519 / CNRS (for 60 months)
  • Tesorion (for 60 months)
  • Bearstech (for 51 months)
  • LiHAS (for 51 months)
  • People Doc (for 48 months)
  • Catalyst IT Ltd (for 46 months)
  • Supagro (for 41 months)
  • Demarcq SAS (for 40 months)
  • Universit Grenoble Alpes (for 26 months)
  • TouchWeb SAS (for 18 months)
  • SPiN AG (for 15 months)
  • CoreFiling (for 10 months)
  • Institut des sciences cognitives Marc Jeannerod (for 5 months)
  • Observatoire des Sciences de l Univers de Grenoble

I am really excited that my Google Summer of Code proposal with Debian for the project Debian Continuous Integration improvements has been accepted. Through this blog, I am here to share about my Pre-GSoC journey. I knew about GSoC since my first year of college but had this misconception that only great coders get selected for GSoC which did not let me apply to the program until my 3rd year of engineering. I applied this year not because I thought I have turned into one but because I actually wanted to give a fair try to this before the time I become ineligible to participate.

Finding Project Scrolling through the list of GSoC 2021 organizations, I was checking out projects of organizations I am familiar with. Debian is one of the huge Open Source communities that has always inspired developers around the world to contribute to Open Source. So as I checked through Debian projects, I got excited to find the Debian Continuous Integration improvements project (referred to as debci in this post) related to web development and more concerned with backend work which is something I am very much interested in. I joined the community, and as directed by the application tasks of the project I set up the debci on my machine and started with an issue labeled as a newcomer. Soon I was able to submit my first Merge Request and it was reviewed by Antonio Terceiro, the mentor of my GSoC Project. With his further guidance, I was able to turn MR into an acceptable patch, and voila it got merged! That really did boost my morale to contribute further to the project.

Student Application Period At the suggestion of the mentor, during the Student Application Period, I worked on more open issues which were helping me understand the codebase better and in turn the deliverables of the project for my proposal. For my every doubt, I first tried to tackle it myself, and if still not able to find a solution I turn to mentors who did their best to answer my queries and this is how I completed my proposal and got it reviewed by Antonio before finally submitting it on 13th April. I still cannot express that feeling of satisfaction I achieved on submitting the proposal. I finally successfully applied for GSoC.

After Proposal Submission I did not stop my contribution after the Student Application period ended and kept on working on more issues which helped me stay in touch with the project and also because I was enjoying it a lot. I had already made up my mind to contribute more in Open Source as I learned and enjoyed plenty during this process.

Day of Results On 17th May, I got my acceptance mail at around 11:30 pm at night and I remember screaming and waking everybody up in my home to announce the news to them. It was truly the happiest moment for me.

Moment of Truth I would admit that I got involved with GSoC because of the reputation associated with it but things I learned during this pre GSoC period have made me realize the fun and learning opportunities associated with working opensource and I am here to stay for sure. I plan to write more blogs regarding my project and keep you guys updated about my work. Stay tuned!

Here s my (nineteenth) monthly update about the activities I ve done in the F/L/OSS world.

Debian

This was my 28th month of actively contributing to Debian. I became a DM in late March 2019 and a DD on Christmas 19! \o/ Crazy month, as always. Lots of things happening and lots of moving parts.
Now that I am working on Ubuntu-full time, I barely get much time to do any extra stuff. Then the massive COVID wave that has plunged India had made this month further crazier. More on that later, maybe. IDK. Anyway, I did some Debian stuff, thanks to Salzburg BSP (more down below). I worked on the following stuff:

Uploads and bug fixes:

• ruby2.7 (2.7.3-1) - New upstream version, fixing CVE-2021-28965/#986807.
• jackson-databind (2.9.8-3+deb10u3) - buster-pu upload, fixing CVE-2020-24616, CVE-2020-24750, CVE-2020-25649, CVE-2020-35490, CVE-2020-35491, CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185, CVE-2020-36186, CVE-2020-36187, CVE-2020-36188, CVE-2020-36189, and CVE-2021-20190.
• ruby-librarian (0.6.4-3) - Fixing autpkgtest; cf: #987113.
• opendmarc (1.3.2-6+deb10u2) - buster-pu upload, fixing CVE-2020-12460/#966464.
• Sponsored upload of fluidsynth (2.1.7-1.1) to unstable, fixing CVE-2021-28421/#987168 for Reiner Herrmann.
• Sponsored upload of fluidsynth (1.1.11-1+deb10u1) to buster, fixing CVE-2021-28421/#987168 for Reiner Herrmann.
• Sponsored upload of libpam-alreadyloggedin (0.3-9) to unstable, fixing #958224, #986247, and #969122)) for Reiner Herrmann.

Other $things:

• Mentoring for newcomers and assisting people in BSP.
• Moderation of -project mailing list.

---

Salzburg BSP 2021 This was my first virtual BSP and the first BSP in Salzburg and it was absolutely amazing!
Many kudos to Bernd Zeimetz for organizing it so smoothly and wonderfully, for real! \o/ We had a bunch of amazing sessions, besides hacking, of course, like:

• yoga,
• sports,
• games, and
• datacenter tour -> which was super!

