Here's my (thirty-ninth) monthly but brief update about the activities I've done in the F/L/OSS world.
Debian
This was my 48th month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
There's a bunch of things I do, both, technical and non-technical. Here are the things I did this month:
Some DebConf work.
Sponsoring stuff for non-DDs.
Mentoring for newcomers.
Moderation of -project mailing list.
Ubuntu
This was my 23rd month of actively contributing to Ubuntu.
Now that I joined Canonical to work on Ubuntu full-time, there's a bunch of things I do! \o/
I mostly worked on different things, I guess.
I was too lazy to maintain a list of things I worked on so there's
no concrete list atm. Maybe I'll get back to this section later or
will start to list stuff from the fall, as I was doing before. :D
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the stretch and jessie release (+2 years after LTS support).
This was my thirty-ninth month as a Debian LTS and thirtieth month as a Debian ELTS paid contributor.
I worked for 51.50 hours for LTS and 22.50 hours for ELTS.
LTS CVE Fixes and Announcements:
Issued DLA 3224-1, fixing CVE-2020-8287, for http-parser.
For Debian 10 buster, these problems have been fixed in version 2.8.1-1+deb10u3.
Issued DLA 3225-1, fixing CVE-2022-46391, for awstats.
For Debian 10 buster, these problems have been fixed in version 7.6+dfsg-2+deb10u2.
Helped facilitate Erlang's and RabbitMQ's update; cf: ELA 754-1.
Looked through python3.4's FTBFS on armhf. Even diff'd with Ubuntu. No luck. Inspected the traces, doesn't give a lot of hint either. Will continue to look later next month or so but it's a rabbit hole. (:
Inspected joblib's security update upon Helmut's investigation and see what went wrong there.
Started to look at other set of packages: dropbear, tiff, et al.
Utkarsh Gupta did 41.0h (out of 32.5h assigned and 25.0h from previous period), thus carrying over 16.5h to the next month.
Evolution of the situation
In November, we released 43 DLAs, fixing 183 CVEs.
We currently have 63 packages in dla-needed.txt that are waiting for updates, which is 19 fewer than the previous month.
We're excited to announce that two Debian Developers, Tobias Frost
and Guilhem Moulin, have completed the on-boarding process
and will begin contributing to LTS as of December 2022. Welcome aboard!
Thanks to our sponsors
Sponsors that joined recently are in bold.
Here's my (thirty-eighth) monthly but brief update about the activities I've done in the F/L/OSS world.
Debian
This was my 47th month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
There's a bunch of things I do, both, technical and non-technical. Here are the things I did this month:
Ubuntu
This was my 22nd month of actively contributing to Ubuntu.
Now that I joined Canonical to work on Ubuntu full-time, there's a bunch of things I do! \o/
I mostly worked on different things, I guess.
I was too lazy to maintain a list of things I worked on so there's
no concrete list atm. Maybe I'll get back to this section later or
will start to list stuff from the fall, as I was doing before. :D
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the stretch and jessie release (+2 years after LTS support).
This was my thirty-eighth month as a Debian LTS and twenty-ninth month as a Debian ELTS paid contributor.
I worked for 41.00 hours for LTS and 30.25 hours for ELTS.
LTS CVE Fixes and Announcements:
Issued DLA 3187-1, fixing CVE-2021-36369, for dropbear.
For Debian 10 buster, these problems have been fixed in version 2018.76-5+deb10u2.
Issued DLA 3189-1 for a minor LTS version update of postgresql-11.
For Debian 10 buster, the package has been updated to version 11.18-0+deb10u1.
Issued DLA 3215-1, fixing CVE-2022-3328, for snapd.
For Debian 10 buster, these problems have been fixed in version 2.37.4-1+deb10u2.
Issued DLA 3216-1, fixing CVE-2022-41325, for vlc.
For Debian 10 buster, these problems have been fixed in version 3.0.17.4-0+deb10u2.
Issued DLA 3217-1, fixing CVE-2022-46338, for g810-led.
