Debian LTS August marked the sixteenth month I contributed to Debian LTS under the Freexian umbrella. I spent 9 hours (of allocated 8) mostly on Rails related CVEs which resulted in DLA-603-1 and DLA-604-1 fixing 6 CVEs and marking others as not affecting the packages. The hardest part was proper testing since the split packages in Wheezy don't allow to run the upstream test suite as is. There's still CVE-2016-0753 which I need to check if it affects activerecord or activesupport. Additionally I had one relatively quiet week of LTS frontdesk work triaging 10 CVEs. Other Debian stuff

• I uploaded git-buildpackage 0.8.2 to experimental and 0.8.3 to unstable. The later bringing all the enhanements and bugfixes since Debconf 16 to sid and testing.
• The usual bunch of libvirt related uploads

Debian LTS August marked the sixteenth month I contributed to Debian LTS under the Freexian umbrella. I spent 9 hours (of allocated 8) mostly on Rails related CVEs which resulted in DLA-603-1 and DLA-604-1 fixing 6 CVEs and marking others as not affecting the packages. The hardest part was proper testing since the split packages in Wheezy don't allow to run the upstream test suite as is. There's still CVE-2016-0753 which I need to check if it affects activerecord or activesupport. Additionally I had one relatively quiet week of LTS frontdesk work triaging 10 CVEs. Other Debian stuff

• I uploaded git-buildpackage 0.8.2 to experimental and 0.8.3 to unstable. The later bringing all the enhanements and bugfixes since Debconf 16 to sid and testing.
• The usual bunch of libvirt related uploads

Gathering from some recent discussions it seems to be not that well known that Foreman (a lifecycle tool for your virtual machines) does not only integrate well with Puppet but also with ansible. This is a list of tools I find useful in this regard:

• The ansible-module-foreman ansible module allows you to setup all kinds of resources like images, compute resources, hostgroups, subnets, domains within Foreman itself via ansible using Foreman's REST API. E.g. creating a hostgroup looks like:

  - foreman_hostgroup:
      name: AHostGroup
      architecture: x86_64
      domain: a.domain.example.com
      foreman_host: "  foreman_host  "
      foreman_user: "  foreman_user  "
      foreman_pass: "  foreman_pw  "
  

• The foreman_ansible plugin for Foreman allows you to collect reports and facts from ansible provisioned hosts. This requires an additional hook in your ansible config like:

  [defaults]
  callback_plugins = path/to/foreman_ansible/extras/
  

  The hook will report to Foreman back after a playbook finished.
• There are several options for creating hosts in Foreman via the ansible API. I'm currently using ansible_foreman_module tailored for image based installs. This looks in a playbook like:

  - name: Build 10 hosts
    foremanhost:
      name: "  item  "
      hostgroup: "a/host/group"
      compute_resource: "hopefully_not_esx"
      subnet: "webservernet"
      environment: "  env default(omit)  "
      ipv4addr:   from_ipam default(omit)  "
      # Additional params to tag on the host
      params:
          app: varnish
          tier: web
          color: green
      api_user: "  foreman_user  "
      api_password: "  foreman_pw  "
      api_url: "  foreman_url  "
    with_sequence:  start=1 end=10 format="newhost%02d"
  

• The foreman_ansible_inventory is a dynamic inventory script for ansible that fetches all your hosts and groups via the Foreman REST APIs. It automatically groups hosts in ansible from Foreman's hostgroups, environments, organizations and locations and allows you to build additional groups based on any available host parameter (and combinations thereof). So using the above example and this configuration:

  [ansible]
  group_patterns = [" app - tier ",
                    " color "]
  

  it would build the additional ansible groups varnish-web, green and put the above hosts into them. This way you can easily select the hosts for e.g. blue green deployments. You don't have to pass the parameters during host creation, if you have parameters on e.g. domains or hostgroups these are available too for grouping via group_patterns.
• If you're grouping your hosts via the above inventory script and you use lots of parameters than having these displayed in the detail page can be useful. You can use the foreman_params_tab plugin for that.

There's also support for triggering ansible runs from within Foreman itself but I've not used that so far.

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In July, 136.6 work hours have been dispatched among 11 paid contributors. Their reports are available:

• Antoine Beaupr has been allocated 4 hours again but in the end he put back his 8 pending hours in the pool for the next months.
• Balint Reczey did 18 hours (out of 7 hours allocated + 2 remaining, thus keeping 2 extra hours for August).
• Ben Hutchings did 15 hours (out of 14.7 hours allocated + 1 remaining, keeping 0.7 extra hour for August).
• Brian May did 14.7 hours.
• Chris Lamb did 14 hours (out of 14.7 hours, thus keeping 0.7 hours for next month).
• Emilio Pozuelo Monfort did 13 hours (out of 14.7 hours allocated, thus keeping 1.7 hours extra hours for August).
• Guido G nther did 8 hours.
• Markus Koschany did 14.7 hours.
• Ola Lundqvist did 14 hours (out of 14.7 hours assigned, thus keeping 0.7 extra hours for August).
• Santiago Ruano Rinc n did 14 hours (out of 14.7h allocated + 11.25 remaining, the 11.95 extra hours will be put back in the global pool as Santiago is stepping down).
• Thorsten Alteholz did 14.7 hours.

