• django-macaddress (fixing use of pkg_resources)
• fsspec (fixing a build failure with Python 3.14)
• ipyparallel
• pycodestyle
• pyflakes (fixing a build failure with Python 3.14)
• pyroma
• pytest-golden (fixing a regression that broke markdown-callouts, which I reported upstream)
• pytest-runner
• python-auditwheel
• python-b2sdk (fixing a build failure with Python 3.14)
• python-certifi
• python-django-imagekit (fixing a build failure with Python 3.14)
• python-flake8 (fixing a build failure with a new pyflakes version)
• python-ibm-cloud-sdk-core (contributed supporting fix upstream)
• python-openapi-core (fixing a build failure with Python 3.14)
• python-pdoc (fixing a build failure with Python 3.14)
• python-pyfunceble
• python-pytest-run-parallel
• python-pytokens
• python-weblogo (fixing use of pkg_resources)
• python-wheezy.template
• smart-open
• sphinx-togglebutton
• sqlobject
• supervisor (fixing use of pkg_resources)
• vcr.py (fixing a build failure with Python 3.14)
• zope.interface (including a fix for a Python 3.14 failure in python-klein, which I contributed upstream)
• zope.testrunner (fixing a build failure with Python 3.14)

• pdfposter (contributed upstream)
• pexpect
• poetry
• pyhamcrest
• pylint-gitlab
• python-astor
• python-easydev (contributed upstream)
• python-forbiddenfruit
• python-ibm-cloud-sdk-core
• python-iniparse
• python-libusb1
• python-marshmallow-dataclass (contributed upstream)
• python-marshmallow (NMU)
• python-opentracing
• python-opt-einsum-fx
• python-spdx-tools
• python-stopit
• rich (NMU, also requiring an NMU of textual)
• scikit-build-core
• seqdiag
• uncertainties
• yarsync (contributed upstream, along with a supporting fix)

• pyee (contributed upstream)
• python-django-celery-beat (contributed upstream)
• python-overrides

• beaker
• coreapi
• cppy (no-change rebuild to remove a spurious dependency)
• depthcharge-tools (contributed upstream)
• errbot
• gajim-antispam (removed unused dependency)
• gajim-lengthnotifier (removed unused dependency)
• gajim-openpgp (removed unused dependency)
• gajim-pgp (removed unused dependency)
• gajim-triggers (removed unused dependency)
• grapefruit
• impacket (contributed upstream)
• jupyter-packaging (no-change rebuild to remove a spurious dependency)
• khal
• pipenv (no-change rebuild to remove a spurious dependency)
• pyroma
• pytest-runner
• pytest-tornado
• python-airr
• python-aptly
• python-docxcompose
• python-hatch-mypyc (no-change rebuild to remove a spurious dependency)
• python-pyfunceble
• python-stopit
• python-ttfautohint-py (removed unused dependency)
• setuptools-scm (no-change rebuild to remove a spurious dependency)
• slimit (removed unused dependency)
• sphinx-togglebutton
• topplot (contributed upstream)
• valinor

• audioop-lts: FTBFS: ValueError: major component is required
• basemap: Tries to access Internet during build
• celery: FTBFS: FAILED t/unit/backends/test_mongodb.py::test_MongoBackend::test_store_result (contributed upstream)
• django-allauth: FTBFS: AttributeError: module fido2.features has no attribute webauthn_json_mapping
• django-tastypie
• m2crypto: FTBFS on armhf: AssertionError: 64 != 32
• magicgui
• pytest-mypy-testing
• python-asttokens
• python-distutils-extra: FTBFS: dpkg-buildpackage: error: debian/rules binary subprocess failed with exit status 2
• python-django-extensions: FTBFS: FAILED tests/templatetags/test_highlighting.py::HighlightTagTests::test_should_highlight_python_syntax_with_name
• python-gmpy2: FTBFS: ModuleNotFoundError: No module named gmpy2
• python-jpype: FTBFS on i386, armhf: test/jpypetest/test_buffer.py:394: TypeError (contributed upstream)
• python-maturin: Upcoming target-lexicon update
• traitlets (contributed upstream)
• unattended-upgrades: FTBFS: F824 global logged_msgs is unused: name is never assigned in scope (NMU)

• aiozmq
• mkdocstrings-python-legacy
• python-djantic

• magicgui: Directly Depends and Build-Depends on dbus
• python3-netsnmpagent: Rebuild for libsnmp45

• netcfg: Support SSIDs with /, write correct wifi to /etc/network/interfaces (merged and uploaded)
• openssh: [INTL:zh] Chinese debconf templates translations (merged)
• pymongo (sponsored upload for Aryan Karamtoth)
• python-streamz (sponsored upload for Aryan Karamtoth)
• smart-open: Please make the build reproducible (fixed in a different way)
• uvloop: FTBFS on riscv64 with Python 3.14 as supported (uploaded)

> library(chronometre)
> demo("chronometre", ask=FALSE)


        demo(chronometre)
        ---- ~~~~~~~~~~~

> #!/usr/bin/env r
> 
> stopifnot("Demo requires 'reticulate'" = requireNamespace("reticulate", quietly=TRUE))

> stopifnot("Demo requires 'RcppSpdlog'" = requireNamespace("RcppSpdlog", quietly=TRUE))

> stopifnot("Demo requires 'xptr'" = requireNamespace("xptr", quietly=TRUE))

> library(reticulate)

> ## reticulate and Python in general these days really want a venv so we will use one,
> ## the default value is a location used locally; if needed create one
> ## check for existing virtualenv to use, or else set one up
> venvdir <- Sys.getenv("CHRONOMETRE_VENV", "/opt/venv/chronometre")

> if (dir.exists(venvdir))  
+ >     use_virtualenv(venvdir, required = TRUE)
+ >   else  
+ >     ## create a virtual environment, but make it temporary
+ >     Sys.setenv(RETICULATE_VIRTUALENV_ROOT=tempdir())
+ >     virtualenv_create("r-reticulate-env")
+ >     virtualenv_install("r-reticulate-env", packages = c("chronometre"))
+ >     use_virtualenv("r-reticulate-env", required = TRUE)
+ >  


> sw <- RcppSpdlog::get_stopwatch()                   # we use a C++ struct as example

> Sys.sleep(0.5)                                      # imagine doing some code here

> print(sw)                                           # stopwatch shows elapsed time
0.501220 

> xptr::is_xptr(sw)                                   # this is an external pointer in R
[1] TRUE

> xptr::xptr_address(sw)                              # get address, format is "0x...."
[1] "0x58adb5918510"

> sw2 <- xptr::new_xptr(xptr::xptr_address(sw))       # cloned (!!) but unclassed

> attr(sw2, "class") <- c("stopwatch", "externalptr") # class it .. and then use it!

> print(sw2)                                          #  xptr  allows us close and use
0.501597 

> sw3 <- ch$Stopwatch(  xptr::xptr_address(sw) )      # new Python object via string ctor

> print(sw3$elapsed())                                # shows output via Python I/O
datetime.timedelta(microseconds=502013)

> cat(sw3$count(), "\n")                              # shows double
0.502657 

> print(sw)                                           # object still works in R
0.502721 
> 

Changes in version 0.0.2 (2026-02-05)

• Removed replaced unconditional virtualenv use in demo given preceding conditional block
• Updated README.md with badges and an updated demo

Changes in version 0.0.1 (2026-01-25)

• Initial version and CRAN upload

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. If you like this or other open-source work I do, you can sponsor me at GitHub.

