Here s my 68th monthly but brief update about the activities I ve done in the F/L/OSS world.
Debian
This was my 77th month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas 19! \o/
This month I ve just been sort of MIA, mostly because of a combination of the Canonical engineering sprints in Frankfurt, a bit of vacation in Italy, and then being sick. So didn t really get much done in Debian this month.
Ubuntu
This was my 53rd month of actively contributing to Ubuntu.
I joined Canonical to work on Ubuntu full-time back in February 2021.
Whilst I can t give a full, detailed list of things I did (there s so much and some of it might not be public yet!), here s a quick TL;DR of what I did:
Prepared for the engineering sprints in Frankfurt.
Delivered the Ubuntu knowledge sharing session during the sprints.
Released the first monthly snapshot of Ubuntu 25.10.
Got a recognition award for driving the Plucky Puffin release, nominated by Florent. \o/
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the buster, stretch, and jessie release (+2 years after LTS support).
This was my 68th month as a Debian LTS and 55th month as a Debian ELTS paid contributor.
Due to a combination of the Canonical engineering sprints in Frankfurt, a bit of vacation in Italy, and then being sick, I was barely able to do (E)LTS work. So this month, I worked for only 1.00 hours for LTS and 0 hours for ELTS.
I did the following things:
[LTS] Attended the hourly LTS meeting on IRC. Summary here.
Evolution of the situation
In April, we released 46 DLAs.
Notable security updates:
jetty9, prepared by Markus Koschany, fixes an information disclosure and potential remote code execution vulnerability
zabbix, prepared by Tobias Frost, fixes several vulnerabilities, encompassing denial of service, information disclosure or remote code inclusion
glibc, prepared by Sean Whitton, fixes a buffer overflow vulnerability
Notable non-security updates:
tzdata, prepared by Emilio Pozuelo Monfort, brings the latest timezone database release
php-horde-editor and php-horde-imp, prepared by Sylvain Beucler, have been updated to switch from CKEditor v3, which is EOL, to CKEditor v4; this builds upon work done last month by Sylvain and Bastien for the complete removal of ckeditor3
distro-info-data, prepared by Stefano Rivera, adds information concerning future Debian and Ubuntu releases
The LTS team continues to welcome the collaboration of maintainers and other interested parties from outside the regular team. In April, we had external updates contributed by: Yadd - lemonldap-ng and Moritz Schlarb - libapache2-mod-auth-openidc
A point release of the current stable Debian 12 (codename bookworm ) is planned for mid-May and several LTS contributors have prepared packages for this update, many of them prepared in conjunction with related LTS updates of the same packages:
glib2.0, haproxy, imagemagick, poppler, and python-h11, prepared by Adrian Bunk
rubygems, prepared by Lucas Kanashiro
ruby3.1 (in collaboration with Lucas Kanashiro), twitter-bootstrap3, twitterboot-strap4, wpa, and erlang, prepared by Bastien Roucari s (corresponding updates of twitter-bootstrap3 and twitter-bootstrap4 were also uploaded to Debian unstable)
abseil, prepared by Tobias Frost (a corresponding update was also uploaded to Debian unstable)
vips, prepared by Guilhem Moulin
Additional updates of ruby3.3 and rubygems were prepared for Debian unstable by Lucas Kanashiro.
And finally, a highlight of our continued commitment to enhancing long term support efforts in upstream projects. Freexian, as the primary entity behind the management and execution of the LTS project, has partnered with Invisible Things Lab to extend the upstream security support of Xen 4.17, which is shipped in Debian 12 bookworm (the current stable release). This partnership will result in significantly improved lifecycle support for users of Xen on bookworm, and members of the LTS team will play a part in this endeavour. The Freexian announcement has additional details.
Thanks to our sponsors
Sponsors that joined recently are in bold.
Here s my 67th monthly but brief update about the activities I ve done in the F/L/OSS world.
Debian
This was my 76th month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas 19! \o/
There s a bunch of things I do, both, technical and non-technical. Here s what I did:
Updating Matomo to v5.3.1.
Lots of bursary stuff for DC25. We rolled out the results for the first batch.
Helping Andreas Tille with and around FTP team bits.
Mentoring for newcomers.
Moderation of -project mailing list.
Ubuntu
This was my 51st month of actively contributing to Ubuntu.
I joined Canonical to work on Ubuntu full-time back in February 2021.
Whilst I can t give a full, detailed list of things I did (there s so much and some of it might not be public yet!), here s a quick TL;DR of what I did:
Jon, VP of Engineering, asked me to lead the Canonical Release team - that was definitely not something I saw coming. :)
We re now doing Ubuntu monthly releases for the devel releases - I ll be the tech lead for the project.
Preparing for the May sprints - too many new things and new responsibilities. :)
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the stretch and jessie release (+2 years after LTS support).
This was my 67th month as a Debian LTS and 54th month as a Debian ELTS paid contributor.
Due to DC25 bursary work, Ubuntu 25.04 release, and other travel bits, I only worked for 2.00 hours for LTS and 4.50 hours for ELTS.
I did the following things:
[ELTS] Had already backported patches for adminer for the following CVEs:
As the same CVEs are affected LTS, we decided to release for LTS first and then for ELTS but since I had no hours for LTS, I decided to do a bit more of testing for ELTS to make sure things don t regress in buster.
Will prepare LTS (and also s-p-u, sigh) updates this month and get back to ELTS thereafter.
[LTS] Started to prepare the LTS update for adminer for the same CVEs as for ELTS:
Haven t fully backported the patch yet but this is what I intend to do for this month (now that I have hours :D).
[LTS] Partially attended the LTS meeting on Jitsi. Summary here.
Partially because I was fighting SSO auth issues with Jitsi. Looks like there were some upstream issues/activity and it was resulting in gateway crashes but all good now.
I was following the running notes and keeping up with things as much as I could. :)
Evolution of the situation
In March, we have released 31 DLAs.
Notable security updates:
linux-6.1 (12)and linux, prepared by Ben Hutchings, fixed an extensive list of vulnerabilities
firefox-esr, prepared by Emilio Pozuelo Monfort, fixed a variety of vulnerabilities
intel-microcode, prepared by Tobias Frost, fixed
several local privilege escalation, denial of service, and information disclosure vulnerabilities
vim, prepared by Sean Whitton, fixed a multitude of vulnerabilities, including many application crashes, buffer overflows, and out-of-bounds reads
The recent trend of contributions from contributors external to the formal LTS team has continued. LTS contributor Sylvain Beucler reviewed and facilitated an update to openvpn proposed by Aquila Macedo, resulting in the publication of DLA 4079-1. Thanks a lot to Aquila for preparing the update.