For Debian 10 buster, these problems have been fixed in version 0.3.3-2+deb10u1.
Issued DLA 3218-1, fixing CVE-2022-41946, for libpgjava.
For Debian 10 buster, these problems have been fixed in version 42.2.5-2+deb10u3.
Issued DLA 3220-1 for a new upstream version update of clamav.
For Debian 10 buster, the package has been updated to version 0.103.7+dfsg-0+deb10u1.
Started to look at other set of packages.
ELTS CVE Fixes and Announcements:
Issued ELA 731-1, fixing CVE-2022-39377, for sysstat.
For Debian 9 stretch, these problems have been fixed in version 11.4.3-2+deb9u1.
For Debian 8 jessie, these problems have been fixed in version 11.0.1-1+deb8u1.
Issued ELA 749-1, fixing CVE-2022-41325, for vlc.
For Debian 9 stretch, these problems have been fixed in version 3.0.17.4-0+deb9u2.
Issued ELA 750-1 for a new upstream version update of clamav.
For Debian 9 stretch, the package has been updated to version 0.103.7+dfsg-0+deb9u1.
For Debian 8 jessie, the package has been updated to version 0.103.7+dfsg-0+deb8u1.
Started to look at other set of packages.
Other (E)LTS Work:
Front desk duty from 21-11 until 27-11 for both, LTS and ELTS.
Utkarsh Gupta did 35.0h (out of 38.0h assigned and 22.0h from previous period), thus carrying over 25.0h to the next month.
Evolution of the situation
In October, we have released 42 DLAs, closing 106 CVEs.
At the moment we have 82 packages in dla-needed.txt, waiting for update.
We are continuously working on updating our infrastructure, trying to document all of our changes in the git-repo. Most of packages there are having continuous integration (CI) pipelines.
Thanks to our sponsors
Sponsors that joined recently are in bold.
Here's my (thirty-seventh) monthly but brief update about the activities I've done in the F/L/OSS world.
Debian
This was my 46th month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
There's a bunch of things I do, both, technical and non-technical. Here are the things I did this month:
Debian Uploads
ruby-espeak (1.1.0-1) - New upstream version, v1.1.0.
Ubuntu
This was my 21st month of actively contributing to Ubuntu.
Now that I joined Canonical to work on Ubuntu full-time, there's a bunch of things I do! \o/
I mostly worked on different things, I guess.
I was too lazy to maintain a list of things I worked on so there's
no concrete list atm. Maybe I'll get back to this section later or
will start to list stuff from the fall, as I was doing before. :D
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my thirty-seventh month as a Debian LTS and twenty-eighth month as a Debian ELTS paid contributor.
I worked for 35.00 hours for LTS and 25.00 hours for ELTS.
Uploaded dropbear to fix CVE-2021-36369 in buster. Waiting for ELTS upload to issue the DLA. But will do soon now.
src:joblib is a bit painful - having to backport patches to Py2. :/
Started to look at other set of packages.
ELTS CVE Fixes and Announcements:
Issued ELA 715-1, fixing CVE-2022-43680, for expat.
For Debian 9 stretch, these problems have been fixed in version 2.2.0-2+deb9u7.
For Debian 8 jessie, these problems have been fixed in version 2.1.0-6+deb8u10.
Here's my (thirty-sixth) monthly but brief update about the activities I've done in the F/L/OSS world.
Debian
This was my 45th month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
There's a bunch of things I do, both, technical and non-technical. Here are the things I did this month:
Debian Uploads
rails (2:6.1.6.1+dfsg-2) - Add patch to allow Symbols in YAML columns, fixes #1018934.
rails (2:6.1.6.1+dfsg-3) - Add patch to remove active_record.yaml initializers.
rails (2:6.1.6.1+dfsg-4) - Add patch to allow Date, Time, ActiveSupport::HashWithIndifferentAccess in YAML columns.
ruby-arbre (1.4.0-2) - Add patch to use selector to detect authenticity token input.
