Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In November, 114.50 work hours have been dispatched among 8 paid contributors. Their reports are available:

• Ben Hutchings did 5 hours only (out of 15 hours allocated + 5 extra hours remaining, meaning that he has 15 extra hours to do over December).
• Chris Lamb did 13 hours (12h allocated + 1h remaining).
• Guido G nther did 10 hours (out of 8 hours allocated + 4 remaining, thus keeping 2 extra hours for December).
• Mike Gabriel did 6.5 hours only (out of 8 hours allocated + 8 hours remaining, the 9.5 unused extra hours have been dispatched to others for December).
• Rapha l Hertzog did 21.25 hours.
• Santiago Ruano Rinc n did 19 hours (out of 21h allocated, thus keeping 2 extra hours for December).
• Scott Kitterman did 8 hours.
• Thorsten Alteholz did 21.25 hours.

Evolution of the situation We lost one hour of funding for December due to a sponsor not renewing, and we don t have any new sponsor lined up right now. There s another sponsor who will reduce his sponsorship starting with 2016. While the situation is relatively healthy right now, we should continue the efforts to find new sponsors, both to ensure we can cover more software in wheezy and to better share the costs: having many small sponsors is more resilient than relying on a few big ones. And we still haven t reached our second goal of funding the equivalent of a full-time position. In terms of security updates waiting to be handled, the situation is close to last month: the dla-needed.txt file lists 19 packages awaiting an update (2 less than last month), the list of open vulnerabilities in Squeeze shows about 22 affected packages in total (1 less than last month). Thanks to our sponsors The new sponsors are in bold.

• Platinum sponsors:
• TOSHIBA
• Gold sponsors:
• The Positive Internet (for 18 months already)
• Blablacar (for 17 months already)
• Linode LLC (for 7 months already)
• Silver sponsors:
• David Ayers IntarS Austria (for 18 months already)
• Domeneshop AS (for 17 months already)
• Universit Lille 3 (for 17 months already)
• Trollweb Solutions (for 15 months already)
• Gandi SAS (for 12 months already)
• University of Luxembourg (for 9 months already)
• Rentabiliweb Group (for 7 months already)
• Univention GmbH (for 3 months already)
• Universit Jean Monnet de St Etienne (for 3 months already)
• Bronze sponsors:
• Offensive Security (for 18 months already)
• Seznam.cz, a.s. (for 18 months already)
• Evolix (for 17 months already)
• Freeside Internet Service (for 17 months already)
• MyTux (for 17 months already)
• Linuxhotel GmbH (for 15 months already)
• Intevation GmbH (for 14 months already)
• Daevel SARL (for 13 months already)
• Bitfolk LTD (for 12 months already)
• Megaspace Internet Services GmbH (for 12 months already)
• Gree, Inc. (for 11 months already)
• Greenbone Networks GmbH (for 11 months already)
• NUMLOG (for 11 months already)
• WinGo AG (for 10 months already)
• Ecole Centrale de Nantes LHEEA (for 6 months already)
• Sig-I/O (for 4 months already)
• Entr ouvert

No comment Liked this article? Click here. My blog is Flattr-enabled.

This was my seventh month as a Freexian sponsored LTS contributor. I was assigned 8 hours for the month of November. As I did last month, I worked on review and testing of the proposed MySQL 5.5 packages for squeeze-lts and did a bit more work on Quassel. It has been suggested that maybe we ought to just EOL Quassel since backporting the necessary fixes is so complicated. I think they may be right, but I haven t quite given up yet. I reviewed CVE-2015-6360 for SRTP and my assessment was that squeeze-lts was not affected (same for the other Debian releases while I was at it). I published one security update, it was for libphp-snoopy. This resolves the outstanding security issues by updating to the newest version as was done for all other Debian releases. Finally, in the interest of getting better support in tools for Debian LTS, I came up with a patch for the pull-debian-source[1] script in ubuntu-dev-tools so that it will download Debian LTS packages correctly. Although it took a bit of investigating, the patch turned out to be very simple. I filed bug #806749. I also started looking at the distro-info package (thinking I d need it updated to fix pull-debian-source, which turned out not to be the case), but didn t finish it yet. I plan to work on that this month. [1] Even though this is in ubuntu-dev-tools and not devscripts, there s really nothing Ubuntu specific about it.

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In September, 85.50 work hours have been dispatched among 8 paid contributors. Their reports are available:

• Ben Hutchings did 14 hours (13.5h allocated, thus only catching up 0.5 hours out of the 5.5 extra hours he had left from former month).
• Chris Lamb did 11 hours (12h allocated, he will catch up later).
• Guido G nther did 4 hours (out of 8 hours allocated, thus keeping 4 extra hours for November).
• Mike Gabriel did nothing (out of 8 hours allocated, he will catch up in November).
• Rapha l Hertzog did 13.25 hours.
• Santiago Ruano Rinc n did 13.5 hours.
• Scott Kitterman did 8 hours (4 hours allocated and 4 hours remaining from September)
• Thorsten Alteholz did 13.25 hours.

Evolution of the situation November crossed a new record with 114.5 hours funded. This is mainly thanks to our first Platinum sponsor: TOSHIBA (through Toshiba Software Development Vietnam). They don t know yet if they can sponsor us in the long term (they hope so), but it s still a nice news as we jumped from 50% to 65% of the objective of the equivalent of a full-time position with a single new sponsor. Currently no change is expected for next month as we don t have any other new sponsor in the process of joining us. We still need more support to be able to support all the packages we could not afford to support during the squeeze cycle. We are currently discussing which package we can or cannot support on the LTS list, see the thread Unsupported packages for Wheezy LTS for the current situation. In terms of security updates waiting to be handled, the situation is close to last month: the dla-needed.txt file lists 21 packages awaiting an update (6 more than last month), the list of open vulnerabilities in Squeeze shows about 23 affected packages in total (exactly like last month). Thanks to our sponsors The new sponsors are in bold.