We also had lots of things happening at #debian-bsp-2021-szg and did a lot of work.
Whilst everything we did is available on the pad, I work on the following things:

• [deki/utkarsh]: CVE-2021-28421/fluidsynth (sid); cf: #987168/#987471.
• [deki/utkarsh]: CVE-2021-28421/fluidsynth (buster); cf: #987168/#987494.
• [utkarsh]: 18 CVEs for jackson-databind (buster); cf: #987489.
• [utkarsh]: fix for ruby-librarian/#987113 (unblock request: #987501).
• [utkarsh]: 17 CVEs for jackson-databind (stretch); LTS upload.
• [utkarsh]: CVE-2020-12460/opendmarc (stretch); LTS upload.
• [utkarsh]: CVE-2020-12460/opendmarc (buster); cf: #987531.
• [deki/utkarsh]: libpam-alreadyloggedin, broken autopkgtest; #958224
• [deki/utkarsh]: libpam-alreadyloggedin, installed in wrong directory; #986247
• [deki/utkarsh]: libpam-alreadyloggedin, FTCBFS; #969122
• [donfede/utkarsh] 10 CVEs for salt (buster)
• [donfede/utkarsh] 10 CVEs for salt (bullseye)

And finally, we clicked a picture! \o/

---

Debian (E)LTS

Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success. And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support). This was my nineteenth month as a Debian LTS and tenth month as a Debian ELTS paid contributor.
I was assigned 60.00 hours for LTS and 60.00 hours for ELTS and worked on the following things:

LTS CVE Fixes and Announcements:

• Issued DLA 2615-1, fixing CVE-2020-1946, for spamassassin.
  For Debian 9 stretch, these problems have been fixed in version 3.4.2-1~deb9u4.
• Issued DLA 2624-1, fixing CVE-2021-20307, for libpano13.
  For Debian 9 stretch, these problems have been fixed in version 2.9.19+dfsg-2+deb9u1.
• Issued DLA 2625-1, fixing CVE-2021-28374, for courier-authlib.
  For Debian 9 stretch, these problems have been fixed in version 0.66.4-9+deb9u1.
• Issued DLA 2626-1, fixing CVE-2021-1405, for clamav.
  For Debian 9 stretch, these problems have been fixed in version 0.102.4+dfsg-0+deb9u2.
• Uploaded ruby2.7 to sid, fixing CVE-2021-28965.
  For Debian sid, these problems have been fixed in version 2.7.3-1.
• Issued DLA 2630-1, fixing CVE-2021-29447 and CVE-2021-29450, for wordpress.
  For Debian 9 stretch, these problems have been fixed in version 4.7.20+dfsg-1+deb9u1.
• Issued DLA 2633-1, fixing CVE-2021-23961, CVE-2021-23994, CVE-2021-23995, CVE-2021-23998, CVE-2021-23999, CVE-2021-24002, CVE-2021-29945, and CVE-2021-29946, for firefox-esr.
  For Debian 9 stretch, these problems have been fixed in version 78.10.0esr-1~deb9u1. Thanks, Emilio, for all your help on this! \o/
• Issued DLA 2638-1, fixing CVE-2020-24616, CVE-2020-24750, CVE-2020-35490, CVE-2020-35491, CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185, CVE-2020-36186, CVE-2020-36187, CVE-2020-36188, CVE-2020-36189, CVE-2021-20190, and CVE-2020-25649, for jackson-databind.
  For Debian 9 stretch, these problems have been fixed in version 2.8.6-1+deb9u9.
• Issued DLA 2639-1, fixing CVE-2020-12460, for opendmarc.
  For Debian 9 stretch, these problems have been fixed in version 1.3.2-2+deb9u3.
• Uploaded fluidsynth to sid, fixing CVE-2021-28421.
  For Debian sid, these problems have been fixed in version 2.1.7-1.1. Thanks to Reiner Herrmann for their work.
• Uploaded fluidsynth to buster-pu, fixing CVE-2021-28421.
  For Debian sid, these problems have been fixed in version 2.1.7-1.1. Thanks to Reiner Herrmann for their work.

ELTS CVE Fixes and Announcements:

• Issued ELA 396-1, fixing CVE-2021-23358, for underscore.
  For Debian 8 jessie, these problems have been fixed in version 1.7.0~dfsg-1+deb8u1.
• Issued ELA 397-1, fixing CVE-2020-1946, for spamassassin.
  For Debian 8 jessie, these problems have been fixed in version 3.4.2-0+deb8u4.
• Issued ELA 400-1, fixing CVE-2020-25286, CVE-2020-28032, CVE-2020-28033, CVE-2020-28034, CVE-2020-28035, CVE-2020-28036, CVE-2020-28037, CVE-2020-28038, CVE-2020-28039, and CVE-2020-28040, for wordpress.
  For Debian 8 jessie, these problems have been fixed in version 4.1.32+dfsg-0+deb8u1.
• Help issued ELA 401-1, fixing CVE-2021-25329 and CVE-2020-9484, for tomcat7, along with Markus.
  For Debian 8 jessie, these problems have been fixed in version 7.0.56-3+really7.0.100-1+deb8u3.
• Issued ELA 403-1, fixing CVE-2020-24616, CVE-2020-24750, CVE-2020-25649, CVE-2020-35490, CVE-2020-35491, CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185, CVE-2020-36186, CVE-2020-36187, CVE-2020-36188, CVE-2020-36189, and CVE-2021-20190, for jackson-databind.
  For Debian 8 jessie, these problems have been fixed in version 2.4.2-2+deb8u16.
• Uploaded jackson-databind to buster-pu, fixing CVE-2020-24616, CVE-2020-24750, CVE-2020-25649, CVE-2020-35490, CVE-2020-35491, CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185, CVE-2020-36186, CVE-2020-36187, CVE-2020-36188, CVE-2020-36189, and CVE-2021-20190.
  For Debian 10 buster, these problems have been fixed in version 2.9.8-3+deb10u3.
• Issued ELA 404-1, fixing CVE-2021-1405, for clamav.
  For Debian 8 jessie, these problems have been fixed in version 0.102.4+dfsg-0+deb8u2.
• Issued ELA 409-1, fixing CVE-2019-16378 and CVE-2020-12460, for opendmarc.
  For Debian 8 jessie, these problems have been fixed in version 1.3.0+dfsg-1+deb8u1.