Ubuntu
This was my 20th month of actively contributing to Ubuntu.
Now that I joined Canonical to work on Ubuntu full-time, there's a bunch of things I do! \o/
I mostly worked on different things, I guess.
I was too lazy to maintain a list of things I worked on so there's
no concrete list atm. Maybe I'll get back to this section later or
will start to list stuff from the fall, as I was doing before. :D
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my thirty-sixth month as a Debian LTS and twenty-seventh month as a Debian ELTS paid contributor.
I worked for 38.00 hours for LTS and 27.00 hours for ELTS.
Looked at src:mbedtls which has about 18 CVEs opened in buster (including no-dsa).
Also, spoke to the maintainer - they said they'd be uncomfortable doing or reviewing the backport (although they initially said they'd be happy to help).
Fixed src:rails regression via 2:6.1.6.1+dfsg-2, 2:6.1.6.1+dfsg-3, and 2:6.1.6.1+dfsg-4 for sid.
CVE-2022-32224 broke the entire world. :)
Helped Abhijith figure out the regression fix for CVE-2022-32224.
Also got that verified by the people who reported regression, Raphael, Sven, and Jude. The whole thread is on debian-lts@.
ELTS CVE Fixes and Announcements:
Rolled out announcement for src:ruby-tzinfo.
Rolled out announcement for src:grubt.
Issued ELA 682-1, fixing CVE-2022-31676, for open-vm-tools.
For Debian 9 stretch, these problems have been fixed in version 2:10.1.5-5055683-4+deb9u3.
Issued ELA 691-1, fixing CVE-2020-21365, for wkhtmltopdf.
For Debian 8 jessie, these problems have been fixed in version 0.12.1-2+deb8u1.
For Debian 9 stretch, these problems have been fixed in version 0.12.3.2-3+deb9u1.
Issued ELA 692-1, fixing CVE-2022-37452, for exim4.
For Debian 8 jessie, these problems have been fixed in version 4.84.2-2+deb8u9.
For Debian 9 stretch, these problems have been fixed in version 4.89-2+deb9u9.
Started to look at src:tiff again. Has a lot of open issues. Haven't claimed the package officially yet, though. :)
Like each month, have a look at the work funded by Freexian's Debian LTS offering.
Debian project funding
No major updates on running projects. Two [1, 2] projects are in the pipeline now. Tryton project is in a review phase. Gradle projects is still fighting in work.
In July, we put aside 2389 EUR to fund Debian projects.
We're looking forward to receive more projects from various Debian teams! Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In July, 14 contributors have been paid to work on Debian LTS, their reports are available:
Abhijith PA did 0.00h (out of 14.00h assigned, thus carrying over 14.00h to the next month).
Andreas Rönnquist did 0.00h (out of 0.00h assigned and 10.50h from previous period, thus carrying over 10.50h to the next month).
Anton Gladky did 23.00h (out of 25.00h assigned, thus carrying over 2.00h to the next month).
Ben Hutchings did 3.00h (out of 24.00h assigned, thus carrying over 21.00h to the next month).
Dominik George did 0.00h (out of 0.00h assigned and 22.17h from previous period, thus carrying over 22.17h to the next month).
Utkarsh Gupta did not report back about their work so we assume they did nothing (out of 35.75 available hours, thus carrying them over to the next month).
Evolution of the situation
In July, we have released 3 DLAs. July was the period, when the Debian Stretch had already ELTS status, but Debian Buster was still in the hands of security team. Many members of LTS used this time to update internal infrastructure, documentation and some internal tickets. Now we are ready to take the next release in our hands: Buster!
Thanks to our sponsors
Sponsors that joined recently are in bold.
Like each month, have a look at the work funded by Freexian's Debian LTS offering.
Debian project funding
No major updates on running projects. Two [1, 2] projects are in the pipeline now. Tryton project is in a review phase. Gradle projects is still fighting in work.
In June, we put aside 2254 EUR to fund Debian projects.