• Platinum sponsors:
• TOSHIBA
• Gold sponsors:
• The Positive Internet (for 17 months already)
• Blablacar (for 16 months already)
• Linode LLC (for 6 months already)
• Silver sponsors:
• David Ayers IntarS Austria (for 17 months already)
• Domeneshop AS (for 16 months already)
• Universit Lille 3 (for 16 months already)
• Trollweb Solutions (for 14 months already)
• Gandi SAS (for 11 months already)
• University of Luxembourg (for 8 months already)
• Rentabiliweb Group (for 6 months already)
• Univention GmbH
• Universit Jean Monnet de St Etienne
• Bronze sponsors:
• Offensive Security (for 17 months already)
• Seznam.cz, a.s. (for 17 months already)
• Evolix (for 16 months already)
• Freeside Internet Service (for 16 months already)
• MyTux (for 16 months already)
• Linuxhotel GmbH (for 14 months already)
• Intevation GmbH (for 13 months already)
• Daevel SARL (for 12 months already)
• Bitfolk LTD (for 11 months already)
• Megaspace Internet Services GmbH (for 11 months already)
• Gree, Inc. (for 10 months already)
• Greenbone Networks GmbH (for 10 months already)
• NUMLOG (for 10 months already)
• WinGo AG (for 9 months already)
• Ecole Centrale de Nantes LHEEA (for 5 months already)
• Sig-I/O (for 3 months already)
• Entr ouvert

No comment Liked this article? Click here. My blog is Flattr-enabled.

This was my sixth month as a Freexian sponsored LTS contributor. I was assigned 4 hours for the month of October and I had 4 unused hours from September for a total of 8. With that time I started working on backporting security fixes for Quassel, but it s turned into a major project. The commit message for one of the commits between what s in squeeze-lts and what I was trying to backport is Reformat ALL the source! . That s never a good sign. I set that aside and focused instead on reviewing the MySQL 5.5 packages that the LTS team is working on. They are getting there, but we need to make sure we have it all right as we don t want to break existing installations. This month I hope to continue the work on both these packages.

What happened in the reproducible builds effort this week: Toolchain fixes

• Scott Kitterman uploaded python3-defaults/3.4.3-7 which changes py3versions to list versions in a consistent order. Issue reported by Santiago Vila with a tentative patch by Chris Lamb. Sadly, it appears the problem is not entirely solved.
• Martin Pitt uploaded init-system-helpers/1.24 which makes the order of unit files in maintainer scripts stable. Original patch by Reiner Herrmann.
• Niko Tyni uploaded libextutils-xsbuilder-perl/0.28-3 which makes the generated XS code reproducible.

Niko Tyni wrote a new patch adding support for SOURCE_DATE_EPOCH in Pod::Man. This would complement or replace the previously implemented POD_MAN_DATE environment variable in a more generic way. Niko Tyni proposed a fix to prevent mtime variation in directories due to debhelper usage of cp --parents -p. Packages fixed The following 119 packages became reproducible due to changes in their build dependencies: aac-tactics, aafigure, apgdiff, bin-prot, boxbackup, calendar, camlmix, cconv, cdist, cl-asdf, cli-common, cluster-glue, cppo, cvs, esdl, ess, faucc, fauhdlc, fbcat, flex-old, freetennis, ftgl, gap, ghc, git-cola, globus-authz-callout-error, globus-authz, globus-callout, globus-common, globus-ftp-client, globus-ftp-control, globus-gass-cache, globus-gass-copy, globus-gass-transfer, globus-gram-client, globus-gram-job-manager-callout-error, globus-gram-protocol, globus-gridmap-callout-error, globus-gsi-callback, globus-gsi-cert-utils, globus-gsi-credential, globus-gsi-openssl-error, globus-gsi-proxy-core, globus-gsi-proxy-ssl, globus-gsi-sysconfig, globus-gss-assist, globus-gssapi-error, globus-gssapi-gsi, globus-net-manager, globus-openssl-module, globus-rsl, globus-scheduler-event-generator, globus-xio-gridftp-driver, globus-xio-gsi-driver, globus-xio, gnome-control-center, grml2usb, grub, guilt, hgview, htmlcxx, hwloc, imms, kde-l10n, keystone, kimwitu++, kimwitu-doc, kmod, krb5, laby, ledger, libcrypto++, libopendbx, libsyncml, libwps, lprng-doc, madwimax, maria, mediawiki-math, menhir, misery, monotone-viz, morse, mpfr4, obus, ocaml-csv, ocaml-reins, ocamldsort, ocp-indent, openscenegraph, opensp, optcomp, opus, otags, pa-bench, pa-ounit, pa-test, parmap, pcaputils, perl-cross-debian, prooftree, pyfits, pywavelets, pywbem, rpy, signify, siscone, swtchart, tipa, typerep, tyxml, unison2.32.52, unison2.40.102, unison, uuidm, variantslib, zipios++, zlibc, zope-maildrophost. The following packages became reproducible after getting fixed:

• autoconf2.13/2.13-67 uploaded by Ben Pfaff, original patch by Santiago Vila.
• ding/1.8-3 by Roland Rosenfeld.
• dropbear/2015.68-1 by Guilhem Moulin. First set of patches (#777324, #793006) by Chris Lamb and akira.
• nvram-wakeup/1.1-3 by Tobias Grimm.
• original-awk/2012-12-20-5 by Santiago Vila.
• resiprocate/1:1.10.0-1 uploaded by Daniel Pocock, patch by Reiner Herrmann merged upstream.
• sbuild/0.66.0-5 by Johannes Schauer, reported by Jakub Wilk.
• scribus/1.4.5+dfsg1-4 by Mattia Rizzolo.
• sgmltools-lite/3.0.3.0.cvs.20010909-19 by Santiago Vila.
• unicode-data/8.0-2 uploaded by Alastair McKinstry, original patch by Esa Peuha.
• xmoto/0.5.11+dfsg-3 by Stephen Kitt.

Packages which could not be tested:

• mp4h/1.3.1-11 by Axel Beckert (shared memory issue on reproducible.debian.net).
• nvidia-graphics-drivers-legacy-304xx/304.128-5 by Andreas Beckmann (non-free).