• [DLA 4449-1] zvbi security update to fix five CVEs related to uninitialized pointers and integer overflows.
• [DLA 4450-1] taglib security update to fix one CVE related to a segmentation violation.
• [DLA 4451-1] shapelib security update to fix one CVE related to a double free.
• [DLA 4454-1] libuev security update to fix one CVE related to a buffer overrun.
• [ELA-1620-1] zvbi security update to fix five CVEs in Buster and Stretch related to uninitialized pointers and integer overflows.
• [ELA-1621-1] taglib security update to fix one CVE in Buster and Stretch related to a segmentation violation.
• [#1126167] bookworm-pu bug for zvbi to fix five CVEs in Bookworm.
• [#1126273] bookworm-pu bug for taglib to fix one CVE in Bookworm.
• [#1126370] bookworm-pu bug for libuev to fix one CVE in Bookworm.

• supernovas to unstable (sponsored upload).
• libahp-xc to unstable.
• c-munipack to unstable.

• liburjtag to unstable.

Welcome to the first monthly report in 2026 from the Reproducible Builds project! These reports outline what we ve been up to over the past month, highlighting items of news from elsewhere in the increasingly-important area of software supply-chain security. As ever, if you are interested in contributing to the Reproducible Builds project, please see the Contribute page on our website.

1. Flathub now testing for reproducibility
2. Reproducibility identifying projects that will fail to build in 2038
3. Distribution work
4. Tool development
5. Two new academic papers
6. Upstream patches

Flathub now testing for reproducibility Flathub, the primary repository/app store for Flatpak-based applications, has begun checking for build reproducibility. According to a recent blog post:

We have started testing binary reproducibility of x86_64 builds targeting the stable repository. This is possible thanks to flathub-repro-checker, a tool doing the necessary legwork to recreate the build environment and compare the result of the rebuild with what is published on Flathub. While these tests have been running for a while now, we have recently restarted them from scratch after enabling S3 storage for diffoscope artifacts.

The test results and status is available on their reproducible builds page.

Reproducibility identifying software projects that will fail to build in 2038 Longtime Reproducible Builds developer Bernhard M. Wiedemann posted on Reddit on Y2K38 commemoration day T-12 that is to say, twelve years to the day before the UNIX Epoch will no longer fit into a signed 32-bit integer variable on 19th January 2038. Bernhard s comment succinctly outlines the problem as well as notes some of the potential remedies, as well as links to a discussion with the GCC developers regarding adding warnings for int time_t conversions . At the time of publication, Bernard s topic had generated 50 comments in response.

Distribution work Conda is language-agnostic package manager which was originally developed to help Python data scientists and is now a popular package manager for Python and R. conda-forge, a community-led infrastructure for Conda recently revamped their dashboards to rebuild packages straight to track reproducibility. There have been changes over the past two years to make the conda-forge build tooling fully reproducible by embedding the lockfile of the entire build environment inside the packages.
In Debian this month:

• Scott Talbert uploaded a new version of dh-haskell (0.6.13), reverting parallel support as it broke reproducibility, thereby fixing Debian bug #1125000.
• Vagrant Cascadian posted to our mailing list on the topic of Duplicate Debian packages with matching name-version-arch problem . The issue is that .buildinfo files only record the package name, version and architecture of the build-dependencies (and perhaps a bit more), but there are corner cases where multiple artifacts have the same name, version and architecture . This generated some discussion on the mailing list as well as elsewhere in Debian.
• Roland Clobus also posted to our mailing list regarding Building Debian Live images from snapshot.debian.org. This surfaced an issue regarding the timestamps of the .deb file, leading to Roland filing Debian bug #1126000 to liaise with the developers of the snapshot.debian.org service.
• A change was made to migrate away from using the results from tests.reproducible-builds.org in deciding whether a package is a suitable candidate for the Debian testing distribution (the staging area for the next stable Debian release) to use the results from reproduce.debian.net instead. This was, according to Paul Gevers merge request, because the former service does so by building twice in a row with varying build environment. What we are actually interested in is if the binaries that we ship can be reproduced . The information provided by reproduce.debian.net in future will be used to delay or speed up packages migration time based on their reproducibility status, and further in the future shall be used to block unreproducible packages from migrating entirely.
• 41 reviews of Debian packages were added, 7 were updated and 37 were removed this month adding to our knowledge about identified issues. Chris Lamb identified and added a new source_date_epoch_affected_by_timezone_by_d_compiler_gdc issue type, as well as timezone_variant_in_argparse_manpage.

In NixOS this month, it was announced that the GNU Guix Full Source Bootstrap was ported to NixOS as part of Wire Jansen bachelor s thesis (PDF). At the time of publication, this change has landed in NiX stdev distribution.
Lastly, Bernhard M. Wiedemann posted another openSUSE monthly update for his work there.

Tool development diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made the following changes, including preparing and uploading versions, 310 and 311 to Debian.

• Fix test compatibility with u-boot-tools version 2026-01. [ ]
• Drop the implied Rules-Requires-Root: no entry in debian/control. [ ]
• Bump Standards-Version to 4.7.3. [ ]
• Reference the Debian ocaml package instead of ocaml-nox. (#1125094)
• Apply a patch by Jelle van der Waa to adjust a test fixture match new lines. [ ]
• Also the drop implied Priority: optional from debian/control. [ ]

In addition, Holger Levsen uploaded two versions of disorderfs, first updating the package from FUSE 2 to FUSE 3 as described in last months report, as well as updating the packaging to the latest Debian standards. A second upload (0.6.2-1) was subsequently made, with Holger adding instructions on how to add the upstream release to our release archive and incorporating changes by Roland Clobus to set _FILE_OFFSET_BITS on 32-bit platforms, fixing a build failure on 32-bit systems. Vagrant Cascadian updated diffoscope in GNU Guix to version 311-2-ge4ec97f7 and disorderfs to 0.6.2.

Two new academic papers Julien Malka, Stefano Zacchiroli and Th o Zimmermann of T l com Paris in-house research laboratory, the Information Processing and Communications Laboratory (LTCI) published a paper this month titled Docker Does Not Guarantee Reproducibility:

[ ] While Docker is frequently cited in the literature as a tool that enables reproducibility in theory, the extent of its guarantees and limitations in practice remains under-explored. In this work, we address this gap through two complementary approaches. First, we conduct a systematic literature review to examine how Docker is framed in scientific discourse on reproducibility and to identify documented best practices for writing Dockerfiles enabling reproducible image building. Then, we perform a large-scale empirical study of 5,298 Docker builds collected from GitHub workflows. By rebuilding these images and comparing the results with their historical counterparts, we assess the real reproducibility of Docker images and evaluate the effectiveness of the best practices identified in the literature.

A PDF of their paper is available online.
Quentin Guilloteau, Antoine Waehren and Florina M. Ciorba of the University of Basel in Sweden also published a Docker-related paper, theirs called Longitudinal Study of the Software Environments Produced by Dockerfiles from Research Artifacts:

The reproducibility crisis has affected all scientific disciplines, including computer science (CS). To address this issue, the CS community has established artifact evaluation processes at conferences and in journals to evaluate the reproducibility of the results shared in publications. Authors are therefore required to share their artifacts with reviewers, including code, data, and the software environment necessary to reproduce the results. One method for sharing the software environment proposed by conferences and journals is to utilize container technologies such as Docker and Apptainer. However, these tools rely on non-reproducible tools, resulting in non-reproducible containers. In this paper, we present a tool and methodology to evaluate variations over time in software environments of container images derived from research artifacts. We also present initial results on a small set of Dockerfiles from the Euro-Par 2024 conference.

