In March I was assigned 16 hours of work by Freexian's Debian LTS initiative and carried over 8 hours from February. I worked 16 hours, and will carry over the remaining time to April. I backported the mitigations for Spectre-BHB (CVE-2022-0001, CVE-2022-0002) on x86 processors, to Linux 4.9. I worked together with Salvatore Bonaccorso in preparing the kernel updates that were needed in all suites, and writing advisory text. I uploaded both the linux (4.9) and linux-4.19 packages to stretch, and issued DLA-2940-1 and DLA-2941-1. I also triaged new issues that were reported later in the month.

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In February, 226 work hours have been dispatched among 14 paid contributors. Their reports are available:

• Abhijith PA gave back 12 out of his assigned 14h, thus he is carrying over 2h for March.
• Ben Hutchings did 19.25h (out of 20h assigned), thus carrying over 0.75h to March.
• Brian May did 10h (out of 10h assigned).
• Chris Lamb did 18h (out of 18h assigned).
• Dylan A ssi did 5.5h (out of 4h assigned and 1.5h from January).
• Emilio Pozuelo Monfort did 29h (out of 20h assigned and 15.75h from January), thus carrying over 6.75h to March.
• Hugo Lefeuvre gave back the 12h he got assigned.
• Markus Koschany did 10h (out of 20h assigned and 8.75h from January), thus carrying over 18.75h to March.
• Mike Gabriel did 5.75h (out of 20h assigned) and gave 12h back to the pool, thus he is carrying over 2.25h to March.
• Ola Lundqvist did 10h (out of 8h assigned and 4.5h from January), thus carrying over 2.5h to March.
• Roberto C. S nchez did 20.25h (out of 20h assigned and 13h from January) and gave back 12.75h to the pool.
• Sylvain Beucler did 20h (out of 20h assigned).
• Thorsten Alteholz did 20h (out of 20h assigned).
• Utkarsh Gupta did 20h (out of 20h assigned).

Evolution of the situation February began as rather calm month and the fact that more contributors have given back unused hours is an indicator of this calmness and also an indicator that contributing to LTS has become more of a routine now, which is good. In the second half of February Holger Levsen (from LTS) and Salvatore Bonaccorso (from the Debian Security Team) met at SnowCamp in Italy and discussed tensions and possible improvements from and for Debian LTS. The security tracker currently lists 25 packages with a known CVE and the dla-needed.txt file has 21 packages needing an update. Thanks to our sponsors New sponsors are in bold.

• Platinum sponsors:
• TOSHIBA (for 54 months)
• GitHub (for 44 months)
• Civil Infrastructure Platform (CIP) (for 22 months)
• Gold sponsors:
• Blablacar (for 69 months)
• Roche Diagnostics International AG (for 65 months)
• Linode (for 59 months)
• Babiel GmbH (for 48 months)
• Plat Home (for 47 months)
• University of Oxford (for 4 months)
• Silver sponsors:
• The Positive Internet Company (for 70 months)
• Domeneshop AS (for 69 months)
• Nantes M tropole (for 63 months)
• Univention GmbH (for 55 months)
• Universit Jean Monnet de St Etienne (for 55 months)
• Ribbon Communications, Inc. (for 49 months)
• Exonet B.V. (for 38 months)
• Leibniz Rechenzentrum (for 32 months)
• CINECA (for 22 months)
• Minist re de l Europe et des Affaires trang res (for 16 months)
• Cloudways Ltd (for 5 months)
• Dinahosting SL (for 3 months)
• Bronze sponsors:
• Seznam.cz, a.s. (for 70 months)
• Evolix (for 69 months)
• MyTux (for 69 months)
• Linuxhotel GmbH (for 67 months)
• Intevation GmbH (for 66 months)
• Daevel SARL (for 65 months)
• Bitfolk LTD (for 64 months)
• Megaspace Internet Services GmbH (for 64 months)
• Greenbone Networks GmbH (for 63 months)
• NUMLOG (for 63 months)
• WinGo AG (for 62 months)
• Ecole Centrale de Nantes LHEEA (for 59 months)
• Sig-I/O (for 56 months)
• Entr ouvert (for 54 months)
• Adfinis SyGroup AG (for 51 months)
• Laboratoire LEGI UMR 5519 / CNRS (for 46 months)
• Tesorion (for 46 months)
• GNI MEDIA (for 45 months)
• Bearstech (for 37 months)
• LiHAS (for 37 months)
• People Doc (for 33 months)
• Catalyst IT Ltd (for 32 months)
• Supagro (for 27 months)
• Demarcq SAS (for 25 months)
• TrapX Security (for 22 months)
• Universit Grenoble Alpes (for 12 months)
• TouchWeb SAS (for 4 months)
• SPiN AG

No comment Liked this article? Click here. My blog is Flattr-enabled.

Debian devscripts Before deciding to take an indefinite hiatus from devscripts, I prepared one more upload merging various contributed patches and a bit of last minute cleanup.

• build-rdeps
  • Updated build-rdeps to work with compressed apt indices. (Debian bug #698240)
  • Added support for Build-Arch- Conflicts,Depends to build-rdeps. (adc87981)
  • Merged Andreas Henriksson's patch for setting remote.<name>.push-url when using debcheckout to clone a git repository. (Debian bug #753838)
• debsign
  • Updated bash completion for gpg keys to use gpg --with-colons, instead of manually parsing gpg -K output. Aside from being the Right Way to get machine parseable information out of gpg, it fixed completion when gpg is a 2.x version. (Debian bug #837380)

I also setup integration with Travis CI to hopefully catch issues sooner than "while preparing an upload", as was typically the case before. Anyone with push access to the Debian/devscripts GitHub repo can take advantage of this to test out changes, or keep the development branches up to date. In the process, I was able to make some improvements to travis.debian.net, namely support for DEB_BUILD_PROFILES and using a separate, minimal docker image for running autopkgtests. unibilium

• Packaged the new upstream release (1.2.1)
• Basic package maintenance (-dbgsym package, policy update, enabled hardening flags).
• Uploaded 1.2.1-1

neovim

• Attempted to nudge lua-nvim's builds along on a couple architectures where they were waiting for neovim to be installable
  • x32: Temporarily removed lua-nvim Build-Depends to break the BD-Uninstallable cycle between lua-nvim and neovim.
  • powerpcspe: Temporarily removed luajit Build-Depends, reducing test scope, to fix the build.
    • If memory serves, the test failures are fixed upstream for the next release.
• Uploaded 0.2.0-4

Oddly, the mips64el builds were in BD-Uninstallable state, even though luajit's buildd status showed it was built. Looking further, I noticed the libluajit-5.1 ,-dev binary packages didn't have the mips64el architecture enabled, so I asked for it to be enabled. msgpack-c There were a few packages left which would FTBFS if I uploaded msgpack-c 2.x to unstable.

