Here's my (eighteenth) monthly update about the activities I've done in the F/L/OSS world.
Debian
This was my 27th month of active contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
This month was a bit exhausting; lots of moving parts. With the financial year ending, it was even more crazy, with me running around to banks, CA, et al.
Anyway, now that I'm working on Ubuntu full-time, I did little Debian work this month. Here are the things I worked on:
Filed bug #985314 against asterisk (systemd misconfiguration) and added a patch as well.
Filed bug #985421 against at (add DEP8 tests) and added a patch as well.
Other $things:
Attended the Debian LTS team meeting.
Mentoring for newcomers.
Moderation of -project mailing list.
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my eighteenth month as a Debian LTS and ninth month as a Debian ELTS paid contributor.
I was assigned 60.00 hours for LTS and 39.00 hours for ELTS and worked on the following things:
LTS CVE Fixes and Announcements:
Issued DLA 2580-1, fixing CVE-2021-21311, for adminer.
For Debian 9 stretch, these problems have been fixed in version 4.2.5-3+deb9u2.
Issued DLA 2581-1, fixing CVE-2021-27803, for wpa.
For Debian 9 stretch, these problems have been fixed in version 2:2.4-1+deb9u9.
Issued DLA 2585-1, fixing CVE-2020-13848, for libupnp.
For Debian 9 stretch, these problems have been fixed in version 1:1.6.19+git20160116-1.2+deb9u1.
Issued DLA 2589-2, fixing regression caused by DLA 2589-1, for mupdf.
For Debian 9 stretch, these problems have been fixed in version 1.9a+ds1-4+deb9u7.
Issued DLA 2598-1, fixing CVE-2020-25097, for squid3.
For Debian 9 stretch, these problems have been fixed in version 3.5.23-5+deb9u6.
Marked CVE-2021-21330/python-aiohttp as not-affected for stretch.
Marked CVE-2021-20233, CVE-2021-20225, CVE-2020-27779, CVE-2020-27778, CVE-2020-27749, CVE-2020-27748, CVE-2020-25647, CVE-2020-25632, CVE-2020-25631, and CVE-2020-14372, affecting grub2, as ignored for stretch and jessie.
Marked CVE-2020-27842/openjpeg2 as no-dsa for jessie.
Marked CVE-2020-27843/openjpeg2 as no-dsa for jessie.
Marked CVE-2021-28041/openssh as not-affected for jessie.
Marked CVE-2020-35523 and CVE-2020-35524/tiff as no-dsa for jessie.
Marked CVE-2021-20201/spice as no-dsa for jessie.
Marked CVE-2020-11988/xmlgraphics-commons as postponed for jessie.
Marked CVE-2020-11987/batik as postponed for jessie.
Marked CVE-2020-12695/libupnp as no-dsa for stretch.
Marked CVE-2021-25122/tomcat7 as not-affected for stretch.
Marked CVE-2021-25329/tomcat7 as ignored for stretch.
Marked CVE-2021-28116/squid3 as postponed for stretch and jessie.
Marked CVE-2021-3449/openssl as not-affected for stretch.
Document extra notes for grub2 for LTS and co-ordinate with the sec-team.
Document extra notes for pillow about piled-up issues in jessie.
Issued DLA-2593-1 for ca-certificates on Microsoft's request; co-ordinating w/ them.
Co-ordinating w/ maintainer of courier-authlib for stretch and jessie update.
Fixing build failures of the ELTS security tracker and re-ordering entries in the data/CVE-EXTENDED-LTS/list file.
Answered queries from dupondje and mikap on IRC about openssl, and about it being not-affected for stretch.
Help review the status of CVE-2021-3121/golang-github-gogo-protobuf-dev for Ola.
Co-ordinating w/ Noah for cloud-init and setuptools.
Auto-EOL'ed mongodb, linux, guacamole-client, node-xmlhttprequest, newlib, neutron, privoxy, glpi, and zabbix for jessie.
Attended monthly meeting for Debian LTS.
Answered questions (& discussions) on IRC (#debian-lts and #debian-elts).
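The per-release markers used above (not-affected, no-dsa, postponed, ignored, or a fixed version) are annotations in the security tracker's data/CVE/list file, and the ELTS tracker's data/CVE-EXTENDED-LTS/list uses the same syntax. As an added example, not code from this post or from the tracker itself, here is a small parser for that format that groups CVEs by their state in a given release and lists what still needs a DLA/ELA or a triage decision. The sample entries are constructed in the tracker's syntax using CVE IDs, package names and statuses named in this post; the one-line descriptions, unstable versions and reasons are placeholders written for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the syntax of the tracker's data/CVE/list (and the ELTS
# data/CVE-EXTENDED-LTS/list) file: a CVE header line, then tab-indented
# sub-entries. CVE IDs, package names and per-release statuses come from the
# post above; descriptions, unstable versions and reasons are placeholders.
SAMPLE_LIST = """\
CVE-2021-3449 (OpenSSL NULL pointer dereference in TLSv1.2 renegotiation)
\t- openssl 1.1.1k-1
\t[stretch] - openssl <not-affected> (Vulnerable code not present)
\tNOTE: https://www.openssl.org/news/secadv/20210325.txt
CVE-2021-28116 (Squid out-of-bounds read in WCCP protocol data)
\t- squid 4.13-8
\t- squid3 <removed>
\t[stretch] - squid3 <postponed> (Minor issue; fix along with next update)
\t[jessie] - squid3 <postponed> (Minor issue; fix along with next update)
CVE-2021-25329 (Tomcat incomplete fix for CVE-2020-9484)
\t- tomcat9 9.0.43-1
\t- tomcat7 <removed>
\t[stretch] - tomcat7 <ignored> (Requires non-default configuration)
CVE-2020-25097 (Squid HTTP request smuggling via URI processing)
\t- squid 4.13-1
\t[stretch] - squid3 3.5.23-5+deb9u6
CVE-2020-12695 (libupnp SSRF via SUBSCRIBE callback header, "CallStranger")
\t- libupnp 1:1.8.4-3
\t[stretch] - libupnp <no-dsa> (Minor issue)
"""

HEADER_RE = re.compile(r"^(CVE-\d{4}-\d{4,7})(?:\s+\((.*)\))?\s*$")
# "[release] - package <status> (reason)"  or  "[release] - package version"
RELEASE_RE = re.compile(
    r"^\[(?P<release>[a-z-]+)\]\s+-\s+(?P<pkg>\S+)\s+"
    r"(?:<(?P<status>[a-z-]+)>|(?P<version>\S+))"
    r"(?:\s+\((?P<reason>.*)\))?\s*$"
)
# "- package version (bug #...)"  or  "- package <status>"  (unstable/sid line)
UNSTABLE_RE = re.compile(
    r"^-\s+(?P<pkg>\S+)\s+(?:<(?P<status>[a-z-]+)>|(?P<version>\S+))"
    r"(?:\s+\((?P<reason>.*)\))?\s*$"
)


@dataclass
class Entry:
    cve: str
    description: str = ""
    unstable: dict = field(default_factory=dict)   # pkg -> version or "<status>"
    releases: dict = field(default_factory=dict)   # (release, pkg) -> (state, version, reason)
    notes: list = field(default_factory=list)


def parse_list(text: str) -> dict:
    """Parse the list file into {cve_id: Entry}, in file order."""
    entries: dict = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                      # top-level: a new CVE header
            m = HEADER_RE.match(raw)
            if not m:
                raise ValueError(f"unexpected top-level line: {raw!r}")
            current = Entry(cve=m.group(1), description=m.group(2) or "")
            entries[current.cve] = current
            continue
        if current is None:
            raise ValueError("indented line before any CVE header")
        line = raw.strip()
        if line.startswith(("NOTE:", "TODO:")):
            current.notes.append(line)
            continue
        m = RELEASE_RE.match(line)
        if m:
            state = m.group("status") or "fixed"      # a bare version means fixed
            current.releases[(m.group("release"), m.group("pkg"))] = (
                state, m.group("version"), m.group("reason") or "")
            continue
        m = UNSTABLE_RE.match(line)
        if m:
            current.unstable[m.group("pkg")] = m.group("version") or f"<{m.group('status')}>"
            continue
        raise ValueError(f"unparsed line under {current.cve}: {line!r}")
    return entries


def triage_summary(entries: dict, release: str) -> dict:
    """Group CVE IDs by their state in one release. An entry with no line for
    that release is 'untriaged': the tracker then derives the state from the
    unstable line, so these are the IDs a front-desk shift still has to look at."""
    summary: dict = {}
    for entry in entries.values():
        states = {st for (rel, _pkg), (st, _ver, _why) in entry.releases.items() if rel == release}
        for st in states or {"untriaged"}:
            summary.setdefault(st, []).append(entry.cve)
    return summary


PENDING = {"untriaged", "postponed"}


def needs_update(entries: dict, release: str) -> list:
    """CVE IDs that still need a DLA/ELA or a decision for `release`: anything
    untriaged or explicitly postponed. not-affected, no-dsa and ignored are
    decisions, and a version string means the fix was already uploaded."""
    summary = triage_summary(entries, release)
    return sorted(cve for st in PENDING for cve in summary.get(st, []))


if __name__ == "__main__":
    parsed = parse_list(SAMPLE_LIST)
    for rel in ("stretch", "jessie"):
        print(rel, triage_summary(parsed, rel))
        print(rel, "pending:", needs_update(parsed, rel))
```

The parser deliberately raises on any line it does not recognise rather than skipping it, because a silently dropped annotation would make a postponed or untriaged issue look handled; that is the failure mode to avoid when re-ordering entries in the file by hand.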
Here's my (seventeenth) monthly update about the activities I've done in the F/L/OSS world.
Debian
This was my 26th month of active contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
This month was a nice mix of amusement, excitement, nervousness, and craziness. More on it below.
Anyway, whilst I was super-insanely busy this month, I still did some Debian stuff here and there. Here are the following things I worked on:
Sponsored ruby-rspec-stubbed-env for Cédric Boutillier, heh :P
Interesting Bits!
Last month, I wrote:
Besides, there's something more that is in the pipelines. Can't talk about it now, shh. But hopefully very sooooooon!
And now I can talk about it! So here it is..
I've joined Canonical as an SDE to work on Ubuntu, full time!!! \o/
Fully remote + dream job/work + most of the work is in the open-source domain + the beessstttt co-workers one could ever ask for!
It's been an amazing time so far and I'll talk more about it later this month.
But for now, here's our team monitor selfie (with Rick missing because of his "secret plan"!) We'll soon e-meet them in a more detailed manner in the next blog post, that is, later this month!
In another exciting news, I got 2 more CVEs assigned!!! \o/
No, it is not something that I found; it was discovered by Tavis Ormandy. I just assigned them CVE IDs: CVE-2021-26937 for screen and CVE-2021-27135 for xterm.
This is my 2nd and 3rd, so I am (still) very excited about this! ^_^
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my sixteenth month as a Debian LTS and seventh month as a Debian ELTS paid contributor.
I was assigned 60.00 hours for LTS and 60.00 hours for ELTS and worked on the following things:
(however, I had overworked for 9 hours for both, LTS and ELTS, last month so I had to work for 51 hours for both this month!)
Here's my (sixteenth) monthly update about the activities I've done in the F/L/OSS world.
Debian
This was my 25th month of contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
This month was bat-shit crazy. Why? We'll come to it later, probably the 15th of this month?
Anyway, besides being crazy, hectic, adventurous, and the first of 2021, this month I was super-insanely busy. With what? Hm, more about this later this month! ^_^
However, I still did some Debian stuff here and there. Here are the following things I worked on:
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my sixteenth month as a Debian LTS and seventh month as a Debian ELTS paid contributor.
I was assigned 26.00 hours for LTS and 36.75 hours for ELTS and worked on the following things:
(however, I worked extra for 9 hours for LTS and 9 hours for ELTS this month, which I intend to balance from the next month!)
LTS CVE Fixes and Announcements:
Issued DLA 2518-1, fixing CVE-2020-35492, for cairo.
For Debian 9 Stretch, these problems have been fixed in version 1.14.8-1+deb9u1.
Prepared DSA 4831-1, fixing CVE-2020-26298, for ruby-redcarpet.
For Debian 10 Buster, these problems have been fixed in version 3.4.0-4+deb10u1. The announcement was released by the Security Team.
This January, on 23rd and 24th, we had Mini DebConf India 2021 online.
I had a talk as well, titled "Why Point Releases are important and how you can help prepare them?".
It was a fun and very short talk, where I just list out the reasons and ways to help in the preparation of "point releases". I did some experimentation with this talk, figuring out what works for the audience and what doesn't and where I can improve for the next time I talk about this topic! \o/
You can listen to the talk here and let me know if you have any feedback!
Anyway, the conference lasted for 2 days and I also did some volunteering (talk director, talk meister) in Hindi and English, both! It was all so fun and new. Anyway, here's the picture we took:
In another exciting news, I got my first CVE assigned!!! \o/
No, it is not something that I found; it was discovered by Tavis Ormandy. I just assigned this a CVE ID, CVE-2021-3181.
This is my first, so I am very excited about this! ^_^
Besides, there's something more that is in the pipelines. Can't talk about it now, shh. But hopefully very sooooooon!
Other $things! \o/
This month was tiresome; with most of the time being spent on the Debian stuff, I did very little work outside it, really. The issues and patches that I sent are:
Issue #700 for redcarpet, asking for a reproducer for CVE-2020-26298 and some additional patch related queries.
Issue #7 for in-parallel, asking them to not use relative paths for tests.
Issue #8 for in-parallel, reporting a test failure for the library.
Issue #2 for rake-ant, asking them to bump their dependencies to a newer version.
PR #3 for rake-ant, bumping the dependencies to a newer version, fixing the above issue, heh.
Issue #4 for rake-ant, requesting to drop git from their gemspec.
PR #5 for rake-ant, dropping git from gemspec, fixing the above issue, heh.
Issue #95 for WavPack, asking for a review of past security vulnerabilities wrt v4.70.0.
Reviewed PR #128 for ruby-openid, addressing the past regression with CVE fix merge.
Reviewed PR #63 for cocoapods-acknowledgements, updating redcarpet to v3.5.1, as a safety measure due to recently discovered vulnerability.
Issue #1331 for bottle, asking for relevant commits for CVE-2020-28473 and clarifying other things.
Issue #5 for em-redis, reporting test failures on IPv6-only build machines.
Issue #939 for eventmachine, reporting test failures for em-redis on IPv6-only build machines.
Here's my (fifteenth) monthly update about the activities I've done in the F/L/OSS world.
Debian
This was my 24th month of contributing to Debian.
I became a DM in late March last year and a DD last Christmas! \o/
Amongst a lot of things, this month was crazy, hectic, adventurous, and the last of 2020; more on some parts later this month.
I finally finished my 7th semester (FTW!) and moved onto my last one! That said, I had been busy with other things but still did a bunch of Debian stuff
Here are the following things I did this month:
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my fifteenth month as a Debian LTS and sixth month as a Debian ELTS paid contributor.
I was assigned 26.00 hours for LTS and 38.25 hours for ELTS and worked on the following things:
LTS CVE Fixes and Announcements:
Issued DLA 2474-1, fixing CVE-2020-28928, for musl.
For Debian 9 Stretch, these problems have been fixed in version 1.1.16-3+deb9u1.
Issued DLA 2484-1, fixing #969126, for python-certbot.
For Debian 9 Stretch, these problems have been fixed in version 0.28.0-1~deb9u3.
Issued DLA 2487-1, fixing CVE-2020-27350, for apt.
For Debian 9 Stretch, these problems have been fixed in version 1.4.11. The update was prepared by the maintainer, Julian.
Issued DLA 2488-1, fixing CVE-2020-27351, for python-apt.
For Debian 9 Stretch, these problems have been fixed in version 1.4.2. The update was prepared by the maintainer, Julian.
Issued DLA 2495-1, fixing CVE-2020-17527, for tomcat8.
For Debian 9 Stretch, these problems have been fixed in version 8.5.54-0+deb9u5.
Issued DLA 2488-2, for python-apt.
For Debian 9 Stretch, these problems have been fixed in version 1.4.3. The update was prepared by the maintainer, Julian.
Issued DLA 2508-1, fixing CVE-2020-35730, for roundcube.
For Debian 9 Stretch, these problems have been fixed in version 1.2.3+dfsg.1-4+deb9u8. The update was prepared by the maintainer, Guilhem.
ELTS CVE Fixes and Announcements:
Issued ELA 324-1, fixing CVE-2020-28928, for musl.
For Debian 8 Jessie, these problems have been fixed in version 1.1.5-2+deb8u2.
Issued ELA 325-1, fixing CVE-2020-28896, for mutt.
For Debian 8 Jessie, these problems have been fixed in version 1.5.23-3+deb8u4.
Marked CVE-2020-17527/tomcat8 as not-affected for jessie.
Marked CVE-2020-28052/bouncycastle as not-affected for jessie.
Marked CVE-2020-14394/qemu as postponed for jessie.
Marked CVE-2020-35738/wavpack as not-affected for jessie.
Marked CVE-2020-35503, CVE-2020-35504, CVE-2020-35505, and CVE-2020-35506/qemu as postponed for jessie.
Marked CVE-2020-35503, CVE-2020-35504, CVE-2020-35505, and CVE-2020-35506/qemu as postponed for stretch.
Marked CVE-2020-16093/lemonldap-ng as no-dsa for stretch.
Marked CVE-2020-27837/gdm3 as no-dsa for stretch.
Marked CVE-2020-13987, CVE-2020-13988, and CVE-2020-17437/open-iscsi as no-dsa for stretch.
Marked CVE-2020-35450/gobby as no-dsa for stretch.
Marked CVE-2020-35728/jackson-databind as no-dsa for stretch.
Marked CVE-2020-28935/nsd as no-dsa for stretch.
Auto-EOL'ed libpam-tacplus, open-iscsi, wireshark, gdm3, golang-go.crypto, jackson-databind, spotweb, python-autobahn, asterisk, nsd, ruby-nokogiri, linux, and motion for jessie.
Bugs and Patches
Well, I did report some bugs and issues and also sent some patches:
Issue #44 for github-activity-readme, asking for a feature request to set a custom committer's email address.
Issue #711 for git2go, reporting build failure for the library.
PR #89 for rubocop-rails_config, bumping RuboCop::Packaging to v0.5.
Issue #36 for rubocop-packaging, asking to try out mutant :)
PR #212 for cucumber-ruby-core, bumping RuboCop::Packaging to v0.5.
PR #213 for cucumber-ruby-core, enabling RuboCop::Packaging.
Issue #19 for behance, asking to relax constraints on faraday and faraday_middleware.
PR #37 for rubocop-packaging, enabling tests against ruby3.0! \o/
PR #489 for cucumber-rails, bumping RuboCop::Packaging to v0.5.
Issue #362 for nheko, reporting a crash when opening the application.
PR #1282 for paper_trail, adding RuboCop::Packaging amongst other used extensions.
Bug #978640 for nheko Debian package, reporting a crash, as a result of libfmt7 regression.
Misc and Fun
Besides squashing bugs and submitting patches, I did some other things as well!
Participated in my first Advent of Code event! :)
Whilst it was indeed fun, I didn't really complete it. No reason, really. But I'll definitely come back stronger next year, heh! :)
All the solutions thus far could be found here.
Did a couple of reviews for some PRs and triaged some bugs here and there, meh.
Also did some cloud debugging, not so fun if you ask me, but cool enough to make me want to do it again! ^_^
Worked along with pollo, zigo, ehashman, rlb, et al for puppet and puppetserver in Debian. OMG, they re so lovely! <3
Ordered some interesting books to read January onward. New year resolution? Meh, not really. Or maybe. But nah.
Also did some interesting stuff this month but can't really talk about it now. Hopefully sooooon.
After an unexpectedly short discussion on debian-project, we're moving forward with this new initiative. The Debian security team submitted a project proposal requesting some improvements to tracker.debian.org, and since nobody on the security team wants to be paid to implement the project, we have opened a request for bids to find someone to implement this on a contractor basis.
If you can code in Python following test-driven development and know the Django framework, feel free to submit a bid! Ideally you have some experience with the security tracker too but that's not a strong requirement.
About the project
If you haven t read the discussion on debian-project, Freexian is putting aside part of the money collected for Debian LTS to use it to fund generic Debian development projects. The goal is two-fold:
First, the LTS work necessarily had an impact on other Debian teams that made the project possible (security team, DSA, buildd, ftpmasters, debian-www mainly) and we wanted to be able to give back to those teams by funding improvements to their infrastructure.
We have always allowed paid contributors to go beyond just preparing security updates for the LTS release. They can pick tasks that improve the LTS project at large (we try to collect such tasks here: https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues) but they should not go over 25% of their allocated monthly hours so this limits their ability to tackle bigger projects and we would like to be able to tackle bigger projects that can have a meaningful impact on the LTS project and/or Debian in general.
We have tried to formalize a process to follow from project submission up to its implementation in this salsa project: https://salsa.debian.org/freexian-team/project-funding https://salsa.debian.org/freexian-team/project-funding/-/blob/master/Rules-LTS.md
We highly encourage the above-mentioned Debian teams to make proposals. A member of those teams can implement the project and be paid for it. Or they can decide to let someone else implement it (we expect some of the paid LTS contributors to be willing to implement such projects), and just play the reviewer role, driving the person doing the work in the right direction. Contrary to Google's Summer of Code and other similar projects, we put the focus on the results (and not on recruiting new volunteers), so we expect to work with experienced persons to implement the project. But if the reviewer is happy to be a mentor and spend more time, then it's OK for us too. The reviewer is (usually) not a paid position.
If you re not among those teams, but if you have a project that can have a positive impact on Debian LTS (even if only indirectly in the distant future), feel free to try your chance and to submit a proposal.
Here's my (fourteenth) monthly update about the activities I've done in the F/L/OSS world.
Debian
This was my 23rd month of contributing to Debian.
I became a DM in late March last year and a DD last Christmas! \o/
Apart from doing a bunch of activities like attending KubeCon + RubyConf (blog to follow!), et al, and simultaneously giving my undergrad exams, I did (relatively) more work than I had really anticipated!
Here are the following things I did in Debian this month:
micro (2.0.8-1) - New upstream version, v2.0.8. Finally! \o/
ruby-zeitwerk (2.4.2-1) - New upstream version, v2.4.2.
Other $things:
Attended the Debian Ruby team meeting.
Mentoring for newcomers.
FTP Trainee reviewing.
Moderation of -project mailing list.
Sponsored phpmyadmin for William and libexif for Hugh.
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my fourteenth month as a Debian LTS and fourth month as a Debian ELTS paid contributor.
I was assigned 22.75 hours for LTS and 45.00 hours for ELTS and worked on the following things:
(for ELTS, I worked for 5.25 hours last month, so I had to work for 39.75 (+1 extra) hours this month)
(also, I did over-work by 5.00 hours for LTS this month, but I ll re-compensate it later to avoid so much fuss!)
LTS CVE Fixes and Announcements:
Issued DLA 2425-1, fixing CVE-2020-25692, for openldap.
For Debian 9 Stretch, these problems have been fixed in version 2.4.44+dfsg-5+deb9u5.
Issued DLA 2427-1, fixing CVE-2020-14355, for spice.
For Debian 9 Stretch, these problems have been fixed in version 0.12.8-2.1+deb9u4.
Issued DLA 2428-1, fixing CVE-2020-14355, for spice-gtk.
For Debian 9 Stretch, these problems have been fixed in version 0.33-3.3+deb9u2.
Issued DLA 2430-1, fixing CVE-2020-15238, for blueman.
For Debian 9 Stretch, these problems have been fixed in version 2.0.4-1+deb9u1.
Issued DLA 2439-1, fixing CVE-2020-0452, for libexif.
For Debian 9 Stretch, these problems have been fixed in version 0.6.21-2+deb9u5.
Issued DLA 2443-1, fixing CVE-2020-15166, for zeromq3.
For Debian 9 Stretch, these problems have been fixed in version 4.2.1-4+deb9u3.
Issued DLA 2444-1, fixing CVE-2020-8037, for tcpdump.
For Debian 9 Stretch, these problems have been fixed in version 4.9.3-1~deb9u2.
ELTS CVE Fixes and Announcements:
Issued ELA 306-1, fixing CVE-2020-25692, for openldap.
For Debian 8 Jessie, these problems have been fixed in version 2.4.40+dfsg-1+deb8u7.
Issued ELA 310-1, fixing CVE-2020-0452, for libexif.
For Debian 8 Jessie, these problems have been fixed in version 0.6.21-2+deb8u5.
Issued ELA 311-1, fixing CVE-2020-8037, for tcpdump.
For Debian 8 Jessie, these problems have been fixed in version 4.9.3-1~deb8u2.
Issued ELA 312-1, backporting a new upstream release, 2020d, for tzdata.
For Debian 8 Jessie, these problems have been fixed in version 2020d-0+deb8u1.
Issued ELA 313-1, fixing CVE-2020-15166, for zeromq3.
For Debian 8 Jessie, these problems have been fixed in version 4.0.5+dfsg-2+deb8u3.
Prepared a debdiff for lxml (3.4.0-1+deb8u2) upload, which Emilio completed and rolled out later.
Other (E)LTS Work:
Front-desk duty from 26-10 until 01-10 and from 23-11 until 29-11 for both LTS and ELTS.
Here's my (thirteenth) monthly update about the activities I've done in the F/L/OSS world.
Debian
This was my 22nd month of contributing to Debian.
I became a DM in late March last year and a DD last Christmas! \o/
Whilst busy with my undergrad, I could still take some time out for contributing to Debian (I always do!).
Here are the following things I did in Debian this month:
Sponsored phpmyadmin, php-bacon-baconqrcode, twig, php-dasprid-enum, sql-parser, and mariadb-mysql-kbs for William.
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my thirteenth month as a Debian LTS and fourth month as a Debian ELTS paid contributor.
I was assigned 20.75 hours for LTS and 30.00 hours for ELTS and worked on the following things:
(for ELTS, I worked for 5.25 hours extra, so my total hours this month for ELTS were 35.25!)
Here's my (twelfth) monthly update about the activities I've done in the F/L/OSS world.
Debian
This was my 21st month of contributing to Debian.
I became a DM in late March last year and a DD last Christmas! \o/
I've been busy with my undergraduate stuff but I still squeezed out some time for the regular Debian work.
Here are the following things I did in Debian this month:
Sponsored trace-cmd for Sudip, ruby-asset-sync for Nilesh, and mariadb-mysql-kbs for William.
RuboCop::Packaging - Helping the Debian Ruby team! \o/
This Google Summer of Code, I worked on writing a linter that could flag offenses for lines of code that are very troublesome for Debian maintainers while trying to package and maintain Ruby libraries and applications!
Whilst the GSoC period is over, I've been working on improving that tool and have extended that linter to now auto-correct these offenses by itself! \o/
You can now just use the -A flag and you're done! Boom! The ultimate game-changer!
Here s a quick demo for this feature:
A few quick updates on RuboCop::Packaging:
Has 4 cops, solving 4 different issues.
3 of them support auto-correction. Just use the -A flag.
I ve also spent a considerable amount of time in raising awareness about this and in more general sense, about downstream maintenance.
As a result, I raised a bunch of PRs which got a really good response. I got all of the 20 PRs merged upstream, fixing these issues.
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my twelfth month as a Debian LTS and third month as a Debian ELTS paid contributor.
I was assigned 19.75 hours for LTS and 15.00 hours for ELTS and worked on the following things:
(for LTS, I over-worked for 11 hours last month on the survey so only had 8.75 hours this month!)
LTS CVE Fixes and Announcements:
Issued DLA 2362-1, fixing CVE-2020-11984, for uwsgi.
For Debian 9 Stretch, these problems have been fixed in version 2.0.14+20161117-3+deb9u3.
Issued DLA 2363-1, fixing CVE-2020-17446, for asyncpg.
For Debian 9 Stretch, these problems have been fixed in version 0.8.4-1+deb9u1.
Issued ELA 274-1, fixing CVE-2020-11984, for uwsgi.
For Debian 8 Jessie, these problems have been fixed in version 2.0.7-1+deb8u3.
Issued ELA 275-1, fixing CVE-2020-14363, for libx11.
For Debian 8 Jessie, these problems have been fixed in version 2:1.6.2-3+deb8u4.
Issued ELA 278-1, fixing CVE-2020-8184, for ruby-rack.
For Debian 8 Jessie, these problems have been fixed in version 1.5.2-3+deb8u4.
Also worked on updating the version of ClamAV from v0.101.5 to v0.102.4.
This was a bit of a tricky package to work on since it involved an ABI/API change and was more or less a transition.
Super thanks to Emilio for his invaluable help and him taking over the package, finishing, and uploading it in the end.
Other (E)LTS Work:
Front-desk duty from 31-08 to 06-09 and from 28-09 onward for both LTS and ELTS.
Welcome to the August 2020 report from the Reproducible Builds project.
In our monthly reports, we summarise the things that we have been up to over the past month. The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced from the original free software source code to the pre-compiled binaries we install on our systems. If you're interested in contributing to the project, please visit our main website.
This month, Jennifer Helsby launched a new reproduciblewheels.com website to address the lack of reproducibility of Python wheels.
To quote Jennifer's accompanying explanatory blog post:
One hiccup we've encountered in SecureDrop development is that not all Python wheels can be built reproducibly. We ship multiple (Python) projects in Debian packages, with Python dependencies included in those packages as wheels. In order for our Debian packages to be reproducible, we need that wheel build process to also be reproducible
Reproducible builds at DebConf20
There were a number of talks at the recent online-only DebConf20 conference on the topic of reproducible builds.
Holger gave a talk titled "Reproducing Bullseye in practice", focusing on independently verifying that the binaries distributed from ftp.debian.org are made from their claimed sources. It also served as a general update on the status of reproducible builds within Debian. The video (145 MB) and slides are available.
There were also a number of other talks that involved Reproducible Builds too. For example, the Malayalam language mini-conference had a talk (in Malayalam; the title is given here in translation) "I want to join Debian, what should I do?" presented by Praveen Arimbrathodiyil, the Clojure Packaging Team BoF session led by Elana Hashman, as well as "Where is Salsa CI right now?" that was on the topic of Salsa, the collaborative development server that Debian uses to provide the necessary tools for package maintainers, packaging teams and so on.
Jonathan Bustillos (Jathan) also gave a talk in Spanish titled "Un camino verificable desde el origen hasta el binario" ("A verifiable path from source to binary"). (Video, 88MB)
Development work
After many years of development work, the compiler for the Rust programming language now generates reproducible binary code. This generated some general discussion on Reddit on the topic of reproducibility in general.
Paul Spooren posted a request for comments to OpenWrt's openwrt-devel mailing list asking for clarification on when to raise the PKG_RELEASE identifier of a package. This is needed in order to successfully perform rebuilds in a reproducible builds context.
In openSUSE, Bernhard M. Wiedemann published his monthly Reproducible Builds status update.
Chris Lamb provided some comments and pointers on an upstream issue regarding the reproducibility of a Snap / SquashFS archive file. []
Debian
Holger Levsen identified that a large number of Debian .buildinfo build certificates have been tainted on the official Debian build servers, as these environments have files underneath the /usr/local/sbin directory []. He also filed a bug against debrebuild after spotting that it can fail to download packages from snapshot.debian.org [].
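The taint described above is recorded in the .buildinfo file itself, in its Build-Tainted-By field, next to the checksums of the produced artifacts and the exact versions of the installed build-dependencies that a rebuilder needs. As an added example (not code from this report or from any Debian tool), here is a small Python parser for a .buildinfo stanza that pulls those fields out and decides whether a set of rebuilt or downloaded artifacts matches the recorded checksums and whether the recorded environment was clean. The .buildinfo text and the artifact bytes are constructed for this example; its package name, versions, date and path are placeholders, and the taint value is written in the form dpkg uses for programs found under /usr/local.

```python
import hashlib
import re

# Constructed .buildinfo stanza for this example. The layout follows the
# deb822 format that dpkg-genbuildinfo writes; the package name, versions,
# date and path are placeholders, and ARTIFACT stands in for the .deb.
ARTIFACT = b"constructed stand-in for example_1.0-1_amd64.deb\n"
SAMPLE_BUILDINFO = f"""\
Format: 1.0
Source: example
Binary: example
Architecture: amd64
Version: 1.0-1
Checksums-Sha256:
 {hashlib.sha256(ARTIFACT).hexdigest()} {len(ARTIFACT)} example_1.0-1_amd64.deb
Build-Origin: Debian
Build-Architecture: amd64
Build-Date: Sat, 01 Aug 2020 12:00:00 +0000
Build-Path: /build/example-abc123
Build-Tainted-By:
 usr-local-has-programs
Installed-Build-Depends:
 debhelper (= 13.2),
 gcc (= 4:10.1.0-1)
Environment:
 DEB_BUILD_OPTIONS="parallel=4"
 LANG="C.UTF-8"
"""


def parse_buildinfo(text: str) -> dict:
    """Parse one deb822 stanza into a field -> value map (keys lower-cased,
    since deb822 field names are case-insensitive). Continuation lines, which
    start with whitespace, are kept as newline-separated items in the value.
    Expects the bare stanza: verify and strip any clearsign armour first.
    The stanza ends at the first blank line after the fields, so a trailing
    signature block separated by a blank line is ignored."""
    fields: dict = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            if fields:
                break
            continue
        if line[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current] += "\n" + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep or " " in name.strip():
            raise ValueError(f"malformed field line: {line!r}")
        current = name.strip().lower()
        fields[current] = value.strip()
    return fields


def taints(info: dict) -> list:
    """Build-Tainted-By entries; an empty list means dpkg saw a clean environment."""
    return info.get("build-tainted-by", "").split()


def checksums_sha256(info: dict) -> dict:
    """Checksums-Sha256 as {filename: (hex_digest, size_in_bytes)}."""
    result = {}
    for line in info.get("checksums-sha256", "").splitlines():
        if line:
            digest, size, name = line.split()
            result[name] = (digest, int(size))
    return result


def installed_build_depends(info: dict) -> list:
    """Exact build-dependency versions a rebuilder must install, as (pkg, version)."""
    deps = []
    for item in info.get("installed-build-depends", "").split(","):
        item = item.strip()
        if not item:
            continue
        m = re.fullmatch(r"(\S+) \(= (\S+)\)", item)
        if not m:
            raise ValueError(f"unexpected Installed-Build-Depends item: {item!r}")
        deps.append((m.group(1), m.group(2)))
    return deps


def verify_files(info: dict, files: dict) -> dict:
    """Compare artifacts (filename -> bytes) against the recorded checksums.
    Returns filename -> True/False; a listed file missing from `files` maps to None."""
    out = {}
    for name, (digest, size) in checksums_sha256(info).items():
        data = files.get(name)
        if data is None:
            out[name] = None
        else:
            out[name] = len(data) == size and hashlib.sha256(data).hexdigest() == digest
    return out


def rebuild_verdict(info: dict, files: dict) -> tuple:
    """(ok, reasons): ok only if every listed artifact matches and the build
    environment is untainted. A tainted environment (e.g. extra programs under
    /usr/local) means a rebuilder cannot reconstruct the recorded environment
    from the listed build-dependencies alone, even if the checksums match."""
    reasons = [f"tainted build environment: {t}" for t in taints(info)]
    for name, ok in verify_files(info, files).items():
        if ok is None:
            reasons.append(f"missing artifact: {name}")
        elif not ok:
            reasons.append(f"checksum mismatch: {name}")
    return (not reasons, reasons)


if __name__ == "__main__":
    parsed = parse_buildinfo(SAMPLE_BUILDINFO)
    print(installed_build_depends(parsed))
    print(rebuild_verdict(parsed, {"example_1.0-1_amd64.deb": ARTIFACT}))
```

A matching checksum with a tainted environment is reported as a failure on purpose: the checksum only shows that this particular build produced the file, while the taint says the recorded environment is not one that the Installed-Build-Depends list lets anyone else recreate.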
This month, several issues were uncovered (or assisted) due to the efforts of reproducible builds.
For instance, Debian bug #968710 was filed by Simon McVittie, which describes a problem with detached debug symbol files (required to generate a traceback) that is unlikely to have been discovered without reproducible builds. In addition, Jelmer Vernooij drew attention to the fact that the new Debian Janitor tool is using the property of reproducibility (as well as diffoscope) when applying archive-wide changes to Debian:
New merge proposals also include a link to the diffoscope diff between a vanilla build and the build with changes. Unfortunately these can be a bit noisy for packages that are not reproducible yet, due to the difference in build environment between the two builds. []
56 reviews of Debian packages were added, 38 were updated and 24 were removed this month adding to our knowledge about identified issues. Specifically, Chris Lamb added and categorised the nondeterministic_version_generated_by_python_param and the lessc_nondeterministic_keys toolchain issues. [][]
Holger Levsen sponsored Lukas Puehringer's upload of the python-securesystemslib package, which is a dependency of in-toto, a framework to secure the integrity of software supply chains. []
Lastly, Chris Lamb further refined his merge request against the debian-installer component to allow all arguments from sources.list files (such as [check-valid-until=no]) in order that we can test the reproducibility of the installer images on the Reproducible Builds own testing infrastructure and sent a ping to the team that maintains that code.
Upstream patches
The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of these patches, including:
diffoscope
diffoscope is our in-depth and content-aware diff utility that can not only locate and diagnose reproducibility issues, it provides human-readable diffs of all kinds. In August, Chris Lamb made the following changes to diffoscope, including preparing and uploading versions 155, 156, 157 and 158 to Debian:
New features:
Support extracting data from PGP-signed data. (#214)
Try files named .pgp against pgpdump(1) to determine whether they are Pretty Good Privacy (PGP) files. (#211)
Support multiple options for all file extension matching. []
Bug fixes:
Don t raise an exception when we encounter XML files with <!ENTITY> declarations inside the Document Type Definition (DTD), or when a DTD or entity references an external resource. (#212)
pgpdump(1) can successfully parse some binary files, so check that the parsed output contains something sensible before accepting it. []
Temporarily drop gnumeric from the Debian build-dependencies as it has been removed from the testing distribution. (#968742)
Correctly use fallback_recognises to prevent matching .xsb binary XML files.
Correct identify signed PGP files as file(1) returns data . (#211)
Logging improvements:
Emit a message when ppudump version does not match our file header. []
Don t use Python s repr(object) output in Calling external command messages. []
Include the filename in the not identified by any comparator message. []
Codebase improvements:
Bump Python requirement from 3.6 to 3.7. Most distributions are either shipping with Python 3.5 or 3.7, so supporting 3.6 is not only somewhat unnecessary but also cumbersome to test locally. []
Drop some unused imports [], drop an unnecessary dictionary comprehensions [] and some unnecessary control flow [].
Correct typo of output in a comment. []
Release process:
Move generation of debian/tests/control to an external script. []
Add some URLs for the site that will appear on PyPI.org. []
Update author and author email in setup.py for PyPI.org and similar. []
Testsuite improvements:
Update PPU tests for compatibility with Free Pascal versions 3.2.0 or greater. (#968124)
Mark that our identification test for .ppu files requires ppudump version 3.2.0 or higher. []
Add an assert_diff helper that loads and compares a fixture output. [][][][]
Misc:
Duplicate docker instructions in the Get diffoscope section of the diffoscope website. []
In addition, Mattia Rizzolo documented in setup.py that diffoscope works with Python version 3.8 [] and Frazer Clews applied some Pylint suggestions [] and removed some deprecated methods [].
Clarify & fix a few entries on the who page [][] and ensure that images do not get to large on some viewports [].
Clarify use of a pronoun re. Conservancy. []
Use View all our monthly reports over View all monthly reports . []
Move a is a suffix out of the link target on the SOURCE_DATE_EPOCH age. []
In addition, Javier Jard n added the freedesktop-sdk project [] and Kushal Das added SecureDrop project [] to our projects page. Lastly, Michael P hn added internationalisation and translation support with help from Hans-Christoph Steiner [].
Testing framework
The Reproducible Builds project operates a Jenkins-based testing framework to power tests.reproducible-builds.org. This month, Holger Levsen made the following changes:
System health checks:
Improve the explanation of how the status and scores are calculated.
Update and condense the view of detected issues.
Query the canonical configuration file to determine whether a job is disabled instead of duplicating/hardcoding this.
Detect several problems when updating the status of reporting-oriented metapackage sets.
Detect when diffoscope is not installable, and failures in DNS resolution.
Mark that the u-boot Universal Boot Loader should not build architecture-independent packages on the arm64 architecture anymore.
Finally, build node maintenance was performed by Holger Levsen, Mattia Rizzolo and Vagrant Cascadian.
Mailing list
On our mailing list this month, Leo Wandersleb sent a message to the list after wondering how to expand his WalletScrutiny.com project (which aims to improve the security of Bitcoin wallets) from Android wallets to also monitor Linux wallets:
If you think you know how to spread the word about reproducibility in the context of Bitcoin wallets through WalletScrutiny, your contributions are highly welcome on this PR
Julien Lepiller posted to the list linking to a blog post by Tavis Ormandy titled "You don't need reproducible builds". Morten Linderud (foxboron) responded with a clear rebuttal that Tavis was only considering the narrow use-case of proprietary vendors and closed-source software. He additionally noted that the criticism that reproducible builds cannot prevent backdoors being deliberately introduced into the upstream source ("bugdoors") is decidedly (and deliberately) outside the scope of reproducible builds to begin with.
Chris Lamb included the Reproducible Builds mailing list in a wider discussion regarding a tentative proposal to include .buildinfo files in .deb packages, adding his remarks regarding requiring a custom tool in order to determine whether generated build artifacts are identical in a reproducible context.
Jonathan Bustillos (Jathan) posted a quick email to the list asking whether there was a list of "To do" tasks in Reproducible Builds.
Lastly, Chris Lamb responded at length to a query regarding the status of reproducible builds for Debian ISO or installation images. He noted that most of the technical work has been performed but "there are at least four issues until they can be generally advertised as such". He pointed out that the privacy-oriented Tails operating system, which is based directly on Debian, has had reproducible builds for a number of years now.
If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. You can also get in touch with us via:
Here's my (eleventh) monthly update about the activities I've done in the F/L/OSS world.
Debian
This was my 20th month of contributing to Debian.
I became a DM in late March last year and a DD last Christmas! \o/
Well, this month we had DebConf! \o/
(more about this later this week!)
Anyway, here are the following things I did in Debian this month:
Uploads and bug fixes:
rubocop (0.89.1+dfsg-1) - New upstream version for RuboCop::Packaging.
ruby-rubocop-ast (0.3.0+dfsg-1) - New upstream version for RuboCop's latest version.
Also, I log daily updates at gsocwithutkarsh2102.tk.
Since this is a wrap, and whilst the daily updates are already available at the above site, I'll quickly mention the important points and links here.
Continuation of GSoC for other Ruby related stuff!
Whilst working on Rubocop::Packaging, I contributed to more Ruby projects, refactoring their library a little bit and mostly fixing RuboCop issues and fixing issues that the Packaging extension reports as "offensive".
Following are the PRs that I raised:
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my eleventh month as a Debian LTS and my second as a Debian ELTS paid contributor.
I was assigned 21.75 hours for LTS and 14.25 hours for ELTS and worked on the following things:
Started working on the uwsgi update for CVE-2020-11984. It seems that src:apache2 wasn't affected by that, but src:uwsgi was.
ELTS CVE Fixes and Announcements:
Issued ELA 255-1, fixing CVE-2020-14344, for libx11.
For Debian 8 Jessie, these problems have been fixed in version 2:1.6.2-3+deb8u3.
Issued ELA 259-1, fixing CVE-2020-10177, for pillow.
For Debian 8 Jessie, these problems have been fixed in version 2.6.1-2+deb8u5.
Issued ELA 269-1, fixing CVE-2020-11985, for apache2.
For Debian 8 Jessie, these problems have been fixed in version 2.4.10-10+deb8u17.
Started working on the clamAV update; it's a major bump from v0.101.5 to v0.102.4 with lots of moving parts. Contacted upstream maintainers to help reduce the risk of regression. Came up with a patch to loosen the libcurl version requirement. Hopefully, the update can be rolled out soon!
Other (E)LTS Work:
I spent an additional 11.15 hours working on compiling the responses of the LTS survey and preparing a gist of it for its presentation during the Debian LTS BoF at DebConf20.
Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.
In August, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 21.75h for LTS (out of my 30 max; all done) and 14.25h for ELTS (out of my 20 max; all done).
We had a Birds of a Feather videoconf session at DebConf20, sadly with varying quality for participants (from very good to unusable), where we shared the first results of the LTS survey.
There were also discussions about evaluating our security reactivity, which proved surprisingly hard to estimate (neither CVE release dates nor criticality metrics are accurate or easily available), and about when it is appropriate to use public naming in procedures.
Interestingly ELTS gained new supported packages, thanks to a new sponsor -- so far I'd seen the opposite, because we were close to the EOL.
As always, there were opportunities to de-dup work through mutual cooperation with the Debian Security team, and LTS/ELTS similar updates.
ELTS - Jessie
Fresh build VMs
rails/redmine: investigate issue, initially no-action as it can't be reproduced on Stretch and isn't supported in Jessie; follow-up when it's supported again
ghostscript: global triage: identify upstream fixed version, distinguish CVEs fixed within a single patch, bisect non-reproducible CVEs, reference missing commit (including at MITRE)
Here's my (tenth) monthly update about the activities I've done in the F/L/OSS world.
Debian
This was my 17th month of contributing to Debian.
I became a DM in late March last year and a DD last Christmas! \o/
Well, this month I didn't do as much Debian stuff as I usually do; however, I did a lot of things related to Debian (indirectly via GSoC)!
Anyway, here are the things I did this month:
Also, I log daily updates at gsocwithutkarsh2102.tk.
Whilst the daily updates are available at the above site, I'll break down the important parts of the latter half of the second month here:
Marc Andre very kindly helped in fixing the specs that were failing earlier this month. Well, the problem was with the specs, but I am still confused how. Anyway...
Finished documentation of the second cop and marked the PR as ready to be reviewed.
David reviewed and suggested some really good changes and I fixed/tweaked that PR as per his suggestion to finally finish the last bits of the second cop, RelativeRequireToLib.
Merged the PR upon two approvals and released it as v0.2.0!
We had our next weekly meeting where we discussed the next steps and the things that are supposed to be done for the next set of cops.
Introduced rubocop-packaging to the outer world and requested other upstream projects to use it! It is being used by 13 other projects already!
Started to work on packaging-style-guide but I didn't push anything to the public repository yet.
Worked on refactoring the cops_documentation Rake task which was broken by the new auto-corrector API. Opened PR #7 for it. It'll be merged after the next RuboCop release as it uses the CopsDocumentationGenerator class from the master branch.
Whilst working on autoprefixer-rails, I found something unusual. The second cop shouldn t really report offenses if the require_relative calls are from lib to lib itself. This is a false-positive. Opened issue #8 for the same.
Continuation of GSoC for other Ruby related stuff!
Whilst working on rubocop-packaging, I contributed to more Ruby projects, refactoring their library a little bit and mostly fixing RuboCop issues and fixing issues that the Packaging extension reports as "offensive".
Following are the PRs that I raised:
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my tenth month as a Debian LTS and my first as a Debian ELTS paid contributor.
I was assigned 25.25 hours for LTS and 13.25 hours for ELTS and worked on the following things:
Other(s)
Sometimes it gets hard to categorize work/things into a particular category.
That's why I am writing all of those things inside this category.
This includes two sub-categories and they are as follows.
Personal:
This month I did the following things:
Released v0.2.0 of rubocop-packaging on RubyGems!
It's open-sourced and the repository is here.
Bug reports and pull requests are welcomed!
Released v0.1.0 of get_root on RubyGems!
It's open-sourced and the repository is here.
Wrote max-word-frequency, my Rails C1M2 programming assignment.
And made it much neater and cleaner!
Refactored my lts-dla and elts-ela scripts entirely and wrote them in Ruby so that there are no issues and no false-positives!
Check lts-dla here and elts-ela here.
And finally, built my first Rails (mini) web-application!
The repository is here. This was also a programming assignment (C1M3).
And furthermore, hosted it at Heroku.
Open Source:
Again, this contains all the things that I couldn t categorize earlier.
Opened several issues and PRs:
Issue #8273 against rubocop, reporting a false-positive auto-correct for Style/WhileUntilModifier.
Issue #615 against http reporting a weird behavior of a flaky test.
PR #3791 for rubygems/bundler to remove redundant bundler/setup require call from spec_helper generated by bundle gem.
Issue #3831 against rubygems, reporting a traceback of undefined method, rubyforge_project=.
Issue #238 against nheko asking for enhancement in showing the font name in the very font itself.
PR #2307 for puma to constrain rake-compiler to v0.9.4.
And finally, I joined the Cucumber organization! \o/
Thank you for sticking along for so long :)
Until next time. :wq for today.
Here's my (ninth) monthly update about the activities I've done in the F/L/OSS world.
Debian
This was my 16th month of contributing to Debian.
I became a DM in late March last year and a DD last Christmas! \o/
This month was a little intense. I did a lot of different kinds of things in Debian this month. Whilst most of my time went on doing security stuff, I also sponsored a bunch of packages.
Here are the things I did this month:
Uploads and bug fixes:
rails (2:5.2.4.3+dfsg-1) - fix a bunch of CVEs in Sid and Bullseye.
Sponsored ruby-ast for Abraham, libexif for Hugh, djangorestframework-gis and karlseguin-ccache for Nilesh, and twig-extensions, twig-i18n-extension, and mariadb-mysql-kbs for William.
GSoC Phase 1, Part 2!
Last month, I got selected as a Google Summer of Code student for Debian again! \o/
I am working on the Upstream-Downstream Cooperation in Ruby project.
The first half of the first month is blogged here, titled, GSoC Phase 1.
Also, I log daily updates at gsocwithutkarsh2102.tk.
Whilst the daily updates are available at the above site, I'll break down the important parts of the latter half of the first month here:
Spread the word/usage about this tool/library via adding them in the official RuboCop docs.
We had our third weekly meeting where we discussed the next steps and the things that are supposed to be done for the next set of cops.
Wrote more tests so as to cover different aspects of the GemspecGit cop.
Opened PR #4 for the next Cop, RequireRelativeToLib.
Introduced rubocop-packaging to the outer world and requested other upstream projects to use it! It is being used by 6 other projects already.
Had our fourth weekly meeting where we pair-programmed (and I sucked :P) and figured out a way to make the second cop work.
Found a bug, reported at issue #5 and raised PR #6 to fix it.
And finally, people loved the library/tool (and its outcome):
(for those who don't know, @bbatsov is the author of RuboCop, @lienvdsteen is an amazing fullstack engineer at GitLab, and @pboling is the author of some awesome Ruby tools and libraries!)
Continuation of GSoC for other Ruby related stuff!
I have already mentioned it multiple times, but it's still not enough to stress how amazing Antonio Terceiro and David Rodríguez are!
They're more than just mentors to me!
Well, only they know how much I trouble them with different things, which are not only related to my GSoC project but also extend to the projects they maintain! :P
David maintains rubygems and bundler and Antonio maintains debci.
So on days when I decide to hack on rubygems or debci, only I know how kind and nice David and Antonio are to me!
They very patiently walk me through whatever I am stuck on, no matter what and no matter when.
Thus, with them around, I contributed to these two projects and more, with regards to working on rubocop-packaging.
Following are a few things that I raised:
Debian LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
This was my ninth month as a Debian LTS paid contributor. I was assigned 30.00 hours and worked on the following things:
Uploaded a fix for CVE-2020-11082, for ruby-kaminari.
This upload was for Sid and Bullseye and this CVE was fixed in version 1.0.1-6.
Uploaded a fix for CVE-2020-10663, for ruby-json, ruby2.1, and ruby2.5.
These uploads were for Stretch and Buster and were fixed in versions 2.3.3-1+deb9u8, 2.1.0+dfsg-2+deb10u1, 2.3.3-1+deb9u8, and 2.5.5-3+deb10u2.
Other(s)
Sometimes it gets hard to categorize work/things into a particular category.
That's why I am writing all of those things inside this category.
This includes two sub-categories and they are as follows.
Personal:
This month I did the following things:
Wrote and published v0.1.0 of rubocop-packaging on RubyGems!
It's open-sourced and the repository is here.
Bug reports and pull requests are welcomed!
Integrated a tiny (yet a powerful) hack to align images in markdown for my blog.
Commit here.
Here's my (eighth) monthly update about the activities I've done in the F/L/OSS world.
Debian
This month marks 15 months of contributing to Debian.
And my 6th month as a DD! \o/
Whilst I love doing Debian stuff, I have started spending more time on the programming side now, and I hope to keep it this way for some time.
Of course, I'll keep doing the Debian stuff, but just less of it.
Anyway, the following are the things I did in May.
Experimenting and improving Ruby libraries FTW!
I have been very heavily involved with the Debian Ruby team for over a year now.
Thanks to Antonio Terceiro (and GSoC), I've started experimenting and taking more interest in upstream development and improvement of these libraries.
This has the sole purpose of learning. It has gotten fun since I've started doing Ruby, and I hope it stays this way.
This month, I opened some issues and proposed a few pull requests. They are:
Issue #802 against whenever for Ruby2.7 test failures.
Issue #8 against aggregate asking upstream for a release on rubygems.
Issue #104 against irb for asking more about Array.join("\n").
Issue #1391 against mail asking upstream to cut a new release.
Issue #1655 against rack reporting test failures in the CVE fix.
Debian LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
This was my eighth month as a Debian LTS paid contributor. I was assigned 17.25 hours and worked on the following things:
CVE Fixes and Announcements:
Issued DLA 2191-1, fixing CVE-2020-10683, for dom4j.
For Debian 8 "Jessie", this problem has been fixed in version 1.6.1+dfsg.3-2+deb8u2.
Issued DLA 2192-1, fixing CVE-2020-10663, for ruby2.1.
For Debian 8 "Jessie", this problem has been fixed in version 2.1.5-2+deb8u10.
Issued DLA 2210-1, fixing CVE-2020-3810, for apt.
This update was prepared by the maintainer, Julian. I just took care of the paperwork.
For Debian 8 "Jessie", this problem has been fixed in version 1.0.9.8.6.
Other(s)
Sometimes it gets hard to categorize work/things into a particular category.
That's why I am writing all of those things inside this category.
This includes two sub-categories and they are as follows.
Personal:
This month I could get the following things done:
Wrote and published my first Ruby gem/library/tool on RubyGems!
It's open-sourced and the repository is here.
Bug reports and pull requests are welcomed!
Wrote a small Ruby script (available here) to install Ruby gems from Gemfile(.lock).
Needed this when I hit a bug while using ruby-standalone, which Antonio fixed pretty quickly!
Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.
In April, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 28.75h for LTS (out of 30 max; all done) and 7.75h for ELTS (out of 20 max; I did 2.75).
Escalation procedures were (internally) documented with a focus on discussing issues with team coordinator(s) first.
Debian LTS had its first team meeting through IRC and lots of workflow questions were discussed. This should help discuss questions that are a bit hard to bring up, and ensure everybody participates. There were lots of topics and it was a bit rushed, but this is something we want to repeat monthly now, possibly with audio/video in a couple of months.
Remarks from last month's report were discussed, strengthening the Front-Desk role.
10% of the global funding is now reserved for infrastructure work. What kind of work, and who (LTS or external) will do the work, will be discussed further.
A fellow DD suggested (in a private conversation) that LTS may be taking time from the Debian Security team, due to additional commits to review. Conversely, this is another opportunity to mention all the global, non-LTS-specific work that LTS provides, which I usually highlight in my reports, and maybe I should be even more
ELTS - Wheezy
CVE-2020-11612/netty: triage: ignored (deceptively hard to backport, OOM mitigation only)
mysql-connector-java: triage: in-progress (subscription-only update from Oracle, attempt to find more detail, waiting for public version)
CVE-2020-11868/ntp: global triage: identify and reference missing patch, coordinate with uploader
LTS - Jessie
netty, mysql-connector-java, ntp: common triage (see above)
CVE-2019-20637/varnish: global triage: attempt to reproduce, attempt to get PoC/vulnerable versions from upstream, update BTS
ansible: jessie triage: reset ignore->no-dsa old vulnerabilities after discussing with initial triager
ansible: global triage: identify more affected version ranges, locate more patches
ansible: prepare jessie upload (work-in-progress)
tiff: suites harmonization: offer to work on a tiff/stretch update, follow-up on maintainer's questions, who eventually did the update
dsa-needed.txt: identify stale entries from inactive LTS contributor, check for status
Here's my (seventh) monthly update about the activities I've done in the F/L/OSS world.
Debian
It's been 14 months since I started contributing to Debian.
And 4 months since I became a Debian Developer. In this beautiful time, I have had the opportunity to do and learn lots of new and interesting things, and most importantly, to meet and interact with lots of lovely people!
Debian is $home.
Sponsored a lot of uploads for William Desportes and Adam Cecile.
Mentoring for newcomers.
FTP Trainee reviewing.
Moderation of -project mailing list.
Applied for DUCI project for Google Summer of Code 2020.
Ruby2.7 Migration:
Ruby2.7 was recently released on 25th December, 2019. Santa's gift. Believe it or not.
We, the Debian Ruby team, have been trying hard to make it migrate to testing. And it finally happened.
The default version in testing is ruby2.7. Here's the news! \o/
Here's what I worked on this month for this transition.
Upstream:
Opened several issues and proposed patches (in the form of PRs):
Issue #35 against encryptor for Ruby2.7 test failures.
Issue #28 against image_science for removing relative paths.
Issue #106 against ffi-yajl for Ruby2.7 test failures.
Debian LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
This was my seventh month as a Debian LTS paid contributor. I was assigned 24.00 hours and worked on the following things:
Other(s)
Sometimes it gets hard to categorize work/things into a particular category.
That s why I am writing all of those things inside this category.
This includes two sub-categories and they are as follows.
Personal:
This month I could get the following things done:
Most importantly, I finally migrated to a new website. Huge UI improvement! \o/
From Jekyll to Hugo, it was not easy. But it was worth it! Many thanks to Luiz for writing hugo-coder, Clement, and Samyak!
If you find any flaws, issues and pull requests are welcomed at utkarsh2102/utkarsh2102.com
Wrote battery-alert, a mini-project of my own to show battery alerts at <10% and >90%.
Written in shell, it brings me all the satisfaction as it has saved my life on many occasions.
And guess what? It has more users than just myself!
Reviews and patches are welcomed \o/
Mentored in HackOn Hackathon. Thanks to Manvi for reaching out!
It was fun to see people developing some really nice projects.
Thanks to Ray and John, I became a GitLab Hero!
(I am yet to figure out my role and responsibility though)
Attended Intro Sec Con and had the most fun!
Heard Ian's keynote, attended other talks and learned how to use Wireshark!
Open Source:
Again, this contains all the things that I couldn't categorize earlier.
Opened several issues and pull requests:
Issue #297 against hugo-coder, asking to enable RSS feed for blogs.
PR #316 for hugo-coder for fixing the above issue myself.
Issue #173 against arbre for requesting a release.
Issue #104 against combustion, asking to relax dependency on rubocop. Fixed in this commit.
Issue #16 against ffi-compiler for requesting to fix homepage and license.
Issue #57 against gographviz for requesting a release.
Issue #14 against crb-blast, suggesting compatibility with bio 2.0.x.
Issue #58 against uniform_notifier for asking to drop the use of ruby-growl.
PR #2072 for polybar, adding installation instructions on Debian systems.
Like each month, here comes a report about the work of paid contributors to Debian LTS.
Individual reports
In February, 226 work hours have been dispatched among 14 paid contributors. Their reports are available:
Abhijith PA gave back 12 out of his assigned 14h, thus he is carrying over 2h for March.
Ben Hutchings did 19.25h (out of 20h assigned), thus carrying over 0.75h to March.
Evolution of the situation
February began as a rather calm month, and the fact that more contributors have given back unused hours is an indicator of this calmness and also an indicator that contributing to LTS has become more of a routine now, which is good.
In the second half of February Holger Levsen (from LTS) and Salvatore Bonaccorso (from the Debian Security Team) met at SnowCamp in Italy and discussed tensions and possible improvements from and for Debian LTS.
The security tracker currently lists 25 packages with a known CVE and the dla-needed.txt file has 21 packages needing an update.
Thanks to our sponsors
New sponsors are in bold.
Recently there was another bind9 security update released by the Debian Security Team. I thought that was odd, so I've scanned my mailbox:
11 January 2017
DSA-3758 - bind9
26 February 2017
DSA-3795-1 - bind9
14 May 2017
DSA-3854-1 - bind9
8 July 2017
DSA-3904-1 - bind9
So in the year to date there have been 7 months, in 3 of them nothing happened, but in 4 of them we had bind9 updates. If these trends continue we'll have another 2.5 updates before the end of the year.
I don't run a nameserver. The only reason I have bind-packages on my system is for the dig utility.
Rewriting a compatible version of dig in Perl should be trivial, thanks to the Net::DNS::Resolver module:
These are about the only commands I ever run:
dig -t a steve.fi +short
dig -t aaaa steve.fi +short
dig -t a steve.fi @8.8.8.8
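A dig replacement of the kind the post describes, as an added example (not the post's own script): it handles exactly the three invocation shapes quoted above (-t TYPE, +short and @SERVER) on top of Net::DNS::Resolver. It assumes the Net::DNS module is installed (libnet-dns-perl on Debian); the file name mini-dig.pl and the helpers parse_args and lookup are my own names.

```perl
#!/usr/bin/perl
# mini-dig.pl: a small dig(1)-alike built on Net::DNS::Resolver.
# Added example, not code from the post; assumes Net::DNS (libnet-dns-perl).
use strict;
use warnings;
use Net::DNS;

# Recognise the argument shapes dig users actually type:
#   -t TYPE   record type (default A)
#   +short    print only the answer rdata, one per line
#   @SERVER   send the query to this nameserver instead of the resolv.conf ones
# Anything else is taken as the name to look up.
sub parse_args {
    my @args = @_;
    my %opt = (type => 'A', short => 0, server => undef, name => undef);
    while (defined(my $arg = shift @args)) {
        if    ($arg eq '-t')       { $opt{type}   = uc(shift(@args) // 'A'); }
        elsif ($arg eq '+short')   { $opt{short}  = 1; }
        elsif ($arg =~ /^\@(.+)$/) { $opt{server} = $1; }
        else                       { $opt{name}   = $arg; }
    }
    return \%opt;
}

# Perform the lookup and return the text dig would print.
sub lookup {
    my ($opt) = @_;
    my $res = Net::DNS::Resolver->new();
    $res->nameservers($opt->{server}) if defined $opt->{server};
    $res->udp_timeout(5);
    $res->tcp_timeout(5);

    # send() returns a packet even for NXDOMAIN/SERVFAIL (the rcode carries the
    # status, as in dig); undef means the query itself failed (timeout, no server).
    my $reply = $res->send($opt->{name}, $opt->{type})
        or die "query failed: " . $res->errorstring . "\n";

    if ($opt->{short}) {
        # dig +short prints one rdata per answer RR: addresses for A/AAAA,
        # the presentation-format rdata (e.g. a CNAME target) for anything else.
        my @lines = map {
            ($_->type eq 'A' || $_->type eq 'AAAA') ? $_->address : $_->rdstring
        } $reply->answer;
        return @lines ? join("\n", @lines) . "\n" : '';
    }

    # Full mode: Net::DNS::Packet::string renders header, question and answer
    # sections in a dig-like layout, including the rcode for failed lookups.
    return $reply->string;
}

my $opt = parse_args(@ARGV);
die "usage: $0 [-t TYPE] [\@SERVER] [+short] NAME\n" unless defined $opt->{name};
print lookup($opt);
```

Invoked as `perl mini-dig.pl -t aaaa steve.fi +short` or `perl mini-dig.pl -t a steve.fi @8.8.8.8`, it covers the commands listed above; it does not reproduce dig's exit codes or its ;; SERVER/;; Query time trailer, which the post's use cases do not need.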
Debian 9 "Stretch", the latest stable version of the venerable Linux distribution, will be released in a few days. I pushed a last-minute change to get the latest security and feature update of WebKitGTK+ (packaged as webkit2gtk 2.16.3) in before release.
Carlos Garcia Campos discusses what's new in 2.16, but there are many, many more improvements since the 2.6 version in Debian 8.
Like many things in Debian, this was a team effort from many people. Thank you to the WebKitGTK+ developers, WebKitGTK+ maintainers in Debian, Debian Release Managers, Debian Stable Release Managers, Debian Security Team, Ubuntu Security Team, and testers who all had some part in making this happen.
As with Debian 8, there is no guaranteed security support for webkit2gtk for Debian 9. This time though, there is a chance of periodic security updates without needing to get the updates through backports.
If you would like to help test the next proposed update, please contact me so that I can help coordinate this.
My monthly report covers a large part of what I have been doing in the free software world. I write it for my donors (thanks to them!) but also for the wider Debian community because it can give ideas to newcomers and it's one of the best ways to find volunteers to work with me on projects that matter to me.
Debian LTS
I was allocated 10 hours to work on security updates for Debian 7 Wheezy and had 1.5 hours remaining from March. During this time I did the following:
I released DLA-905-1 on ghostscript fixing 3 CVE. I also triaged two other ghostscript CVE that were not relevant to the version in wheezy.
I started to look into CVE-2016-10209 for libarchive but was not able to reproduce the segfault and marked it as not worth an update (same decision as security team).
After many tries to get more details from upstream of libxml-twig-perl on CVE-2016-9180, I decided that the low severity of the issue was not worth spending more time on it (same decision as Red Hat and the Debian security team).
I released DLA-921-1 on slurm-llnl fixing 1 high-severity CVE.
I investigated CVE-2016-8686 on potrace and marked it as not requiring an update because the impact is very low. I documented the fact that it s fixed in unstable and asked the upstream author for the specific patch (no answer yet though).
Kali and pkg-security
I updated the britney instance that we are using in Kali and spotted two small documentation mistakes that I fixed.
We had a long-standing bug in Kali where extensions would stay visible on the lock screen. It was hard to reproduce and this month we finally managed to nail down the conditions required to reproduce it. It turns out that EasyScreenCast was the culprit. We paid Emilio Pozuelo Monfort to work on a patch and he fixed the problem in EasyScreenCast and also in gnome-shell, as a buggy extension should not have resulted in this behavior.
I responded to multiple queries from new contributors in the pkg-security team. The team is rather active and it would be great if we could have a few more Debian developers to help review and sponsor the work of our enthusiastic new members.
Thanks
See you next month for a new summary of my activities. Hopefully, I will be more active again; between the kids' vacations, the French elections and Zelda Breath of the Wild, I got very much distracted from Debian last month.