FTP master
This month I accepted 85 and rejected 6 packages. The overall number of packages that got accepted was only 88. Yeah, Debian is frozen but hopefully will unfreeze soon.
Debian LTS
This was my eighty-third month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.
This month my all in all workload has been 29.75h. During that time I did LTS and normal security uploads of:
[DLA 2650-1] exim4 security update for 17 CVEs
[DLA 2665-1] ring security update one CVE
[DLA 2669-1] libxml2 security update one CVE
the fix for tnef/CVE-2019-18849 had been approved and I could do the PU-upload
I also made some progress with gpac and struggle with dozens of issues here.
Last but not least I did some days of frontdesk duties, which for whatever reason was rather time-consuming this month.
Debian ELTS
This month was the thirty-fifth ELTS month.
During my allocated time I uploaded:
ELA-420-1 for exim4
ELA-435-1 for python2.7
ELA-436-1 for libxml2
I also made some progress with python3.4
Last but not least I did some days of frontdesk duties.
Other stuff
On my neverending golang challenge I again uploaded some packages either for NEW or as source upload.
Last but not least I adopted gnucobol.
Like each month, have a look at the work funded by Freexian's Debian LTS offering.
Debian project funding
In April, we put aside 5775 EUR to fund Debian projects. There were no proposals for new projects received, thus we're looking forward to receive more projects from various Debian teams! Please do not hesitate to submit a proposal, if there is a project that could benefit from the funding!
Debian LTS contributors
In April, 11 contributors have been paid to work on Debian LTS, their reports are available:
Abhijith PA did 14.0h (out of 14h assigned and 12h from March), thus carrying over 12h to May.
Evolution of the situation
In April we released 33 DLAs and held a LTS team meeting using video conferencing.
The security tracker currently lists 53 packages with a known CVE and the dla-needed.txt file has 26 packages needing an update.
We are pleased to welcome VyOS as a new gold sponsor!
Thanks to our sponsors
Sponsors that joined recently are in bold.
Recently, Raphael Hertzog published ideas [1] about how to make Debian more attractive for big enterprises. One missing key stone here is the possibility to sign up for an enterprise support subscription scheme. Another question tackles how to provide such a support scheme within Debian, without disturbing the current flow of how Debian is developed these days.
And, there are likely more questions to ask, riddles to solve, and hurdles to overcome.
We want to discuss this topic, brainstorm on it, collect new ideas and also hear your concerns on a public channel. Over the past weeks there already have been mail exchanges off-list.
We want to reboot this privately started discussion now in public (as that's where it belongs) starting +/- at the end of the coming week via the currently quite inactive Debian mailing list 'debian-enterprise' [2]. Please join the discussion (and the mailing list) [3] if interested in this topic.
light & love
Mike (aka sunweaver)
[1] https://raphaelhertzog.com/2021/03/30/challenging-times-for-freexian-1/
(also read parts 2-4)
[2] debian-enterprise@lists.debian.org
[3] https://lists.debian.org/debian-enterprise
FTP master
This month I accepted 103 and rejected 10 packages, which is again an increase compared to last month. The overall number of packages that got accepted was only 107.
Debian LTS
This was my eighty-second month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.
This month my all in all workload has been 30h. During that time I did LTS and normal security uploads of:
[DLA 2629-1] libebml security update for one CVE
debdiff for libebml/buster
[DLA 2636-1] pjproject security update for one CVE
I also created debdiffs of tnef and ring for other suites, which did not result in any upload yet. Further I started to work on gpac and struggle with dozens of issues here.
Last but not least I did some days of frontdesk duties.
Debian ELTS
This month was the thirty-fourth ELTS month.
Unfortunately my work on python2.7 and python3.4 did not result in an upload before the end of the month.
Last but not least I did some days of frontdesk duties.
Other stuff
On my neverending golang challenge I again uploaded lots of packages either for NEW or as source upload.
Last but not least I voted.
Like each month, have a look at the work funded by Freexian's Debian LTS offering.