Evolution of the situation The number of sponsored hours jumped to 159 hours per month thanks to GitHub joining as our second platinum sponsor (funding 3 days of work per month)! Our funding goal is getting closer but it s not there yet. The security tracker currently lists 22 packages with a known CVE and the dla-needed.txt file likewise. That s a sharp decline compared to last month. Thanks to our sponsors New sponsors are in bold.

• Platinum sponsors:
• TOSHIBA (for 10 months)
• GitHub
• Gold sponsors:
• The Positive Internet (for 26 months)
• Blablacar (for 25 months)
• Linode LLC (for 15 months)
• Babiel GmbH (for 4 months)
• Plat Home (for 4 months)
• Silver sponsors:
• Domeneshop AS (for 25 months)
• Universit Lille 3 (for 25 months)
• Trollweb Solutions (for 23 months)
• Nantes M tropole (for 19 months)
• University of Luxembourg (for 17 months)
• Dalenys (for 16 months)
• Univention GmbH (for 11 months)
• Universit Jean Monnet de St Etienne (for 11 months)
• Sonus Networks (for 5 months)
• Bronze sponsors:
• David Ayers IntarS Austria (for 26 months)
• Evolix (for 26 months)
• Offensive Security (for 26 months)
• Seznam.cz, a.s. (for 26 months)
• Freeside Internet Service (for 25 months)
• MyTux (for 25 months)
• Linuxhotel GmbH (for 23 months)
• Intevation GmbH (for 22 months)
• Daevel SARL (for 21 months)
• Bitfolk LTD (for 20 months)
• Megaspace Internet Services GmbH (for 20 months)
• Greenbone Networks GmbH (for 19 months)
• NUMLOG (for 19 months)
• WinGo AG (for 18 months)
• Ecole Centrale de Nantes LHEEA (for 15 months)
• Sig-I/O (for 12 months)
• Entr ouvert (for 10 months)
• Adfinis SyGroup AG (for 7 months)
• Laboratoire LEGI UMR 5519 / CNRS
• Quarantainenet BV
• GNI MEDIA

2 comments Liked this article? Click here. My blog is Flattr-enabled.

Debian LTS July marked the fifteenth month I contributed to Debian LTS under the Freexian umbrella. As usual I spent the 8 hours working on these LTS things:

• Updated QEMU and QEMU-KVM packages to fix CVE-2016-5403, CVE-2016-4439, CVE-2016-4020, CVE-2016-2857 and CVE-2015-5239 resulting in DLA-573-1 and DLA-574-1
• Updated icedove to 45.2.0 fixing CVE-2016-2818 resulting in DLA-574-1
• Reviewed and uploaded xen 4.1.6.lts1-1. The update itself was prepared by Bastian Blank.
• The little bit of remaining time I spent on further work the ruby-active model,record -3.2 and ruby-actionpack-3.2 (aka rails) CVEs. Although I have fixes for most of the CVEs already there are still some left where I'm not yet clear if the packages are affected.
• Added some trivial autopkgtest for qemu-img (#832982) (on non LTS time)

Other Debian stuff

• Fixed CVE-2016-5008 by uploading libvirt 2.0.0 to sid and 1.2.9-9+deb8u3 to stable-p-u
• Uploaded libvirt 2.1.0~rc1 to experimental
• Uploaded libvirt-python 2.0.0 to sid
• Uploaded libosinfo 0.3.1 to sid preparing for the upcoming upstream package split
• Uploaded virt-manager 1.4.0 to sid
• Uploaded network-manager-iodine 1.2.0 to sid
• Uploaded cups-pk-helper 0.2.6 to sid
• Triaged apparmor related bugs in libvirt most notably the one affecting hotplugging of disks (#805002) which turned out to be rooted in the kernel not reloading profiles properly.
• Uploaded git-buildpackage 0.8.0, 0.8.1 to experimental adding additional tarball support to gbp import-orig among other things

DebConf 16 in Capetown/South Africa was fantastic for many reasons. My Capetown/South Africa/Culture/Flight related lessons:

• Avoid flying on Sundays (especially in/from Austria where plenty of hotlines are closed on Sundays or at least not open when you need them)
• Actually turn back your seat on the flight when trying to sleep and not forget that this option exists *cough*
• While UCT claims to take energy saving quite serious (e.g. turn off the lights mentioned at many places around the campus), several toilets flush all their water, even when trying to do just small business and also two big lights in front of a main building seem to be shining all day long for no apparent reason
• There doesn t seem to be a standard for the side of hot vs. cold water-taps
• Soap pieces and towels on several toilets
• For pedestrians there s just a very short time of green at the traffic lights (~2-3 seconds), then red blinking lights show that you can continue walking across the street (but *should* not start walking) until it s fully red again (but not many people seem to care about the rules anyway :))
• Warning lights of cars are used for saying thanks (compared to hand waving in e.g. Austria)
• The 40km/h speed limit signs on the roads seem to be showing the recommended minimum speed :-)
• There are many speed bumps on the roads
• Geese quacking past 11:00 p.m. close to a sleeping room are something I m also not used to :-)
• Announced downtimes for the Internet connection are something I m not used to
• WLAN in the dorms of UCT as well as in any other place I went to at UCT worked excellent (measured ~22-26 Mbs downstream in my room, around 26Mbs in the hacklab) (kudos!)
• WLAN is available even on top of the Table Mountain (WLAN working and being free without any registration)
• Number26 credit card is great to withdraw money from ATMs without any extra fees from common credit card companies (except for the fee the ATM itself charges but displays ahead on-site anyway)
• Splitwise is a nice way to share expenses on the road, especially with its mobile app and the money beaming using the Number26 mobile app

