Freexian Meetup, by Stefano Rivera, Utkarsh Gupta, et al. During DebConf, Freexian organized a meetup for its collaborators and those interested in learning more about Freexian and its services. It was well received and many people interested in Freexian showed up. Some developers who were interested in contributing to LTS came to get more details about joining the project. And some prospective customers came to get to know us and ask questions. Sadly, the tragic loss of Abraham shook DebConf, both individually and structurally. The meetup got rescheduled to a small room without video coverage. With that, we still had a wholesome interaction and here s a quick picture from the meetup taken by Utkarsh (which is also why he s missing!).

Debusine, by Rapha l Hertzog, et al. Freexian has been investing into debusine for a while, but development speed is about to increase dramatically thanks to funding from SovereignTechFund.de. Rapha l laid out the 5 milestones of the funding contract, and filed the issues for the first milestone. Together with Enrico and Stefano, they established a workflow for the expanded team. Among the first steps of this milestone, Enrico started to work on a developer-friendly description of debusine that we can use when we reach out to the many Debian contributors that we will have to interact with. And Rapha l started the design work of the autopkgtest and lintian tasks, i.e. what s the interface to schedule such tasks, what behavior and what associated options do we support? At this point you might wonder what debusine is supposed to be let us try to answer this: Debusine manages scheduling and distribution of Debian-related build and QA tasks to a network of worker machines. It also manages the resulting artifacts and provides the results in an easy to consume way. We want to make it easy for Debian contributors to leverage all the great QA tools that Debian provides. We want to build the next generation of Debian s build infrastructure, one that will continue to reliably do what it already does, but that will also enable distribution-wide experiments, custom package repositories and custom workflows with advanced package reviews. If this all sounds interesting to you, don t hesitate to watch the project on salsa.debian.org and to contribute.

lpr/lpd in Debian, by Thorsten Alteholz During Debconf23, Till Kamppeter presented CPDB (Common Print Dialog Backend), a new way to handle print queues. After this talk it was discussed whether the old lpr/lpd based printing system could be abandoned in Debian or whether there is still demand for it. So Thorsten asked on the debian-devel email list whether anybody uses it. Oddly enough, these old packages are still useful:

• Within a small network it is easier to distribute a printcap file, than to properly configure cups clients.
• One of the biggest manufacturers of WLAN router and DSL boxes only supports raw queues when attaching an USB printer to their hardware. Admittedly the CPDB still has problems with such raw queues.
• The Pharos printing system at MIT is still lpd-based.

As a result, the lpr/lpd stuff is not yet ready to be abandoned and Thorsten will adopt the relevant packages (or rather move them under the umbrella of the debian-printing team). Though it is not planned to develop new features, those packages should at least have a maintainer. This month Thorsten adopted rlpr, an utility for lpd printing without using /etc/printcap. The next one he is working on is lprng, a lpr/lpd printer spooling system. If you know of any other package that is also needed and still maintained by the QA team, please tell Thorsten.

/usr-merge, by Helmut Grohne Discussion about lifting the file move moratorium has been initiated with the CTTE and the release team. A formal lift is dependent on updating debootstrap in older suites though. A significant number of packages can automatically move their systemd unit files if dh_installsystemd and systemd.pc change their installation targets. Unfortunately, doing so makes some packages FTBFS and therefore patches have been filed. The analysis tool, dumat, has been enhanced to better understand which upgrade scenarios are considered supported to reduce false positive bug filings and gained a mode for local operation on a .changes file meant for inclusion in salsa-ci. The filing of bugs from dumat is still manual to improve the quality of reports. Since September, the moratorium has been lifted.

Miscellaneous contributions

• Rapha l updated Django s backport in bullseye-backports to match the latest security release that was published in bookworm. Tracker.debian.org is still using that backport.
• Helmut Grohne sent 13 patches for cross build failures.
• Helmut Grohne performed a maintenance upload of debvm enabling its use in autopkgtests.
• Helmut Grohne wrote an API-compatible reimplementation of autopkgtest-build-qemu. It is powered by mmdebstrap, therefore unprivileged, EFI-only and will soon be included in mmdebstrap.
• Santiago continued the work regarding how to make it easier to (automatically) test reverse dependencies. An example of the ongoing work was presented during the Salsa CI BoF at DebConf 23.
  In fact, omniorb-dfsg test pipelines as the above were used for the omniorb-dfsg 4.3.0 transition, verifying how the reverse dependencies (tango, pytango and omnievents) were built and how their autopkgtest jobs run with the to-be-uploaded omniorb-dfsg new release.
• Utkarsh and Stefano attended and helped run DebConf 23. Also continued winding up DebConf 22 accounting.
• Anton Gladky did some science team uploads to fix RC bugs.

Debian LTS contributors In September, 21 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 10.0h (out of 0h assigned and 14.0h from previous period), thus carrying over 4.0h to the next month.
• Adrian Bunk did 7.0h (out of 17.0h assigned), thus carrying over 10.0h to the next month.
• Anton Gladky did 9.5h (out of 7.5h assigned and 7.5h from previous period), thus carrying over 5.5h to the next month.
• Bastien Roucari s did 16.0h (out of 15.5h assigned and 1.5h from previous period), thus carrying over 1.0h to the next month.
• Ben Hutchings did 17.0h (out of 17.0h assigned).
• Chris Lamb did 17.0h (out of 17.0h assigned).
• Emilio Pozuelo Monfort did 30.0h (out of 30.0h assigned).
• Guilhem Moulin did 18.25h (out of 18.25h assigned).
• Helmut Grohne did 10.0h (out of 10.0h assigned).
• Lee Garrett did 17.0h (out of 16.5h assigned and 0.5h from previous period).
• Markus Koschany did 40.0h (out of 40.0h assigned).
• Ola Lundqvist did 4.5h (out of 0h assigned and 24.0h from previous period), thus carrying over 19.5h to the next month.
• Roberto C. S nchez did 5.0h (out of 12.0h assigned), thus carrying over 7.0h to the next month.
• Santiago Ruano Rinc n did 7.75h (out of 16.0h assigned), thus carrying over 8.25h to the next month.
• Sean Whitton did 7.0h (out of 7.0h assigned).
• Sylvain Beucler did 10.5h (out of 17.0h assigned), thus carrying over 6.5h to the next month.
• Thorsten Alteholz did 14.0h (out of 14.0h assigned).
• Tobias Frost did 13.25h (out of 16.0h assigned), thus carrying over 2.75h to the next month.

Evolution of the situation In September, we have released 44 DLAs. The month of September was a busy month for the LTS Team. A notable security issue fixed in September was the high-severity CVE-2023-4863, a heap buffer overflow that allowed remote attackers to perform an out-of-bounds memory write via a crafted WebP file. This CVE was covered by the three DLAs of different packages: firefox-esr, libwebp and thunderbird. The libwebp backported patch was sent to upstream, who adapted and applied it to the 0.6.1 branch. It is also worth noting that LTS contributor Markus Koschany included in his work updates to packages in Debian Bullseye and Bookworm, that are under the umbrella of the Security Team: xrdp, jetty9 and mosquitto. As every month, there was important behind-the-scenes work by the Front Desk staff, who triaged, analyzed and reviewed dozens of vulnerabilities, to decide if they warrant a security update. This is very important work, since we need to trade-off between the frequency of updates and the stability of the LTS release.