Debian project funding
In March, we put aside 3225 EUR to fund Debian projects but sadly nobody picked up anything, so this is one of the many reasons Raphael posted a series of blog posts titled "Challenging times for Freexian", posted in 4 parts on the last two days of March and the first two of April. [Part one, two, three and four]
So we're still looking forward to receive more projects from various Debian teams! Learn more about the rationale behind this initiative in this article!
Debian LTS contributors
In March, 11 contributors have been paid to work on Debian LTS, their reports are available:
Abhijith PA did 9.0h (out of 9h assigned and 12h from February), thus carrying over 12h to April.
Evolution of the situation
In March we released 28 DLAs and held our second LTS team meeting for 2021 on IRC, with the next public IRC meeting coming up at the end of May.
At that meeting Holger announced that after 2.5 years he wanted to step back from his role helping Raphaël in coordinating/managing the LTS team. We would like to thank Holger for his continuous work on Debian LTS (which goes back to 2014) and are happy to report that we already found a successor which we will introduce in the upcoming April report from Freexian.
Finally, we would like to remark once again that we are constantly looking for new contributors. For a last time, please contact Holger if you are interested!
The security tracker currently lists 42 packages with a known CVE and the dla-needed.txt file has 28 packages needing an update.
We are also pleased to report that we got 4 new sponsors over the last 2 months: thanks to sipgate GmbH, OVH US LLC, Tilburg University and Observatoire des Sciences de l'Univers de Grenoble!
Thanks to our sponsors
Sponsors that joined recently are in bold.
FTP master
Things never turn out the way you expect, so this month I was only able to accept 38 packages and rejected none. Due to the freeze, the overall number of packages that got accepted was 88.
Debian LTS
This was my eighty-first month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.
This month my all in all workload has been 30h. During that time I did LTS and normal security uploads of:
[DLA 2606-1] lxml security update for one CVE
[DSA 4880-1] lxml security update for one CVE
[DLA 2611-1] ldb security update for two CVEs
[DLA 2612-1] leptonlib security update for four CVEs
I also prepared debdiffs for unstable and/or buster for leptonlib and libebml, which for one reason or another did not result in an upload yet.
Last but not least I did some days of frontdesk duties.
Debian ELTS
This month was the thirty-third ELTS month.
During my allocated time I uploaded:
ELA-388-1 for zeromq3
ELA-390-1 for lxml
ELA-391-1 for jasper
ELA-393-1 for ldb
ELA-394-1 for leptonlib
Last but not least I did some days of frontdesk duties.
Other stuff
On my neverending golang challenge I uploaded (or sponsored for thola dependencies): golang-github-tombuildsstuff-giovanni, golang-github-apparentlymart-go-userdirs, golang-github-apparentlymart-go-shquot, golang-github-likexian-gokit, golang-gopkg-mail.v2, golang-gopkg-redis.v5, golang-github-facette-natsort, golang-github-opentracing-contrib-go-grpc, golang-github-felixge-fgprof, golang-github-gogo-status, golang-github-leanovate-gopter, golang-github-opentracing-basictracer-go, golang-github-lightstep-lightstep-tracer-common, golang-github-go-sourcemap-sourcemap, golang-github-igm-pubsub, golang-github-igm-sockjs-go, golang-github-centrifugal-protocol, golang-github-mna-redisc, golang-github-fzambia-eagle, golang-github-centrifugal-centrifuge, golang-github-chromedp-sysutil, golang-github-client9-misspell, golang-github-knq-snaker, cdproto-gen, golang-github-mattermost-xml-roundtrip-validator, golang-github-crewjam-saml, ssllabs-scan, golang-uber-automaxprocs, golang-uber-goleak, golang-github-k0kubun-go-ansi, golang-github-schollz-progressbar, golang-github-komkom-toml, golang-github-labstack-echo, golang-github-inexio-go-monitoringplugin
Note: This is the continuation of part 1, part 2 and part 3. You can get the full document as a single PDF. Feel free to share this document to anyone that might be interested to work towards the goals outlined.
Conclusion
I'm very excited by the perspective that I outlined in this document. It really resonates with my own mission statement as a Debian developer (written a long time ago):
My main role in Debian is to help Debian to evolve so that it's always able to face the new challenges that are showing up.