Some uploads fixed some reproducibility issues but not all of them:

• libvirt/1.2.20-1 by Guido G nther.
• libgpars-groovy-java/1.2.1-4 by Emmanuel Bourg.

Patches submitted which have not made their way to the archive yet:

• #801520 on libapache2-mod-perl2 by Niko Tyni: sort the list of files used to build the documentation.
• #801523 on perl by Niko Tyni: sort the list of input files in PPPort_xs.PL. Forwarded upstream.
• #801864 on ncurses by Esa Peuha: use C locale when sorting the list of keys.
• #802042 on libchado-perl by Niko Tyni: sort keys in installed configuration file.

Lunar reported that test strings depend on default character encoding of the build system in ongl. reproducible.debian.net The 189 packages composing the Arch Linux core repository are now being tested. No packages are currently reproducible, but most of the time the difference is limited to metadata. This has already gained some interest in the Arch Linux community. An explicit log message is now visible when a build has been killed due to the 12 hours timeout. (h01ger) Remote build setup has been made more robust and self maintenance has been further improved. (h01ger) The minimum age for rescheduling of already tested amd64 packages has been lowered from 14 to 7 days, thanks to the increase of hardware resources sponsored by ProfitBricks last week. (h01ger) diffoscope development diffoscope version 37 has been released on October 15th. It adds support for two new file formats (CBFS images and Debian .dsc files). After proposing the required changes to TLSH, fuzzy hashes are now computed incrementally. This will avoid reading entire files in memory which caused problems for large packages. New tests have been added for the command-line interface. More character encoding issues have been fixed. Malformed md5sums will now be compared as binary files instead of making diffoscope crash amongst several other minor fixes. Version 38 was released two days later to fix the versioned dependency on python3-tlsh. strip-nondeterminism development strip-nondeterminism version 0.013-1 has been uploaded to the archive. It fixes an issue with nonconformant PNG files with trailing garbage reported by Roland Rosenfeld. disorderfs development disorderfs version 0.4.1-1 is a stop-gap release that will disable lock propagation, unless --share-locks=yes is specified, as it still is affected by unidentified issues. Documentation update Lunar has been busy creating a proper website for reproducible-builds.org that would be a common location for news, documentation, and tools for all free software projects working on reproducible builds. It's not yet ready to be published, but it's surely getting there. Package reviews 103 reviews have been removed, 394 added and 29 updated this week. 72 FTBFS issues were reported by Chris West and Niko Tyni. New issues: random_order_in_static_libraries, random_order_in_md5sums.

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In September, 71.50 work hours have been dispatched among 7 paid contributors. Their reports are available:

• Ben Hutchings did 9 hours (out of the 14.5 hours that he had allocated, he will catch up in October).
• Guido G nther did 8 hours.
• Mike Gabriel did 16 hours (8 assigned + 8 remaining from month before).
• Rapha l Hertzog did 8 hours.
• Santiago Ruano Rinc n did 14.5 hours.
• Scott Kitterman did nothing out of the 4 hours allocated. He will catch up in October.
• Thorsten Alteholz did 14.50 hours.

Evolution of the situation October is back to the highest level of funding with 85.5 hours funded. The late sponsors have all caught up now. And next month will again rise to a new record with multiple sponsors having joined up. So far we already have two new silver sponsors (Universit Jean Monnet de Saint- tienne and Univention GmbH) and a new bronze sponsor (Entr ouvert). Many thanks to them! With those sponsors we crossed the 50% mark that was our first objective. \o/ But we still need more support to reach our second goal of funding the equivalent of a full time position. That said the increased level of support already allows us to do a better job in some areas that have been neglected : I asked the paid contributors to work towards providing mysql-5.5 in squeeze since version 5.1 is no longer supported by Oracle. We need beta testers to test the upgrade, see this message on the mailling list. In terms of security updates waiting to be handled, the situation is close to last month: the dla-needed.txt file lists 15 packages awaiting an update (3 less than last month), the list of open vulnerabilities in Squeeze shows about 23 affected packages in total (7 less than last month). Thanks to our sponsors The new sponsors are in bold.

• Gold sponsors:
• The Positive Internet (for 16 months already)
• Blablacar (for 15 months already)
• Linode LLC (for 5 months already)
• Silver sponsors:
• David Ayers IntarS Austria (for 16 months already)
• Domeneshop AS (for 15 months already)
• Universit Lille 3 (for 15 months already)
• Trollweb Solutions (for 13 months already)
• Gandi SAS (for 10 months already)
• University of Luxembourg (for 7 months already)
• Rentabiliweb Group (for 5 months already)
• Univention GmbH
• Universit Jean Monnet de St Etienne
• Bronze sponsors:
• Offensive Security (for 16 months already)
• Seznam.cz, a.s. (for 16 months already)
• Evolix (for 15 months already)
• Freeside Internet Service (for 15 months already)
• MyTux (for 15 months already)
• Linuxhotel GmbH (for 13 months already)
• Intevation GmbH (for 12 months already)
• Daevel SARL (for 11 months already)
• FOSSter (for 11 months already)
• Bitfolk LTD (for 10 months already)
• Megaspace Internet Services GmbH (for 10 months already)
• Gree, Inc. (for 9 months already)
• Greenbone Networks GmbH (for 9 months already)
• NUMLOG (for 9 months already)
• WinGo AG (for 8 months already)
• Ecole Centrale de Nantes LHEEA (for 5 months already)
• Sig-I/O
• Entr ouvert

No comment Liked this article? Click here. My blog is Flattr-enabled.

What happened in the reproducible builds effort this week: Toolchain fixes

• Niels Thykier uploaded debhelper/9.20151004 which exports SOURCE_DATE_EPOCH when running dh_auto_* (patch by Dhole). dh now also calls dh_strip_nondeterminism during build (patch by Andrew Ayer). The only remaining change regarding reproducibility in the custom debhelper is related to mtimes in data.tar which might be fixed directly in dpkg instead.
• Niels Thykier made another upload of debhelper/9.20151005 the next day to sort Build IDs added by dh_strip in control files.