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 97 months)
  • Civil Infrastructure Platform (CIP) (for 65 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 108 months)
  • Linode (for 102 months)
  • Babiel GmbH (for 91 months)
  • Plat Home (for 91 months)
  • University of Oxford (for 47 months)
  • Deveryware (for 34 months)
  • VyOS Inc (for 29 months)
  • EDF SA (for 18 months)
• Silver sponsors:
  • Domeneshop AS (for 112 months)
  • Nantes M tropole (for 106 months)
  • Univention GmbH (for 98 months)
  • Universit Jean Monnet de St Etienne (for 98 months)
  • Ribbon Communications, Inc. (for 92 months)
  • Exonet B.V. (for 82 months)
  • Leibniz Rechenzentrum (for 76 months)
  • CINECA (for 65 months)
  • Minist re de l Europe et des Affaires trang res (for 59 months)
  • Cloudways Ltd (for 49 months)
  • Dinahosting SL (for 47 months)
  • Bauer Xcel Media Deutschland KG (for 41 months)
  • Platform.sh (for 41 months)
  • Moxa Inc. (for 35 months)
  • sipgate GmbH (for 32 months)
  • OVH US LLC (for 30 months)
  • Tilburg University (for 30 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 21 months)
  • Soliton Systems K.K. (for 19 months)
• Bronze sponsors:
  • Evolix (for 113 months)
  • Seznam.cz, a.s. (for 113 months)
  • Linuxhotel GmbH (for 110 months)
  • Intevation GmbH (for 109 months)
  • Daevel SARL (for 108 months)
  • Bitfolk LTD (for 107 months)
  • Megaspace Internet Services GmbH (for 107 months)
  • Greenbone AG (for 106 months)
  • NUMLOG (for 106 months)
  • WinGo AG (for 106 months)
  • Ecole Centrale de Nantes - LHEEA (for 102 months)
  • Entr ouvert (for 97 months)
  • Adfinis AG (for 94 months)
  • GNI MEDIA (for 89 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 89 months)
  • Tesorion (for 89 months)
  • Bearstech (for 80 months)
  • LiHAS (for 80 months)
  • Catalyst IT Ltd (for 75 months)
  • Supagro (for 70 months)
  • Demarcq SAS (for 69 months)
  • Universit Grenoble Alpes (for 55 months)
  • TouchWeb SAS (for 47 months)
  • SPiN AG (for 44 months)
  • CoreFiling (for 39 months)
  • Institut des sciences cognitives Marc Jeannerod (for 34 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 31 months)
  • Tem Innovations GmbH (for 25 months)
  • WordFinder.pro (for 25 months)
  • CNRS DT INSU R sif (for 24 months)
  • Alter Way (for 17 months)
  • Institut Camille Jordan (for 6 months)

• I triaged and closed a bunch of bug reports and started packaging labwc, a Wayland compositor heavily inspired by Openbox.
• J r me did some work on Clojure libraries that broke when Java 21 became supported in Sid.
• Gabriel worked on the libinfluxdb-http-perl library.
• Tiago and Tassia continued their work on the new DC Sources project and Tiago applied for a debian.net VM for this service.

Debian LTS contributors In August, 19 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 0.0h (out of 12.0h assigned and 2.0h from previous period), thus carrying over 14.0h to the next month.
• Adrian Bunk did 18.5h (out of 18.5h assigned).
• Anton Gladky did 7.5h (out of 5.0h assigned and 10.0h from previous period), thus carrying over 7.5h to the next month.
• Bastien Roucari s did 17.0h (out of 15.5h assigned and 3.0h from previous period), thus carrying over 1.5h to the next month.
• Ben Hutchings did 18.5h (out of 9.0h assigned and 9.5h from previous period).
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Emilio Pozuelo Monfort did 18.5h (out of 18.25h assigned and 0.25h from previous period).
• Guilhem Moulin did 24.0h (out of 22.5h assigned and 1.5h from previous period).
• Jochen Sprickerhof did 2.5h (out of 8.5h assigned and 10.0h from previous period), thus carrying over 16.0h to the next month.
• Lee Garrett did 18.0h (out of 9.25h assigned and 9.25h from previous period), thus carrying over 0.5h to the next month.
• Markus Koschany did 28.5h (out of 28.5h assigned).
• Ola Lundqvist did 0.0h (out of 0h assigned and 24.0h from previous period), thus carrying over 24.0h to the next month.
• Roberto C. S nchez did 18.5h (out of 13.0h assigned and 5.5h from previous period).
• Santiago Ruano Rinc n did 18.5h (out of 18.25h assigned and 0.25h from previous period).
• Sean Whitton did 7.0h (out of 10.0h assigned), thus carrying over 3.0h to the next month.
• Sylvain Beucler did 18.5h (out of 9.75h assigned and 8.75h from previous period).
• Thorsten Alteholz did 14.0h (out of 14.0h assigned).
• Tobias Frost did 16.0h (out of 16.0h assigned).
• Utkarsh Gupta did 12.25h (out of 0h assigned and 12.25h from previous period).

Evolution of the situation In August, we have released 42 DLAs. The month of August turned out to be a rather quiet month for the LTS team. Three notable updates were to bouncycastle, openssl, and zabbix. In the case of bouncycastle a flaw allowed for the possibility of LDAP injection and the openssl update corrected a resource exhaustion bug that could result in a denial of service. Zabbix, while not widely used, was the subject of several vulnerabilities which while not individually severe did combine to result in the zabbix update being of particular note. Apart from those, the LTS team continued the always ongoing work of triaging, investigating, and fixing vulnerabilities, as well as making contributions to the broader Debian and Free Software communities.

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 96 months)
  • Civil Infrastructure Platform (CIP) (for 64 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 107 months)
  • Linode (for 101 months)
  • Babiel GmbH (for 90 months)
  • Plat Home (for 90 months)
  • University of Oxford (for 46 months)
  • Deveryware (for 33 months)
  • VyOS Inc (for 28 months)
  • EDF SA (for 17 months)
• Silver sponsors:
  • Domeneshop AS (for 111 months)
  • Nantes M tropole (for 105 months)
  • Univention GmbH (for 97 months)
  • Universit Jean Monnet de St Etienne (for 97 months)
  • Ribbon Communications, Inc. (for 91 months)
  • Exonet B.V. (for 81 months)
  • Leibniz Rechenzentrum (for 75 months)
  • CINECA (for 64 months)
  • Minist re de l Europe et des Affaires trang res (for 58 months)
  • Cloudways Ltd (for 48 months)
  • Dinahosting SL (for 46 months)
  • Bauer Xcel Media Deutschland KG (for 40 months)
  • Platform.sh (for 40 months)
  • Moxa Inc. (for 34 months)
  • sipgate GmbH (for 31 months)
  • OVH US LLC (for 29 months)
  • Tilburg University (for 29 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 20 months)
  • Soliton Systems K.K. (for 18 months)
• Bronze sponsors:
  • Evolix (for 112 months)
  • Seznam.cz, a.s. (for 112 months)
  • Linuxhotel GmbH (for 109 months)
  • Intevation GmbH (for 108 months)
  • Daevel SARL (for 107 months)
  • Bitfolk LTD (for 106 months)
  • Megaspace Internet Services GmbH (for 106 months)
  • Greenbone AG (for 105 months)
  • NUMLOG (for 105 months)
  • WinGo AG (for 105 months)
  • Ecole Centrale de Nantes - LHEEA (for 101 months)
  • Entr ouvert (for 96 months)
  • Adfinis AG (for 93 months)
  • GNI MEDIA (for 88 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 88 months)
  • Tesorion (for 88 months)
  • Bearstech (for 79 months)
  • LiHAS (for 79 months)
  • Catalyst IT Ltd (for 74 months)
  • Supagro (for 69 months)
  • Demarcq SAS (for 68 months)
  • Universit Grenoble Alpes (for 54 months)
  • TouchWeb SAS (for 46 months)
  • SPiN AG (for 43 months)
  • CoreFiling (for 38 months)
  • Institut des sciences cognitives Marc Jeannerod (for 33 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 30 months)
  • Tem Innovations GmbH (for 24 months)
  • WordFinder.pro (for 24 months)
  • CNRS DT INSU R sif (for 23 months)
  • Alter Way (for 16 months)
  • Institut Camille Jordan (for 5 months)