The LTS Team continues to make contributions to the current stable Debian release, Debian 12 (codename bookworm ). LTS contributor Bastien Roucari s prepared a stable upload of krb5 to ensure that fixes made in the LTS release, Debian 11 (codename bullseye ) were also made available to stable users. Additional stable updates, for tomcat10 and jetty9, were prepared by LTS contributor Markus Koschany. And, finally, LTS contributor Utkarsh Gupta prepared stable updates for rails and ruby-rack.
LTS contributor Emilio Pozuelo Monfort has continued his ongoing improvements to the Debian security tracker and its associated tooling, making the data contained in the tracker more reliable and easing interaction with it.
The ckeditor3 package, which has been EOL by upstream for some time, is still depended upon by the PHP Horde packages in Debian. Sylvain, along with Bastien, did monumental work in coordinating with maintainers, security team fellows, and other Debian teams, to formally declare the EOL of the ckeditor3 package in Debian 11 and in Debian 12. Additionally, as a result of this work Sylvain has worked towards the removal of ckeditor3 as a dependency by other packages in order to facilitate the complete removal of ckeditor3 from all future Debian releases.
Thanks to our sponsors
Sponsors that joined recently are in bold.
Here s my 66th monthly but brief update about the activities I ve done in the F/L/OSS world.
Debian
This was my 75th month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas 19! \o/
There s a bunch of things I do, both, technical and non-technical. Here s what I did:
Updating Rails to v7.2.2.1 for Trixie.
Updating Redmine to v6.0.4 for Trixie.
Kickstarting the bursary team for DC25.
Mentoring for newcomers.
Moderation of -project mailing list.
Ubuntu
This was my 50th month of actively contributing to Ubuntu.
Now that I joined Canonical to work on Ubuntu full-time, there s a bunch of things I do! \o/
I mostly worked on different things, I guess.
I was too lazy to maintain a list of things I worked on so there s
no concrete list atm. Maybe I ll get back to this section later or
will start to list stuff from the fall, as I was doing before. :D
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the stretch and jessie release (+2 years after LTS support).
This was my 66th month as a Debian LTS and 53rd month as a Debian ELTS paid contributor.
I worked for 15.00 hours for LTS and 7.50 hours for ELTS.
I did the following things:
Debian LTS
This was my hundred-twenty-eighth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian. During my allocated time I uploaded or worked on:
[DLA 4072-1] xorg-server security update to fix eight CVEs related to possible privilege escalation in X.
[DLA 4073-1] ffmpeg security update to fix three CVEs related to out-of-bounds read, assert errors and NULL pointer dereferences. This was the second update that I announced last month.
Last but not least I did some days of FD this month and attended the monthly LTS/ELTS meeting.
Debian ELTS
This month was the seventy-ninth ELTS month. During my allocated time I uploaded or worked on:
[ELA-1337-1] xorg-server security update to fix eight CVEs in Buster, Stretch and Jessie, related to possible privilege escalation in X.
[ELA-882-2] amanda regression update to improve a fix for privilege escalation. This old regression was detected by Beuc during his work as FD and now finally fixed.
Last but not least I did some days of FD this month and attended the monthly LTS/ELTS meeting.
Debian Printing
This month I uploaded new packages or new upstream or bugfix versions of:
hplip to fix some bugs and let hplip migrate to testing again.
This work is generously funded by Freexian!
Debian Matomo
This month I uploaded new packages or new upstream or bugfix versions of:
Finally matomo was uploaded. Thanks a lot to Utkarsh Gupta and William Desportes for doing most of the work to make this happen.
This work is generously funded by Freexian!
Debian Astro
Unfortunately I didn t found any time to upload packages.Have you ever heard of poliastro? It was a package to do calculations related to astrodynamics and orbital mechanics? It was archived by upstream end of 2023. I am now trying to revive it under the new name boinor and hope to get it back into Debian over the next months.
This is almost the last month that Patrick, our Outreachy intern for the Debian Astro project, is handling his tasks. He is working on automatic updates of the indi 3rd-party driver.
Debian IoT
Unfortunately I didn t found any time to work on this topic.
Debian Mobcom
This month I uploaded new packages or new upstream or bugfix versions of:
misc
Unfortunately I didn t found any time to work on this topic.
FTP master
This month I accepted 437 and rejected 64 packages. The overall number of packages that got accepted was 445.
Last Updated on 15/11/2024.
List of public mirrors in India. Location discovered basis personal knowledge, traces or GeoIP. Mirrors which aren t accessible outside their own ASN are excluded.
Dear Debian community,
this are my bits from DPL written at my last day at another great
DebConf.
DebConf attendance
At the beginning of July, there was some discussion with the bursary and
content team about sponsoring attendees. The discussion continued at
DebConf.
I do not have much experience with these discussions. My summary is that
while there is an honest attempt to be fair to everyone, it did not seem to
work for all, and some critical points for future discussion remained. In
any case, I'm thankful to the bursary team for doing such a time-draining
and tedious job.
Popular packages not yet on Salsa at all
Otto Kek l inen did some interesting investigation about
Popular packages not yet on Salsa at all.
I think I might provide some more up to date list soon by some UDD query
which considers more recent uploads than the trends data soon. For
instance wget was meanwhile moved to Salsa (thanks to No l K the for this).
Keep on contacting more teams
I kept on contacting teams in July. Despite I managed to contact way
less teams than I was hoping I was able to present some conclusions in
the Debian Teams exchange BoF and Slide 16/23 of my
Bits from the DPL talk.
I intend to do further contacts next months.
Nominating Jeremy B cha for GNOME Advisory Board
I've nominated Jeremy B cha to
GNOME Advisory Board.
Jeremy has volunteered to represent Debian at
GUADEC in Denver.
DebCamp / DebConf
I attended DebCamp starting from 22 July evening and had a lot of fun with
other attendees. As always DebConf is some important event nearly
every year for me. I enjoyed Korean food, Korean bath, nature at the
costline and other things.