My approach is both corrective and proactive, I work to solve current problems and prepare for tomorrow's. This requires to remain sufficiently involved to identify new trends, see the deficiencies and be a force of proposition.
Most of the changes require to interact with many people, and problems are often more relational than technical. I will ensure to follow the habits of interdependence (Think Win-Win, Seek First to Understand, Then to be Understood, Synergize) to find a solution acceptable to all and to inspire others to do the same.
The easiest changes to implement are technical (such as improvements to distro-tracker) and require little interaction. This work is used to recharge me by offering me an immediate reward for my efforts.
Finally, and this is a substantive effort, I want to create in the project working conditions that allow all contributors to give their best. It starts with developing a common vision
But I can't achieve this alone, I need help from passionate individuals sharing this vision. Let me know if you want to be one of those persons.
Note: This is the continuation of part 1 and part 2.
Going forward: growing Freexian
Part 2: Extending the team
By all accounts, Freexian is still a small company which relies largely on me in many aspects. The growth of its business is however providing enough financial margin to allow looking into ways to recruit external help, be it through direct hiring (for French residents) or via long term contracting (for people based in other countries). If you believe you could be the right person for one of the roles listed below, or if you know someone that we should contact, please reach out to raphael@freexian.com.
Project manager
I'm looking for someone that cares about Debian and that has the following skills:
knows how to manage developers and software projects
bonus points for any experience in environments mixing volunteers and paid contributors
is fluent and experienced enough in Python to be able to do software design and code reviews
bonus points for experience with: Django, Test Driven Development
That person would handle (some of) the following tasks:
lead the Debian project funding initiative to a success
find useful projects to fund, for example by
discussing with various Debian teams / contributors (including the DPL)
running a survey among Debian developers
doing your own analysis
help with drafting and specifying the various projects
help to find someone to implement and review the projects
coordinate with those persons during execution
manage other free software projects that Freexian would like to pursue
debusine: a software factory tailored for Debian packages
participate in design discussions, set milestones and goals
start with the short term needs of Freexian
but take into account the needs of Debian so that it can replace some aging infrastructure within Debian
coordinate with contractors, possibly implement some parts
maybe coordinate the team of paid LTS/ELTS contributors
Debian/Python Developer
While the current priority is on the above role, there could also be room for a developer role with the following tasks:
Creation and maintenance of Debian packages
Technical support
Software development in Python (debusine, internal infrastructure)
Security support (contributor to Debian LTS)
Sales manager / sales representative
Up until now, the growth of Freexian has mostly been organic, through word of mouth and increased awareness of Debian LTS within the Debian community. We never spent a single euro on advertising, except for one promotional video and for Debconf sponsorship (with a flyer and stickers).
But if we can manage to make a positive impact on Debian through the funding that Freexian brings, then I'm interested to grow the company so that we can pay more people to work on Debian. That growth likely would have to go through some more active sales work. At the same time, it is an opportunity for me to delegate (some of) the administrative work that lies solely on my shoulders (invoicing, day to day customer relationship, etc.).
I assume it will be hard to find a member of the Debian community that has an interest in those areas, but who knows
This article is to be continued in an upcoming post. Stay tuned!
Note: This is the continuation of part 1 where I presented Freexian and its purpose.
Going forward: growing Freexian
Part 1: From Debian LTS to Debian for the Enterprise
Freexian's Debian LTS service has so far been entirely successful, with a steady growth over the years. Thanks to this, and even if there are always new challenges, it is fair to say that the Debian LTS team has met its goal in the last few years.
While this started from the desire to make LTS a reality, many sponsors are only looking for a way to give back to Debian through their company, and to make sure that Debian fits their needs.
But if you look at the bigger picture outside of this small LTS area, you will easily find many issues that need to be addressed if we want Debian to meet the needs of corporate users. Those issues can have widely different types and complexity. They can be as simple as missing the latest upstream version for an important package because the maintainer disappeared and nobody noticed before it was too late (i.e. the release was frozen); or a somewhat basic piece of software not yet packaged at all; or a release critical bug that was left unattended. On the other end of the spectrum, some corporate requirements will prove tougher to solve, for instance for large software suites that are complex to package, or could potentially have an impact elsewhere in Debian.
