Antoine Beaupr : My free software activities, October 2016
Debian Long Term Support (LTS)
This is my 7th month working on Debian LTS, started by
Raphael Hertzog at Freexian, after a long pause during the
summer.
I have worked on the following packages and CVEs:
- tre: CVE-2016-8859
- graphicsmagick: CVE-2016-7448, CVE-2016-7996, CVE-2016-7997,
CVE-2016-8682, CVE-2016-8683, CVE-2016-8684
- tar: CVE-2016-6321
I have also helped review work on the following packages:
- imagemagick: reviewed BenH's work to figure out what was
done. unfortunately, I forgot to officially take on the package and
Roberto started working on it in the meantime. I nevertheless took
time to review Roberto's work and outline possible issues
with the original patchset suggested
- tiff: reviewed Raphael's work on the hairy
TIFFTAG_*
issues, all
the gory details in this email
The work on ImageMagick and GraphicsMagick was particularly
intriguing. Looking at the source of those programs makes me wonder
why were are still using them at all: it's a tangled mess of C code
that is bound to bring up more and more vulnerabilities, time after
time. It seems there's always an "Magick" vulnerability waiting to be
fixed out there... I somehow hoped that the fork would bring more
stability and reliability, but it seems they are suffering from
similar issues because, fundamentally, they haven't rewritten
ImageMagick...
It looks this is something that affects all image programs. The review
I have done on the tiff suite give me the same shivering sensation as
reviewing the "Magick" code. It feels like all image libraries are
poorly implemented and then bound to be exploited
somehow... Nevertheless, if I had to use a library of the sort in my
software, I would stay away from the "Magick" forks and try something
like imlib2 first...
Finally, I also did some minor work on the user and developer
LTS documentation and some triage work on samba, xen and libass. I
also looked at the dreaded CVE-2016-7117 vulnerability in the
Linux kernel to verify its impact on wheezy users. I also looked at
implementing a --lts
flag for dch
(see bug #762715).
It was difficult to get back to work after such a long pause, but I am
happy I was able to contribute a significant number of hours. It's a
bit difficult to find work sometimes in LTS-land, even if there's
actually always a lot of work to be done. For example, I used to be
one of the people doing frontdesk work, but those duties are now
assigned until the end of the year, so it's unlikely I will be doing
any of that for the forseable future. Similarly, a lot of packages
were assigned when I started looking at the available packages. There
was an interesting discussion on the internal mailing list regarding
unlocking package ownership, because some people had packages locked
for weeks, sometimes months, without significant activity. Hopefully
that situation will improve after that discussion.
Another interesting discussion I participated in is the question
of whether the LTS team should be waiting for unstable to be fixed
before publishing fixes in oldstable. It seems the consensus right now
is that it shouldn't be mandatory to fix issues in unstable before we
fix security isssues in oldstable and stable. After all, security
support for testing and unstable is limited. But I was happy to learn
that working on brand new patches is part of our mandate as part of
the LTS work. I did work on such a patch for tar which ended up
being adopted by the original reporter, although upstream ended up
implementing our recommendation in a better way.
It's coincidentally the first time since I start working on LTS that I
didn't get the number of requested hours, which means that there are
more people working on LTS. That is a good thing, but I am worried it
may also mean people are more spread out and less capable of focusing
for longer periods of time on more difficult problems. It also means
that the team is growing faster than the funding, which is
unfortunate: now is a good time as any to remind you to see if you can
make your company fund the LTS project if you are still running
Debian wheezy.
Other free software work
It seems like forever that I did such a report, and while I was on
vacation, a lot has happened since the last report.
Monkeysign
I have done extensive work on Monkeysign, trying to bring it kicking
and screaming in the new world of GnuPG 2.1. This was the objective of
the 2.1 release, which collected about two years of work and
patches, including arbitrary MUA support (e.g. Thunderbird), config
files support, and a release on PyPI. I have had to release about 4
more releases to try and fix the build chain, ship the test suite with
the program and have a primitive preferences panel. The
2.2 release also finally features Tor suport!
I am also happy to have moved more documentation to
Read the docs, part of which I mentionned in
in a previous article. The git
repositories and issues were also moved to a Gitlab instance which
will hopefully improve the collaboration workflow, although we still
have issues in streamlining the merge request workflow.
All in all, I am happy to be working on Monkeysign, but it has been a
frustrating experience. In the last years, I have been maintaining the
project largely on my own: although there are about
20 contributors in Monkeysign, I have committed over 90% of the
commits in the code. New contributors recently showed up, and I hope
this will release some pressure on me being the sole maintainer, but I
am not sure how viable the project is.