A PDF of their paper is available online.

Miscellaneous news On our mailing list this month:

• kpcyrd started a thread after they noticed that SWHID (also known as ISO/IEC 18670:2025) was published 1.0 in 2022 and ISO standardized in 2025, but uses the insecure SHA-1 as core cryptographic primitive , asking whether there have been any attempts to upgrade this to SHA-256 or similar.
• Jan-Benedict Glaw asked about the Reproducibility for Libreoffice [when performing] ODT to PDF conversion after they observed that simply calling libreoffice --convert-to pdf some.odt results in unreproducible output PDF. After some replies, Jan-Benedict wrote back to observe that it may be an issue with both timestamps and embedded fonts.

Lastly, kpcyrd added a Rust section to the Stable order for outputs page on our website. [ ]

Upstream patches The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:

• Bernhard M. Wiedemann:
  • clamav
  • kf6-kuserfeedback
  • libaom
  • Nim
  • otp
  • Switcheroo (by Khaleel Al-Adhami)
  • uwsm
  • ZEO
• Chris Lamb:
  • #1124697 filed against sqlalchemy-i18n.
  • #1125671 filed against tea-cli.
  • #1125725 filed against libimage-librsvg-perl.
  • #1125727 filed against seer.
  • #1125729 filed against grabix.
  • #1126038 filed against hovercraft.
  • #1126039 filed against lomiri-location-service.
  • #1126092 filed against argparse-manpage.
  • #1126454 filed against xarray-safe-rcm.
  • #1126512 filed against gcc-15 (forwarded upstream).
• Jochen Sprickerhof:
  • #1124951 filed against rsyslog.
  • #1125000 filed against dh-haskell.

Finally, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

• IRC: #reproducible-builds on irc.oftc.net.
• Mastodon: @reproducible_builds@fosstodon.org
• Mailing list: rb-general@lists.reproducible-builds.org

• Debian packages:
  • dracut:
    • Bugs:
      • replied to and reassigned #1124400: update-initramfs no longer includes /lib/modules/<kver>/updates directory
  • flash-kernel:
    • Bugs:
      • closed #1102690: A higher version ( ) is still installed, no reflashing required
      • closed #1125327: since linux 6.18, flash-kernel fails to find dtbs in /usr/lib/linux-image-*
    • Uploads:
      • uploaded version 3.110 to unstable
      • uploaded version 3.110~bpo13+1 to trixie-backports
  • kernel-sec:
    • Merge requests:
      • opened !30: scripts/import-korg-vulns: Ignore issues in unsupported architectures
  • libvirt:
    • Bugs:
      • (LTS) opened and replied to #1124549: libvirt passes invalid flags for network interface deletion
  • linux:
    • Bugs:
      • replied to #1123750: linux: regression: virtual consoles 2-12 unusable
      • closed #1125287: linux-image-6.12.63+deb13-amd64: Misleading error message x2apic: IRQ remapping doesn t support X2APIC mode
      • replied to #1126015: linux-image-6.17.13+deb14-rt-amd64: ethtool -x <sfc-net-driver-ifname> causes: rtmutex deadlock detected
    • Merge requests:
      • reviewed !1784: Add breaks on reform-tools and flash-kernel versions before support for
    • (LTS) updated the bullseye-security branch to 5.10.248, but did not upload it
  • (LTS) linux-6.1:
    • uploaded version 6.1.159-1~deb11u1 to bullseye-security
  • linux-base:
    • Bugs:
      • replied to #1111052: Please increase default UDP receive buffer size (rmem_max)
      • replied to #1111657: Please increase default UDP send buffer size (wmem_max)
      • closed #1121366: linux-run-hooks uses wrong directory name for headers postinst
      • closed #1124409: linux-base: [INTL:zh] Chinese debconf templates translations
    • Uploads:
      • uploaded version 4.12.1 to trixie
      • uploaded version 4.15 to unstable
  • ministat:
    • Bugs:
      • closed #1123854: ministat: Packaging vcs doesn t work, upstream vcs unspecified
      • closed #1123856: ministat: ministat crashes given all-inf input
    • Uploads:
      • uploaded version 20251113-1 to unstable
      • uploaded version 20251113-2 to unstable
  • wireless-regdb:
    • Merge requests:
      • merged !7: Drop unnecessary B-D m2crypto (Closes: #1126431)
• Debian non-package bugs:
  • release.debian.org:
    • opened #1126020: trixie-pu: package linux-base/4.12.1
• Mailing lists:
  • debian-kernel:
    • posted Agenda items for kernel-team meeting on 2026-01-07
    • replied to Questions on debdiff for linux-signed- amd64,arm64 in trixie-backports
    • (LTS) replied to [regression 5.10.y] Libvirt can no longer delete macvtap devices
    • posted cpp-httplib FTBFS in unstable
    • (LTS) replied to kernel 5.10.0-28-amd64: linux-headers needed
  • debian-lts:
    • posted and replied to Regression update for libvirt in bullseye?
  • debian-lts-announce:
    • posted [SECURITY] [DLA 4436-1] linux-6.1 security update
  • stable:
    • (LTS) posted [5.10] net/sched: act_ife: convert comma to semicolon
    • (LTS) posted [5.10] regression: virtual consoles 2-12 unusable
    • (LTS) reviewed and replied to various patches for 5.10

YouTube Video version I ve also recorded a video version of this article. If you prefer a video, you can find it here.

Debian

Whilst I didn t get a chance to do much, here are still a few things that I worked on:

• A few discussions with the new DFSG team, et al.
• Assited a few folks in getting their patches submitted via Salsa.
• Reviewing pyenv MR for Ujjwal.
• Mentoring for newcomers.
• Moderation of -project mailing list.

---

Ubuntu

I joined Canonical to work on Ubuntu full-time back in February 2021. Whilst I can t give a full, detailed list of things I did, here s a quick TL;DR of what I did:

• Successfully released Resolute Snapshot 3!
  • This one was also done without the ISO tracker and cdimage access.
  • We also worked very hard to build and promote all the image in due time.
• Worked further on the whole artifact signing story for cdimage.
• Assisted a bunch of folks with my Archive Admin and Release team hats to:
  • Helped in EOL ing Plucky.
  • Starting to help with the upcoming 24.04.4 release.
• With that, the mid-cycle sprints are around the corner, so quite busy preparing for that.