• Debian Package - Daniel Pimentel
• Attacking Linux EDRs for Fun and Profit - Tiago Peixoto
• Docker: Introdu o ao mundo dos containers - Baltazar
• Hardening, Debian e CIS Benchmarks - Moises
• Carreira e Software Livre em Cyber Security - Edo
• O Software Livre j pode pagar minhas contas? - Gilberto Martins

• Debian Package - Daniel Pimentel
• Attacking Linux EDRs for Fun and Profit - Tiago Peixoto
• Docker: Introdu o ao mundo dos containers - Baltazar
• Hardening, Debian e CIS Benchmarks - Moises
• Carreira e Software Livre em Cyber Security - Edo
• O Software Livre j pode pagar minhas contas? - Gilberto Martins

/usr-merge work, by Helmut Grohne, et al. Given that we now have consensus on moving forward by moving aliased files from / to /usr, we will also run into the problems that the file move moratorium was meant to prevent. The way forward is detecting them early and applying workarounds on a per-package basis. Said detection is now automated using the Debian Usr Merge Analysis Tool. As problems are reported to the bug tracking system, they are connected to the reports if properly usertagged. Bugs and patches for problem categories DEP17-P2 and DEP17-P6 have been filed. After consensus has been reached on the bootstrapping matters, debootstrap has been changed to swap the initial unpack and merging to avoid unpack errors due to pre-existing links. This is a precondition for having base-files install the aliasing symbolic links eventually. It was identified that the root filesystem used by the Debian installer is still unmerged and a change has been proposed. debhelper was changed to recognize systemd units installed to /usr. A discussion with the CTTE and release team on repealing the moratorium has been initiated.

Salsa CI work, by Santiago Ruano Rinc n August was a busy month in the Salsa CI world. Santiago reviewed and merged a bunch of MRs that have improved the project in different aspects: The aptly job got two MRs from Philip Hands. With the first one, the aptly now can export a couple of variables in a dotenv file, and with the second, it can include packages from multiple artifact directories. These MRs bring the base to improve how to test reverse dependencies with Salsa CI. Santiago is working on documenting this. As a result of the mass bug filing done in August, Salsa CI now includes a job to test how a package builds twice in a row. Thanks to the MRs of Sebastiaan Couwenberg and Johannes Schauer Marin Rodrigues. Last but not least, Santiago helped Johannes Schauer Marin Rodrigues to complete the support for arm64-only pipelines.

DebConf23 lead-up, by Stefano Rivera Stefano wears a few hats in the DebConf organization and in the lead up to the conference in mid-September, they ve all been quite busy. As one of the treasurers of DebConf 23, there has been a final budget update, and quite a few payments to coordinate from Debian s Trusted Organizations. We try to close the books from the previous conference at the next one, so a push was made to get DebConf 22 account statements out of TOs and record them in the conference ledger. As a website developer, we had a number of registration-related tasks, emailing attendees and trying to estimate numbers for food and accommodation. As a conference committee member, the job was mostly taking calls and helping the local team to make decisions on urgent issues. For example, getting conference visas issued to attendees required getting political approval from the Indian government. We only discovered the full process for this too late to clear some complex cases, so this required some hard calls on skipping some countries from the application list, allowing everyone else to get visas in time. Unfortunate, but necessary.

Miscellaneous contributions

• Rapha l Hertzog updated gnome-shell-extension-hamster to a new upstream git snapshot that is compatible with GNOME Shell 44 that was recently uploaded to Debian unstable/testing. This extension makes it easy to start/stop tracking time with Hamster Time Tracker. Very handy for consultants like us who are billing their work per hour.
• Rapha l also updated zim to the latest upstream release (0.74.2). This is a desktop wiki that can be very useful as a note-taking tool to build your own personal knowledge base or even to manage your personal todo lists.
• Utkarsh reviewed and sponsored some uploads from mentors.debian.net.
• Utkarsh helped the local team and the bursary team with some more DebConf activities and helped finalize the data.
• Thorsten tried to update package hplip. Unfortunately upstream added some new compressed files that need to appear uncompressed in the package. Even though this sounded like an easy task, which seemed to be already implemented in the current debian/rules, the new type of files broke this implementation and made the package no longer buildable. The problem has been solved and the upload will happen soon.
• Helmut sent 7 patches for cross build failures. Since dpkg-buildflags now defaults to issue arm64-specific compiler flags, more care is needed to distinguish between build architecture flags and host architecture flags than previously.
• Stefano pushed the final bit of the tox 4 transition over the line in Debian, allowing dh-python and tox 4 to migrate to testing. We got caught up in a few unusual bugs in tox and the way we run it in Debian package building (which had to change with tox 4). This resulted in a couple of patches upstream.
• Stefano visited Haifa, Israel, to see the proposed DebConf 24 venue and meet with the local team. While the venue isn t committed yet, we have high hopes for it.

Debian LTS contributors In July, 18 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 0.0h (out of 0h assigned and 2.0h from previous period), thus carrying over 2.0h to the next month.
• Adrian Bunk did 24.75h (out of 18.25h assigned and 6.5h from previous period).
• Anton Gladky did 5.0h (out of 5.0h assigned and 10.0h from previous period), thus carrying over 10.0h to the next month.
• Bastien Roucari s did 17.0h (out of 17.0h assigned and 3.0h from previous period), thus carrying over 3.0h to the next month.
• Ben Hutchings did 14.0h (out of 24.0h assigned), thus carrying over 9.5h to the next month.
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Emilio Pozuelo Monfort did 24.0h (out of 24.75h assigned), thus carrying over 0.25h to the next month.
• Guilhem Moulin did 23.25h (out of 24.75h assigned), thus carrying over 1.5h to the next month.
• Jochen Sprickerhof did 10.0h (out of 20.0h assigned), thus carrying over 10.0h to the next month.
• Lee Garrett did 16.0h (out of 9.75h assigned and 15.5h from previous period), thus carrying over 9.25h to the next month.
• Markus Koschany did 24.75h (out of 24.75h assigned).
• Ola Lundqvist did 0.0h (out of 13.0h assigned and 11.0h from previous period), thus carrying over 24.0h to the next month.
• Roberto C. S nchez did 19.25h (out of 14.75h assigned and 10.0h from previous period), thus carrying over 5.5h to the next month.
• Santiago Ruano Rinc n did 25.5h (out of 10.5h assigned and 15.25h from previous period), thus carrying over 0.25h to the next month.
• Sylvain Beucler did 16.0h (out of 21.25h assigned and 3.5h from previous period), thus carrying over 8.75h to the next month.
• Thorsten Alteholz did 14.0h (out of 14.0h assigned).
• Tobias Frost did 16.0h (out of 16.0h assigned).
• Utkarsh Gupta did 1.5h (out of 0h assigned and 13.75h from previous period), thus carrying over 12.25h to the next month.

Evolution of the situation In July, we have released 35 DLAs. LTS contributor Lee Garrett, has continued his hard work to prepare a testing framework for Samba, that can now provision bootable VMs with little effort, both for Debian and for Windows. This work included the introduction of a new package to Debian, rhsrvany, which allows turning any Windows program or script into a Windows service. As the Samba testing framework matures it will be possible to perform functional tests which cannot be performed with other available test mechanisms and aspects of this framework will be generalizable to other package ecosystems beyond Samba. July included a notable security update of bind9 by LTS contributor Chris Lamb. This update addressed a potential denial of service attack in this critical network infrastructure component.