• autobahn-cpp
• libdata-messagepack-perl
• ring

All of the bug reports had either trivial work arounds (i.e., forcing use of the v1 C++ API) or trivial patches. However, I didn't want to continue waiting for the packages to get fixed since I knew other people had expressed interest in the new msgpack-c. Trying to avoid making other packages insta-buggy, I NMUed autobahn-cpp with the v1 work around. That didn't go over well, partly because I didn't send a finalized "Hey, I'd like to get this done and here's my plan to NMU" email. Based on that feedback, I decided to bump the remaining bugs to "serious" instead of NMUing and upload msgpack-c. Thanks to Jonas Smedegaard for quickly integrating my proposed fix for libdata-messagepack-perl. Hopefully, upstream has some time to review the PR soon. vim

• Used the powerpc porterbox to debug and fix a 32-bit integer overflow that was causing test failures.
• Asked the vim-perl folks about getting updated runtime files to Bram, after Jakub Wilk filed Debian bug #873755. This had been fixed 4+ years earlier, but not yet merged back into Vim. Thanks to Rob Hoelz for pulling things together and sending the updates to Bram.
• I've continued to receive feedback from Debian users about their frustration with Vim's new "defaults.vim", both in regards to the actual default settings and its interaction with the system-wide vimrc file. While I still don't intend to deviate from upstream's behavior, I did push back some more on the existing behavior. I appreciate Christian Brabandt's effort, as always, to understand the issue at hand and have constructive discussions. His final suggestion seems like it will resolve the system vimrc interaction, so hopefully Bram is receptive to it.
• Uploaded 2:8.0.1144-1
• Thanks to a nudge from Salvatore Bonaccorso and Moritz M hlenhoff, I uploaded 2:8.0.0197-4+deb9u1 which fixes CVE-2017-11109. I had intended to do this much sooner, but it fell through the cracks. Due to Adam Barratt's quick responses, this should make it into the upcoming Stretch 9.2 release.

subversion

• Started work on updating the packaging
  • Converted to 3.0 (quilt) source format
  • Updated to debhelper 10 compat
  • Initial attempts at converting to a dh rules file
    • Running into various problems here and still trying to figure out whether they're in the upstream build system, Debian's patches, or both.

---

neovim

• Worked with Niko Dittmann to fix build failures Niko was experiencing on OpenBSD 6.1 #7298
• Merged upstream Vim patches into neovim from various contributors
  • Young Jean Han - #7233
  • KunMing Xie - #7258, #7311, #7309, #7310
  • James McCoy - #7325
• Discussed focus detection behavior after a recent change in the implementation (#7221)
  • While testing focus detection in various terminal emulators, I noticed pangoterm didn't support this. I submitted a merge request on libvterm to provide an API for reporting focus changes. If that's merged, it will be trivial for pangoterm to notify applications when the terminal has focus.
• Fixed a bug in our tooling around merging Vim patches, which was causing it to incorrectly drop certain files from the patches. #7328

My monthly report covers what I have been doing for Debian. I write it for Debian s Long Term Support sponsors but also for the wider free software community in the hope that it might inspire people to get more involved with Debian or free software in general. Debian Android

• We (the Android Tools Maintainers and our three GSoC students) started our regular IRC meetings on Thursday.
• I am mostly involved in answering packaging questions, reviewing package updates and uploading them to the archive.
• I sponsored new versions of android-platform-build, android-platform-external-libselinux, android-platform-external-libunwind, android-platform-frameworks-base, android-platform-system-core and android-platform-system-extras.
• I sponsored a new revision of apktool prepared by Chirayu Desai and myself that fixed the decoding issue from last month and three other bugs. Thanks to Paul Wise for the reports and Chirayu for fixing two bugs and creating a separate android-framework-res binary package on which we could depend on. It seems decoding works now as intended but we still need to tackle the building problem.

Debian Games

• I packaged CaveExpress and CavePacker for Debian. CaveExpress is a remake of the old Amiga classic Ugh! In this game you control a pedal-powered flying machine and pick up packages from your clients. An interesting aspect of CaveExpress is its physics-based gameplay. The packages must be delivered to a collection point and their movement is quite realistic thanks to the excellent Box2d physics engine. The other game, CavePacker, based on the same engine as CaveExpress is a Sokoban-like game. Both games feature dozens of levels and if you have nothing better to do, you should definitely check them out.
• This month I also packaged a new upstream release of Netpanzer. Apparently there is new upstream activity.
• Blockattack 2.0 was released and is now available in Debian.
• I also updated the following packages: kball, pathogen, ceferino, slimevolley, pangzero and airstrike.
• I adopted abe, berusky and berusky-data, updated the packages to use modern debian helpers and also packaged version 1.7 of berusky, a great Sokoban-like game by the way.
• June also saw a new release of debian-games, several metapackages that make it much easier to install a subset of games or even the finest.
• I sponsored RC-bug fixes for parsec47, tumiki-fighters, mu-cade and tatan all prepared by Peter De Wachter who keeps our D (yes, that s a language) games alive. But we will face more issues in the post Stretch future. Apparently the D language people intend to remove parts of their API and of course all our D-based games are affected. Peter has announced more information about that. I think all these games are pretty unique and real gems. If you know a little D and want to help out, please get involved.

Debian Java

• I sponsored a new package for Tobias Ilte, stegosuite, a steganography tool to hide information in image files.
• I packaged new upstream releases of jboss-logmanager, jboss-modules, jboss-xnio, activemq and undertow.
• Together with Emmanuel Bourg I prepared a security update for Tomcat 8 fixing 8 CVEs. (DSA-3609-1)
• I backported the lastest stable release of mysql-connector-java to Jessie to fix CVE-2015-2575. A DSA is pending.
• I blogged about the default Java switch in Wheezy.