I had a small event without video coverage
Creating web galleries including maps from a geo-tagged photo collection.
At least two attendees of this workshop confirmed success in creating their
own web galleries.
I used DebCamp and DebConf for several discussions. My main focus was on
discussions with FTP master team members Luke Faraone, Sean Whitton, and
Utkarsh Gupta. I'm really happy that the four of us absolutely agree on
some proposed changes to the structure of the FTP master team, as well
as changes that might be fruitful for the work of the FTP master team
itself and for Debian developers regarding the processing of new
packages.
My explicit thanks go to Luke Faraone, who gave a great introduction to
FTP master work in their
BoF.
It was very instructive for the attending developers to understand how the
FTP master team checks licenses and copyright and what workflow is used
for accepting new packages.
In the first days of DebConf, I talked to representatives of DebConf
platinum sponsor WindRiver, who announced the derivative
eLxr. I warmly welcome
this new derivative and look forward to some great cooperation. I also
talked to the representative of our gold sponsor, Microsoft.
My first own event was the
Debian Med BoF.
I'd like to repeat that it might not only be interesting for people
working in medicine and microbiology but always contains some hints how
to work together in a team.
As said above I was trying to summarise some first results of my team
contacts and got some further input from other teams in the
Debian Teams exchange BoF.
Finally, I had my
Bits from DPL talk.
I received positive responses from attendees as well as from remote
participants, which makes me quite happy. For those who were not able to
join the events on-site or remotely, the videos of all events will be
available on the DebConf site soon. I'd like to repeat the explicit need
for some volunteers to join the Lintian team. I'd also like to point out
the "Tiny tasks" initiative I'd like to start (see below).
BTW, if someone might happen to solve my quiz for the background images
there is a
summary page
in my slides which might help to assign every slide to some DebConf. I
could assume that if you pool your knowledge you can solve more than just
the simple ones. Just let me know if you have some solution. You can add
numbers to the rows and letters to the columns and send me:
2000/2001: Uv + Wx 2002: not attended 2003: Yz 2004: not attended 2005: 2006: not attended 2007: ... 2024: A1
This list provides some additional information for DebConfs I did not
attend and when no video stream was available. It also reminds you about
the one I uncovered this year and that I used two images from 2001 since
I did not have one from 2000. Have fun reassembling good memories.
Tiny tasks: Bug of the day
As I mentioned in my
Bits from DPL talk,
I'd like to start a "Tiny tasks" effort within Debian. The first type of
tasks will be the
Bug of the day
initiative. For those who would like to join, please join the corresponding
Matrix channel. I'm
curious to see how this might work out and am eager to gain some initial
experiences with newcomers. I won't be available until next Monday, as I'll
start traveling soon and have a family event (which is why I need to leave
DebConf today after the formal dinner).
Kind regards from DebConf in Busan
Andreas.
DebConf Bursary updates, by Utkarsh Gupta
Utkarsh is the bursaries team lead for DebConf 24. Bursary
requests are dispatched to a
team of volunteers to review. The results are collated, adjusted and merged to
produce priority lists of requests to fund. Utkarsh raised the team,
coordinated the review, and issued bursaries to attendees.
/usr-move, by Helmut Grohne
More and more, the /usr-move transition is being carried out by multiple
contributors and many performed around a hundred of the requested uploads. Of
these, Helmut contributed five patches and two uploads. As a result, there are
less than 350 packages left to be converted, and all of the non-trivial cases
have patches. We started with three times that number. Thanks to everyone
involved for supporting this effort.
For people interested in background information of this transition,
Helmut gave a presentation at MiniDebConf Berlin
2024
(slides).
sbuild, by Helmut Grohne
While unshare mode of sbuild has existed for quite a while, it is
now getting significant use in Debian, and new problems are popping up.
Helmut looked into an apparmor-related
failure and provided a diagnosis.
While relevant code would detect the chroot nature of a schroot
backend and skip apparmor tests, the unshare environment would be
just good enough to run and fail the test. As sbuild exposes fewer
special kernel filesystems, the tests will be skipped again.
Another problem popped up when gobject-introspection added a
dependency on the host architecture Python interpreter in a cross build
environment. sbuild would prefer installing (and failing) a host
architecture Python to installing the qemu alternative. Attempts to
fix this would result in systemd killing
sbuild. ischroot as used by
libc6.postinst would not classify the unshare environment as a
chroot. Therefore libc6.postinst would run telinit which would kill
the build process. This is a complex interaction problem that shall
eventually be solved by providing triggers from libc6 to be
implemented by affected init systems.
Salsa CI updates, by Santiago Ruano Rinc n
Several issues arose about Salsa CI last month, and it is probably worth
mentioning part of the challenges of defining its framework in YAML.
With the upcoming end-of-support of Debian 10 buster as LTS, armel was
removed from deb.debian.org, making the jobs that build images for
buster/armel to fail. While the removal of buster/armel from the
repositories is a natural change, it put some light on the flaws in
the Salsa CI design regarding the support of the different Debian
releases. Currently, the images are defined like these (from
.images-debian.yml):
Evidently, this increases duplication of the release support data, which
is of course not optimal and it is error prone when changing the data
about supported releases. A better approach would be to have two
different YAML lists, such as:
# releases that have partial support. E.g.: buster is transitioning to# Debian LTS, and buster armel is no longer found in deb.debian.org.old-releases: &old-releases - stretch - buster.currently-supported-releases: ¤tly-supported-releases - bullseye - bullseye-backports - bookworm - bookworm-backports - trixie - sid - experimental
that could be used in the matrix of the jobs that build all the images
available in the pipeline container registry.
However, due to limitations in
GitLab,
it is not possible to expand the variables or mapping values in a
parallel:matrix context. At least not in an elegant fashion.
This is the kind of issue that recently arose and that Santiago is
currently working to solve, in the simplest possible way.
Astute readers would notice that stretch is listed in the fully
supported releases. And there is no problem with stretch, because it is
built from archive.debian.org. Otto actually has tried to
fix
the broken image build job doing the same, but it is still incorrect,
because the security repository is not (yet) available in archive.debian.org.