Bringing those facts together, we would like to have Freexian's Debian LTS/ELTS offering evolve into a more general Debian Software Assurance offering, where you commit to a yearly budget for Debian sponsorship in the larger sense. That budget would fund different projects and the allocation between those projects would vary over time depending on the desires and needs of the sponsors/customers:
Technical support: the budget would always ensure that you have a few spare hours of technical support available in case you need them
Debian LTS: we want this to continue!
Debian ELTS: when the customer has not managed to migrate their Debian servers in time, they should be able to reallocate their budget towards ELTS and ensure their servers are secure until the migration has taken place.
Debian for the enterprise
Make sure that the packages used by sponsors are in good shape in Debian Testing/Unstable so that they are in the best shape for the next stable release.
Package new software that are relevant for corporate users. Offer to pool the maintenance work.
Fix bugs that customers are hitting.
Etc.
Debian project funding: that's the variable part of the budget (and would have a minimum of 10% like we do for Debian LTS right now). When the other projects do not consume the whole budget, we invest the remaining money into generic Debian improvements.
This major shift in our offering would also be an ideal opportunity to build a professional, free-software based infrastructure aimed at sustaining this business, making it easier to administer the various aspects of this work, and easily allowing many more sponsors to join (individuals included!).
On a more pragmatic/operational note, this shift will bring a lot of challenges to the table, and those can hardly be handled with the current resources of Freexian: if we hope to properly implement this new strategy, we'll need some additional help.
This article is to be continued in an upcoming post. Stay tuned!
TLDR: Freexian's success means that we have resources to invest into Debian projects. Plainly offering money has not worked so far, so I am looking to hire a project manager whose work would be to help spend that money in useful ways. At the same time, Freexian needs to adapt to cope with the growth: with new employees, with new infrastructure and a new offering. I want to give an idea of where we are headed, to try to inspire persons that share our values and our desire to improve Debian. Read on if you are interested.
Note: The original text has been split into 4 blog posts that will be published over a few days.
Introduction
Freexian is an IT service company specialized in Debian. We provide technical support by email on Debian, we create and maintain Debian packages requested by our customers, we also help organizations run an entire Debian derivative (Kali Linux being the most notable one).
On top of this, it runs the commercial part of the Debian LTS service: Freexian invoices many sponsors that need long term support, and uses the money to pay Debian contributors (about 12 currently) to make sure that Debian releases are supported for 5 years instead of 3. With the Extended LTS service, we push that further to 7 years, however only for a smaller subset of packages and in a repository that is hosted outside of debian.org.
Freexian's purpose
When I created Freexian, it was out of a desire to be paid to work on Debian, and to be able to contribute during work time to the project that was so important to me. That goal has been met a long time ago.
But ultimately what I strive to achieve for Debian is not entirely aligned with the work that Freexian's customers are requesting. That's why, in the long term projects of Freexian, I always kept "find a business model that can fund the Debian projects that I would like to do", as well as "if that model works for me, build something so that others can benefit from it too". The first occasion to experiment something appeared when Debian discussed Long Term Support and when I stepped up to setup a commercial offer to pay Debian contributors.
Step 1: Paying Debian contributors for LTS work
When we started the Debian LTS service, I voluntarily opted to use an hourly rate that was rather high so that any Debian developer regardless of their geographical location, could participate and not earn (much) less than what they would have from working on other tasks. This choice did imply paying a very high rate for some countries, but I didn't see that as a problem, quite the contrary: if a Debian developer can earn enough money to cover their cost of living with 15h of Debian LTS, and then spend the rest of their month contributing on Debian, all the better! I'm not sure if anyone made this choice, but that was a dream of my younger self
From a personal standpoint, the launch of Debian LTS has meant less free time, more administrative work, new duties to coordinate a team of paid contributors, more communication with many Debian-using companies, and many new opportunities too! This ultimately resulted in the launch of Extended LTS and PHP LTS, both of which have been rather successful so far.
Step 2: Funding Debian projects
With the growth of the Debian LTS service, and given that we have reached the required funding level, we decided to put a small share of the revenues aside and use that to fund useful Debian projects, typically in areas that were affected by our Debian LTS work. This effort was fully formalized in the project-funding git repository. We announced this process in November 2020, and we have kept mentioning it in our monthly LTS reports ever since, but so far only a single project has benefited from this.