We're looking forward to receive more projects from various Debian teams! Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In June, 15 contributors have been paid to work on Debian LTS, their reports are available:
Utkarsh Gupta did not report back about their work so we assume they did nothing (out of 30.25 available hours, thus carrying them over to the next month).
Evolution of the situation
In June we released 27 DLAs.
This is a special month, where we have two releases (stretch and jessie) as ELTS and NO release as LTS. Buster is still handled by the security team and will probably be given in LTS hands at the beginning of the August. During this month we are updating the infrastructure, documentation and improve our internal processes to switch to a new release. Many developers have just returned back from Debconf22, held in Prizren, Kosovo! Many (E)LTS members could meet face-to-face and discuss some technical and social topics! Also LTS BoF took place, where the project was introduced (link to video).
Thanks to our sponsors
Sponsors that joined recently are in bold. We are pleased to welcome Alter Way where their support of Debian is publicly acknowledged at the higher level, see this French quote of Alterway's CEO.
Like each month, have a look at the work funded by Freexian's Debian LTS offering.
Debian project funding
Two [1, 2] projects are in the pipeline now. Tryton project is in a final phase. Gradle projects is fighting with technical difficulties.
In May, we put aside 2233 EUR to fund Debian projects.
We're looking forward to receive more projects from various Debian teams! Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In May, 14 contributors have been paid to work on Debian LTS, their reports are available:
Utkarsh Gupta did 35h (out of 19h assigned and 30h from April), thus carrying over 14h to June.
Evolution of the situation
In May we released 49 DLAs. The security tracker currently lists 71 packages with a known CVE and the dla-needed.txt file has 65 packages needing an update.
The number of paid contributors increased significantly, we are pleased to welcome our latest team members: Andreas Rönnquist, Dominik George, Enrico Zini and Stefano Rivera.
It is worth pointing out that we are getting close to the end of the LTS period for Debian 9. After June 30th, no new security updates will be made available on security.debian.org. We are preparing to overtake Debian 10 Buster for the next two years and to make this process as smooth as possible.
But Freexian and its team of paid Debian contributors will continue to maintain Debian 9 going forward for the customers of the Extended LTS offer. If you have Debian 9 servers to keep secure, it's time to subscribe!
You might not have noticed, but Freexian formalized a mission statement where we explain that our purpose is to help improve Debian. For this, we want to fund work time for the Debian developers that recently joined Freexian as collaborators. The Extended LTS and the PHP LTS offers are built following a model that will help us to achieve this if we manage to have enough customers for those offers. So consider subscribing: you help your organization but you also help Debian!
Thanks to our sponsors
Sponsors that joined recently are in bold.
Like each month, have a look at the work funded by Freexian's Debian LTS offering.
Debian project funding
Two projects are currently in the pipeline: Gradle enterprise and Tryton update. Progress is quite slow on the Gradle one, there are technical difficulties. The tryton one was stalled because the developer had not enough time but seems to progress smoothly in the last weeks.
In April, we put aside 2635 EUR to fund Debian projects.
We're looking forward to receive more projects from various Debian teams! Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In April, 11 contributors have been paid to work on Debian LTS, their reports are available:
Utkarsh Gupta did 23.25h out of 51.5h assigned and 1.75h from March, thus carrying over 30h to May
Evolution of the situation
In April we released 30 DLAs and we were glad to welcome a new customer with Alter Way.
The security tracker currently lists 72 packages with a known CVE and the dla-needed.txt file has 71 packages needing an update.
It is worth pointing out that we are getting close to the end of the LTS period for Debian 9. After June 30th, no new security updates will be made available on security.debian.org.
But Freexian and its team of paid Debian contributors will continue to maintain Debian 9 going forward for the customers of the Extended LTS offer. If you have Debian 9 servers to keep secure, it's time to subscribe!
You might not have noticed, but Freexian formalized a mission statement where we explain that our purpose is to help improve Debian. For this, we want to fund work time for the Debian developers that recently joined Freexian as collaborators. The Extended LTS and the PHP LTS offers are built following a model that will help us to achieve this if we manage to have enough customers for those offers. So consider subscribing: you help your organization but you also help Debian!