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 95 months)
  • Civil Infrastructure Platform (CIP) (for 63 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 106 months)
  • Linode (for 100 months)
  • Babiel GmbH (for 89 months)
  • Plat Home (for 89 months)
  • University of Oxford (for 45 months)
  • Deveryware (for 32 months)
  • VyOS Inc (for 27 months)
  • EDF SA (for 16 months)
• Silver sponsors:
  • Domeneshop AS (for 110 months)
  • Nantes M tropole (for 104 months)
  • Univention GmbH (for 96 months)
  • Universit Jean Monnet de St Etienne (for 96 months)
  • Ribbon Communications, Inc. (for 90 months)
  • Exonet B.V. (for 80 months)
  • Leibniz Rechenzentrum (for 74 months)
  • CINECA (for 63 months)
  • Minist re de l Europe et des Affaires trang res (for 57 months)
  • Cloudways Ltd (for 47 months)
  • Dinahosting SL (for 45 months)
  • Bauer Xcel Media Deutschland KG (for 39 months)
  • Platform.sh (for 39 months)
  • Moxa Inc. (for 33 months)
  • sipgate GmbH (for 30 months)
  • OVH US LLC (for 28 months)
  • Tilburg University (for 28 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 20 months)
  • Soliton Systems K.K. (for 17 months)
• Bronze sponsors:
  • Evolix (for 111 months)
  • Seznam.cz, a.s. (for 111 months)
  • Intevation GmbH (for 108 months)
  • Linuxhotel GmbH (for 108 months)
  • Daevel SARL (for 106 months)
  • Bitfolk LTD (for 105 months)
  • Megaspace Internet Services GmbH (for 105 months)
  • Greenbone AG (for 104 months)
  • NUMLOG (for 104 months)
  • WinGo AG (for 104 months)
  • Ecole Centrale de Nantes - LHEEA (for 100 months)
  • Entr ouvert (for 95 months)
  • Adfinis AG (for 92 months)
  • GNI MEDIA (for 87 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 87 months)
  • Tesorion (for 87 months)
  • Bearstech (for 78 months)
  • LiHAS (for 78 months)
  • Catalyst IT Ltd (for 73 months)
  • Supagro (for 68 months)
  • Demarcq SAS (for 67 months)
  • Universit Grenoble Alpes (for 53 months)
  • TouchWeb SAS (for 45 months)
  • SPiN AG (for 42 months)
  • CoreFiling (for 37 months)
  • Institut des sciences cognitives Marc Jeannerod (for 32 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 29 months)
  • Tem Innovations GmbH (for 24 months)
  • WordFinder.pro (for 23 months)
  • CNRS DT INSU R sif (for 22 months)
  • Alter Way (for 15 months)
  • Institut Camille Jordan (for 4 months)

tracker.debian.org work by Rapha l Hertzog Rapha l spent some time during his vacation to update distro-tracker to be fully compatible with Django 3.2 so that the codebase and the whole testsuite can run on Debian 12. There s one exception though with the functional test suite that still needs further work to cope with the latest version of Selenium. By dropping support of Django 2.2, Rapha l could also start to work toward support of Django 4.2 since Django helpfully emits deprecation warnings of things that will break in future versions. All the warnings have been fixed but the codebase still fails its testsuite in Django 4.2 because we have to get rid of the python3-django-jsonfield dependency (that is rightfully dead upstream since Django has native support nowadays). All the JSONField have been converted to use Django s native field, but the migration system still requires that dependency at this point. This will require either some fresh reboot of the migration history, or some other trickery to erase the jsonfield dependency from the history of migrations. If you have experience with that, don t hesitate to share it (mail at hertzog@debian.org, or reach out to buxy on IRC). At this point, tracker.debian.org runs with Django 3.2 on Debian 11 since Debian System Administrators are not yet ready to upgrade debian.org hosts to Debian 12.

DebConf 23 bursary work by Utkarsh Gupta Utkarsh led the bursary team this year. The bursary team got a ton of requests this time. Rolling out the results in 4 batches, the bursary team catered over 165 bursary requests - which is superb! The team managed to address all the requests and answered a bit over 120 emails in the process. With that, the bursaries are officially closed for DebConf 2023. The team also intends to roll out some of the statistics closer to DebConf.

Miscellaneous contributions

• Stefano implemented meson support in pybuild, the tool for building Python packages in Debian against multiple Python versions.
• Santiago did some work on Salsa CI to enhance the ARM support on the autopkgtest job and make Josch s branch work. MR to come soon.
• Helmut sent patches for 6 cross build failures.
• Stefano has been preparing for DebConf 23: Working on the website, and assisting the local teams.
• Stefano attended the DebConf Video team sprint in Paris, mostly looking at new hardware and software options for video capture and live-mixing. Full sprint report.

Debian LTS contributors In June, 17 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 12.0h (out of 6.0h assigned and 8.0h from previous period), thus carrying over 2.0h to the next month.
• Adrian Bunk did 28.0h (out of 0h assigned and 34.5h from previous period), thus carrying over 6.5h to the next month.
• Anton Gladky did 5.0h (out of 6.0h assigned and 9.0h from previous period), thus carrying over 10.0h to the next month.
• Bastien Roucari s did 17.0h (out of 17.0h assigned and 3.0h from previous period), thus carrying over 3.0h to the next month.
• Ben Hutchings did 24.0h (out of 16.5h assigned and 7.0h from previous period).
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Emilio Pozuelo Monfort did 24.0h (out of 21.0h assigned and 2.5h from previous period).
• Guilhem Moulin did 20.0h (out of 20.0h assigned).
• Lee Garrett did 25.0h (out of 0h assigned and 40.5h from previous period), thus carrying over 15.5h to the next month.
• Markus Koschany did 23.5h (out of 23.5h assigned).
• Ola Lundqvist did 13.0h (out of 0h assigned and 24.0h from previous period), thus carrying over 11.0h to the next month.
• Roberto C. S nchez did 13.5h (out of 9.75h assigned and 13.75h from previous period), thus carrying over 10.0h to the next month.
• Santiago Ruano Rinc n did 8.25h (out of 23.5h assigned), thus carrying over 15.25h to the next month.
• Sylvain Beucler did 20.0h (out of 23.5h assigned), thus carrying over 3.5h to the next month.
• Thorsten Alteholz did 14.0h (out of 14.0h assigned).
• Tobias Frost did 16.0h (out of 16.0h assigned).
• Utkarsh Gupta did 0.0h (out of 0h assigned and 25.5h from previous period), thus carrying over 25.5h to the next month.