My technical lessons from DebConf16:

• ran into way too many yak-shaving situations, some of them might warrant separate blog posts
• finally got my hands on gbp-pq (manage quilt patches on patch queue branches in git): very nice to be able to work with plain git and then get patches for your changes, also having upstream patches (like cherry-picks) inside debian/patches/ and the debian specific changes inside debian/patches/debian/ is a lovely idea, this can be easily achieved via Gbp-Pq: Topic debian with gbp s pq and is used e.g. in pkg-systemd, thanks to Michael Biebl for the hint and helping hand
• David Bremner s gitpkg/git-debcherry is something to also be aware of (thanks for the reminder, gregoa)
• autorevision: extracts revision metadata from your VCS repository (thanks to pabs)
• blhc: build log hardening check
• Guido s gbp skills exchange session reminded me once again that I should use gbp import-dsc download $URL_TO_DSC more often
• sources.debian.net features specific copyright + patches sections (thanks, Matthieu Caneill)
• dpkg-mergechangelogs(1) for 3-way merge of debian/changelog files (thanks, buxy)
• meta-git from pkg-perl is always worth a closer look
• ifupdown2 (its current version is also available in jessie-backports!) has some nice features, like ifquery running $interface to get the life configuration of a network interface, json support ( ifquery format=json ) and makotemplates support to generate configuration for plenty of interfaces

BTW, thanks to the video team the recordings from the sessions are available online.

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In June, 158.25 work hours have been dispatched among 11 paid contributors. Their reports are available:

• Antoine Beaupr has been allocated 4 hours but did not publish his report yet.
• Balint Reczey did 3 hours (out of 16 hours allocated, thus keeping 13 extra hours for July).
• Ben Hutchings did 19 hours (out of 15 hours allocated + 5 remaining, keeping 1 extra hour for July).
• Brian May did 15 hours.
• Chris Lamb did 18 hours.
• Emilio Pozuelo Monfort did 16 hours.
• Guido G nther did 8 hours.
• Markus Koschany did 19.75 hours (out of 18.75 hours allocated + 1 remaining).
• Ola Lundqvist did 10 hours.
• Santiago Ruano Rinc n did 15.5 hours (out of 18.75h allocated + 8 remaining, thus keeping 11.25 extra hours for July).
• Thorsten Alteholz did 18.75 hours.

DebConf 16 Presentation If you want to know more about how the LTS project is organized, you can watch the presentation I gave during DebConf 16 in Cape Town. Evolution of the situation The number of sponsored hours increased a little bit at 135 hours per month thanks to 3 new sponsors (Laboratoire LEGI UMR 5519 / CNRS, Quarantainenet BV, GNI MEDIA). Our funding goal is getting closer but it s not there yet. The security tracker currently lists 40 packages with a known CVE and the dla-needed.txt file lists 38 packages awaiting an update. Thanks to our sponsors New sponsors are in bold.

• Platinum sponsors:
• TOSHIBA (for 9 months)
• Gold sponsors:
• The Positive Internet (for 25 months)
• Blablacar (for 24 months)
• Linode LLC (for 14 months)
• Babiel GmbH (for 3 months)
• Plat Home
• Silver sponsors:
• Domeneshop AS (for 24 months)
• Universit Lille 3 (for 24 months)
• Trollweb Solutions (for 22 months)
• Nantes M tropole (for 18 months)
• University of Luxembourg (for 16 months)
• Dalenys (for 15 months)
• Univention GmbH (for 10 months)
• Universit Jean Monnet de St Etienne (for 10 months)
• Sonus Networks (for 4 months)
• Bronze sponsors:
• David Ayers IntarS Austria (for 25 months)
• Evolix (for 25 months)
• Offensive Security (for 25 months)
• Seznam.cz, a.s. (for 25 months)
• Freeside Internet Service (for 24 months)
• MyTux (for 24 months)
• Linuxhotel GmbH (for 22 months)
• Intevation GmbH (for 21 months)
• Daevel SARL (for 20 months)
• Bitfolk LTD (for 19 months)
• Megaspace Internet Services GmbH (for 19 months)
• Greenbone Networks GmbH (for 18 months)
• NUMLOG (for 18 months)
• WinGo AG (for 17 months)
• Ecole Centrale de Nantes LHEEA (for 14 months)
• Sig-I/O (for 11 months)
• Entr ouvert (for 9 months)
• Adfinis SyGroup AG (for 6 months)
• Laboratoire LEGI UMR 5519 / CNRS
• Quarantainenet BV
• GNI MEDIA

No comment Liked this article? Click here. My blog is Flattr-enabled.

Debian LTS June marked the fourteenth month I contributed to Debian LTS under the Freexian umbrella. I spent the 8 hours working on these LTS things:

• Reviewed and tested libxml2 2.8.0+dfsg1-7+wheezy6
• Fixed #825508 in mozilla-devscripts to prepare for the Icedove update resulting in DLA-518-1.
• Rebased the proposed Wheezy Icedove update against the Jessie version and uploaded resulting in DLA-519-1.
• Sent out the DLA-521-1 for Iceweasel, the upload was all done by Mike Hommey.
• Rebuilt enigmail with the fixed mozilla-devscripts so it can still be used in Wheezy, resulting in DLA-523-1.
• continue to work on updates for CVE-2016-0753 for ruby-active record,support -3.2 - not yet finished.
• Looked into open qemu-kvm and qemu CVEs marking CVE-2015-8666 as no-dsa and fixing CVE-2016-3710 and CVE-2016-3712 via DLA-540-1 and DLA-539-1.

