Chris Lamb: Free software activities in August 2017
Here is my monthly update covering what I have been doing in the free software world in August 2017 (previous month):
- Created ZeroCoolOS, a live operating system that plays the film Hackers (1995) on a continuous loop.
- Sent a patch for pristine-tar to allow storage of detached upstream signatures. (#871809)
- Worked more on Lintian, a static analysis tool for Debian packages, reporting on various errors, omissions and quality-assurance issues to the maintainer (previous changes):
  - Fix an apache2-unparsable-dependency false positive by allowing periods in dependency names. (#873701)
  - Ignore "repacked" packages when checking for upstream source tarball signatures as they will never match.
  - Downgrade the severity of orig-tarball-missing-upstream-signature. (#870722)
  - From a suggestion by Theodore Ts'o, expand the explanation of orig-tarball-missing-upstream-signature to include the location where dpkg-source looks.
  - Address a number of issues in the copyright-year-in-future tag, including preventing false positives in port numbers, email addresses, ISO standard numbers and street addresses (#869788), as well as "meta" or testing statements (#873323). In addition, report all violating years in a line and expand the testsuite.
  - Don't match quoted "FIXME" variants of file-contains-fixme-placeholder (#870199), avoid checking copyright_hints files (#872843) and downgrade the tag's severity.
  - Apply a patch from Alex Muntada to recommend "substr" over "substring" in mentions-deprecated-usr-lib-perl5-directory. (#871767)
  - Prevent missing-build-dependency-for-dh_-command false positives exposed by following the advice in useless-autoreconf-build-depends. (#869541)
  - Ensure readme-debian-contains-debmake-template also checks for files containing "Automatically generated by debmake".
  - Check that python3-foo packages have a Section: python, not just python2-foo. (#870272)
  - Check for packages shipping compiled Java class files. (#873211)
  - Additionally consider .cljc files to avoid codeless-jar warnings. (#870649)
  - Prevent desktop-entry-lacks-keywords-entry false positives for Link and Directory-style .desktop files. (#873702)
  - Split out the Python checks from checks/scripts.pm into a new check of type source.
  - Check for python-foo without a corresponding python3-foo package. (#870681)
  - Complain about packages that Build-Depend on python-sphinx only. (#870730)
  - Warn about packages that alternatively Build-Depend on the Python 2 and Python 3 versions of Sphinx. (#870758)
  - Check for packages that depend on Python 2.x. (#870822)
  - Correct false positives in unconditional-use-of-dpkg-statoverride by detecting "if !" as a shell prefix. (#869587)
  - Alert on missing calls to dpkg-maintscript-helper(1) in maintainer scripts. (#872042)
  - Check for packages using sensible-utils without declaring a dependency after it was split from debianutils. (#872611)
  - Warn about scripts using nodejs as an interpreter now that the nodejs package provides /usr/bin/node. (#873096)
  - Remove recommendations to add a Testsuite: autopkgtest field to debian/control and emit a new tag if the package does so. (#865531)
  - Recognise autopkgtest-pkg-elpa as a valid test suite. (#873458)
  - Add a note to the /etc/bash_completion.d obsolete path warning output regarding stricter filename requirements. (#814599)
  - Add 4.0.1 and 4.1.0 as known Policy standards versions.
  - Apply a patch from Maia Everett to avoid British spellings under the en_US locale. (#868897)
  - Stop emitting {maintainer,uploader}-address-causes-mail-loops for @packages.debian.org addresses. (#871575)
  - Modify Lintian::Data's all subroutine to always return keys in insertion order.
  - Apply a patch from Steve Langasek to accommodate binutils outputting symbols in a different format on the ppc64el architecture. (#869750)
  - Add an explicit test for packages including external fonts via the Google Font and TypeKit APIs. (#873434)
  - Add missing entries in internal Test-For fields to make the development/testing workflow less error-prone.
- Sent three pull requests to git-buildpackage, a tool to assist in Debian packaging from Git repositories:
  - Make pq --abbrev= configurable. (#872351)
  - Use build profiles to avoid installation of test dependencies. (#31)
  - Correct "allow to" grammar. (#30)
- Updated travis.debian.net (my hosted service for projects that host their Debian packaging on GitHub to use the Travis CI continuous integration platform for testing):
  - Move away from deb.debian.org; Travis appears to be using an HTTP proxy that strips SRV records. (commit)
  - Highlight that double quotes are required for TRAVIS_DEBIAN_EXTRA_REPOSITORY. (commit)
  - Use force-unsafe-io. (commit)
  - Clarify the docs for when upstream already has a travis.yml file. (#46)
  - Make the documentation easier to copy-paste. (commit)
- Merged a pull request in django-slack, my library to easily post messages to the Slack group-messaging utility, where instantiation of a SlackException was failing. (#71)
- Assigned two pull requests to the Redis key-value database store to correct "did not received" and "faield" typos. (#4216 & #4215).
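The unconditional-use-of-dpkg-statoverride false positive in the Lintian changes above shows how easily a text-based check of maintainer scripts goes wrong: a `dpkg-statoverride --add` that is perfectly well guarded by `if !` looks unguarded to a check that only knows `if`. What follows is an added example and not Lintian's own code (Lintian's checks are Perl and live in checks/scripts.pm): a simplified Python detector that flags `dpkg-statoverride --add` unless the call has a conditional shell prefix on the same logical line (`if`, `if !`, `elif`, `while`, `&&`, `||`) or sits inside an if-block whose test consults `dpkg-statoverride --list`. The sample postinst it scans is constructed for the example, and the helper names and guard heuristics are mine.

```python
"""A simplified check for unconditional dpkg-statoverride calls.

Added example, not Lintian's code: flags "dpkg-statoverride --add" in a
maintainer script unless the call is guarded, where a guard is a conditional
shell prefix on the same logical line ("if", "if !", "elif", "while", "&&",
"||") or an enclosing if-block whose test consults "dpkg-statoverride --list".
"""
import re

# Invocations that modify the override database.
_ADD = re.compile(r"dpkg-statoverride\s+(?:--update\s+)?--add\b")
# The idiomatic pre-check that makes a subsequent --add safe to repeat.
_LIST = re.compile(r"dpkg-statoverride\s+--list\b")
# Conditional prefixes; the optional "!" is the false positive fixed above.
_PREFIX = re.compile(r"^\s*(?:if|elif|while)\s+!?\s*")
_IF_LINE = re.compile(r"^\s*if\b")
_FI_LINE = re.compile(r"^\s*fi\b")


def _logical_lines(script):
    """Yield (first_line_number, text) with backslash continuations joined,
    so a guard on one physical line still covers the call on the next."""
    buf, start = [], None
    for lineno, line in enumerate(script.splitlines(), 1):
        if start is None:
            start = lineno
        if line.rstrip().endswith("\\"):
            buf.append(line.rstrip()[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:
        yield start, " ".join(buf)


def find_unconditional_statoverride(script):
    """Return [(line_number, text)] for each unguarded --add call."""
    findings = []
    guard_stack = []  # one entry per open "if"; True if its test runs --list
    for lineno, line in _logical_lines(script):
        code = line.split("#", 1)[0]  # comments dropped (a quoted '#' is not handled)
        if _IF_LINE.match(code):
            guard_stack.append(bool(_LIST.search(code)))
        match = _ADD.search(code)
        if match:
            before = code[: match.start()]
            same_line_guard = bool(_PREFIX.match(before)) or "&&" in before or "||" in before
            if not (same_line_guard or any(guard_stack)):
                findings.append((lineno, code.strip()))
        if _FI_LINE.match(code) and guard_stack:
            guard_stack.pop()
    return findings


# Constructed sample postinst: two guarded calls and one unguarded call.
SAMPLE_POSTINST = """#!/bin/sh
set -e

# Guarded by an enclosing if-block that first lists existing overrides.
if ! dpkg-statoverride --list /usr/bin/foo >/dev/null 2>&1; then
    dpkg-statoverride --update --add root root 4755 /usr/bin/foo
fi

# Guarded on one logical line with || (note the continuation).
dpkg-statoverride --list /usr/bin/bar >/dev/null 2>&1 || \\
    dpkg-statoverride --update --add root root 4755 /usr/bin/bar

# Unguarded: dpkg-statoverride errors out if an override already exists.
dpkg-statoverride --update --add root root 4755 /usr/bin/baz

#DEBHELPER#
"""

if __name__ == "__main__":
    for lineno, text in find_unconditional_statoverride(SAMPLE_POSTINST):
        print("postinst:%d: unconditional-use-of-dpkg-statoverride: %s" % (lineno, text))
```

Running the module prints a single finding for the `/usr/bin/baz` line; the `/usr/bin/foo` call is covered by the `if ! dpkg-statoverride --list` block and the `/usr/bin/bar` call by the `||` on the joined continuation line. An unrelated `if` (one that does not run `--list`) deliberately does not count as a guard, since it says nothing about whether the override already exists.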
Reproducible builds
Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.
The motivation behind the Reproducible Builds effort is to allow verification that no flaws have been introduced, either maliciously or accidentally, during this compilation process, by promising that identical results are always generated from a given source, thus allowing multiple third parties to come to a consensus on whether a build was compromised.
I have generously been awarded a grant from the Core Infrastructure Initiative to fund my work in this area.
This month I:
- Presented a status update at Debconf17 in Montréal, Canada alongside Holger Levsen, Maria Glukhova, Steven Chamberlain, Vagrant Cascadian, Valerie Young and Ximin Luo.
- I worked on the following issues upstream:
- Within Debian:
  - My work as Debian Project Leader (DPL) is covered in my monthly Bits from the DPL email to debian-devel-announce.
  - Created isdebianreproducibleyet.com.
  - Sent a patch to dpkg to sort the "unused substitution" warnings. (#870221)
  - Added a script to devscripts to report on the reproducibility status of installed packages. (#872514)
  - Modified the Debian archive tools (dak) to automatically reject packages which do not bump their date in debian/changelog. (debian-devel post)
  - Fixed a QA issue in snappy that was caught by the reproducible builds continuous integration framework. (#872226)
  - I submitted three patches to fix specific reproducibility issues in grap, isa-support & python-numpy.
  - Finally, I also performed two non-maintainer uploads (NMUs) for jsmath-fonts (#792319) and xvier (#777330) to make their builds reproducible.
- Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
- Worked on publishing our weekly reports. (#118, #119, #120, #121 & #122)
I also made the following changes to our tooling:
diffoscope
diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.
- Use name attribute over path to avoid leaking comparison full path in output. (commit)
- Add missing skip_unless_module_exists import. (commit)
- Tidy diffoscope.progress and the XML comparator (commit, commit)
Debian
Patches contributed
- openssh: Quote the IP address in ssh-keygen -f suggestions. (#872643)
- libgfshare:
- devscripts:
  - Enable hardening buildflags for /usr/bin/debpkg. (#873379)
  - Add missing scripts/debc to .gitignore. (#873381)
- memcached: Add hardening to systemd .service file. (#871610)
- googler: Tidy long and short package descriptions. (#872461)
- gnome-split: Homepage points to domain-parked website. (#873037)
Uploads
- python-django 1:1.11.4-1 New upstream release.
- redis:
  - 4:4.0.1-3 Drop yet more non-deterministic tests.
  - 4:4.0.1-4 Tighten systemd/seccomp hardening.
  - 4:4.0.1-5 Drop even more tests with timing issues.
  - 4:4.0.1-6 Don't install completions to /usr/share/bash-completion/completions/debian/bash_completion/.
  - 4:4.0.1-7 Don't let sentinel integration tests fail the build as they use too many timers to be meaningful. (#872075)
- python-gflags 1.5.1-3 If SOURCE_DATE_EPOCH is set, use that as the source of current dates, otherwise use the UTC version of the file's modification time (#836004); don't call update-alternatives --remove in postrm; update debian/watch/Homepage & refresh/tidy the packaging.
- bfs 1.1.1-1 New upstream release, tidy autopkgtest & patches, organising the latter with Pq-Topic.
- python-daiquiri 1.2.2-1 New upstream release, tidy autopkgtests & update travis.yml from travis.debian.net.
- aptfs 2:0.10-2 Add upstream signing key, refer to /usr/share/common-licenses/GPL-3 in debian/copyright & tidy autopkgtests.
- adminer 4.3.1-2 Add a simple autopkgtest & don't install the Selenium-based tests in the binary package.
- zoneminder 1.30.4+dfsg-2 Prevent build failures with GCC 7 (#853717) & correct example /etc/fstab entries in README.Debian (#858673).
Finally, I reviewed and sponsored uploads of astral, inflection, more-itertools, trollius-redis & wolfssl.
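The python-gflags change above is the standard SOURCE_DATE_EPOCH rule, and it is also the concrete mechanism behind the Reproducible Builds paragraph earlier: a build embeds the date from SOURCE_DATE_EPOCH when that variable is set, otherwise the UTC modification time of its input, so that two builds of the same source produce byte-identical output and a third party can recompute the same hash. The following is an added example and not code from python-gflags or from this upload: it builds a small tar artifact from a constructed source file, once stamped with the wall clock (the behaviour being replaced) and once with `build_timestamp()`, and compares SHA-256 digests. All function names and the sample timestamps are mine.

```python
"""Build timestamps from SOURCE_DATE_EPOCH, with a reproducibility check.

Added example (not code from python-gflags or from this upload): the stamp
comes from SOURCE_DATE_EPOCH when set, otherwise from the UTC mtime of the
input file, and two builds of the same source then hash identically.
"""
import hashlib
import io
import os
import tarfile
import tempfile
import time
from datetime import datetime, timezone


def build_timestamp(path, env=None):
    """Seconds since the epoch that generated files should embed.

    SOURCE_DATE_EPOCH takes precedence; otherwise the input file's own mtime
    is used. Both are interpreted as UTC so the builder's time zone is not
    leaked into the artifact.
    """
    env = os.environ if env is None else env
    raw = env.get("SOURCE_DATE_EPOCH")
    if raw is not None:
        # The specification defines the value as a non-negative integer;
        # refuse anything else instead of silently falling back to the clock.
        stamp = int(raw)
        if stamp < 0:
            raise ValueError("SOURCE_DATE_EPOCH must be a non-negative integer")
        return stamp
    return int(os.stat(path).st_mtime)


def utc_string(stamp):
    """Render a stamp as a fixed-format UTC date, independent of locale and TZ."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def build_date_string(path, env=None):
    return utc_string(build_timestamp(path, env))


def _archive(source_path, stamp):
    """Pack the source file plus a generated BUILD_INFO into a tar archive,
    normalising every header field that would otherwise vary per build
    (mtime, owner, group) so the stamp is the only date-dependent input."""
    with open(source_path, "rb") as fh:
        source = fh.read()
    members = [
        ("src/" + os.path.basename(source_path), source),
        ("BUILD_INFO", ("built: %s\n" % utc_string(stamp)).encode()),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = stamp
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_build(source_path, clock=time.time):
    """The behaviour being replaced: stamp with the wall clock, so two builds
    of identical source differ."""
    return _archive(source_path, int(clock()))


def reproducible_build(source_path, env=None):
    """Stamp with build_timestamp(), so the output depends only on the input."""
    return _archive(source_path, build_timestamp(source_path, env))


def digest(blob):
    return hashlib.sha256(blob).hexdigest()


def demo():
    """Constructed input: one source file with a fixed mtime. Returns the
    checks a reproducibility test would assert on."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "hello.py")
        with open(src, "w") as fh:
            fh.write("print('hello')\n")
        os.utime(src, (1500000000, 1500000000))  # 2017-07-14 02:40:00 UTC
        naive_a = digest(naive_build(src, clock=lambda: 1503000000))
        naive_b = digest(naive_build(src, clock=lambda: 1503000100))
        env = {"SOURCE_DATE_EPOCH": "1502755200"}  # 2017-08-15 00:00:00 UTC
        repro_a = digest(reproducible_build(src, env))
        repro_b = digest(reproducible_build(src, env))
        fallback = build_date_string(src, {})  # no variable: uses the mtime
        return {
            "naive_differs": naive_a != naive_b,
            "reproducible_identical": repro_a == repro_b,
            "fallback_date": fallback,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %s" % (key, value))
```

The tar headers are normalised on purpose: even with a correct date stamp, leaving member mtimes, uid/gid or user names at their defaults would reintroduce exactly the kind of build-environment leakage that diffoscope ends up diagnosing. Rejecting a negative SOURCE_DATE_EPOCH rather than falling back to the clock keeps a misconfigured builder from silently producing a non-reproducible artifact.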
Debian LTS
This month I have been paid to work 18 hours on Debian Long Term Support (LTS). In that time I did the following:
- "Frontdesk" duties, triaging CVEs, etc.
- Issued DLA 1049-1 for libsndfile preventing a remote denial of service attack.
- Issued DLA 1052-1 against subversion to correct an arbitrary code execution vulnerability.
- Issued DLA 1054-1 for the libgxps XML Paper Specification library to prevent a remote denial of service attack.
- Issued DLA 1056-1 for cvs to prevent a command injection vulnerability.
- Issued DLA 1059-1 for the strongswan VPN software to close a denial of service attack.
Debian bugs filed
- wget: Please hash the hostname in ~/.wget-hsts files. (#870813)
- debian-policy: Clarify whether mailing lists in Maintainers/Uploaders may be moderated. (#871534)
- git-buildpackage: "pq export" discards text within square brackets. (#872354)
- qa.debian.org: Escape HTML in debcheck before outputting. (#872646)
- pristine-tar: Enable multithreaded compression in pristine-xz. (#873229)
- tryton-meta: Please combine tryton-modules-* into a single source package with multiple binaries. (#873042)
- azure-cli:
- fwupd-tests: Don't ship test files to generic /usr/share/installed-tests dir. (#872458)
- libvorbis: Maintainer field points to a moderated mailing list. (#871258)
- rmlint-gui: Ship a rmlint-gui binary. (#872162)
- template-glib: debian/copyright references online source without quotation. (#873619)
FTP Team
As a Debian FTP assistant I ACCEPTed 147 packages: abiword, adacgi, adasockets, ahven, animal-sniffer, astral, astroidmail, at-at-clojure, audacious, backdoor-factory, bdfproxy, binutils, blag-fortune, bluez-qt, cheshire-clojure, core-match-clojure, core-memoize-clojure, cypari2, data-priority-map-clojure, debian-edu, debian-multimedia, deepin-gettext-tools, dehydrated-hook-ddns-tsig, diceware, dtksettings, emacs-ivy, farbfeld, gcc-7-cross-ports, git-lfs, glewlwyd, gnome-recipes, gnome-shell-extension-tilix-dropdown, gnupg2, golang-github-aliyun-aliyun-oss-go-sdk, golang-github-approvals-go-approval-tests, golang-github-cheekybits-is, golang-github-chzyer-readline, golang-github-denverdino-aliyungo, golang-github-glendc-gopher-json, golang-github-gophercloud-gophercloud, golang-github-hashicorp-go-rootcerts, golang-github-matryer-try, golang-github-opentracing-contrib-go-stdlib, golang-github-opentracing-opentracing-go, golang-github-tdewolff-buffer, golang-github-tdewolff-minify, golang-github-tdewolff-parse, golang-github-tdewolff-strconv, golang-github-tdewolff-test, golang-gopkg-go-playground-validator.v8, gprbuild, gsl, gtts, hunspell-dz, hyperlink, importmagic, inflection, insighttoolkit4, isa-support, jaraco.itertools, java-classpath-clojure, java-jmx-clojure, jellyfish1, lazymap-clojure, libblockdev, libbytesize, libconfig-zomg-perl, libdazzle, libglvnd, libjs-emojify, libjwt, libmysofa, libundead, linux, lua-mode, math-combinatorics-clojure, math-numeric-tower-clojure, mediagoblin, medley-clojure, more-itertools, mozjs52, openssh-ssh1, org-mode, oysttyer, pcscada, pgsphere, poppler, puppetdb, py3status, pycryptodome, pysha3, python-cliapp, python-coloredlogs, python-consul, python-deprecation, python-django-celery-results, python-dropbox, python-fswrap, python-hbmqtt, python-intbitset, python-meshio, python-parameterized, python-pgpy, python-py-zipkin, python-pymeasure, python-thriftpy, python-tinyrpc, python-udatetime, python-wither, python-xapp, pythonqt, r-cran-bit, r-cran-bit64, r-cran-blob, r-cran-lmertest, r-cran-quantmod, r-cran-ttr, racket-mode, restorecond, rss-bridge, ruby-declarative, ruby-declarative-option, ruby-errbase, ruby-google-api-client, ruby-rash-alt, ruby-representable, ruby-test-xml, ruby-uber, sambamba, semodule-utils, shimdandy, sjacket-clojure, soapysdr, stencil-clojure, swath, template-glib, tools-analyzer-jvm-clojure, tools-namespace-clojure, uim, util-linux, vim-airline, vim-airline-themes, volume-key, wget2, xchat, xfce4-eyes-plugin & xorg-gtest.
I additionally filed 6 RC bugs against packages that had incomplete debian/copyright files: gnome-recipes, golang-1.9, libdazzle, poppler, python-py-zipkin & template-glib.