Other (E)LTS Work:

• Front-desk duty from 29-03 until 04-04 and then from 26-04 until 02-05 for both LTS and ELTS.
• Triaged spamassassin, codemirror-js, jackson-databind, wordpress, gstreamer, underscore, python-bleach, plinth, libpano13, salt, dojo, ruby2.7, firefox-esr, clamav, composter, courier-authlib, opendmarc, openexr, libimage-exiftool-perl, tomcat7, libjs-handlebars, libnet-netmask-perl, network-manager, and curl.
• Mark CVE-2021-20297/network-manager as not-affected for jessie.
• Mark CVE-2021-22890/curl as not-affected for jessie and stretch.
• Mark CVE-2020-7760/codemirror-js as not-affected for jessie.
• Mark CVE-2021-25122/tomcat8 as not-affected for jessie.
• Mark CVE-2021-XXXX/plinth as no-dsa for stretch.
• Mark CVE-2021-29424/libnet-netmask-perl as no-dsa for stretch.
• Mark CVE-2021-28374/courier-authlib as fixed in 0.58-3.1 for jessie.
• Mark CVE-2021-1252/clamav as not-affected for jessie.
• Mark CVE-2021-1404/clamav as not-affected for jessie.
• Mark CVE-2020-4051/dojo as no-dsa for jessie.
• Mark CVE-2021-29447/wordpress as not-affected for jessie.
• Mark CVE-2021-29450/wordpress as not-affected for jessie.
• Mark CVE-2019-20920/libjs-handlebars as ignored for stretch and jessie.
• Mark CVE-2021-23369/libjs-handlebars as ignored for stretch and jessie.
• Mark CVE-2020-4051/dojo as fixed in 1.15.4+dfsg1-1 for sid and bullseye.
• Mark CVE-2021-28965/ruby2.7 fixed in 2.7.3-1 for sid.
• Mark CVE-2020-12272/opendmarc as postponed for jessie.
• Mark CVE-2021-20296, CVE-2021-3475, CVE-2021-3476, CVE-2021-3477, CVE-2021-3478, and CVE-2021-3479, affecting openexr, as no-dsa for jessie and stretch.
• Suggest proposed fixes for CVE-2021-22876/curl on LTS public list.
• Publish the missing DLA update for the website on behalf of the community contribution. Thread here.
• Help suggest and unblock work if FD is missing or something. Thread here.
• Suggest marking CVE-2021-23369/ node,libjs -handlebars as no-dsa/ignored for all suites. Thread here.
• Help unblock Anton with the failed python2.7 build on i386 by coordinating with the sec team. Thread here.
• Private ELTS-related discussion on the ELTS list (+ w/ Raphael).
• Auto EOL ed webkit2gtk, python-bleach, tika, linux, ircii, spice-vdagent, libspring-security-2.0-java, file-roller, rustc, python-django-registration, gsoap, thunderbird, mosquitto, ruby-sidekiq, gnuchess, libpodofo, unbound, drupal7, 389-ds-base, and scrollz for jessie.
• Answered questions (& discussions) on IRC (#debian-lts and #debian-elts).
• General and other discussions on LTS private and public mailing list.

---

Until next time.
:wq for today.

Like each month, have a look at the work funded by Freexian s Debian LTS offering. Debian project funding In March, we put aside 3225 EUR to fund Debian projects but sadly nobody picked up anything, so this one of the many reasons Raphael posted as series of blog posts titled Challenging times for Freexian , posted in 4 parts on the last two days of March and the first two of April. [Part one, two, three and four] So we re still looking forward to receive more projects from various Debian teams! Learn more about the rationale behind this initiative in this article! Debian LTS contributors In March, 11 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 9.0h (out of 9h assigned and 12h from February), thus carrying over 12h to April.
• Anton Gladky did 12h (out of 12h assigned).
• Ben Hutchings did 25.75h (out of 16h assigned and 12.25h from February), thus carrying over 2.5h to April.
• Chris Lamb did 18h (out of 18h assigned).
• Holger Levsen did 6h coordinating/managing the LTS team.
• Markus Koschany did 30h (out of 30h assigned).
• Ola Lundqvist did 6.h (out of 10h from February).
• Roberto C. S nchez did 9h (out of 32h assigned and 21.5h from February) and gave 40h back, thus carrying over 4.5h to April.
• Sylvain Beucler did 30h (out of 30h assigned).
• Thorsten Alteholz did 30h (out of 30h assigned).
• Utkarsh Gupta did 60h (out of 60h assigned).

