Like each month, have a look at the work funded by
Freexian's Debian LTS offering.
Debian LTS contributors
In March, 19 contributors have been paid to work on Debian
LTS, their reports are available:
- Abhijith PA
did 0.0h (out of 10.0h assigned and 4.0h from previous period), thus carrying over 14.0h to the next month.
- Adrian Bunk
did 59.5h (out of 47.5h assigned and 52.5h from previous period), thus carrying over 40.5h to the next month.
- Bastien Roucariès
did 22.0h (out of 20.0h assigned and 2.0h from previous period).
- Ben Hutchings
did 9.0h (out of 2.0h assigned and 22.0h from previous period), thus carrying over 15.0h to the next month.
- Chris Lamb
did 18.0h (out of 18.0h assigned).
- Daniel Leidert
did 12.0h (out of 12.0h assigned).
- Emilio Pozuelo Monfort
did 0.0h (out of 3.0h assigned and 57.0h from previous period), thus carrying over 60.0h to the next month.
- Guilhem Moulin
did 22.5h (out of 7.25h assigned and 15.25h from previous period).
- Holger Levsen
did 0.0h (out of 0.5h assigned and 11.5h from previous period), thus carrying over 12.0h to the next month.
- Lee Garrett
did 0.0h (out of 0.0h assigned and 60.0h from previous period), thus carrying over 60.0h to the next month.
- Markus Koschany
did 40.0h (out of 40.0h assigned).
- Ola Lundqvist
did 19.5h (out of 24.0h assigned), thus carrying over 4.5h to the next month.
- Roberto C. Sánchez
did 9.25h (out of 3.5h assigned and 8.5h from previous period), thus carrying over 2.75h to the next month.
- Santiago Ruano Rincón
did 19.0h (out of 16.5h assigned and 2.5h from previous period).
- Sean Whitton
did 4.5h (out of 4.5h assigned and 1.5h from previous period), thus carrying over 1.5h to the next month.
- Sylvain Beucler
did 25.0h (out of 24.5h assigned and 35.5h from previous period), thus carrying over 35.0h to the next month.
- Thorsten Alteholz
did 14.0h (out of 14.0h assigned).
- Tobias Frost
did 12.0h (out of 12.0h assigned).
- Utkarsh Gupta
did 19.5h (out of 0.0h assigned and 48.75h from previous period), thus carrying over 29.25h to the next month.
Evolution of the situation
In March, we have released 31 DLAs.
Adrian Bunk was responsible for updating gtkwave not only in LTS, but also in unstable, stable, and old-stable. This update involved an upload of a new upstream release of gtkwave to each target suite to address 82 separate CVEs. Guilhem Moulin prepared a particularly notable update of libvirt, which fixed multiple vulnerabilities that could lead to denial of service or information disclosure.
In addition to the normal security updates, multiple LTS contributors worked on getting various packages updated in more recent Debian releases, including gross for bullseye/bookworm (by Adrian Bunk), imlib2 for bullseye, jetty9 and tomcat9/10 for bullseye/bookworm (by Markus Koschany), samba for bullseye, py7zr for bullseye (by Santiago Ruano Rincón), cacti for bullseye/bookworm (by Sylvain Beucler), and libmicrohttpd for bullseye (by Thorsten Alteholz). Additionally, Sylvain actively coordinated with cacti upstream concerning an incomplete fix for CVE-2024-29894.
Like each month, have a look at the work funded by
Freexian's Debian LTS offering.
Debian LTS contributors
In February, 18 contributors have been paid to work on Debian
LTS, their reports are available:
- Abhijith PA
did 10.0h (out of 14.0h assigned), thus carrying over 4.0h to the next month.
- Adrian Bunk
did 13.5h (out of 24.25h assigned and 41.75h from previous period), thus carrying over 52.5h to the next month.
- Bastien Roucariès
did 20.0h (out of 20.0h assigned).
- Ben Hutchings
did 2.0h (out of 14.5h assigned and 9.5h from previous period), thus carrying over 22.0h to the next month.
- Chris Lamb
did 18.0h (out of 18.0h assigned).
- Daniel Leidert
did 10.0h (out of 10.0h assigned).
- Emilio Pozuelo Monfort
did 3.0h (out of 28.25h assigned and 31.75h from previous period), thus carrying over 57.0h to the next month.
- Guilhem Moulin
did 7.25h (out of 4.75h assigned and 15.25h from previous period), thus carrying over 12.75h to the next month.
- Holger Levsen
did 0.5h (out of 3.5h assigned and 8.5h from previous period), thus carrying over 11.5h to the next month.
- Lee Garrett
did 0.0h (out of 18.25h assigned and 41.75h from previous period), thus carrying over 60.0h to the next month.
- Markus Koschany
did 40.0h (out of 40.0h assigned).
- Roberto C. Sánchez
did 3.5h (out of 8.75h assigned and 3.25h from previous period), thus carrying over 8.5h to the next month.
- Santiago Ruano Rincón
did 13.5h (out of 13.5h assigned and 2.5h from previous period), thus carrying over 2.5h to the next month.
- Sean Whitton
did 4.5h (out of 0.5h assigned and 5.5h from previous period), thus carrying over 1.5h to the next month.
- Sylvain Beucler
did 24.5h (out of 27.75h assigned and 32.25h from previous period), thus carrying over 35.5h to the next month.
- Thorsten Alteholz
did 14.0h (out of 14.0h assigned).
- Tobias Frost
did 12.0h (out of 12.0h assigned).
- Utkarsh Gupta
did 11.25h (out of 26.75h assigned and 33.25h from previous period), thus carrying over 48.75h to the next month.
Evolution of the situation
In February, we have released 17 DLAs.
The number of DLAs published during February was a bit lower than usual, as there was much work going on in the area of triaging CVEs (a number of which turned out not to affect Debian buster, and others which ended up being duplicates, or were otherwise determined to be invalid). Of the packages which did receive updates, notable were sudo (to fix a privilege management issue), and iwd and wpa (both of which suffered from authentication bypass vulnerabilities).
While this has already been announced in the Freexian blog, we would like to mention here the start of the Long Term Support project for Samba 4.17. You can find all the important details in that post, but we would like to highlight that it is thanks to our LTS sponsors that we are able to fund the work from our partner, Catalyst, towards improving the security support of Samba in Debian 12 (Bookworm).
Like each month, have a look at the work funded by
Freexian's Debian LTS offering.
Debian LTS contributors
In January, 16 contributors have been paid to work on Debian
LTS, their reports are available:
- Abhijith PA
did 14.0h (out of 7.0h assigned and 7.0h from previous period).
- Bastien Roucariès
did 22.0h (out of 16.0h assigned and 6.0h from previous period).
- Ben Hutchings
did 14.5h (out of 8.0h assigned and 16.0h from previous period), thus carrying over 9.5h to the next month.
- Chris Lamb
did 18.0h (out of 18.0h assigned).
- Daniel Leidert
did 10.0h (out of 10.0h assigned).
- Emilio Pozuelo Monfort
did 10.0h (out of 14.75h assigned and 27.0h from previous period), thus carrying over 31.75h to the next month.
- Guilhem Moulin
did 9.75h (out of 25.0h assigned), thus carrying over 15.25h to the next month.
- Holger Levsen
did 3.5h (out of 12.0h assigned), thus carrying over 8.5h to the next month.
- Markus Koschany
did 40.0h (out of 40.0h assigned).
- Roberto C. Sánchez
did 8.75h (out of 9.5h assigned and 2.5h from previous period), thus carrying over 3.25h to the next month.
- Santiago Ruano Rincón
did 13.5h (out of 8.25h assigned and 7.75h from previous period), thus carrying over 2.5h to the next month.
- Sean Whitton
did 0.5h (out of 0.25h assigned and 5.75h from previous period), thus carrying over 5.5h to the next month.
- Sylvain Beucler
did 9.5h (out of 23.25h assigned and 18.5h from previous period), thus carrying over 32.25h to the next month.
- Thorsten Alteholz
did 14.0h (out of 14.0h assigned).
- Tobias Frost
did 12.0h (out of 10.25h assigned and 1.75h from previous period).
- Utkarsh Gupta
did 8.5h (out of 35.75h assigned), thus carrying over 24.75h to the next month.
Evolution of the situation
In January, we have released 25 DLAs.
A variety of particularly notable packages were updated during January. Among those updates were the Linux kernel (both versions 5.10 and 4.19), mariadb-10.3, openjdk-11, firefox-esr, and thunderbird.
In addition to the many other LTS package updates which were released in January, LTS contributors continued their efforts to make impactful contributions within the wider Debian community.
Like each month, have a look at the work funded by
Freexian's Debian LTS offering.
Debian LTS contributors
In December, 18 contributors have been paid to work on Debian
LTS, their reports are available:
- Abhijith PA
did 7.0h (out of 7.0h assigned and 7.0h from previous period), thus carrying over 7.0h to the next month.
- Adrian Bunk
did 16.0h (out of 26.25h assigned and 8.75h from previous period), thus carrying over 19.0h to the next month.
- Bastien Roucariès
did 16.0h (out of 16.0h assigned and 4.0h from previous period), thus carrying over 4.0h to the next month.
- Ben Hutchings
did 8.0h (out of 7.25h assigned and 16.75h from previous period), thus carrying over 16.0h to the next month.
- Chris Lamb
did 18.0h (out of 18.0h assigned).
- Emilio Pozuelo Monfort
did 8.0h (out of 26.75h assigned and 8.25h from previous period), thus carrying over 27.0h to the next month.
- Guilhem Moulin
did 25.0h (out of 18.0h assigned and 7.0h from previous period).
- Holger Levsen
did 5.5h (out of 5.5h assigned).
- Jochen Sprickerhof
did 0.0h (out of 0h assigned and 10.0h from previous period), thus carrying over 10.0h to the next month.
- Lee Garrett
did 0.0h (out of 25.75h assigned and 9.25h from previous period), thus carrying over 35.0h to the next month.
- Markus Koschany
did 35.0h (out of 35.0h assigned).
- Roberto C. Sánchez
did 9.5h (out of 5.5h assigned and 6.5h from previous period), thus carrying over 2.5h to the next month.
- Santiago Ruano Rincón
did 8.255h (out of 3.26h assigned and 12.745h from previous period), thus carrying over 7.75h to the next month.
- Sean Whitton
did 4.25h (out of 3.25h assigned and 6.75h from previous period), thus carrying over 5.75h to the next month.
- Sylvain Beucler
did 16.5h (out of 21.25h assigned and 13.75h from previous period), thus carrying over 18.5h to the next month.
- Thorsten Alteholz
did 14.0h (out of 14.0h assigned).
- Tobias Frost
did 10.25h (out of 12.0h assigned), thus carrying over 1.75h to the next month.
- Utkarsh Gupta
did 18.75h (out of 11.25h assigned and 13.5h from previous period), thus carrying over 6.0h to the next month.
Evolution of the situation
In December, we have released 29 DLAs.
A particularly notable update in December was prepared by LTS contributor
Santiago Ruano Rincón for the openssh package. The update produced
DLA-3694-1 and included a
fix for the Terrapin Attack (CVE-2023-48795), which was a rather serious flaw in
the SSH protocol itself. The package bluez was the subject of another notable
update by LTS contributor Chris Lamb, which resulted in
DLA-3689-1 to address an
insecure default configuration which allowed attackers to inject keyboard
commands over Bluetooth without first authenticating.
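The Terrapin fix referenced above is the "strict kex" extension OpenSSH adopted for CVE-2023-48795: each side advertises support by adding a pseudo-algorithm name (kex-strict-s-v00@openssh.com for servers, kex-strict-c-v00@openssh.com for clients) to the kex list of its SSH_MSG_KEXINIT, and the protection only takes effect when both peers advertise it. The attack itself needs ChaCha20-Poly1305 or a CBC cipher paired with an Encrypt-then-MAC MAC. The following parser is an added example, not code from the original post or from the Debian openssh update: it decodes a KEXINIT payload (RFC 4253 section 7.1) and reports whether a peer advertises strict kex and offers exploitable algorithm combinations. The two KEXINIT payloads are constructed for the example, with a zero cookie; to check a real host, read the first binary packet after the version exchange and pass its payload to `parse_kexinit`.

```python
import struct

SSH_MSG_KEXINIT = 20
# Pseudo-algorithm names with which OpenSSH's strict-kex extension is advertised
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
# Cipher that the Terrapin prefix-truncation attack exploits on its own;
# CBC ciphers are only exploitable when combined with an *-etm MAC
TERRAPIN_CIPHERS = {"chacha20-poly1305@openssh.com"}
KEXINIT_FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _read_namelist(buf, off):
    """Read one RFC 4251 name-list: uint32 length followed by comma-separated names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    return [s for s in raw.decode("ascii").split(",") if s], off + n


def parse_kexinit(payload):
    """Parse an SSH_MSG_KEXINIT payload into a dict of its ten name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off = 1 + 16  # message type byte followed by the 16-byte random cookie
    msg = {}
    for field in KEXINIT_FIELDS:
        msg[field], off = _read_namelist(payload, off)
    msg["first_kex_packet_follows"] = bool(payload[off])
    off += 1
    struct.unpack_from(">I", payload, off)  # reserved uint32; raises if truncated
    return msg


def assess_terrapin(msg, role="server"):
    """Report strict-kex support and exploitable algorithm offers for one peer."""
    marker = STRICT_KEX_SERVER if role == "server" else STRICT_KEX_CLIENT
    strict = marker in msg["kex"]
    ciphers = msg["enc_c2s"] + msg["enc_s2c"]
    macs = msg["mac_c2s"] + msg["mac_s2c"]
    risky = {c for c in ciphers if c in TERRAPIN_CIPHERS}
    if any(c.endswith("-cbc") for c in ciphers) and any(m.endswith("-etm@openssh.com") for m in macs):
        risky.add("cbc-cipher-with-etm-mac")
    return {
        "strict_kex": strict,
        "risky_algorithms": sorted(risky),
        # No strict kex on this side means the handshake is unprotected whatever the peer does
        "exposed": bool(risky) and not strict,
    }


def build_kexinit(kex, host_key, enc, mac, comp=("none",), lang=()):
    """Serialise a KEXINIT payload; used here only to construct sample input (zero cookie)."""
    def nl(names):
        b = ",".join(names).encode("ascii")
        return struct.pack(">I", len(b)) + b
    return (bytes([SSH_MSG_KEXINIT]) + bytes(16)
            + nl(kex) + nl(host_key) + nl(enc) + nl(enc) + nl(mac) + nl(mac)
            + nl(comp) + nl(comp) + nl(lang) + nl(lang)
            + b"\x00" + bytes(4))


# Constructed samples: a server without strict kex and one that advertises it
COMMON = dict(host_key=["ssh-ed25519"],
              enc=["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-cbc"],
              mac=["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"])
UNPATCHED_SERVER = build_kexinit(kex=["curve25519-sha256", "diffie-hellman-group14-sha256"], **COMMON)
PATCHED_SERVER = build_kexinit(kex=["curve25519-sha256", STRICT_KEX_SERVER], **COMMON)

if __name__ == "__main__":
    for name, payload in (("unpatched", UNPATCHED_SERVER), ("patched", PATCHED_SERVER)):
        print(name, assess_terrapin(parse_kexinit(payload)))
```

The check is deliberately conservative: it looks at what a peer offers, not at what a particular session negotiated, so a server that offers ChaCha20-Poly1305 without strict kex is flagged even if a given client would have picked AES-GCM.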
The LTS team continues its efforts to have a positive impact beyond the
boundaries of LTS. Several contributors worked on packages, preparing LTS
updates, but also preparing patches or full updates which were uploaded to the
unstable, stable, and oldstable distributions, including: Guilhem Moulin's
update of tinyxml (uploads to LTS and unstable and patches submitted to the
security team for stable and oldstable); Guilhem Moulin's update of xerces-c
(uploads to LTS and unstable and patches submitted to the security team for
oldstable); Thorsten Alteholz's update of libde265 (uploads to LTS and stable
and additional patches submitted to the maintainer for stable and oldstable);
Thorsten Alteholz's update of cjson (upload to LTS and patches submitted to the
maintainer for stable and oldstable); and Tobias Frost's update of opendkim
(sponsor maintainer-prepared upload to LTS and additionally prepared updates for
stable and oldstable).
Going beyond Debian and looking to the broader community, LTS contributor
Bastien Roucariès was contacted by SUSE concerning an update he had prepared for
zbar. He was able to assist by coordinating with the former organization of the
original zbar author to secure for SUSE access to information concerning the
exploits. This has enabled another distribution to benefit from the work done in
support of LTS and from the assistance of Bastien in coordinating the access to
information.
Finally, LTS contributor Santiago Ruano Rincón continued work relating to how
updates for packages in statically-linked language ecosystems (e.g., Go, Rust,
and others) are handled. The work is presently focused on more accurately and
reliably identifying which packages are impacted in a given update scenario to
enable notifications to be published so that users will be made aware of these
situations as they occur. As the work continues, it will eventually result in
improvements to Debian infrastructure so that the LTS team and Security team are
able to manage updates of this nature in a more consistent way.
Like each month, have a look at the work funded by
Freexian's Debian LTS offering.
Some notable fixes which were made in LTS during the month of November include the
gnutls28 cryptographic library and the
freerdp2 Remote Desktop Protocol client/server implementation. The gnutls28 update was prepared by LTS contributor Markus Koschany and dealt with a timing attack which could be used to compromise a cryptographic system, while the freerdp2 update was prepared by LTS contributor Tobias Frost and is the result of work spanning 3 months to deal with dozens of vulnerabilities.
In addition to the many ordinary LTS tasks which were completed (CVE triage, patch backports, package updates, etc.), there were several contributions by LTS contributors for the benefit of Debian stable and old-stable releases, as well as for the benefit of upstream projects. LTS contributor Abhijith PA uploaded an update of the puma package to unstable in order to fix a vulnerability in that package, while LTS contributor Thorsten Alteholz sponsored an upload to unstable of libde265 and himself made corresponding uploads of libde265 to Debian stable and old-stable. LTS contributor Bastien Roucariès developed patches for vulnerabilities in zbar and audiofile which were then provided to the respective upstream projects. Updates to packages in Debian stable were made by Markus Koschany to deal with security vulnerabilities and by Chris Lamb to deal with some non-security bugs.
As always, the LTS team strives to provide high quality updates to packages under its direct purview while also rendering assistance to maintainers, the stable security team, and upstream developers whenever practical.
Debian LTS contributors
In November, 18 contributors have been paid to work on Debian
LTS, their reports are available:
- Abhijith PA
did 7.0h (out of 0h assigned and 14.0h from previous period), thus carrying over 7.0h to the next month.
- Adrian Bunk
did 15.0h (out of 14.0h assigned and 9.75h from previous period), thus carrying over 8.75h to the next month.
- Anton Gladky
did 10.0h (out of 9.5h assigned and 5.5h from previous period), thus carrying over 5.0h to the next month.
- Bastien Roucariès
did 16.0h (out of 18.25h assigned and 1.75h from previous period), thus carrying over 4.0h to the next month.
- Ben Hutchings
did 12.0h (out of 16.5h assigned and 12.25h from previous period), thus carrying over 16.75h to the next month.
- Chris Lamb
did 18.0h (out of 17.25h assigned and 0.75h from previous period).
- Emilio Pozuelo Monfort
did 15.5h (out of 23.5h assigned and 0.25h from previous period), thus carrying over 8.25h to the next month.
- Guilhem Moulin
did 13.0h (out of 12.0h assigned and 8.0h from previous period), thus carrying over 7.0h to the next month.
- Lee Garrett
did 14.5h (out of 16.75h assigned and 7.0h from previous period), thus carrying over 9.25h to the next month.
- Markus Koschany
did 30.0h (out of 30.0h assigned).
- Ola Lundqvist
did 6.5h (out of 8.25h assigned and 15.5h from previous period), thus carrying over 17.25h to the next month.
- Roberto C. Sánchez
did 5.5h (out of 12.0h assigned), thus carrying over 6.5h to the next month.
- Santiago Ruano Rincón
did 3.25h (out of 13.62h assigned and 2.375h from previous period), thus carrying over 12.745h to the next month.
- Sean Whitton
did 3.25h (out of 10.0h assigned), thus carrying over 6.75h to the next month.
- Sylvain Beucler
did 10.0h (out of 13.5h assigned and 10.25h from previous period), thus carrying over 13.75h to the next month.
- Thorsten Alteholz
did 14.0h (out of 14.0h assigned).
- Tobias Frost
did 12.0h (out of 12.0h assigned).
- Utkarsh Gupta
did 0.0h (out of 6.0h assigned and 17.75h from previous period), thus carrying over 23.75h to the next month.
Evolution of the situation
In November, we have released 35 DLAs.
Like each month, have a look at the work funded by
Freexian's Debian LTS offering.
Debian LTS contributors
In October, 18 contributors have been paid to work on Debian
LTS, their reports are available:
- Adrian Bunk
did 8.0h (out of 7.75h assigned and 10.0h from previous period), thus carrying over 9.75h to the next month.
- Anton Gladky
did 9.5h (out of 9.5h assigned and 5.5h from previous period), thus carrying over 5.5h to the next month.
- Bastien Roucariès
did 16.0h (out of 16.75h assigned and 1.0h from previous period), thus carrying over 1.75h to the next month.
- Ben Hutchings
did 8.0h (out of 17.75h assigned), thus carrying over 9.75h to the next month.
- Chris Lamb
did 17.0h (out of 17.75h assigned), thus carrying over 0.75h to the next month.
- Emilio Pozuelo Monfort
did 17.5h (out of 17.75h assigned), thus carrying over 0.25h to the next month.
- Guilhem Moulin
did 9.75h (out of 17.75h assigned), thus carrying over 8.0h to the next month.
- Helmut Grohne
did 1.5h (out of 10.0h assigned), thus carrying over 8.5h to the next month.
- Lee Garrett
did 10.75h (out of 17.75h assigned), thus carrying over 7.0h to the next month.
- Markus Koschany
did 30.0h (out of 30.0h assigned).
- Ola Lundqvist
did 4.0h (out of 0h assigned and 19.5h from previous period), thus carrying over 15.5h to the next month.
- Roberto C. Sánchez
did 12.0h (out of 5.0h assigned and 7.0h from previous period).
- Santiago Ruano Rincón
did 13.625h (out of 7.75h assigned and 8.25h from previous period), thus carrying over 2.375h to the next month.
- Sean Whitton
did 13.0h (out of 6.0h assigned and 7.0h from previous period).
- Sylvain Beucler
did 7.5h (out of 11.25h assigned and 6.5h from previous period), thus carrying over 10.25h to the next month.
- Thorsten Alteholz
did 14.0h (out of 14.0h assigned).
- Tobias Frost
did 16.0h (out of 9.25h assigned and 6.75h from previous period).
- Utkarsh Gupta
did 0.0h (out of 0.75h assigned and 17.0h from previous period), thus carrying over 17.75h to the next month.
Evolution of the situation
In October, we have released 49 DLAs.
Of particular note in the month of October, LTS contributor Chris Lamb issued DLA 3627-1 pertaining to Redis, the popular key-value database similar to Memcached, which was vulnerable to an authentication bypass vulnerability. Fixing this vulnerability involved dealing with a race condition that could allow another process an opportunity to establish an otherwise unauthorized connection. LTS contributor Markus Koschany was involved in the mitigation of CVE-2023-44487, which is a protocol-level vulnerability in the HTTP/2 protocol. The impacts within Debian involved multiple packages, across multiple releases, with multiple advisories being released (both DSA for stable and old-stable, and DLA for LTS). Markus reviewed patches and security updates prepared by other Debian developers, investigated reported regressions, provided patches for the aforementioned regressions, and issued several security updates as part of this.
Additionally, as MariaDB 10.3 (the version originally included with Debian buster) passed end-of-life earlier this year, LTS contributor Emilio Pozuelo Monfort has begun investigating the feasibility of backporting MariaDB 10.11. The work is in early stages, with much testing and analysis remaining before a final decision can be made, as this is only one of several potential courses of action concerning MariaDB.
Finally, LTS contributor Lee Garrett has invested considerable effort into the development of the Functional Test Framework (FTF). While so far only an initial version has been published, it already has several features which we intend to begin leveraging for testing of LTS packages. In particular, the FTF supports provisioning multiple VMs for the purpose of performing functional tests of network-facing services (e.g., file services, authentication, etc.). These tests are in addition to the various unit-level tests which are executed at package build time. Development work on FTF will continue, and as it matures and sees wider use within LTS we expect it to improve the quality of the updates we publish.
Like each month, have a look at the work funded by
Freexian's Debian LTS offering.
Debian LTS contributors
In September, 21 contributors have been paid to work on Debian
LTS, their reports are available:
- Abhijith PA
did 10.0h (out of 0h assigned and 14.0h from previous period), thus carrying over 4.0h to the next month.
- Adrian Bunk
did 7.0h (out of 17.0h assigned), thus carrying over 10.0h to the next month.
- Anton Gladky
did 9.5h (out of 7.5h assigned and 7.5h from previous period), thus carrying over 5.5h to the next month.
- Bastien Roucariès
did 16.0h (out of 15.5h assigned and 1.5h from previous period), thus carrying over 1.0h to the next month.
- Ben Hutchings
did 17.0h (out of 17.0h assigned).
- Chris Lamb
did 17.0h (out of 17.0h assigned).
- Emilio Pozuelo Monfort
did 30.0h (out of 30.0h assigned).
- Guilhem Moulin
did 18.25h (out of 18.25h assigned).
- Helmut Grohne
did 10.0h (out of 10.0h assigned).
- Lee Garrett
did 17.0h (out of 16.5h assigned and 0.5h from previous period).
- Markus Koschany
did 40.0h (out of 40.0h assigned).
- Ola Lundqvist
did 4.5h (out of 0h assigned and 24.0h from previous period), thus carrying over 19.5h to the next month.
- Roberto C. Sánchez
did 5.0h (out of 12.0h assigned), thus carrying over 7.0h to the next month.
- Santiago Ruano Rincón
did 7.75h (out of 16.0h assigned), thus carrying over 8.25h to the next month.
- Sean Whitton
did 7.0h (out of 7.0h assigned).
- Sylvain Beucler
did 10.5h (out of 17.0h assigned), thus carrying over 6.5h to the next month.
- Thorsten Alteholz
did 14.0h (out of 14.0h assigned).
- Tobias Frost
did 13.25h (out of 16.0h assigned), thus carrying over 2.75h to the next month.
Evolution of the situation
In September, we have released 44 DLAs.
The month of September was a busy month for the LTS Team.
A notable security issue fixed in September was the high-severity
CVE-2023-4863,
a heap buffer overflow that allowed remote attackers to perform an out-of-bounds
memory write via a crafted WebP file.
This CVE was covered by three DLAs for different packages:
firefox-esr,
libwebp and
thunderbird.
The libwebp backported patch was sent to upstream, who adapted and applied it
to the
0.6.1 branch.
It is also worth noting that LTS contributor Markus Koschany included in his
work updates to packages in Debian Bullseye and Bookworm, which are under the
umbrella of the Security Team:
xrdp,
jetty9 and
mosquitto.
As every month, there was important behind-the-scenes work by the Front Desk
staff, who triaged, analyzed and reviewed dozens of vulnerabilities, to decide
if they warrant a security update.
This is very important work, since we need to trade off the frequency of
updates against the stability of the LTS release.
Like each month, have a look at the work funded by
Freexian's Debian LTS offering.
Debian LTS contributors
In August, 19 contributors have been paid to work on Debian
LTS, their reports are available:
- Abhijith PA
did 0.0h (out of 12.0h assigned and 2.0h from previous period), thus carrying over 14.0h to the next month.
- Adrian Bunk
did 18.5h (out of 18.5h assigned).
- Anton Gladky
did 7.5h (out of 5.0h assigned and 10.0h from previous period), thus carrying over 7.5h to the next month.
- Bastien Roucariès
did 17.0h (out of 15.5h assigned and 3.0h from previous period), thus carrying over 1.5h to the next month.
- Ben Hutchings
did 18.5h (out of 9.0h assigned and 9.5h from previous period).
- Chris Lamb
did 18.0h (out of 18.0h assigned).
- Emilio Pozuelo Monfort
did 18.5h (out of 18.25h assigned and 0.25h from previous period).
- Guilhem Moulin
did 24.0h (out of 22.5h assigned and 1.5h from previous period).
- Jochen Sprickerhof
did 2.5h (out of 8.5h assigned and 10.0h from previous period), thus carrying over 16.0h to the next month.
- Lee Garrett
did 18.0h (out of 9.25h assigned and 9.25h from previous period), thus carrying over 0.5h to the next month.
- Markus Koschany
did 28.5h (out of 28.5h assigned).
- Ola Lundqvist
did 0.0h (out of 0h assigned and 24.0h from previous period), thus carrying over 24.0h to the next month.
- Roberto C. Sánchez
did 18.5h (out of 13.0h assigned and 5.5h from previous period).
- Santiago Ruano Rincón
did 18.5h (out of 18.25h assigned and 0.25h from previous period).
- Sean Whitton
did 7.0h (out of 10.0h assigned), thus carrying over 3.0h to the next month.
- Sylvain Beucler
did 18.5h (out of 9.75h assigned and 8.75h from previous period).
- Thorsten Alteholz
did 14.0h (out of 14.0h assigned).
- Tobias Frost
did 16.0h (out of 16.0h assigned).
- Utkarsh Gupta
did 12.25h (out of 0h assigned and 12.25h from previous period).
Evolution of the situation
In August, we have released 42 DLAs.
The month of August turned out to be a rather quiet month for the LTS team.
Three notable updates were to
bouncycastle,
openssl,
and zabbix.
In the case of bouncycastle a flaw allowed for the possibility of LDAP injection
and the openssl update corrected a resource exhaustion bug that could result in
a denial of service. Zabbix, while not widely used, was affected by several
vulnerabilities which, though not individually severe, together made the
zabbix update one of particular note.
Apart from those, the LTS team continued the always ongoing work of triaging,
investigating, and fixing vulnerabilities, as well as making contributions to
the broader Debian and Free Software communities.
Like each month, have a look at the work funded by
Freexian's Debian LTS offering.
Debian LTS contributors
In July, 18 contributors have been paid to work on
Debian LTS, their reports are available:
- Abhijith PA
did 0.0h (out of 0h assigned and 2.0h from previous period), thus carrying over 2.0h to the next month.
- Adrian Bunk
did 24.75h (out of 18.25h assigned and 6.5h from previous period).
- Anton Gladky
did 5.0h (out of 5.0h assigned and 10.0h from previous period), thus carrying over 10.0h to the next month.
- Bastien Roucariès
did 17.0h (out of 17.0h assigned and 3.0h from previous period), thus carrying over 3.0h to the next month.
- Ben Hutchings
did 14.0h (out of 24.0h assigned), thus carrying over 9.5h to the next month.
- Chris Lamb
did 18.0h (out of 18.0h assigned).
- Emilio Pozuelo Monfort
did 24.0h (out of 24.75h assigned), thus carrying over 0.25h to the next month.
- Guilhem Moulin
did 23.25h (out of 24.75h assigned), thus carrying over 1.5h to the next month.
- Jochen Sprickerhof
did 10.0h (out of 20.0h assigned), thus carrying over 10.0h to the next month.
- Lee Garrett
did 16.0h (out of 9.75h assigned and 15.5h from previous period), thus carrying over 9.25h to the next month.
- Markus Koschany
did 24.75h (out of 24.75h assigned).
- Ola Lundqvist
did 0.0h (out of 13.0h assigned and 11.0h from previous period), thus carrying over 24.0h to the next month.
- Roberto C. Sánchez
did 19.25h (out of 14.75h assigned and 10.0h from previous period), thus carrying over 5.5h to the next month.
- Santiago Ruano Rincón
did 25.5h (out of 10.5h assigned and 15.25h from previous period), thus carrying over 0.25h to the next month.
- Sylvain Beucler
did 16.0h (out of 21.25h assigned and 3.5h from previous period), thus carrying over 8.75h to the next month.
- Thorsten Alteholz
did 14.0h (out of 14.0h assigned).
- Tobias Frost
did 16.0h (out of 16.0h assigned).
- Utkarsh Gupta
did 1.5h (out of 0h assigned and 13.75h from previous period), thus carrying over 12.25h to the next month.
Evolution of the situation
In July, we have released 35 DLAs.
LTS contributor Lee Garrett has continued his hard work to prepare a testing
framework for Samba, which can now provision bootable VMs with little effort,
both for Debian and for Windows.
This work included the introduction of a new package to Debian,
rhsrvany, which
allows turning any Windows program or script into a Windows service. As the
Samba testing framework matures it will be possible to perform functional tests
which cannot be performed with other available test mechanisms and aspects of
this framework will be generalizable to other package ecosystems beyond Samba.
July included a notable security
update of bind9
by LTS contributor Chris Lamb.
This update addressed a potential denial of service attack in this critical
network infrastructure component.
Like each month, have a look at the work funded by
Freexian's Debian LTS offering.
Debian LTS contributors
In June, 17 contributors have been paid to work on Debian
LTS, their reports are available:
- Abhijith PA
did 12.0h (out of 6.0h assigned and 8.0h from previous period), thus carrying over 2.0h to the next month.
- Adrian Bunk
did 28.0h (out of 0h assigned and 34.5h from previous period), thus carrying over 6.5h to the next month.
- Anton Gladky
did 5.0h (out of 6.0h assigned and 9.0h from previous period), thus carrying over 10.0h to the next month.
- Bastien Roucariès
did 17.0h (out of 17.0h assigned and 3.0h from previous period), thus carrying over 3.0h to the next month.
- Ben Hutchings
did 24.0h (out of 16.5h assigned and 7.0h from previous period).
- Chris Lamb
did 18.0h (out of 18.0h assigned).
- Emilio Pozuelo Monfort
did 24.0h (out of 21.0h assigned and 2.5h from previous period).
- Guilhem Moulin
did 20.0h (out of 20.0h assigned).
- Lee Garrett
did 25.0h (out of 0h assigned and 40.5h from previous period), thus carrying over 15.5h to the next month.
- Markus Koschany
did 23.5h (out of 23.5h assigned).
- Ola Lundqvist
did 13.0h (out of 0h assigned and 24.0h from previous period), thus carrying over 11.0h to the next month.
- Roberto C. Sánchez
did 13.5h (out of 9.75h assigned and 13.75h from previous period), thus carrying over 10.0h to the next month.
- Santiago Ruano Rincón
did 8.25h (out of 23.5h assigned), thus carrying over 15.25h to the next month.
- Sylvain Beucler
did 20.0h (out of 23.5h assigned), thus carrying over 3.5h to the next month.
- Thorsten Alteholz
did 14.0h (out of 14.0h assigned).
- Tobias Frost
did 16.0h (out of 16.0h assigned).
- Utkarsh Gupta
did 0.0h (out of 0h assigned and 25.5h from previous period), thus carrying over 25.5h to the next month.
Evolution of the situation
In June, we have released 40 DLAs.
Notable security updates in June included mariadb-10.3, openssl, and golang-go.crypto. The mariadb-10.3 package was synchronized with the latest upstream maintenance release, version 10.3.39. The openssl package was patched to correct several flaws with certificate validation and with object identifier parsing. Finally, the golang-go.crypto package was updated to address several vulnerabilities, and several associated Go packages were rebuilt in order to properly incorporate the update.
LTS contributor Sylvain has been hard at work with some behind-the-scenes improvements to internal tooling and documentation. His efforts are helping to improve the efficiency of all LTS contributors and also helping to improve the quality of their work, making our LTS updates more timely and of higher quality.
LTS contributor Lee Garrett began working on a testing framework specifically for Samba. Given the critical role which Samba plays in many deployments, the tremendous impact which regressions can have in those cases, and the unique testing requirements of Samba, this work will certainly result in increased confidence around our Samba updates for LTS.
LTS contributor Emilio Pozuelo Monfort has begun preparatory work for the upcoming Firefox ESR version 115 release. Firefox ESR (and the related Thunderbird ESR) requires special work to keep up to date in LTS. Mozilla does not release individual patches for CVEs, and our policy is to incorporate new ESR releases from Mozilla into LTS. Most updates are minor updates, but once a year Mozilla releases a major update as they move to a new major version for ESR. The update to a new major ESR version entails many related updates to the toolchain and other packages. The preparations that Emilio has begun will ensure that once the 115 ESR release is made, updated packages will be available in LTS with minimal delay.
Another highlight of behind-the-scenes work is our Front Desk personnel. While we often focus on the work which results in published package updates, much work is also involved in reviewing new vulnerabilities and triaging them (i.e., determining if they affect one or more packages in LTS and then determining the severity of those which are applicable). These intrepid contributors (Emilio Pozuelo Monfort, Markus Koschany, Ola Lundqvist, Sylvain Beucler, and Thorsten Alteholz for the month of June) reviewed dozens of vulnerabilities and made decisions about how those vulnerabilities should be dealt with.
Like each month, have a look at the work funded by Freexian's Debian LTS offering.
Debian LTS contributors
In May, 18 contributors have been paid to work on Debian LTS; their reports are available:
- Abhijith PA
did 6.0h (out of 6.0h assigned and 8.0h from previous period), thus carrying over 8.0h to the next month.
- Anton Gladky
did 6.0h (out of 8.0h assigned and 7.0h from previous period), thus carrying over 9.0h to the next month.
- Bastien Roucariès
did 17.0h (out of 17.0h assigned and 3.0h from previous period), thus carrying over 3.0h to the next month.
- Ben Hutchings
did 17.0h (out of 16.0h assigned and 8.0h from previous period), thus carrying over 7.0h to the next month.
- Chris Lamb
did 18.0h (out of 18.0h assigned).
- Daniel Leidert
did 0.0h (out of 0h assigned and 12.0h from previous period), thus carrying over 12.0h to the next month.
- Dominik George
did 0.0h (out of 0h assigned and 20.34h from previous period), thus carrying over 20.34h to the next month.
- Emilio Pozuelo Monfort
did 32.0h (out of 18.5h assigned and 16.0h from previous period), thus carrying over 2.5h to the next month.
- Guilhem Moulin
did 20.0h (out of 8.5h assigned and 11.5h from previous period).
- Holger Levsen
did 0.0h (out of 0h assigned and 10.0h from previous period), thus carrying over 10.0h to the next month.
- Lee Garrett
did 0.0h (out of 0h assigned and 40.5h from previous period), thus carrying over 40.5h to the next month.
- Markus Koschany
did 34.5h (out of 34.5h assigned).
- Roberto C. Sánchez
did 18.25h (out of 20.5h assigned and 11.5h from previous period), thus carrying over 13.75h to the next month.
- Scarlett Moore
did 20.0h (out of 20.0h assigned).
- Sylvain Beucler
did 34.5h (out of 29.0h assigned and 5.5h from previous period).
- Thorsten Alteholz
did 14.0h (out of 14.0h assigned).
- Tobias Frost
did 16.0h (out of 15.0h assigned and 1.0h from previous period).
- Utkarsh Gupta
did 5.5h (out of 5.0h assigned and 26.0h from previous period), thus carrying over 25.5h to the next month.
Evolution of the situation
In May, we have released 34 DLAs.
Several of the DLAs constituted notable security updates to LTS during the month of May. Of particular note were the linux (4.19) and linux-5.10 packages, both of which addressed a considerable number of CVEs. Additionally, the postgresql-11 package was updated by synchronizing it with the 11.20 release from upstream.
Notable non-security updates were made to the distro-info-data database and the timezone database. The distro-info-data package was updated with the final expected release date of Debian 12, made aware of Debian 14 and Ubuntu 23.10, and was updated with the latest EOL dates for Ubuntu releases. The tzdata and libdatetime-timezone-perl packages were updated with the 2023c timezone database. The changes in these packages ensure that in addition to the latest security updates LTS users also have the latest information concerning Debian and Ubuntu support windows, as well as the latest timezone data for accurate worldwide timekeeping.
LTS contributor Anton implemented an improvement to the Debian Security Tracker "Unfixed vulnerabilities in unstable without a filed bug" view, allowing for more effective management of CVEs which do not yet have a corresponding bug entry in the Debian BTS.
LTS contributor Sylvain concluded an audit of obsolete packages still supported in LTS to ensure that new CVEs are properly associated. In this case, a package being obsolete means that it is no longer associated with a Debian release for which the Debian Security Team has direct responsibility. When this occurs, it is the responsibility of the LTS team to ensure that incoming CVEs are properly associated to packages which exist only in LTS.
Finally, LTS contributors also contributed several updates to packages in unstable/testing/stable to fix CVEs. This helps package maintainers, addresses CVEs in current and future Debian releases, and ensures that the CVEs do not remain open for an extended period of time only for the LTS team to be required to deal with them much later in the future.
Like each month, have a look at the work funded by Freexian's Debian LTS offering.
Debian LTS contributors
In April, 18 contributors have been paid to work on Debian LTS; their reports are available:
- Abhijith PA
did 6.0h (out of 0h assigned and 14.0h from previous period), thus carrying over 8.0h to the next month.
- Adrian Bunk
did 18.0h (out of 16.5h assigned and 24.0h from previous period), thus carrying over 22.5h to the next month.
- Anton Gladky
did 8.0h (out of 9.5h assigned and 5.5h from previous period), thus carrying over 7.0h to the next month.
- Bastien Roucariès
did 17.0h (out of 17.0h assigned and 3.0h from previous period), thus carrying over 3.0h to the next month.
- Ben Hutchings
did 16.0h (out of 12.0h assigned and 12.0h from previous period), thus carrying over 8.0h to the next month.
- Chris Lamb
did 18.0h (out of 18.0h assigned).
- Dominik George
did 0.0h (out of 0h assigned and 20.34h from previous period), thus carrying over 20.34h to the next month.
- Emilio Pozuelo Monfort
did 4.5h (out of 11.0h assigned and 9.5h from previous period), thus carrying over 16.0h to the next month.
- Guilhem Moulin
did 8.5h (out of 8.0h assigned and 12.0h from previous period), thus carrying over 11.5h to the next month.
- Helmut Grohne
did 5.0h (out of 2.5h assigned and 7.5h from previous period), thus carrying over 5.0h to the next month.
- Lee Garrett
did 0.0h (out of 31.5h assigned and 9.0h from previous period), thus carrying over 40.5h to the next month.
- Markus Koschany
did 40.0h (out of 40.0h assigned).
- Ola Lundqvist
did 12.5h (out of 0h assigned and 24.0h from previous period), thus carrying over 11.5h to the next month.
- Roberto C. Sánchez
did 8.5h (out of 4.75h assigned and 15.25h from previous period), thus carrying over 11.5h to the next month.
- Stefano Rivera
did 1.0h (out of 0h assigned and 28.0h from previous period), thus carrying over 27.0h to the next month.
- Sylvain Beucler
did 35.0h (out of 40.5h assigned), thus carrying over 5.5h to the next month.
- Thorsten Alteholz
did 14.0h (out of 14.0h assigned).
- Tobias Frost
did 15.0h (out of 15.0h assigned and 1.0h from previous period), thus carrying over 1.0h to the next month.
- Utkarsh Gupta
did 3.5h (out of 11.0h assigned and 18.5h from previous period), thus carrying over 26.0h to the next month.
Evolution of the situation
In April, we have released 35 DLAs.
The LTS team would like to welcome our newest sponsor, Institut Camille Jordan, a French research lab. Thanks to the support of the many LTS sponsors, the entire Debian community benefits from direct security updates, as well as indirect improvements and collaboration with other members of the Debian community.
As part of improving the efficiency of our work and the quality of the security updates we produce, the LTS team has continued improving its workflow. Improvements include more consistent tagging of release versions in Git and broader use of continuous integration (CI) to ensure packages are tested thoroughly and consistently. Sponsors and users can rest assured that we work continuously to maintain and improve the already high quality of the work that we do.
Like each month, have a look at the work funded by Freexian's Debian LTS offering.
Debian LTS contributors
In February, 15 contributors have been paid to work on Debian LTS; their reports are available:
- Adrian Bunk
did 22.0h (out of 32.25h assigned), thus carrying over 10.25h to the next month.
- Anton Gladky
did 9.75h (out of 11.5h assigned and 3.5h from previous period), thus carrying over 5.25h to the next month.
- Ben Hutchings
did 8.0h (out of 8.0h assigned and 16.0h from previous period), thus carrying over 16.0h to the next month.
- Chris Lamb
did 18.0h (out of 18.0h assigned).
- Emilio Pozuelo Monfort
did 26.25h (out of 0h assigned and 35.0h from previous period), thus carrying over 8.75h to the next month.
- Guilhem Moulin
did 20.0h (out of 20.0h assigned).
- Helmut Grohne
did 5.0h (out of 5.0h assigned and 5.0h from previous period), thus carrying over 5.0h to the next month.
- Lee Garrett
did 26.75h (out of 19.75h assigned and 12.5h from previous period), thus carrying over 5.5h to the next month.
- Markus Koschany
did 32.25h (out of 32.25h assigned).
- Ola Lundqvist
did 11.5h (out of 12.5h assigned and 11.5h from previous period), thus carrying over 12.5h to the next month.
- Roberto C. Sánchez
did 5.0h (out of 9.5h assigned and 22.5h from previous period), thus carrying over 27.0h to the next month.
- Sylvain Beucler
did 32.0h (out of 17.25h assigned and 15.0h from previous period), thus carrying over 0.25h to the next month.
- Thorsten Alteholz
did 8.0h (out of 14.0h assigned), thus carrying over 6.0h to the next month.
- Tobias Frost
did 16.0h (out of 16.0h assigned).
- Utkarsh Gupta
did 24.25h (out of 49.25h assigned), thus carrying over 8.0h to the next month.
Evolution of the situation
In February, we have released 44 DLAs, which resolved 156 CVEs.
We are glad to welcome some new contributors who will hopefully help us fix CVEs in the supported release even faster.
However, we also experienced some setbacks as a few sponsors have stopped (or decreased) their support. If your company ever hesitated to sponsor Debian LTS, now might be a good time to join to ensure that we can continue this important work without having to scale down on the number of packages that we are able to support.
Like each month, have a look at the work funded by Freexian's Debian LTS offering.
This is the first monthly report in 2023.
Debian LTS contributors
In January, 17 contributors have been paid to work on Debian LTS, which is possibly the highest number of active contributors per month! Their reports are available:
- Abhijith PA
did 0.0h (out of 3.0h assigned and 11.0h from previous period), thus carrying over 14.0h to the next month.
- Adrian Bunk
did 26.25h (out of 26.25h assigned).
- Anton Gladky
did 11.5h (out of 8.0h assigned and 7.0h from previous period), thus carrying over 3.5h to the next month.
- Ben Hutchings
did 8.0h (out of 24.0h assigned), thus carrying over 16.0h to the next month.
- Chris Lamb
did 18.0h (out of 18.0h assigned).
- Emilio Pozuelo Monfort
did 8.0h (out of 0h assigned and 43.0h from previous period), thus carrying over 35.0h to the next month.
- Guilhem Moulin
did 20.0h (out of 17.5h assigned and 2.5h from previous period).
- Helmut Grohne
did 10.0h (out of 15.0h assigned), thus carrying over 5.0h to the next month.
- Lee Garrett
did 7.5h (out of 20.0h assigned), thus carrying over 12.5h to the next month.
- Markus Koschany
did 26.25h (out of 26.25h assigned).
- Ola Lundqvist
did 4.5h (out of 10.0h assigned and 6.0h from previous period), thus carrying over 11.5h to the next month.
- Roberto C. Sánchez
did 3.75h (out of 18.75h assigned and 7.5h from previous period), thus carrying over 22.5h to the next month.
- Stefano Rivera
did 4.5h (out of 0h assigned and 32.5h from previous period), thus carrying over 28.0h to the next month.
- Sylvain Beucler
did 23.5h (out of 0h assigned and 38.5h from previous period), thus carrying over 15.0h to the next month.
- Thorsten Alteholz
did 14.0h (out of 10.0h assigned and 4.0h from previous period).
- Tobias Frost
did 19.0h (out of 19.0h assigned).
- Utkarsh Gupta
did 43.25h (out of 26.25h assigned and 17.0h from previous period).
Evolution of the situation
Furthermore, we released 46 DLAs in January, which resolved 146 CVEs. We are working diligently to reduce the number of packages listed in dla-needed.txt, and currently we have 55 packages listed.
We are constantly growing and seeking new contributors. If you are a Debian Developer and want to join the LTS team, please contact us.
Like each month, have a look at the work funded by Freexian's Debian LTS offering.
Debian LTS contributors
In December, 17 contributors have been paid to work on Debian LTS; their reports are available:
- Abhijith PA
did 3.0h (out of 0h assigned and 14.0h from previous period), thus carrying over 11.0h to the next month.
- Anton Gladky
did 8.0h (out of 6.0h assigned and 9.0h from previous period), thus carrying over 7.0h to the next month.
- Ben Hutchings
did 24.0h (out of 9.0h assigned and 15.0h from previous period).
- Chris Lamb
did 18.0h (out of 18.0h assigned).
- Dominik George
did 0.0h (out of 10.0h assigned and 14.0h from previous period), thus carrying over 24.0h to the next month.
- Emilio Pozuelo Monfort
did 8.0h in December, 8.0h in November (out of 1.5h assigned and 49.5h from previous period), thus carrying over 43.0h to the next month.
- Enrico Zini
did 0.0h (out of 0h assigned and 8.0h from previous period), thus carrying over 8.0h to the next month.
- Guilhem Moulin
did 17.5h (out of 20.0h assigned), thus carrying over 2.5h to the next month.
- Helmut Grohne
did 15.0h (out of 15.0h assigned, 2.5h were taken from the extra-budget and worked on).
- Markus Koschany
did 40.0h (out of 40.0h assigned).
- Ola Lundqvist
did 10.0h (out of 7.5h assigned and 8.5h from previous period), thus carrying over 6.0h to the next month.
- Roberto C. Sánchez
did 24.5h (out of 20.25h assigned and 11.75h from previous period), thus carrying over 7.5h to the next month.
- Stefano Rivera
did 2.5h (out of 20.5h assigned and 14.5h from previous period), thus carrying over 32.5h to the next month.
- Sylvain Beucler
did 20.5h (out of 37.0h assigned and 22.0h from previous period), thus carrying over 38.5h to the next month.
- Thorsten Alteholz
did 10.0h (out of 14.0h assigned), thus carrying over 4.0h to the next month.
- Tobias Frost
did 16.0h (out of 16.0h assigned).
- Utkarsh Gupta
did 51.5h (out of 42.5h assigned and 9.0h from previous period).
Evolution of the situation
In December, we have released 47 DLAs, closing 232 CVEs.
In the same year, in total we released 394 DLAs, closing 1450 CVEs.
We are constantly growing and seeking new contributors. If you are a Debian Developer and want to join the LTS team, please contact us.
Like each month, have a look at the work funded by Freexian's Debian LTS offering.
Debian LTS contributors
In November, 15 contributors have been paid to work on Debian LTS; their reports are available:
- Abhijith PA
did 0.0h (out of 14.0h assigned), thus carrying over 14.0h to the next month.
- Anton Gladky
did 6.0h (out of 15.0h assigned), thus carrying over 9.0h to the next month.
- Ben Hutchings
did 9.0h (out of 24.0h assigned), thus carrying over 15.0h to the next month.
- Chris Lamb
did 18.0h (out of 18.0h assigned).
- Dominik George
did 10.0h (out of 0h assigned and 24.0h from previous period), thus carrying over 14.0h to the next month.
- Emilio Pozuelo Monfort
did 0.0h (out of 38.0h assigned and 19.5h from previous period), thus carrying over 57.5h to the next month.
- Enrico Zini
did 0.0h (out of 0h assigned and 8.0h from previous period), thus carrying over 8.0h to the next month.
- Helmut Grohne
did 17.5h (out of 20.0h assigned).
- Markus Koschany
did 40.0h (out of 40.0h assigned).
- Ola Lundqvist
did 7.5h (out of 11.0h assigned and 5.0h from previous period), thus carrying over 8.5h to the next month.
- Roberto C. Sánchez
did 20.25h (out of 0.75h assigned and 31.25h from previous period), thus carrying over 11.75h to the next month.
- Stefano Rivera
did 2.5h (out of 0h assigned and 17.0h from previous period), thus carrying over 14.5h to the next month.
- Sylvain Beucler
did 35.5h (out of 23.0h assigned and 34.5h from previous period), thus carrying over 22.0h to the next month.
- Thorsten Alteholz
did 14.0h (out of 14.0h assigned).
- Utkarsh Gupta
did 41.0h (out of 32.5h assigned and 25.0h from previous period), thus carrying over 16.5h to the next month.
Evolution of the situation
In November, we released 43 DLAs, fixing 183 CVEs.
We currently have 63 packages in dla-needed.txt that are waiting for updates, which is 19 fewer than the previous month.
We're excited to announce that two Debian Developers, Tobias Frost and Guilhem Moulin, have completed the on-boarding process and will begin contributing to LTS as of December 2022. Welcome aboard!
What happened in the Reproducible Builds effort between Sunday October 9 and Saturday October 15 2016:
Media coverage
- despinosa wrote a blog post on Vala and reproducibility
- h01ger and lynxis gave a talk called "From Reproducible Debian builds to Reproducible OpenWrt, LEDE" (video, slides) at the OpenWrt Summit 2016 held in Berlin, together with ELCE, held by the Linux Foundation.
- A discussion on debian-devel@ resulted in a nice quotable comment from Paul Wise: "(Reproducible) builds from source (with continuous rechecking) is the only way to have enough confidence that a Debian user has the freedoms promised to them by the Debian social contract."
- Chris Lamb will present a talk at Software Freedom Kosovo on reproducible builds on Saturday 22nd October.
Documentation update
After discussions with HW42, Steven Chamberlain, Vagrant Cascadian, Daniel Shahaf, Christopher Berg, Daniel Kahn Gillmor and others, Ximin Luo has started writing up more concrete and detailed design plans for setting SOURCE_ROOT_DIR for reproducible debugging symbols, buildinfo security semantics and buildinfo security infrastructure.
Toolchain development and fixes
Dmitry Shachnev noted that our patch for #831779 has been temporarily rejected by docutils upstream; we are trying to persuade them again.
Tony Mancill uploaded javatools/0.59 to unstable containing an original patch by Chris Lamb. This fixed an issue where documentation Recommends: substvars would not be reproducible.
Ximin Luo filed bug 77985 to GCC as a prerequisite for future patches to make debugging symbols reproducible.
Packages reviewed and fixed, and bugs filed
The following updated packages have become reproducible - in our current test setup - after being fixed:
The following updated packages appear to be reproducible now, for reasons we were not able to figure out. (Relevant changelogs did not mention reproducible builds.)
- aodh/3.0.0-2 by Thomas Goirand.
- eog-plugins/3.16.5-1 by Michael Biebl.
- flam3/3.0.1-5 by Daniele Adriana Goulart Lopes.
- hyphy/2.2.7+dfsg-1 by Andreas Tille.
- libbson/1.4.1-1 by A. Jesse Jiryu Davis.
- libmongoc/1.4.1-1 by A. Jesse Jiryu Davis.
- lxc/1:2.0.5-1 by Evgeni Golov.
- spice-gtk/0.33-1 by Liang Guo.
- spice-vdagent/0.17.0-1 by Liang Guo.
- tnef/1.4.12-1 by Kevin Coyner.
Some uploads have addressed some reproducibility issues, but not all of them:
Some uploads have addressed nearly all reproducibility issues, except for build path issues:
Patches submitted that have not made their way to the archive yet:
Reviews of unreproducible packages
101 package reviews have been added, 49 have been updated and 4 have been removed in this week, adding to our knowledge about identified issues.
3 issue types have been updated:
Weekly QA work
During reproducibility testing, some FTBFS bugs have been detected and reported by:
- Anders Kaseorg (1)
- Chris Lamb (18)
tests.reproducible-builds.org
Debian:
- h01ger has turned off the "Scheduled in testing+unstable+experimental" regular IRC notifications and turned them into emails to those running jenkins.d.n.
- Re-add opi2a armhf node and 3 new builder jobs for a total of 60 build jobs for armhf. (h01ger and vagrant)
- vagrant suggested adding a variation of init systems affecting the build, and h01ger added it to the TODO list.
- Steven Chamberlain submitted a patch so that now all buildinfo files are collected (unsigned yet) at submit@buildinfo.kfreebsd.eu.
- Holger enabled CPU type variation (Intel Haswell or AMD Opteron 62xx) for i386. Thanks to Profitbricks.com for their great and continued support!
Openwrt/LEDE/NetBSD/coreboot/Fedora/archlinux:
- Increase memory on the 2 build nodes from 12 to 16 GB, thanks to profitbricks.com
Misc.
We are running a poll to find a good time for an IRC meeting.
This week's edition was written by Ximin Luo, Holger Levsen & Chris Lamb and reviewed by a bunch of Reproducible Builds folks on IRC.
This month I've worked on the following things for Debian:
To begin with, I've set up a Debhelper sequencer script for dh-buildinfo; this add-on can now be used with dh $@ --with buildinfo in debian/rules instead of having to explicitly call it somewhere in an override.
Debops
I've set up initial Debian packages of Debops, a collection of finely crafted Ansible roles and playbooks especially for Debian servers, shipped with a couple of convenience and wrapper scripts in Python. There are two binary packages, one for the toolset (debops), and the other for the playbooks and roles of the project (debops-playbooks).
The application is easy to use: just initialize a new project with debops-init foo and add your server(s) to foo/ansible/inventory/hosts, belonging to groups representing the services and things you want to employ on them. For example, the group [debops_gitlab] automatically installs a complete running Gitlab setup on one or a multitude of servers in the same run with the debops command. Use other groups like [debops_mariadb_server] accordingly in the same host inventory. Ansible runs agentless, so freshly set up servers need no special preparation before you can use the tool on them ad hoc (like on localhost). The list of things you could deploy with Debops is quite amazing, and you've got dozens of services at hand.
The new packages are currently in experimental because they need some more fine tuning; for example, there are a couple of minor error messages which currently occur when using it, but it works well. The (early-stage) documentation unfortunately couldn't be packaged because of the scattered, or rather collective, nature of the project (all parts have their own Github repositories), and also how to generate the upstream tarball remains a bit of a challenge (currently, it's the outcome of debops-init). I'll have this package in unstable soon. More info on Debops is coming up, then.
Hashicorp's Packer
I'm very glad to announce that Packer is now available in unstable, and the two-year-old RFP bug could finally be closed. It's another great and very convenient devops tool which does a lot of different things in an automated fashion using only a single "one-argument" CLI tool in combination with a couple of lines in a configuration script (thanks to Yaroslav Halchenko for the tip).
Packer helps create machine images for different platforms. This is like when you use e.g. Debian installations in a Qemu box for testing or development purposes. Instead of setting up a new virtual machine manually, the same way as installing Debian on another computer, this process can be automated with Packer, as I've written about in this blog entry here. You just need a template containing instructions for the included Qemu builder and a preseeding script for the Debian installer, and there you go drinking your coffee while Packer does all the work for you: downloading the installation ISO image, creating the new virtual hard drive, booting the emulator, and running the whole installation process automatically (answering questions, selecting things, rebooting without the ISO image to complete the installation, etc.). A couple of minutes and you have a new pre-baked virtual machine image like from a vending machine, a fresh one every time you need it.
Packer supports a number of builders for different target platforms (desktop virtualization solutions as much as public cloud providers and private cloud software), can build in parallel, and also the full range of common provisioners can be employed in the process to equip the newly installed OSs. Vagrant boxes can be generated by one of the included postprocessors. I'll write more on Packer here on this blog, soon.
There were more than two dozen packages missing to complete Packer; getting them in is the achievement of combined forces within the pkg-go group. Many thanks especially to Alexandre Viau, who worked on most of the needed new packages. Thanks also to the FTP masters, who were always very quick in reviewing the Go packages, so that the dependent new ones could be built and packaged consecutively.
Squirrel3
I didn't do most of the work on this and just sponsored it for Fabian Wolff, but I want to highlight here that there's a new package of Squirrel now available in Debian. Squirrel is a lightweight scripting language, somewhat comparable to Lua. It's fully object-oriented and highly embeddable; it's used under the hood in a lot of commercial computer games for implementing intelligence for bots, among other things, but also for the Internet of Things (it's embedded in hardware from Electric Imp). Squirrel functions can be called from C++. I had filed an ITP bug for Squirrel already in 2011 (#651195), but something else always got in the way, and it ended up being an RFP. I'm really glad that it got picked up and completed.
misc
There were a couple of uploads of updated upstream tarballs and for fixing bugs, namely afl/2.10b-1 and 2.11b-1, python-afl/0.5.3-1, pyutilib/5.3.2-1, pyomo/4.3.11327-1, libvigraimpex/1.10.0+git20160211.167be93dfsg-2 (fix of #820429, thanks to Tobias Frost), and gamera/3.4.2+svn1454-1.
For the pkg-go group, I've set up a new package of github-mitchellh-ioprogress (which is needed by the official DigitalOcean CLI tool doctl, now RFP #807956 instead of ITP due to the lack of time, again facing a lot of missing packages), and provided a little patch for dh-make-golang updating some standards.
For Packer I've also updated azure-go-autorest and azure-sdk as team uploads (#821938, #821832), but it turned out that the project, which is currently under heavy development towards a new official release, broke a lot in the past weeks (and no Git branching has been used), so that Packer as a matter of fact needed a vendored snapshot, although there have been only a couple of commits in between. Docker-registry had the same problem with the new package of azure-sdk/2.1.1~beta1, so that it needed to be fixed, too (#822146). By the way, the tool ratt comes in very handy for automatically test-building all reverse dependencies, not only for Go packages (thanks to Tianon Gravi for the tip).
Finally, I've posted the needed reverse dependencies as RFP bugs for Terraform (again quite a lot), Vuls, and cve-dictionary, which is needed for Vuls. I'll let them rest a while waiting to get picked up before working through any of them myself.
This month I've worked on these things for Debian:
To begin with, I've set up a Debhelper sequencer script for dh-buildinfo; this add-on can now be used with dh $@ --with buildinfo in debian/rules instead of having to explicitly call it somewhere in an override.
Debops
I've set up initial Debian packages of Debops, a collection of finely crafted Ansible roles and playbooks especially for Debian servers (servers which run on Debian), which are shipped with a couple of helper and wrapper scripts in Python. There are two binary packages, one for the toolset (debops), and the other for the playbooks and roles of the project (debops-playbooks).
The application is easy to use: just initialize a new project with debops-init foo and add your server(s) to foo/ansible/inventory/hosts, belonging to groups representing the services and things you want to employ on them. For example, the group [debops_gitlab] automatically installs a complete running Gitlab setup on one or a multitude of servers in the same run with the debops command. Other groups like [debops_mariadb_server] can be used accordingly in the same host inventory. Ansible works without an agent, so freshly set up servers need no special preparation before you can use the tool on them ad hoc (like on localhost). The list of things you could deploy with Debops is quite amazing, and dozens of services are at hand.
The new Debian packages are currently in experimental because they need some more fine tuning; e.g. there are a couple of minor error messages which currently occur when using it, but it works well. The (early-stage) documentation unfortunately couldn't be packaged because of the scattered, or rather collective, nature of the project (all parts have their own Github repositories), and also how to generate the upstream tarball remains a bit of a challenge (currently, it's the outcome of debops-init). I'll have this package in unstable soon. More info on Debops is coming up, then.
HashiCorp's Packer
I'm very glad to announce that Packer is now available in unstable, and the RFP bug could finally be closed after I took it over. It's another great and very convenient devops tool which does a lot of different things in an automated fashion using only a single "one-argument" CLI tool in combination with a couple of lines in a configuration script (thanks to Yaroslav Halchenko for the tip).
Packer helps create machine images for different platforms. This is like when you use e.g. Debian installations in a Qemu box for testing or development purposes. Instead of setting up a new virtual machine manually, the same way as installing Debian on another computer, this process can be completely automated with Packer, as I've written about in this blog entry here. You just need a template which contains instructions for the included Qemu builder and a preseeding script for the Debian installer, and there you go drinking your coffee while Packer does all the work: download the ISO image for installation, create the new virtual hard drive, boot the emulator, run the whole installation process automatically (answering questions, selecting things, rebooting without the ISO image to complete the installation, etc.). A couple of minutes and you have a new pre-baked virtual machine image like from a vending machine, and another fresh one can be created anytime.
Packer supports a number of builders for different target platforms (desktop virtualization solutions as much as public cloud providers and private cloud software), can build in parallel, and also the full range of common provisioners can be employed in the process to equip the newly installed OSs with services and programs. Vagrant boxes can be generated by one of the included postprocessors. I'll write more on Packer here on this blog, soon.
There were more than two dozen packages missing to complete Packer; getting them in is the achievement of combined forces within the pkg-go group. Many thanks especially to Alexandre Viau, who worked on most of the needed new packages. Thanks also to the FTP masters, who were always very quick in reviewing the Go packages, so that the dependent new ones could be built and packaged consecutively.
Squirrel3
I didn't do the major work on that and just sponsored it for Fabian Wolff, but want
to highlight here that there's a new package of Squirrel now available in
Debian.
Squirrel is a lightweight scripting language, somewhat comparable to Lua. It's
fully object-oriented and highly embeddable; it's used in a lot of commercial computer
games under the hood for implementing intelligence for bots, next to other things,
but also for the Internet of Things (it's embedded in hardware from Electric Imp).
Squirrel functions can be called from C++.
I've filed an ITP bug for Squirrel already in 2011 (#651195), but always something else
had a higher priority, and it ended up being an RFP. I'm really glad that it got picked up
and completed quickly afterwards.
misc
There were a couple of uploads on updated upstream tarballs and for fixing bugs,
namely afl/2.10b-1 and 2.11b-1,
python-afl/0.5.3-1, pyutilib/5.3.2-1, pyomo/4.3.11327-1,
libvigraimpex/1.10.0+git20160211.167be93dfsg-2 (fix of #820429, thanks to Tobias Frost),
and gamera/3.4.2+svn1454-1.
For the pkg-go group, I've set up a new package of github-mitchellh-ioprogress (which is
needed by the official DigitalOcean CLI tool doctl, now RFP #807956 instead of ITP
due to the lack of time; again a lot of packages are missing for that),
and provided a little patch for dh-make-golang updating some standards.
For Packer I've also updated azure-go-autorest and azure-sdk as team uploads (#821938, #821832),
but it turned out that the project, which is currently under heavy development towards
a new official release, broke a lot in the past weeks (no Git branching has been used),
so that Packer as a matter of fact needed a vendored snapshot, although there had been only
a couple of commits in between.
Docker-registry has the same problem with the new package of azure-sdk/2.1.1~beta1, so that it
needed to be fixed, too (#822146).
By the way, the tool ratt comes in very handy for automatically test-building all
reverse dependencies, not only for Go packages (thanks to Tianon Gravi for the tip).
Finally, I've posted the needed reverse dependencies as RFP bugs for Terraform
(again quite a lot), Vuls, and cve-dictionary, which is needed for Vuls.
I'll let them rest a while, waiting for them to get picked up, before working anything down.