Debian LTS This was my fifth month as a paid contributor and I have been paid to work 19,75 hours on Debian LTS. In that time I did the following:

• DLA-501-1. Salvatore Bonaccorso from Debian s Security Team discovered that the original fix for CVE-2015-7552 (DLA-450-1) was incomplete. I prepared and uploaded a new revision of gdk-pixbuf and issued the DLA.
• DLA-502-1. Issued a security update for graphicsmagick fixing 1 CVE.
• DLA-504-1. Issued a security update for libxstream-java fixing 1 CVE which was prepared by Emmanuel Bourg.
• DLA-505-1. Issued a security update for libpdfbox-java fixing 1 CVE.
• DLA-508-1. Issued a security update for expat fixing 2 CVE.
• DLA-511-1. Issued a security update for libtorrent-rasterbar fixing 1 CVE.
• DLA-526-1. Issued a security update for mysql-connector-java fixing 1 CVE. I also prepared the update for Jessie which is still pending to be reviewed by the Security Team.
• DLA-528-1. Issued a security update for libcommons-fileupload-java fixing 1 CVE.
• DLA-529-1. Issued a security update for tomcat7 fixing 1 CVE.
• DLA-530-1. As previously announced I switched the default Java implementation from OpenJDK 6 to OpenJDK 7.
• DLA-537-1. Issued a security update for roundcube fixing 1 CVE. I triaged CVE-2016-5103, CVE-2015-2180 and CVE-2015-2181 and marked them as not-vulnerable .
• I triaged 22 CVEs for libarchive and marked two of them as not-vulnerable . You can find my preliminary work for libarchive on the wheezy branch in Debian s git repository. I expect a security update very soon.
• From 13 June to 19. June I was responsible for Wheezy s LTS frontdesk. It was a rather calm week on the debian-lts mailing list and in our IRC channel. I triaged CVE-2016-4970 (netty), CVE-2016-3189 (bzip2), CVE-2016-1621 (libvpx) and CVE-2016-4493, CVE-2016-4492, CVE-2016-4491, CVE-2016-4490, CVE-2016-4489, CVE-2016-4488, CVE-2016-4487, CVE-2016-2226 which were all minor issues in developer tools or in the gcc toolchain.
• I commented on Ola s question about open security issues in phpmyadmin.

QA uploads

• I fixed pygccxml that threatened to remove spring.
• I completely overhauled gl-117, fixed four bugs and closed two obsolete ones. gl-117 always reminds me a little of the Falcon series from the early 90ies.

What happened in the reproducible builds effort between March 6th and March 12th:

Packages fixed The following packages have become reproducible due to changes in their build dependencies: dfc, gap-openmath, gnubik, gplanarity, iirish, iitalian, monajat, openimageio, plexus-digest, ruby-fssm, vdr-plugin-dvd, vdr-plugin-spider. The following packages became reproducible after getting fixed:

• adduser/3.114 by Niels Thykier.
• bsdmainutils/9.0.7 by Michael Meskes.
• criu/2.0-1 by Salvatore Bonaccorso.
• genometools/1.5.8+ds-2 by Sascha Steinbiss.
• gfs2-utils/3.1.8-1 uploaded by Bastian Blank, fix by Christoph Berg.
• gmerlin/1.2.0~dfsg+1-5 by IOhannes m zm lnig.
• heroes/0.21-14 by Stephen Kitt.
• kmc/2.3+dfsg-3 by Sascha Steinbiss.
• polyml/5.6-3 by James Clarke.
• sed/4.2.2-7.1 by Niels Thykier.
• snpomatic/1.0-3 by Sascha Steinbiss.
• tantan/13-4 by Sascha Steinbiss.

Some uploads fixed some reproducibility issues, but not all of them:

• apg/2.2.3.dfsg.1-3 uploaded by Marc Haber, original patch by Chris Lamb.
• elastix/4.8-4 uploaded by Gert Wollny, reported by akira.

Patches submitted which have not made their way to the archive yet:

• #817979 on modernizr by Sascha Steinbiss: sort list of files included in feature-detects.js.
• #818027 on snapper by Sascha Steinbiss: always use /bin/sh as shell.

tests.reproducible-builds.org Always use all cores on armhf builders. (h01ger) Improve the look of Debian dashboard. (h01ger)

Package reviews 118 reviews have been removed, 114 added and 15 updated in the previous week. 15 FTBFS have been filled by Chris Lamb. New issues: xmlto_txt_output_locale_specific.

Misc. Lunar seeks new maintainers for diffoscope, several mailing lists, and these very weekly reports.

I spent much of my Debian time in the last few weeks triaging and fixing bugs in initramfs-tools. All of the important bugs should be fixed, except for two where I needed more information from the submitter. Due to the scope of these changes and potential for regressions, I've made a release candidate, version 0.121~rc2, rather than a full release. This is now available in experimental, and I would appreciate real-world testing feedback in the next few weeks. (If you're wondering what happened to rc1, that had 'unstable' as the distribution, which I didn't notice until after pushing the tag.) From the release announcement, the major changes are:

• Split initramfs-tools binary package into core and automation hooks, to allow for coinstallation of the core with other initramfs builders
• Fail at build-time if busybox is wanted but not found
• Rewrite build-time block device sysfs lookup to be generic
• Include modules for all components of a multi-disk device
• Use blkid to resolve LABEL=, UUID=, PARTLABEL= and PARTUUID= block device IDs at boot time, and do this much later
• Change file copying to distinguish executables from other file types and to preserve symlinks
• Run panic scripts just before dropping to a shell

Thanks to Andy Whitcroft, Boris Egorov, Laurent Bigonville, Roger Leigh, Roger Shimizu and Salvatore Bonaccorso for their patches which I applied in this version.

What happened in the reproducible builds effort this week: Toolchain fixes

• Robert Luberda uploaded ispell/3.4.00-4 which fixes another issue with uninitialized memory in ispell hashes. Original patch by Valentin Lorentz.
• Robert Luberda uploaded man2html/1.6g-8 which adds support for SOURCE_DATE_EPOCH. Original patch by akira.
• gregor herrmann uploaded libdebian-copyright-perl/0.2-3 which sorts copyright files for deterministic ordering. Original patch by Reiner Herrmann.
• Rafael Laboissiere uploaded octave-pkg-dev/1.3.2 which normalizes the name of the temporary build directory. This doesn't seem to be enough to make Octave packages reproducible just yet, though.
• Nicolas Boulenguez uploaded gprbuild/2015-1 which sets a deterministic date to the generated source.

