• Christos Zaulas wrote a blog post entitled "NetBSD fully reproducible builds" which generated some discussion on Hacker News and was mentioned on DistroWatch.
• Christos also reported that that NetBSD's base system is now 100.0% reproducible in our current test framework. Whilst we do less variations than in Debian here, this is highly commendable.
• Microsoft requires reproducible binaries for signing shim code for secure boot.
• Thanks to Ed Maste, FreeBSD base system reached 99.6% too, after he'd seen the news about NetBSD. This too has been achieved using non-default settings and is to be considered merely as a "hey we can do that too" (though Ed is slightly sad they missed 100%). The real plan is still to achieve 100% reproducibility with default settings.

• #855674 filed against sugar-physics-activity.
• #855909 filed against publicsuffix.

• Chris Lamb (4)

• diffoscope 77 was unblocked by the release team for stretch.
• Mattia Rizzolo uploaded 77~bpo8+1 to jessie-backports.

• Chris Lamb:
  • Drop orphaned binary package instances.
  • Install to /usr/share with dh-virtualenv 1.0
  • Drop Installed-Build-Depends to recover diskspace.

• Holger Levsen:
  • Add link to https://blog.netbsd.org/tnf/entry/netbsd_fully_reproducible_builds

• Ed Maste made the upcoming FreeBSD release almost 100% reproducible (see above).
• Holger Levsen added the number of configured and running builder jobs to the performance stats page.
• Holger Levsen improved the scheduler, so that untested packages and versions are tried sooner.
• Holger added logging for submitting .buildinfo files to buildinfo.debian.net and added notification about this failure.
• Holger also made some minor improvements to the generated HTML.

(autoload 'qsoas-mode "$HOME/Prog/QSoas/misc/qsoas-mode.el" nil t)
(add-to-list 'auto-mode-alist '("\\.cmds$" . qsoas-mode))

• I improved apktool s wrapper script and replaced 1.apk with a symlink to the already existing framework-res.apk file. (#827646)
• For Kai-Chung I sponsored new upstream releases of android-platform-external-jsilver, android-platform-frameworks-data-binding and android-platform-libcore.
• I fixed two FTBFS bugs in android-platform-tools-base which were caused by a new upstream version of libhttpcore-java and a behavioral change in Gradle.
• I packaged a new upstream release of libsmali-java.

• This month GCC-6 bugs became release critical. I fixed and triaged those kind of bugs in games like supertransball2, berusky2, freeorion, bloboats, armagetronad and megaglest.
• I packaged new upstream releases of scorched3d, bzflag, spring, springlobby, freeorion, freeciv and extremetuxracer.
• Freeciv, one of the best strategy games ever by the way, also got a new binary package freeciv-client-gtk3. This package will eventually become the new default client to play the game in the future. You are welcome to test it.
• I packaged a new upstream release of adonthell and adonthell-data. This game is built with Python 3 and SDL 2 now and also uses the latest version of swig to generate its sources. We will probably see only one other future upstream release of adonthell because the main developer has decided to move on after more than 15 years of development.
• I fixed another RC bug in minetest, updated whichwayisup for this release cycle and moved the package to Git.

• My work in the Java Team this month was basically divided into two parts. I started with fixing RC bugs in httpcomponents-asyncclient, httpcomponents-client, libnb-platform18-java, jackrabbit, openjpa, libphonenumber (another GCC-6 RC-bug), osgi-compendium, commons-javaflow, apache-curator, assertj-core and avro-java.
• The second part revolved around jflex, a lexical analyzer generator for Java. Due to my work with gradle-jflex-plugin and libsmali-java, jflex got my attention and since it hasn t been updated in the last seven years, I felt that I had to do it now because it s always good being up-to-date. As usual in the Java world if you touch one package then you are almost always doomed to work on several follow up patches and updates. Of course the new upstream release of jflex broke several packages, so I fixed FTBFS bugs in gradle-jflex-plugin, libsmali-java, qdox, qdox2, cup and jhighlight.
• Rather relaxing was updating libcodesize-java for this release cycle and packaging a new upstream release of activemq.
• I sponsored jacoco for Kai-Chung.