Thanks to our sponsors
Sponsors that joined recently are in bold.
This is the report for the Debian Clojure Team remote sprint
that took place on May 13-14th.
Looking at my previous blog entries, this was my first Debian sprint since
July 2020! Crazy how fast time flies...
Many thanks to those who participated, namely:
Rob Browning (rlb)
Elana Hashman (ehashman)
Jérôme Charaoui (lavamind)
Leandro Doctors (allentiak)
Louis-Philippe Véronneau (pollo)
Sadly, Utkarsh Gupta although having planned on participating ended up not
being able to and worked on DebConf Bursary paperwork instead.
rlb
Rob mostly worked on creating a dh-clojure tool to help make packaging
Clojure libraries easier.
At the moment, most of the packaging is done manually, by invoking build
tools by hand. Having a tool to automate many of the steps required to build
Clojure packages would go a long way in making them more uniform.
His work (although still very much a WIP) can be found here:
https://salsa.debian.org/rlb/dh-clojure/
ehashman
Elana:
Finished the Java Team VCS migration to the Clojure Team namespace.
lavamind
It was Jérôme's first time working on Clojure packages, and things went great!
During the sprint, he:
Joined the Clojure Team on salsa.
Identified missing dependencies to update puppetdb to the 7.x release.
Learned how to package Clojure libraries in Debian.
Packaged murphy-clojure, truss-clojure and encore-clojure and uploaded
them to NEW.
Began to package nippy-clojure.
allentiak
Leandro joined us on Saturday, since he couldn't get off work on Friday. He
mostly continued working on replacing our in-house scripts for
/usr/bin/clojure by upstream's, a task he had already started during GSoC
2021.
Sadly, none of us were familiar with Debian's mechanism for alternatives. If you
(yes you, dear reader) are familiar with it, I'm sure he would warmly welcome
feedback on his development branch.
pollo
As for me, I:
Fixed a classpath bug in core-async-clojure that was breaking other
libraries.
Added meaningful autopkgtests to core-async-clojure.
Uploaded new versions of tools-analyzer-clojure and
trapperkeeper-clojure with autopkgtests.
Updated pomegranate-clojure and nrepl-clojure to the latest upstream
version and revamped the way they were packaged.
Assisted lavamind with Clojure packaging.
Overall, it was quite a productive sprint!
Thanks to Debian for sponsoring our food during the sprint. It was nice to be
able to concentrate on fixing things instead of making food :)
Here's a bonus picture of the nice sushi platter I ended up getting for dinner
on Saturday night:
Here's my (thirty-first) monthly but brief update about the activities I've done in the F/L/OSS world.
Debian
This was my 40th month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
There's a bunch of things I did this month but mostly non-technical, now that DC22 is around the corner. Here are the things I did:
Debian Uploads
Helped Andrius w/ FTBFS for php-text-captcha, reported via #977403.
I fixed the same in Ubuntu a couple of months ago and they copied over the patch here.
Other $things:
Volunteering for DC22 Content team.
Leading the Bursary team w/ Paulo.
Answering a bunch of questions of referees and attendees around bursary.
Ubuntu
This was my 15th month of actively contributing to Ubuntu.
Now that I joined Canonical to work on Ubuntu full-time, there's a bunch of things I do! \o/
I mostly worked on different things, I guess.
I was too lazy to maintain a list of things I worked on so there's
no concrete list atm. Maybe I'll get back to this section later or
will start to list stuff from the fall, as I was doing before. :D
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my thirty-first month as a Debian LTS and twentieth month as a Debian ELTS paid contributor.
I worked for 23.25 hours for LTS and 20.00 hours for ELTS.
LTS CVE Fixes and Announcements:
Issued DLA 2976-1, fixing CVE-2022-1271, for gzip.
For Debian 9 stretch, these problems have been fixed in version 1.6-5+deb9u1.