Packages fixed The following packages became reproducible due to changes in their build dependencies: maven-plugin-tools, norwegian, ocaml-melt, python-biom-format, rivet. The following packages became reproducible after getting fixed:

• apache2/2.4.17-1 by Stefan Fritsch.
• autogen/1:5.18.6-3 by Andreas Metzler.
• debian-timeline/37 by Chris Lamb.
• fonty-rg/0.6 uploaded by Radovan Garab k, original patch by Chris Lamb.
• foxeye/0.10.2-2 by Andriy Grytsenko.
• hsqldb/2.3.3+dfsg2-1 by Markus Koschany.
• jasperreports/6.1.1+dfsg-1 uploaded by Markus Koschany, fix by Emmanuel Bourg.
• libmath-base-convert-perl/0.11-2 uploaded by Salvatore Bonaccorso, original patch by Reiner Herrmann.
• libsdl2-gfx/1.0.1+dfsg-2 uploaded by Manuel A. Fernandez Montecelo, original patch by Reiner Herrmann.
• libsdl2/2.0.2+dfsg1-8 uploaded by Gianfranco Costamagna, patch by Reiner Herrmann.
• linux/4.2.5-1 by Ben Hutchings.
• litl/0.1.7+dfsg-1 by Samuel Thibault, original patch by Chris Lamb.
• python-keystoneclient/1:1.7.1-4 by Thomas Goirand.
• sphinxbase/0.8+5prealpha-1 by Samuel Thibault.
• tatan/1.0.dfsg1-6 uploaded by Markus Koschany, original patch by Reiner Herrmann.
• v4l2loopback/0.9.1-4 uploaded by IOhannes m zm lnig, original patch.
• yadifa/2.1.4-2 uploaded by Markus Schade, original patch by Reiner Herrmann.

Some uploads fixed some reproducibility issues but not all of them:

• lcov/1.12-2 by Alastair McKinstry, original patch by Reiner Herrmann.
• libsdl1.2/1.2.15-12 uploaded by Manuel A. Fernandez Montecelo, original patch by Reiner Herrmann.
• metview/4.5.7-1 by Alastair McKinstry.
• mumble/1.2.10-2 by Christopher Knadle.

The following package is currently failing to build from source but should now be reproducible:

• p4vasp/0.3.29+dfsg-2 uploaded by Graham Inggs, original patch by Reiner Herrmann.

Patches submitted which have not made their way to the archive yet:

• #803501 on fdroidserver by Reiner Herrmann: add support for SOURCE_DATE_EPOCH to docs/gendocs.sh and normalizes tarball permissions. Sent upstream.
• #803547 on bbswitch by Reiner Herrmann: tell tar to normalize the permissions.
• #803583 on ndiswrapper by Reiner Herrmann: tell tar to normalize the permissions.
• #803601 on xtables-addons by Reiner Herrmann: tell tar to normalize the permissions.
• #803603 on usb-modeswitch-data by Reiner Herrmann: tell tar to normalize the permissions.

reproducible.debian.net A quick update on current statistics: testing is at 85% of packages tested reproducible with our modified packages, unstable on armhf caught up with amd64 with 80%. The schroot name used for running diffoscope when testing OpenWrt, NetBSD, Coreboot, and Arch Linux has been fixed. (h01ger, Mattia Rizzolo) Documentation update Paul Gevers documented timestamps in unit files created by the Free Pascal Compiler. reproducible-builds.org is now live. It contains a comprehensive documentation on all aspects that have been identified so far of what we call reproducible builds . It makes room for pointers to projects working on reproducible builds, news, dedicated tools, and community events. Package reviews 206 reviews have been removed, 171 added and 196 updated this week. Chris Lamb reported 28 failing to build from source issues. New issues identified this week: timestamps_in_pdf_content, different_encoding_in_html_by_docbook_xsl, timestamps_in_ppu_generated_by_fpc, method_may_never_be_called_in_documentation_generated_by_javadoc. Misc. Andrei Borzenkov has proposed a fix for uninitialized memory in GRUB's mkimage. Uninitialized memory is one source of hard to track down reproducibility errors. Holger Levsen presented the efforts on reproduible builds at Festival de Software Libre in Puerto Vallarta, Mexico.

What happened in the reproducible builds effort this week: Toolchain fixes

• Niels Thykier uploaded debhelper/9.20151004 which exports SOURCE_DATE_EPOCH when running dh_auto_* (patch by Dhole). dh now also calls dh_strip_nondeterminism during build (patch by Andrew Ayer). The only remaining change regarding reproducibility in the custom debhelper is related to mtimes in data.tar which might be fixed directly in dpkg instead.
• Niels Thykier made another upload of debhelper/9.20151005 the next day to sort Build IDs added by dh_strip in control files.

Scott Kitterman fixed an issue with non-deterministic Depends generated by dh-python identified by Santiago Vila and Chris Lamb. Lunar updated the patch against dpkg which makes the order of files in control.tar.gz deterministic using the new --sort=name option available in GNU Tar 1.28. josch released sbuild version 0.66.0-1 with several fixes and improvements. The most notable one for reproducible builds is the new --build-path option and $build_path configuration variable added by akira which allows to explicitly chose a given build path. Reiner Herrmann wrote a new patch for dh-systemd to sort the list of unit files in the generated maintainer scripts. Packages fixed The following packages became reproducible due to changes in their build dependencies: aoeui, apron, camlmix, cudf, findlib, glpk-java, hawtjni, haxe, java-atk-wrapper, llvm-py, misery, mtasc, ocamldsort, optcomp, spamoracle. The following packages became reproducible after getting fixed:

• classified-ads/0.08-1 uploaded by Antti J rvinen, fix merged upstream, original patch by Reiner Herrmann.
• criu/1.7-3 uploaded by Salvatore Bonaccorso, original patch by Chris Lamb.
• doomsday/1.15.4-1 by Michael Gilbert.
• ejabberd/15.07-1~exp1 by Philipp Huebner.
• libxbean-java/4.4-1 by Emmanuel Bourg.
• markdown/1.0.1-8 uploaded by Matt Kraai, original patches by Chris Lamb (#776925) and akira (#793701).
• nedit/1:5.6a-3 by Paul Gevers.
• nvidia-settings/340.93-1 uploaded by Andreas Beckmann, original patch by Lunar.
• ocaml/4.02.3-2 by St phane Glondu.
• polygen/1.0.6.ds2-14 uploaded by Mehdi Dogguy, original patch by Chris Lamb.
• stsci.distutils/0.3.7-4 by Aurelien Jarno.
• vdr/2.2.0-4 by Tobias Grimm.
• vdr-plugin-xineliboutput/1.1.0+cvs20150907-3 by Tobias Grimm.
• w3c-markup-validator/1.3+dfsg-3 by Santiago Vila.
• xcolorsel/1.1a-19 by Santiago Vila.
• xmoto/0.5.11+dfsg-3 by Stephen Kitt.

Some uploads fixed some reproducibility issues but not all of them:

• ognl/2.7.3-6 by Emmanuel Bourg.
• enblend-enfuse/4.1.4+dfsg-2 by Andreas Metzler.

Untested

• nvidia-xconfig/340.93-1 by Andreas Beckmann.
• nvidia-settings-legacy-304xx/304.128-1 by Andreas Beckmann.

Patches submitted which have not made their way to the archive yet:

• #801212 on unicode-data by Esa Peuha: set TZ=UTC when calling unzip.

reproducible.debian.net ProfitBricks once again increased their support for reproducible builds in Debian and in other free software projects by adding 58 new cores and 138 GiB of RAM to the already existing setup. Two new amd64 build nodes and 16 new amd64 build jobs have been added which doubles the build capacity per day and allows us to spot many kind of problems earlier. The size of the tmpfs where builds are performed has also been increased from 70 to 200 GiB on all amd64 build nodes. Huge thanks! When examining a package, a link now points to a table listing all previous recorded tests for the same package. (Mattia) The menu on the package pages has also been improved. (h01ger) Packages in the depwait state are now rescheduled automatically after five days. (h01ger) Links to documentation and other projects being tested have been made more visible on the landing page. (h01ger) To reduce noise on the team IRC channel five different types of notifications have been turned into mail notifications. The remaining ones have been shortened and the status changes have been limited to unstable and experimental. (h01ger) Maintainer notifications about status changes in a package will only be sent out once per day, and not on each status change. (h01ger) diffoscope development Some more experiments of concurrent processing have been made. None were good and reliable enough to be shared, though. Package reviews 48 reviews have been removed, 189 added and 23 updated this week. 9 FTBFS bugs were reported by Chris Lamb. Misc. h01ger met with Levente Polyak to discuss testing Arch Linux on Debian continuous test system with an easily extensible framework. The idea is to also allow testing of other distributions, and provide a nice package based view like the one for Debian.

Thorsten Glaser reported Debian bug #780000 on Saturday March 7th 2015, against the gcc-4.9 package. Bug #770000 was reported as of November 18th so there have been 10,000 bugs in about 3.5 months, which was significantly slower than earlier. Salvatore Bonaccorso reported Debian bug #790000 on Friday June 26th 2015, against the pcre3 package. Thus, there have been 10,000 bugs in 3.5 months again. It seems that the bug report rate stabilized again. Sorry for missing bug #780000 annoucement. I'm doing this since....November 2007 for bug #450000 and it seems that this lack of attention is somehow significant wrt my involvment in Debian. Still, this involvment is still here and I'll try to "survive" in the project until we reach bug #1000000...:-) See you for bug #800000 annoucement and the result of the bets we placed on the date it would happen.

Well, here are the stats for the final week of the DUCK challenge as well as DebConf15:

• Yao Wei uploaded big-cursor
• Denis Briand abook
• Salvatore Bonaccorso uploaded libtext-simpletable-perl, libstring-bufferstack-perl and libcarp-clan-perl
• Sandro Tois uploaded dot2txt
• Florian Schlichting uploaded libxml-dom-perl, libtie-array-sorted-perl, libvalidate-net-perl and libtext-typography-perl
• Enrico Tassi uploaded lua-sec
• Bas Couwenberg uploaded modestmaps-py
• Riku Voipo uploaded device-tree-compiler
• Lucas Kanashiro uploaded libclass-gomor-perl and libclass-c3-adopt-perl
• Bernd Zeimez uploaded lua-json
• Olivier Sallou uploaded biojava4-live
• Kari Pahula uploaded gearhead
• Gregor Hermann uploaded libnet-tclink-perl
• Jakub Wilk uploaded pebl

So we had 21 packages fixed and uploaded by 14 different uploaders. People were really working hard on this during DebConf. A big "Thank You" to you!! Since the start of this challenge, a total of 89 packages, were fixed. Here is a quick overview:

	Week 1	Week 2	Week 3	Week 4	Week 5	Week 6	Week 7
# Packages	10	15	10	14	10	9	21
Total	10	25	35	49	59	68	89

Thank you all for participating - either on purpose or "accidentially": Some people were really surprised as i sneaked up on them at DebConf15, confronting them with a green lighter! I just tried to put even more fun into Debian, i hope this worked out Pevious articles are here: Week 1, Week 2, Week 3, Week 4, Week 5,Week 6.