Scott Kitterman fixed an issue with non-deterministic Depends generated by dh-python identified by Santiago Vila and Chris Lamb. Lunar updated the patch against dpkg which makes the order of files in control.tar.gz deterministic using the new --sort=name option available in GNU Tar 1.28. josch released sbuild version 0.66.0-1 with several fixes and improvements. The most notable one for reproducible builds is the new --build-path option and $build_path configuration variable added by akira which allows to explicitly chose a given build path. Reiner Herrmann wrote a new patch for dh-systemd to sort the list of unit files in the generated maintainer scripts. Packages fixed The following packages became reproducible due to changes in their build dependencies: aoeui, apron, camlmix, cudf, findlib, glpk-java, hawtjni, haxe, java-atk-wrapper, llvm-py, misery, mtasc, ocamldsort, optcomp, spamoracle. The following packages became reproducible after getting fixed:

• classified-ads/0.08-1 uploaded by Antti J rvinen, fix merged upstream, original patch by Reiner Herrmann.
• criu/1.7-3 uploaded by Salvatore Bonaccorso, original patch by Chris Lamb.
• doomsday/1.15.4-1 by Michael Gilbert.
• ejabberd/15.07-1~exp1 by Philipp Huebner.
• libxbean-java/4.4-1 by Emmanuel Bourg.
• markdown/1.0.1-8 uploaded by Matt Kraai, original patches by Chris Lamb (#776925) and akira (#793701).
• nedit/1:5.6a-3 by Paul Gevers.
• nvidia-settings/340.93-1 uploaded by Andreas Beckmann, original patch by Lunar.
• ocaml/4.02.3-2 by St phane Glondu.
• polygen/1.0.6.ds2-14 uploaded by Mehdi Dogguy, original patch by Chris Lamb.
• stsci.distutils/0.3.7-4 by Aurelien Jarno.
• vdr/2.2.0-4 by Tobias Grimm.
• vdr-plugin-xineliboutput/1.1.0+cvs20150907-3 by Tobias Grimm.
• w3c-markup-validator/1.3+dfsg-3 by Santiago Vila.
• xcolorsel/1.1a-19 by Santiago Vila.
• xmoto/0.5.11+dfsg-3 by Stephen Kitt.

Some uploads fixed some reproducibility issues but not all of them:

• ognl/2.7.3-6 by Emmanuel Bourg.
• enblend-enfuse/4.1.4+dfsg-2 by Andreas Metzler.

Untested

• nvidia-xconfig/340.93-1 by Andreas Beckmann.
• nvidia-settings-legacy-304xx/304.128-1 by Andreas Beckmann.

Patches submitted which have not made their way to the archive yet:

• #801212 on unicode-data by Esa Peuha: set TZ=UTC when calling unzip.

reproducible.debian.net ProfitBricks once again increased their support for reproducible builds in Debian and in other free software projects by adding 58 new cores and 138 GiB of RAM to the already existing setup. Two new amd64 build nodes and 16 new amd64 build jobs have been added which doubles the build capacity per day and allows us to spot many kind of problems earlier. The size of the tmpfs where builds are performed has also been increased from 70 to 200 GiB on all amd64 build nodes. Huge thanks! When examining a package, a link now points to a table listing all previous recorded tests for the same package. (Mattia) The menu on the package pages has also been improved. (h01ger) Packages in the depwait state are now rescheduled automatically after five days. (h01ger) Links to documentation and other projects being tested have been made more visible on the landing page. (h01ger) To reduce noise on the team IRC channel five different types of notifications have been turned into mail notifications. The remaining ones have been shortened and the status changes have been limited to unstable and experimental. (h01ger) Maintainer notifications about status changes in a package will only be sent out once per day, and not on each status change. (h01ger) diffoscope development Some more experiments of concurrent processing have been made. None were good and reliable enough to be shared, though. Package reviews 48 reviews have been removed, 189 added and 23 updated this week. 9 FTBFS bugs were reported by Chris Lamb. Misc. h01ger met with Levente Polyak to discuss testing Arch Linux on Debian continuous test system with an easily extensible framework. The idea is to also allow testing of other distributions, and provide a nice package based view like the one for Debian.

What happened in the reproducible builds effort this week: Toolchain fixes

• Barry Warsaw uploaded wheel/0.26.0-1 which now uses SOURCE_DATE_EPOCH instead of WHEEL_FORCE_TIMESTAMP and uses time.gmtime() to avoid timezone issues. Patches by Chris Lamb and Reiner Herrmann.

Andreas Metzler uploaded autogen/1:5.18.6-1 in experimental with several patches for reproducibility issues written by Valentin Lorentz. Groovy upstream has merged a change proposed by Emmanuel Bourg to remove timestamps generated by groovydoc. Ben Hutchings submitted a patch to add support for SOURCE_DATE_EPOCH in linux-kbuild as an alternate way to specify the build timestamp. Reiner Herrman has sent a patch adding support for SOURCE_DATE_EPOCH in docbook-utils. Packages fixed The following packages became reproducible due to changes in their build dependencies: commons-csv. fest-reflect, sunxi-tools, xfce4-terminal, The following packages became reproducible after getting fixed:

• httpcomponents-client/4.5.1-1 by Emmanuel Bourg.
• jhead/1:3.00-2 by Ludovic Rousseau.
• libvigraimpex/1.10.0+dfsg-10 by Daniel Stender.
• linux/4.2-1~exp1 by Ben Hutchings.
• maelstrom/1.4.3-L3.0.6+main-7 by Santiago Vila.
• nedit/1:5.6a-3 by Paul Gevers.
• pitivi/0.94-4 by Sebastian Dr ge, reported by Scott Kitterman.
• procenv/0.40-2 by James Hunt.
• seyon/2.20c-32 by Santiago Vila.
• slib/3b1-5 by Santiago Vila.
• spock/0.7-groovy-2.0-1 by Emmanuel Bourg.
• u-boot/2015.10~rc4+dfsg1-1 by Vagrant Cascadian.
• vdr-plugin-remote/0.7.0-1 by Tobias Grimm.