---

Debian (E)LTS

This month I have worked 59 hours on Debian Long Term Support (LTS) and on its sister Extended LTS project and did the following things:

Released Security Updates

• adminer: Server-side request forgery and redirection vulnerabilities in HTTP drivers.
  • [ELTS]: Fixed CVE-2023-45195 and CVE-2023-45196 via 4.7.1-1+deb10u2 for buster. This has been released as ELA 1605-1.
• u-boot: Improper sanity checks in FAT filesystem handling.
  • [ELTS]: Fixed CVE-2025-24857 via 2016.11+dfsg1-4+deb9u2 for stretch. This has been released as ELA 1608-1.
• ruby-rmagick: Memory leak in Magick::Draw with ImageMagick 6.
  • [LTS]: Fixed CVE-2023-5349 via 2.16.0-7+deb11u1 for bullseye. This has been released as DLA 4433-1.
• libsodium: Invalid point validation in Ed25519 implementation.
  • [LTS]: Fixed CVE-2025-69277 via 1.0.18-1+deb11u1 for bullseye. This has been released as DLA 4435-1.
  • [ELTS]: Fixed CVE-2025-69277 via 1.0.17-1+deb10u1 for buster. This has been released as ELA 1631-1.
• ceph: Improper validation of HTTP_X_AMZ_COPY_SOURCE header.
  • [LTS]: Fixed CVE-2024-47866 and CVE-2022-0670 via 14.2.21-1+deb11u2 for bullseye. This has been released as DLA 4460-1.
  • [ELTS]: Fixed CVE-2024-47866 via 12.2.11+dfsg1-2.1+deb10u3 for buster and 10.2.11-2+deb9u4 for stretch. This has been released as ELA 1632-1.
• modsecurity-apache: Invalid request handling vulnerability.
  • [ELTS]: Fixed CVE-2025-54571 via 2.9.1-2+deb9u5 for stretch. This has been released as ELA 1633-1.
• pyasn1: Improper continuation octet limits in OID decoder.
  • [LTS]: Fixed CVE-2026-23490 via 0.4.8-1+deb11u1 for bullseye. This has been released as DLA 4463-1.
  • [ELTS]: Fixed CVE-2026-23490 via 0.4.2-3+deb10u1 for buster and 0.1.9-2+deb9u1 for stretch. This has been released as ELA 1634-1.
• node-lodash: Prototype pollution in baseUnset function.
  • [unstable]: Fixed CVE-2025-13465 via 4.17.21+dfsg+~cs8.31.198.20210220-10. This has been uploaded to unstable. DLA to follow once this has settled in sid and stable releases.

Work in Progress

• knot-resolver: Affected by CVE-2023-26249, CVE-2023-46317, and CVE-2022-40188, leading to Denial of Service.
  • [LTS]: Some back and forth discussion with maintainers on the best way to proceed for the bullseye upload.
    • Git repository for bullseye: https://salsa.debian.org/lts-team/packages/knot-resolver/-/tree/debian/bullseye.
• ruby-rack: There were multiple vulnerabilities reported in Rack, leading to DoS (memory exhaustion) and proxy bypass.
  • [ELTS]: After completing the work for LTS myself, Bastien picked it up for ELTS and reached out about an upstream regression and we ve been doing some exchanges. Bastien has done most of the work backporting the patches but needs a review and help backporting CVE-2025-61771. Haven t made much progress since last month and will carry it over.
• node-lodash: Affected by CVE-2025-13465, lrototype pollution in baseUnset function.
  • [stable]: The patch for trixie and bookworm are ready but haven t been uploaded yet as I d like for the unstable upload to settle a bit before I proceed with stable uploads.
  • [LTS]: The bullseye upload will follow once the stable uploads are in and ACK d by the SRMs.
• xrdp: Affected by CVE-2025-68670, leading to a stack-based buffer overflow.
  • [LTS]: Start to prep the work for bullseye and uploaded to Debusine: https://debusine.debian.net/debian/developers/work-request/367666. ELTS to follow.

Other Activities

• [ELTS] Helped Bastien Roucaries debug a tomcat9 regression for buster.
  • I spent quite a lot of time trying to help Bastien (with Markus and Santiago involved via mail thread) by reproducing the regression that the user(s) reported.
  • I also helped suggest a path forward by vendoring everything, which I was then requested to also help perform.
  • Whilst doing that, I noticed circular dependency hellhole and suggested another path forward by backporting bnd and its dependencies as separate NEW packages.
  • Bastien liked the idea and is going to work on that but preferred to revert the update to remedy the immediate regressions reported. I further helped him in reviewing his update. This conversation happened on #debian-elts IRC channel.
• [LTS] Assisted Ben Hutchings with his question about the next possible steps with a plausible libvirt regression caused by the Linux kernel update. This was a thread on debian-lts@ mailing list.
• [LTS] Attended the monthly LTS meeting on IRC. Summary here.
• [E/LTS] Monitored discussions on mailing lists, IRC, and all the documentation updates.

---

Until next time.
:wq for today.

Part
3: Building the Keystone Dataproc Custom Images for Secure Boot &
GPUs In Part 1, we established a secure, proxy-only network. In Part 2, we
explored the enhanced install_gpu_driver.sh initialization
action. Now, in Part 3, we ll focus on using the LLC-Technologies-Collier/custom-images
repository (branch proxy-exercise-2025-11) to build the
actual custom Dataproc images embedded with NVIDIA drivers signed for
Secure Boot, all within our proxied environment.

Why Custom Images? To run NVIDIA GPUs on Shielded VMs with Secure Boot enabled, the
NVIDIA kernel modules must be signed with a key trusted by the VM s EFI
firmware. Since standard Dataproc images don t include these
custom-signed modules, we need to build our own. This process also
allows us to pre-install a full stack of GPU-accelerated software.

The
custom-images Toolkit
(examples/secure-boot) The examples/secure-boot directory within the
custom-images repository contains the necessary scripts and
configurations, refined through significant development to handle proxy
and Secure Boot challenges. Key Components & Development Insights:

• env.json: The central configuration
  file (as used in Part 1) for project, network, proxy, and bucket
  details. This became the single source of truth to avoid configuration
  drift.
• create-key-pair.sh: Manages the Secure
  Boot signing keys (PK, KEK, DB) in Google Secret Manager, essential for
  the module signing.
• build-and-run-podman.sh: Orchestrates
  the image build process in an isolated Podman container. This was
  introduced to standardize the build environment and encapsulate
  dependencies, simplifying what the user needs to install locally.
• pre-init.sh: Sets up the build
  environment within the container and calls
  generate_custom_image.py. It crucially passes metadata
  derived from env.json (like proxy settings and Secure Boot
  key secret names) to the temporary build VM.
• generate_custom_image.py: The core
  Python script that automates GCE VM creation, runs the customization
  script, and creates the final GCE image.
• gce-proxy-setup.sh: This script from
  startup_script/ is vital. It s injected into the temporary
  build VM and runs first to configure the OS, package
  managers (apt, dnf), tools (curl, wget, GPG), Conda, and Java to use the
  proxy settings passed in the metadata. This ensures the entire build
  process is proxy-aware.
• install_gpu_driver.sh: Used as the
  --customization-script within the build VM. As detailed in
  Part 2, this script handles the driver/CUDA/ML stack installation and
  signing, now able to function correctly due to the proxy setup by
  gce-proxy-setup.sh.

Layered Image Strategy: The pre-init.sh script employs a layered approach:

1. secure-boot Image: Base image with
   Secure Boot certificates injected.
2. tf Image: Based on
   secure-boot, this image runs the full
   install_gpu_driver.sh within the proxy-configured build VM
   to install NVIDIA drivers, CUDA, ML libraries (TensorFlow, PyTorch,
   RAPIDS), and sign the modules. This is the primary target image for our
   use case.

(Note: secure-proxy and proxy-tf layers
were experiments, but the -tf image combined with runtime
metadata emerged as the most effective solution for 2.2-debian12). Build Steps:

1. Clone Repos & Configure
   env.json: Ensure you have the
   custom-images and cloud-dataproc repos and a
   complete env.json as described in Part 1.
2. Run the Build:
   bash # Example: Build a 2.2-debian12 based image set # Run from the custom-images repository root bash examples/secure-boot/build-and-run-podman.sh 2.2-debian12
   This command will build the layered images, leveraging the proxy
   settings from env.json via the metadata injected into the
   build VM. Note the final image name produced (e.g.,
   dataproc-2-2-deb12-YYYYMMDD-HHMMSS-tf).