The package mime-support is installed by default on Debian systems. It has two roles: first to provide the file /etc/mime.types that associates media types (formerly called MIME types) to suffixes of file names, and second to provide the mailcap system that associates media types with programs. I adopted this package at the end of the development cycle of Wheezy. Changes since Wheezy. The version distributed in Jessie brings a few additions in /etc/mime.types. Among them, application/vnd.debian.binary-package and text/vnd.debian.copyright, which as their name suggest describe two file formats designed by Debian. I registered these types to the IANA, which is more open to the addition of new types since the RFC 6838. The biggest change is the automatic extraction of the associations between programs and media types that are declared in the menu files in FreeDesktop format. Before, it was the maintainer of the Debian package who had to extract this information and translate it in mailcap format by hand. The automation is done via dpkg triggers. A big thank you to Kevin Ryde who gave me a precious help for the developments and corrections to the run-mailcap program, and to all the other contributors. Your help is always welcome! Security updates. In December, Debian has been contacted by Timothy D. Morgan, who found that an attacker could get run-mailcap to execute commands by inserting them in file names (CVE-2014-7209). This first security update for me went well, thanks to the help and instructions of Salvatore Bonaccorso from the Security team. The problem is solved in Wheezy, Jessie and Sid, as well as in Squeeze through its long term support. One of the consequences of this security update is that run-mailcap will systematically use the absolute path to the files to open. For harmless files, this is a bit ugly. This will perhaps be improved after Jessie is released. Future projects The file /etc/mime.types is kept up to date by hand; this is slow and inefficient. The package shared-mime-info contains similar information, that could be used to autogenerate this file, but that would require to parse a XML source that is quite complex. For the moment, I am considering to import Fedora's mailcap package, where the file /etc/mime.types is very well kept up to date. I have not yet decided how to do it, but maybe just by moving that file from one package to the other. In that case, we would have the mime-support package that would provide mailcap support, and the package whose source is Fedora's mailcap package who would provide /etc/mime.types. Perhaps it will be better to use clearer names, such as mailcap-support for the first and media-types for the second? Separating the two main functionalities of mime-support would have an interesting consequence: the possibility of not installing the support for the mailcap system, or to make it optional, and instead to use the FreeDesktop sytem (xdg-open), from the package xdg-utils. Something to keep in mind...

Debian LTS - feedback about the feedback from my LTS talk at DebConf14 So, I'm more or less back from dc14 and today, five days later, I think I might have mostly overcome jetlag. Probably... So, at DebConf14 I gave a talk about LTS and while I'm sorry that I was that tired, I'm more or less happy how the talk went. Thankfully at least I was calm and relaxed... There are a couple of things I learned from the talk: a.) LTS has been really really perceived well b.) it fits a demand c.) people already take it for granted (eg plan for Wheezy LTS) d.) people expect the same non-intrusive changes as currently done for security updates. To explain the last point: when I explained the - so far - rather theoretical problem that ''squeeze-lts'' has no gatekeeper mechanisms whatsoever (eg no ''proposed-updates'', no NEW queue..) the reaction in the audience was basically "something like this should exist, else how can we deploy this in large scale / on important setup?!". Also currently there is no, well-documented, easily to be found policy for what kind of updates are acceptable. I said that we basically follow the same rules as there are for debian-security updates, but this should really be documented properly. This doesn't seem very hard to fix, just like many things it "just" needs someone to do the work. IOW: we explain how to use LTS, we explain how to contribute to LTS (through uploads or financially) but we lack a simple explaination what LTS is and what kind of updates to expect. It's kinda self evident, but only kinda. So since giving the talk I changed one thing in my personal usage of LTS: I don't use my personal LTS repo anymore, where I made sure only good packages got in. This is for two reasons: a.) I had too add new packages too often and b.) if it really is a problem that LTS has no gatekeeping mechanism (which I'm not sure anymore it is, after all, the updates are prepared by reasonable people with a common goal...) then I want to suffer this first hand, so I can build solutions which benefit everyone, not just me. That personal LTS repo only helped me. On the technical side I prepared five DLAs, for lzo2, libwpd, squid3, lua5.1 and bind9. Not much to see here, they all were very smooth. I still enjoyed the challenge of digging in unknown sourcecode, as described in my previous post. Then more interestingly, and with the help of Raphael Geissert and Salvatore Bonaccorso I fixed the security-tracker to also know about oldstable, after waiting for more than 8 weeks to someone else doing it. I'm very glad that this is done now, as without it was really tedious to check which issues were applying to oldstable. Oh, and another afterthought from giving the talk: currently at least parts of the security-tracker codebase assume that there won't ever be support for oldoldstable, but once jessie has been released this won't be true anymore. Then we will support stable, oldstable and oldoldstable. And oldstable will be wheezy, not squeeze. We have something like 6 months to fix this, hopefully we won't have much more time... Oh, and surely there are other places than just the security-tracker which will need to be taught about this.

Debian LTS - feedback about the feedback from my LTS talk at DebConf14 So, I'm more or less back from dc14 and today, five days later, I think I might have mostly overcome jetlag. Probably... So, at DebConf14 I gave a talk about LTS and while I'm sorry that I was that tired, I'm more or less happy how the talk went. Thankfully at least I was calm and relaxed. There are a couple of things I learned from the talk: a.) LTS has been really really perceived well b.) it fits a demand c.) people already take it for granted (eg plan for Wheezy LTS) d.) people expect the same non-intrusive changes as currently done for security updates. To explain the last point: when I explained the - so far - rather theoretical problem that ''squeeze-lts'' has no gatekeeper mechanisms whatsoever (eg no ''proposed-updates'', no NEW queue..) the reaction in the audience was basically "something like this should exist, else how can we deploy this in large scale / on important setup?!". Also currently there is no, well-documented, easily to be found policy for what kind of updates are acceptable. I said that we basically follow the same rules as there are for debian-security updates, but this should really be documented properly. This doesn't seem very hard to fix, just like many things it "just" needs someone to do the work. IOW: we explain how to use LTS, we explain how to contribute to LTS (through uploads or financially) but we lack a simple explaination what LTS is and what kind of updates to expect. It's kinda self evident, but only kinda. So since giving the talk I changed one thing in my personal usage of LTS: I don't use my personal LTS repo anymore, where I made sure only good packages got in. This is for two reasons: a.) I had too add new packages too often and b.) if it really is a problem that LTS has no gatekeeping mechanism (which I'm not sure anymore it is, after all, the updates are prepared by reasonable people with a common goal...) then I want to suffer this first hand, so I can build solutions which benefit everyone, not just me. That personal LTS repo only helped me. On the technical side I prepared five DLAs, for lzo2, libwpd, squid3, lua5.1 and bind9. Not much to see here, they all were very smooth. I still enjoyed the challenge of digging in unknown sourcecode, as described in my previous post. Then more interestingly, and with the help of Raphael Geissert and Salvatore Bonaccorso I fixed the security-tracker to also know about oldstable, after waiting for more than 8 weeks to someone else doing it. I'm very glad that this is done now, as without it was really tedious to check which issues were applying to oldstable. Oh, and another afterthought from giving the talk: currently at least parts of the security-tracker codebase assume that there won't ever be support for oldoldstable, but once jessie has been released this won't be true anymore. Then we will support stable, oldstable and oldoldstable. And oldstable will be wheezy, not squeeze. We have something like 6 months to fix this, hopefully we won't have much more time... Oh, and surely there are other places than just the security-tracker which will need to be taught about this.