Additionally, Santiago has also worked on other merge requests, such as:
Archiving DebConf Websites, by Stefano Rivera
DebConf, the annual Debian conference, has its own new website every
year. These are typically complex dynamic web applications (featuring
registration, call for papers, scheduling, etc.) Once the conference is
over, there is no need to keep maintaining these applications, so we
archive the sites off as static HTML, and serve them from Debian s
static CDN.
Stefano archived the websites for the last two DebConfs.
The schedule system behind DebConf 14
and 15 s websites was a derivative of
Canonical s summit
system. This was only used for a couple of years before migrating to
wafer, the current system. Archiving
summit content has been on the nice to have list for years, but nobody
has ever tackled it. The machine that served the sites went away a
couple of years ago. After much digging, a backup of the database was
found, and Stefano got this code running on an ancient Python 2.7.
Recently Stefano put this all together and hooked in an archive export
to finally get this content preserved.
Python 3.x and pypy3 security bug triage, by Stefano Rivera
Stefano Rivera triaged all the open security bugs against the Python 3.x
and PyPy3 packages for Debian s stable and LTS releases. Several had
been fixed but this wasn t recorded in the security tracker.
Linux livepatching support for Debian, by Santiago Ruano Rinc n
In collaboration with Emmanuel Arias, Santiago filed ITP bug
#1070494.
As stated in the bug, more than an Intent to Package, it is an Intent to
Design and Implement live patching support for the Linux kernel in
Debian. For now, Emmanuel and Santiago have done exploratory work and
they are working to understand the different possibilities to implement
livepatching. One possible direction is to rely on
kpatch, and the other is to
package the modules using regular packaging tools. Also, it is needed
to evaluate if it is possible to rely on distributing the modules via
packages, or instead as a service, as it is done by some commercial
distributions.
Miscellaneous contributions
Thorsten Alteholz uploaded cups-bjnp to improve packaging.
Colin Watson tracked down a baffling CI issue in openssh to unblock several merge requests, removed the user_readenv=1 option from its PAM configuration, and started on the first stage of his plan to split out GSS-API key exchange support to separate packages.
Colin did his usual routine work on the Python team, upgrading 26 packages to new upstream versions, and cherry-picking an upstream PR to fix a pytest 8 incompatibility in ipywidgets.
Colin NMUed a couple of packages to reduce the need for explicit overrides in Packages-arch-specific, and removed some other obsolete entries from there.
Emilio managed various library transitions, and helped finish a few of the remaining t64 transitions.
Helmut sent patches for 7 cross build failures, 6 other debian bugs and fixed an infrastructure problem in crossqa.debian.net.
Nicholas worked on a sponsored package upload, and discovered the blhc tool for diagnosing build hardening.
Stefano Rivera started and completed the re2 transition. The release team suggested moving to a virtual package scheme that includes the absl ABI (as re2 now depends on it). Adopted this.
Stefano continued to work on DebConf 24 planning.
Santiago continued to work on DebConf24 Content tasks as well as Debconf25 organisation.
Tobias Frost
did 10.0h (out of 12.0h assigned), thus carrying over 2.0h to the next month.
Utkarsh Gupta
did 3.25h (out of 28.5h assigned and 29.25h from previous period), thus carrying over 54.5h to the next month.
Evolution of the situation
In April, we have released 28 DLAs.
During the month of April, there was one particularly notable security update made in LTS. Guilhem Moulin prepared DLA-3782-1 for util-linux (part of the set of base packages and containing a number of important system utilities) in order to address a possible information disclosure vulnerability.
Additionally, several contributors prepared updates for oldstable (bullseye), stable (bookworm), and unstable (sid), including:
ruby-rack: prepared for oldstable, stable, and unstable by Adrian Bunk
wpa: prepared for oldstable, stable, and unstable by Bastien Roucari s
zookeeper: prepared for stable by Bastien Roucari s
libjson-smart: prepared for unstable by Bastien Roucari s
ansible: prepared for stable and unstable, including autopkgtest fixes to increase future supportability, by Lee Garrett
wordpress: prepared for oldstable and stable by Markus Koschany
emacs and org-mode: prepared for oldstable and stable by Sean Whitton
qtbase-opensource-src: prepared for oldstable and stable by Thorsten Alteholz
libjwt: prepared for oldstable by Thorsten Alteholz
libmicrohttpd: prepared for oldstable by Thorsten Alteholz
These fixes were in addition to corresponding updates in LTS.
Another item to highlight in this month s report is an update to the distro-info-data database by Stefano Rivera. This update ensures that Debian buster systems have the latest available information concerning the end-of-life dates and other related information for all releases of Debian and Ubuntu.
As announced on the debian-lts-announce
mailing list, it is worth to point out that we are getting close to
the end of support of Debian 10 as LTS. After June 30th, no new
security updates will be made available on security.debian.org.
However, Freexian and its team of paid Debian contributors will continue
to maintain Debian 10 going forward for the customers of the
Extended LTS offer. If you still have Debian 10
servers to keep secure, it s time to subscribe!
Thanks to our sponsors
Sponsors that joined recently are in bold.
Contributing to Debian
is part of Freexian s mission. This article
covers the latest achievements of Freexian and their collaborators. All of this
is made possible by organizations subscribing to our
Long Term Support contracts and
consulting services.
P.S. We ve completed over a year of writing these blogs. If you have any
suggestions on how to make them better or what you d like us to cover, or any
other opinions/reviews you might have, et al, please let us know by dropping
an email to us. We d be
happy to hear your thoughts. :)
Salsa CI updates & GSoC candidacy, by Santiago Ruano Rincon
In the context of Google Summer of Code (GSoC), Santiago continued the
mentoring work, following the applications of three of the candidates. This
work started in March, but
Aquila Macedo,
Ahmed Siam and
Piyush Raj continued in April to propose and
review MRs. For example,
Update CI pipeline to utilize specific blhc image per release
and Remove references to buster-backports
by Aquila, or the reviews the candidates made to
Document the structure of the different components of the pipeline
(see below).
Unfortunately, the Salsa CI project didn t get any slot from the GSoC program
in the end.
Along with the Salsa CI related work, Santiago improved the documentation of
Salsa CI, to make it easier for newcomers (as the GSoC candidates) or people
willing to fork the project to understand its internals. Documentation is an
aspect where a lot of improvements can be made.
