Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In October, 221.50 work hours have been dispatched among 13 paid contributors. Their reports are available:

• Abhijith PA did 16.0h (out of 14h assigned and 2h from September).
• Adrian Bunk did 7h (out of 20.75h assigned and 5.75h from September), thus carrying over 19.5h to November.
• Ben Hutchings did 11.5h (out of 6.25h assigned and 9.75h from September), thus carrying over 4.5h to November.
• Brian May did 10h (out of 10h assigned).
• Chris Lamb did 18h (out of 18h assigned).
• Emilio Pozuelo Monfort did 20.75h (out of 20.75h assigned).
• Holger Levsen did 7.0h coordinating/managing the LTS team.
• Markus Koschany did 20.75h (out of 20.75h assigned).
• Mike Gabriel gave back the 8h he was assigned. See below
• Ola Lundqvist did 10.5h (out of 8h assigned and 2.5h from September).
• Roberto C. S nchez did 13.5h (out of 20.75h assigned) and gave back 7.25h to the pool.
• Sylvain Beucler did 20.75h (out of 20.75h assigned).
• Thorsten Alteholz did 20.75h (out of 20.75h assigned).
• Utkarsh Gupta did 20.75h (out of 20.75h assigned).

Evolution of the situation October was a regular LTS month with a LTS team meeting done via video chat thus there s no log to be shared. After more than five years of contributing to LTS (and ELTS), Mike Gabriel announced that he founded a new company called Frei(e) Software GmbH and thus would leave us to concentrate on this new endeavor. Best of luck with that, Mike! So, once again, this is a good moment to remind that we are constantly looking for new contributors. Please contact Holger if you are interested! The security tracker currently lists 42 packages with a known CVE and the dla-needed.txt file has 39 packages needing an update. Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
• TOSHIBA (for 62 months)
• GitHub (for 52 months)
• Civil Infrastructure Platform (CIP) (for 30 months)
• Gold sponsors:
• Blablacar (for 77 months)
• Roche Diagnostics International AG (for 73 months)
• Linode (for 67 months)
• Babiel GmbH (for 56 months)
• Plat Home (for 55 months)
• University of Oxford (for 12 months)
• Silver sponsors:
• The Positive Internet Company (for 78 months)
• Domeneshop AS (for 77 months)
• Nantes M tropole (for 71 months)
• Univention GmbH (for 63 months)
• Universit Jean Monnet de St Etienne (for 63 months)
• Ribbon Communications, Inc. (for 57 months)
• Exonet B.V. (for 46 months)
• Leibniz Rechenzentrum (for 40 months)
• CINECA (for 30 months)
• Minist re de l Europe et des Affaires trang res (for 24 months)
• Cloudways Ltd (for 13 months)
• Dinahosting SL (for 11 months)
• Platform.sh (for 6 months)
• Bauer Xcel Media Deutschland KG (for 5 months)
• Bronze sponsors:
• Seznam.cz, a.s. (for 78 months)
• Evolix (for 77 months)
• Linuxhotel GmbH (for 75 months)
• Intevation GmbH (for 74 months)
• Daevel SARL (for 73 months)
• Bitfolk LTD (for 72 months)
• Megaspace Internet Services GmbH (for 72 months)
• Greenbone Networks GmbH (for 71 months)
• NUMLOG (for 71 months)
• WinGo AG (for 70 months)
• Ecole Centrale de Nantes LHEEA (for 66 months)
• Entr ouvert (for 62 months)
• Adfinis AG (for 59 months)
• Tesorion (for 54 months)
• GNI MEDIA (for 53 months)
• Laboratoire LEGI UMR 5519 / CNRS (for 53 months)
• Bearstech (for 45 months)
• LiHAS (for 45 months)
• People Doc (for 41 months)
• Catalyst IT Ltd (for 39 months)
• Supagro (for 35 months)
• Demarcq SAS (for 33 months)
• Universit Grenoble Alpes (for 19 months)
• TouchWeb SAS (for 11 months)
• SPiN AG (for 8 months)
• CoreFiling (for 4 months)

No comment Liked this article? Click here. My blog is Flattr-enabled.

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In September, 208.25 work hours have been dispatched among 13 paid contributors. Their reports are available:

• Abhijith PA did 12.0h (out of 14h assigned), thus carrying over 2h to October.
• Adrian Bunk did 14h (out of 19.75h assigned), thus carrying over 5.75h to October.
• Ben Hutchings did 8.25h (out of 16h assigned and 9.75h from August), but gave back 7.75h, thus carrying over 9.75h to October.
• Brian May did 10h (out of 10h assigned).
• Chris Lamb did 18h (out of 18h assigned).
• Emilio Pozuelo Monfort did 19.75h (out of 19.75h assigned).
• Holger Levsen did 5h coordinating/managing the LTS team.
• Markus Koschany did 31.75h (out of 19.75h assigned and 12h from August).
• Ola Lundqvist did 9.5h (out of 12h from August), thus carrying 2.5h to October.
• Roberto C. S nchez did 19.75h (out of 19.75h assigned).
• Sylvain Beucler did 19.75h (out of 19.75h assigned).
• Thorsten Alteholz did 19.75h (out of 19.75h assigned).
• Utkarsh Gupta did 8.75h (out of 19.75h assigned), while he already anticipated the remaining 11h in August.

Evolution of the situation September was a regular LTS month with an IRC meeting. The security tracker currently lists 45 packages with a known CVE and the dla-needed.txt file has 48 packages needing an update. Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
• TOSHIBA (for 61 months)
• GitHub (for 51 months)
• Civil Infrastructure Platform (CIP) (for 28 months)
• Gold sponsors:
• Blablacar (for 76 months)
• Roche Diagnostics International AG (for 71 months)
• Linode (for 66 months)
• Babiel GmbH (for 55 months)
• Plat Home (for 54 months)
• University of Oxford (for 10 months)
• Silver sponsors:
• The Positive Internet Company (for 77 months)
• Domeneshop AS (for 76 months)
• Nantes M tropole (for 70 months)
• Univention GmbH (for 62 months)
• Universit Jean Monnet de St Etienne (for 62 months)
• Ribbon Communications, Inc. (for 55 months)
• Exonet B.V. (for 45 months)
• Leibniz Rechenzentrum (for 39 months)
• CINECA (for 29 months)
• Minist re de l Europe et des Affaires trang res (for 23 months)
• Cloudways Ltd (for 12 months)
• Dinahosting SL (for 10 months)
• Bauer Xcel Media Deutschland KG (for 4 months)
• Platform.sh (for 4 months)
• Bronze sponsors:
• Seznam.cz, a.s. (for 77 months)
• Evolix (for 76 months)
• Linuxhotel GmbH (for 74 months)
• Intevation GmbH (for 73 months)
• Daevel SARL (for 72 months)
• Bitfolk LTD (for 71 months)
• Megaspace Internet Services GmbH (for 71 months)
• Greenbone Networks GmbH (for 70 months)
• NUMLOG (for 70 months)
• WinGo AG (for 69 months)
• Ecole Centrale de Nantes LHEEA (for 65 months)
• Entr ouvert (for 60 months)
• Adfinis AG (for 58 months)
• GNI MEDIA (for 52 months)
• Laboratoire LEGI UMR 5519 / CNRS (for 52 months)
• Tesorion (for 52 months)
• Bearstech (for 44 months)
• LiHAS (for 44 months)
• People Doc (for 40 months)
• Catalyst IT Ltd (for 38 months)
• Supagro (for 34 months)
• Demarcq SAS (for 32 months)
• Universit Grenoble Alpes (for 18 months)
• TouchWeb SAS (for 10 months)
• SPiN AG (for 7 months)
• CoreFiling (for 3 months)

No comment Liked this article? Click here. My blog is Flattr-enabled.