Issued DLA 2977-1, fixing CVE-2022-1271, for xz-utils.
For Debian 9 stretch, these problems have been fixed in version 5.2.2-1.2+deb9u1.
Working on src:tiff and src:mbedtls to fix the issues, still waiting for more issues to be reported, though.
Looking at src:mutt CVEs. Haven't had the time to complete but shall roll out next month.
ELTS CVE Fixes and Announcements:
Issued ELA 593-1, fixing CVE-2022-1271, for gzip.
For Debian 8 jessie, these problems have been fixed in version 1.6-4+deb8u1.
Issued ELA 594-1, fixing CVE-2022-1271, for xz-utils.
For Debian 8 jessie, these problems have been fixed in version 5.1.1alpha+20120614-2+deb8u1.
Working on src:tiff and src:beep to fix the issues, still waiting for more issues to be reported for src:tiff and src:beep is a bit of a PITA, though. :)
There was no new activity in Debian project funding in the two existing projects. However, there was a survey run with hundreds of Debian Developers and Debian contributors. The survey results are being collated and we will use the anonymized data to further develop the Freexian project funding initiative.
We are preparing to more broadly announce additional support for Debian 8 Jessie and Debian 9 Stretch. Now, Debian 8 can be supported until June 2025 and Debian 9 until June 2027. More information on ELTS support is available.
Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In March, 11 contributors were paid to work on Debian LTS, their reports are available below. If you're interested in participating in the LTS or ELTS teams, we welcome participation from the Debian community. Simply get in touch with Jeremiah or Raphaël if you are interested in participating.
Utkarsh Gupta did 57.75h out of 59.5h assigned, carrying over 1.75 hours.
Evolution of the situation
In March we released 42 DLAs.
The security tracker currently lists 81 packages with a known CVE and the dla-needed.txt file has 52 packages needing an update.
We're glad to welcome a few new sponsors such as Électricité de France (Gold sponsor), Telecats BV and Soliton Systems.
Thanks to our sponsors
Sponsors that joined recently are in bold.
In February Raphaël and the LTS worked on a survey of Debian developers meant to solicit ideas for improvements in the Debian project at large. You can see the results of the initial discussion here in the list of ideas of which there are already over 30.
The full survey is due to be emailed to Debian Developers shortly.
Debian LTS contributors
In February, 12 contributors were paid to work on Debian LTS, their reports are available below. If you're interested in participating in the LTS or ELTS teams, we welcome participation from the Debian community. Simply get in touch with Jeremiah or Raphaël if you are interested in participating.
Utkarsh Gupta did 15.75h (out of 42.75h available), thus carrying over 27h to March.
Evolution of the situation
In February we released 24 DLAs.
The security tracker currently lists 61 packages with a known CVE and the dla-needed.txt file has 26 packages needing an update.
You can find out more about the Debian LTS project via the following video:
Thanks to our sponsors
Sponsors that joined recently are in bold.
Here's my (twenty-ninth) monthly but brief update about the activities I've done in the F/L/OSS world.
Debian
This was my 38th month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
I had been sick this month, so most of the time I spent away from system, recovering, et al,
and also went through the huge backlog that I had, which is starting to get smaller. :D
Anyway, I did the following stuff in Debian:
Uploads and bug fixes:
at (3.4.4-1) - Adding a DEP8 test for the package, fixing bug #985421.
Other $things:
Mentoring for newcomers.
Moderation of -project mailing list.
Ubuntu
This was my 13th month of actively contributing to Ubuntu.
Now that I joined Canonical to work on Ubuntu full-time, there's a bunch of things I do! \o/
I mostly worked on different things, I guess.
I was too lazy to maintain a list of things I worked on so there's
no concrete list atm. Maybe I'll get back to this section later or
will start to list stuff from the fall, as I was doing before. :D
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my twenty-ninth month as a Debian LTS and eighteenth month as a Debian ELTS paid contributor.