OpenSSH option review, by Colin Watson
In light of last month s xz-utils backdoor,
Colin did an extensive
review of some
of the choices in Debian s OpenSSH packaging. Some work on this has already
been done
(removing uses of libsystemd
and reducing tcp-wrappers linkage); the next
step is likely to be to start work on the plan to split out GSS-API key
exchange again.
Miscellaneous contributions
Utkarsh Gupta started to put together and kickstart the bursary team ahead of
DebConf 24, to be held in Busan, South Korea.
Utkarsh Gupta reviewed some MRs and docs for the bursary team for the DC24 website.
Helmut Grohne sent patches for 19 cross build failures and submitted a gcc
patch removing LIMITS_H_TESTupstream.
Helmut sent 8 bug reports with 3 patches related to the /usr-move.
Helmut diagnosed why /dev/stdout is
not accessible in sbuild --mode=unshare.
Thorsten Alteholz uploaded foo2zjs and fixed two bugs, one related to
/usr-merge. Likewise the upload of cups-filters (from the 1.x branch) fixed
three bugs. In order to fix an RC bug in cpdb-backends-cups, which was
updated to the 2.x branch, the new package libcupsfilters has been
introduced. Last but not least an upload of hplip fixed one RC bug and an
upload of gutenprint fixed two of them. All of these RC bugs were more or
less related to the time_t transition.
Santiago continued to work in the DebConf organization tasks, including some
for the DebConf 24 Content Team, and looking to build a local community for
DebConf 25.
Stefano Rivera made a couple of uploads of dh-python to Debian, and a few
other general package update uploads.
Stefano did some winding up of DebConf 23 finances, including closing bursary
claims and recording the amounts spent on travel bursaries.
Stefano opened DebConf 24 registration, which always requires some
last-minute work on the website.
Contributing to Debian
is part of Freexian s mission. This article
covers the latest achievements of Freexian and their collaborators. All of this
is made possible by organizations subscribing to our
Long Term Support contracts and
consulting services.
P.S. We ve completed over a year of writing these blogs. If you have any
suggestions on how to make them better or what you d like us to cover, or any
other opinions/reviews you might have, et al, please let us know by dropping an
email to us. We d be
happy to hear your thoughts. :)
SSO Authentication for jitsi.debian.social, by Stefano Rivera
Debian.social s jitsi instance has been getting
some abuse by (non-Debian) people sharing sexually explicit content on the
service. After playing whack-a-mole with this for a month, and shutting the
instance off for another month, we opened it up again and the abuse immediately
re-started.
Stefano sat down and wrote an
SSO Implementation
that hooks into Jitsi s existing JWT SSO support. This requires everyone using
jitsi.debian.social to have a Salsa account.
With only a little bit of effort, we could change this in future, to only
require an account to open a room, and allow guests to join the call.
/usr-move, by Helmut Grohne
The biggest task this month was sending mitigation patches for all of the
/usr-move issues arising from package renames due to the 2038 transition. As a
result, we can now say that every affected package in unstable can either be
converted with dh-sequence-movetousr or has an open bug report. The package
set relevant to debootstrap except for the set that has to be uploaded
concurrently has been moved to /usr and is awaiting migration. The move of
coreutils happened to affect piuparts which hard codes the location of
/bin/sync and received multiple updates as a result.
Miscellaneous contributions
Stefano Rivera uploaded a stable release update to python3.11 for bookworm,
fixing a use-after-free crash.
Stefano uploaded a new version of python-html2text, and updated
python3-defaults to build with it.
In support of Python 3.12, Stefano dropped distutils as a Build-Dependency
from a few packages, and uploaded a complex set of patches to python-mitogen.
Stefano landed some merge requests to clean up dead code in dh-python,
removed the flit plugin, and uploaded it.
Stefano uploaded new upstream versions of twisted, hatchling,
python-flexmock, python-authlib, python mitogen, python-pipx, and xonsh.
Stefano requested removal of a few packages supporting the Opsis HDMI2USB
hardware that DebConf Video team used to use for HDMI capture, as they are
not being maintained upstream. They started to FTBFS, with recent sdcc
changes.
DebConf 24 is getting ready to open registration, Stefano spent some time
fixing bugs in the website, caused by infrastructure updates.
Stefano reviewed all the DebConf 23 travel reimbursements, filing requests
for more information from SPI where our records mismatched.
Roberto C. S nchez worked on facilitating the transfer of upstream
maintenance responsibility for the dormant Shorewall project to a new team
led by the current maintainer of the Shorewall packages in Debian.
Colin Watson fixed build failures in celery-haystack-ng, db1-compat,
jsonpickle, libsdl-perl, kali, knews, openssh-ssh1,
python-json-log-formatter, python-typing-extensions, trn4, vigor, and
wcwidth. Some of these were related to the 64-bit time_t transition, since
that involved enabling -Werror=implicit-function-declaration.
Colin fixed an
off-by-one error in neovim,
which was already causing a build failure in Ubuntu and would eventually have
caused a build failure in Debian with stricter toolchain settings.
Colin added an sshd@.service template to
openssh to help newer systemd versions make containers and VMs SSH-accessible
over AF_VSOCK sockets.
Following the xz-utils backdoor, Colin
spent some time testing and discussing OpenSSH upstream s proposed
inline systemd notification patch,
since the current implementation via libsystemd was part of the attack vector
used by that backdoor.
Utkarsh reviewed and sponsored some Go packages for Lena Voytek and Rajudev.
Utkarsh also helped Mitchell Dzurick with the adoption of pyparted package.
Helmut sent 10 patches for cross build failures.
Helmut partially fixed architecture cross bootstrap tooling to deal with
changes in linux-libc-dev and the recent gcc-for-host changes and also
fixed a 64bit-time_t FTBFS in libtextwrap.
Thorsten Alteholz uploaded several packages from debian-printing: cjet,
lprng, rlpr and epson-inkjet-printer-escpr were affected by the newly enabled
compiler switch -Werror=implicit-function-declaration. Besides fixing these
serious bugs, Thorsten also worked on other bugs and could fix one or the
other.
Carles updated simplemonitor and python-ring-doorbell packages with new
upstream versions.
Santiago also reviewed applications for the
improving Salsa CI in Debian
GSoC 2024 project. We received applications from four very talented
candidates. The selection process is currently ongoing. A huge thanks to all
of them!
As part of the DebConf 24 organization, Santiago has taken part in the
Content team discussions.