This is really the dream offer that I wish had existed when I was younger and was still struggling to get enough customers: hence I don't really understand this lack of interest. You can find some discussions over the reasons why this offer has not (yet) found its target audience in this debian-vote thread.
I was hoping that spending money would be easy, but I now realize I was wrong! I'm positive that I could find dozens of useful projects to fund, but I just don't have the time for this extra effort on top of my regular Freexian duties. I still really want to put this money to good use, which is why I'm looking into some solutions.
This article is to be continued in another upcoming post, stay tuned!
Like each month, have a look at the work funded by Freexian's Debian LTS offering.
Debian project funding
In February, we put aside 5475 EUR to fund Debian projects.
The first project from this initiative was finished and thus Carles Pina was able to issue the first invoice!
We are looking forward to receive more projects from various Debian teams and contributors. Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In February, 12 contributors have been paid to work on Debian LTS, their reports are available:
Abhijith PA did 19.0h (out of 7h assigned and 12h from January).
Ben Hutchings did 19h (out of 16h assigned and 15.25h from January), thus carrying over 12.25h to March.
Emilio Pozuelo Monfort did not report back about their work so for now we assume they did nothing (out of 28h assigned plus 35.5h from January), thus is carrying over 63.5h for March.
Holger Levsen did 6h coordinating/managing the LTS team.
Evolution of the situation
In February we released 28 DLAs (including one regression update) and we held an internal team meeting using video chat. Finally, as every month we would like to remark once again that we are constantly looking for new contributors. Please contact Holger if you are interested!
The security tracker currently lists 46 packages with a known CVE and the dla-needed.txt file has 34 packages needing an update.
Thanks to our sponsors
Sponsors that joined recently are in bold.
FTP master
This month I accepted 162 and rejected 28 packages, which is again a small increase compared to last month. The overall number of packages that got accepted was 291.
Debian LTS
This was my eightieth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.
This month my all in all workload has been 30h. During that time I did LTS and normal security uploads of:
[DLA 2551-1] slirp security update two CVEs
[DLA 2552-1] connman security update two CVEs
[DLA 2567-1] unrar-free security update three CVEs
[DLA 2566-1] libbsd security update one CVE
[DLA 2571-1] openvswitch security update six CVEs
[DLA 2572-1] wpa security update for one CVE
I also prepared debdiffs for golang-github-appc-cni, wpa and libbsd, which for one reason or another did not result in a DLA yet.
Moreover I did some NEW processing and other stuff on security-master.
Last but not least I did some days of frontdesk duties.
Debian ELTS
This month was the thirty-second ELTS month.
During my allocated time I uploaded:
ELA-367-1 for libbsd
ELA-368-1 for unrar-free
ELA-370-1 for wpa
Last but not least I did some days of frontdesk duties.
Other stuff
This month I uploaded new upstream versions of:
Like each month, have a look at the work funded by Freexian's Debian LTS offering.
Debian project funding
In January, we put aside 2175 EUR to fund Debian projects.
As part of this Carles Pina i Estany started to work on better no-dsa support for the PTS which recently resulted in two merge requests which will hopefully be deployed soon.
We're looking forward to receive more projects from various Debian teams! Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In January, 13 contributors have been paid to work on Debian LTS, their reports are available:
Abhijith PA did 9.0h (out of 14h assigned and 7h from December), thus carrying over 12h to February.
Adrian Bunk did 14h (out of 26h assigned), thus carrying over 12h to February, which he then gave back.
Ben Hutchings did 0.25h (out of 7h assigned and 8.5h from December), thus carrying over 15.25h to February.
Emilio Pozuelo Monfort did not report back about their work so we assume they did nothing (out of 26h assigned plus 9.5h from December), thus is carrying over 35.5h for February.
Holger Levsen did 6.5h coordinating/managing the LTS team.
Markus Koschany did 36.75h (out of 26h assigned and 10.75h from December).
Ola Lundqvist did 2.5h (out of 10.5h assigned and 11.5h from December) and gave back 9.5 hours, thus carrying over 10h to February.