• DLA-554-1. I spent most of the time this month on completing my work on libarchive. I issued DLA-554-1 and fixed 18 CVE plus another issue which was later assigned CVE-2016-6250.
• DLA-555-1. Issued a security update for python-django fixing 1 CVE.
• DLA-561-1. Issued a security update for uclibc fixing 3 CVE.
• DLA-562-1. Issued a security update for gosa fixing 1 CVE. I could triage another open CVE as not-affected after confirming that the issue had already been fixed two years ago.
• DLA-568-1. Issued a security update for wordpress fixing 6 CVE. I decided to go ahead with this update because I could not find any regressions. Unfortunately this wasn t true for my intended fix for CVE-2015-8834. The database upgrade did not succeed hence I decided to postpone the fix for CVE-2015-8834 until we can narrow down the issue.
• DLA-576-1. Issued a security update for libdbd-mysql-perl fixing 2 CVE.
• From 04. July to 10. July I was in charge of our LTS frontdesk. I triaged CVEs in librsvg, bind9, trn, pdns and drupal7 and answered questions on the debian-lts mailing list.

• I fixed another GCC-6 bug in wbar, a light and fast launch bar.
• Childsplay and gvrng were orphaned last month. I updated both of them, fixed the RC-bug in childsplay (non-free font) and moved the packages to the Debian QA Group.

• Presented "Reproducible Builds status update" at DebConf16, the annual Debian GNU/Linux developer conference.
• Attended a Core Infrastricture Initiative summit meeting. The CII was set up in the wake of the Heartbleed SSL vulnerability to support software projects that are critical to the functioning of the internet.

• Ensured that the Webconverger web kiosk operating system builds reproducibly. I may rework some of the patches to libisoburn and libisofs before sending them upstream. This work was sponsored by Webconverger.
• Proposed a pull request for Regex Replace (a Chrome extension to automatically replace text on webpages) to ensure that the rules were correctly HTML encoded on the options page. (#3)
• Proposed a change to ronn, a documentation generator that "is the opposite of roff", to make the output reproducible. (#98)
• Fixed an issue in django-enumfield, a custom Django web development field for type-safe named constants, to make the Enum.get interface more consistent. (#36)
• Proposed a change to txt2tags to make the output use SOURCE_DATE_EPOCH and non-timezone timestamps. (#204).

• Modified LetsEncrypt's "certbot" tool (previously the Let's Encrypt Client) to ensure that the documentation is built reproducibly. The issue was that a Python default keyword argument was non-deterministic and was appearing in documentation with the function's definition. (#3005)
• Sent a pull request to Mailvelope, a browser extension for GPG/OpenPGP encryption with webmail services, to ensure that passphrase field is cleared when entered incorrectly. (#385)
• Proposed an optional addition to django-enumfield, a custom Django web development field for type-safe named constants, that automatically enumerations to the template context to save DRY violations in views, etc. (#33)
• Fixed an issue in the cdist configuration management's build system to ensure that the documentation builds reproducibly. It was previously including various documentation sections non-deterministically depending on the filesystem ordering. (#437)
• Various improvements to django-slack, my library to easily post messages to the Slack group-messaging utility from projects using the Django web development framework:
  • Raise more specific exception types (instead of the more generic ValueError) wherever possible so that clients can detect specific error conditions. (#45)
  • Pass through arbitrary Python keyword arguments to the backend, allowing custom behaviour for special case. (#46)
  • Ensure that the backend result is returned by the Celery distributed task queue wrapper. (#47)
• Updated my Strava Enhancement Suite, a Chrome extension that improves and fixes annoyances in the web interface of the Strava cycling and running tracker, to hide more internal advertisements. (#49)
• Sent a pull request to the build system for gtk-gnutella (a server/client for the Gnutella peer-to-peer network) to ensure the build is reproducible if the SOURCE_DATE_EPOCH environment variable is available. (#17)
• Updated the SSL certificate for try.diffoscope.org, a hosted version of the diffoscope in-depth and content-aware diff utility. Thanks to Bytemark for sponsoring the hardware.

Browsing Protection The main part of the Safe Browsing system is the one that watches for bad URLs as you're browsing. Browsing protection currently protects users from:

• malware sites,
• deceptive sites (including phishing and social engineering sites), and
• sites hosting potentially unwanted software.