Some uploads fixed some reproducibility issues but not all of them:

• dutch/1:2.10-4 uploaded by Thijs Kinkhorst, original patch by Chris Lamb.

Patches submitted which have not made their way to the archive yet:

• #800776 on cluster-glue: exports SOURCE_DATE_EPOCH in debian/rules.

Tomasz Rybak uploaded pycuda/2015.1.3-1 which should fix reproducibility issues. The package has not been tested as it is in contrib. akira found an embedded code copy of texi2html in fftw. reproducible.debian.net Email notifications are now only sent once a day per package, instead of on each status change. (h01ger) disorderfs has been temporarily disabled to see if it had any impact on the disk space issues. (h01ger) When running out of disk space, build nodes will now automatically detect the problem. This means test results will not be recorded as FTBFS and the problem will be reported to Jenkins maintainers. (h01ger) The navigation menu of package pages has been improved. (h01ger) The two amd64 builders now use two different kernel versions: 3.16 from stable and 4.1 from backports on the other. (h01ger) We now graph the number of packages which needs to be fixed. (h01ger) Munin now creates graphs on how many builds were performed by build nodes (example). (h01ger) A migration plan has been agreed with DSA on how to turn Jenkins into an official Debian service. A backport of jenkins-job-builder for Jessie is currently missing. (h01ger) Package reviews 119 reviews have been removed, 103 added and 45 updated this week. 16 fail to build from source issues were reported by Chris Lamb and Mattia Rizzolo. New issue this week: timestamps_in_manpages_generated_by_docbook_utils. Misc. Allan McRae has submitted a patch to make ArchLinux pacman record a .BUILDINFO file.

What happened in the reproducible builds effort this week: Toolchain fixes

• Ben Hutchings uploaded linux-tools/4.2-1 which makes the tarball generated by genorig.py reproducible.

Packages fixed The following 22 packages became reproducible due to changes in their build dependencies: breathe, cdi-api, geronimo-jpa-2.0-spec, geronimo-validation-1.0-spec, gradle-propdeps-plugin, jansi, javaparser, libjsr311-api-java, mac-widgets, mockito, mojarra, pastescript, plexus-utils2, powerline, python-psutil, python-sfml, python-tldap, pythondialog, tox, trident, truffle, zookeeper. The following packages became reproducible after getting fixed:

• cloudprint/0.14-1 uploaded by David Steele, original patch by Chris Lamb.
• cpl-plugin-sinfo/2.6.5+dfsg-2 by Ole Streicher.
• fonts-stix/1.1.1-4 uploaded by Hugo Lefeuvre, original patch by Dhole.
• gstreamermm-1.0/1.4.3+dfsg-5 by Philip Rinn.
• hspell/1.2-3 uploaded by Tzafrir Cohen, original patch by Reiner Herrmann.
• libmodule-extractuse-perl/0.33-2 by gregor herrmann.
• mariadb-10.0/10.0.21-1 by Otto Kek l inen.
• mkvtoolnix/8.4.0-1 uploaded by Christian Marillat, fixed upstream.
• mlpack/1.0.12-5 by Barak A. Pearlmutter.
• module-assistant/0.11.8 by Andreas Beckmann.
• pitivi/0.94-4 uploaded by Sebastian Dr ge, reported by Scott Kitterman.
• privoxy/3.0.23-4 by Roland Rosenfeld.
• qtop/2.3.1-1 uploaded by Hugo Lefeuvre, fixed upstream.
• seyon/2.20c-32 by Santiago Vila.
• subvertpy/0.9.3-2 by Jelmer Vernooij.
• twitter-bootstrap/2.0.2+dfsg-8 by Santiago Vila, reported by Chris Lamb.
• vdr-plugin-remote/0.7.0-1 by Tobias Grimm.

Some uploads fixed some reproducibility issues but not all of them:

• fldigi/3.23.01-1 by Kamal Mostafa.

Patches submitted which have not made their way to the archive yet:

• #799871 on console-data by Chris Lamb: grep all keymap files as text.
• #800007 on anarchism by Holger Levsen: use C locale when converting HTML to text files.
• #800107 on dutch by Chris Lamb: grep wordlist files as text.

diffoscope development The changes to make diffoscope run under Python 3, along with many small fixes, entered the archive with version 35 on September 21th. Another release was made the very next day fixed two encoding-related issues discovered when running diffoscope on more Debian packages. strip-nondeterminism development Version 0.12.0 now preserves file permissions on modified zip files and dh_strip_nondeterminism has been made compatible with older debhelper. disorderfs development Version 0.3.0 implemented a multi-user mode that was required to build Debian packages using disorderfs. It also added command line options to control the ordering of files in directory (either shuffled or reversed) and another to do arbitrary changes to the reported space used by files on disk. A couple days later, version 0.4.0 was released to support locks, flush, fsync, fsyncdir, read_buf, and write_buf. Almost all known issues have now been fixed. reproducible.debian.net disorderfs is now used during the second build. This makes file ordering issue very easy to identify as such. (h01ger) Work has been done on making the distributed build setup more reliable. (h01ger) Documentation update Matt Kraii fixed the example on how to fix issues related to dates in Sphinx. Recent Sphinx versions should also be compatible with SOURCE_DATE_EPOCH. Package reviews 53 reviews have been removed, 85 added and 13 updated this week. 46 packages failing to build from source has been identified by Chris Lamb, Chris West, and Niko Tyni. Chris Lamb was the lucky reporter of bug #800000 on vdr-plugin-prefermenu. Issues related to disorderfs are being tracked with a new issue.

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In August, 71.50 work hours have been dispatched among 7 paid contributors. Their reports are available:

• Ben Hutchings did 15 hours.
• Guido G nther did 4 hours.
• Mike Gabriel was assigned 8 hours but did not do them. He will catch up in September.
• Rapha l Hertzog did 6.5 hours.
• Santiago Ruano Rinc n did 17 hours.
• Scott Kitterman did 4 hours.
• Thorsten Alteholz did 17 hours.