Funding free software work
More and more, I wonder how to sustain my contributions to free
software. As a previous article has shown,
I work a lot on the computer, even when I am not on a full-time
job. Monkeysign has been a significant time drain in the last months,
and I have done this work on a completely volunteer basis. I wouldn't
mind so much except that there is a lot of work I do on a volunteer
basis. This means that I sometimes must prioritize paid consulting
work, at the expense of those volunteer projects. While most of my
paid work usually revolves around free sofware, the benefits of paid
work are not always immediately obvious, as the primary objective is
to deliver to the customer, and the community as a whole is somewhat
of a side-effect.
I have watched with interest joeyh's adventures into crowdfunding
which seems to be working pretty well for him. Unfortunately, I cannot
claim the incredible (and well-deserved) reputation Joey has, and even
if I could, I can't live with 500$ a month.
I would love to hear if people would be interested in funding my work
in such a way. I am hesitant in launching a crowdfunding campaign
because it is difficult to identify what exactly I am working on
from one month to the next. Looking back at
earlier reports shows that I am all over the place:
one month I'll work on a Perl Wiki (Ikiwiki), the next one I'll be
hacking at a multimedia home cinema (Kodi). I can hardly think of how
to fund those things short of "just give me money to work on anything
I feel like", which I can hardly ask for of anyone. Even worse, it
feels like the audience here is either friends or colleagues. It would
make little sense for me to seek funding from those people: colleagues
have the same funding problems I do, and I don't want to empoverish my
friends...
So far I have taken the approach of trying to get funding for work I
am doing, bit by bit. For example, I have recently been told that
LWN actually pays for contributed articles and have started
running articles by them before publishing them here. This is
looking good: they will publish an article I wrote about the Omnia
router I have recently received. I give them exclusive rights on the
article for two weeks, but I otherwise retain full ownership over the
article and will publish them after the exclusive period here.
Hopefully, I will be able to find more such projects that pays for the
work I do on a day to day basis.
Open Street Map editing
I have ramped up my OpenStreetMap contributions, having
(temporarily) moved to a different location. There are lots of things
to map here: trails, gaz stations and lots of other things are missing
from the map. Sometimes the effort looks a bit ridiculous,
reminding me of my early days of editing OSM. I have registered to
OSM Live, a project to fund OSM editors that, I must admit,
doesn't help much with funding my work: with the hundreds of edits I
did in October, I received the equivalent of 1.80$CAD in
Bitcoins. This may be the lowest hourly salary I have ever received,
probably going at a rate of 10 per hour!
Still, it's interesting to be able to point people to the project if
someone wants to contribute to OSM mappers. But mappers should have no
illusions about getting a decent salary from this effort, I am sorry
to say.
Bounties
I feel this is similar to the "bounty" model used by the Borg project:
I claimed around $80USD in that project for what probably amounts to
tens of hours of work, yet another salary that would qualify as
"poor".
Another example is a feature I would like to implement in Borg:
support for protocols other than SSH. There is currently no bounty
on this, but a similar feature, S3 support has one of the largest
bounties Borg has ever seen: $225USD. And the claimant for the bounty
hasn't actually implemented the feature, instead backing up to S3, the
patch (to a third-party tool) actually enables support for Amazon
Cloud Drive, a completely different API.
Even at $225, I wouldn't be able to complete any of those features and
get a decent salary. As well explained by the Snowdrift reviews,
bounties just don't work at all... The ludicrous 10% fee charged by
Bountysource made sure I would never do business with them ever again
anyways.
Other work
- fixed a bug in python's setuptools_scm that was a blocker for
Monkeysign's use of the package to avoid duplicating version numbers
everywhere...
- tried to figure out how activitypub was going to work with existing
social networking software (TL;DR: it won't)
- improved the sicherboot README so that others that come after me
will better understand how that secure boot system works
- more charybdis IRCd work: SIGABRT on jessie and
another segfault, still more issues pending here, even
- arbitrary source URL support for the Sphinx Alabaster theme
- a bunch of issues on unattended-upgrades:
raspbian configuration fails and point releases upgrades
There are probably more things I did recently, but I am having
difficulty keeping track of the last 5 months of on and off work, so
you will forgive that I am not as exhaustive as I usually am.
TIFFTAG_*
issues, all
the gory details in this email