If a Firefox user attempts to visit one of these sites, a warning page will show up instead, which you can see for yourself here:

• fake malware page
• fake unwanted software page
• fake phishing page

The first two warnings can be toggled using the browser.safebrowsing.malware.enabled preference (in about:config) whereas the last one is controlled by browser.safebrowsing.enabled.

List updates It would be too slow (and privacy-invasive) to contact a trusted server every time the browser wants to establish a connection with a web server. Instead, Firefox downloads a list of bad URLs every 30 minutes from the server (browser.safebrowsing.provider.google.updateURL) and does a lookup against its local database before displaying a page to the user. Downloading the entire list of sites flagged by Safe Browsing would be impractical due to its size so the following transformations are applied:

1. each URL on the list is canonicalized,
2. then hashed,
3. of which only the first 32 bits of the hash are kept.

The lists that are requested from the Safe Browsing server and used to flag pages as malware/unwanted or phishing can be found in urlclassifier.malwareTable and urlclassifier.phishTable respectively. If you want to see some debugging information in your terminal while Firefox is downloading updated lists, turn on browser.safebrowsing.debug. Once downloaded, the lists can be found in the cache directory:

• ~/.cache/mozilla/firefox/XXXX/safebrowsing/ on Linux
• ~/Library/Caches/Firefox/Profiles/XXXX/safebrowsing/ on Mac
• C:\Users\XXXX\AppData\Local\mozilla\firefox\profiles\XXXX\safebrowsing\ on Windows

Resolving partial hash conflicts Because the Safe Browsing database only contains partial hashes, it is possible for a safe page to share the same 32-bit hash prefix as a bad page. Therefore when a URL matches the local list, the browser needs to know whether or not the rest of the hash matches the entry on the Safe Browsing list. In order resolve such conflicts, Firefox requests from the Safe Browsing server (browser.safebrowsing.provider.mozilla.gethashURL) all of the hashes that start with the affected 32-bit prefix and adds these full-length hashes to its local database. Turn on browser.safebrowsing.debug to see some debugging information on the terminal while these "completion" requests are made. If the current URL doesn't match any of these full hashes, the load proceeds as normal. If it does match one of them, a warning interstitial page is shown and the load is canceled.

Download Protection The second part of the Safe Browsing system protects users against malicious downloads. It was launched in 2011, implemented in Firefox 31 on Windows and enabled in Firefox 39 on Mac and Linux. It roughly works like this:

1. Download the file.
2. Check the main URL, referrer and redirect chain against a local blocklist (urlclassifier.downloadBlockTable) and block the download in case of a match.
3. On Windows, if the binary is signed, check the signature against a local whitelist (urlclassifier.downloadAllowTable) of known good publishers and release the download if a match is found.
4. If the file is not a binary file then release the download.
5. Otherwise, send the binary file's metadata to the remote application reputation server (browser.safebrowsing.downloads.remote.url) and block the download if the server indicates that the file isn't safe.

Blocked downloads can be unblocked by right-clicking on them in the download manager and selecting "Unblock". While the download protection feature is automatically disabled when malware protection (browser.safebrowsing.malware.enabled) is turned off, it can also be disabled independently via the browser.safebrowsing.downloads.enabled preference. Note that Step 5 is the only point at which any information about the download is shared with Google. That remote lookup can be suppressed via the browser.safebrowsing.downloads.remote.enabled preference for those users concerned about sending that metadata to a third party.

Types of malware The original application reputation service would protect users against "dangerous" downloads, but it has recently been expanded to also warn users about unwanted software as well as software that's not commonly downloaded. These various warnings can be turned on and off in Firefox through the following preferences:

• browser.safebrowsing.downloads.remote.block_dangerous
• browser.safebrowsing.downloads.remote.block_dangerous_host
• browser.safebrowsing.downloads.remote.block_potentially_unwanted
• browser.safebrowsing.downloads.remote.block_uncommon

and tested using Google's test page. If you want to see how often each "verdict" is returned by the server, you can have a look at the telemetry results for Firefox Beta.