Evolution of the situation In June, we have released 40 DLAs. Notable security updates in June included mariadb-10.3, openssl, and golang-go.crypto. The mariadb-10.3 package was synchronized with the latest upstream maintenance release, version 10.3.39. The openssl package was patched to correct several flaws with certificate validation and with object identifier parsing. Finally, the golang-go.crypto package was updated to address several vulnerabilities, and several associated Go packages were rebuilt in order to properly incorporate the update. LTS contributor Sylvain has been hard at work with some behind-the-scenes improvements to internal tooling and documentation. His efforts are helping to improve the efficiency of all LTS contributors and also helping to improve the quality of their work, making our LTS updates more timely and of higher quality. LTS contributor Lee Garrett began working on a testing framework specifically for Samba. Given the critical role which Samba plays in many deployments, the tremendous impact which regressions can have in those cases, and the unique testing requirements of Samba, this work will certainly result in increased confidence around our Samba updates for LTS. LTS contributor Emilio Pozuelo Monfort has begun preparatory work for the upcoming Firefox ESR version 115 release. Firefox ESR (and the related Thunderbird ESR) requires special work to maintain up to date in LTS. Mozilla do not release individual patches for CVEs, and our policy is to incorporate new ESR releases from Mozilla into LTS. Most updates are minor updates, but once a year Mozilla will release a major update as they move to a new major version for ESR. The update to a new major ESR version entails many related updates to toolchain and other packages. The preparations that Emilio has begun will ensure that once the 115 ESR release is made, updated packages will be available in LTS with minimal delay. Another highlight of behind-the-scenes work is our Front Desk personnel. While we often focus on the work which results in published package updates, much work is also involved in reviewing new vulnerabilities and triaging them (i.e., determining if they affect one or more packages in LTS and then determining the severity of those which are applicable). These intrepid contributors (Emilio Pozuelo Monfort, Markus Koschany, Ola Lundqvist, Sylvain Beucler, and Thorsten Alteholz for the month of June) reviewed dozens of vulnerabilities and made decisions about how those vulnerabilities should be dealt with.

Thanks to our sponsors

• Platinum sponsors:
  • TOSHIBA (for 94 months)
  • Civil Infrastructure Platform (CIP) (for 62 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 105 months)
  • Linode (for 99 months)
  • Babiel GmbH (for 88 months)
  • Plat Home (for 88 months)
  • University of Oxford (for 44 months)
  • Deveryware (for 31 months)
  • VyOS Inc (for 26 months)
  • EDF SA (for 15 months)
• Silver sponsors:
  • Domeneshop AS (for 109 months)
  • Nantes M tropole (for 103 months)
  • Univention GmbH (for 95 months)
  • Universit Jean Monnet de St Etienne (for 95 months)
  • Ribbon Communications, Inc. (for 89 months)
  • Exonet B.V. (for 79 months)
  • Leibniz Rechenzentrum (for 73 months)
  • CINECA (for 62 months)
  • Minist re de l Europe et des Affaires trang res (for 56 months)
  • Cloudways Ltd (for 46 months)
  • Dinahosting SL (for 44 months)
  • Bauer Xcel Media Deutschland KG (for 38 months)
  • Platform.sh (for 38 months)
  • Moxa Inc. (for 32 months)
  • sipgate GmbH (for 29 months)
  • OVH US LLC (for 27 months)
  • Tilburg University (for 27 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 18 months)
  • Soliton Systems K.K. (for 16 months)
• Bronze sponsors:
  • Evolix (for 110 months)
  • Seznam.cz, a.s. (for 110 months)
  • Intevation GmbH (for 107 months)
  • Linuxhotel GmbH (for 107 months)
  • Daevel SARL (for 105 months)
  • Bitfolk LTD (for 104 months)
  • Megaspace Internet Services GmbH (for 104 months)
  • Greenbone AG (for 103 months)
  • NUMLOG (for 103 months)
  • WinGo AG (for 103 months)
  • Ecole Centrale de Nantes - LHEEA (for 99 months)
  • Entr ouvert (for 94 months)
  • Adfinis AG (for 91 months)
  • GNI MEDIA (for 86 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 86 months)
  • Tesorion (for 86 months)
  • Bearstech (for 77 months)
  • LiHAS (for 77 months)
  • Catalyst IT Ltd (for 72 months)
  • Supagro (for 67 months)
  • Demarcq SAS (for 66 months)
  • Universit Grenoble Alpes (for 52 months)
  • TouchWeb SAS (for 44 months)
  • SPiN AG (for 41 months)
  • CoreFiling (for 36 months)
  • Institut des sciences cognitives Marc Jeannerod (for 31 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 28 months)
  • Tem Innovations GmbH (for 22 months)
  • WordFinder.pro (for 22 months)
  • CNRS DT INSU R sif (for 21 months)
  • Alter Way (for 14 months)
  • Institut Camille Jordan (for 3 months)

/usr-merge, by Helmut Grohne, et al The work on /usr-merge continues from May. The lengthy discussion was condensed into a still lengthy rewrite of DEP17 listing all known problems and proposed mitigations. An initial consensus call did not resolve all questions, but we now have rough consensus on finalizing the transition without relying on major changes to dpkg. Other questions still have diverging opinions and some matters such as how to not break backports are still missing satisfying answers.

DebConf Bursary prep, by Utkarsh Gupta DebCamp and DebConf is happening from 03rd September to 17th September in Kochi, India, and the DebConf Bursary team is gearing up for that. After extending the bursary deadline (catering to the requests coming in from various people), we ve finally managed to clock over 260 bursary requests. The team is set up and we re starting to review the applications. The team intends to roll out the result as soon as possible.

debci, by Helmut Grohne As Freexian is working on deploying autopkgtests for the LTS and ELTS services, debci and autopkgtests were improved in Debian to better deal with derivatives (e.g. by better supporting external package signing keyrings). Other aspects that are not deployed on ci.debian.net such as the qemu backend were also improved. We express thanks to the relevant maintainers Antonio Terceiro, Paul Gevers and Simon McVittie for their timely reviews and merges of our changes.

Miscellaneous contributions

• Following the release of Debian 12, Rapha l Hertzog updated tracker.debian.org to be aware of trixie. He also pushed some fixes to distro-tracker (the software powering tracker.debian.org) and released version 1.2.0 (since the former release was lacking fixes to run on Debian 12 bookworm).
• Following the release of Debian 12, Helmut Grohne updated crossqa.debian.net systems. He also sent 7 patches for cross build failures and continued adapting rebootstrap to changes in unstable.
• Santiago Ruano Rinc n started to work on how to improve the robustness of Salsa CI s pipeline for some jobs failing frequently.
• Thorsten Alteholz did security updates of cpdb-libs in Unstable and Bookworm.
• Stefano Rivera upgraded pixelfed.debian.social to bookworm.
• Stefano started an re2 library transition, and started preparation for the next transition.
• Helmut Grohne updated debvm in unstable releasing changes that accumulated during the freeze.
• Stefano did some work on the website and infrastructure for DebConf 23.
• Utkarsh Gupta helped review and fix open redmine bugs and fix them all in unstable.

/usr-merge, by Helmut Grohne, et al Towards the end of April, the discussion on DEP 17 on debian-devel@l.d.o initiated by Helmut Grohne took off, trying to deal with the fact that while Debian bookworm has a merged /usr, files are still being distributed to / and /usr in Debian binary packages, and moving them currently has some risk of breakage. Most participants of the discussion agreed that files should be moved, and there are several competing design ideas for doing it safely. Most of the time was spent understanding the practical implications of lifting the moratorium and moving all the files from / to /usr in a coordinated effort. With help from Emilio Pozuelo Monfort, Enrico Zini, and Raphael Hertzog, Helmut Grohne performed extensive analysis of the various aspects, including quantitative analysis of the original file move problem, analysis of effects on dpkg-divert, dpkg-statoverride, and update-alternatives, analysis of effects on filesystem bootstrapping tools. Most of the problematic cases spawned plausible workarounds, such as turning Breaks into Conflicts in selected cases or adding protective diversions for the symbolic links that enable aliasing. Towards the end of May, Andreas Beckmann reported a new failure scenario which may cause shared resources to inadvertently disappear, such as directories and even regular files in case of Multi-Arch packages, and our work on analyzing these problems and proposing mitigations is on-going. While the quantitative analysis is funded by Freexian, we wouldn t be here without the extensive feedback and ideas of many voluntary contributors from multiple areas of Debian, which are too many to name here. Thank you.

