Here's my (thirty-first) monthly but brief update about the activities I've done in the F/L/OSS world.
Debian
This was my 40th month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
There's a bunch of things I did this month but mostly non-technical, now that DC22 is around the corner. Here are the things I did:
Debian Uploads
Helped Andrius w/ FTBFS for php-text-captcha, reported via #977403.
I fixed the same in Ubuntu a couple of months ago and they copied over the patch here.
Other $things:
Volunteering for DC22 Content team.
Leading the Bursary team w/ Paulo.
Answering a bunch of questions of referees and attendees around bursary.
Ubuntu
This was my 15th month of actively contributing to Ubuntu.
Now that I joined Canonical to work on Ubuntu full-time, there's a bunch of things I do! \o/
I mostly worked on different things, I guess.
I was too lazy to maintain a list of things I worked on so there's
no concrete list atm. Maybe I'll get back to this section later or
will start to list stuff from the fall, as I was doing before. :D
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my thirty-first month as a Debian LTS and twentieth month as a Debian ELTS paid contributor.
I worked for 23.25 hours for LTS and 20.00 hours for ELTS.
LTS CVE Fixes and Announcements:
Issued DLA 2976-1, fixing CVE-2022-1271, for gzip.
For Debian 9 stretch, these problems have been fixed in version 1.6-5+deb9u1.
Issued DLA 2977-1, fixing CVE-2022-1271, for xz-utils.
For Debian 9 stretch, these problems have been fixed in version 5.2.2-1.2+deb9u1.
Working on src:tiff and src:mbedtls to fix the issues, still waiting for more issues to be reported, though.
Looking at src:mutt CVEs. Haven't had the time to complete but shall roll out next month.
ELTS CVE Fixes and Announcements:
Issued ELA 593-1, fixing CVE-2022-1271, for gzip.
For Debian 8 jessie, these problems have been fixed in version 1.6-4+deb8u1.
Issued ELA 594-1, fixing CVE-2022-1271, for xz-utils.
For Debian 8 jessie, these problems have been fixed in version 5.1.1alpha+20120614-2+deb8u1.
Working on src:tiff and src:beep to fix the issues, still waiting for more issues to be reported for src:tiff and src:beep is a bit of a PITA, though. :)
Here's my (twenty-ninth) monthly but brief update about the activities I've done in the F/L/OSS world.
Debian
This was my 38th month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
I had been sick this month, so I spent most of the time away from the system, recovering, et al.,
and also went through the huge backlog that I had, which is starting to get smaller. :D
Anyway, I did the following stuff in Debian:
Uploads and bug fixes:
at (3.4.4-1) - Adding a DEP8 test for the package, fixing bug #985421.
Other $things:
Mentoring for newcomers.
Moderation of -project mailing list.
Ubuntu
This was my 13th month of actively contributing to Ubuntu.
Now that I joined Canonical to work on Ubuntu full-time, there's a bunch of things I do! \o/
I mostly worked on different things, I guess.
I was too lazy to maintain a list of things I worked on so there's
no concrete list atm. Maybe I'll get back to this section later or
will start to list stuff from the fall, as I was doing before. :D
Debian (E)LTS
This was my twenty-ninth month as a Debian LTS and eighteenth month as a Debian ELTS paid contributor.
Whilst I was assigned 42.75 hours for LTS and 45.25 hours for ELTS, I could only work a little due to being sick and so
I spent 15.75 hours on LTS and 9.25 hours on ELTS and worked on the following things:
LTS CVE Fixes and Announcements:
Issued DLA 2909-1, fixing CVE-2021-45079, for strongswan.
For Debian 9 stretch, these problems have been fixed in version 5.5.1-4+deb9u6.
Here's my (twenty-seventh) monthly but brief update about the activities I've done in the F/L/OSS world.
Debian
This was my 36th month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
Just churning through the backlog again this month. Ugh.
Anyway, I did the following stuff in Debian:
Uploads and bug fixes:
ruby2.7 (2.7.5-1) - New upstream version fixing 3 new CVEs.
Other $things:
Mentoring for newcomers.
Moderation of -project mailing list.
Ubuntu
This was my 11th month of actively contributing to Ubuntu.
Now that I've joined Canonical to work on Ubuntu full-time, there's a bunch of things I do! \o/
I mostly worked on different things, I guess.
I was too lazy to maintain a list of things I worked on so there's
no concrete list atm. Maybe I'll get back to this section later or
will start to list stuff from next year onward, as I was doing before. :D
Debian (E)LTS
This was my twenty-seventh month as a Debian LTS and eighteenth month as a Debian ELTS paid contributor.
I was assigned 40.00 hours for LTS and 60.00 hours for ELTS and worked on the following things:
(since I had a 3-week vacation, I wanted to wrap things up that were pending and so I worked for 20h more for LTS, which I'll compensate the next month!)
Issued DLA 2854-1, fixing CVE-2017-18635, for novnc.
For Debian 9 stretch, these problems have been fixed in version 1:0.4+dfsg+1+20131010+gitf68af8af3d-6+deb9u1.
Issued ELA 536-1, fixing CVE-2021-43818, for lxml.
For Debian 8 jessie, these problems have been fixed in version Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain.
Started working on src:samba for CVE-2020-25717 to CVE-2020-25722 and CVE-2021-23192 for jessie and stretch, both.
The version difference b/w the suites is a bit too much for the patch(es) to be easily backported. I've talked to Anton to work something out. \o/
Found the problem w/ libjdom1-java. Will have to roll the regression upload.
I've prepared the patch but it needs some testing to be finally rolled out. Same for stretch.
Other (E)LTS Work:
Front-desk duty from 29-11 to 05-12 and 20-12 to 26-12 for both LTS and ELTS.
Here's my (twenty-sixth) monthly but brief update about the activities I've done in the F/L/OSS world.
Debian
This was my 35th month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
Just churning through the backlog again this month. Ugh.
Anyway, I did the following stuff in Debian:
Uploads and bug fixes:
rails (2:6.1.4.1+dfsg-3) - No-change rebuild for unstable.
Other $things:
Mentoring for newcomers.
Moderation of -project mailing list.
Ubuntu
This was my 10th month of actively contributing to Ubuntu.
Now that I've joined Canonical to work on Ubuntu full-time, there's a bunch of things I do! \o/
I mostly worked on different things, I guess.
I was too lazy to maintain a list of things I worked on so there's
no concrete list atm. Maybe I'll get back to this section later or
will start to list stuff from next year onward, as I was doing before. :D
Debian (E)LTS
This was my twenty-sixth month as a Debian LTS and seventeenth month as a Debian ELTS paid contributor.
I was assigned 30.00 hours for LTS and 45.00 hours for ELTS and worked on the following things:
Issued DLA 2836-1, fixing CVE-2021-43527, for nss.
For Debian 9 stretch, these problems have been fixed in version 2:3.26.2-1.1+deb9u3.
Started working on src:samba for CVE-2020-25717 to CVE-2020-25722 and CVE-2021-23192 for jessie and stretch, both.
The version difference b/w the suites is a bit too much for the patch(es) to be easily backported. I've talked to Anton to work something out. \o/
Found the problem w/ libjdom1-java. Will have to roll the regression upload.
I've prepared the patch but it needs some testing to be finally rolled out. Same for jessie.
Issued ELA 524-1, fixing CVE-2021-43618, for gmp.
For Debian 8 jessie, these problems have been fixed in version 2:6.0.0+dfsg-6+deb8u1.
Issued ELA 525-1, fixing CVE-2021-43527, for nss.
For Debian 8 jessie, these problems have been fixed in version 2:3.26-1+debu8u14.
Started working on src:samba for CVE-2020-25717 to CVE-2020-25722 and CVE-2021-23192 for jessie and stretch, both.
The version difference b/w the suites is a bit too much for the patch(es) to be easily backported. I've talked to Anton to work something out. \o/
Found the problem w/ libjdom1-java. Will have to roll the regression upload.
I've prepared the patch but it needs some testing to be finally rolled out. Same for stretch.
Other (E)LTS Work:
Front-desk duty from 29-11 to 05-12 for both LTS and ELTS.
Here's my (twenty-third) monthly but brief update about the activities I've done in the F/L/OSS world.
Debian
This was my 32nd month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
Tough month but I mostly spent on it churning through the immense backlog. But that
somewhat backfired and I have even more backlog than ever. :D
Anyway, I did the following stuff in Debian:
Ubuntu
This was my 7th month of actively contributing to Ubuntu.
Now that I've joined Canonical to work on Ubuntu full-time, there's a bunch of things I do! \o/
I mostly worked on different things, I guess. But mostly on packaging keylime and some Google Agents upload(s) and SRU(s). Also did a lot of reviewing, et al.
I was too lazy to maintain a list of things I worked on so there's no concrete list atm. Maybe I'll get back to this section later or will start to list stuff from next month onward, as I've been doing before. :D
Debian (E)LTS
This was my twenty-third month as a Debian LTS and eleventh month as a Debian ELTS paid contributor.
I was assigned 23.75 hours for LTS and 40.00 hours for ELTS and worked on the following things:
(however, I only worked for 23.75h on ELTS work, thereby, carrying the rest to next month)
Noticed that there's a fallout of CVE-2021-3185, where an update was issued for gst-plugins-bad1.0, however, not for gst-plugins-bad0.10.
Thanks to Sylvain's script, this came up and I prepped an update for that.
Started to work on libjdom1-java s regression.
Other (E)LTS Work:
Front-desk duty from 26-07 until 01-08 and from 30-08 until 05-09 for both LTS and ELTS.
Mark CVE-2021-39240/haproxy as not-affected for stretch and jessie.
Mark CVE-2021-39241/haproxy as not-affected for stretch and jessie.
Mark CVE-2021-39242/haproxy as not-affected for stretch and jessie.
Mark CVE-2021-33582/cyrus-imapd as no-dsa for stretch.
Mark CVE-2020-18771/exiv2 as no-dsa for exiv2 for stretch.
Mark CVE-2020-18899/exiv2 as no-dsa for exiv2 for stretch.
Mark CVE-2021-38171/ffmpeg as postponed for stretch.
Mark CVE-2021-40330/git as no-dsa for stretch and jessie.
Mark CVE-2020-19481/gpac as ignored for stretch.
Mark CVE-2021-40491/inetutils as no-dsa for stretch.
Mark CVE-2021-36370/mc as no-dsa for stretch and jessie.
Mark CVE-2021-35368/modsecurity-crs as no-dsa for stretch.
Mark CVE-2021-23434/node-object-path as end-of-life for stretch.
Mark CVE-2021-32610/php-pear as no-dsa for stretch.
Mark CVE-2017-9525/systemd-cron as no-dsa for stretch.
Mark CVE-2021-37701/node-tar as end-of-life for stretch.
Mark CVE-2021-37712/node-tar as end-of-life in stretch.
Mark CVE-2021-3750/qemu as postponed for jessie.
Mark CVE-2021-27511/prototypejs as postponed for jessie.
Mark CVE-2021-23437/pillow as postponed for stretch and jessie.
Auto EOL'ed gpac, cacti, openscad, cgal, cyrus-imapd-2.4, libsolv, mosquitto, atomicparsley, gtkpod, node-tar, libapache2-mod-auth-openidc, neutron, inetutils and linux for jessie.
Drop cpio from ela-needed; open issues don't warrant an ELA.
Attended monthly Debian LTS meeting.
Answered questions (& discussions) on IRC (#debian-lts and #debian-elts).
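The fallout check mentioned above (an update issued for gst-plugins-bad1.0 but not for its sibling gst-plugins-bad0.10, caught by Sylvain's script) and the "Mark CVE-XXXX/package as <state> for <suite>" triage notes listed in this post can both be handled mechanically. The following is an added example written for this page; it is not Sylvain's script and not code from the Debian security tracker. It parses triage lines in the wording used above into records, groups source packages into families by stripping a trailing version suffix (a heuristic assumed for this example, not how the tracker models packages), and reports CVEs recorded as fixed for one member of a family while a sibling has no record at all. The sample lines, the version string and the package list are constructed for the example.

```python
"""Added example for this page (not Sylvain's script and not Debian security
tracker code): parse "Mark CVE-XXXX/pkg as <state> for <suites>" triage notes
and flag "fallout" where a CVE is recorded as fixed for one package of a
family but a sibling package has no record at all.  Package names, versions
and the family heuristic below are constructed/assumed for the example."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Matches "Mark"/"Marked", CVE/package, optional "as", a hyphenated state,
# and whatever follows (version and/or suites), with an optional final period.
TRIAGE_RE = re.compile(
    r"^Mark(?:ed)?\s+(?P<cve>CVE-\d{4}-\d{4,})/(?P<pkg>\S+)\s+(?:as\s+)?"
    r"(?P<status>[\w-]+)(?P<rest>.*?)\.?$"
)


@dataclass(frozen=True)
class Triage:
    cve: str
    package: str
    status: str            # not-affected, no-dsa, postponed, ignored, end-of-life, fixed
    suites: tuple          # e.g. ("stretch", "jessie"); empty if none given
    version: Optional[str] = None   # only filled in for status == "fixed"


def parse_triage_line(line: str) -> Optional[Triage]:
    """Return a Triage record for one note, or None if the line is not one."""
    m = TRIAGE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"].strip()
    version = None
    if m["status"] == "fixed" and rest.startswith("in "):
        version, _, rest = rest[3:].partition(" ")
    suites: tuple = ()
    if rest.startswith(("for ", "in ")):
        names = rest.split(" ", 1)[1]
        suites = tuple(s for s in re.split(r",\s*|\s+and\s+", names) if s)
    return Triage(m["cve"], m["pkg"], m["status"], suites, version)


def parse_triage_lines(lines):
    """Parse many lines, silently skipping ones that are not triage notes."""
    return [t for t in (parse_triage_line(l) for l in lines) if t is not None]


def family_of(pkg: str) -> str:
    """Heuristic (assumed for this example): strip a trailing version suffix so
    gst-plugins-bad1.0 / gst-plugins-bad0.10, tomcat7 / tomcat8, or
    postgresql-9.6 collapse to one family name."""
    return re.sub(r"-?\d+(?:\.\d+)*$", "", pkg)


def find_fallout(records, known_packages):
    """Return sorted (cve, fixed_pkg, sibling_pkg) triples where fixed_pkg has
    the CVE recorded as fixed but sibling_pkg (same family) has no triage
    record for that CVE at all; that is the fallout worth investigating."""
    by_cve = defaultdict(dict)          # cve -> {package: status}
    for r in records:
        by_cve[r.cve][r.package] = r.status
    families = defaultdict(set)
    for pkg in known_packages:
        families[family_of(pkg)].add(pkg)
    fallout = []
    for cve, statuses in by_cve.items():
        for pkg, status in statuses.items():
            if status != "fixed":
                continue
            for sib in families[family_of(pkg)] - {pkg}:
                if sib not in statuses:
                    fallout.append((cve, pkg, sib))
    return sorted(fallout)


# Constructed sample input: the gst-plugins-bad version string is made up.
SAMPLE_LINES = [
    "Mark CVE-2021-3185/gst-plugins-bad1.0 fixed in 1.0-1~example for buster.",
    "Mark CVE-2021-39240/haproxy as not-affected for stretch and jessie.",
    "Mark CVE-2021-25122/tomcat8 as not-affected for jessie.",
    "Mark CVE-2021-25122/tomcat7 as not-affected for stretch.",
    "Mark CVE-2021-37712/node-tar as end-of-life in stretch.",
    "Auto EOL'ed gpac, cacti for jessie.",      # not a triage note, skipped
]
KNOWN_PACKAGES = {"gst-plugins-bad1.0", "gst-plugins-bad0.10", "haproxy",
                  "tomcat7", "tomcat8", "node-tar"}

if __name__ == "__main__":
    records = parse_triage_lines(SAMPLE_LINES)
    for cve, fixed_pkg, sibling in find_fallout(records, KNOWN_PACKAGES):
        print(f"{cve}: fixed in {fixed_pkg}, no record for sibling {sibling}")
```

Run as a script it reports the one constructed fallout case (CVE-2021-3185 fixed for gst-plugins-bad1.0, nothing recorded for gst-plugins-bad0.10); the tomcat7/tomcat8 pair is not reported because neither entry is a fix, only a not-affected mark. The family heuristic is deliberately simple; a real check would use the tracker's own knowledge of which source packages share an upstream.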
Here's my (twentieth) monthly update about the activities I've done in the F/L/OSS world.
Debian
This was my 29th month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
Interesting month, surprisingly. Lots of things happening and lots of moving parts; becoming the 'new normal', I believe.
Anyhow, working on Ubuntu full-time has its own advantage and one of them is being able to work on Debian stuff!
So whilst I couldn't upload a lot of packages because of the freeze, here's what I worked on:
Mentoring for newcomers and assisting people in BSP.
Moderation of -project mailing list.
Ubuntu
This was my 4th month of actively contributing to Ubuntu.
Now that I've joined Canonical to work on Ubuntu full-time, there's a bunch of things I do! \o/
This month, by all means, was dedicated mostly to PHP 8.0, transitioning from PHP 7.4 to 8.0.
Naturally, it had so many moving parts and moments of utmost frustration, shared w/ Bryce. :D
So even though I can't upload anything, I worked on the following stuff & asked for sponsorship.
But before, I'd like to take a moment to stress how kind and awesome Gianfranco Costamagna,
a.k.a. LocutusOfBorg is! He's been sponsoring a
bunch of my things & helping with re-triggers, et al. Thanks a bunch, Gianfranco; beers on me
whenever we meet!
Debian (E)LTS
This was my twentieth month as a Debian LTS and eleventh month as a Debian ELTS paid contributor.
I was assigned 29.75 hours for LTS and 40.00 hours for ELTS and worked on the following things:
LTS CVE Fixes and Announcements:
Issued DLA 2654-1, fixing CVE-2021-29472, for composer.
For Debian 9 stretch, these problems have been fixed in version 1.2.2-1+deb9u1.
Issued DLA 2662-1, fixing CVE-2021-32027 and CVE-2021-32028, for postgresql-9.6.
For Debian 9 stretch, these problems have been fixed in version 9.6.22-0+deb9u1. This update was done by the maintainer, Christoph Berg. I just took care of announcing and publishing the update.
Uploaded ruby-rack-cors to buster-security, fixing CVE-2019-18978.
For Debian 10 buster, these problems have been fixed in version 1.0.2-1+deb10u1.
Here's my (nineteenth) monthly update about the activities I've done in the F/L/OSS world.
Debian
This was my 28th month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
Crazy month, as always. Lots of things happening and lots of moving parts.
Now that I am working on Ubuntu full-time, I barely get much time to do any extra stuff. Then the massive COVID wave that has plunged India made this month even crazier. More on that later, maybe. IDK.
Anyway, I did some Debian stuff, thanks to Salzburg BSP (more down below). I worked on the following stuff:
Mentoring for newcomers and assisting people in BSP.
Moderation of -project mailing list.
Salzburg BSP 2021
This was my first virtual BSP and the first BSP in Salzburg and it was absolutely amazing!
Many kudos to Bernd Zeimetz for organizing it so smoothly and wonderfully, for real! \o/
We had a bunch of amazing sessions, besides hacking, of course, like:
yoga,
sports,
games, and
datacenter tour -> which was super!
We also had lots of things happening at #debian-bsp-2021-szg and did a lot of work.
Whilst everything we did is available on the pad, I worked on the following things:
Debian (E)LTS
This was my nineteenth month as a Debian LTS and tenth month as a Debian ELTS paid contributor.
I was assigned 60.00 hours for LTS and 60.00 hours for ELTS and worked on the following things:
Issued DLA 2639-1, fixing CVE-2020-12460, for opendmarc.
For Debian 9 stretch, these problems have been fixed in version 1.3.2-2+deb9u3.
Uploaded fluidsynth to sid, fixing CVE-2021-28421.
For Debian sid, these problems have been fixed in version 2.1.7-1.1. Thanks to Reiner Herrmann for their work.
Uploaded fluidsynth to buster-pu, fixing CVE-2021-28421.
For Debian sid, these problems have been fixed in version 2.1.7-1.1. Thanks to Reiner Herrmann for their work.
ELTS CVE Fixes and Announcements:
Issued ELA 396-1, fixing CVE-2021-23358, for underscore.
For Debian 8 jessie, these problems have been fixed in version 1.7.0~dfsg-1+deb8u1.
Issued ELA 397-1, fixing CVE-2020-1946, for spamassassin.
For Debian 8 jessie, these problems have been fixed in version 3.4.2-0+deb8u4.
Helped issue ELA 401-1, fixing CVE-2021-25329 and CVE-2020-9484, for tomcat7, along with Markus.
For Debian 8 jessie, these problems have been fixed in version 7.0.56-3+really7.0.100-1+deb8u3.
Mark CVE-2021-20297/network-manager as not-affected for jessie.
Mark CVE-2021-22890/curl as not-affected for jessie and stretch.
Mark CVE-2020-7760/codemirror-js as not-affected for jessie.
Mark CVE-2021-25122/tomcat8 as not-affected for jessie.
Mark CVE-2021-XXXX/plinth as no-dsa for stretch.
Mark CVE-2021-29424/libnet-netmask-perl as no-dsa for stretch.
Mark CVE-2021-28374/courier-authlib as fixed in 0.58-3.1 for jessie.
Mark CVE-2021-1252/clamav as not-affected for jessie.
Mark CVE-2021-1404/clamav as not-affected for jessie.
Mark CVE-2020-4051/dojo as no-dsa for jessie.
Mark CVE-2021-29447/wordpress as not-affected for jessie.
Mark CVE-2021-29450/wordpress as not-affected for jessie.
Mark CVE-2019-20920/libjs-handlebars as ignored for stretch and jessie.
Mark CVE-2021-23369/libjs-handlebars as ignored for stretch and jessie.
Mark CVE-2020-4051/dojo as fixed in 1.15.4+dfsg1-1 for sid and bullseye.
Mark CVE-2021-28965/ruby2.7 fixed in 2.7.3-1 for sid.
Mark CVE-2020-12272/opendmarc as postponed for jessie.
Mark CVE-2021-20296, CVE-2021-3475, CVE-2021-3476, CVE-2021-3477, CVE-2021-3478, and CVE-2021-3479, affecting openexr, as no-dsa for jessie and stretch.
Here's my (eighteenth) monthly update about the activities I've done in the F/L/OSS world.
Debian
This was my 27th month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
This month was a bit exhausting; lots of moving parts. With the financial year ending, it was even more crazy, with me running around to banks, CA, et al.
Anyway, now that I'm working on Ubuntu full-time, I did little Debian work this month. Here are the things I worked on:
Filed bug #985314 against asterisk (systemd misconfiguration) and added a patch as well.
Filed bug #985421 against at (add DEP8 tests) and added a patch as well.
Other $things:
Attended the Debian LTS team meeting.
Mentoring for newcomers.
Moderation of -project mailing list.
Debian (E)LTS
This was my eighteenth month as a Debian LTS and ninth month as a Debian ELTS paid contributor.
I was assigned 60.00 hours for LTS and 39.00 hours for ELTS and worked on the following things:
LTS CVE Fixes and Announcements:
Issued DLA 2580-1, fixing CVE-2021-21311, for adminer.
For Debian 9 stretch, these problems have been fixed in version 4.2.5-3+deb9u2.
Issued DLA 2581-1, fixing CVE-2021-27803, for wpa.
For Debian 9 stretch, these problems have been fixed in version 2:2.4-1+deb9u9.
Issued DLA 2585-1, fixing CVE-2020-13848, for libupnp.
For Debian 9 stretch, these problems have been fixed in version 1:1.6.19+git20160116-1.2+deb9u1.
Issued DLA 2589-2, fixing regression caused by DLA 2589-1, for mupdf.
For Debian 9 stretch, these problems have been fixed in version 1.9a+ds1-4+deb9u7.
Issued DLA 2598-1, fixing CVE-2020-25097, for squid3.
For Debian 9 stretch, these problems have been fixed in version 3.5.23-5+deb9u6.
Marked CVE-2021-21330/python-aiohttp as not-affected for stretch.
Marked CVE-2021-20233, CVE-2021-20225, CVE-2020-27779, CVE-2020-27778, CVE-2020-27749, CVE-2020-27748, CVE-2020-25647, CVE-2020-25632, CVE-2020-25631, and CVE-2020-14372, affecting grub2, as ignored for stretch and jessie.
Marked CVE-2020-27842/openjpeg2 as no-dsa for jessie.
Marked CVE-2020-27843/openjpeg2 as no-dsa for jessie.
Marked CVE-2021-28041/openssh as not-affected for jessie.
Marked CVE-2020-35523 and CVE-2020-35524/tiff as no-dsa for jessie.
Marked CVE-2021-20201/spice as no-dsa for jessie.
Marked CVE-2020-11988/xmlgraphics-commons as postponed for jessie.
Marked CVE-2020-11987/batik as postponed for jessie.
Marked CVE-2020-12695/libupnp as no-dsa for stretch.
Marked CVE-2021-25122/tomcat7 as not-affected for stretch.
Marked CVE-2021-25329/tomcat7 as ignored for stretch.
Marked CVE-2021-28116/squid3 as postponed for stretch and jessie.
Marked CVE-2021-3449/openssl as not-affected for stretch.
Document extra notes for grub2 for LTS and co-ordinate with the sec-team.
Document extra notes for pillow about piled-up issues in jessie.
Issued DLA-2593-1 for ca-certificates on Microsoft's request; co-ordinating w/ them.
Co-ordinating w/ maintainer of courier-authlib for stretch and jessie update.
Fixing build failures of ELTS security tracker and re-ordering entries in data/CVE-EXTENDED-LTS/list file.
Answer queries of dupondje and mikap about openssl on IRC; and it being not-affected for stretch.
Help review the status of CVE-2021-3121/golang-github-gogo-protobuf-dev for Ola.
Co-ordinating w/ Noah for cloud-init and setuptools.
Auto EOL'ed mongodb, linux, guacamole-client, node-xmlhttprequest, newlib, neutron, privoxy, glpi, and zabbix for jessie.
Attended monthly meeting for Debian LTS.
Answered questions (& discussions) on IRC (#debian-lts and #debian-elts).
Here's my (seventeenth) monthly update about the activities I've done in the F/L/OSS world.
Debian
This was my 26th month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
This month was a nice mix of amusement, excitement, nervousness, and craziness. More on it below.
Anyway, whilst I was super-insanely busy this month, I still did some Debian stuff here and there. Here are the following things I worked on:
Sponsored ruby-rspec-stubbed-env for Cédric Boutillier, heh :P
Interesting Bits!
Last month, I wrote:
Besides, there's something more that is in the pipelines. Can't talk about it now, shh. But
hopefully very sooooooon!
And now I can talk about it! So here it is..
I've joined Canonical as a SDE to work on Ubuntu, full time!!! \o/
Fully remote + dream job/work + most of the work is in the open-source domain + the beessstttt co-workers one could ever ask for!
It's been an amazing time so far and I'll talk more about it later this month.
But for now, here's our team monitor selfie (with Rick missing because of his 'secret plan'!) We'll soon e-meet them in a more detailed manner in the next blog post, that is, later this month!
In another exciting news, I got 2 more CVEs assigned!!! \o/
No, it is not something that I found, it was discovered by Tavis Ormandy. I just assigned
them a CVE ID, CVE-2021-26937
for screen and CVE-2021-27135 for xterm.
This is my 2nd and 3rd, so I am (still) very excited about this! ^_^
Debian (E)LTS
This was my sixteenth month as a Debian LTS and seventh month as a Debian ELTS paid contributor.
I was assigned 60.00 hours for LTS and 60.00 hours for ELTS and worked on the following things:
(however, I had overworked for 9 hours for both, LTS and ELTS, last month so I had to work for 51 hours for both this month!)
Here's my (sixteenth) monthly update about the activities I've done in the F/L/OSS world.
Debian
This was my 25th month of contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
This month was bat-shit crazy. Why? We'll come to it later, probably 15th of this month?
Anyway, besides being crazy, hectic, adventurous, and the first of 2021, this month I was super-insanely busy. With what? Hm, more about this later this month! ^_^
However, I still did some Debian stuff here and there. Here are the following things I worked on:
Debian (E)LTS
This was my sixteenth month as a Debian LTS and seventh month as a Debian ELTS paid contributor.
I was assigned 26.00 hours for LTS and 36.75 hours for ELTS and worked on the following things:
(however, I worked extra for 9 hours for LTS and 9 hours for ELTS this month, which I intend to balance from the next month!)
LTS CVE Fixes and Announcements:
Issued DLA 2518-1, fixing CVE-2020-35492, for cairo.
For Debian 9 Stretch, these problems have been fixed in version 1.14.8-1+deb9u1.
Prepared DSA 4831-1, fixing CVE-2020-26298, for ruby-redcarpet.
For Debian 10 Buster, these problems have been fixed in version 3.4.0-4+deb10u1. The announcement was released by the Security Team.
This January, on 23rd and 24th, we had Mini DebConf India 2021 online.
I had a talk as well, titled "Why Point Releases are important and how you can help
prepare them?".
It was a fun and a very short talk, where I just list out the reasons and ways to help in
the preparation of point releases. I did some experimentation with this talk, figuring
out what works for the audience and what doesn't and where I can improve for the next time
I talk about this topic! \o/
You can listen to the talk here
and let me know if you have any feedback!
Anyway, the conference lasted for 2 days and I also did some volunteering (talk director,
talk meister) in Hindi and English, both! It was all so fun and new. Anyway, here's the picture we took:
In another exciting news, I got my first CVE assigned!!! \o/
No, it is not something that I found, it was discovered by Tavis Ormandy. I just assigned
this a CVE ID, CVE-2021-3181.
This is my first, so I am very excited about this! ^_^
Besides, there's something more that is in the pipelines. Can't talk about it now, shh. But
hopefully very sooooooon!
Other $things! \o/
This month was tiresome, with most of the time being spent on the Debian stuff, I did
very little work outside it, really. The issues and patches that I sent are:
Issue #700 for redcarpet, asking for a reproducer for CVE-2020-26298 and some additional patch related queries.
Issue #7 for in-parallel, asking them to not use relative paths for tests.
Issue #8 for in-parallel, reporting a test failure for the library.
Issue #2 for rake-ant, asking them to bump their dependencies to a newer version.
PR #3 for rake-ant, bumping the dependencies to a newer version, fixing the above issue, heh.
Issue #4 for rake-ant, requesting to drop git from their gemspec.
PR #5 for rake-ant, dropping git from gemspec, fixing the above issue, heh.
Issue #95 for WavPack, asking for a review of past security vulnerabilities wrt v4.70.0.
Reviewed PR #128 for ruby-openid, addressing the past regression with CVE fix merge.
Reviewed PR #63 for cocoapods-acknowledgements, updating redcarpet to v3.5.1, as a safety measure due to recently discovered vulnerability.
Issue #1331 for bottle, asking for relevant commits for CVE-2020-28473 and clarifying other things.
Issue #5 for em-redis, reporting test failures on IPv6-only build machines.
Issue #939 for eventmachine, reporting test failures for em-redis on IPv6-only build machines.
Here's my (fifteenth) monthly update about the activities I've done in the F/L/OSS world.
Debian
This was my 24th month of contributing to Debian.
I became a DM in late March last year and a DD last Christmas! \o/
Amongst a lot of things, this month was crazy, hectic, adventurous, and the last of 2020; more on some parts later this month.
I finally finished my 7th semester (FTW!) and moved onto my last one! That said, I had been busy with other things but still did a bunch of Debian stuff
Here are the following things I did this month:
Debian (E)LTS
This was my fifteenth month as a Debian LTS and sixth month as a Debian ELTS paid contributor.
I was assigned 26.00 hours for LTS and 38.25 hours for ELTS and worked on the following things:
LTS CVE Fixes and Announcements:
Issued DLA 2474-1, fixing CVE-2020-28928, for musl.
For Debian 9 Stretch, these problems have been fixed in version 1.1.16-3+deb9u1.
Issued DLA 2484-1, fixing #969126, for python-certbot.
For Debian 9 Stretch, these problems have been fixed in version 0.28.0-1~deb9u3.
Issued DLA 2487-1, fixing CVE-2020-27350, for apt.
For Debian 9 Stretch, these problems have been fixed in version 1.4.11. The update was prepared by the maintainer, Julian.
Issued DLA 2488-1, fixing CVE-2020-27351, for python-apt.
For Debian 9 Stretch, these problems have been fixed in version 1.4.2. The update was prepared by the maintainer, Julian.
Issued DLA 2495-1, fixing CVE-2020-17527, for tomcat8.
For Debian 9 Stretch, these problems have been fixed in version 8.5.54-0+deb9u5.
Issued DLA 2488-2, for python-apt.
For Debian 9 Stretch, these problems have been fixed in version 1.4.3. The update was prepared by the maintainer, Julian.
Issued DLA 2508-1, fixing CVE-2020-35730, for roundcube.
For Debian 9 Stretch, these problems have been fixed in version 1.2.3+dfsg.1-4+deb9u8. The update was prepared by the maintainer, Guilhem.
ELTS CVE Fixes and Announcements:
Issued ELA 324-1, fixing CVE-2020-28928, for musl.
For Debian 8 Jessie, these problems have been fixed in version 1.1.5-2+deb8u2.
Issued ELA 325-1, fixing CVE-2020-28896, for mutt.
For Debian 8 Jessie, these problems have been fixed in version 1.5.23-3+deb8u4.
Marked CVE-2020-17527/tomcat8 as not-affected for jessie.
Marked CVE-2020-28052/bouncycastle as not-affected for jessie.
Marked CVE-2020-14394/qemu as postponed for jessie.
Marked CVE-2020-35738/wavpack as not-affected for jessie.
Marked CVE-2020-3550{3-6}/qemu as postponed for jessie.
Marked CVE-2020-3550{3-6}/qemu as postponed for stretch.
Marked CVE-2020-16093/lemonldap-ng as no-dsa for stretch.
Marked CVE-2020-27837/gdm3 as no-dsa for stretch.
Marked CVE-2020-{13987,13988,17437}/open-iscsi as no-dsa for stretch.
Marked CVE-2020-35450/gobby as no-dsa for stretch.
Marked CVE-2020-35728/jackson-databind as no-dsa for stretch.
Marked CVE-2020-28935/nsd as no-dsa for stretch.
Auto-EOL'ed libpam-tacplus, open-iscsi, wireshark, gdm3, golang-go.crypto, jackson-databind, spotweb, python-autobahn, asterisk, nsd, ruby-nokogiri, linux, and motion for jessie.
Bugs and Patches
Well, I did report some bugs and issues and also sent some patches:
Issue #44 for github-activity-readme, asking for a feature request to set a custom committer's email address.
Issue #711 for git2go, reporting build failure for the library.
PR #89 for rubocop-rails_config, bumping RuboCop::Packaging to v0.5.
Issue #36 for rubocop-packaging, asking to try out mutant :)
PR #212 for cucumber-ruby-core, bumping RuboCop::Packaging to v0.5.
PR #213 for cucumber-ruby-core, enabling RuboCop::Packaging.
Issue #19 for behance, asking to relax constraints on faraday and faraday_middleware.
PR #37 for rubocop-packaging, enabling tests against ruby3.0! \o/
PR #489 for cucumber-rails, bumping RuboCop::Packaging to v0.5.
Issue #362 for nheko, reporting a crash when opening the application.
PR #1282 for paper_trail, adding RuboCop::Packaging amongst other used extensions.
Bug #978640 for nheko Debian package, reporting a crash, as a result of libfmt7 regression.
Misc and Fun
Besides squashing bugs and submitting patches, I did some other things as well!
Participated in my first Advent of Code event! :)
Whilst it was indeed fun, I didn't really complete it. No reason, really. But I'll definitely come back stronger next year, heh! :)
All the solutions thus far could be found here.
Did a couple of reviews for some PRs and triaged some bugs here and there, meh.
Also did some cloud debugging, not so fun if you ask me, but cool enough to make me want to do it again! ^_^
Worked along with pollo, zigo, ehashman, rlb, et al for puppet and puppetserver in Debian. OMG, they're so lovely! <3
Ordered some interesting books to read January onward. New year resolution? Meh, not really. Or maybe. But nah.
Also did some interesting stuff this month but can't really talk about it now. Hopefully sooooon.
After an unexpectedly short discussion on debian-project, we're moving forward with this new initiative. The Debian security team submitted a project proposal requesting some improvements to tracker.debian.org, and since nobody of the security team wants to be paid to implement the project, we have opened a request for bids to find someone to implement this on a contractor basis.
If you can code in Python following test-driven development and know the Django framework, feel free to submit a bid! Ideally you have some experience with the security tracker too, but that's not a strong requirement.
About the project
If you haven't read the discussion on debian-project, Freexian is putting aside part of the money collected for Debian LTS to use it to fund generic Debian development projects. The goal is two-fold:
First, the LTS work necessarily had an impact on other Debian teams that made the project possible (security team, DSA, buildd, ftpmasters, debian-www mainly) and we wanted to be able to give back to those teams by funding improvements to their infrastructure.
We have always allowed paid contributors to go beyond just preparing security updates for the LTS release. They can pick tasks that improve the LTS project at large (we try to collect such tasks here: https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues) but they should not go over 25% of their allocated monthly hours so this limits their ability to tackle bigger projects and we would like to be able to tackle bigger projects that can have a meaningful impact on the LTS project and/or Debian in general.
We have tried to formalize a process to follow from project submission up to its implementation in this salsa project: https://salsa.debian.org/freexian-team/project-funding (the rules are at https://salsa.debian.org/freexian-team/project-funding/-/blob/master/Rules-LTS.md)
We highly encourage the above-mentioned Debian teams to make proposals. A member of those teams can implement the project and be paid for it. Or they can decide to let someone else implement it (we expect some of the paid LTS contributors to be willing to implement such projects), and just play the reviewer role driving the person doing the work in the right direction. Contrary to Google's Summer of Code and other similar projects, we put the focus on the results (and not on recruiting new volunteers), so we expect to work with experienced persons to implement the project. But if the reviewer is happy to be a mentor and spend more time, then it's OK for us too. The reviewer is (usually) not a paid position.
If you're not among those teams, but if you have a project that can have a positive impact on Debian LTS (even if only indirectly in the distant future), feel free to try your chance and to submit a proposal.
Here's my (fourteenth) monthly update about the activities I've done in the F/L/OSS world.
Debian
This was my 23rd month of contributing to Debian.
I became a DM in late March last year and a DD last Christmas! \o/
Apart from doing a bunch of activities like attending KubeCon + RubyConf (blog to follow!), et al and simultaneously giving my undergrad exams, I did (relatively) more work than I had really anticipated!
Here are the following things I did in Debian this month:
micro (2.0.8-1) - New upstream version, v2.0.8. Finally! \o/
ruby-zeitwerk (2.4.2-1) - New upstream version, v2.4.2.
Other $things:
Attended the Debian Ruby team meeting.
Mentoring for newcomers.
FTP Trainee reviewing.
Moderation of -project mailing list.
Sponsored phpmyadmin for William and libexif for Hugh.
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my fourteenth month as a Debian LTS and fourth month as a Debian ELTS paid contributor.
I was assigned 22.75 hours for LTS and 45.00 hours for ELTS and worked on the following things:
(for ELTS, I worked for 5.25 hours last month, so I had to work for 39.75 (+1 extra) hours this month)
(also, I did over-work by 5.00 hours for LTS this month, but I'll compensate for it later to avoid so much fuss!)
LTS CVE Fixes and Announcements:
Issued DLA 2425-1, fixing CVE-2020-25692, for openldap.
For Debian 9 Stretch, these problems have been fixed in version 2.4.44+dfsg-5+deb9u5.
Issued DLA 2427-1, fixing CVE-2020-14355, for spice.
For Debian 9 Stretch, these problems have been fixed in version 0.12.8-2.1+deb9u4.
Issued DLA 2428-1, fixing CVE-2020-14355, for spice-gtk.
For Debian 9 Stretch, these problems have been fixed in version 0.33-3.3+deb9u2.
Issued DLA 2430-1, fixing CVE-2020-15238, for blueman.
For Debian 9 Stretch, these problems have been fixed in version 2.0.4-1+deb9u1.
Issued DLA 2439-1, fixing CVE-2020-0452, for libexif.
For Debian 9 Stretch, these problems have been fixed in version 0.6.21-2+deb9u5.
Issued DLA 2443-1, fixing CVE-2020-15166, for zeromq3.
For Debian 9 Stretch, these problems have been fixed in version 4.2.1-4+deb9u3.
Issued DLA 2444-1, fixing CVE-2020-8037, for tcpdump.
For Debian 9 Stretch, these problems have been fixed in version 4.9.3-1~deb9u2.
ELTS CVE Fixes and Announcements:
Issued ELA 306-1, fixing CVE-2020-25692, for openldap.
For Debian 8 Jessie, these problems have been fixed in version 2.4.40+dfsg-1+deb8u7.
Issued ELA 310-1, fixing CVE-2020-0452, for libexif.
For Debian 8 Jessie, these problems have been fixed in version 0.6.21-2+deb8u5.
Issued ELA 311-1, fixing CVE-2020-8037, for tcpdump.
For Debian 8 Jessie, these problems have been fixed in version 4.9.3-1~deb8u2.
Issued ELA 312-1, backporting a new upstream release, 2020d, for tzdata.
For Debian 8 Jessie, these problems have been fixed in version 2020d-0+deb8u1.
Issued ELA 313-1, fixing CVE-2020-15166, for zeromq3.
For Debian 8 Jessie, these problems have been fixed in version 4.0.5+dfsg-2+deb8u3.
Prepared a debdiff for lxml (3.4.0-1+deb8u2) upload, which Emilio completed and rolled out later.
Other (E)LTS Work:
Front-desk duty from 26-10 until 01-10 and from 23-11 until 29-11 for both LTS and ELTS.
Here's my (thirteenth) monthly update about the activities I've done in the F/L/OSS world.
Debian
This was my 22nd month of contributing to Debian.
I became a DM in late March last year and a DD last Christmas! \o/
Whilst busy with my undergrad, I could still take some time out for contributing to Debian (I always do!).
Here are the following things I did in Debian this month:
Sponsored phpmyadmin, php-bacon-baconqrcode, twig, php-dasprid-enum, sql-parser, and mariadb-mysql-kbs for William.
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my thirteenth month as a Debian LTS and fourth month as a Debian ELTS paid contributor.
I was assigned 20.75 hours for LTS and 30.00 hours for ELTS and worked on the following things:
(for ELTS, I worked for 5.25 hours extra, so my total hours this month for ELTS were 35.25!)
Here's my (twelfth) monthly update about the activities I've done in the F/L/OSS world.
Debian
This was my 21st month of contributing to Debian.
I became a DM in late March last year and a DD last Christmas! \o/
I've been busy with my undergrad stuff but I still squeezed out some time for the regular Debian work.
Here are the following things I did in Debian this month:
Sponsored trace-cmd for Sudip, ruby-asset-sync for Nilesh, and mariadb-mysql-kbs for William.
RuboCop::Packaging - Helping the Debian Ruby team! \o/
This Google Summer of Code, I worked on writing a linter that could flag offenses for lines of code that are very troublesome for Debian maintainers while trying to package and maintain Ruby libraries and applications!
Whilst the GSoC period is over, I've been working on improving that tool and have extended that linter to now auto-correct these offenses by itself! \o/
You can now just use the -A flag and you're done! Boom! The ultimate game-changer!
Here's a quick demo for this feature:
A few quick updates on RuboCop::Packaging:
Has 4 cops, solving 4 different issues.
3 of them support auto-correction. Just use the -A flag.
I've also spent a considerable amount of time in raising awareness about this and, in a more general sense, about downstream maintenance.
As a result, I raised a bunch of PRs which got a really good response. I got all of the 20 PRs merged upstream, fixing these issues.
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my twelfth month as a Debian LTS and third month as a Debian ELTS paid contributor.
I was assigned 19.75 hours for LTS and 15.00 hours for ELTS and worked on the following things:
(for LTS, I over-worked for 11 hours last month on the survey so only had 8.75 hours this month!)
LTS CVE Fixes and Announcements:
Issued DLA 2362-1, fixing CVE-2020-11984, for uwsgi.
For Debian 9 Stretch, these problems have been fixed in version 2.0.14+20161117-3+deb9u3.
Issued DLA 2363-1, fixing CVE-2020-17446, for asyncpg.
For Debian 9 Stretch, these problems have been fixed in version 0.8.4-1+deb9u1.
Issued ELA 274-1, fixing CVE-2020-11984, for uwsgi.
For Debian 8 Jessie, these problems have been fixed in version 2.0.7-1+deb8u3.
Issued ELA 275-1, fixing CVE-2020-14363, for libx11.
For Debian 8 Jessie, these problems have been fixed in version 2:1.6.2-3+deb8u4.
Issued ELA 278-1, fixing CVE-2020-8184, for ruby-rack.
For Debian 8 Jessie, these problems have been fixed in version 1.5.2-3+deb8u4.
Also worked on updating the version of clamAV from v0.101.5 to v0.102.4.
This was a bit of a tricky package to work on since it involved an ABI/API change and was more or less a transition.
Super thanks to Emilio for his invaluable help and him taking over the package, finishing, and uploading it in the end.
Other (E)LTS Work:
Front-desk duty from 31-08 to 06-09 and from 28-09 onward for both LTS and ELTS.
Welcome to the August 2020 report from the Reproducible Builds project.
In our monthly reports, we summarise the things that we have been up to over the past month. The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced from the original free software source code to the pre-compiled binaries we install on our systems. If you're interested in contributing to the project, please visit our main website.
This month, Jennifer Helsby launched a new reproduciblewheels.com website to address the lack of reproducibility of Python wheels.
To quote Jennifer's accompanying explanatory blog post:
One hiccup we've encountered in SecureDrop development is that not all Python wheels can be built reproducibly. We ship multiple (Python) projects in Debian packages, with Python dependencies included in those packages as wheels. In order for our Debian packages to be reproducible, we need that wheel build process to also be reproducible.
Reproducible builds at DebConf20
There were a number of talks at the recent online-only DebConf20 conference on the topic of reproducible builds.
Holger gave a talk titled "Reproducing Bullseye in practice", focusing on independently verifying that the binaries distributed from ftp.debian.org are made from their claimed sources. It also served as a general update on the status of reproducible builds within Debian. The video (145 MB) and slides are available.
There were also a number of other talks that involved Reproducible Builds too. For example, the Malayalam language mini-conference had a talk titled (in Malayalam) "I want to join Debian, what should I do?" presented by Praveen Arimbrathodiyil, the Clojure Packaging Team BoF session led by Elana Hashman, as well as "Where is Salsa CI right now?", which was on the topic of Salsa, the collaborative development server that Debian uses to provide the necessary tools for package maintainers, packaging teams and so on.
Jonathan Bustillos (Jathan) also gave a talk in Spanish titled "Un camino verificable desde el origen hasta el binario" ("A verifiable path from source to binary"). (Video, 88MB)
Development work
After many years of development work, the compiler for the Rust programming language now generates reproducible binary code. This generated some general discussion on Reddit on the topic of reproducibility in general.
Paul Spooren posted a request for comments to OpenWrt s openwrt-devel mailing list asking for clarification on when to raise the PKG_RELEASE identifier of a package. This is needed in order to successfully perform rebuilds in a reproducible builds context.
In openSUSE, Bernhard M. Wiedemann published his monthly Reproducible Builds status update.
Chris Lamb provided some comments and pointers on an upstream issue regarding the reproducibility of a Snap / SquashFS archive file.
Debian
Holger Levsen identified that a large number of Debian .buildinfo build certificates have been tainted on the official Debian build servers, as these environments have files underneath the /usr/local/sbin directory. He also filed a bug against debrebuild after spotting that it can fail to download packages from snapshot.debian.org.
This month, several issues were uncovered (or assisted) due to the efforts of reproducible builds.
For instance, Debian bug #968710 was filed by Simon McVittie, which describes a problem with detached debug symbol files (required to generate a traceback) that is unlikely to have been discovered without reproducible builds. In addition, Jelmer Vernooij called attention to the fact that the new Debian Janitor tool is using the property of reproducibility (as well as diffoscope) when applying archive-wide changes to Debian:
New merge proposals also include a link to the diffoscope diff between a vanilla build and the build with changes. Unfortunately these can be a bit noisy for packages that are not reproducible yet, due to the difference in build environment between the two builds.
56 reviews of Debian packages were added, 38 were updated and 24 were removed this month adding to our knowledge about identified issues. Specifically, Chris Lamb added and categorised the nondeterministic_version_generated_by_python_param and the lessc_nondeterministic_keys toolchain issues.
Holger Levsen sponsored Lukas Puehringer's upload of the python-securesystemslib package, which is a dependency of in-toto, a framework to secure the integrity of software supply chains.
Lastly, Chris Lamb further refined his merge request against the debian-installer component to allow all arguments from sources.list files (such as [check-valid-until=no]) in order that we can test the reproducibility of the installer images on the Reproducible Builds own testing infrastructure and sent a ping to the team that maintains that code.
Upstream patches
The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of these patches, including:
diffoscope
diffoscope is our in-depth and content-aware diff utility that can not only locate and diagnose reproducibility issues, it provides human-readable diffs of all kinds. In August, Chris Lamb made the following changes to diffoscope, including preparing and uploading versions 155, 156, 157 and 158 to Debian:
New features:
Support extracting data of PGP signed data. (#214)
Try files named .pgp against pgpdump(1) to determine whether they are Pretty Good Privacy (PGP) files. (#211)
Support multiple options for all file extension matching.
Bug fixes:
Don t raise an exception when we encounter XML files with <!ENTITY> declarations inside the Document Type Definition (DTD), or when a DTD or entity references an external resource. (#212)
pgpdump(1) can successfully parse some binary files, so check that the parsed output contains something sensible before accepting it.
Temporarily drop gnumeric from the Debian build-dependencies as it has been removed from the testing distribution. (#968742)
Correctly use fallback_recognises to prevent matching .xsb binary XML files.
Correctly identify signed PGP files, as file(1) returns "data". (#211)
Logging improvements:
Emit a message when ppudump version does not match our file header.
Don't use Python's repr(object) output in "Calling external command" messages.
Include the filename in the "not identified by any comparator" message.
Codebase improvements:
Bump Python requirement from 3.6 to 3.7. Most distributions are either shipping with Python 3.5 or 3.7, so supporting 3.6 is not only somewhat unnecessary but also cumbersome to test locally.
Drop some unused imports, drop an unnecessary dictionary comprehension and some unnecessary control flow.
Correct typo of "output" in a comment.
Release process:
Move generation of debian/tests/control to an external script.
Add some URLs for the site that will appear on PyPI.org.
Update author and author email in setup.py for PyPI.org and similar.
Testsuite improvements:
Update PPU tests for compatibility with Free Pascal versions 3.2.0 or greater. (#968124)
Mark that our identification test for .ppu files requires ppudump version 3.2.0 or higher.
Add an assert_diff helper that loads and compares a fixture output.
Misc:
Duplicate docker instructions in the "Get diffoscope" section of the diffoscope website.
In addition, Mattia Rizzolo documented in setup.py that diffoscope works with Python version 3.8 and Frazer Clews applied some Pylint suggestions and removed some deprecated methods.
Clarify & fix a few entries on the "who" page and ensure that images do not get too large on some viewports.
Clarify use of a pronoun re. Conservancy.
Use "View all our monthly reports" over "View all monthly reports".
Move an "is a" suffix out of the link target on the SOURCE_DATE_EPOCH page.
In addition, Javier Jardón added the freedesktop-sdk project and Kushal Das added the SecureDrop project to our projects page. Lastly, Michael Pöhn added internationalisation and translation support with help from Hans-Christoph Steiner.
Testing framework
The Reproducible Builds project operates a Jenkins-based testing framework to power tests.reproducible-builds.org. This month, Holger Levsen made the following changes:
System health checks:
Improve the explanation of how the status and scores are calculated.
Update and condense the view of detected issues.
Query the canonical configuration file to determine whether a job is disabled instead of duplicating/hardcoding this.
Detect several problems when updating the status of reporting-oriented metapackage sets.
Detect when diffoscope is not installable and failures in DNS resolution.
Mark that the u-boot Universal Boot Loader should not build architecture independent packages on the arm64 architecture anymore.
Finally, build node maintenance was performed by Holger Levsen, Mattia Rizzolo and Vagrant Cascadian.
Mailing list
On our mailing list this month, Leo Wandersleb sent a message to the list after he was wondering how to expand his WalletScrutiny.com project (which aims to improve the security of Bitcoin wallets) from Android wallets to also monitor Linux wallets:
If you think you know how to spread the word about reproducibility in the context of Bitcoin wallets through WalletScrutiny, your contributions are highly welcome on this PR
Julien Lepiller posted to the list linking to a blog post by Tavis Ormandy titled "You don't need reproducible builds". Morten Linderud (foxboron) responded with a clear rebuttal that Tavis was only considering the narrow use-case of proprietary vendors and closed-source software. He additionally noted that the criticism that reproducible builds cannot prevent against backdoors being deliberately introduced into the upstream source ("bugdoors") is decidedly (and deliberately) outside the scope of reproducible builds to begin with.
Chris Lamb included the Reproducible Builds mailing list in a wider discussion regarding a tentative proposal to include .buildinfo files in .deb packages, adding his remarks regarding requiring a custom tool in order to determine whether generated build artifacts are identical in a reproducible context.
Jonathan Bustillos (Jathan) posted a quick email to the list requesting whether there was a list of To do tasks in Reproducible Builds.
Lastly, Chris Lamb responded at length to a query regarding the status of reproducible builds for Debian ISO or installation images. He noted that most of the technical work has been performed but "there are at least four issues until they can be generally advertised as such". He pointed out that the privacy-oriented Tails operating system, which is based directly on Debian, has had reproducible builds for a number of years now.
If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:
Here's my (eleventh) monthly update about the activities I've done in the F/L/OSS world.
Debian
This was my 20th month of contributing to Debian.
I became a DM in late March last year and a DD last Christmas! \o/
Well, this month we had DebConf! \o/
(more about this later this week!)
Anyway, here are the following things I did in Debian this month:
Uploads and bug fixes:
rubocop (0.89.1+dfsg-1) - New upstream version for RuboCop::Packaging.
ruby-rubocop-ast (0.3.0+dfsg-1) - New upstream version for RuboCop's latest version.
Also, I log daily updates at gsocwithutkarsh2102.tk.
Since this is a wrap and whilst the daily updates are already available at the above site^, I'll quickly mention the important points and links here.
Continuation of GSoC for other Ruby related stuff!
Whilst working on Rubocop::Packaging, I contributed to more Ruby projects, refactoring their library a little bit and mostly fixing RuboCop issues and fixing issues that the Packaging extension reports as "offensive".
Following are the PRs that I raised:
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my eleventh month as a Debian LTS and my second as a Debian ELTS paid contributor.
I was assigned 21.75 hours for LTS and 14.25 hours for ELTS and worked on
the following things:
Started working on the uwsgi update for CVE-2020-11984. It seems that src:apache2 wasn't affected by that, but src:uwsgi was.
ELTS CVE Fixes and Announcements:
Issued ELA 255-1, fixing CVE-2020-14344, for libx11.
For Debian 8 Jessie, these problems have been fixed in version 2:1.6.2-3+deb8u3.
Issued ELA 259-1, fixing CVE-2020-10177, for pillow.
For Debian 8 Jessie, these problems have been fixed in version 2.6.1-2+deb8u5.
Issued ELA 269-1, fixing CVE-2020-11985, for apache2.
For Debian 8 Jessie, these problems have been fixed in version 2.4.10-10+deb8u17.
Started working on the clamAV update; it's a major bump from v0.101.5 to v0.102.4. There were lots of moving parts. Contacted upstream maintainers to help reduce the risk of regression. Came up with a patch to loosen the libcurl version requirement. Hopefully, the update could be rolled out soon!
Other (E)LTS Work:
I spent an additional 11.15 hours working on compiling the responses of the LTS survey and preparing a gist of it for its presentation during the Debian LTS BoF at DebConf20.
Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.
In August, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 21.75h for LTS (out of my 30 max; all done) and 14.25h for ELTS (out of my 20 max; all done).
We had a Birds of a Feather videoconf session at DebConf20, sadly with varying quality for participants (from very good to unusable), where we shared the first results of the LTS survey.
There were also discussions about evaluating our security reactivity, which proved surprisingly hard to estimate (neither CVE release date and criticality metrics are accurate nor easily available), and about when it is appropriate to use public naming in procedures.
Interestingly ELTS gained new supported packages, thanks to a new sponsor -- so far I'd seen the opposite, because we were close to the EOL.
As always, there were opportunities to de-dup work through mutual cooperation with the Debian Security team, and LTS/ELTS similar updates.
ELTS - Jessie
Fresh build VMs
rails/redmine: investigate issue, initially no-action as it can't be reproduced on Stretch and isn't supported in Jessie; follow-up when it's supported again
ghostscript: global triage: identify upstream fixed version, distinguish CVEs fixed within a single patch, bisect non-reproducible CVEs, reference missing commit (including at MITRE)
Here's my (tenth) monthly update about the activities I've done in the F/L/OSS world.
Debian
This was my 17th month of contributing to Debian.
I became a DM in late March last year and a DD last Christmas! \o/
Well, this month I didn't do a lot of Debian stuff, like I usually do; however, I did a lot of things related to Debian (indirectly via GSoC)!
Anyway, here are the following things I did this month:
Also, I log daily updates at gsocwithutkarsh2102.tk.
Whilst the daily updates are available at the above site^, I'll break down the important parts of the latter half of the second month here:
Marc Andre, very kindly, helped in fixing the specs that were failing earlier this month. Well, the problem was with the specs, but I am still confused how so. Anyway..
Finished documentation of the second cop and marked the PR as ready to be reviewed.
David reviewed and suggested some really good changes and I fixed/tweaked that PR as per his suggestion to finally finish the last bits of the second cop, RelativeRequireToLib.
Merged the PR upon two approvals and released it as v0.2.0!
We had our next weekly meeting where we discussed the next steps and the things that are supposed to be done for the next set of cops.
Introduced rubocop-packaging to the outer world and requested other upstream projects to use it! It is being used by 13 other projects already!
Started to work on packaging-style-guide but I didn't push anything to the public repository yet.
Worked on refactoring the cops_documentation Rake task which was broken by the new auto-corrector API. Opened PR #7 for it. It'll be merged after the next RuboCop release as it uses the CopsDocumentationGenerator class from the master branch.
Whilst working on autoprefixer-rails, I found something unusual. The second cop shouldn't really report offenses if the require_relative calls are from lib to lib itself. This is a false-positive. Opened issue #8 for the same.
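To make the RelativeRequireToLib check, its -A style auto-correct (from the RuboCop::Packaging section above) and the lib-to-lib false positive concrete, here is an added, simplified re-implementation in plain Ruby. It is not rubocop-packaging's code and does not use the RuboCop cop API; the file paths, sample sources and function names are constructed for illustration, and it assumes the layout the cop targets, where lib/ is installed onto Ruby's load path so `require "foo/bar"` works while relative paths into lib/ from outside it do not.

```ruby
# Added example (not rubocop-packaging's code): a minimal, regex-based version of
# the RelativeRequireToLib check with a self-contained auto-correct.
require "pathname"

# Matches a whole-line `require_relative "..."` / `require_relative '...'` call.
REQUIRE_RELATIVE_RE =
  /\A(?<indent>\s*)require_relative\s+(?<q>["'])(?<target>[^"']+)\k<q>\s*\z/

# Files that live under lib/ may use require_relative amongst themselves:
# the whole lib/ tree is installed together, so those paths stay valid.
# This is the false positive from issue #8, handled by skipping such files.
def inside_lib?(path)
  Pathname.new(path).cleanpath.each_filename.first == "lib"
end

# Resolve a require_relative target against the directory of the requiring file,
# giving a project-relative path (e.g. "spec" + "../lib/foo" -> "lib/foo").
def resolve_target(path, target)
  (Pathname.new(path).dirname + target).cleanpath.to_s
end

# Returns one offense hash per line that reaches into lib/ via require_relative.
# +path+ is the requiring file's project-relative path, +source+ its contents.
def check_relative_require_to_lib(path, source)
  return [] if inside_lib?(path)

  offenses = []
  source.each_line.with_index(1) do |line, lineno|
    m = REQUIRE_RELATIVE_RE.match(line)
    next unless m

    parts = Pathname.new(resolve_target(path, m[:target])).each_filename.to_a
    next unless parts.first == "lib"

    # With lib/ on the load path, the portable form is a plain `require`
    # of the path below lib/ (the library's own name).
    lib_path = parts.drop(1).join("/")
    offenses << {
      line: lineno,
      target: m[:target],
      replacement: "#{m[:indent]}require #{m[:q]}#{lib_path}#{m[:q]}",
    }
  end
  offenses
end

# What `rubocop -A` does for this cop: rewrite each offending line in place,
# keeping the original line terminator.
def autocorrect(path, source)
  fixes = check_relative_require_to_lib(path, source)
            .to_h { |o| [o[:line], o[:replacement]] }
  lines = source.each_line.with_index(1).map do |line, n|
    fixes.key?(n) ? fixes[n] + (line[/\r?\n\z/] || "") : line
  end
  lines.join
end

# Constructed sample: a spec helper outside lib/ reaching into it on lines 2-3;
# line 4 points at spec/support, not lib/, and must be left alone.
SAMPLE_SPEC_HELPER = <<~RUBY
  require "rspec"
  require_relative "../lib/foo"
  require_relative '../lib/foo/version'
  require_relative "support/helpers"
RUBY

# Constructed sample: lib-to-lib relative requires, which must not be flagged.
SAMPLE_LIB_FILE = <<~RUBY
  require_relative "foo/version"
  require_relative "foo/cop"
RUBY

if $PROGRAM_NAME == __FILE__
  check_relative_require_to_lib("spec/spec_helper.rb", SAMPLE_SPEC_HELPER).each do |o|
    puts "spec/spec_helper.rb:#{o[:line]}: require_relative #{o[:target]} reaches into lib/"
  end
  puts autocorrect("spec/spec_helper.rb", SAMPLE_SPEC_HELPER)
  puts "lib/foo.rb offenses: #{check_relative_require_to_lib('lib/foo.rb', SAMPLE_LIB_FILE).size}"
end
```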
Continuation of GSoC for other Ruby related stuff!
Whilst working on rubocop-packaging, I contributed to more Ruby projects, refactoring their library a little bit and mostly fixing RuboCop issues and fixing issues that the Packaging extension reports as "offensive".
Following are the PRs that I raised:
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my tenth month as a Debian LTS and my first as a Debian ELTS paid contributor.
I was assigned 25.25 hours for LTS and 13.25 hours for ELTS and worked on the following things:
Other(s)
Sometimes it gets hard to categorize work/things into a particular category.
That's why I am writing all of those things inside this category.
This includes two sub-categories and they are as follows.
Personal:
This month I did the following things:
Released v0.2.0 of rubocop-packaging on RubyGems!
It's open-sourced and the repository is here.
Bug reports and pull requests are welcomed!
Released v0.1.0 of get_root on RubyGems!
It's open-sourced and the repository is here.
Wrote max-word-frequency, my Rails C1M2 programming assignment.
And made it much neater & cleaner!
Refactored my lts-dla and elts-ela scripts entirely and wrote them in Ruby so that there are no issues and no false-positives!
Check lts-dla here and elts-ela here.
And finally, built my first Rails (mini) web-application!
The repository is here. This was also a programming assignment (C1M3).
And furthermore, hosted it at Heroku.
Open Source:
Again, this contains all the things that I couldn t categorize earlier.
Opened several issues and PRs:
Issue #8273 against rubocop, reporting a false-positive auto-correct for Style/WhileUntilModifier.
Issue #615 against http reporting a weird behavior of a flaky test.
PR #3791 for rubygems/bundler to remove redundant bundler/setup require call from spec_helper generated by bundle gem.
Issue #3831 against rubygems, reporting a traceback of undefined method, rubyforge_project=.
Issue #238 against nheko asking for enhancement in showing the font name in the very font itself.
PR #2307 for puma to constrain rake-compiler to v0.9.4.
And finally, I joined the Cucumber organization! \o/
Thank you for sticking along for so long :)
Until next time. :wq for today.
Here's my (ninth) monthly update about the activities I've done in the F/L/OSS world.
Debian
This was my 16th month of contributing to Debian.
I became a DM in late March last year and a DD last Christmas! \o/
This month was a little intense. I did a lot of different kinds of things in Debian this month. Whilst most of my time went on doing security stuff, I also sponsored a bunch of packages.
Here are the things I did this month:
Uploads and bug fixes:
rails (2:5.2.4.3+dfsg-1) - fix a bunch of CVEs in Sid and Bullseye.
Sponsored ruby-ast for Abraham, libexif for Hugh, djangorestframework-gis and karlseguin-ccache for Nilesh, and twig-extensions, twig-i18n-extension, and mariadb-mysql-kbs for William.
GSoC Phase 1, Part 2!
Last month, I got selected as a Google Summer of Code student for Debian again! \o/
I am working on the Upstream-Downstream Cooperation in Ruby project.
The first half of the first month is blogged here, titled, GSoC Phase 1.
Also, I log daily updates at gsocwithutkarsh2102.tk.
Whilst the daily updates are available at the above site^, I'll break down the important parts of the later half of the first month here:
Spread the word/usage about this tool/library via adding them in the official RuboCop docs.
We had our third weekly meeting where we discussed the next steps and the things that are supposed to be done for the next set of cops.
Wrote more tests so as to cover different aspects of the GemspecGit cop.
Opened PR #4 for the next Cop, RequireRelativeToLib.
Introduced rubocop-packaging to the outer world and requested other upstream projects to use it! It is being used by 6 other projects already
Had our fourth weekly meeting where we pair-programmed (and I sucked :P) and figured out a way to make the second cop work.
Found a bug, reported at issue #5 and raised PR #6 to fix it.
And finally, people loved the library/tool (and its outcome):
(for those who don't know, @bbatsov is the author of RuboCop, @lienvdsteen is an amazing fullstack engineer at GitLab, and @pboling is the author of some awesome Ruby tools and libraries!)
Continuation of GSoC for other Ruby related stuff!
I have already mentioned it multiple times, but it's still not enough to stress how amazing Antonio Terceiro and David Rodríguez are!
They're more than just mentors to me!
Well, only they know how much I trouble them with different things, which are not only related to my GSoC project but also extends to the projects they maintain! :P
David maintains rubygems and bundler and Antonio maintains debci.
So on days when I decide to hack on rubygems or debci, only I know how kind and nice David and Antonio are to me!
They very patiently walk me through whatever I am stuck on, no matter what and no matter when.
Thus, with them around, I contributed to these two projects and more, with regards to working on rubocop-packaging.
Following are a few things that I raised:
Debian LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
This was my ninth month as a Debian LTS paid contributor. I was assigned 30.00 hours and worked on the following things:
Uploaded a fix for CVE-2020-11082, for ruby-kaminari.
This upload was for Sid and Bullseye and this CVE was fixed in version 1.0.1-6.
Uploaded a fix for CVE-2020-10663, for ruby-json, ruby2.1, and ruby2.5.
These uploads were for Stretch and Buster and were fixed in versions 2.3.3-1+deb9u8, 2.1.0+dfsg-2+deb10u1, 2.3.3-1+deb9u8, and 2.5.5-3+deb10u2.
Other(s)
Sometimes it gets hard to categorize work/things into a particular category.
That's why I am writing all of those things inside this category.
This includes two sub-categories and they are as follows.
Personal:
This month I did the following things:
Wrote and published v0.1.0 of rubocop-packaging on RubyGems!
It's open-sourced and the repository is here.
Bug reports and pull requests are welcomed!
Integrated a tiny (yet powerful) hack to align images in markdown for my blog.
Commit here.