Privacy One of the most persistent misunderstandings about Safe Browsing is the idea that the browser needs to send all visited URLs to Google in order to verify whether or not they are safe. While this was an option in version 1 of the Safe Browsing protocol (as disclosed in their privacy policy at the time), support for this "enhanced mode" was removed in Firefox 3 and the version 1 server was decommissioned in late 2011 in favor of version 2 of the Safe Browsing API which doesn't offer this type of real-time lookup. Google explicitly states that the information collected as part of operating the Safe Browsing service "is only used to flag malicious activity and is never used anywhere else at Google" and that "Safe Browsing requests won't be associated with your Google Account". In addition, Firefox adds a few privacy protections:

• Query string parameters are stripped from URLs we check as part of the download protection feature.
• Cookies set by the Safe Browsing servers to protect the service from abuse are stored in a separate cookie jar so that they are not mixed with regular browsing/session cookies.
• When requesting complete hashes for a 32-bit prefix, Firefox throws in a number of extra "noise" entries to obfuscate the original URL further.

On balance, we believe that most users will want to keep Safe Browsing enabled, but we also make it easy for users with particular needs to turn it off.

Learn More If you want to learn more about how Safe Browsing works in Firefox, you can find all of the technical details on the Safe Browsing and Application Reputation pages of the Mozilla wiki or you can ask questions on our mailing list. Google provides some interesting statistics about what their systems detect in their transparency report and offers a tool to find out why a particular page has been blocked. Some information on how phishing sites are detected is also available on the Google Security blog, but for more detailed information about all parts of the Safe Browsing system, see the following papers:

• All Your IFrames Are Belong to Us
• Content-Agnostic Malware Protection
• Ghost in the Browser

• Various improvements to django-slack, a library to easily post messages to the Slack group-messaging utility from projects using the Django web development framework:
  • Added explicit support to send messages asynchronously via the Celery distributed task queue. (#29)
  • Worked with Patrick Clope to add an escapeslack template filter to ensure the correct characters for Slack's API are escaped using Django's built-in safe is too invasive. (#36)
  • Corrected an issue where custom endpoints and channel names were incompatible. (#27)
  • Overhaul of the field/option/block parsing. (49ff3c4)
  • Moved away from using a django.template.Context instance, preventing a deprecation warning. (#31)
• Added a create-folders subcommand to my tickle-me-email Getting Things Done (GTD) email toolbox to create numbered folders for the rotate "tickler" functionality. (#3)
• Wrote and released a Django template tag to collapse multiple whitespace/newline characters in order to correctly format, for example, plaintext emails that make extensive use of for-loops. These would normally require careful and fragile placement of the % for .. % and % endfor % tags. (Repo)
• Pushed a number of updates to my Strava Enhancement Suite, a Chrome extension that improves and fixes annoyances in the web interface of the Strava cycling and running tracker:
  • Fix unit conversion where the element was wrapped in an another HTML element. (#48)
  • Hide premium indicator from top-level navigation. (#45)
  • Correct matching of the "shop" link in top-level navigation and footer module. (#47 & #46)
  • Remove "premium" pages on Club pages. (#44)
• Added a security-oriented warning to Ansible's documentation regarding the behaviour if an UFW firewall application profile is added and subsequently removed. (#1740)
• Added support to my django-staticfiles-dotd "staticfiles" library which concatenates Javascript and CSS files from .d-style directories to support an arbitrary file rendering method. This allows the use of media pre-processors such as SASS within such directories. (#1)
• Corrected my Chrome extension for the FastMail web interface to correctly hook into the internal "send" mechanism. (#2)
• Moved my stravabot IRC bot to use dh-virtualenv and systemd, improving security and reliability. (1c48709)
• Updated django-pedantic-http-methods a tool to raise an exception during development when attempting to perform side effects in GET and HEAD HTTP methods to support the latest version of Django. (#1)

• Changed Django's project/app templates to use a py-tpl suffix to workaround the 1.9 release series shipping invalid .py files that are used as templates. (#5735)
• Pushed a number of updates to my Strava Enhancement Suite Chrome extension:
  • Added the ability to sort starred segments first. (#42)
  • Added an option to display hidden segments by default. (#34)
  • Also hide "Yearly Goals" as part of hiding upcoming data. (#41)
  • Removed more "premium" badges. (#43)
  • Fixed an issue where removing feed entries didn't correctly cleanup subsequently-empty date headers. (commit)
• Released a work-in-progress django.contrib.staticfiles library to recursively transparently concatenate Javascript and CSS files using "Debian-style" .d directories. I had previously been doing this manually via the various release processes and bespoke views during development as the idea pre-dated the existence of the staticfiles framework. (Repo)
• Updated travis.debian.net, a hosted script to easily test and build Debian packages on Travis CI, to support the wheezy distribution and to improve error-handling in general. (Repo)
• Ensured that try.diffoscope.org, a hosted version of the diffoscope in-depth and content aware diff utility, periodically cleans up containers.
• Moved my personal music library to use dh-virtualenv and to deploy to its own server via Ansible. I also updated the codebase to the latest version of Django at the same time, taking advantage of a large number of new features and recommendations.
• Fixed a strange issue with empty IMAP messages in my tickle-me-email GTD email toolbox.
• It was also a month of significant bug reports and feature requests being sent to my private email.