Roberto C. Sánchez did 6h (out of 26h assigned), thus carrying over 20h to February, which he then gave back.
Evolution of the situation
In January we released 28 DLAs and held our first LTS team meeting for 2021 on IRC, with the next public IRC meeting coming up at the end of March.
During that meeting Utkarsh shared that after he rolled out the python-certbot update (on December 8th 2020) the maintainer told him: "I just checked with Let's Encrypt, and the stats show that you just saved 142,500 people from having their certificates start failing next month. I didn't know LTS was still that used!"
Finally, we would like to welcome sipgate GmbH as a new silver sponsor. Also remember that we are constantly looking for new contributors. Please contact Holger if you are interested.
The security tracker currently lists 43 packages with a known CVE and the dla-needed.txt file has 23 packages needing an update.
Thanks to our sponsors
Sponsors that joined recently are in bold.
FTP master
This month I could increase my activities in NEW again and accepted 132 packages. Unfortunately I also had to reject 12 packages. The overall number of packages that got accepted was 374.
Debian LTS
This was my seventy-ninth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.
This month my all in all workload has been 26h. During that time I did LTS and normal security uploads of:
[DSA 4823-1] influxdb security update for one CVE
[DLA 2536-1] libsdl2 security update for nine CVEs
With the buster upload of highlight.js I could finish to fix CVE-2020-26237 in all releases.
I also tried to fix one or the other CVE for golang packages, to be exact: golang-github-russellhaering-goxmldsig, golang-github-tidwall-match, golang-github-tidwall-gjson and golang-github-antchfx-xmlquery. The version in unstable is easily done by uploading a new upstream version after checking with ratt that all reverse-build-dependencies are still working. The next step will be to really upload all reverse-build-dependencies that need a new build. As the number of reverse-build-dependencies might be rather large, this needs to be done automatically somehow. The problem I am struggling with at the moment are packages that need to be rebuilt but the version in git already increased
Another problem with golang packages are packages that are referenced by a Built-Using: line, but whose sources are not yet available on security-master. If this happens, the uploaded package will be automatically rejected. Unfortunately the rejection-email only contains the first missing package. So in order to reduce the hassle with such uploads, please send me the Built-Using:-line before the upload and I will import everything. In December/January this affected the uploads of influxdb and snapd.
Last but not least I did some days of frontdesk duties.
Debian ELTS
This month was the thirty-first ELTS month.
During my allocated time I uploaded:
ELA-351-1 for sudo
ELA-352-1 for dbus
ELA-353-1 for libsdl2
Last but not least I did some days of frontdesk duties.
Other stuff
This month I uploaded new upstream versions of:
I switched my main computer and this time I opted for Lenovo's Thinkpad T14 that comes with an AMD Processor. It's the first time that I have 8 cores in my laptop with this AMD Ryzen 7 PRO 4750U CPU and it gives a real performance boost together with the 32GB of RAM.
Despite the fact that it's a laptop I use it mainly on my desktop where it's now connected to the USB-C Dock Gen2 so that I can connect it with a single USB-C cable to power/ethernet/keyboard/mouse and two external displays. I use the display port output and I had some hiccups with the HDMI output where the screen would become blank for a few seconds
The Linux support of this hardware is rather good so far but I went through a few hiccups when I started using it, in particular I'm not sure what made the external display work as they were not working after the initial install but they ended up working after installing all the packages that I had on my former computer. But the suspend/resume works fine even when you unplug the laptop from the dock with the lid closed. It might be seen as a given but the suspend/resume was broken on my old X260 (at least on recent kernels, I was able to keep using Linux 4.19 where it worked).
I tried to document relevant information in the wiki, have a look at https://wiki.debian.org/InstallingDebianOn/Thinkpad/T14 and I have uploaded a Linux hardware database probe if you want to look at the gory details including the firmware version that I upgraded to before starting any setup.
Like each month, have a look at the work funded by Freexian's Debian LTS offering.
Debian project funding
In December, we put aside 2100 EUR to fund Debian projects. The first project proposal (a tracker.debian.org improvement for the security team) was received and quickly approved by the paid contributors, then we opened a request for bids and the bid winner was announced today (it was easy, we had only one candidate). Hopefully this first project will be completed until our next report.