Other Debian stuff Besides the usual bunch of libvirt* uploads I addressed several bugs in git-buildpackage, upload pending.

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In May, 166 work hours have been dispatched among 9 paid contributors. Their reports are available:

• Antoine Beaupr did 20h.
• Ben Hutchings did 10 hours (out of 15 hours allocated, keeping 5 extra hours for June).
• Brian May did 15 hours.
• Chris Lamb did 18 hours.
• Guido G nther did 17.25 hours (out of 8 hours allocated + 9.25 remaining hours).
• Markus Koschany did 30 hours (out of 31 hours allocated, thus keeping one extra hour for June).
• Santiago Ruano Rinc n did 20 hours (out of 20h allocated + 8 remaining, thus keeping 8 extra hours for June).
• 8 hours that were initially affected to Scott Kitterman have been put back in the June pool after he resigned.
• Thorsten Alteholz did 31 hours.

Evolution of the situation The number of sponsored hours stayed the same over May but will likely increase a little bit the next month as we have two new Bronze sponsors being processed. The security tracker currently lists 36 packages with a known CVE and the dla-needed.txt file lists 36 packages awaiting an update. Despite the higher than usual number of work hours dispatched in May, we still have more open CVE than we used to have at the end of the squeeze LTS period. So more support is always needed Thanks to our sponsors New sponsors are in bold.

• Platinum sponsors:
• TOSHIBA (for 8 months)
• Gold sponsors:
• The Positive Internet (for 24 months)
• Blablacar (for 23 months)
• Linode LLC (for 13 months)
• Babiel GmbH
• Plat Home
• Silver sponsors:
• Domeneshop AS (for 23 months)
• Universit Lille 3 (for 23 months)
• Trollweb Solutions (for 21 months)
• Nantes M tropole (for 17 months)
• University of Luxembourg (for 15 months)
• Dalenys (for 13 months)
• Univention GmbH (for 9 months)
• Universit Jean Monnet de St Etienne (for 9 months)
• Sonus Networks (for 3 months)
• Bronze sponsors:
• David Ayers IntarS Austria (for 24 months)
• Offensive Security (for 24 months)
• Seznam.cz, a.s. (for 24 months)
• Evolix (for 23 months)
• Freeside Internet Service (for 23 months)
• MyTux (for 23 months)
• Linuxhotel GmbH (for 21 months)
• Intevation GmbH (for 20 months)
• Daevel SARL (for 19 months)
• Bitfolk LTD (for 18 months)
• Megaspace Internet Services GmbH (for 18 months)
• Greenbone Networks GmbH (for 17 months)
• NUMLOG (for 17 months)
• WinGo AG (for 16 months)
• Ecole Centrale de Nantes LHEEA (for 13 months)
• Sig-I/O (for 10 months)
• Entr ouvert (for 8 months)
• Adfinis SyGroup AG (for 5 months)

No comment Liked this article? Click here. My blog is Flattr-enabled.

Debian LTS May marked the thirteenth month I contributed to Debian LTS under the Freexian umbrella. I spent the 17.25 hours working on these LTS things:

• Fixed CVE-2014-7210 in pdns resulting in DLA-492-1
• Fixed the build failure of Icedove on armhf resulting in DLA 472-2
• Forward ported our nss, nspr enhancements to to the current versions in testing to continue the discussion on the same nss and nspr versions in all suites including some ABI compliance research (thanks abi-compliance-tester!), resulting in 824872.
• Backported Icedve 45 and Enigmail to wheezy to check if we can continue to support it - we can with a minor tweaks. Upload will happen in June.
• While at that added some autpkgtests for Icedove 45 resulting in 809723 (already applied).
• Released DLA-498-1 for ruby-active-model-3.2 to address CVE-2016-0753.
• Reviewed the Updates of ruby-active-record-3.2 for CVE-2015-7577 and eglibc.

Other Debian stuff

• Uploaded libvirt 1.3.4 to sid, 1.3.5~rc1 to experimental
• Uploaded libosinfo 0.3.0 to sid
• Uploaded git-buildpackage 0.7.4 to sid including experimental multiple tarball support for gbp buildpackage

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In April, 116.75 work hours have been dispatched among 9 paid contributors. Their reports are available:

• Antoine Beaupr did 16h.
• Ben Hutchings did 12.25 hours (out of 15 hours allocated + 5.50 extra hours remaining, he returned the remaining 8.25h to the pool).
• Brian May did 10 hours.
• Chris Lamb did nothing (instead of the 16 hours he was allocated, his hours have been redispatched to other contributors over May).
• Guido G nther did 2 hours (out of 8 hours allocated + 3.25 remaining hours, leaving 9.25 extra hours for May).
• Markus Koschany did 16 hours.
• Santiago Ruano Rinc n did 7.50 hours (out of 12h allocated + 3.50 remaining, thus keeping 8 extra hours for May).
• Scott Kitterman posted a report for 6 hours made in March but did nothing in April. His 18 remaining hours have been returned to the pool. He decided to stop doing LTS work for now.
• Thorsten Alteholz did 15.75 hours.