Yesterday I spent a while looking at the Debian code search site, an enormously useful service allowing you to search the code contained in the Debian archives. The end result was three trivial bug reports:

#756565 - lives

Insecure usage of temporary files. A CVE-identifier should be requested.

#756566 - libxml-dt-perl

Insecure usage of temporary files. A CVE-identifier has been requested by Salvatore Bonaccorso, and will be added to my security log once allocated.

756600 - xcfa

Insecure usage of temporary files. A CVE-identifier should be requested.

Finding these bugs was a simple matter of using the code-search to look for patterns like "system.*>.*%2Ftmp". Perhaps tomorrow somebody else would like to have a go at looking for backtick-related operations (" "), or the usage of popen. Tomorrow I will personally be swimming in a loch, which is more fun than wading in code..

Michael Stapelberg recently posted a blog post about looking into the number of Debian Developers actively working on RC bugs for the upcoming wheezy release. In this blog post I analyze the data shared by Michael and provide the R commands used to generate the plots & findings. If you are interested into looking into the data yourself, but don t like R, I suggest using ipython notebook + numpy instead.

Analysis After parsing the data file we typically want to get an understanding of the data, by using summary(bugs) we get the minimum(1), median(5), mean(15.4), max(716) and quantiles of the data. This shows that the number of messages is wide-spread and a few people contribute a lot. To visualize the dispersion of the data we can create a box plot showing the range of messages: As the first and third quantile are close together we can assume that the majority of the work is done by a few, especially since the second quantile is 5. This is supported by the histogram below, where the x axis is the number of recorded messages and y is the number of developers.

Top 10 contributors The TOP 10 contributors, according to the dataset, are:

1. Lucas Nussbaum - 716 messages
2. Gregor Herrmann - 270 messages
2. Jakub Wilk - 270 messages
4. Andreas Beckmann - 225 messages
5. Julien Cristau - 205 messages
6. Cyril Brulebois - 169 messages
7. Moritz Muehlenhoff - 162 messages
8. Michael Biebl - 159 messages
9. Salvatore Bonaccorso - 158 messages
10. Christoph Egger - 142 messages

r commands These are the commands used to generate the plots and information in this plot:

bugs <- read.csv("by-msg.csv")
summary(bugs)
boxplot(bugs$rcbugmsg, log='y', range=0, ylab="# bugs")
quantile(bugs$rcbugmsg)
0%  25%  50%  75% 100%
1    2    5   12  716
# create histogram
llibrary('ggplot2')
ggplot(bugs, aes(x=rcbugmsg)) + geom_histogram(binwidth=.5, colour="black", fill="black") + scale_x_sqrt()
top10 <- tail(bugs[order(bugs$rcbugmsg),], 10)
top10

Michael Stapelberg recently posted a blog post about looking into the number of Debian Developers actively working on RC bugs for the upcoming wheezy release. In this blog post I analyze the data shared by Michael and provide the R commands used to generate the plots & findings. If you are interested into looking into the data yourself, but don t like R, I suggest using ipython notebook + numpy instead.

Analysis After parsing the data file we typically want to get an understanding of the data, by using summary(bugs) we get the minimum(1), median(5), mean(15.4), max(716) and quantiles of the data. This shows that the number of messages is wide-spread and a few people contribute a lot. To visualize the dispersion of the data we can create a box plot showing the range of messages: As the first and third quantile are close together we can assume that the majority of the work is done by a few, especially since the second quantile is 5. This is supported by the histogram below, where the x axis is the number of recorded messages and y is the number of developers.

Top 10 contributors The TOP 10 contributors, according to the dataset, are:

1. Lucas Nussbaum - 716 messages
2. Gregor Herrmann - 270 messages
2. Jakub Wilk - 270 messages
4. Andreas Beckmann - 225 messages
5. Julien Cristau - 205 messages
6. Cyril Brulebois - 169 messages
7. Moritz Muehlenhoff - 162 messages
8. Michael Biebl - 159 messages
9. Salvatore Bonaccorso - 158 messages
10. Christoph Egger - 142 messages

r commands These are the commands used to generate the plots and information in this plot:

bugs <- read.csv("by-msg.csv")
summary(bugs)
boxplot(bugs$rcbugmsg, log='y', range=0, ylab="# bugs")
quantile(bugs$rcbugmsg)
0%  25%  50%  75% 100%
1    2    5   12  716
# create histogram
llibrary('ggplot2')
ggplot(bugs, aes(x=rcbugmsg)) + geom_histogram(binwidth=.5, colour="black", fill="black") + scale_x_sqrt()
top10 <- tail(bugs[order(bugs$rcbugmsg),], 10)
top10

Big release notes since 1.0: We ve got a new list dput-ng-maint@lists.alioth.debian.org feel free to subscribe!

1.3:
  * Avoid failing on upload if a pre/post upload hook is missing from the
    Filesystem.
  * Fix "dcut raises FtpUploadException" by correctly initializing the uploader
    classes from dcut (Closes: #696467)
1.2:
  * Add bash completions for dput-ng (Closes: #695412).
  * Add in a script to set the default profile depending on the building
    distro (Ubuntu support)
  * Fix a bug where meta-class info won't be loaded if the config file has the
    same name.
  * Add an Ubuntu upload target.
  * Added .udeb detection to the check debs hook.
  * Catch the correct exception falling out of bin/dcut
  * Fix the dput manpages to use --uid rather then the old --dm flag.
  * Fix the CLI flag registration by setting required=True
    in cancel and upload.
  * Move make_delayed_upload above the logging call for sanity's sake.
  * Fix "connects to the host even with -s" (Closes: #695347)

Thanks to everone who s contributed!