Evolution of the situation In March we released 28 DLAs and held our second LTS team meeting for 2021 on IRC, with the next public IRC meeting coming up at the end of May. At that meeting Holger announced that after 2.5 years he wanted to step back from his role helping Rapha l in coordinating/managing the LTS team. We would like to thank Holger for his continuous work on Debian LTS (which goes back to 2014) and are happy to report that we already found a successor which we will introduce in the upcoming April report from Freexian. Finally, we would like to remark once again that we are constantly looking for new contributors. For a last time, please contact Holger if you are interested! The security tracker currently lists 42 packages with a known CVE and the dla-needed.txt file has 28 packages needing an update. We are also pleased to report that we got 4 new sponsors over the last 2 months : thanks to sipgate GmbH, OVH US LLC, Tilburg University and Observatoire des Sciences de l Univers de Grenoble ! Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 67 months)
  • GitHub (for 58 months)
  • Civil Infrastructure Platform (CIP) (for 35 months)
• Gold sponsors:
  • Blablacar (for 82 months)
  • Roche Diagnostics International AG (for 78 months)
  • Linode (for 72 months)
  • Babiel GmbH (for 61 months)
  • Plat Home (for 61 months)
  • University of Oxford (for 17 months)
  • Deveryware (for 4 months)
• Silver sponsors:
  • The Positive Internet Company (for 83 months)
  • Domeneshop AS (for 82 months)
  • Nantes M tropole (for 77 months)
  • Univention GmbH (for 68 months)
  • Universit Jean Monnet de St Etienne (for 68 months)
  • Ribbon Communications, Inc. (for 62 months)
  • Exonet B.V. (for 52 months)
  • Leibniz Rechenzentrum (for 46 months)
  • CINECA (for 35 months)
  • Minist re de l Europe et des Affaires trang res (for 30 months)
  • Cloudways Ltd (for 19 months)
  • Dinahosting SL (for 17 months)
  • Bauer Xcel Media Deutschland KG (for 11 months)
  • Platform.sh (for 11 months)
  • Moxa Intelligence Co., Ltd. (for 5 months)
  • sipgate GmbH
  • OVH US LLC
  • Tilburg University
• Bronze sponsors:
  • Evolix (for 83 months)
  • Seznam.cz, a.s. (for 83 months)
  • Intevation GmbH (for 80 months)
  • Linuxhotel GmbH (for 80 months)
  • Daevel SARL (for 78 months)
  • Bitfolk LTD (for 77 months)
  • Megaspace Internet Services GmbH (for 77 months)
  • NUMLOG (for 77 months)
  • Greenbone Networks GmbH (for 76 months)
  • WinGo AG (for 76 months)
  • Ecole Centrale de Nantes LHEEA (for 72 months)
  • Entr ouvert (for 67 months)
  • Adfinis AG (for 65 months)
  • GNI MEDIA (for 59 months)
  • Laboratoire LEGI UMR 5519 / CNRS (for 59 months)
  • Tesorion (for 59 months)
  • Bearstech (for 50 months)
  • LiHAS (for 50 months)
  • People Doc (for 47 months)
  • Catalyst IT Ltd (for 45 months)
  • Supagro (for 40 months)
  • Demarcq SAS (for 39 months)
  • Universit Grenoble Alpes (for 25 months)
  • TouchWeb SAS (for 17 months)
  • SPiN AG (for 14 months)
  • CoreFiling (for 9 months)
  • Institut des sciences cognitives Marc Jeannerod (for 4 months)
  • Observatoire des Sciences de l Univers de Grenoble

LTS This is my second month of working for LTS. I was assigned 12 hrs and worked all of them.

Released DLAs

1. DLA 2619-1 python3.5_3.5.3-1+deb9u4
   • CVE-2021-23336: only use & as a query string separator
   • CVE-2021-3426: remove the pydoc getfile feature
   • CVE-2021-3177: replace snprintf with Python unicode
   CVE-2021-23336 introduced an API-change. It was hard decision to upload this fix, because it can potentially break user s code, if they code uses semicolon as separator. Another option is not to fix it at all, leaving the security issue open. Not the best solution. Also I have fixed the failing autopkgtest, which was introduced in one of latest CVE fixes. CI-pipelines on salsa.d.o are helping now to detect such mistakes.
2. DLA 2628-1 python2.7_2.7.13-2+deb9u5
   • CVE-2021-23336: only use & as a query string separator
   • CVE-2019-16935: Escape the server title of DocXMLRPCServer.
   CVE-2021-23336 introduced an API-change, same as for python3.5. But the backporting was much harder because python3->2 is not always easy.

Other LTS-related work

CI-pipelines I try to setup for all LTS-packages which I touch CI-pipelines on salsa.d.o. Setting up pipelines for python3.5 and python2.7 was much harder as for other packages. Failing autopkgtests and some other issues. Though it takes at the beginning more time to setup, I believe it improves package quality.

LTS-Meeting I attended the Debian LTS team Jitsi-meeting.

Currently, Debian has two running votings: DPL election 2021 and GR about RSM. If you want to use the command line only for sending the filled ballot per email, there are a couple of helpers. Let us assume, that you have got the ballot, filled it and saved as a vote.txt.

Signed-only message If it is acceptable for you yo send signed only message (not encrypted), use following snippets:

• DPL-vote:

cat vote.txt   gpg --clearsign    mail leader2021@vote.debian.org

• GR-rms-vote:

cat vote.txt   gpg --clearsign    mail gr_rms@vote.debian.org

Signed and encrypted message If you wish to encrypt the message, the public key which is attached to the ballot should be imported with

gpg --import public_key.asc

Then you can vote.

• DPL-vote:

cat vote.txt   gpg --encrypt --armor -s -r leader2021@vote.debian.org    mail leader2021@vote.debian.org

• GR-rms-vote:

cat vote.txt   gpg --encrypt --armor -s -r gr_rms@vote.debian.org    mail gr_rms@vote.debian.org

You can specify some more parameters to the mail such as From:"-field and reply-to address:

...  mail gr_rms@vote.debian.org -a "From: Max Mustermann <max.mustermann@debian.org>" -r max.mustermann@debian.org

Hope that helps.

LTS This is my first (beside test time last year) official month of working for LTS. I was assigned 12 hrs and worked all of them. I could relatively easy set up the development environment for Debian Stretch and managed to release several DLAs.