Conclusion of Part 3 Through an iterative process, we ve developed a robust workflow
within the custom-images repository to build Secure
Boot-compatible GPU images in a proxy-only environment. The key was
isolating the build in Podman, ensuring the build VM is fully
proxy-aware using gce-proxy-setup.sh, and leveraging the
enhanced install_gpu_driver.sh from Part 2. In Part 4, we ll bring it all together, deploying a Dataproc cluster
using this custom -tf image within the secure network, and
verifying the end-to-end functionality.

Tweet

• Activist Checklist: Install the latest software updates
• Consumer Reports: Update your Mac, Windows PC, Chromebook, Android phone, iOS device
• Apple: Obsolete products (obsolete devices do not receive security updates)
• Google: How long you'll get Pixel updates
• Samsung: Devices that receive security updates
• Other brands: check the manufacturer's website

• Activist Checklist: Use Signal
• Activist Checklist: Turn on disappearing messages
• Electronic Frontier Foundation: How to use Signal
• Consumer Reports: Communicate privately with Signal
• Signal: Enabling Incognito Keyboard (Android) to provide slightly more privacy

• Electronic Frontier Foundation: Creating strong passwords
• Electronic Frontier Foundation: Remove fingerprint or face unlock
• How-To Geek: Temporarily disable biometric unlock on Android and iOS
• Electronic Frontier Foundation: How to encrypt your Windows, Mac, or Linux computer, your iPhone, Android Privacy and Security settings
• Consumer Reports: Protect your Mac, Windows PC, Android phone, iPhone devices with encryption

• Consumer Reports: Add an ad blocker
• uBlock Origin, a highly recommended browser-based ad blocker (Firefox, Chrome)
• AdGuard Ad Blocker is multi-platform and also supports Mac/iOS

• Consumer Reports: Set Up HTTPS-Only Mode on your browser

1. They generate secure passwords with ease. You don't need to worry about getting your digits and special characters just right; the app will do it for you, and generate long, secure passwords.
2. They remember all your passwords for you, and you just need to remember one password to access all of them. The most common reason people's accounts get hacked online is because they used the same password across multiple websites, and one of the websites had all their passwords leaked. When you use a unique password on every website, it doesn't matter if your password gets leaked!
3. They autofill passwords based on the website you're visiting. This is important because it helps prevent you from getting phished. If you're tricked into visiting an evil lookalike site, your password manager will refuse to fill the password.

• Activist Checklist: Use a password manager
• Electronic Frontier Foundation: An animated overview of password managers
• Electronic Frontier Foundation: Choosing a password manager
• Consumer Reports: Get a password manager

• Activist Checklist: Enable two-factor authentication
• Electronic Frontier Foundation: How to enable two-factor authentication
• Consumer Reports: Set up multifactor authentication
• Apps: There are many different choices available. The linked guides recommend the open source app Ente. Other options include Google and Microsoft Authenticator, Duo, etc.
• Hardware tokens: Common choices include Yubikey and Google's Titan Security Key

• Consumer Reports: Remove your contact information from people-search sites
• Electronic Frontier Foundation: Manage your digital footprint
• Big Ass Data Broker Opt Out List (BADBOOL), maintained by Yael Grauer
• State-specific tools for residents of: California, Oregon

• Threat modelling, which you can get started with by reading the EFF's or VCW's guides
• Browser addons for privacy, which Consumer Reports has a tip for
• Secure DNS, which you can read more about here

$ sudo pro attach aabbcc112233aabbcc112233
Enabling default service esm-apps
Updating package lists
Ubuntu Pro: ESM Apps enabled
Enabling default service esm-infra
Updating package lists
Ubuntu Pro: ESM Infra enabled
Enabling default service livepatch
Installing canonical-livepatch snap
Canonical livepatch enabled.
Unable to determine current instance-id
This machine is now attached to 'Ubuntu Pro Desktop'

$ sudo pro status --all
SERVICE ENTITLED STATUS DESCRIPTION
anbox-cloud yes disabled Scalable Android in the cloud
cc-eal yes n/a Common Criteria EAL2 Provisioning Packages
esm-apps yes enabled Expanded Security Maintenance for Applications
esm-infra yes enabled Expanded Security Maintenance for Infrastructure
fips yes n/a NIST-certified FIPS crypto packages
fips-preview yes n/a Preview of FIPS crypto packages undergoing certification with NIST
fips-updates yes disabled FIPS compliant crypto packages with stable security updates
landscape yes enabled Management and administration tool for Ubuntu
livepatch yes disabled Canonical Livepatch service
realtime-kernel yes disabled Ubuntu kernel with PREEMPT_RT patches integrated
  generic yes disabled Generic version of the RT kernel (default)
  intel-iotg yes n/a RT kernel optimized for Intel IOTG platform
  raspi yes n/a 24.04 Real-time kernel optimised for Raspberry Pi
ros yes n/a Security Updates for the Robot Operating System
ros-updates yes n/a All Updates for the Robot Operating System
usg yes disabled Security compliance and audit tools
Enable services with: pro enable <service>
Account: Otto Kekalainen
Subscription: Ubuntu Pro Desktop
Valid until: Thu Mar 3 08:08:38 2026 PDT
Technical support level: essential

$ sudo pro security-status
2828 packages installed:
2143 packages from Ubuntu Main/Restricted repository
660 packages from Ubuntu Universe/Multiverse repository
13 packages from third parties
12 packages no longer available for download
To get more information about the packages, run
pro security-status --help
for a list of available options.
This machine is receiving security patching for Ubuntu Main/Restricted
repository until 2029.
This machine is attached to an Ubuntu Pro subscription.
Ubuntu Pro with 'esm-infra' enabled provides security updates for
Main/Restricted packages until 2034.
Ubuntu Pro with 'esm-apps' enabled provides security updates for
Universe/Multiverse packages until 2034. You have received 26 security
updates.

Experiences from using Ubuntu Pro for over a year Personally I have been using it on two laptop systems for well over a year now and everything seems to have worked well. I see apt is downloading software updates from https://esm.ubuntu.com/apps/ubuntu, but other than that there aren t any notable signs of Ubuntu Pro being in use. That is a good thing after all one is paying for assurance that everything works with minimum disruptions, so the system that enables smooth sailing should stay in the background and not make too much noise of itself.

Using Landscape to manage multiple Ubuntu laptops Landscape.canonical.com is a fleet management system that shows information like security update status and resource utilization for the computers you administer. Ubuntu Pro attached systems under one s account are not automatically visible in Landscape, but have to be enrolled in it. To enroll an Ubuntu Pro attached desktop/laptop to Landscape, first install the required package with sudo apt install landscape-client and then run sudo landscape-config --account-name <account name> to start the configuration wizard. You can find your account name in the Landscape portal. On the last wizard question Request a new registration for this computer now? [y/N] hit y to accept. If successful, the new computer will be visible on the Landscape portal page Pending computers , from where you can click to accept it. If I had a large fleet of computers, Landscape might come in useful. Also it is obvious Landscape is intended primarily for managing server systems. For example, the default alarm trigger on systems being offline, which is common for laptops and desktop computers, is an alert-worthy thing only on server systems. It is good to know that Landscape exists, but on desktop systems I would probably skip it, and only stick to the security updates offered by Ubuntu Pro without using Landscape.

Landscape is evolving The screenshots above are from the current Landscape portal which I have been using so far. Recently Canonical has also launched a new web portal, with a fresh look: This shows Canonical is actively investing in the service and it is likely going to sit at the center of their business model for years to come.