Utkarsh Gupta
did 19.5h (out of 0.0h assigned and 48.75h from previous period), thus carrying over 29.25h to the next month.
Evolution of the situation
In March, we have released 31 DLAs.
Adrian Bunk was responsible for updating gtkwave not only in LTS, but also in unstable, stable, and old-stable as well. This update involved an upload of a new upstream release of gtkwave to each target suite to address 82 separate CVEs. Guilhem Moulin prepared an update of libvirt which was particularly notable, as it fixed multiple vulnerabilities which would lead to denial of service or information disclosure.
In addition to the normal security updates, multiple LTS contributors worked at getting various packages updated in more recent Debian releases, including gross for bullseye/bookworm (by Adrian Bunk), imlib2 for bullseye, jetty9 and tomcat9/10 for bullseye/bookworm (by Markus Koschany), samba for bullseye, py7zr for bullseye (by Santiago Ruano Rinc n), cacti for bullseye/bookwork (by Sylvain Beucler), and libmicrohttpd for bullseye (by Thorsten Alteholz). Additionally, Sylvain actively coordinated with cacti upstream concerning an incomplete fix for CVE-2024-29894.
Thanks to our sponsors
Sponsors that joined recently are in bold.
Utkarsh Gupta
did 11.25h (out of 26.75h assigned and 33.25h from previous period), thus carrying over 48.75 to the next month.
Evolution of the situation
In February, we have released 17 DLAs.
The number of DLAs published during February was a bit lower than usual, as there was much work going on in the area of triaging CVEs (a number of which turned out to not affect Debia buster, and others which ended up being duplicates, or otherwise determined to be invalid). Of the packages which did receive updates, notable were sudo (to fix a privilege management issue), and iwd and wpa (both of which suffered from authentication bypass vulnerabilities).
While this has already been already announced in the Freexian blog, we would like to mention here the start of the Long Term Support project for Samba 4.17. You can find all the important details in that post, but we would like to highlight that it is thanks to our LTS sponsors that we are able to fund the work from our partner, Catalyst, towards improving the security support of Samba in Debian 12 (Bookworm).
Thanks to our sponsors
Sponsors that joined recently are in bold.
/usr-move, by Helmut Grohne
Much of the work was spent on handling interaction with time time64 transition
and sending patches for mitigating fallout. The set of packages relevant to
debootstrap is mostly converted and the patches for glibc and base-files
have been refined due to feedback from the upload to Ubuntu noble. Beyond this,
he sent patches for all remaining packages that cannot move their files with
dh-sequence-movetousr and packages using dpkg-divert in ways that dumat
would not recognize.
Upcoming improvements to Salsa CI, by Santiago Ruano Rinc n
Last month, Santiago Ruano Rinc n started the work on integrating sbuild into
the Salsa CI pipeline. Initially, Santiago used sbuild with the unshare
chroot mode. However, after discussion with josch, jochensp and helmut (thanks
to them!), it turns out that the unshare mode is not the most suitable for the
pipeline, since the level of isolation it provides is not needed, and some test
suites would fail (eg: krb5). Additionally, one of the requirements of the
build job is the use of ccache, since it is needed by some C/C++ large projects
to reduce the compilation time. In the preliminary work with unshare last
month, it was not possible to make ccache to work.
Finally, Santiago changed the chroot mode, and now has a couple of POC (cf:
1
and 2)
that rely on the schroot and sudo, respectively. And the good news is that
ccache is successfully used by sbuild with schroot!
The image here comes from an example of building grep. At the end of the
build, ccache -s shows the statistics of the cache that it used, and so a
little more than half of the calls of that job were cacheable. The most
important pieces are in place to finish the integration of sbuild into the
pipeline.
Other than that, Santiago also reviewed the very useful
merge request !346,
made by IOhannes zm lnig to autodetect the release from debian/changelog. As
agreed with IOhannes, Santiago is preparing a merge request to include the
release autodetection use case in the very own Salsa CI s CI.
Packaging simplemonitor, by Carles Pina i Estany
Carles started using simplemonitor in
2017, opened a
WNPP bug in 2022
and started packaging simplemonitor dependencies in October 2023. After
packaging five direct and indirect dependencies, Carles finally uploaded
simplemonitor to unstable in February.
During the packaging of simplemonitor, Carles reported
a few issues
to upstream. Some of these were to make the simplemonitor package build and run
tests reproducibly. A reproducibility issue was reprotest overriding the
timezone, which broke simplemonitor s tests. There have been discussions on
resolving this upstream in simplemonitor and
in reprotest,
too.
Carles also started upgrading or improving some of simplemonitor s dependencies.
Miscellaneous contributions
Stefano Rivera spent some time doing admin on debian.social infrastructure.
Including dealing with a spike of abuse on the Jitsi server.
Stefano started to prepare a new release of dh-python, including cleaning out
a lot of old Python 2.x related code. Thanks to Niels Thykier (outside
Freexian) for spear-heading this work.
DebConf 24 planning is beginning. Stefano discussed venues and finances with
the local team and remotely supported a site-visit by Nattie (outside
Freexian).
Also in the DebConf 24 context, Santiago took part in discussions and
preparations related to the Content Team.
A JIT bug was
reported against pypy3 in Debian Bookworm. Stefano bisected the upstream
history to find the patch (it was already resolved upstream) and released an
update to pypy3 in bookworm.
Enrico participated in /usr-merge discussions with Helmut.
Colin dug into a cluster of celery build failures and tracked the hardest bit
down to a Python 3.12 regression, now
fixed in unstable. celery should be back in testing once the 64-bit time_t
migration is out of the way.
Thorsten Alteholz uploaded a new upstream version of cpdb-libs. Unfortunately
upstream changed the naming of their release tags, so updating the watch file
was a bit demanding. Anyway this version 2.0 is a huge step towards
introduction of the new Common Print Dialog Backends.
Helmut send patches for 48 cross build failures.
Helmut changed debvm to use mkfs.ext4 instead of genext2fs.
Helmut sent a
debci MR
for improving collector robustness.
In preparation for DebConf 25, Santiago worked on the Brest Bid.
Tobias Frost
did 12.0h (out of 10.25h assigned and 1.75h from previous period).
Utkarsh Gupta
did 8.5h (out of 35.75h assigned), thus carrying over 24.75h to the next month.