Many contributors did not use all their allocated hours. This is partly explained by the fact that in April Wheezy was still under the responsibility of the security team and they were not able to drive updates from start to finish. In any case, this means that they have more hours available over May and since the LTS period started, they should hopefully be able to make a good dent in the backlog of security updates. Evolution of the situation The number of sponsored hours reached a new record with 132 hours per month, thanks to two new gold sponsors (Babiel GmbH and Plat Home). Plat Home s sponsorship was aimed to help us maintain Debian 7 Wheezy on armel and armhf (on top of already supported amd64 and i386). Hopefully the trend will continue so that we can reach our objective of funding the equivalent of a full-time position. The security tracker currently lists 45 packages with a known CVE and the dla-needed.txt file lists 44 packages awaiting an update. This is a bit more than the 15-20 open entries that we used to have at the end of the Debian 6 LTS period. Thanks to our sponsors New sponsors are in bold.

• Platinum sponsors:
• TOSHIBA (for 7 months)
• Gold sponsors:
• The Positive Internet (for 23 months)
• Blablacar (for 22 months)
• Linode LLC (for 12 months)
• Babiel GmbH
• Plat Home
• Silver sponsors:
• Domeneshop AS (for 22 months)
• Universit Lille 3 (for 22 months)
• Trollweb Solutions (for 20 months)
• Nantes M tropole (for 16 months)
• University of Luxembourg (for 14 months)
• Dalenys (for 13 months)
• Univention GmbH (for 8 months)
• Universit Jean Monnet de St Etienne (for 8 months)
• Sonus Networks
• Bronze sponsors:
• David Ayers IntarS Austria (for 23 months)
• Evolix (for 23 months)
• Offensive Security (for 23 months)
• Seznam.cz, a.s. (for 23 months)
• Freeside Internet Service (for 22 months)
• MyTux (for 22 months)
• Linuxhotel GmbH (for 20 months)
• Intevation GmbH (for 19 months)
• Daevel SARL (for 18 months)
• Bitfolk LTD (for 17 months)
• Megaspace Internet Services GmbH (for 17 months)
• Greenbone Networks GmbH (for 16 months)
• NUMLOG (for 16 months)
• WinGo AG (for 15 months)
• Ecole Centrale de Nantes LHEEA (for 12 months)
• Sig-I/O (for 9 months)
• Entr ouvert (for 7 months)
• Adfinis SyGroup AG (for 4 months)

No comment Liked this article? Click here. My blog is Flattr-enabled.

Debian LTS April marked the twelfth month I contributed to Debian LTS under the Freexian umbrella. I only spent 2 hours (instead of expected 11,25) working on LTS things:

• Uploaded gtk+3.0 to wheezy-proposed-updates to fix CVE-2013-7447 (#818090).
• Further work on figuring out how to support Xen and QEMU in Wheezy LTS including writing up a summary and a interview with one prospective company
• Prepared a patch for Jessie's nss to fix CVE-2016-1950, CVE-2016-1979, CVE-2016-1978, CVE-2016-1938 based on Antiones work for Wheezy. This is currently pending review by the security team.
• Started to look into CVE-2014-7210 in pdns

The missing hours will be caught up during May - hopefully also by working on a QEMU/libvirt update in Wheezy should there be any interest - so I've you're relying on QEMU/KVM in wheezy now would be a good time to comment on it. Other Debian things

• Attended the 9th Debian Groupware Meeting in the LinuxHotel in Essen resulting in a new upload of calypso to unstable.
• Uploded libvirt and python-libvirt 1.3.3, virt-sandbox 0.5.1+git20151113-3 and virt-manager 1.3.2-3 to unstable and libvirt 1.3.4~rc1 to experimental

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In February, 111.75 work hours have been dispatched among 10 paid contributors. Their reports are available:

• Antoine Beaupr did 8h.
• Ben Hutchings did 12.75 hours (out of 11 hours allocated + 7.25 extra hours remaining, meaning that he still has 5.50 extra hours to do over April).
• Brian May did 10 hours.
• Chris Lamb did 7 hours (instead of the 14.25 hours he was allocated +, compensating the extra hours he did last month).
• Damyan Ivanov did nothing out of the 7.25 remaining hours he had, he opted to give them back and come back to LTS work later.
• Guido G nther did 13 hours (out of 12 hours allocated + 4.25 remaining hours, leaving 3.25 extra hours for April).
• Markus Koschany did 14.25 hours.
• Mike Gabriel did nothing and opted to give back the 8 hours allocated. He will stop LTS work for now as he has other projects taking all his time.
• Santiago Ruano Rinc n did 10 hours (out of 12h allocated + 1.50 remaining, thus keeping 3.50 extra hours for April).
• Scott Kitterman did a few hours but was not able to provide his report in time due to sickness. His next report will cover two months.
• Thorsten Alteholz did 14.25 hours.

Evolution of the situation The number of sponsored hours started to increase for April (116.75 hours, thanks to Sonus Networks) and should increase even further for May (with a new Gold sponsor currently joining us, Babiel GmbH). Hopefully the trend will continue so that we can reach our objective of funding the equivalent of a full-time position. At the end of the month the LTS team will be fully responsible of all Debian 7 Wheezy updates. For now paid contributors are still helping the security team by fixing packages that were fixed in squeeze already but that are still outstanding in wheezy. They are also looking for ways to ensure that some of the most complicated packages can be supported over the wheezy LTS timeframe. It is likely that we will seek external help (possibly from credativ which is already handling support of PostgreSQL) for the maintenance of Xen and that some other packages (like libav, vlc, maybe qemu?) will be upgraded to newer versions which are still maintained (either upstream or in Debian Jessie by the Debian maintainers). Thanks to our sponsors New sponsors are in bold.