I'm mirroring and reworking a large Git repository with git filter-branch (conversion ETA: 20h), and I was wondering how to use --state-branch which is supposed to speed-up later updates, or split a large conversion in several updates. The documentation is pretty terse, the option can produce weird results (like an identity mapping that breaks all later updates, or calling the expensive tree-filter but discarding the results), wrappers are convoluted, but I got something to work so I'll share The main point is: run the initial script and the later updates in the same configuration, which means the target branch needs to be reset to the upstream branch each time, before it's rewritten again by filter-branch. In other words, don't re-run it on the rewritten branch, nor attempt some complex merge/cherry-pick.

git fetch
git branch --no-track -f myrewrite origin/master
git filter-branch \
  --xxx-filter ... \
  --xxx-filter ... \
  --state-branch refs/heads/filter-branch/myrewrite \
  -d /dev/shm/filter-branch/$$ -f \
  myrewrite

Updates restart from scratch but only take a few seconds to skim through all the already-rewritten commits, and maintain a stable history. Note that if the process is interrupted, the state-branch isn't modified, so it's not a stop/resume feature. If you want to split a lenghty conversion, you could simulate multiple upstream updates by checking out successive points in history (e.g. per year using $(git rev-list -1 --before='2020-01-01 00:00:00Z')). --state-branch isn't meant to rewrite in reverse chronological order either, because all commit ids would constantly change. Still, you can rewrite only the recent history for a quick discardable test. Be cautious when using/deleting rewritten branches, especially during early tests, because Git tends to save them to multiple places which may desync (e.g. .git/refs/heads/, .git/logs/refs/, .git/packed-refs). Also remember to delete the state-branch between different tests. Last, note the unique temporary directory -d to avoid ruining concurrent tests ^_^'

Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor. In September, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 19.75h for LTS (out of my 30 max; all done) and 20h for ELTS (out of my 20 max; all done). ELTS - Jessie

• qemu: jessie triage: finish work started in August
• qemu: backport 5 CVE fixes, perform virtual and physical testing, security upload ELA-283-1
• libdbi-perl: global triage: clarifications, confirm incomplete and attempt to get upstream action, request new CVE following discussion with security team
• libdbi-perl: backport 5 CVE fixes, test, security upload ELA-285-1

LTS - Stretch

• qemu: stretch triage, while working on ELTS update; mark several CVEs unaffected, update patch/status
• wordpress: global triage: reference new patches, request proper CVE to fix our temporary tracking
• wordpress: revamp package: upgrade to upstream's stable 4.7.5->4.7.18 to ease future updates, re-apply missing patches, fix past regression and notify maintainer, security upload DLA-2371-1
• libdbi-perl: common work with ELTS, security upload DLA-2386-1
• public IRC team meeting

Documentation/Scripts

• LTS/TestSuites/wordpress: new page with testsuite import and manual tests
• LTS/TestSuites/qemu: minor update
• wiki.d.o/Sympa: update Sympa while using it as a libdbi-perl reverse-dep test (update for newer versions, explain how to bootstrap admin access)
• www.d.o/lts/security: import a couple missing announcements and notify uploaders about procedures
• Check status for pdns-recursor, following user request
• Check status for golang-1.7 / CVE-2019-9514 / CVE-2019-9512
• Attempt to improve cooperation after seeing my work discarded and redone as-is, which sadly isn't the first time; no answer
• Historical analysis of our CVE fixes: experiment to gather per-CVE tracker history

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In August, 237.25 work hours have been dispatched among 14 paid contributors. Their reports are available:

• Abhijith PA did 10.0h (out of 10h assigned).
• Adrian Bunk did 31h (out of 21.75h assigned and 9.25h from July).
• Ben Hutchings did 6.25h (out of 16h assigned), thus carrying over 9.75h to September.
• Brian May did 10h (out of 10h assigned).
• Chris Lamb did 18h (out of 18h assigned).
• Emilio Pozuelo Monfort did 21.75h (out of 21.75h assigned).
• Holger Levsen did 7h coordinating/managing the LTS team.
• Markus Koschany did 20h (out of 21.75h assigned and 10.25h from July), thus carrying over 12h to September.
• Mike Gabriel did 16.0h (out of 8h assigned and 8h from July).
• Ola Lundqvist did 6.9h (out of 8h assigned and 16h from July), and gave back 5.1h, thus carrying over 12h to September.
• Roberto C. S nchez did 21.75h (out of 21.75h assigned).
• Sylvain Beucler did 21.75h (out of 21.75h assigned).
• Thorsten Alteholz did 21.75h (out of 21.75h assigned).
• Utkarsh Gupta did 32.75h (out of 21.75h assigned and anticipating 11h from September).

Evolution of the situation August was a regular LTS month once again, even though it was only our 2nd month with Stretch LTS.
At the end of August some of us participated in DebConf 20 online where we held our monthly team meeting. A video is available.
As of now this video is also the only public resource about the LTS survey we held in July, though a written summary is expected to be released soon. The security tracker currently lists 56 packages with a known CVE and the dla-needed.txt file has 55 packages needing an update. Thanks to our sponsors Sponsors that recently joined are in bold.

• Platinum sponsors:
• TOSHIBA (for 60 months)
• GitHub (for 50 months)
• Civil Infrastructure Platform (CIP) (for 27 months)
• Gold sponsors:
• Blablacar (for 75 months)
• Roche Diagnostics International AG (for 70 months)
• Linode (for 65 months)
• Babiel GmbH (for 54 months)
• Plat Home (for 53 months)
• University of Oxford (for 9 months)
• Silver sponsors:
• The Positive Internet Company (for 76 months)
• Domeneshop AS (for 75 months)
• Nantes M tropole (for 69 months)
• Univention GmbH (for 61 months)
• Universit Jean Monnet de St Etienne (for 61 months)
• Ribbon Communications, Inc. (for 54 months)
• Exonet B.V. (for 44 months)
• Leibniz Rechenzentrum (for 38 months)
• CINECA (for 28 months)
• Minist re de l Europe et des Affaires trang res (for 22 months)
• Cloudways Ltd (for 11 months)
• Dinahosting SL (for 9 months)
• Bauer Xcel Media Deutschland KG (for 3 months)
• Platform.sh (for 3 months)
• Bronze sponsors:
• Seznam.cz, a.s. (for 76 months)
• Evolix (for 75 months)
• Linuxhotel GmbH (for 73 months)
• Intevation GmbH (for 72 months)
• Daevel SARL (for 71 months)
• Bitfolk LTD (for 70 months)
• Megaspace Internet Services GmbH (for 70 months)
• Greenbone Networks GmbH (for 69 months)
• NUMLOG (for 69 months)
• WinGo AG (for 68 months)
• Ecole Centrale de Nantes LHEEA (for 64 months)
• Entr ouvert (for 59 months)
• Adfinis AG (for 57 months)
• GNI MEDIA (for 51 months)
• Laboratoire LEGI UMR 5519 / CNRS (for 51 months)
• Tesorion (for 51 months)
• Bearstech (for 43 months)
• LiHAS (for 43 months)
• People Doc (for 39 months)
• Catalyst IT Ltd (for 37 months)
• Supagro (for 33 months)
• Demarcq SAS (for 31 months)
• Universit Grenoble Alpes (for 17 months)
• TouchWeb SAS (for 9 months)
• SPiN AG (for 6 months)
• CoreFiling

No comment Liked this article? Click here. My blog is Flattr-enabled.

Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor. In August, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 21.75h for LTS (out of my 30 max; all done) and 14.25h for ELTS (out of my 20 max; all done). We had a Birds of a Feather videoconf session at DebConf20, sadly with varying quality for participants (from very good to unusable), where we shared the first results of the LTS survey. There were also discussions about evaluating our security reactivity, which proved surprisingly hard to estimate (neither CVE release date and criticality metrics are accurate nor easily available), and about when it is appropriate to use public naming in procedures. Interestingly ELTS gained new supported packages, thanks to a new sponsor -- so far I'd seen the opposite, because we were close to the EOL. As always, there were opportunities to de-dup work through mutual cooperation with the Debian Security team, and LTS/ELTS similar updates. ELTS - Jessie

• Fresh build VMs
• rails/redmine: investigate issue, initially no-action as it can't be reproduced on Stretch and isn't supported in Jessie; follow-up when it's supported again
• ghostscript: global triage: identify upstream fixed version, distinguish CVEs fixed within a single patch, bisect non-reproducible CVEs, reference missing commit (including at MITRE)
• ghostscript: fix 25 CVEs, security upload ELA-262-1
• ghostscript: cross-check against the later DSA-4748-1 (almost identical)
• software-properties: jessie triage: mark back for update, at least for consistency with Debian Stretch and Ubuntu (all suites)
• software-properties: security upload ELA-266-1
• qemu: global triage: update status and patch/regression/reproducer links for 6 pending CVEs
• qemu: jessie triage: fix 4 'unknown' lines for qemu following changes in package attribution for XSA-297, work continue in September

LTS - Stretch

• sane-backends: global triage: sort and link patches for 7 CVEs
• sane-backends: fix dep-8 test and notify the maintainer,
• sane-backends: security upload DLA-2332-1
• ghostscript: security upload DLA 2335-1 (cf. common ELTS work)
• ghostscript: rebuild ("give back") on armhf, blame armhf, get told it was a concurrency / build system issue -_-'
• software-properties: security upload DLA 2339-1 (cf. common ELTS work)
• wordpress: global triage: reference regression for CVE-2020-4050
• wordpress: stretch triage: update past CVE status, work continues in September with probably an upstream upgrade 4.7.5 -> 4.7.18
• nginx: cross-check my July update against the later DSA-4750-1 (same fix)
• DebConf BoF + IRC follow-up

Documentation/Scripts

• Clarify/link salsa:lts-team/lts-extra-tasks against salsa:freexian-team/project-funding (description)
• Historical analysis of our CVE fixes: check feasibility
• webwml:find-missing-advisories: handle missing trailing slash, print DSA/DLA date, print affected package rather than committer
• discussion on public naming (shaming?)
• LTS/TestsSuites/sane-backends: test with more complex DEP-8/autopkgtest setup

Like each month, albeit a bit later due to vacation, here comes a report about the work of paid contributors to Debian LTS. Individual reports In July, 249.25 work hours have been dispatched among 14 paid contributors. Their reports are available:

• Abhijith PA did 18.0h (out of 14h assigned and 6h from June), and gave back 2h to the pool.
• Adrian Bunk did 16.0h (out of 25.25h assigned), thus carrying over 9.25h to August.
• Ben Hutchings did 5h (out of 20h assigned), and gave back the remaining 15h.
• Brian May did 10h (out of 10h assigned).
• Chris Lamb did 18h (out of 18h assigned).
• Emilio Pozuelo Monfort did 60h (out of 5.75h assigned and 54.25h from June).
• Holger Levsen spent 10h (out of 10h assigned) for managing LTS and ELTS contributors.
• Markus Koschany did 15h (out of 25.25h assigned), thus carrying over 10.25h to August.
• Mike Gabriel did nothing (out of 8h assigned), thus is carrying over 8h for August.
• Ola Lundqvist did 3h (out of 12h assigned and 7h from June), thus carrying over 16h to August.
• Roberto C. S nchez did 26.5h (out of 25.25h assigned and 1.25h from June).
• Sylvain Beucler did 25.25h (out of 25.25h assigned).
• Thorsten Alteholz did 25.25h (out of 25.25h assigned).
• Utkarsh Gupta did 25.25h (out of 25.25h assigned).

Evolution of the situation July was our first month of Stretch LTS! Given this is our fourth LTS release we anticipated a smooth transition and it seems everything indeed went very well. Many thanks to the members of the Debian ftpmaster-, security, release- and publicity- teams who helped us make this happen!
Stretch LTS begun on July 18th 2020 after the 13th and final Stretch point release. and is currently scheduled to end on June 30th 2022. Last month, we asked you to participate in a survey and we got 1764 submissions, which is pretty awesome. Thank you very much for participating!. Right now we are still busy crunching the results, but we already shared some early analysis during the Debconf LTS bof this week. The security tracker currently lists 54 packages with a known CVE and the dla-needed.txt file has 52 packages needing an update. Thanks to our sponsors New sponsors are in bold.

• Platinum sponsors:
• TOSHIBA (for 59 months)
• GitHub (for 50 months)
• Civil Infrastructure Platform (CIP) (for 27 months)
• Gold sponsors:
• Blablacar (for 74 months)
• Roche Diagnostics International AG (for 70 months)
• Linode (for 64 months)
• Babiel GmbH (for 53 months)
• Plat Home (for 53 months)
• University of Oxford (for 9 months)
• Silver sponsors:
• The Positive Internet Company (for 75 months)
• Domeneshop AS (for 74 months)
• Nantes M tropole (for 68 months)
• Univention GmbH (for 60 months)
• Universit Jean Monnet de St Etienne (for 60 months)
• Ribbon Communications, Inc. (for 54 months)
• Exonet B.V. (for 44 months)
• Leibniz Rechenzentrum (for 38 months)
• CINECA (for 27 months)
• Minist re de l Europe et des Affaires trang res (for 21 months)
• Cloudways Ltd (for 11 months)
• Dinahosting SL (for 9 months)
• Bauer Xcel Media Deutschland KG (for 3 months)
• Platform.sh (for 3 months)
• Bronze sponsors:
• Evolix (for 75 months)
• Seznam.cz, a.s. (for 75 months)
• Linuxhotel GmbH (for 72 months)
• Intevation GmbH (for 71 months)
• Daevel SARL (for 70 months)
• Bitfolk LTD (for 69 months)
• Megaspace Internet Services GmbH (for 69 months)
• Greenbone Networks GmbH (for 68 months)
• NUMLOG (for 68 months)
• WinGo AG (for 68 months)
• Ecole Centrale de Nantes LHEEA (for 64 months)
• Entr ouvert (for 59 months)
• Adfinis AG (for 56 months)
• GNI MEDIA (for 51 months)
• Laboratoire LEGI UMR 5519 / CNRS (for 51 months)
• Tesorion (for 51 months)
• Bearstech (for 42 months)
• LiHAS (for 42 months)
• People Doc (for 39 months)
• Catalyst IT Ltd (for 37 months)
• Supagro (for 32 months)
• Demarcq SAS (for 31 months)
• Universit Grenoble Alpes (for 17 months)
• TouchWeb SAS (for 9 months)
• SPiN AG (for 6 months)
• CoreFiling

No comment Liked this article? Click here. My blog is Flattr-enabled.