Released DLAs

1. DLA-2588-1 zeromq3_4.2.1-4+deb9u4
   • CVE-2021-20234
   • CVE-2021-20235
2. DLA-2594-1 tomcat8_8.5.54-0+deb9u6
   • CVE-2021-24122
   • CVE-2021-25122
   • CVE-2021-25329.
3. DLA-2605-1 mariadb-10.1_10.1.48-0+deb9u2
   • CVE-2021-27928

Other LTS-related work

CVE-2020-119977 I investigated CVE-2020-119977, which was marked as guacamole-server issue. There were not so much information about this CVE. I was trying to analyze git log and git diff between affected and fixed versions without any visible success. After that I contacted upstream and they were very responsive! This CVE affects guacamole-client only and the ancient versions in the archive is very difficult to fix. So I decided to mark this CVE as NOT-FOR-US.

Repositories with pipelines For most of packages, which I touched due to LTS work the new repositories were created in LTS packages group on salsa.d.o with enabled CI-pipelines. It really helps to test updates though some tests needs to be disabled for passing pipelines.

LTS-Meeting I attended the Debian LTS team IRC-meeting.

Debian Science Team I have prepared and uploaded following packages, which are maintained under the umbrella of Debian Science Team:

• gmsh_4.7.1+ds1-5
• vtk7_7.1.1+dfsg2-10
• gl2ps_1.4.2+dfsg1-1~bpo10+1
• vtk9_9.0.1+dfsg1-8~bpo10+2
• sundials_5.7.0+dfsg-1~exp1

Other Debian related stuff

• Prepared, uploaded and requested unblock for boost1.74_1.74.0-9
• Moved 4 packages under the roof of Debian Electronics Team Team, which is a better place for them:
  • luma.core_2.3.1+dfsg1-1
  • luma.led-matrix_1.5.0+dfsg1-3
  • pyftdi_0.52.9-4
  • smbus2_0.4.1-3

The Debian CI platform is comprised of 30+ (virtual) machines. Maintaining this many machines, and being able to add new ones with some degree of reliability requires one to use some sort of configuration management. Until about a week ago, we were using Chef for our configuration management. I was, for several years, the main maintainer of Chef in Debian, so using it was natural to me, as I had used it before for personal and work projects. But last year I decided to request the removal of Chef from Debian, so that it won't be shipped with Debian 11 (bullseye). After evaluating a few options, I believed that the path of least resistance was to migrate to itamae. itamae was inspired by chef, and uses a DSL that is very similar to the Chef one. Even though the itamae team claim it's not compatible with Chef, the changes that I needed to do were relatively limited. The necessary code changes might look like a lot, but a large part of them could be automated or done in bulk, like doing simple search and replace operations, and moving entire directories around. In the rest of this post, I will describe the migration process, starting with the infrastructure changes, the types of changes I needed to make to the configuration management code, and my conclusions about the process. Infrastructure changes The first step was to add support for itamae to chake, a configuration management wrapper tool that I wrote. chake was originally written as a serverless remote executor for Chef, so this involved a bit of a redesign. I thought it was worth it to do, because at that point chake had gained several interesting managements features that we no directly tied to Chef. This work was done a bit slowly over the course of the several months, starting almost exactly one year ago, and was completed 3 months ago. I wasn't in a hurry and knew I had time before Debian 11 is released and I had to upgrade the platform. After this was done, I started the work of migrating the then Chef cookbooks to itamae, and the next sections present the main types of changes that were necessary. During the entire process, I sent a few patches out:

• itamae #317 - Make output unbuffered
• itamae #325 - file: add support for sensitive files
• itamae #327 - file: improve diff output
• itamae #337 - package: add :upgrade action. This is work in progress at the moment, and wasn't merged yet.
• serverspec #727 - debian: add support for Debian testing and unstable

Code changes These are the main types of changes that were necessary in the configuration code to accomplish the migration to itamae. Replace cookbook_file with remote_file. The resource known as cookbook_file in Chef is called remote_file in itamae. Fixing this is just a matter of search and replace, e.g.:

-cookbook_file '/etc/apt/apt.conf.d/00updates' do
+remote_file '/etc/apt/apt.conf.d/00updates' do

Changed file locations The file structure assumed by itamae is a lot simpler than the one in Chef. The needed changes were:

• static files and templates moved from cookbooks/$ cookbook / files,templates /default to cookbooks/$ cookbook / files,templates
• recipes moved from cookbooks/$ cookbook /recipes/*.rb to cookbooks/$ cookbook /*.rb
• host-specific files and templates are not supported directly, but can be implemented just by using an explicit source statement, like this:

  remote_file "/etc/foo.conf" do
    source "files/host-# node['fqdn'] /foo.conf"
  end

Explicit file ownership and mode Chef is usually design to run as root on the nodes, and files created are owned by root and have move 0644 by default. With itamae, files are by default owned by the user that was used to SSH into the machine. Because of this, I had to review all file creation resources and add owner, group and mode explicitly:

-cookbook_file '/etc/apt/apt.conf.d/00updates' do
-  source 'apt.conf'
+remote_file '/etc/apt/apt.conf.d/00updates' do
+  source 'files/apt.conf'
+  owner   'root'
+  group   'root'
+  mode    "0644"
 end

In the end, I guess being explicit make the configuration code more understandable, so I take that as a win. Different execution context One of the major differences between Chef itamae comes down the execution context of the recipes. In both Chef and itamae, the configuration is written in DSL embedded in Ruby. This means that the recipes are just Ruby code, and difference here has to do with where that code is executed. With Chef, the recipes are always execute on the machine you are configuring, while with itamae the recipe is executed on the workstation where you run itamae, and that gets translated to commands that need to be executed on the machine being configured. For example, if you need to configure a service based on how much RAM the machine has, with Chef you could do something like this:

total_ram = File.readlines("/proc/meminfo").find do  l 
  l.split.first == "MemTotal:"
end.split[1]
file "/etc/service.conf" do
  # use 20% of the total RAM
  content "cache_size = # ram / 5 KB"
end