• Platinum sponsors:
• TOSHIBA (for 6 months)
• Gold sponsors:
• The Positive Internet (for 22 months)
• Blablacar (for 21 months)
• Linode LLC (for 11 months)
• Silver sponsors:
• Domeneshop AS (for 21 months)
• Universit Lille 3 (for 21 months)
• Trollweb Solutions (for 19 months)
• Nantes M tropole (for 15 months)
• University of Luxembourg (for 13 months)
• Dalenys (for 11 months)
• Univention GmbH (for 7 months)
• Universit Jean Monnet de St Etienne (for 7 months)
• Sonus Networks
• Bronze sponsors:
• David Ayers IntarS Austria (for 22 months)
• Offensive Security (for 22 months)
• Seznam.cz, a.s. (for 22 months)
• Evolix (for 21 months)
• Freeside Internet Service (for 21 months)
• MyTux (for 21 months)
• Linuxhotel GmbH (for 19 months)
• Intevation GmbH (for 18 months)
• Daevel SARL (for 17 months)
• Bitfolk LTD (for 16 months)
• Megaspace Internet Services GmbH (for 16 months)
• Greenbone Networks GmbH (for 15 months)
• NUMLOG (for 15 months)
• WinGo AG (for 14 months)
• Ecole Centrale de Nantes LHEEA (for 11 months)
• Sig-I/O (for 8 months)
• Entr ouvert (for 6 months)
• Adfinis SyGroup AG (for 3 months)

No comment Liked this article? Click here. My blog is Flattr-enabled.

Debian LTS March was the eleventh month I contributed to Debian LTS under the Freexian umbrella. In total I spent 13 hours (of allocated 11.00 + 5.25h from last month) working on preparing for wheezy-lts:

• Uploaded aptdaemon to old-, stable-proposed-updates (#818006, #818007)
• Fix CVE-2012-6700, CVE-2012-6769 CVE-2012-6768, in Wheezy's dhcpcd resulting in DSA-3534
• Reach out to Debian's Xen and KVM maintainers, Xen's community manager and several company to asses LTS maintainability
• Research and propose a possible way forward for QEMU and libvirt
• Upload a backport of libvirt to wheezy-backports for that
• Prepare a fix for Wheezy's gtk+3.0 for CVE-2013-7447 (#818090) and propose it for oldstable-p-u (#819362)
• Looked into Wheezy's lxc and CVE-2015-1335 specifically and marking it as no-dsa after discussion with the security-team.
• Make bin/support-ended.py support EOL dates
• Review Antiones nss work for Wheezy and work on the corresponding update for Jessie in order (to be finished this month).

Other Debian things

• Uploaded several libvirt related packages like ruby-libvirt 0.6.0, libvirt-glib 0.2.3 and libvirt-sandbox 0.5.1+git20151113, libvirt 1.3.3~rc1
• Uploaded git-buildpackage 0.7.3
• Preparations for the 9th Debian Groupware Meeting

More sandboxing When working on untrusted code or data it's impossible to predict what happens when one does a:

bundle install --path=vendor

or

npm install

Does this phone out your private SSH and GPG keys? Does a

evince Downloads/justdownloaded.pdf

try to exploit the PDF viewer? While you can run stuff in separate virtual machines this can get cumbersome. libvirt-sandbox to the rescue! It allows to sandbox applications using libvirt's virtualization drivers. It took us a couple of years (The ITP is from 2012) but we finally have it in Debian's NEW queue. When libvirt-sandbox creates a sandbox it uses your root filesystem mounted read only by default so you have access to all installed programs (this can be changed with the --root option though). It can use either libvirt's QEMU or LXC drivers. We're using the later in the examples below: So in order to make sure the above bundler call has no access to your $HOME you can use:

sudo virt-sandbox \
   -m ram:/tmp=10M \
   -m ram:$HOME=10M \
   -m ram:/var/run/screen=1M \
   -m host-bind:/path/to/your/ruby-stuff=/path/to/your/ruby-stuff \
   -c lxc:/// \
   -S $USER \
   -n rubydev-sandbox \
   -N dhcp,source=default \
   /bin/bash

This will make your $HOME unaccessible by mounting a tmpfs over it and using separate network, ipc, mount, pid and utc namespaces allowing you to invoke bundler with less worries. /path/to/your/ruby-stuff is bind mounted read-write into the sandbox so you can change files there. Bundler can fetch new gems using libvirt's default network connection. And for the PDF case:

sudo virt-sandbox \
  -m ram:$HOME=10M \
  -m ram:/dev/shm=10M \
  -m host-bind:$HOME/Downloads=$HOME/Downloads \
  -c lxc:/// \
  -S $USER \
  -n evince-sandbox \
  --env="DISPLAY=:0" \
  --env="XAUTHORITY=$XAUTHORITY" \
  /usr/bin/evince Downloads/justdownloaded.pdf

Note that the above example shares /tmp with the sandbox in order to give it access to the X11 socket. A better isolation can probably be achieved using xpra or xvnc but I haven't looked into this yet. Besides the command line program virt-sandbox there's also the library libvirt-sandbox which makes it simpler to build new sandboxing applications. We're not yet shipping virt-sandbox-service (a tool to provision sandboxed system services) in the Debian packages since it's RPM distro specific. Help on porting this to Debian is greatly appreciated.