Evolution of the situation September is stable compared to August (71.50 hours per month) and has not caught up back to the level of July as I hoped. Again it s because 2 sponsors were not able to pay their renewal invoice on time (one of last month paid, but another bigger sponsor failed this month). Those sponsors will continue to support us and I would like to be able to say that things will be back to normal next month, but I can t say it since we have also been informed of the (hopefully temporary) defection of another bronze sponsor that will affect us next month. Fortunately there are also good news, we have 3 new sponsors in the pipe (2 silver, 1 platinum) who shall join the project soon. And Blablacar increased their support from Silver to Gold (from 4h/month to 8h/month). But we still need more support in particular since we would like to commit to support virtualization related packages in Wheezy: that s clearly an objective for us. I recently published the summary of the work session held during DebConf 15 in Heidelberg (video recording). It would be really nice if we could get closer to the goal of funding a full-time position. In terms of security updates waiting to be handled, the situation is close to last month: the dla-needed.txt file lists 18 packages awaiting an update (2 less than last month), the list of open vulnerabilities in Squeeze shows about 30 affected packages in total (8 more than last month). Thanks to our sponsors

• Gold sponsors:
• The Positive Internet (for 15 months already)
• Blablacar (for 14 months already)
• Linode LLC (for 4 months already)
• Silver sponsors:
• David Ayers IntarS Austria (for 15 months already)
• Domeneshop AS (for 14 months already)
• Universit Lille 3 (for 14 months already)
• Trollweb Solutions (for 12 months already)
• Gandi SAS (for 9 months already)
• University of Luxembourg (for 6 months already)
• Rentabiliweb Group (for 4 months already)
• Bronze sponsors:
• Offensive Security (for 15 months already)
• Seznam.cz, a.s. (for 15 months already)
• Evolix (for 14 months already)
• Freeside Internet Service (for 14 months already)
• MyTux (for 14 months already)
• Linuxhotel GmbH (for 12 months already)
• Intevation GmbH (for 11 months already)
• Daevel SARL (for 10 months already)
• FOSSter (for 10 months already)
• Bitfolk LTD (for 9 months already)
• Megaspace Internet Services GmbH (for 9 months already)
• Gree, Inc. (for 8 months already)
• Greenbone Networks GmbH (for 8 months already)
• NUMLOG (for 8 months already)
• WinGo AG (for 7 months already)
• Ecole Centrale de Nantes LHEEA (for 4 months already)
• Sig-I/O

No comment Liked this article? Click here. My blog is Flattr-enabled.

This was my fourth month as a Freexian sponsored LTS contributor. I was assigned 4 hours which was enough for me to release a fix for screen and review CVEs for libvpx and determine that they did not apply to squeeze-lts. The screen update is covered under DLA 305-1.

We have enough debate about are things required by policy in Debian that, in my opinion we sometimes lose track of why things are a good idea to begin with. I just had a conversation via GitHub with a potential upstream developer (I m looking into packaging something he developed) that reminded me about some of the reasons some of the non-code we try to ship are a good idea. This is a Python based project. References to MANIFEST.in (manifest) translate to extra files to put in the tarball and references to sdist mean the source tarball. UPSTREAM: Thanks for the pull request. Is there any place where I can find more information about this manifest file, and why it s important to have one? ME: There are two files (LICENSE and CHANGELOG) that it would be good to have in the sdist, each for their own reason:
We want LICENSE because since Debian distributes both source and binary we want a copy of the exact license for the code in our source distribution so the the requirements are clear and self-contained. I think this is a good general practice anyway.
We want CHANGELOG so we can ship it in the package documentation to enable users to see what has changed over time with the package. MANIFEST.in is just a way to add files to the sdist (it s the normal way in distutils). I m not that versed in setuptools myself, but I do know there are other ways to do it. What s important (at least from our point of view) isn t the MANIFEST.in file itself, but the added files it would add to the sdist. If the MANIFEST.in isn t shipped with the sdist, then a downstream distributor that modified the package might get a different result. I believe it s a good general practice to include all the components of a package build system when you ship it. That s probably way more information than you wanted

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In July, 79.50 work hours have been dispatched among 7 paid contributors. Their reports are available:

• Ben Hutchings did 14.75 hours.
• Guido G nther did 8 hours.
• Mike Gabriel did 8 hours.
• Rapha l Hertzog did 15 hours.
• Santiago Ruano Rinc n did 14.75 hours.
• Scott Kitterman did 4 hours.
• Thorsten Alteholz did 15 hours.

Evolution of the situation August has seen a small decrease in terms of sponsored hours (71.50 hours per month) because two sponsors did not pay their renewal invoice on time. That said they reconfirmed their willingness to support us and things should be fixed after the summer. And we should be able to reach our first milestone of funding the equivalent of a half-time position, in particular since a new platinum sponsor might join the project. DebConf 15 happened this month and Debian LTS was featured in a talk and in a work session. Have a look at the video recordings:

• Debian Long Term Support: Past Present and Future (slides)
• Preparing for Wheezy LTS

In terms of security updates waiting to be handled, the situation is better than last month: the dla-needed.txt file lists 20 packages awaiting an update (4 less than last month), the list of open vulnerabilities in Squeeze shows about 22 affected packages in total (11 less than last month). The new LTS frontdesk ensures regular triage of CVE reports and the difference between both counts dropped significantly. That s good! Thanks to our sponsors Thanks to Sig-I/O, a new bronze sponsor, which joins our 35 other sponsors.

• Gold sponsors:
• The Positive Internet (for 14 months already)
• Linode LLC (for 3 months already)
• Silver sponsors:
• David Ayers IntarS Austria (for 14 months already)
• Blablacar (for 13 months already)
• Domeneshop AS (for 13 months already)
• Universit Lille 3 (for 13 months already)
• Trollweb Solutions (for 11 months already)
• Gandi SAS (for 8 months already)
• University of Luxembourg (for 5 months already)
• Rentabiliweb Group (for 4 months already)
• Bronze sponsors:
• Evolix (for 14 months already)
• Offensive Security (for 14 months already)
• Seznam.cz, a.s. (for 14 months already)
• Freeside Internet Service (for 13 months already)
• MyTux (for 13 months already)
• Intevation GmbH (for 11 months already)
• Linuxhotel GmbH (for 11 months already)
• Nantes M tropole (for 11 months already)
• Daevel SARL (for 9 months already)
• FOSSter (for 9 months already)
• Bitfolk LTD (for 8 months already)
• Megaspace Internet Services GmbH (for 8 months already)
• Gree, Inc. (for 7 months already)
• Greenbone Networks GmbH (for 7 months already)
• NUMLOG (for 7 months already)
• WinGo AG (for 7 months already)
• Ecole Centrale de Nantes LHEEA (for 3 months already)
• Sig-I/O

One comment Liked this article? Click here. My blog is Flattr-enabled.