The system running planet.gnu.org was upgraded/reinstalled to Debian 10 "buster"
Documentation was updated. Let me know if you notice any issue - planet@gnu.org. For the next upgrade, we'll have to decide whether to takeover Planet Venus and upgrade it to Python 3, or migrate to another Planet software.
Suggestions/help welcome

Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor. In July, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 25.25h for LTS (out of 30 max; all done) and 13.25h for ELTS (out of 20 max; all done). We shifted suites: welcome Stretch LTS and Jessie ELTS. The LTS->ELTS switch happened at the start of the month, but the oldstable->LTS switch happened later (after finalizing and flushing proposed-updates to a last point release), causing some confusion but nothing major. ELTS - Jessie

• New local build setup
• ELTS buildds: request timezone harmonization
• Reclassify in-progress updates from jessie-LTS to jessie-ELTS
• python3.4: finish preparing update, security upload ELA 239-1
• net-snmp: global triage: bisect CVE-2019-20892 to identify affected version, jessie/stretch not-affected
• nginx: global triage: clarify CVE-2013-0337 status; locate CVE-2020-11724 original patch and regression tests, update MITRE
• nginx: security upload ELA-247-1 with 2 CVEs

LTS - Stretch

• Reclassify in-progress/needed updates from stretch/oldstable to stretch-LTS
• rails: upstream security: follow-up on CVE-2020-8163 (RCE) on upstream bug tracker and create pull request for 4.x (merged), hence getting some upstream review
• rails: global security: continue coordinating upload in multiple Debian versions, prepare fixes for common stretch/buster vulnerabilities in buster
• rails: security upload DLA-2282 fixing 3 CVEs
• python3.5: security upload DLA-2280-1 fixing 13 pending non-critical vulnerabilities, and its test suite
• nginx: security upload DLA-2283 (cf. common ELTS work)
• net-snmp: global triage (cf. common ELTS work)
• public IRC monthly team meeting
• reach out to clarify the intro from last month's report, following unsettled feedback during meeting

Documentation/Scripts

• ELTS/README.how-to-release-an-update: fix typo
• ELTS buildd: attempt to diagnose slow perfs, provide comparison with Debian and local builds
• LTS/Meetings: improve presentation
• SourceOnlyUpload: clarify/de-dup pbuilder doc
• LTS/Development: reference build logs URL, reference proposed-updates issue during dists switch, reference new-upstream-versioning discussion, multiple jessie->stretch fixes and clean-ups
• LTS/Development/Asan: drop wheezy documentation
• Warn about jruby mis-triage
• Provide feedback for ksh/CVE-2019-14868
• Provide feedback for condor update
• LTS/TestsSuites/nginx: test with new request smuggling test cases

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In June, 202.00 work hours have been dispatched among 12 paid contributors. Their reports are available:

• Abhijith PA did 8h (out of 14h assigned), thus carrying over 6h to July.
• Ben Hutchings did 20h (out of 20h assigned).
• Brian May did 10h (out of 10h assigned).
• Chris Lamb did 18h (out of 18h assigned).
• Emilio Pozuelo Monfort did 4h from his backlog of 58.25h from May, thus carrying over 54.25h to July.
• Markus Koschany did 60h (out of 48.25h backlog from May and 11.75h extra hours manually assigned).
• Mike Gabriel did 8h (out of 8h assigned).
• Ola Lundqvist did 12.5h (out of 12h assigned and 7.5h from May), thus carrying over 7h to July.
• Roberto C. S nchez did 28.75h (out of 30h assigned), thus carrying over 1.25h to July.
• Sylvain Beucler did 30h (out of 30h assigned).
• Thorsten Alteholz did 30h (out of 30h assigned).
• Utkarsh Gupta did 30h (out of 30h assigned).

Evolution of the situation June was the last month of Jessie LTS which ended on 2020-06-20. If you still need to run Jessie somewhere, please read the post about keeping Debian 8 Jessie alive for longer than 5 years.
So, as (Jessie) LTS is dead, long live the new LTS, Stretch LTS! Stretch has received its last point release, so regular LTS operations can now continue.
Accompanying this, for the first time, we have prepared a small survey about our users and contributors, who they are and why they are using LTS. Filling out the survey should take less than 10 minutes. We would really appreciate if you could participate in the survey online! On July 27th 2020 we will close the survey, so please don t hesitate and participate now! After that, there will be a followup with the results. The security tracker for Stretch LTS currently lists 29 packages with a known CVE and the dla-needed.txt file has 44 packages needing an update in Stretch LTS. Thanks to our sponsors New sponsors are in bold. We welcome CoreFiling this month!

• Platinum sponsors:
• TOSHIBA (for 58 months)
• GitHub (for 48 months)
• Civil Infrastructure Platform (CIP) (for 26 months)
• Gold sponsors:
• Blablacar (for 73 months)
• Roche Diagnostics International AG (for 69 months)
• Linode (for 63 months)
• Babiel GmbH (for 52 months)
• Plat Home (for 51 months)
• University of Oxford (for 8 months)
• Silver sponsors:
• The Positive Internet Company (for 74 months)
• Domeneshop AS (for 73 months)
• Nantes M tropole (for 67 months)
• Univention GmbH (for 59 months)
• Universit Jean Monnet de St Etienne (for 59 months)
• Ribbon Communications, Inc. (for 53 months)
• Exonet B.V. (for 42 months)
• Leibniz Rechenzentrum (for 36 months)
• CINECA (for 26 months)
• Minist re de l Europe et des Affaires trang res (for 20 months)
• Cloudways Ltd (for 9 months)
• Dinahosting SL (for 7 months)
• Platform.sh
• Bauer Xcel Media Deutschland KG
• Bronze sponsors:
• Seznam.cz, a.s. (for 74 months)
• Evolix (for 73 months)
• Linuxhotel GmbH (for 71 months)
• Intevation GmbH (for 70 months)
• Daevel SARL (for 69 months)
• Bitfolk LTD (for 68 months)
• Megaspace Internet Services GmbH (for 68 months)
• Greenbone Networks GmbH (for 67 months)
• NUMLOG (for 67 months)
• WinGo AG (for 66 months)
• Ecole Centrale de Nantes LHEEA (for 63 months)
• Entr ouvert (for 58 months)
• Adfinis AG (for 55 months)
• Laboratoire LEGI UMR 5519 / CNRS (for 50 months)
• Tesorion (for 50 months)
• GNI MEDIA (for 49 months)
• Bearstech (for 41 months)
• LiHAS (for 41 months)
• People Doc (for 37 months)
• Catalyst IT Ltd (for 36 months)
• Supagro (for 31 months)
• Demarcq SAS (for 29 months)
• Universit Grenoble Alpes (for 16 months)
• TouchWeb SAS (for 8 months)
• SPiN AG (for 4 months)
• CoreFiling

No comment Liked this article? Click here. My blog is Flattr-enabled.

Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor. In June, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 30h for LTS (out of 30 max; all done) and 5.25h for ELTS (out of 20 max; all done). While LTS is part of the Debian project, fellow contributors sometimes surprise me: suggestion to vote for sponsors-funded projects with concorcet was only met with overhead concerns, and there were requests for executive / business owner decisions (we're currently heading towards consultative vote); I heard concerns about discussing non-technical issues publicly (IRC team meetings are public though); the private mail infrastructure was moved from self-hosting straight to Google; when some got an issue with Debian Social for our first video conference, there were immediate suggestions to move to Zoom...
Well, we do need some people to make those LTS firmware updates in non-free Also this was the last month before shifting suites: goodbye to Jessie LTS and Wheezy ELTS, welcome Stretch LTS and Jessie ELTS. ELTS - Wheezy

• mysql-connector-java: improve testsuite setup; prepare wheezy/jessie/stretch triple builds; coordinate versioning scheme with security-team; security upload ELA 234-1
• ntp: wheezy+jessie triage: 1 ignored (too intrusive to backport); 1 postponed (hard to exploit, no patch)
• Clean-up (ditch) wheezy VMs

LTS - Jessie

• mysql-connector-java: see common work in ELTS
• mysql-connector-java: security uploads DLA 2245-1 (LTS) and DSA 4703 (oldstable)
• ntp: wheezy+jessie triage (see ELTS)
• rails: global triage, backport 2 patches, security upload DLA 2251-1
• rails: global security: prepare stretch/oldstable update
• rails: new important CVE on unmaintained 4.x, fixes introduce several regressions, propose new fix to upstream, update stretch proposed update [and jessie, but rails will turn out unsupported in ELTS]
• python3.4: prepare update to fix all pending non-criticial issues, 5/6 ready
• private video^W^Wpublic IRC team meeting

Documentation/Scripts

• LTS/TestsSuites/mysql-connector-java: improve testsuite setup for better coverage
• LTS/TestSuites/tiff: document package maintainer's (extensive) tests
• LTS/TestSuites/rails: first version
• LTS/TestSuites/python: how to run individual test
• LTS/Development: clarifications on grouping fixes and validating patches
• internal discussion on (not) capping LTS-funded hours
• discussion on unbound and freerdp EOL
• tzdata, libdatetime-timezone-perl: check and explain delayed update workflow
• ELTS: update new tracker URL in documentation

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In May, 198 work hours have been dispatched among 14 paid contributors. Their reports are available:

• Abhijith PA did 18.0h (out of 14h assigned and 4h from April).
• Anton Gladky gave back the assigned 10h and declared himself inactive.
• Ben Hutchings did 19.75h (out of 17.25h assigned and 2.5h from April).
• Brian May did 10h (out of 10h assigned).
• Chris Lamb did 17.25h (out of 17.25h assigned).
• Dylan A ssi gave back the assigned 6h and declared himself inactive.
• Emilio Pozuelo Monfort did not manage to work LTS in May and now reported 5h work in April (out of 17.25h assigned plus 46h from April), thus is carrying over 58.25h for June.
• Markus Koschany did 25.0h (out of 17.25h assigned and 56h from April), thus carrying over 48.25h to June.
• Mike Gabriel did 14.50h (out of 8h assigned and 6.5h from April).
• Ola Lundqvist did 11.5h (out of 12h assigned and 7h from April), thus carrying over 7.5h to June.
• Roberto C. S nchez did 17.25h (out of 17.25h assigned).
• Sylvain Beucler did 17.25h (out of 17.25h assigned).
• Thorsten Alteholz did 17.25h (out of 17.25h assigned).
• Utkarsh Gupta did 17.25h (out of 17.25h assigned).

Evolution of the situation In May 2020 we had our second (virtual) contributors meeting on IRC, Logs and minutes are available online. Then we also moved our ToDo from the Debian wiki to the issue tracker on salsa.debian.org.
Sadly three contributors went inactive in May: Adrian Bunk, Anton Gladky and Dylan A ssi. And while there are currently still enough active contributors to shoulder the existing work, we like to use this opportunity that we are always looking for new contributors. Please mail Holger if you are interested.
Finally, we like to remind you for a last time, that the end of Jessie LTS is coming in less than a month!
In case you missed it (or missed to act), please read this post about keeping Debian 8 Jessie alive for longer than 5 years. If you expect to have Debian 8 servers/devices running after June 30th 2020, and would like to have security updates for them, please get in touch with Freexian. The security tracker currently lists 6 packages with a known CVE and the dla-needed.txt file has 30 packages needing an update. Thanks to our sponsors New sponsors are in bold. With the upcoming start of Jessie ELTS, we are welcoming a few new sponsors and others should join soon.

• Platinum sponsors:
• TOSHIBA (for 57 months)
• GitHub (for 47 months)
• Civil Infrastructure Platform (CIP) (for 25 months)
• Gold sponsors:
• Blablacar (for 72 months)
• Roche Diagnostics International AG (for 68 months)
• Linode (for 62 months)
• Babiel GmbH (for 51 months)
• Plat Home (for 50 months)
• University of Oxford (for 7 months)
• Silver sponsors:
• The Positive Internet Company (for 73 months)
• Domeneshop AS (for 72 months)
• Nantes M tropole (for 66 months)
• Univention GmbH (for 58 months)
• Universit Jean Monnet de St Etienne (for 58 months)
• Ribbon Communications, Inc. (for 52 months)
• Exonet B.V. (for 41 months)
• Leibniz Rechenzentrum (for 36 months)
• CINECA (for 25 months)
• Minist re de l Europe et des Affaires trang res (for 19 months)
• Cloudways Ltd (for 8 months)
• Dinahosting SL (for 6 months)
• Platform.sh
• Bauer Xcel Media Deutschland KG
• Bronze sponsors:
• Evolix (for 73 months)
• Seznam.cz, a.s. (for 73 months)
• MyTux (for 72 months)
• Linuxhotel GmbH (for 70 months)
• Intevation GmbH (for 69 months)
• Daevel SARL (for 68 months)
• Bitfolk LTD (for 67 months)
• Megaspace Internet Services GmbH (for 67 months)
• Greenbone Networks GmbH (for 66 months)
• NUMLOG (for 66 months)
• WinGo AG (for 65 months)
• Ecole Centrale de Nantes LHEEA (for 62 months)
• Sig-I/O (for 59 months)
• Entr ouvert (for 57 months)
• Adfinis AG (for 54 months)
• Laboratoire LEGI UMR 5519 / CNRS (for 49 months)
• Tesorion (for 49 months)
• GNI MEDIA (for 48 months)
• Bearstech (for 40 months)
• LiHAS (for 40 months)
• People Doc (for 36 months)
• Catalyst IT Ltd (for 35 months)
• Supagro (for 30 months)
• Demarcq SAS (for 29 months)
• Universit Grenoble Alpes (for 15 months)
• TouchWeb SAS (for 7 months)
• SPiN AG (for 3 months)

No comment Liked this article? Click here. My blog is Flattr-enabled.

Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor. In May, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 17.25h for LTS (out of 30 max; all done) and 9.25h for ELTS (out of 20 max; all done). A survey will be published very shortly to gather feedback from all parties involved in LTS (users, other Debian teams...) -- let us know what you think, so we start the forthcoming new (Stretch) LTS cycle in the best conditions Discussion is progressing on funding & governance of larger LTS-related projects. Who should decide: contributors, Freexian, sponsors? Do we fund with a percentage or by capping resources allocated on security updates? I voiced concerns over funding these at the expense of smaller, more organic, more recurrent tasks that are less easy to specify but greatly contribute to the overall quality nevertheless. ELTS - Wheezy

• mysql-connector-java: upgrade to 5.1.49, refresh patches, document/run test suite, prepare upload, prepare upgrade path (+ see LTS)
• CVE-2020-3810/apt: triage (affected), enquire about failing test, run testsuite, security upload ELA 228-1

LTS - Jessie

• ansible: global triage: finish last month's triage, fix affected versions, provide reproducer
• ansible: backport patches to early version, security upload DLA 2202-1
• mysql-connector-java: propose 5.1.49 update to all dists (+ see ELTS)
• CVE-2019-20637/varnish: global triage: ping upstream, get PoC, determine status for all Debian dists, jessie not-affected
• public IRC team meeting

Documentation/Scripts

• LTS/TestsSuites/mysql-connector-java: first version
• LTS/Development: what to tidy/not-tidy in data/CVE/list after an upload
• LTS/Development: clarify CVE triaging following internal discussion
• Answer request wrt. openstack/keystone support
• dsa-needed.txt: fix stale entry, check on affected LTS developer's well being

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In April, 284.5 work hours have been dispatched among 14 paid contributors. Their reports are available:

• Abhijith PA did 10.0h (out of 14h assigned), thus carrying over 4h to May.
• Adrian Bunk did nothing (out of 28.75h assigned), thus is carrying over 28.75h for May.
• Ben Hutchings did 26h (out of 20h assigned and 8.5h from March), thus carrying over 2.5h to May.
• Brian May did 10h (out of 10h assigned).
• Chris Lamb did 18h (out of 18h assigned).
• Dylan A ssi did 6h (out of 6h assigned).
• Emilio Pozuelo Monfort did not report back about their work so we assume they did nothing (out of 28.75h assigned plus 17.25h from March), thus is carrying over 46h for May.
• Markus Koschany did 11.5h (out of 28.75h assigned and 38.75h from March), thus carrying over 56h to May.
• Mike Gabriel did 1.5h (out of 8h assigned), thus carrying over 6.5h to May.
• Ola Lundqvist did 13.5h (out of 12h assigned and 8.5h from March), thus carrying over 7h to May.
• Roberto C. S nchez did 28.75h (out of 28.75h assigned).
• Sylvain Beucler did 28.75h (out of 28.75h assigned).
• Thorsten Alteholz did 28.75h (out of 28.75h assigned).
• Utkarsh Gupta did 24h (out of 24h assigned).

Evolution of the situation In April we dispatched more hours than ever and another was new too, we had our first (virtual) contributors meeting on IRC! Logs and minutes are available and we plan to continue doing IRC meetings every other month.
Sadly one contributor decided to go inactive in April, Hugo Lefeuvre.
Finally, we like to remind you, that the end of Jessie LTS is coming in less than two months!
In case you missed it (or missed to act), please read this post about keeping Debian 8 Jessie alive for longer than 5 years. If you expect to have Debian 8 servers/devices running after June 30th 2020, and would like to have security updates for them, please get in touch with Freexian. The security tracker currently lists 4 packages with a known CVE and the dla-needed.txt file has 25 packages needing an update. Thanks to our sponsors New sponsors are in bold.

• Platinum sponsors:
• TOSHIBA (for 56 months)
• GitHub (for 46 months)
• Civil Infrastructure Platform (CIP) (for 24 months)
• Gold sponsors:
• Blablacar (for 71 months)
• Roche Diagnostics International AG (for 67 months)
• Linode (for 61 months)
• Babiel GmbH (for 50 months)
• Plat Home (for 49 months)
• University of Oxford (for 6 months)
• Silver sponsors:
• The Positive Internet Company (for 72 months)
• Domeneshop AS (for 71 months)
• Nantes M tropole (for 65 months)
• Univention GmbH (for 57 months)
• Universit Jean Monnet de St Etienne (for 57 months)
• Ribbon Communications, Inc. (for 51 months)
• Exonet B.V. (for 40 months)
• Leibniz Rechenzentrum (for 34 months)
• CINECA (for 24 months)
• Minist re de l Europe et des Affaires trang res (for 18 months)
• Cloudways Ltd (for 7 months)
• Dinahosting SL (for 5 months)
• Bronze sponsors:
• Seznam.cz, a.s. (for 72 months)
• Evolix (for 71 months)
• MyTux (for 71 months)
• Linuxhotel GmbH (for 69 months)
• Intevation GmbH (for 68 months)
• Daevel SARL (for 67 months)
• Bitfolk LTD (for 66 months)
• Megaspace Internet Services GmbH (for 66 months)
• Greenbone Networks GmbH (for 65 months)
• NUMLOG (for 65 months)
• WinGo AG (for 64 months)
• Ecole Centrale de Nantes LHEEA (for 61 months)
• Sig-I/O (for 58 months)
• Entr ouvert (for 56 months)
• Adfinis SyGroup AG (for 53 months)
• Laboratoire LEGI UMR 5519 / CNRS (for 48 months)
• Tesorion (for 48 months)
• GNI MEDIA (for 47 months)
• Bearstech (for 39 months)
• LiHAS (for 39 months)
• People Doc (for 35 months)
• Catalyst IT Ltd (for 33 months)
• Supagro (for 29 months)
• Demarcq SAS (for 27 months)
• Universit Grenoble Alpes (for 14 months)
• TouchWeb SAS (for 6 months)
• SPiN AG

No comment Liked this article? Click here. My blog is Flattr-enabled.

Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor. In April, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 28.75h for LTS (out of 30 max; all done) and 7.75h for ELTS (out of 20 max; I did 2.75). Escalation procedures were (internally) documented with a focus on discussing issues with team coordinator(s) first. Debian LTS had its first team meeting through IRC and lots of workflow question were discussed. This should help discuss questions that are a bit hard to bring up, and ensure everybody participates. There were lots of topics and it was a bit rushed, but this is something we want to repeat monthly now, possibly with audio/video in a couple months. Remarks from last month's report were discussed, strengthening the Front-Desk role. 10% of the global funding is now reserved for infrastructure work. What kind of work, and who (LTS or external) will do the work, will be discussed further. A fellow DD suggested (in a private conversation) that LTS may be taking time from the Debian Security team, due to additional commits to review. Conversely, this is another opportunity to mention all the global, non-LTS-specific work that LTS provides, which I usually highlight in my reports, and maybe I should be even more ELTS - Wheezy

• CVE-2020-11612/netty: triage: ignored (deceptively hard to backport, OOM mitigation only)
• mysql-connector-java: triage: in-progress (subscription-only update from Oracle, attempt to find more detail, waiting for public version)
• CVE-2020-11868/ntp: global triage: identify and reference missing patch, coordinate with uploader

LTS - Jessie

• netty, mysql-connector-java, ntp: common triage (see above)
• CVE-2019-20637/varnish: global triage: attempt to reproduce, attempt to get PoC/vulnerable versions from upstream, update BTS
• ansible: jessie triage: reset ignore->no-dsa old vulnerabilites after discussing with initial triager
• ansible: global triage: identify more affected version ranges, locate more patches
• ansible: prepare jessie upload (work-in-progress)
• tiff: suites harmonization: offer to work on a tiff/stretch update, follow-up on maintainer's questions, who eventually did the update
• dsa-needed.txt: identify stale entries from inactive LTS contributor, check for status
• team meeting: see minutes

Documentation/Scripts

• LTS/Development: reference relevant sections of the Developer Reference
• LTS/Development: element on whether BTS numbers can be referenced in a LTS changelog

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In March, 252 work hours have been dispatched among 14 paid contributors. Their reports are available:

• Abhijith PA did 16.0h (out of 14h assigned and 2h from February).
• Ben Hutchings did 12.25h (out of 20h assigned and 0.75h from February), thus carrying over 8.5h to April.
• Brian May did 10h (out of 10h assigned).
• Chris Lamb did 18h (out of 18h assigned).
• Dylan A ssi did 6h (out of 6h assigned).
• Emilio Pozuelo Monfort did 19.5h (out of 30h assigned and 6.75h from February), thus carrying over 17.25h to April.
• Hugo Lefeuvre gave back the 12h he got assigned.
• Markus Koschany did 10h (out of 30h assigned and 18.75h from February), thus carrying over 38.75h to April.
• Mike Gabriel did 10.25h (out of 8h assigned and 2.25h from February).
• Ola Lundqvist did 6h (out of 12h assigned and 2.5h from February), thus carrying over 8.5h to April.
• Roberto C. S nchez did 6.25h (out of 8h assigned), and gave back the remaining 1.75h.
• Sylvain Beucler did 30h (out of 30h assigned).
• Thorsten Alteholz did 30h (out of 30h assigned).
• Utkarsh Gupta did 24h (out of 24h assigned).

Evolution of the situation March was a strange month for many people all over the globe. Here we ll just express our hopes that you are and will be well! LTS gained a new contributor in March, Anton Gladky, however he then decided to become active later this year. Similarly Hugo Lefeuvre notified us that he ll be inactive in April. In case you missed it (or missed to act), please read this post about keeping Debian 8 Jessie alive for longer than 5 years. If you expect to have Debian 8 servers/devices running after June 30th 2020, and would like to have security updates for them, please get in touch with Freexian. Hurry up: the end of Jessie LTS is coming in less than three months! The security tracker currently lists 25 packages with a known CVE and the dla-needed.txt file has 23 packages needing an update. Thanks to our sponsors New sponsors are in bold.

• Platinum sponsors:
• TOSHIBA (for 55 months)
• GitHub (for 45 months)
• Civil Infrastructure Platform (CIP) (for 22 months)
• Gold sponsors:
• Blablacar (for 70 months)
• Roche Diagnostics International AG (for 65 months)
• Linode (for 59 months)
• Babiel GmbH (for 49 months)
• Plat Home (for 48 months)
• University of Oxford (for 4 months)
• Silver sponsors:
• The Positive Internet Company (for 71 months)
• Domeneshop AS (for 70 months)
• Nantes M tropole (for 64 months)
• Univention GmbH (for 56 months)
• Universit Jean Monnet de St Etienne (for 56 months)
• Ribbon Communications, Inc. (for 49 months)
• Exonet B.V. (for 39 months)
• Leibniz Rechenzentrum (for 33 months)
• CINECA (for 23 months)
• Minist re de l Europe et des Affaires trang res (for 17 months)
• Cloudways Ltd (for 6 months)
• Dinahosting SL (for 4 months)
• Bronze sponsors:
• Seznam.cz, a.s. (for 71 months)
• Evolix (for 70 months)
• MyTux (for 70 months)
• Intevation GmbH (for 67 months)
• Linuxhotel GmbH (for 67 months)
• Daevel SARL (for 66 months)
• Bitfolk LTD (for 65 months)
• Megaspace Internet Services GmbH (for 65 months)
• Greenbone Networks GmbH (for 64 months)
• NUMLOG (for 64 months)
• WinGo AG (for 63 months)
• Ecole Centrale de Nantes LHEEA (for 59 months)
• Sig-I/O (for 57 months)
• Entr ouvert (for 54 months)
• Adfinis SyGroup AG (for 52 months)
• GNI MEDIA (for 46 months)
• Laboratoire LEGI UMR 5519 / CNRS (for 46 months)
• Tesorion (for 46 months)
• Bearstech (for 38 months)
• LiHAS (for 38 months)
• People Doc (for 34 months)
• Catalyst IT Ltd (for 32 months)
• Supagro (for 28 months)
• Demarcq SAS (for 26 months)
• TrapX Security (for 23 months)
• Universit Grenoble Alpes (for 12 months)
• TouchWeb SAS (for 4 months)
• SPiN AG

No comment Liked this article? Click here. My blog is Flattr-enabled.

Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor. In March, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 30h for LTS (out of 30 max; all done) and 20h for ELTS (out of 20 max; I did 0). Most contributors claimed vulnerabilities by performing early CVE monitoring/triaging on their own, making me question the relevance of the Front-Desk role. It could be due to a transient combination of higher hours volume and lower open vulnerabilities. Working as a collective of hourly paid freelancers makes it more likely to work in silos, resulting in little interaction when raising workflow topics on the mailing list. Maybe we're reaching a point where regular team meetings will be benefical. As previously mentioned, I structure my work keeping the global Debian security in mind. It can be stressful though, and I believe current communication practices may deter such initiatives. ELTS - Wheezy

• No work. ELTS has few sponsors right now and few vulnerabilities to fix, hence why I could not work on it this month. I gave back my hours at the end of the month.

LTS - Jessie

• lua-cgi: global triage: CVE-2014-10399,CVE-2014-10400/lua-cgi not-affected, CVE-2014-2875/lua-cgi referenced in BTS
• libpcap: global triage: request CVE-2018-16301 rejection as upstream failed to; got MITRE to reject (not "dispute") a CVE for the first time!
• nfs-utils: suites harmonization: CVE-2019-3689: ping upstream again, locate upstream'd commit, reference it at BTS and MITRE; close MR which had been ignored and now redone following said referencing
• slurm-llnl: re-add; create CVE-2019-12838 reproducer, test abhijith's pending upload; reference patches; witness regression in CVE-2019-19728, get denied access to upstream bug, triage as ignored (minor issue + regression); security upload DLA 2143-1
• xerces-c: global triage progress: investigate ABI-(in)compatibility of hle's patch direction; initiate discussion at upstream and RedHat; mark postponed
• nethack: jessie triage fix: mark end-of-life
• tor: global triage fix: CVE-2020-10592,CVE-2020-10593: fix upstream BTS links, fix DSA reference
• php7.3: embedded copies: removed from unstable (replaced with php7.4); checked whether libonig is still bundled (no, now properly unbundled at upstream level); jessie still not-affected
• okular: CVE-2020-9359: reference PoC, security upload DLA 2159-1