Preparing for the tox 4 transition, by Stefano Rivera While Debian was in freeze for the bookworm release, tox 4 has landed in Debian experimental, and some packages are starting to require it, upstream. It has some backwards-incompatible behavior that breaks many packages using tox through pybuild. So Stefano had to make some changes to pybuild and to many packages that run build-time tests with tox. The easy bits of this transition are now completed in git / experimental, but a few packages that integrate deeply into tox need upstream work.

Debian Printing, by Thorsten Alteholz Just before the release of Bookworm, lots of QA tools were used to inspect packages. One of these tools found a systemd service file in a wrong directory. So, Thorsten did another upload of package lprint to correct this. Thanks a lot to all the hardworking people who run such tools and file bugs. Thorsten also participated in discussions about the new Common Printing Dialog Backends (CPDB) that will be introduced in Trixie and hopefully can replace the current printing architecture in Forky.

Miscellaneous contributions

• DebConf 23 preparations by Stefano Rivera. Some work on the website, video team planning, accounting, and team documentation.
• Utkarsh Gupta started to prep the work on the bursary team s side for DC23.
• Stefano spun up a website for the Hamburg mini-DebConf so that the video team could have a machine-readable schedule and a place to stream video from the event.
• Santiago Ruano Rinc n reviewed and sponsored four python packages of a prospective Debian member.
• Helmut Grohne supported Timo Roehling and Jochen Sprickerhof to improve cross building in 15 ROS packages.
• Helmut Grohne supported Jochen Sprickerhof with diagnosing an e2fsprogs RC bug.
• Helmut Grohne continued to maintain rebootstrap and located an issue with lto in gcc-13.
• Anton Gladky fixed some RC-Bugs and uploaded a new stravalib python library.

• [1] https://tinyurl.com/yeppy78q
• [2] https://tinyurl.com/28yt5wbg
• [3] https://onezero.medium.com/rubber-hoses-fd685385dcd4
• [4] https://tinyurl.com/2ztqaw9a
• [5] https://tinyurl.com/2kv68veo
• [6] https://en.culturess.com/view/?id=santiago-genoves-experiment-cul
• [7] https://mjg59.dreamwidth.org/59479.html
• [8] https://tinyurl.com/yy8pyg65
• [9] https://tinyurl.com/2qr9evgb
• [10] https://tinyurl.com/2ngytzuh
• [11] https://tinyurl.com/2qjffrt3
• [12] https://tinyurl.com/2ote6mw7
• [13] https://tinyurl.com/yxe75yel
• [14] https://tinyurl.com/y23lbw2n

• DDPO
• Desde agosto de 2022
• Cidade de resid ncia: Curitiba - PR

• DDPO
• Desde maio de 2021
• Cidade de resid ncia: Curitiba - PR

• DDPO
• Desde maio de 2020
• Cidade de resid ncia: Campinas - SP

• DDPO
• Desde maio de 2020
• Cidade de resid ncia: Campinas - SP

• DDPO
• Desde fevereiro de 2019
• Cidade de resid ncia: Bras lia - DF

• DDPO
• Desde janeiro de 2019
• Cidade de resid ncia: Curitiba - PR

• DDPO
• Desde abril de 2018
• Cidade de resid ncia: Curitiba - PR

• DDPO
• Desde mar o de 2018
• Cidade de resid ncia: Toronto - Canad

• DDPO
• Desde maio de 2017
• Cidade de resid ncia: Curitiba - PR

• DDPO
• Desde dezembro de 2016
• Cidade de resid ncia: Po o Fundo - MG

• Desde agosto de 2016
• Cidade de resid ncia: Novo Hamburgo - RS

• DDPO
• Desde agosto de 2016
• Cidade de resid ncia: Campinas - SP

• DDPO
• Desde junho de 2016
• Cidade de resid ncia: Bras lia - DF

• DDPO
• Desde junho de 2016
• Cidade de resid ncia: Rio de Janeiro RJ

• DDPO
• Desde abril de 2022
• Cidade de resid ncia: Campo Mour o - PR

• DDPO
• Desde janeiro de 2022
• Cidade de resid ncia: Bras lia - DF

• DDPO
• Desde novembro de 2021
• Cidade de resid ncia: S o Vicente - SP

• DDPO
• Desde novembro de 2021
• Cidade de resid ncia: Bras lia - DF

• DDPO
• Desde agosto de 2020
• Cidade de resid ncia: Santa Maria - RS

• DDPO
• Desde dezembro de 2019
• Cidade de resid ncia: Curitiba - PR

• DDPO
• Desde maio de 2016
• Cidade de resid ncia: Belo Horizonte - MG

1. Esta lista ser atualizada quando o time de publicidade do Debian publicar novas listas com DMs e DDs e tiver brasileiros.
2. Para ver a lista completa de Mantenedores(as) e Desenvolvedores(as) Debian, inclusive outros(as) brasileiros(as) antes de julho de 2015 acesse: https://nm.debian.org/public/people

• DDPO
• Desde agosto de 2022
• Cidade de resid ncia: Curitiba - PR

• DDPO
• Desde maio de 2021
• Cidade de resid ncia: Curitiba - PR

• DDPO
• Desde maio de 2020
• Cidade de resid ncia: Campinas - SP

• DDPO
• Desde maio de 2020
• Cidade de resid ncia: Campinas - SP

• DDPO
• Desde fevereiro de 2019
• Cidade de resid ncia: Bras lia - DF

• DDPO
• Desde janeiro de 2019
• Cidade de resid ncia: Curitiba - PR

• DDPO
• Desde abril de 2018
• Cidade de resid ncia: Curitiba - PR

• DDPO
• Desde mar o de 2018
• Cidade de resid ncia: Toronto - Canad

• DDPO
• Desde maio de 2017
• Cidade de resid ncia: Curitiba - PR

• DDPO
• Desde dezembro de 2016
• Cidade de resid ncia: Po o Fundo - MG

• Desde agosto de 2016
• Cidade de resid ncia: Novo Hamburgo - RS

• DDPO
• Desde agosto de 2016
• Cidade de resid ncia: Campinas - SP

• DDPO
• Desde junho de 2016
• Cidade de resid ncia: Bras lia - DF

• DDPO
• Desde junho de 2016
• Cidade de resid ncia: Rio de Janeiro RJ

• DDPO
• Desde abril de 2022
• Cidade de resid ncia: Campo Mour o - PR

• DDPO
• Desde janeiro de 2022
• Cidade de resid ncia: Bras lia - DF

• DDPO
• Desde novembro de 2021
• Cidade de resid ncia: S o Vicente - SP

• DDPO
• Desde novembro de 2021
• Cidade de resid ncia: Bras lia - DF

• DDPO
• Desde agosto de 2020
• Cidade de resid ncia: Santa Maria - RS

• DDPO
• Desde dezembro de 2019
• Cidade de resid ncia: Curitiba - PR

• DDPO
• Desde maio de 2016
• Cidade de resid ncia: Belo Horizonte - MG

1. Esta lista ser atualizada quando o time de publicidade do Debian publicar novas listas com DMs e DDs e tiver brasileiros.
2. Para ver a lista completa de Mantenedores(as) e Desenvolvedores(as) Debian, inclusive outros(as) brasileiros(as) antes de julho de 2015 acesse: https://nm.debian.org/public/people

source=("git+https://github.com/vimeo/psalm.git#commit=$ _commit "
        "composer.lock")

 prepare()  
   cd $ pkgname 
   cp ../composer.lock .
 
updlockfiles()  
  cd $ pkgname 
  rm -f composer.lock
  composer update
  cp composer.lock "$ outdir /"
 

updlockfiles

Thanks This work is currently crowd-funded on github sponsors. I d like to thank @SantiagoTorres, @repi and @rgacogne for their support in particular.