We're looking forward to receive more projects from various Debian teams! Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In December, 12 contributors have been paid to work on Debian LTS, their reports are available:
Abhijith PA did 7.0h (out of 14h assigned), thus carrying over 7h to January.
Ben Hutchings did 16.5h (out of 16h assigned and 9h from November), thus carrying over 8.5h to January.
Evolution of the situation
December was a quiet month as we didn't have a team meeting nor any other unusual activity and we released 43 DLAs.
The security tracker currently lists 30 packages with a known CVE and the dla-needed.txt file has 25 packages needing an update.
This month we are pleased to welcome Deveryware as new sponsor!
Thanks to our sponsors
Sponsors that joined recently are in bold.
FTP master
This month I only accepted 8 packages and like last month rejected 0. Despite the holidays 293 packages got accepted.
Debian LTS
This was my seventy-eighth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.
This month my all in all workload has been 26h. During that time I did LTS uploads of:
[DLA 2489-1] minidlna security update for two CVEs
[DLA 2490-1] x11vnc security update for one CVE
[DLA 2501-1] influxdb security update for one CVE
[DLA 2511-1] highlight.js security update for one CVE
Unfortunately package slirp has the same version in Stretch and Buster. So I first had to upload slirp/1:1.0.17-11 to unstable, in order to be allowed to fix the CVE in Buster and to finally upload a new version to Stretch. Meanwhile the fix for Buster has been approved by the Release Team and I am waiting for the next point release now.
I also prepared a debdiff for influxdb, which will result in DSA-4823-1 in January.
As there appeared new CVEs for openjpeg2, I did not do an upload yet. This is planned for January now.
Last but not least I did some days of frontdesk duties.
Debian ELTS
This month was the thirtieth ELTS month.
During my allocated time I uploaded:
ELA-341-1 for highlight.js
As well as for LTS, I did not finish work on all CVEs of openjpeg2, so the upload is postponed to January.
Last but not least I did some days of frontdesk duties.
Unfortunately I also had to give back some hours.
Other stuff
This month I uploaded new upstream versions of:
With these uploads I finished the libosmocom- and libctl-transitions.
The Debian Med Advent Calendar was again really successful this year. There was no new record, but with 109, the second most number of bugs has been closed.
year | number of bugs closed
2011 | 63
2012 | 28
2013 | 73
2014 | 5
2015 | 150
2016 | 95
2017 | 105
2018 | 81
2019 | 104
2020 | 109
Well done everybody who participated. It is really nice to see that Andreas is no longer a lone wolf.
Like each month, here comes a report about the work of paid contributors to Debian LTS.
Individual reports
In November, 239.25 work hours have been dispatched among 13 paid contributors. Their reports are available:
Evolution of the situation
In November we held the last LTS team meeting for 2020 on IRC, with the next one coming up at the end of January.
We announced a new formalized initiative for Funding Debian projects with money from Freexian's LTS service.
Finally, we would like to remark once again that we are constantly looking for new contributors. Please contact Holger if you are interested!
We're also glad to welcome two new sponsors, Moxa, a device manufacturer, and a French research lab (Institut des Sciences Cognitives Marc Jeannerod).
The security tracker currently lists 37 packages with a known CVE and the dla-needed.txt file has 40 packages needing an update.
Thanks to our sponsors
Sponsors that joined recently are in bold.
After an unexpectedly short discussion on debian-project, we're moving forward with this new initiative. The Debian security team submitted a project proposal requesting some improvements to tracker.debian.org, and since nobody of the security team wants to be paid to implement the project, we have opened a request for bids to find someone to implement this on a contractor basis.
If you can code in Python following test-driven development and know the Django framework, feel free to submit a bid! Ideally you have some experience with the security tracker too but that's not a strong requirement.
About the project
If you haven't read the discussion on debian-project, Freexian is putting aside part of the money collected for Debian LTS to use it to fund generic Debian development projects. The goal is two-fold:
First, the LTS work necessarily had an impact on other Debian teams that made the project possible (security team, DSA, buildd, ftpmasters, debian-www mainly) and we wanted to be able to give back to those teams by funding improvements to their infrastructure.