Documentation/Scripts

• data/dla-needed.txt: tidy/refresh pending packages status
• LTS/Development: DLA regression numbering when a past DLA affects a different package
• LTS/FAQ: document past LTS releases archive location following a user request; trickier than expected, 3 contributors required to find the answer
• Question aggressive package claims; little feedback
• embedded-copies: libvncserver: reference various state of embedded copies in italc/ssvnc/tightvnc/veyon/vncsnapshot; builds on initial research from sunweaver
• Attempt to progress on libvncserver embedded copies triaging; technical topic not anwered, organizational topic ignored
• phppgadmin: provide feedback on CVE-2019-10784
• Answer general workflow question about vulnerability severity
• Answer GPAC CVE information request from a PhD student at CEA, following my large security update

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In February, 226 work hours have been dispatched among 14 paid contributors. Their reports are available:

• Abhijith PA gave back 12 out of his assigned 14h, thus he is carrying over 2h for March.
• Ben Hutchings did 19.25h (out of 20h assigned), thus carrying over 0.75h to March.
• Brian May did 10h (out of 10h assigned).
• Chris Lamb did 18h (out of 18h assigned).
• Dylan A ssi did 5.5h (out of 4h assigned and 1.5h from January).
• Emilio Pozuelo Monfort did 29h (out of 20h assigned and 15.75h from January), thus carrying over 6.75h to March.
• Hugo Lefeuvre gave back the 12h he got assigned.
• Markus Koschany did 10h (out of 20h assigned and 8.75h from January), thus carrying over 18.75h to March.
• Mike Gabriel did 5.75h (out of 20h assigned) and gave 12h back to the pool, thus he is carrying over 2.25h to March.
• Ola Lundqvist did 10h (out of 8h assigned and 4.5h from January), thus carrying over 2.5h to March.
• Roberto C. S nchez did 20.25h (out of 20h assigned and 13h from January) and gave back 12.75h to the pool.
• Sylvain Beucler did 20h (out of 20h assigned).
• Thorsten Alteholz did 20h (out of 20h assigned).
• Utkarsh Gupta did 20h (out of 20h assigned).

Evolution of the situation February began as rather calm month and the fact that more contributors have given back unused hours is an indicator of this calmness and also an indicator that contributing to LTS has become more of a routine now, which is good. In the second half of February Holger Levsen (from LTS) and Salvatore Bonaccorso (from the Debian Security Team) met at SnowCamp in Italy and discussed tensions and possible improvements from and for Debian LTS. The security tracker currently lists 25 packages with a known CVE and the dla-needed.txt file has 21 packages needing an update. Thanks to our sponsors New sponsors are in bold.

• Platinum sponsors:
• TOSHIBA (for 54 months)
• GitHub (for 44 months)
• Civil Infrastructure Platform (CIP) (for 22 months)
• Gold sponsors:
• Blablacar (for 69 months)
• Roche Diagnostics International AG (for 65 months)
• Linode (for 59 months)
• Babiel GmbH (for 48 months)
• Plat Home (for 47 months)
• University of Oxford (for 4 months)
• Silver sponsors:
• The Positive Internet Company (for 70 months)
• Domeneshop AS (for 69 months)
• Nantes M tropole (for 63 months)
• Univention GmbH (for 55 months)
• Universit Jean Monnet de St Etienne (for 55 months)
• Ribbon Communications, Inc. (for 49 months)
• Exonet B.V. (for 38 months)
• Leibniz Rechenzentrum (for 32 months)
• CINECA (for 22 months)
• Minist re de l Europe et des Affaires trang res (for 16 months)
• Cloudways Ltd (for 5 months)
• Dinahosting SL (for 3 months)
• Bronze sponsors:
• Seznam.cz, a.s. (for 70 months)
• Evolix (for 69 months)
• MyTux (for 69 months)
• Linuxhotel GmbH (for 67 months)
• Intevation GmbH (for 66 months)
• Daevel SARL (for 65 months)
• Bitfolk LTD (for 64 months)
• Megaspace Internet Services GmbH (for 64 months)
• Greenbone Networks GmbH (for 63 months)
• NUMLOG (for 63 months)
• WinGo AG (for 62 months)
• Ecole Centrale de Nantes LHEEA (for 59 months)
• Sig-I/O (for 56 months)
• Entr ouvert (for 54 months)
• Adfinis SyGroup AG (for 51 months)
• Laboratoire LEGI UMR 5519 / CNRS (for 46 months)
• Tesorion (for 46 months)
• GNI MEDIA (for 45 months)
• Bearstech (for 37 months)
• LiHAS (for 37 months)
• People Doc (for 33 months)
• Catalyst IT Ltd (for 32 months)
• Supagro (for 27 months)
• Demarcq SAS (for 25 months)
• TrapX Security (for 22 months)
• Universit Grenoble Alpes (for 12 months)
• TouchWeb SAS (for 4 months)
• SPiN AG

No comment Liked this article? Click here. My blog is Flattr-enabled.

Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor. In February, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 20h for LTS (out of 30 max; all done) and 8h for ELTS (out of 20 max; I did 7). Security work is never completely isolated, typically my work on nodejs impacted jessie/stretch/buster, and my work on netty affected wheezy/jessie/stretch ELTS - Wheezy

• netty: refine prior triages, write minimal test server, adapt 3 fixes, security upload: ELA-214
• Suggest redispatching hours from past month not given back in time, as team members only got 3.5h each; follow-up on the issue
• Contribute to exchanges about supporting libgd2 (unsupported dependency of a supported package, an inconsistency we'll try to detect earlier)

LTS - Jessie

• netty: refine prior triages, security upload DLA 2109-1
• netty-3.9: identify duplicate package, fix prior vulnerabilities, security upload DLA 2110-1
• nodejs: jessie/stretch/buster triage (3 CVEs), request access to not-yet-public hackerone reports
• nodejs: clarify support status, reclassify open vulnerabilities on nodejs ecosystem as EOL (end-of-life) for jessie & stretch
• http-parser: mark as affected by nodejs' CVE-2019-15605; jessie triage: ignored (invasive change with ABI breakage)
• wordpress: precise my past triage (2 CVEs): postponed (serialization vulnerabilities related to PHP itself currently not addressed at application/wordpress level)
• otrs2: security upload DLA 2118-1 (interestingly recent otrs2 is in non-free not due to licensing, but due to embedding specific versions of javascript dependencies)
• CVE-2019-10784/phppgadmin: answer request for comment
• xen: point out external support

Documentation/Scripts

• TestSuites/netty: instruction on how to find, compile and adapt server examples
• DLA-1993-1: update Debian website (was only published via mailing-list)
• embedded-code-copies: reference http-parser embedded in nodejs
• README.external-support: clean-up external support contact points

Following last week's .zed format reverse-engineered specification, Lo c Dachary contributed a POC extractor!
It's available at http://www.dachary.org/loic/zed/, it can list non-encrypted metadata without password, and extract files with password (or .pem file).
Leveraging on python-olefile and pycrypto, only 500 lines of code (test cases excluded) are enough to implement it