Other offerings by Canonical for individual users Canonical, the company behind the world s most popular desktop Linux distribution Ubuntu, has been offering various commercial support services for corporate customers since the company launched back in 2005, but there haven t been any offerings available to individual users since Ubuntu One, with file syncing, a music store and more, was wound down back in 2014. Canonical and the other major Linux companies, Red Hat and SUSE, have always been very enterprise-oriented, presumably because achieving economies of scale is much easier when maintaining standardized corporate environments compared to dealing with a wide range of custom configurations that individual consumer customers might have. I remember some years ago Canonical offered desktop support under the Ubuntu Advantage product name, but the minimum subscription was for 5 desktop systems, which typically isn t an option for a regular home consumer. I am glad to see Ubuntu Pro is now available and I honestly hope people using Ubuntu will opt into it. The more customers it has, the more it incentivizes Canonical to develop and maintain features that are important for desktop and home users.

Pay for Linux because you can, not because you have to Open source is a great software development model for rapid innovation and adoption, but I don t think the business models in the space are yet quite mature. Users who get long-term value should participate more in funding open source maintenance work. While some donation platforms like GitHub Sponsors, OpenCollective and the like have gained popularity in recent years, none of them seem to generate recurring revenue comparable to the scale of how popular open source software is now in 2026. I welcome more paid schemes, such as Ubuntu Pro, as I believe it is beneficial for the whole ecosystem. I also expect more service providers to enter this space and experiment with different open source business models and various forms of decentralized funding. Linux and open source are primarily free as in speech, but as a side effect license fees are hard to enforce and many use Linux without paying for it. The more people, corporations and even countries rely on it to stay sovereign in the information society, the more users should think about how they want to use Linux and who they want to pay to maintain it and other critical parts of the open source ecosystem.

• [1] https://furilabs.com/shop/flx1s/
• [2] https://droidian.org/
• [3] https://wiki.debian.org/InstallingDebianOn/PINE64/PinePhonePro
• [4] https://wiki.debian.org/MobileApps
• [5] https://www.graphhopper.com/
• [6] https://etbe.coker.com.au/2026/01/05/phone-charging-speeds/

Activity summary During the month of December, 18 contributors have been paid to work on Debian LTS (links to individual contributor reports are located below). The team released 41 DLAs fixing 252 CVEs. The team currently focuses on preparing security updates for Debian 11 bullseye , but also looks for contributing with updates for Debian 12 bookworm , Debian 13 trixie and even Debian unstable. Notable security updates:

• libsoup2.4 (DLA-4398-1), prepared by Andreas Henrikson, fixing several vulnerabilities.
• glib2.0 (DLA-4412-1), published by Emilio Pozuelo Monfort, addressing multiple issues.
• lasso (DLA-4397-1), prepared by Sylvain Beucler, addressing multiple issues, including a critical remote code execution (RCE) vulnerability (CVE-2025-47151)
• roundcube (DLA 4415-1), prepared by Guilhem Moulin, fixing a cross-site-scripting (XSS) (CVE-2025-68461) and an information disclosure (CVE-2025-68460) vulnerabilities
• mediawiki (DLA 4428-1), published by Guilhem, fixing multiple vulnerabilities could lead to information disclosure, denial of service or privilege escalation.
• While the DLA has not been published yet, Charles Henrique Melara proposed upstream fixes for seven CVEs in ffmpeg: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21275.
• python-apt (DLA 4408-1), prepared by Utkarsh Gupta, in coordination with the Debian Security Team and Julian Andres Klode, the apt s maintainer.
• libpng1.6 (DLA-4396-1), published by Tobias Frost, completing the work started the previous month.

Notable non-security updates:

• tzdata (DLA-4403-1), prepared by Emilio, including the latest changes to the leap second list and its expiry date, which was set for the end of December.

Contributions from outside the LTS Team:

• Christoph Berg, co-maintainer of PostgreSQL in Debian, prepared a postgresql-13 update, released as DLA-4420-1

The LTS Team has also contributed with updates to the latest Debian releases:

• Andreas proposed trixie and bookworm point updates for pgbouncer
• Abhijith PA prepared a bookworm point update for php-dompdf
• Thorsten Alteholz prepared an unstable update and a trixie point update for libcoap3
• Thorsten prepared or completed different updates for unstable, trixie and bookworm for packages related to cups: an unstable update of cups to fix several issues related to the latest security update, a trixie point update for libcupsfilters, and trixie and bookworm point updates for cups-filter.
• Bastien Roucari s prepared unstable, trixie and bookworm point updates for imagemagick
• Bastien completed the bookworm point update for angular.js and the bookworm point update for squid.
• Charles completed the bookworm point update for gdk-pixbuf.
• Utkarsh prepared a trixie update for wordpress, that was released as DSA-6091-1.
• Tobias prepared bookworm and trixie updates for libpng1.6, released as DSA-6076-1.
• Tobias prepared sogo updates targeting unstable, and point updates of trixie and bookworm

Individual Debian LTS contributor reports

• Abhijith PA
• Andreas Henriksson
• Andrej Shadura
• Bastien Roucari s
• Ben Hutchings
• Carlos Henrique Lima Melara
• Chris Lamb
• Daniel Leidert
• Emilio Pozuelo Monfort
• Guilhem Moulin
• Jochen Sprickerhof
• Markus Koschany
• Roberto C. S nchez
• Santiago Ruano Rinc n
• Sylvain Beucler
• Thorsten Alteholz
• Tobias Frost
• Utkarsh Gupta

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • Toshiba Corporation (for 123 months)
  • Civil Infrastructure Platform (CIP) (for 91 months)
  • VyOS Inc (for 55 months)
• Gold sponsors:
  • F. Hoffmann-La Roche AG (for 133 months)
  • CONET Deutschland GmbH (for 117 months)
  • Plat Home (for 116 months)
  • University of Oxford (for 73 months)
  • EDF SA (for 45 months)
  • Dataport A R (for 20 months)
  • CERN (for 18 months)
• Silver sponsors:
  • Domeneshop AS (for 138 months)
  • Nantes M tropole (for 132 months)
  • Akamai - Linode (for 128 months)
  • Univention GmbH (for 124 months)
  • Universit Jean Monnet de St Etienne (for 124 months)
  • Ribbon Communications, Inc. (for 118 months)
  • Exonet B.V. (for 108 months)
  • Leibniz Rechenzentrum (for 102 months)
  • Minist re de l Europe et des Affaires trang res (for 86 months)
  • Dinahosting SL (for 73 months)
  • Upsun Formerly Platform.sh (for 67 months)
  • Deveryware (for 61 months)
  • Moxa Inc. (for 61 months)
  • sipgate GmbH (for 59 months)
  • OVH US LLC (for 57 months)
  • Tilburg University (for 57 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 48 months)
  • THINline s.r.o. (for 21 months)
  • Copenhagen Airports A/S (for 15 months)
  • Conseil D partemental de l Is re
• Bronze sponsors:
  • Seznam.cz, a.s. (for 139 months)
  • Evolix (for 138 months)
  • Intevation GmbH (for 135 months)
  • Linuxhotel GmbH (for 135 months)
  • Daevel SARL (for 134 months)
  • Megaspace Internet Services GmbH (for 133 months)
  • Greenbone AG (for 132 months)
  • NUMLOG (for 132 months)
  • WinGo AG (for 131 months)
  • Entr ouvert (for 123 months)
  • Adfinis AG (for 120 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 115 months)
  • Tesorion (for 115 months)
  • Bearstech (for 106 months)
  • LiHAS (for 106 months)
  • Catalyst IT Ltd (for 101 months)
  • Demarcq SAS (for 95 months)
  • Universit Grenoble Alpes (for 81 months)
  • TouchWeb SAS (for 73 months)
  • SPiN AG (for 70 months)
  • CoreFiling (for 66 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 57 months)
  • Tem Innovations GmbH (for 52 months)
  • WordFinder.pro (for 52 months)
  • CNRS DT INSU R sif (for 50 months)
  • Soliton Systems K.K. (for 46 months)
  • Alter Way (for 43 months)
  • Institut Camille Jordan (for 33 months)
  • SOBIS Software GmbH (for 18 months)
  • Tuxera Inc. (for 9 months)
  • OPM-OP AS