With itamae, all that Ruby code will run on the client, so total_ram will contain the wrong number. In the Debian CI case, I worked around that by explicitly declaring the amount of RAM in the static host configuration, and the above construct ended up as something like this:

file "/etc/service.conf" do
  # use 20% of the total RAM
  content "cache_size = # node['total_ram'] / 5 KB"
end

Lessons learned This migration is now complete, and there are a few points that I take away from it:

• The migration is definitely viable, and I'm glad I picked itamae after all.
• Of course, itamae is way simpler than Chef, and has less features. On the other hand, this means that it a simple package to maintain, with less dependencies and keeping it up to date is a lot easier.
• itamae is considerably slower than Chef. On my local tests, a noop execution (e.g. re-applying the configuration a second time) against local VMs with itamae takes 3x the time it takes with Chef.

All in all, the system is working just fine, and I consider this to have been a successful migration. I'm happy it worked out.

So, 2021 isn't bad enough yet, but don't despair, people are working to fix that:

Welcome to the Stallman wars Team Cancel: https://rms-open-letter.github.io/ (repo) Team Support: https://rms-support-letter.github.io/ (repo) Current stats are:

Team Cancel:  3028 signers from 1413 individual commit authors
Team Support: 6249 signers from 5018 individual commit authors

Git shortlog (Top 10):

rms_cancel.git (Last update: 2021-04-07 15:42:33 (UTC))
  1228  Neil McGovern
   251  Joan Touzet
    86  Elana Hashman
    71  Molly de Blanc
    36  Shauna
    19  Juke
    18  Stefano Zacchiroli
    17  Alexey Mirages
    16  Devin Halladay
    14  Nader Jafari
rms_support.git (Last update: 2021-04-12 09:25:53 (UTC))
  1678  shenlebantongying
  1564  nukeop
  1550  Ivanq
   826  Victor
   746  Job Bautista
   123  nekonee
    61  Victor Gridnevsky
    38  Patrick Spek
    25  Borys Kabakov
    17  KIM Taeyeob

(last updated 2021-04-12 09:26:15 (UTC)) Technical info:
Signers are counted from their "Signed / Individuals" sections. Commits are counted with git shortlog -s.
Team Cancel also has organizational signatures with Mozilla, Suse and X.Org being among the notable signatories. Debian is in the process of running a GR to join (or not join) that list. The 16 original signers of the Cancel petition are added in their count. Neil McGovern, Juke and shenlebantongying need .mailmap support as they have committed with different names. Further reading:

• An introductory Ars Technica article in case you wonder what this all is about.
• Debian vote mailing-list: March 2021, April 2021
• NYT Magazine on the history of cancel culture
• Ed Santos' commentary and analysis

The following contributors got their Debian Developer accounts in the last two months:

• Nicholas D. Steeves (sten)
• Nilesh Patra (nilesh)
• David Su rez Rodr guez (deiv)
• Pierre Gruet (pgt)

The following contributors were added as Debian Maintainers in the last two months:

• Antonio Valentino
• Boian Nikolaev Bonev
• Filip Hroch
• Maarten L. Hekkelman
• Xialei Qin
• Xiang Gao

Congratulations!

In English

• Auto-antonym - Wikipedia, "a word with multiple meanings (senses) of which one is the reverse of another"
• Aizuchi - Wikipedia "the frequent interjections during a conversation that indicate the listener is paying attention or understands the speaker."
• Louis Wolfson (writer) - Wikipedia "an American author who writes in French. Treated for schizophrenia since childhood, he cannot bear hearing or reading his native language and has invented a method of immediately translating every English sentence into a foreign phrase with the same sound and meaning."
• 'N shu: China s secret female-only language'
• Lexical Distance Among the Languages of Europe "This chart shows the lexical distance that is, the degree of overall vocabulary divergence among the major languages of Europe."
• List of Latin legal terms - Wikipedia "A number of Latin terms are used in legal terminology and legal maxims."
• Pronunciation sounds-of-english

In Italiano

• Forestierismi "Lista dei forestierismi e dei loro traducenti italiani"
• La corrispondenza italiana: abbreviazioni
• Metrica italiana
• Accademia Attori - Corso di Dizione Online
• La questione dei nomi delle professioni al femminile una volta per tutte

Here s my (eleventh) monthly update about the activities I ve done in the F/L/OSS world.

Debian

This was my 20th month of contributing to Debian. I became a DM in late March last year and a DD last Christmas! \o/ Well, this month we had DebConf! \o/
(more about this later this week!) Anyway, here are the following things I did in Debian this month:

Uploads and bug fixes:

• rubocop (0.89.1+dfsg-1) - New upstream version for RuboCop::Packaging.
• ruby-rubocop-ast (0.3.0+dfsg-1) - New upstream version for RuboCop's latest version.
• ruby-rubocop-packaging (0.3.0-1) - Shouldn t check lib/ and gemspec file.
• bidi-clojure (2.1.3-1) - New upstream version for Puppet6.
• Source-only uploads for ruby-anima, ruby-uniform-notifier, ruby-unparser, ruby-morpher, and ruby-path-expander.

Other $things:

• Mentoring for newcomers.
• FTP Trainee reviewing.
• Moderation of -project mailing list.
• Sponsored php-dasprid-enum and php-bacon-baconqrcode for William and ruby-unparser, ruby-morpher, and ruby-path-exapander for Cocoa.

---

Goodbye GSoC! \o/ In May, I got selected as a Google Summer of Code student for Debian again! \o/
I am working on the Upstream-Downstream Cooperation in Ruby project. The other 5 blogs can be found here:

• GSoC Phase 1 (part 1).
• GSoC Phase 1 (part 2).
• GSoC Phase 2 (part 1).
• GSoC Phase 2 (part 2).
• GSoC Phase 3 (part 1).
• And this is GSoC Phase 3 (part 2).