A few days ago, fellow Qt/KDE team member Lisandro gave an update on the situation with migration to Plasma 5 in Debian Testing (AKA Stretch). It s changed again. All of Plasma 5 is now in Testing. The upgrade probably won t be entirely smooth, which we ll work on that after the gcc5 transition is done, but it will be much better than the half KDE4 SC half Kf5/Plasma 5 situation we ve had for the last several days. The issues with starting kwin should be resolved once users upgrade to Plasma 5. To use the current kwin with KDE SC 4, you will need to add a symlink from /usr/bin/kwin to /usr/bin/kwin_x11. That will be included in the next upload after gcc5. Systemsettings and plasma-nm now work. In my initial testing, I didn t see anything major that was broken. One user reported an issue with sddm starting automatically, but it worked fine for me. During the upgrade you should get a debconf prompt asking if you want to use kdm or sddm. Pick sddm. When I tried to dist-upgrade, apt wanted to remove task-kde-desktop. I let it remove it and some other packages and then in a second step did apt-get install task-kde-desktop. That pulled it back in successfully along with adding and removing a reasonably large stack of packages. Obviously we need to make that work better before Stretch is released, but as long as you don t restart KDE in between those two steps it should be fine. Lastely, I used apt-get autoremove to clear out a lot of no longer needed KDE4 things (when it asks if you want to stop the running kdm, say no). Here are a few notes on terminology and what I understand of the future plans: What used to be called KDE is now three different things (in part because KDE is now the community of people, not the software): KDE Frameworks 5 (Kf5): This is a group of several dozen small libraries that as a group, roughly equate to what used to be kdelibs. Plasma (Workspaces) 5: This is the desktop that we ve just transitioned to. Applications: These are a mix of kdelibs and Kf5 based applications. Currently in Testing there are some of both and this will evolve over time based on upstream development. As an example, the Kf5 based version of konsole is in Unstable and should transition to Testing shortly. Finally, thanks to Maximiliano Curia (maxy on IRC) for doing virtually all of the packaging of Kf5, Plasma 5, and applications. He did the heavy lifting, the rest of us just nibbled around the edges to keep it moving towards testing.

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In June, 73.50 work hours have been dispatched among 7 paid contributors. Their reports are available:

• Ben Hutchings did 14.75 hours.
• Guido G nther did 10 hours.
• Mike Gabriel did 8 hours.
• Rapha l Hertzog did 14.5 hours.
• Santiago Ruano Rinc n did 14.75 hours.
• Scott Kitterman did 4 hours.
• Thorsten Alteholz did 14.5 hours.

Evolution of the situation July has seen a nice increase in terms of sponsored hours (79.50 hours per month) but the trend is unlikely to continue for the next month, worse it might be negative. While most sponsors who joined us last year in July will renew their support, there are a few where I have no confirmation yet. Many thanks to those who confirmed early: Universit Lille 3, MyTux. Our first milestone of funding the equivalent of a half-time position is unlikely to be reached before DebConf or even this summer. If you want to prove me wrong, it s time to get in touch with your management and convince your company to contribute a small amount. In terms of security updates waiting to be handled, the situation is similar to last month: the dla-needed.txt file lists 24 packages awaiting an update (5 more than last month), the list of open vulnerabilities in Squeeze shows about 33 affected packages in total (3 less than last month). Thanks to our sponsors There are no new sponsors this month. But I decided to include the number of months that the sponsor has been with us. Since we value long-lasting relations, it seemed quite natural to add this.

• Gold sponsors:
• The Positive Internet (for 13 months already)
• Linode LLC
• Silver sponsors:
• David Ayers IntarS Austria (for 13 months already)
• Blablacar (for 12 months already)
• Domeneshop AS (for 12 months already)
• Universit Lille 3 (for 12 months already)
• Trollweb Solutions (for 10 months already)
• Gandi SAS (for 7 months already)
• University of Luxembourg (for 4 months already)
• Rentabiliweb Group
• Bronze sponsors:
• Offensive Security (for 13 months already)
• Seznam.cz, a.s. (for 13 months already)
• Evolix (for 12 months already)
• Freeside Internet Service (for 12 months already)
• MyTux (for 12 months already)
• Linuxhotel GmbH (for 10 months already)
• Nantes M tropole (for 10 months already)
• Intevation GmbH (for 9 months already)
• Daevel SARL (for 8 months already)
• FOSSter (for 8 months already)
• Bitfolk LTD (for 7 months already)
• Megaspace Internet Services GmbH (for 7 months already)
• Gree, Inc. (for 6 months already)
• Greenbone Networks GmbH (for 6 months already)
• NUMLOG (for 6 months already)
• WinGo AG (for 5 months already)
• Ecole Centrale de Nantes LHEEA

No comment Liked this article? Click here. My blog is Flattr-enabled.

This was my second month as a Freexian sponsored LTS contributor. I was assigned 4 hours which was enough for me to update libclamunrar to the latest version we have, 0.98.5. This aligns libclamunrar with last month s clamav update and resolved a potentially concerning double free error. This is consistent with the way clamav and its components are updated for Debian supported releases through proposed-updates. This is covered under DLA 250-1. This update took longer than expected due to time spent wrestling with the git repository for the packaging, but that s resolved now, so if future updates are needed, it should be much easier.