This post is an unpublished review for The Innovation Engine Government-funded Academic Research

• RISC (Reduced Instruction Set Computing): Microprocessor architecture that reduces the complexity and power consumption of CPUs, yielding much smaller and more efficient processors.
• RAID (Redundant Array of Inexpensive Disks): Patterson experimented with a way to present a series of independent hard drive units as if they were a single, larger one, leading to increases in capacity and reliability beyond what the industry could provide in single drives, for a fraction of the price.
• NOW (Network Of Workstations): Introduced what we now know as computer clusters (in contrast of large-scale massively multiprocessed cache-coherent systems known as supercomputers ), which nowadays power over 80% of the Top500 supercomputer list and are the computer platform of choice of practically all data centers.
• RAD Lab (Reliable Adaptive Distributed Systems Lab): Pursued the technology for data centers to be self-healing and self-managing, testing and pushing early cloud-scalability limits
• ParLab (Parallel Computing Lab): Given the development of massively parallel processing inside even simple microprocessors, this lab explores how to improve designs of parallel software and hardware, presenting the ground works that proved that inherently parallel GPUs were better than CPUs at machine learning tasks. It also developed the RISC-V open instruction set architecture.

Secrets Manager for Homelab For a few years, I ve been managing the configuration of a bunch of self-hosted services using Ansible Playbooks. Each playbook needed at least one secret the sudo password. Many of them needed to manage more (e.g. SMTP credentials for email notifications). Because I ve always been paranoid about security, I stored most of those secrets in Ansible Vault, the password for which is stored in only one location my memory. Therefore, each time I ran any of those playbooks, I d have to enter two passwords interactively: the sudo password and the Ansible Vault password.

What is FOSS anyway? To my friends and family: Free and Open Source Software (FOSS) refers to software that anyone can freely use, modify, and share. Think of it as a community garden, instead of one company owning the food, people from all over the world contribute, improve, and maintain it so everyone can benefit from it for free.

To the Aspiring Contributors Contributing to an open source project isn t just about writing code. It could involve going over a ton of documentation and understanding a specific coding style. You have to set up your environment and learn to treat documentation as a source of truth, even if it s something you help modify and improve later. Where I come from, this world is fairly unknown, and it seemed quite scary at first. However, I ve learned that asking questions and communicating are your best tools. Don t be afraid to do your part by investigating and reading, but remember that the community is there to help you grow.

Why Quality Matters For the past few weeks, I ve seen the importance of checking software quality before a release. Imagine you download a new desktop environment, try to open the calculator or the clock, and it crashes or refuses to start. How annoying is that? Or worse, you download software and can t even install it successfully. My work on creating tests for Debian using openQA is aimed at preventing these experiences. We simulate real user actions to make sure that when someone clicks Open, the application actually works.

Closing Thoughts In general, FOSS has empowered people to access and build technology freely. Whether you are here to use the software or you have the expertise to modify and explore it, there is a place for you in this community. I m writing this for you, whichever audience you belong to, to show that complex systems become less intimidating when you begin by asking questions.

• aiosmtplib
• astroid (fixing a build failure with Python 3.14, as I wrote about recently in Preparing a transition in Debusine)
• billiard (fixing a syntax warning with Python 3.14)
• celery (contributed follow-up fix upstream)
• cloudpickle (fixing a build failure with Python 3.14)
• csvkit
• deepdiff (fixing a build failure with Python 3.14)
• django-auditlog
• django-phonenumber-field
• flake8-builtins
• flufl.lock
• kombu
• peewee
• psycopg2
• pydantic-extra-types
• pygments (prepared transition in Debusine with diff-cover, pydata-sphinx-theme, pymdown-extensions, python-readme-renderer, and python-stack-data; contributed python-stack-data fix upstream)
• pylint (fixing a build failure with Python 3.14)
• pymdown-extensions
• python-aiojobs (fixing a build failure)
• python-aiostream
• python-asttokens (fixing a build failure with astroid 4)
• python-auditwheel
• python-blockbuster
• python-boolean.py
• python-confluent-kafka
• python-django-crispy-forms
• python-django-pgbulk
• python-django-pgtransaction
• python-django-pgtrigger (fixing a build failure with mkdocstrings-python-handlers >= 2)
• python-evalidate
• python-exchangelib (fixing a build failure with Python 3.14)
• python-holidays
• python-lsp-server
• python-lz4
• python-mashumaro (fixing many build failures in other packages with Python 3.14)
• python-moto
• python-persistent
• python-pytest-run-parallel
• python-roman
• python-rx (fixing a build failure with Python 3.14)
• python-telethon
• python-uvicorn (fixing a test failure with current uvloop)
• python-wheezy.template
• python-wslink
• rpds-py
• sphinx-autoapi
• sqlparse
• zope.testing (fixing a build failure with Python 3.14)

• actdiag s autopkgtests failed when there are multiple supported Python versions
• khard: FTBFS: dh_auto_test: error: pybuild test -i python version -p 3.14 3.13 returned exit code 13 (contributed upstream)
• pydantic-settings: FTBFS: example.py: error: unrecognized arguments: bad-arg (forwarded upstream and cherry-picked their fix)
• pydantic: FTBFS: dh_auto_test: error: pybuild test test-pytest -i python version -p 3.14 3.13 returned exit code 13
• pygame: FTBFS with Python 3.14: sys.getrefcount() AssertionError
• python-auditwheel: FTBFS: dh_auto_test: error: pybuild test test-pytest -i python version -p 3.14 3.13 returned exit code 13 (contributed upstream)
• python-charset-normalizer could silently build without support for some supported Python versions
• python-confluent-kafka: FTBFS with Python 3.14: Segmentation fault in test_create_topics_api (forwarded upstream and fixed after a debugging hint from them)
• python-django: FTBFS with Python 3.14 (also fixing many build failures in other packages)
• python-memray: FTBFS with Python 3.14: Segmentation fault (some initial debugging; upstream has since got a lot further)
• python-telethon: FTBFS: dh_auto_test: error: pybuild test test-pytest -i python version -p 3.14 3.13 returned exit code 13 (contributed upstream)
• python-typing-extensions: FTBFS: dh_auto_test: error: pybuild test -i python version -p 3.14 3.13 returned exit code 13
• python-wheezy.template: FTBFS with Python 3.14 (contributed upstream, although they opted for doing it a bit differently)
• storm (made an upstream release with Python 3.14 support)
• twisted: Autopkgtests fail with Python 3.14: builtins.RuntimeError: There is no current event loop in thread MainThread (forwarded upstream and cherry-picked their fix)
• zope.proxy and zope.security had a bootstrapping loop when adding new supported Python versions; I broke this loop so it shouldn t bother us again in the future.