Evolution of the situation
In January, we have released 25 DLAs.
A variety of particularly notable packages were updated during January. Among those updates were the Linux kernel (both versions 5.10 and 4.19), mariadb-10.3, openjdk-11, firefox-esr, and thunderbird.
In addition to the many other LTS package updates which were released in January, LTS contributors continue their efforts to make impactful contributions both within the Debian community.
Thanks to our sponsors
Sponsors that joined recently are in bold.
Upcoming Improvements to Salsa CI, by Santiago Ruano Rinc n
Santiago started picking up the work made by Outreachy Intern, Enock Kashada (a
big thanks to him!), to solve some long-standing issues in Salsa CI. Currently,
the first job in a Salsa CI pipeline is the extract-source job, used to
produce a debianize source tree of the project. This job was introduced to make
it possible to build the projects on different architectures, on the subsequent
build jobs. However, that extract-source approach is sub-optimal: not only it
increases the execution time of the pipeline by some minutes, but also projects
whose source tree is too large are not able to use the pipeline. The debianize
source tree is passed as an artifact to the build jobs, and for those large
projects, the size of their source tree exceeds the Salsa s limits. This is
specific issue is documented as
issue #195, and
the proposed solution is to get rid of the extract-source job, relying on
sbuild in the very build job (see
issue #296).
Switching to sbuild would also help to improve the build source job,
solving issues such as
#187 and
#298.
The
current work-in-progress
is very preliminary, but it has already been possible to run the build (amd64),
build-i386 and build-source job using sbuild with the unshare mode. The image
on the right shows a pipeline that builds grep. All the test jobs use the
artifacts of the new build job. There is a lot of remaining work, mainly making
the integration with ccache work. This change could break some things, it will
also be important to test how the new pipeline works with complex projects.
Also, thanks to Emmanuel Arias, we are proposing a
Google Summer of Code 2024 project
to improve Salsa CI. As part of the ongoing work in preparation for the GSoC
2024 project, Santiago has proposed a
merge request
to make more efficient how contributors can test their changes on the Salsa CI
pipeline.
/usr-move, by Helmut Grohne
In January, we sent most of the moving patches for the set of packages involved
with debootstrap. Notably missing is glibc, which turns out
harder than anticipated via dumat, because
it has Conflicts between different architectures, which dumat does not analyze.
Patches for diversion mitigations have been updated in a way to not exhibit any
loss anymore.
The main change here is that packages which are being diverted now support the
diverting packages in transitioning their diversions. We also supported a few
packages with non-trivial changes such as
netplan.io. dumat has been enhanced to
better support derivatives such as Ubuntu.
Miscellaneous contributions
Python 3.12 migration trundles on. Stefano Rivera helped port several new
packages to support 3.12.
Stefano updated the Sphinx configuration of DebConf Video Team s
documentation, which was broken by Sphinx 7.
Stefano published the videos from the Cambridge MiniDebConf to YouTube and
PeerTube.
DebConf 24 planning has begun, and Stefano & Utkarsh have started work on
this.
Utkarsh re-sponsored the upload of
golang-github-prometheus-community-pgbouncer-exporter for Lena.
Colin discovered Perl::Critic and
used it to tidy up some poor practices in several of his packages, including debconf.
Colin did some overdue debconf maintenance, mainly around tidying up error
message handling in several places (1,
2, 3).
Colin figured out how to update the mirror size documentation in debmirror,
last updated in 2010. It should now be much easier to keep it up to date
regularly.
Colin issued a
man-db buster update
to clean up some irritations due to strict sandboxing.
Thorsten Alteholz adopted two more packages, magicfilter and ifhp, for the
debian-printing team. Those packages are the last ones of the latest round of
adoptions to preserve the old printing protocol within Debian. If you know of
other packages that should be retained, please don t hesitate to contact
Thorsten.
Enrico participated in /usr-merge discussions with Helmut.
Helmut sent patches for 16 cross build failures.
Helmut supported Matthias Klose (not affiliated with Freexian) with adding
-for-host support to gcc-defaults.
Helmut uploaded dput-ng enabling dcut migrate and merging two MRs of Ben
Hutchings.
Santiago took part in the discussions relating to the EU Cyber Resilience
Act (CRA) and the Debian public statement that was published last year. He
participated in a meeting with Members of the European Parliament (MEPs),
Marcel Kolaja and Karen Melchior, and their teams to clarify some points
about the impact of the CRA and Debian and downstream projects, and the
improvements in the last version of the proposed regulation.
LXD/Incus backend bug in autopkgtest by Stefano Rivera
While working on the Python 3.12 transition, Stefano repeatedly ran into
a bug in autopkgtest when using LXD (or in
the future Incus), that caused it to hang when running cython s multi-hour
autopkgtests. After some head-banging, the bug turned out to be fairly
straightforward: LXD didn t shut down on receiving a SIGTERM, so when a
testsuite timed out, it would hang forever. A simple
fix has
been applied.
/usr-merge, by Helmut Grohne
Thanks to Christian Hofstaedtler and others, the effort is moving into a
community effort and the work funded by Freexian becomes more difficult to
separate from non-funded work. In particular, since the community fully handled
all issues around lost udev rules, dh_installudev now installs rules to
/usr.
The story around diversions took another detour. We learned that
conflicts do not reliably prevent concurrent unpack
and the reiterated mitigation for molly-guard triggered this. After a bit of
back and forth and consultation with the developer mailing list, we concluded
that avoiding the problematic behavior when using apt or an apt-based
upgrader combined with a loss mitigation would be good enough. The involved
packages bfh-container, molly-guard, progress-linux-container and
systemd have since been uploaded to unstable and the matter seems finally
solved except that it
doesn t quite work with sysvinit yet. The
same approach is now being proposed for the diversions of
zutils for
gzip. We thank involved maintainers for
their timely cooperation.
gcc-for-host, by Helmut Grohne
Since forever, it has been difficult to correctly express a toolchain build
dependency. This can be seen in the Build-Depends of the linux source
package for instance. While this has been solved for binutils a while back,
the patches for gcc have been unfinished. With lots of constructive feedback
from gcc package maintainer Matthias Klose, Helmut worked on finalizing and
testing these patches. Patch stacks are now available for
gcc-13 and
gcc-14 and
Matthias already included parts of them in test builds for Ubuntu noble.