Reproducible Builds summit 2022 Despite several delays, we are pleased to announce that registration is open for our in-person summit this year: November 1st November 3rd
The event will happen in Venice (Italy). We intend to pick a venue reachable via the train station and an international airport. However, the precise venue will depend on the number of attendees. Please see the announcement email for information about how to register.

Is reproducibility practical? Ludovic Court s published an informative blog post this month asking the important question: Is reproducibility practical?:

Our attention was recently caught by a nice slide deck on the methods and tools for reproducible research in the R programming language. Among those, the talk mentions Guix, stating that it is for professional, sensitive applications that require ultimate reproducibility , which is probably a bit overkill for Reproducible Research . While we were flattered to see Guix suggested as good tool for reproducibility, the very notion that there s a kind of reproducibility that is ultimate and, essentially, impractical, is something that left us wondering: What kind of reproducibility do scientists need, if not the ultimate kind? Is reproducibility practical at all, or is it more of a horizon?

The post goes on to outlines the concept of reproducibility, situating examples within the context of the GNU Guix operating system.

diffoscope diffoscope is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, Chris Lamb prepared and uploaded versions 218, 219 and 220 to Debian, as well as made the following changes:

• New features:
  • Support Haskell 9.x series files. [ ]
• Bug fixes:
  • Fix a regression introduced in version 207 where diffoscope would crash if one directory contained a directory that wasn t in the other. Thanks to Alderico Gallo for the testcase. [ ]
  • Don t traceback if we encounter an invalid Unicode character in Haskell versioning headers. [ ]
• Output improvements:
  • Improve output of Markdown and reStructuredText to use code blocks with highlighting. [ ]
• Codebase improvements:
  • Space out a file a little. [ ]
  • Update various copyright years. [ ]

Mailing list On our mailing list this month:

• Roland Clobus posted his Eleventh status update about reproducible [Debian] live-build ISO images, noting amongst many other things! that all major desktops build reproducibly with bullseye, bookworm and sid.
• Santiago Torres-Arias announced a Call for Papers (CfP) for a new SCORED conference, an academic workshop around software supply chain security . As Santiago highlights, this new conference invites reviewers from industry, open source, governement and academia to review the papers [and] I think that this is super important to tackle the supply chain security task .

Upstream patches The Reproducible Builds project attempts to fix as many currently-unreproducible packages as possible. This month, however, we submitted the following patches:

• Bernhard M. Wiedemann
  • openSUSE monthly report
  • acarsdec (embeds CPU info with march=native)
  • casacore (embeds CPU info with march=native)
  • kubernetes (uses random name of temporary directory)
  • setuptools/python-brotlicffi (toolchain, filesys/readdir)
  • sysstat (FTBFS in single CPU mode)
  • sundials (FTBFS in single CPU mode)
  • nim (FTBFS in single CPU mode)
  • doxygen/libzypp (toolchain readdir)
  • python-pyquil (build failure)
  • openssl-1_0_0 (build failure)
  • jsonrpc-glib (FTBFS in single CPU mode)
  • slurm (Link-Time Optimisation and .tar issues)
  • wasi-libc (sort the output from find)
• Chris Lamb:
  • #1015245 filed against libshumate.
  • #1015246 filed against zeal.
  • #1016186 filed against gappa.
• Philip Rinn:
  • #1014877 filed against cxref.
• Vagrant Cascadian:
  • #1014426 filed against cldump.
  • #1014428 filed against xmacro.
  • #1014559 filed against libloki.
  • #1014560 filed against ygl.
  • #1014561 filed against clp.
  • #1014564 filed against tvtime.
  • #1014789 filed against rdiff-backup-fs.

Reprotest reprotest is the Reproducible Builds project s end-user tool to build the same source code twice in widely and deliberate different environments, and checking whether the binaries produced by the builds have any differences. This month, the following changes were made:

• Holger Levsen:
  • Uploaded version 0.7.21 to Debian unstable as well as mark 0.7.22 development in the repository [ ].
  • Make diffoscope dependency unversioned as the required version is met even in Debian buster. [ ]
  • Revert an accidentally committed hunk. [ ]
• Mattia Rizzolo:
  • Apply a patch from Nick Rosbrook to not force the tests to run only against Python 3.9. [ ]
  • Run the tests through pybuild in order to run them against all supported Python 3.x versions. [ ]
  • Fix a deprecation warning in the setup.cfg file. [ ]
  • Close a new Debian bug. [ ]

Reproducible builds website A number of changes were made to the Reproducible Builds website and documentation this month, including:

• Arnout Engelen:
  • Add a link to recent May Contain Hackers 2022 conference talk slides. [ ]
• Chris Lamb:
  • Correct some grammar. [ ]
• Holger Levsen:
  • Add talk from FOSDEM 2015 presented by Holger and Lunar. [ ]
  • Show date of presentations if we have them. [ ][ ]
  • Add my presentation from DebConf22 [ ] and from Debian Reunion Hamburg 2022 [ ].
  • Add dhole to the speakers of the DebConf15 talk. [ ]
  • Add raboof s talk Reproducible Builds for Trustworthy Binaries from May Contain Hackers. [ ]
  • Drop some Debian-related suggested ideas which are not really relevant anymore. [ ]
  • Add a link to list of packages with patches ready to be NMUed. [ ]
• Mattia Rizzolo:
  • Add information about our upcoming event in Venice. [ ][ ][ ][ ]

Testing framework The Reproducible Builds project runs a significant testing framework at tests.reproducible-builds.org, to check packages and other artifacts for reproducibility. This month, Holger Levsen made the following changes:

• Debian-related changes:
  • Create graphs displaying existing .buildinfo files per each Debian suite/arch. [ ][ ]
  • Fix a typo in the Debian dashboard. [ ][ ]
  • Fix some issues in the pkg-r package set definition. [ ][ ][ ]
  • Improve the builtin-pho HTML output. [ ][ ][ ][ ]
  • Temporarily disable all live builds as our snapshot mirror is offline. [ ]
• Automated node health checks:
  • Detect dpkg failures. [ ]
  • Detect files with bad UNIX permissions. [ ]
  • Relax a regular expression in order to detect Debian Live image build failures. [ ]
• Misc changes:
  • Test that FreeBSD virtual machine has been updated to version 13.1. [ ]
  • Add a reminder about powercycling the armhf-architecture mst0X node. [ ]
  • Fix a number of typos. [ ][ ]
  • Update documentation. [ ][ ]
  • Fix Munin monitoring configuration for some nodes. [ ]
  • Fix the static IP address for a node. [ ]

In addition, Vagrant Cascadian updated host keys for the cbxi4pro0 and wbq0 nodes [ ] and, finally, node maintenance was also performed by Mattia Rizzolo [ ] and Holger Levsen [ ][ ][ ].