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In February, 112.50 work hours have been dispatched among 11 paid contributors. Their reports are available:

• Antoine Beaupr did 8h.
• Ben Hutchings did 14 hours (out of 11.25 hours allocated + 10 extra hours remaining, meaning that he still has 7.25 extra hours to do over March).
• Brian May did 10 hours.
• Chris Lamb did 18 hours (instead of the 11.25 hours he was allocated, he will work less in March).
• Damyan Ivanov did 4 hours (out of 11.25 hours allocated, leaving 7.25 extra hours for March).
• Guido G nther did 7 hours (out of 11.25 hours allocated, leaving 4.25 extra hours for March).
• Markus Koschany did 11.25 hours.
• Mike Gabriel did 8 hours.
• Santiago Ruano Rinc n did 12 hours (out of 11h allocated + 2.50 remaining, thus keeping 1.50 extra hours for March).
• Scott Kitterman did 8 hours.
• Thorsten Alteholz did 11.25 hours.

Evolution of the situation The number of sponsored hours continued to decrease a little bit. It s not worrisome yet but we should try to get back to a positive slope if we want to be able to do an outstanding job for wheezy LTS. On the positive side, TOSHIBA renewed their platinum sponsorship for another 6 months at least and we have some contacts for new sponsors, though they are far from being concluded yet. We are now in transition between squeeze LTS and wheezy LTS. The paid contributors are helping the security team by fixing packages that were fixed in squeeze already but that are still outstanding in wheezy. They are also taking generic measures to prepare wheezy LTS (for example to ensure all packages work with OpenJDK 7.x since support for 6.x will be dropped in the LTS period). Thanks to our sponsors New sponsors are in bold (none this month).

• Platinum sponsors:
• TOSHIBA (for 5 months)
• Gold sponsors:
• The Positive Internet (for 21 months)
• Blablacar (for 20 months)
• Linode LLC (for 10 months)
• Silver sponsors:
• Domeneshop AS (for 20 months)
• Universit Lille 3 (for 20 months)
• Trollweb Solutions (for 18 months)
• Nantes M tropole (for 14 months)
• University of Luxembourg (for 12 months)
• Dalenys (for 10 months)
• Univention GmbH (for 6 months)
• Universit Jean Monnet de St Etienne (for 6 months)
• Bronze sponsors:
• David Ayers IntarS Austria (for 21 months)
• Offensive Security (for 21 months)
• Seznam.cz, a.s. (for 21 months)
• Evolix (for 20 months)
• Freeside Internet Service (for 20 months)
• MyTux (for 20 months)
• Linuxhotel GmbH (for 18 months)
• Intevation GmbH (for 17 months)
• Daevel SARL (for 16 months)
• Bitfolk LTD (for 15 months)
• Megaspace Internet Services GmbH (for 15 months)
• Greenbone Networks GmbH (for 14 months)
• NUMLOG (for 14 months)
• WinGo AG (for 13 months)
• Ecole Centrale de Nantes LHEEA (for 9 months)
• Sig-I/O (for 7 months)
• Entr ouvert (for 5 months)
• Adfinis SyGroup AG

No comment Liked this article? Click here. My blog is Flattr-enabled.

As a follow up to calendar synchronisation with calypso, syncevolution and the N900 running maemo I finally added contacts to the mix: on the phone When you have the calendar sync already running it's as simple as: First start ssh on the n900 to ease typing:

apt-get install dropbear
echo /bin/sh >> /etc/shells
cd /etc/dropbear && ./run

SSH into the phone and configure contacts synchronization:

cat <<EOF > ~/.config/syncevolution/webdav/sources/addressbook/config.ini
backend = CardDAV
database = https://carddav.example.com/contacts/username
EOF

And perform the initial sync:

syncevolution --sync slow webdav addressbook

From there on you can sync contacts and calendars in one go with:

syncevoluton webdav

Looking at the calypso logs on the server it seems that syncevoluton does not always generate an FN entry and so the card gets skipped. This doesn't harm the overall sync, but I need to have a look how to fix this. on the laptop In order to use the contacts im mutt there's pycarddav packaged in Debian. This is basically following upstreams documentation.

sudo apt-get install pycarddav
mkdir -p ~/.config/pycard
cp /usr/share/doc/pycarddav/examples/pycard.conf.sample ~/.config/pycard/pycard.conf
# Edit file as needed
cat ~/.config/pycard/pycard.conf
[Account username]
user: username
resource: https://carddav.example.com/
write_support = YesPleaseIDoHaveABackupOfMyData
[query]
where: vcard
[sqlite]
[default]
debug: False

To use the entries in mutt add the just extend your .muttrc:

cat <<EOF >>~/.muttrc
set query_command="pc_query -m %s"
macro index,pager B "<pipe-message>pycard-import<enter>" "add sender address to pycardsyncer"
EOF

This allows you to query contacts using Q and add new conatcs with CTRL-B in mutt's index and pager. Calypso Changes We recently moved calypso's git repository to alioth and started to merge several out of tree patches. More will happen during this years Debian Groupware Meeting including a new upload to Debian.