Also, I log daily updates at gsocwithutkarsh2102.tk. Since this is a wrap and whilst the daily updates are already available at the above site^, I ll quickly mention the important points and links here.

• The git repository is hosted on GitHub: https://github.com/utkarsh2102/rubocop-packaging.
• It is a linter, an extension of RuboCop, focused on enforcing upstream best practices and coding conventions.
• There have been 5 releases in all, including 4 cops and other bug fixes (including false-positives and false-negatives).
• The entire source code is documented with a separate docs/ directory, which is hosted at https://docs.rubocop.org/rubocop-packaging.
• The packaging style guide is hosted at https://packaging.rubystyle.guide.
• At the time of writing this, it is being used by around 30 other projects ^.^
• Not only could you install this via gem install rubocop-packaging, but also via apt install ruby-rubocop-packaging.
• The total work consists of around 85 commits with 15 PRs, contributed by 4 amazing people (including me :P) in the last 3 months (June 20 to August 20).
• And finally, many thanks to two amazing people (the mentors for this project), Antonio Terceiro and David Rodr guez!

---

Continuation of GSoC for other Ruby related stuff!

Whilst working on Rubocop::Packaging, I contributed to more Ruby projects, refactoring their library a little bit and mostly fixing RuboCop issues and fixing issues that the Packaging extension reports as offensive .
Following are the PRs that I raised:

• PR #170 for autoprefixer-rails to drop git ls-files in gemspec.
• PR #479 for cucumber-rails to update RuboCop and RuboCop::Packaging.
• PR #1465 for cucumber-ruby for updating RuboCop to v0.89.
• PR #208 for cucumber-ruby-core to fix .rubocop.yml and add RuboCop::Packaging as a development dependency.
• PR #178 for webdrivers to update the RuboCop and RuboCop::RSpec version to the latest.
• PR #179 for webdrivers to drop git ls-files in gemspec.

---

Debian (E)LTS

Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success. And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support). This was my eleventh month as a Debian LTS and my second as a Debian ELTS paid contributor.
I was assigned 21.75 hours for LTS and 14.25 hours for ELTS and worked on the following things:

LTS CVE Fixes and Announcements:

• Issued DLA 2304-1, fixing CVE-2015-9542, for libpam-radius-auth.
  For Debian 9 Stretch, these problems have been fixed in version 1.3.16-5+deb9u1.
• Issued DLA 2305-1, fixing CVE-2018-10756, for transmission.
  For Debian 9 Stretch, these problems have been fixed in version 2.92-2+deb9u2.
• Issued DLA 2307-1, fixing CVE-2018-1000544, for ruby-zip.
  For Debian 9 Stretch, these problems have been fixed in version 1.2.0-1.1+deb9u1.
• Issued DLA 2308-1, fixing CVE-2019-17113, for libopenmpt.
  For Debian 9 Stretch, these problems have been fixed in version 0.2.7386~beta20.3-3+deb9u4.
• Issued DLA 2317-1, fixing CVE-2020-10177, for pillow.
  For Debian 9 Stretch, these problems have been fixed in version 4.0.0-4+deb9u2.
• Issued DLA 2318-1, fixing CVE-2019-10064 and CVE-2020-12695, for wpa.
  For Debian 9 Stretch, these problems have been fixed in version 2:2.4-1+deb9u7.
• Started working on uwsgi update for CVE-2020-11984. It seems that src:apache2 wasn t affected by that, but src:uwsgi was.

ELTS CVE Fixes and Announcements:

• Issued ELA 255-1, fixing CVE-2020-14344, for libx11.
  For Debian 8 Jessie, these problems have been fixed in version 2:1.6.2-3+deb8u3.
• Issued ELA 259-1, fixing CVE-2020-10177, for pillow.
  For Debian 8 Jessie, these problems have been fixed in version 2.6.1-2+deb8u5.
• Issued ELA 269-1, fixing CVE-2020-11985, for apache2.
  For Debian 8 Jessie, these problems have been fixed in version 2.4.10-10+deb8u17.
• Started working on clamAV update, it s a major bump from v0.101.5 to v0.102.4. There were lots of movings parts. Contacted upstream maintainers to help reduce the risk of regression. Came up with a patch to loosen the libcurl version requirement. Hopefully, the update could be rolled out soon!

Other (E)LTS Work:

• I spent an additional 11.15 hours working on compiling the responses of the LTS survey and preparing a gist of it for its presentation during the Debian LTS BoF at DebConf20.
• Triaged qemu, pillow, gupnp, clamav, apache2, and uwsgi.
• Marked CVE-2020-11538/pillow as not-affected for Stretch.
• Marked CVE-2020-11984/apache2 as not-affected for Stretch.
• Marked CVE-2020-10378/pillow as not-affected for Jessie.
• Marked CVE-2020-11538/pillow as not-affected for Jessie.
• Marked CVE-2020-3481/clamav as not-affected for Jessie.
• Marked CVE-2020-11984/apache2 as not-affected for Jessie.
• Marked CVE-2020- 9490,11993 /apache2 as not-affected for Jessie.
• Hosted Debian LTS BoF at DebConf20. Recording here.
• General discussion on LTS private and public mailing list.

---

Until next time.
:wq for today.