Contact As ever, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

• IRC: #reproducible-builds on irc.oftc.net.
• Twitter: @ReproBuilds
• Mailing list: rb-general@lists.reproducible-builds.org

source=("git+https://github.com/alacritty/alacritty.git#tag=v$ pkgver ?signed")
validpgpkeys=('4DAA67A9EA8B91FCC15B699C85CDAE3C164BA7B4'
              'A56EF308A9F1256C25ACA3807EA8F8B94622A6A9')
sha256sums=('SKIP')

• authentication: verify the git tag was signed by one of the two trusted keys.
• pinning: the source code is not pinned and git tags are not immutable, upstream could create a new signed git tag with an identical name and arbitrarily change the source code without the PKGBUILD noticing.

source=($pkgname-$pkgver.tar.gz::https://github.com/alacritty/alacritty/archive/refs/tags/v$pkgver.tar.gz)
sha256sums=('e48d4b10762c2707bb17fd8f89bd98f0dcccc450d223cade706fdd9cfaefb308')

• authentication: there s no signature, so this PKGBUILD doesn t cryptographically verify authorship.
• pinning: the source code is cryptographically pinned, it s addressing the source code by it s content. There s nothing upstream can do to silently change the code used by this PKGBUILD.

makedepends=('auth-tarball-from-git')
source=($pkgname-$pkgver.tar.gz::https://github.com/alacritty/alacritty/archive/refs/tags/v$pkgver.tar.gz
        chrisduerr.pgp
        kchibisov.pgp)
sha256sums=('e48d4b10762c2707bb17fd8f89bd98f0dcccc450d223cade706fdd9cfaefb308'
            '19573dc0ba7a2f003377dc49986867f749235ecb45fe15eb923a74b2ab421d74'
            '5b866e6cb791c58cba2e7fc60f647588699b08abc2ad6b18ba82470f0fd3db3b')
prepare()  
  cd "$pkgname-$pkgver"
  auth-tarball-from-git --keyring ../chrisduerr.pgp --keyring ../kchibisov.pgp \
    --tag v$pkgver --prefix $pkgname-$pkgver \
    https://github.com/alacritty/alacritty.git ../$pkgname-$pkgver.tar.gz
 

• authentication: auth-tarball-from-git verifies the signed git tag and then verifies the tarball has been built from the commit the tag is pointing to.
• pinning: the source code and the files containing the public keys are cryptographically pinned.

Thanks This work is currently crowd-funded on github sponsors. I d like to thank @SantiagoTorres, @repi and @rgacogne for their support in particular.

[ ] implemented what we call package multi-versioning for C/C++ software that lacks function multi-versioning and run-time dispatch [ ]. It is another way to ensure that users do not have to trade reproducibility for performance. (full PDF)

It is one thing to talk about reproducible builds and how they strengthen software supply chain security, but it s quite another to effectively configure a reproducible build. Concrete steps for specific languages are a far larger topic than can be covered in a single blog post, but today we ll be talking about some guiding principles when designing reproducible builds. [ ]

Events There will be an in-person Debian Reunion in Hamburg, Germany later this year, taking place from 23 30 May. Although this is a Debian event, there will be some folks from the broader Reproducible Builds community and, of course, everyone is welcome. Please see the event page on the Debian wiki for more information. Bernhard M. Wiedemann posted to our mailing list about a meetup for Reproducible Builds folks at the openSUSE conference in Nuremberg, Germany. It was also recently announced that DebConf22 will take place this year as an in-person conference in Prizren, Kosovo. The pre-conference meeting (or Debcamp ) will take place from 10 16 July, and the main talks, workshops, etc. will take place from 17 24 July.

Misc news Holger Levsen updated the Reproducible Builds website to improve the documentation for the SOURCE_DATE_EPOCH environment variable, both by expanding parts of the existing text [ ][ ] as well as clarifying meaning by removing text in other places [ ]. In addition, Chris Lamb added a Twitter Card to our website s metadata too [ ][ ][ ]. On our mailing list this month:

• Early in the month, Mattia Rizzolo posted to our mailing list asking for early thoughts about running an in-person Reproducible Builds event later in 2022.
• Chris Lamb then posted to our mailing list with a call for real-world instances where reproducibility practices have flagged something legitimately bad . Although no public, concrete examples were cited, the resulting discussion was interesting and wide-ranging.
• Marc Haber also posted to our mailing list with an interesting problem where building Debian packages with libfaketime yields different results when run outside of libfaketime.

Distribution work In Debian this month:

• Johannes Schauer Marin Rodrigues posted to the debian-devel list mentioning that he exploited the property of reproducibility within Debian to demonstrate that automatically converting a large number of packages to a new internal source version did not change the resulting packages. The proposed change could therefore be applied without causing breakage:

So now we have 364 source packages for which we have a patch and for which we can show that this patch does not change the build output. Do you agree that with those two properties, the advantages of the 3.0 (quilt) format are sufficient such that the change shall be implemented at least for those 364? [ ]

• 144 reviews of Debian packages were added, 241 were updated and 20 were removed this month, significantly adding to our knowledge about identified issues. A number of issue types were updated too, including buildpath_in_postgres_opcodes, captures_kernel_version_via_CMAKE_SYSTEM, build_id_differences_only, etc.
• Lukas Puehringer updated both the python-securesystemslib package to version 0.22.0-1 and the in-toto package to 1.2.0-1.

In openSUSE, Bernhard M. Wiedemann posted his usual monthly reproducible builds status report.

Tooling diffoscope is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, Chris Lamb prepared and uploaded versions 207, 208 and 209 to Debian unstable, as well as made the following changes to the code itself:

• Update minimum version of Black to prevent test failure on Ubuntu jammy. [ ]
• Updated the R test fixture for the 4.2.x series of the R programming language. [ ]

Brent Spillner also worked on adding graceful handling for UNIX sockets and named pipes to diffoscope. [ ][ ][ ]. Vagrant Cascadian also updated the diffoscope package in GNU Guix. [ ][ ] reprotest is the Reproducible Build s project end-user tool to build the same source code twice in widely different environments and checking whether the binaries produced by the builds have any differences. This month, Santiago Ruano Rinc n added a new --append-build-command option [ ], which was subsequently uploaded to Debian unstable by Holger Levsen.

Upstream patches The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:

• Bernhard M. Wiedemann:
  • epub2txt2 (filesystem-related issue)
  • fdupes (toolchain issue)
  • grep (ASLR-related issue)
  • hello (PGO-related issue)
  • osdlyrics (date-related regression regression)
  • texlive (GZip modification time issue)
  • tuigreet (ordering issue)
• Huong Nguyenthi:
  • #1006646 filed against sgml-base.
• Chris Lamb:
  • #1007232 filed against python-ara.
  • #1007757 filed against nbformat.
  • #1007760 filed against chemical-structures.
  • #1007908 filed against fiat.
• Vagrant Cascadian:
  • #1006844 filed against intel-mediasdk.
  • #1006858 filed against libao.
  • #1006860 & #1006861 filed against pcp.
  • #1006863 filed against tevent.
  • #1006864 filed against pcp.
  • #1006865 filed against apr-util.
  • #1006979 filed against liggghts.
  • #1007094 filed against kristall.
  • #1007095 filed against lmod.
  • #1007137 filed against libranlip.
  • #1007184 filed against xrt.
  • #1007185 filed against btrfsmaintenance.

Testing framework The Reproducible Builds project runs a significant testing framework at tests.reproducible-builds.org, to check packages and other artifacts for reproducibility. This month, the following changes were made:

• Holger Levsen:
  • Replace a local copy of the dsa-check-running-kernel script with a packaged version. [ ]
  • Don t hide the status of offline hosts in the Jenkins shell monitor. [ ]
  • Detect undefined service problems in the node health check. [ ]
  • Update the sources.lst file for our mail server as its still running Debian buster. [ ]
  • Add our mail server to our node inventory so it is included in the Jenkins maintenance processes. [ ]
  • Remove the debsecan package everywhere; it got installed accidentally via the Recommends relation. [ ]
  • Document the usage of the osuosl174 host. [ ]

Regular node maintenance was also performed by Holger Levsen [ ], Vagrant Cascadian [ ][ ][ ] and Mattia Rizzolo.
If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

• IRC: #reproducible-builds on irc.oftc.net.
• Twitter: @ReproBuilds
• Mailing list: rb-general@lists.reproducible-builds.org