This was my first month as a Freexian sponsored LTS contributor. I was assigned 4 hours which was enough for me to update clamav to the current upstream version, 0.98.7. This resolves a stack of CVEs and enables LTS users to take advantage of the latest anti-virus signatures and features clamav offers. This is consistent with the way clamav is updated for Debian supported releases through proposed-updates. This is covered under DLA 233-1.

Spending yesterday mostly away from the computer screen, I was shocked this morning when I read about the Ubuntu Community Council s request for Jonathan Ridell to step down from the Kubuntu Council. I knew that things have been rough lately and honestly there were some situations that Jonathan could have handled better, but I didn t expect anything as drastic and sudden as this without seeing any warning signs. Looking at the mails that Scott Kitterman posted sent by the Kubuntu Council, it seems like it s been a surprise to KC as well. I m disappointed in the way the Ubuntu Community Council has handled this and I think the way they treated Jonathan is appalling, even taking into account that he could ve communicated his grievances better. I m also unconvinced that the Ubuntu Community Council is as beneficial to the Ubuntu community in its current form as it could be. The way it is structured and reports to the SABDFL makes that it will always favour Canonical when there s a conflict of interest. I brought this up with two different CC members last year who both provided shruggy answers in the vein of Sorry, but we have a framework that s set up on how we can work in here and there s just so much we can do about it. they seem to fear the leadership too much to question it, and it s a pity, because everyone makes mistakes. This request to step down is probably going to sour the Ubuntu project s relationship with Jonathan Ridell even more, which is especially sad because he s one of the really good community guys left that keeps both the CoC and the original Ubuntu manifesto ethos in high regard while striving for technical excellence. On top of that, it seems like it may result in at least another such person leaving. I hope that the CC also takes this opportunity to take a step back and re-avaluate it s structure and purpose, instead of just shrugging it off with a corporate-sounding statement. I d also urge them to retract their statement to Jonathan Ridell and attempt to find a more amicable solution.

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In April, 81.75 work hours have been dispatched among 5 paid contributors (20.75 hours where unused hours of Ben and Holger that were re-dispatched to other contributors). Their reports are available:

• Ben Hutchings did 16 hours.
• Holger Levsen did 3 hours (of 5 hours assigned).
• Mike Gabriel did 8 hours.
• Rapha l Hertzog did 26.25 hours.
• Thorsten Alteholz did 26.5 hours.

Evolution of the situation May has seen a small increase in terms of sponsored hours (66.25 hours per month) and June is going to do even better with at least a new gold sponsor. We will have no problems sustaining the increased workload it implies since three Debian developers joined the team of contributors paid by Freexian (Antoine Beaupr , Santiago Ruano Rinc n, Scott Kitterman). The Jessie release probably shed some light on the Debian LTS project since we announced that Jessie will benefit from 5 years of support. Let s hope that the trend will continue in the following months and that we reach our first milestone of funding the equivalent of a half-time position. In terms of security updates waiting to be handled, the situation is a bit contrasted: the dla-needed.txt file lists 28 packages awaiting an update (12 less than last month), the list of open vulnerabilities in Squeeze shows about 60 affected packages in total (4 more than last month). The extra hours helped to make a good stride in the packages awaiting an update but there are many new vulnerabilities waiting to be triaged. Thanks to our sponsors The new sponsors of the month are in bold.

• Gold sponsors:
• The Positive Internet
• Silver sponsors:
• Blablacar
• David Ayers IntarS Austria
• Domeneshop AS
• Gandi SAS
• Rentabiliweb Group
• Trollweb Solutions
• University of Luxembourg
• Universit Lille 3
• Bronze sponsors:
• Bitfolk LTD
• Daevel SARL
• Evolix
• FOSSter
• Freeside Internet Service
• Gree, Inc.
• Greenbone Networks GmbH
• Intevation GmbH
• Linuxhotel GmbH
• Megaspace Internet Services GmbH
• MyTux
• NUMLOG
• Nantes M tropole
• Offensive Security
• Seznam.cz, a.s.
• WinGo AG

No comment Liked this article? Click here. My blog is Flattr-enabled.

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In April, 81.75 work hours have been dispatched among 5 paid contributors (20.75 hours where unused hours of Ben and Holger that were re-dispatched to other contributors). Their reports are available:

• Ben Hutchings did 16 hours.
• Holger Levsen did 3 hours (of 5 hours assigned).
• Mike Gabriel did 8 hours.
• Rapha l Hertzog did 26.25 hours.
• Thorsten Alteholz did 26.5 hours.

Evolution of the situation May has seen a small increase in terms of sponsored hours (66.25 hours per month) and June is going to do even better with at least a new gold sponsor. We will have no problems sustaining the increased workload it implies since three Debian developers joined the team of contributors paid by Freexian (Antoine Beaupr , Santiago Ruano Rinc n, Scott Kitterman). The Jessie release probably shed some light on the Debian LTS project since we announced that Jessie will benefit from 5 years of support. Let s hope that the trend will continue in the following months and that we reach our first milestone of funding the equivalent of a half-time position. In terms of security updates waiting to be handled, the situation is a bit contrasted: the dla-needed.txt file lists 28 packages awaiting an update (12 less than last month), the list of open vulnerabilities in Squeeze shows about 60 affected packages in total (4 more than last month). The extra hours helped to make a good stride in the packages awaiting an update but there are many new vulnerabilities waiting to be triaged. Thanks to our sponsors The new sponsors of the month are in bold.

• Gold sponsors:
• The Positive Internet
• Silver sponsors:
• Blablacar
• David Ayers IntarS Austria
• Domeneshop AS
• Gandi SAS
• Rentabiliweb Group
• Trollweb Solutions
• University of Luxembourg
• Universit Lille 3
• Bronze sponsors:
• Bitfolk LTD
• Daevel SARL
• Evolix
• FOSSter
• Freeside Internet Service
• Gree, Inc.
• Greenbone Networks GmbH
• Intevation GmbH
• Linuxhotel GmbH
• Megaspace Internet Services GmbH
• MyTux
• NUMLOG
• Nantes M tropole
• Offensive Security
• Seznam.cz, a.s.
• WinGo AG

No comment Liked this article? Click here. My blog is Flattr-enabled.