• celery (contributed upstream)
• pytest-pylint (contributed upstream)
• python-expandvars (contributed upstream)
• python-inline-snapshot

• dpath-python
• flask-bcrypt: FTBFS: E ValueError: password cannot be longer than 72 bytes, truncate manually if necessary (e.g. my_password[:72])
• python-aiosmtpd
• python-aiostream
• python-auditwheel on i386 (contributed upstream)
• python-auditwheel on riscv64 (contributed upstream)
• python-bcrypt: Accept pyo3 0.27
• python-django-crum
• python-django-guid
• python-inline-snapshot
• python-laspy
• python-mnemonic
• python-ncls on 32-bit architectures (contributed upstream)
• python-papermill
• python-phonenumbers
• python-pluggy
• python-pycddl: Accept pyo3 0.27
• python-sphinx-autodoc2 (contributed upstream)
• python-structlog
• python-wikkid: FTBFS: AttributeError: TestBaseParent object has no attribute assertEquals (contributed follow-up fix upstream)
• python-wslink

• python-bcrypt: ValueError: password cannot be longer than 72 bytes, truncate manually if necessary
• python-notify2: Directly Build-Depends on dbus
• python-packaging: Mark python3-packaging Multi-Arch: foreign
• python-pyproject-parser: python3-pyproject-parser needs a dependency on python3-consolekit
• sphinx: Please backport upstream s fix on roman-numerals

• db1-compat: Please remove/replace usage of dh_movetousr
• debmirror: Refresh mirror_size documentation
• groff: FTBFS randomly
• openssh: Misleading verbose output for local-to-local or standard remote-to-remote copies (upstreamed an improved version of a patch we ve been carrying since 2008)
• pcmciautils: Please remove/replace usage of dh_movetousr

• openssh: Fix binary name in ssh-askpass-gnome.desktop (still in discussion)
• python-lsp-server: Increase tests timeout further
• rope: New upstream version 1.14.0 (merged and uploaded)
• trn4: Update/add Catalan po-debconf translation (merged)

Conferences My first conference of the year was FOSDEM. I d submitted a talk proposal about system attestation in production environments for the attestation devroom, but they had a lot of good submissions and mine was a bit more this is how we do it rather than here s some neat Free Software that does it . I m still trying to work out how to make some of the bits we do more open, but the problem is a lot of the neat stuff is about taking internal knowledge about what should be running and making sure that s the case, and what you end up with if you abstract that is a toolkit that still needs a lot of work to get something useful. I d more luck at DebConf25 where I gave a talk (Don t fear the TPM) trying to explain how TPMs could be useful in a Debian context. Naturally the comments section descended into a discussion about UEFI Secure Boot, which is a separate, if related, thing. DebConf also featured the usual catch up with fellow team members, hanging out with folk I hadn t seen in ages, and generally feeling a bit more invigorated about Debian. Other conferences I considered, but couldn t justify, were All Systems Go! and the Linux Plumbers Conference. I ve no doubt both would have had a bunch of interesting and relevant talks + discussions, but not enough this year. I m going to have to miss FOSDEM this year, due to travel later in the month, and I m uncertain if I m going to make DebConf (for a variety of reasons). That means I don t have a Free Software conference planned for 2026. Ironically FOSSY moving away from Portland makes it a less appealing option (I have Portland friends it would be good to visit). Other than potential Debian MiniConfs, anything else European I should consider?

Debian I continue to try and keep RetroArch in shape, with 1.22.2+dfsg-1 (and, shortly after, 1.22.2+dfsg-2 - git-buildpackage in trixie seems more strict about Build-Depends existing in the outside environment, and I keep forgetting I need Build-Depends-Arch and Build-Depends-Indep to be pretty much the same with a minimal Build-Depends that just has enough for the clean target) getting uploaded in December, and 1.20.0+dfsg-1, 1.20+dfsg-2 + 1.20+dfsg-3 all being uploaded earlier in the year. retroarch-assets had 1.20.0+dfsg-1 uploaded back in April. I need to find some time to get 1.22.0 packaged. libretro-snes9x got updated to 1.63+dfsg-1. sdcc saw 4.5.0+dfsg-1, 4.5.0+dfsg-2, 4.5.0+dfsg-3 (I love major GCC upgrades) and 4.5.0-dfsg-4 uploads. There s an outstanding bug around a LaTeX error building the manual, but this turns out to be a bug in the 2.5 RC for LyX. Huge credit to Tobias Quathamer for engaging with this, and Pavel Sanda + J rgen Spitzm ller from the LyX upstream for figuring out the issue + a fix. Pulseview saw 0.4.2-4 uploaded to fix issues with the GCC 15 + CMake upgrades. I should probably chase the sigrok upstream about new releases; I think there are a bunch of devices that have gained support in git without seeing a tagged release yet. I did an Electronics Team upload for gputils 1.5.2-2 to fix compilation with GCC 15. While I don t do a lot with storage devices these days if I can help it I still pay a little bit of attention to sg3-utils. That resulted in 1.48-2 and 1.48-3 uploads in 2025. libcli got a 1.10.7-3 upload to deal with the libcrypt-dev split out. Finally I got more up-to-date versions of libtorrent (0.15.7-1) and rtorrent (also 0.15.7-1) uploaded to experimental. There s a ppc64el build failure in libtorrent, but having asked on debian-powerpc this looks like a flaky test/code and I should probably go ahead and upload to unstable. I sponsored some uploads for Michel Lind - the initial uploads of plymouth-theme-hot-dog, and the separated out pykdumpfile package. Recognising the fact I wasn t contributing in a useful fashion to the Data Protection Team I set about trying to resign in an orderly fashion - see Andreas call for volunteers that went out in the last week. Shout out to Enrico for pointing out in the past that we should gracefully step down from things we re not actually managing to do, to avoid the perception it s all fine and no one else needs to step up. Took me too long to act on it. The Debian keyring team continues to operate smoothly, maintaining our monthly release cadence with a 3 month rotation ensuring all team members stay familiar with the process, and ensure their setups are still operational (especially important after Debian releases). I handled the 2025.03.23, 2025.06.24, 2025.06.27, 2025.09.18, 2025.12.08 + 2025.12.26 pushes.

Linux TPM related fixes were the theme of my kernel contributions in 2025, all within a work context. Some were just cleanups, but several fixed real issues that were causing us issues. I ve also tried to be more proactive about reviewing diffs in the TPM subsystem; it feels like a useful way to contribute, as well as making me more actively pay attention to what s going on there.

Personal projects I did some work on onak, my OpenPGP keyserver. That resulted in a 0.6.4 release, mainly driven by fixes for building with more recent CMake + GCC versions in Debian. I ve got a set of changes that should add RFC9580 (v6) support, but there s not a lot of test keys out there at present for making sure I m handling things properly. Equally there s a plan to remove Berkeley DB from Debian, which I m completely down with, but that means I need a new primary backend. I ve got a draft of LMDB support to replace that, but I need to go back and confirm I ve got all the important bits implemented before publishing it and committing to a DB layout. I d also like to add sqlite support as an option, but that needs some thought about trying to take proper advantage of its features, rather than just treating it as a key-value store. (I know everyone likes to hate on OpenPGP these days, but I continue to be interested by the whole web-of-trust piece of it, which nothing else I m aware of offers.) That about wraps up 2025. Nothing particularly earth shaking in there, more a case of continuing to tread water on the various things I m involved. I highly doubt 2026 will be much different, but I think that s ok. I scratch my own itches, and if that helps out other folk too then that s lovely, but not the primary goal.