Whilst I was assigned 42.75 hours for LTS and 45.25 hours for ELTS, I could only work a little due to being sick and so
I spent 15.75 hours on LTS and 9.25 hours on ELTS and worked on the following things:
LTS CVE Fixes and Announcements:
Issued DLA 2909-1, fixing CVE-2021-45079, for strongswan.
For Debian 9 stretch, these problems have been fixed in version 5.5.1-4+deb9u6.
In January we saw a new funded project proposed. The project is meant to bring in a number of changes to the Tryton modules and packages in Debian. Tryton, a full featured, entirely open source business software platform, is supported by its own foundation. You can track the current status of all our funded projects at its dedicated web page.
Folks continue to add to the Grow Your Ideas project page, that's great.
We continue to look forward to hearing about Debian project proposals from various Debian stakeholders. This month has seen work on a survey that will go out to Debian Developers to gather feedback on what they think should be the priorities for funding in the project. Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In January, 13 contributors were paid to work on Debian LTS, their reports are available below. If you're interested in participating in the LTS or ELTS teams, we welcome participation from the Debian community. Simply get in touch with Jeremiah or Raphaël.
Utkarsh Gupta worked 58.25 hours out of 58.25 available.
Evolution of the situation
In January we released 34 DLAs.
The security tracker currently lists 39 packages with a known CVE and the dla-needed.txt file has 20 packages still needing an update.
Thanks to our sponsors
Sponsors that joined recently are in bold.
Here's my (twenty-seventh) monthly but brief update about the activities I've done in the F/L/OSS world.
Debian
This was my 36th month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
Just churning through the backlog again this month. Ugh.
Anyway, I did the following stuff in Debian:
Uploads and bug fixes:
ruby2.7 (2.7.5-1) - New upstream version fixing 3 new CVEs.
Other $things:
Mentoring for newcomers.
Moderation of -project mailing list.
Ubuntu
This was my 11th month of actively contributing to Ubuntu.
Now that I've joined Canonical to work on Ubuntu full-time, there's a bunch of things I do! \o/
I mostly worked on different things, I guess.
I was too lazy to maintain a list of things I worked on so there's
no concrete list atm. Maybe I'll get back to this section later or
will start to list stuff from next year onward, as I was doing before. :D
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my twenty-seventh month as a Debian LTS and eighteenth month as a Debian ELTS paid contributor.
I was assigned 40.00 hours for LTS and 60.00 hours for ELTS and worked on the following things:
(since I had a 3-week vacation, I wanted to wrap things up that were pending and so I worked for 20h more for LTS, which I'll compensate the next month!)
Issued DLA 2854-1, fixing CVE-2017-18635, for novnc.
For Debian 9 stretch, these problems have been fixed in version 1:0.4+dfsg+1+20131010+gitf68af8af3d-6+deb9u1.
Issued ELA 536-1, fixing CVE-2021-43818, for lxml.
For Debian 8 jessie, these problems have been fixed in version Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain.
Started working on src:samba for CVE-2020-25717 to CVE-2020-25722 and CVE-2021-23192 for jessie and stretch, both.
The version difference b/w the suites are a bit too much for the patch(es) to be easily backported. I've talked to Anton to work something out. \o/
Found the problem w/ libjdom1-java. Will have to roll the regression upload.
I've prepared the patch but needs some testing to be finally rolled out. Same for stretch.
Other (E)LTS Work:
Front-desk duty from 29-11 to 05-12 and 20-12 to 26-12 for both LTS and ELTS.
Our project funding work continues with an active bid on the work of packaging a recent gradle in Debian. This month the bidder has been estimating the scope of the entire project.
The Grow Your Ideas project page also has some ambitious initiatives that may evolve into a funded project. The project ideas on that page range from a new wiki for Debian, a more efficient reimbursement process, and the implementation of PPAs for Debian.
We continue to look forward to hearing about Debian project proposals from various Debian stakeholders. This month has seen work on a survey that will go out to Debian Developers to gather feedback on what they think should be the priorities for funding in the project.
Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In November, 13 contributors were paid to work on Debian LTS; their reports are available below. If you're interested in participating in the LTS or ELTS teams, we welcome participation from the Debian community. Simply get in touch with Jeremiah if you are interested in participating.
Adrian Bunk did 62h out of 56h assigned for November and 6h from October.
Jeremiah Foster, who is coordinating/managing the LTS team, did 29h (out of 10h assigned and 10h from October for LTS administration), and spent 9 hours on Projects funded directly through the project funding program.
Lee Garrett did 9 hours out of 60 assigned and carried over 51h into December.
Utkarsh Gupta did 30 (out of 40h assigned), thus carrying over 10h to December.
Evolution of the situation
In November we released 31 DLAs.
The security tracker currently lists 23 packages with a known CVE and the dla-needed.txt file has 16 packages needing an update.
Thanks to our sponsors
Sponsors that joined recently are in bold.
Here's my (twenty-sixth) monthly but brief update about the activities I've done in the F/L/OSS world.
Debian
This was my 35th month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
Just churning through the backlog again this month. Ugh.
Anyway, I did the following stuff in Debian:
Uploads and bug fixes:
rails (2:6.1.4.1+dfsg-3) - No-change rebuild for unstable.
Other $things:
Mentoring for newcomers.
Moderation of -project mailing list.
Ubuntu
This was my 10th month of actively contributing to Ubuntu.
Now that I've joined Canonical to work on Ubuntu full-time, there's a bunch of things I do! \o/
I mostly worked on different things, I guess.
I was too lazy to maintain a list of things I worked on so there's
no concrete list atm. Maybe I'll get back to this section later or
will start to list stuff from next year onward, as I was doing before. :D
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my twenty-sixth month as a Debian LTS and seventeenth month as a Debian ELTS paid contributor.
I was assigned 30.00 hours for LTS and 45.00 hours for ELTS and worked on the following things:
Issued DLA 2836-1, fixing CVE-2021-43527, for nss.
For Debian 9 stretch, these problems have been fixed in version 2:3.26.2-1.1+deb9u3.
Started working on src:samba for CVE-2020-25717 to CVE-2020-25722 and CVE-2021-23192 for jessie and stretch, both.
The version difference b/w the suites is a bit too much for the patch(es) to be easily backported. I've talked to Anton to work something out. \o/
Found the problem w/ libjdom1-java. Will have to roll the regression upload.
I've prepared the patch but it needs some testing to be finally rolled out. Same for jessie.
Issued ELA 524-1, fixing CVE-2021-43618, for gmp.
For Debian 8 jessie, these problems have been fixed in version 2:6.0.0+dfsg-6+deb8u1.
Issued ELA 525-1, fixing CVE-2021-43527, for nss.
For Debian 8 jessie, these problems have been fixed in version 2:3.26-1+debu8u14.
Started working on src:samba for CVE-2020-25717 to CVE-2020-25722 and CVE-2021-23192 for jessie and stretch, both.
The version difference b/w the suites is a bit too much for the patch(es) to be easily backported. I've talked to Anton to work something out. \o/
Found the problem w/ libjdom1-java. Will have to roll the regression upload.
I've prepared the patch but it needs some testing to be finally rolled out. Same for stretch.
Other (E)LTS Work:
Front-desk duty from 29-11 to 05-12 for both LTS and ELTS.
Our project funding work continues with an active bid on the work of packaging gradle in Debian. The next steps are reviewing the bid and formal approval.
We're looking forward to receiving more projects from various Debian teams! Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In October, 12 contributors were paid to work on Debian LTS; their reports are available below.
Adrian Bunk did 40.5h in October (out of 28.5h assigned and 18h remaining, thus keeping 6h for November).
Evolution of the situation
In October we released 34 DLAs.
Also, we would like to remark once again that we are constantly looking for new contributors. Please contact Jeremiah if you are interested!
The security tracker currently lists 37 packages with a known CVE and the dla-needed.txt file has 22 packages needing an update.
Thanks to our sponsors
Sponsors that joined recently are in bold.