As a response to Antonio Terceiro s blog post, I m publishing some FFmpeg commands I ve been using recently. Embedding subtitles Sometimes you have a video with subtitles in multiple languages and you don t want to clutter the directory with a lot of similarly-named files or maybe you want to be able to easily transfer the video and subtitles at once. In this case, it may be useful to embed to subtitles directly into the video container file. This commands recodes the subtitle file into a format appropriate for the MP4 container and embeds it with a metadata element telling the video player what language it is in. You can add multiple subtitles at once, or you can also transcode the audio to AAC while doing so (I found that a lot of Android devices can t play Ogg Vorbis streams): Hard subtitles Sometimes you need to play the video with subtitles on devices not supporting them. In that case, it may be useful to hardcode the subtitles directly into the video stream: Unfortunately, if you also want to apply more transformations to the video, it starts getting tricky, the -vf option is no longer enough: This command adds an overlay to the video stream (in my case I overlaid a full frame over the original video offering some explanations), increases the volume ten times and adds hard subtitles. P.S. You can see the practical application of the above in this video with a head of one of the electoral commissions in Belarus forcing the members of the staff to manipulate the voting results. I transcribed the video in both Russian and English and encoded the English subtitles into the video.

Following Antonio Terceiro s post on tips for using ffmpeg for editing video, I will also share a bit of my experience producing my video for my session in DebConf20. I recorded my talk today. As Terceiro mentioned, even though I m used to speaking in front of my webcam (i.e. for my classes and some smaller conferences I ve worked on during the COVID lockdown), it does feel a bit weird to present a live talk to nobody :- OK, one step back. Why are we doing this? Because our hardworking friends of the DebConf20 video team recommended so. In order to minimize connecitvity issues from the variety of speakers throughout the world, we were requested to pre-record the exposition part of our talks, send them to the video team (deadline: today 2020-08-16, in case you still owe yours!), and make sure to be present at the end of the talk for the Q&A session. Of course, for a 45 minute talk, I prepared a 30 minute presentation, saving time for said Q&A session. Anyway, I used the excellent OBS studiolive video mixing/editing program (of course, Debian packages are available. This allowed me to set up several predefined views (combinations and layouts of the presentation, webcam, and maybe some other sources) and professionally and elegantly switch between them on the fly. I am still a newbie with OBS, but I surely see it becoming a part of my day to day streaming. Of course, my setup still was obvious (me looking right every now and then to see or control OBS, as I work on a dual-monitor setup ) Anyway, the experience was very good, much smoother and faster than what I usually have to do when editing video. But just as I was finishing thanking the (future) audience and closing the recording I had to tell the camera, oh, fuck! The button labeled Start Recording Had not been pressed. So, did I just lose 30 minutes of my life, plus a half-decent delivered talk? No, fortunately not. I had previously been playing with OBS, and configured some things. The button I did press was Start Streaming . So, my talk (swearing included, of course) was dutifully streamed over to my YouTube channel. It seems up to five people got a sneak preview as to what will my DebConf participation be (of course, I ve de-listed the video). I pulled it with the always-handy youtube-dl, edited out my curses using kdenlive, and pushed it to the DebConf video server. Oh, make sure you follow the advice for recording presentations. It has all the relevant advice, the settings you should use, and much more welcome information if you are new to this. So Next week, DebConf20! Be there or be square!

For DebConf20, we are recommending that speakers pre-record the presentation part of their talks, and will have live Q&A. We had a smaller online MiniDebConf a couple of months ago, where for instance I had connectivity issues during my talk, so even though it feels too artificial, I guess pre-recording can decrease by a lot the likelihood of a given talk going bad. Paul Gevers and I submitted a short 20 min talk giving an update on autopkgtest, ci.debian.net and friends. We will provide the latest updates on autopkgtest, autodep8, debci, ci.debian.net, and its integration with the Debian testing migration software, britney. We agreed on a split of the content, each one recorded their part, and I offered to join them together. The logical chaining of the topics is such that we can't just concatenate the recordings, so we need to interlace our parts. So I set out to do a full video editing work. I have done this before, although in a simpler way, for one of the MiniDebconfs we held in Curitiba. In that case, it was just cutting the noise at the beginning and the end of the recording, and adding beginning and finish screens with sponsors logos etc. The first issue I noticed was that both our recordings had a decent amount of audio noise. To extract the audio track from the videos, I resorted to How can I extract audio from video with ffmpeg? on Stack Overflow:

ffmpeg -i input-video.avi -vn -acodec copy output-audio.aac

I then edited the audio with Audacity. I passed a noise reduction filter a couple of times, then a compressor filter to amplify my recording on mine, as Paul's already had a good volume. And those are my more advanced audio editing skills, which I acquired doing my own podcast. I now realized I could have just muted the audio tracks from the original clip and align the noise-free audio with it, but I ended up creating new video files with the clean audio. Another member of the Stack Overflow family came to the rescue, in How to merge audio and video file in ffmpeg. To replace the audio stream, we can do something like this:

ffmpeg -i video.mp4 -i audio.wav -c:v copy -c:a aac -map 0:v:0 -map 1:a:0 output.mp4

Paul's recording had a 4:3 aspect ratio, while the requested format is 16:9. This late in the game, there was zero chance I would request him to redo the recording. So I decided to add those black bars on the side to make it the right aspect when showing full screen. And yet again the quickest answer I could find came from the Stack Overflow empire: ffmpeg: pillarbox 4:3 to 16:9:

ffmpeg -i "input43.mkv" -vf "scale=640x480,setsar=1,pad=854:480:107:0" [etc..]

The final editing was done with pitivi, which is what I have used before. I'm a very basic user, but I could do what I needed. It was basically splitting the clips at the right places, inserting the slides as images and aligning them with the video, and making most our video appear small in the corner when presenting the slides. P.S.: all the command lines presented here are examples, basically copied from the linked Q&As, and have to be adapted to your actual input and output formats.