     7  Bernhard R. Link
     4  Ansgar Burchardt
     3  Luca Falavigna
     2  Michael Gilbert
     2  Salvatore Bonaccorso
     1  Benjamin Drung
     1  Gergely Nagy
     1  Jakub Wilk
     1  Jimmy Kaplowitz
     1  Luke Faraone
     1  Sandro Tosi

This has been your every-once-in-a-while dput-ng update. We re looking for more code contributions (to make sure everyone s happy), doc updates (etc) or ideas.

I just realized it's sunday again, so here goes my list of RC bugs I've worked on during the last week:

• #603428 snort-pgsql,snort-mysql: "snort: prompting due to modified conffiles which where not modified by the user"
  investigate with piuparts, later tagged/fixed by Salvatore Bonaccorso and Ivo De Decker
• #667995 python-cups: "cupsd configuration: "cupsdAuthorize: Empty Basic password!""
  backport fix from Fedora git, after Vagrant's test upload it to DELAYED/2
• #684732 release.debian.org: "unblock: nut/2.6.4-2.2"
  sponsor NMU prepared by Ivo De Decker, upload to DELAYED/1
• #694890 liblemonldap-ng-handler-perl: "liblemonldap-ng-handler-perl: fails to install: cp: cannot create regular file '/var/lib/lemonldap-ng/handler/MyHandler.pm': No such file or directory"
  upload package prepared by xguimard (pkg-perl)
• #696329 lemonldap-ng: "lemonldap-ng: CVE-2012-6426: SAML messages signatures are not verified"
  upload package prepared by xguimard (pkg-perl)

I just realized it's sunday again, so here goes my list of RC bugs I've worked on during the last week:

• #603428 snort-pgsql,snort-mysql: "snort: prompting due to modified conffiles which where not modified by the user"
  investigate with piuparts, later tagged/fixed by Salvatore Bonaccorso and Ivo De Decker
• #667995 python-cups: "cupsd configuration: "cupsdAuthorize: Empty Basic password!""
  backport fix from Fedora git, after Vagrant's test upload it to DELAYED/2
• #684732 release.debian.org: "unblock: nut/2.6.4-2.2"
  sponsor NMU prepared by Ivo De Decker, upload to DELAYED/1
• #694890 liblemonldap-ng-handler-perl: "liblemonldap-ng-handler-perl: fails to install: cp: cannot create regular file '/var/lib/lemonldap-ng/handler/MyHandler.pm': No such file or directory"
  upload package prepared by xguimard (pkg-perl)
• #696329 lemonldap-ng: "lemonldap-ng: CVE-2012-6426: SAML messages signatures are not verified"
  upload package prepared by xguimard (pkg-perl)

This is my monthly summary of my Debian related activities. If you re among the people who made a donation to support my work (227.83 , thanks everybody!), then you can learn how I spent your money. Otherwise it s just an interesting status update on my various projects. Dpkg Thanks to Guillem, dpkg with multiarch support is now available in Debian sid. The road has been bumpy, and it has again been delayed multiple times even after Guillem announced it on debian-devel-announce. Finally, the upload happened on March 19th. I did not appreciate his announce because it was not coordinated at all, and had I been involved from the start, we could have drafted it in a way that sounded less scary for people. In the end, I provided a script so that people can verify whether they were affected by one of the potential problems that Guillem pointed out. While real, most of them are rather unlikely for typical multiarch usage. Bernhard R. Link submitted a patch to add a new status command to dpkg-buildflags. This command would print all the information required to understand which flags are activated and why. It would typically be called during the build process by debian/rules to keep a trace of the build flags configuration. The goal is to help debugging and also to make it possible to extract that information automatically from build logs. I reviewed his patch and we made several iterations, it s mostly ready to be merged but there s one detail where Bernhard and I disagree and I solicited Guillem s opinion to try to take a decision. Unfortunately neither Guillem nor anyone else chimed in. On request of Alexander Wirt, I uploaded a new backport of dpkg where I dropped the DEB_HOST_MULTIARCH variable from dpkg-architecture to ensure multi-arch is never accidentally enabled in other backports. One last thing that I did not mention publicly at all yet, is that I contacted Lennart Poettering to suggest an improvement to the /etc/os-release file that he s trying to standardize across distributions. It occurred to me that this file could also replace our /etc/dpkg/origins/default file (and not only /etc/debian_version) provided that it could store ancestry information. After some discussions, he documented new official fields for that file (ID_LIKE, HOME_URL, SUPPORT_URL, BUG_REPORT_URL). Next step for me is to improve dpkg-vendor to support this file (as a fallback or as default, I don t know yet). Packaging I packaged quilt 0.60 (we re now down to 9 Debian-specific patches, from a whopping 26 in version 0.48!) and zim 0.55. In prevision of the next upstream version of Publican, I asked the Perl team to package a few Perl modules that Publican now requires. Less than two weeks after, all of them were in Debian Unstable. Congrats and many thanks to the Perl team (and Salvatore Bonaccorso in particular, which I happen to know because we were on the same plane during last Debconf!). On a side note, being the maintainer of nautilus-dropbox became progressively less fun over the last months, in particular because the upstream authors tried to override some of the (IMO correct) packaging decisions that I made and got in touch with Ubuntu community managers to try to have their way. Last but not least, I keep getting duplicates of a bug that is not in my package but in the official package and that Dropbox did not respond to my query. Book update The translation is finished and we re now reviewing the whole book. It takes a bit more time than expected because we re trying to harmonize the style and because it s difficult to coordinate the work of several volunteer reviewers. The book cover is now almost finalized (click on it to view it in higher definitions): We also made some progress on the interior design for the paperback. Unfortunately, I have nothing to show you yet. But it will be very nice and made with just a LaTeX stylesheet tailored for use with dblatex. The liberation fundraising slowed down with only 41 new supporters this month but it made a nice bump anyway thanks to a generous donation of 1000 EUR by Offensive security, the company behind Backtrack Linux. They will soon communicate on this, hopefully it will boost the operation. It would be really nice if we managed to raise the remaining 3000 EUR in the few weeks left until the official release of the book! The work on my book dominated the month and explains my relative inactivity on other fronts. I worked much more than usual, and my wife keeps telling me that I look tired and that I should go in bed earlier but I see the end of the tunnel: if everything goes well, the book should be released in a few weeks and I will be able to switch back to a saner lifestyle. Thanks See you next month for a new summary of my activities.

One comment Liked this article? Click here. My blog is Flattr-enabled.