Debian LTS February was the tenth month I contributed to Debian LTS under the Freexian umbrella. In total I spent 7 hours (of allocated 11.15 hours) working on squeeze-lts:

• Triage of 17 CVEs for squeeze-lts. I misread the calendar and thought I was on front-desk duty for a couple of days. Fortunately no duplicate work was done.
• Prepared and released DLA-427-1 for nss fixing CVE-2016-1938 after checking that nss is not affected by CVE-2015-7575 since MD5 signatures never got disabled - another good reason why we should have the same nss in all suites.

and to make sure we have fewer issues that are fixed in squeeze-lts but affect wheezy

• I prepared patches for CVE-2015-8036 and CVE-2015-5291 for polarssl for jessie including some autpkgtests (wheezy already happened in January) resulting in DSA-3468-1.
• Prepared patches for CVE-2015-1323 affecting apt-daemon (789162) for jessie and wheezy waiting for a review.

On non LTS time I cooked up a script to make it simpler to check if a package has security support in a certain release. Now that squeeze-lts is history I'd like to thank the Debian Security Team for their help and answers to all the questions related to security tracker, DSAs, DLAs and whatnot. I'm looking forward to wheezy-lts now Other Debian stuff

• Uploaded libvirt-python 1.3.1 to unstable.
• Uploaded virt-manager 1.3.2 to experimental.
• Uploaded libvirt 1.3.2-2 to unstable dropping the libvirt-bin transitional package after NMUing gnome-boxes and virt-goodies to remove the dependency.
• Uploaded whatmaps to experimental switching to Python3

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In December, 113.50 work hours have been dispatched among 9 paid contributors. Their reports are available:

• Antoine Beaupr did 11.5h.
• Ben Hutchings did 15 hours (out of 15 hours allocated + 10 extra hours remaining, meaning that he still has 10 extra hours to do over February).
• Chris Lamb did 18 hours.
• Guido G nther did 13 hours (out of 12 hours allocated + 1 remaining).
• Mike Gabriel did 16 hours (8 hours allocated + 8h remaining).
• Santiago Ruano Rinc n did 18 hours (out of 12h allocated + 8.50 remaining, thus keeping 2.50 extra hours for February).
• Scott Kitterman did 8 hours.
• Thorsten Alteholz did 30 hours.

Evolution of the situation As expected, we had a small drop in the amount of hours sponsored. New sponsors (re-)joined but others stopped too (Gree this time) mostly balancing the result. We only lost 2 hours of sponsored work. It would be nice if we could invert that curve and actually start again to get closer to our objective of funding the equivalent of a full time position. Let s hope that the switch to wheezy as the version supported by the LTS team will motivate many companies relying on Debian 7 in their IT system. In terms of security updates waiting to be handled, the situation is close to last month(17 packages in dla-needed.txt, 27 in the list of CVE). It looks like that having about 20 packages needing an update is the normal situation and that we can t really get further down given the time required to process some updates (sometimes we wait until the upstream authors provides a patch, and so on). Thanks to our sponsors New sponsors are in bold.

• Platinum sponsors:
• TOSHIBA (for 4 months)
• Gold sponsors:
• The Positive Internet (for 20 months)
• Blablacar (for 19 months)
• Linode LLC (for 9 months)
• Silver sponsors:
• Domeneshop AS (for 19 months)
• Universit Lille 3 (for 19 months)
• Trollweb Solutions (for 17 months)
• Nantes M tropole (for 13 months, renewal after a small break)
• University of Luxembourg (for 11 months)
• Dalenys (for 9 months)
• Univention GmbH (for 5 months)
• Universit Jean Monnet de St Etienne (for 5 months)
• Bronze sponsors:
• David Ayers IntarS Austria (for 20 months)
• Offensive Security (for 20 months)
• Seznam.cz, a.s. (for 20 months)
• Evolix (for 19 months)
• Freeside Internet Service (for 19 months)
• MyTux (for 19 months)
• Linuxhotel GmbH (for 17 months)
• Intevation GmbH (for 16 months)
• Daevel SARL (for 15 months)
• Bitfolk LTD (for 14 months)
• Megaspace Internet Services GmbH (for 14 months)
• Greenbone Networks GmbH (for 13 months)
• NUMLOG (for 13 months)
• WinGo AG (for 12 months)
• Ecole Centrale de Nantes LHEEA (for 8 months)
• Sig-I/O (for 6 months)
• Entr ouvert (for 4 months)
• Adfinis SyGroup AG

No comment Liked this article? Click here. My blog is Flattr-enabled.

Debian LTS January was the ninth month I contributed to Debian LTS under the Freexian umbrella. In total I spent 13 hours working on:

• LTS Frontdesk duties like the triaging of 34 CVEs. That was about twice as much CVEs coming as during December's frontdesk work.
• I looked into what needs to be done DLA wise when we move from Squeeze to Wheezy. For that I added a script do find discrepancies between Squeeze LTS and Wheezy.
• I uploaded giflib to squeeze-lts(DLA-389-1), wheezy(#812363) and jessie(#812362) proposed updates.
• I forward ported the fix for CVE-2015-5291 for polarssl to Wheezy adding autopkgtests on the way (#812420) (forward port to Jessie happend in February)
• I forward ported a patch for freetype fixing CVE-2014-9674 to wheezy(DSA-3461-1) - Jessie being not affected.
• Finally I added some basic autopkgtests to icu (#813338).

There was no progress on using the same nss in all suites. This will continue in February as does the Squeeze-lts Wheezy forward porting. Other Debian stuff

• I uploaded libvirt 1.3.1~rc1 and 1.3.1~rc2 to experimental and 1.3.1 final to unstable.
• Released git-buildpackage 0.7.2