There are four gunmen outside of my hotel. They are armed with automatic rifles and pistols. I am scared for my life having sneaked past them inside. Everyone else is acting as if everything is normal. Nobody is scared or running for cover. Nobody called the police. I've asked the reception to talk to the gunmen and ask them to leave. They looked at me as if I am mad. Maybe I am. Is this what shizophrenia feels like?! Can you see them on the picture?! Please help. There are four gunmen outside of my hotel. I am not in central Beirut, I am in central Brussels.

[...]
I wonder if there are any active members of the Debian linux-ha team.
[...]

• pacemaker: https://tracker.debian.org/pkg/pacemaker
• corosync: https://tracker.debian.org/pkg/corosync

# arndale
7004:telnet:0:'/dev/serial/by-path/pci-0000:00:1d.0-usb-0:1.8.1:1.0-port0':115200 8DATABITS NONE 1STOPBIT
# cubox
7005:telnet:0:/dev/serial/by-id/usb-Prolific_Technology_Inc._USB-Serial_Controller_D-if00-port0:115200 8DATABITS NONE 1STOPBIT
# sonic-screwdriver
7006:telnet:0:/dev/serial/by-id/usb-FTDI_FT230X_96Boards_Console_DAZ0KA02-if00-port0:115200 8DATABITS NONE 1STOPBIT

# Local services
arndale            7004/tcp
cubox              7005/tcp
sonic-screwdriver  7006/tcp

telnet localhost sonic-screwdriver

• Try to catch up with Debian Contributors development/news, adopt some data source (www.debian.org?), try to create some new data source (about translators, for example).
• Clean spam in the archive lists (now that I am DD I may help in not only Mark as spam , but actually remove the spam from the archive)
• Help in the review/updates of the Debian website (ongoing: /users; future: children-distros/derivatives, /partners).
• Try to get more involved in the Debian i18n team, at least in the part of internationalizing the Debian infrastructure (make translatable via PO files/templates many texts that used repetitively in the Debian website, for example) and in welcoming new members in translation teams or helping the weak ones (although I don t know many languages, the workflow and tools are common, so I think I could help new translators at least to get hands on the matter).
• Maybe some short screencasts/videos about the Debian infrastructure, for newcomers? (mailing lists, IRC, wiki, Alioth )

• Barry Warsaw uploaded wheel/0.26.0-1 which now uses SOURCE_DATE_EPOCH instead of WHEEL_FORCE_TIMESTAMP and uses time.gmtime() to avoid timezone issues. Patches by Chris Lamb and Reiner Herrmann.

• httpcomponents-client/4.5.1-1 by Emmanuel Bourg.
• jhead/1:3.00-2 by Ludovic Rousseau.
• libvigraimpex/1.10.0+dfsg-10 by Daniel Stender.
• linux/4.2-1~exp1 by Ben Hutchings.
• maelstrom/1.4.3-L3.0.6+main-7 by Santiago Vila.
• nedit/1:5.6a-3 by Paul Gevers.
• pitivi/0.94-4 by Sebastian Dr ge, reported by Scott Kitterman.
• procenv/0.40-2 by James Hunt.
• seyon/2.20c-32 by Santiago Vila.
• slib/3b1-5 by Santiago Vila.
• spock/0.7-groovy-2.0-1 by Emmanuel Bourg.
• u-boot/2015.10~rc4+dfsg1-1 by Vagrant Cascadian.
• vdr-plugin-remote/0.7.0-1 by Tobias Grimm.

• dutch/1:2.10-4 uploaded by Thijs Kinkhorst, original patch by Chris Lamb.

• #800776 on cluster-glue: exports SOURCE_DATE_EPOCH in debian/rules.