Finishing this work would enable us to resolve around 1000 cross build
dependency satisfiability issues in unstable.
Miscellaneous contributions
Stefano continued work on the Python 3.12 transition, including uploads of
cython, pycxx, numpy, python-greenlet, twisted, foolscap and dh-python.
Stefano reviewed and selected from a new round of DebConf 24 bids, as part
of the DebConf Committee. Busan, South Korea
was selected.
For debian-printing Thorsten uploaded hplip to unstable to fix a /usr-merge
bug and cups to Bookworm to fix bugs related to printing in color.
Utkarsh helped newcomers in mentoring and reviewing their packaging;
eg: golang-github-prometheus-community-pgbouncer-exporter.
Helmut sent patches for 42 cross build failures unrelated to the
gcc-for-host work.
Helmut continues to maintain rebootstrap. In December, blt started
depending on libjpeg and this poses a
dependency loop. Ideally, Python would
stop depending on blt. Also linux-libc-dev having become
Multi-Arch: foreign poses non-trivial issues that are not fully resolved
yet.
Enrico participated in /usr-merge discussions with Helmut.
Tobias Frost
did 10.25h (out of 12.0h assigned), thus carrying over 1.75h to the next month.
Utkarsh Gupta
did 18.75h (out of 11.25h assigned and 13.5h from previous period), thus carrying over 6.0h to the next month.
Evolution of the situation
In December, we have released 29 DLAs.
A particularly notable update in December was prepared by LTS contributor
Santiago Ruano Rinc n for the openssh package. The updated produced
DLA-3694-1 and included a
fix for the Terrapin Attack (CVE-2023-48795), which was a rather serious flaw in
the SSH protocol itself. The package bluez was the subject of another notable
update by LTS contributor Chris Lamb, which resulted in
DLA-3689-1 to address an
insecure default configuration which allowed attackers to inject keyboard
commands over Bluetooth without first authenticating.
The LTS team continues its efforts to have a positive impact beyond the
boundaries of LTS. Several contributors worked on packages, preparing LTS
updates, but also preparing patches or full updates which were uploaded to the
unstable, stable, and oldstable distributions, including: Guilhem Moulin s
update of tinyxml (uploads to LTS and unstable and patches submitted to the
security team for stable and oldstable); Guilhem Moulin s update of xerces-c
(uploads to LTS and unstable and patches submitted to the security team for
oldstable); Thorsten Alteholz s update of libde265 (uploads to LTS and stable
and additional patches submitted to the maintainer for stable and oldstable);
Thorsten Alteholz s update of cjson (upload to LTS and patches submitted to the
maintainer for stable and oldstable); and Tobias Frost s update of opendkim
(sponsor maintainer-prepared upload to LTS and additionally prepared updates for
stable and oldstable).
Going beyond Debian and looking to the broader community, LTS contributor
Bastien Roucari s was contacted by SUSE concerning an update he had prepared for
zbar. He was able to assist by coordinating with the former organization of the
original zbar author to secure for SUSE access to information concerning the
exploits. This has enabled another distribution to benefit from the work done in
support of LTS and from the assistance of Bastien in coordinating the access to
information.
Finally, LTS contributor Santiago Ruano Rinc n continued work relating to how
updates for packages in statically-linked language ecosystems (e.g., Go, Rust,
and others) are handled. The work is presently focused on more accurately and
reliably identifying which packages are impacted in a given update scenario to
enable notifications to be published so that users will be made aware of these
situations as they occur. As the work continues, it will eventually result in
improvements to Debian infrustructure so that the LTS team and Security team are
able to manage updates of this nature in a more consistent way.
Thanks to our sponsors
Sponsors that joined recently are in bold.
Like each month, have a look at the work funded by Freexian s Debian LTS offering.
Some notable fixes which were made in LTS during the month of November include the gnutls28 cryptographic library and the freerdp2 Remote Desktop Protocol client/server implementation. The gnutls28 update was prepared by LTS contributor Markus Koschany and dealt with a timing attack which could be used to compromise a cryptographic system, while the freerdp2 update was prepared by LTS contributor Tobias Frost and is the result of work spanning 3 months to deal with dozens of vulnerabilities.
In addition to the many ordinary LTS tasks which were completed (CVE triage, patch backports, package updates, etc), there were several contributions by LTS contributors for the benefit of Debian stable and old-stable releases, as well as for the benefit of upstream projects. LTS contributor Abhijith PA uploaded an update of the puma package to unstable in order to fix a vulnerability in that package while LTS contributor Thosten Alteholz sponsored an upload to unstable of libde265 and himself made corresponding uploads of libde265 to Debian stable and old-stable. LTS contributor Bastien Roucari s developed patches for vulnerabilities in zbar and audiofile which were then provided to the respective upstream projects. Updates to packages in Debian stable were made by Markus Koschany to deal with security vulnerabilities and by Chris Lamb to deal with some non-security bugs.
As always, the LTS strives to provide high quality updates to packages under the direct purview of the LTS team while also rendering assistance to maintainers, the stable security team, and upstream developers whenever practical.
Debian LTS contributors
In November, 18 contributors have been paid to work on Debian
LTS, their reports are available:
Abhijith PA
did 7.0h (out of 0h assigned and 14.0h from previous period), thus carrying over 7.0h to the next month.
Adrian Bunk
did 15.0h (out of 14.0h assigned and 9.75h from previous period), thus carrying over 8.75h to the next month.
Anton Gladky
did 10.0h (out of 9.5h assigned and 5.5h from previous period), thus carrying over 5.0h to the next month.
Bastien Roucari s
did 16.0h (out of 18.25h assigned and 1.75h from previous period), thus carrying over 4.0h to the next month.
Ben Hutchings
did 12.0h (out of 16.5h assigned and 12.25h from previous period), thus carrying over 16.75h to the next month.
Chris Lamb
did 18.0h (out of 17.25h assigned and 0.75h from previous period).
Emilio Pozuelo Monfort
did 15.5h (out of 23.5h assigned and 0.25h from previous period), thus carrying over 8.25h to the next month.
Guilhem Moulin
did 13.0h (out of 12.0h assigned and 8.0h from previous period), thus carrying over 7.0h to the next month.
Lee Garrett
did 14.5h (out of 16.75h assigned and 7.0h from previous period), thus carrying over 9.25h to the next month.