We have always allowed paid contributors to go beyond just preparing security updates for the LTS release. They can pick tasks that improve the LTS project at large (we try to collect such tasks here: https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues) but they should not go over 25% of their allocated monthly hours so this limits their ability to tackle bigger projects and we would like to be able to tackle bigger projects that can have a meaningful impact on the LTS project and/or Debian in general.
We have tried to formalize a process to follow from project submission up to its implementation in this salsa project: https://salsa.debian.org/freexian-team/project-funding https://salsa.debian.org/freexian-team/project-funding/-/blob/master/Rules-LTS.md
We highly encourage the above-mentioned Debian teams to make proposals. A member of those teams can implement the project and be paid for it. Or they can decide to let someone else implement it (we expect some of the paid LTS contributors to be willing to implement such projects), and just play the reviewer role driving the person doing the work in the right direction. Contrary to Google's Summer of Code and other similar projects, we put the focus on the results (and not in recruiting new volunteers), so we expect to work with experienced persons to implement the project. But if the reviewer is happy to be a mentor and spend more time, then it's OK for us too. The reviewer is (usually) not a paid position.
If you're not among those teams, but if you have a project that can have a positive impact on Debian LTS (even if only indirectly in the distant future), feel free to try your chance and to submit a proposal.
Welcome to gambaru.de. Here is my monthly report (+ the first week in December) that covers what I have been doing for Debian. If you're interested in Java, Games and LTS topics, this might be interesting for you.
Debian Games
I updated ufoai, UFO: Alien Invasion, and had to remove its map editor uforadiant because it depends on obsolete GTK 2 libraries. This prevented the removal of the whole game from testing. Upstream is looking for help to port the editor to GTK 3.
ArmagetronAD, a light cycle game, was updated to version 0.2.9.0.1 and then to 0.2.9.1.0. Apparently the developers had some Corona related spare time and fixed various bugs.
I could fix a display error in bastet's highscore list, an ncurses falling block game. (#931550)
At the end of the release cycle I usually update all of my remaining packages which haven't been updated already. Most of the time I check if a package is still Policy compliant with the latest released version of the Debian Policy and I switch to the latest debhelper compatibility level and do some other polishing. This affected the following games: abe, amoebax, late, zangband, brainparty, dangen, and etw.
I also packaged new versions of berusky, a sokoban game, and freeciv, the famous strategy game and
sponsored a bug fix update of whichwayisup for Reiner Herrmann and
did a NMU for fonts-play, patch by Martin Erik Werner, to prevent the removal of Red Eclipse, a first person shooter, from testing.
Debian Java
Similar to games I also update the remaining Java packages at the end of the release cycle with focus on my own packages but also other team maintained packages which haven't seen updates for quite a long time. Hence I touched libjcommon-java, libjemmy2-java, libjfreechart-java, libcsv-java, electric and dbus-java. I dropped dbus-java-bin because it was of little value for users, the tools were not working as intended and buggy. The project itself is no longer actively developed but it appears there is a fork with new updates. As long as the reverse-dependencies of libdbus-java continue to function I don't plan to switch though.
Debian LTS
This was my 57th month as a paid contributor and I have been paid to work 12 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:
DLA-2447-1. Issued a security update for libxstream-java fixing 1 CVE.
Triaged the open CVE in webcit as ignored in line with the latest version in Buster. The package was recently removed from Debian.
Completed the package upgrade of pacemaker. My local tests finished successfully but I will only upload it if I get positive feedback from the users who reported the previous regression. The update would fix all remaining security issues but as with any new version there is a risk of introducing regressions.
Continued the work on ansible.
ELTS
Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 8 "Jessie". This was my 30th month and I have been paid to work 15 hours on ELTS.
ELA-326-1. Issued a security update for libxstream-java fixing 1 CVE.
ELA-329-1. Investigated the eight remaining CVE in jasper. I could fix four CVE. It looks like the rest is either not security relevant or can only be observed when jasper is compiled with ASAN.
Investigated the remaining CVE in phpmyadmin and synced the fixes from Stretch with the released version in Jessie.