I ran my little analysis program written last year to provide a nice map on the DebConf17 key signing party, based on the . What will you find if you go there?

• A list of all the people that will take part of the KSP
• Your key's situation relative to the KSP keyring

As an example, here is my location on the map (click on the graph to enlarge): Its main use? It will help you find what clusters are you better linked with - And who you have not cross-signed with. Some people have signed you but you didn't sign them? Or the other way around? Whom should you approach to make the keyring better connected? Can you spot some attendees who are islands and can get some help getting better connected to our keyring? Please go ahead and do it! PS There are four keys that are mentioned in the DebConf17 Keysigning Party Names file I used to build this from: 0xE8446B4AC8C77261, 0x485E1BD3AE76CB72, 0x4618E4C700000173, E267B052364F028D. The public keyserver network does not know about them. If you control one of those keys and you want me to run my script again to include it, please send it to the keyservers and mail me. If your key is not in the keyservers, nobody will be able to sign it!

There are about 15 Netfilter packages in Debian, and they are maintained by separate people. Yersterday, I contacted the maintainers of the main packages to propose the creation of a pkg-netfilter team to maintain all the packages together. The benefits of maintaining packages in a team is already known to all, and I would expect to rise the overall quality of the packages due to this movement. By now, the involved packages and maintainers are:

• maintained or co-maintained by Laurence J. Lane:
  • iptables
  • nfacct
  • libnetfilter-acct
• maintained by Chris Boot:
  • ulogd2
• maintained or co-maintained by Alexander Wirt:
  • conntrack-tools
  • libnetfilter-conntrack
  • libnetfilter-cthelper
  • libnetfilter-cttimeout
  • libnetfilter-log
  • libnetfilter-queue
  • libnfnetlink
• maintained or co-maintained by Neutron Soutmun:
  • ipset
  • libmnl
• maintained or co-maintained by Anibal Monsalve Salazar:
  • libmnl
• maintained or co-maintained by myself:
  • iptables
  • nftables
  • libnftnl
  • conntrack-tools
  • libnetfilter-conntrack

We should probably ping Jochen Friedrich as well who maintains arptables and ebtables. Also, there are some other non-official Netfilter packages, like iptables-persistent. I m undecided to what to do with them, as my primary impulse is to only put in the team upstream packages. Given the release of Stretch is just some months ahead, the creation of this packaging team will happen after the release, so we don t have any hurry moving things now.

Debian is quite probably the project that most uses a OpenPGP implementation (that is, GnuPG, or gpg) for many of its internal operations, and that places most trust in it. PGP is also very widely used, of course, in many other projects and between individuals. It is regarded as a secure way to do all sorts of crypto (mainly, encrypting/decrypting private stuff, signing public stuff, certifying other people's identities). PGP's lineage traces back to Phil Zimmerman's program, first published in 1991 By far, not a newcomer PGP is secure, as it was 25 years ago. However, some uses of it might not be so. We went through several migrations related to algorithmic weaknesses (i.e. v3 keys using MD5; SHA1 is strongly discouraged, although not yet completely broken, and it should be avoided as well) or to computational complexity (as the migration away from keys smaller than 2048 bits, strongly prefering 4096 bits). But some vulnerabilities are human usage (that is, configuration-) related. Today, Enrico Zini gave us a heads-up in the #debian-keyring IRC channel, and started a thread in the debian-private mailing list; I understand the mail to a private list was partly meant to get our collective attention, and to allow for potentially security-relevant information to be shared. I won't go into details about what is, is not, should be or should not be private, but I'll post here only what's public information already. What are short and long key IDs? I'll start by quoting Enrico's mail:

there are currently at least 3 ways to refer to a gpg key: short key ID (last 8 hex digits of fingerprint), long key ID (last 16 hex digits) and full fingerprint. The short key ID used to be popular, and since 5 years it is known that it is computationally easy to generate a gnupg key with an arbitrary short key id. A mitigation to this is using "keyid-format long" in gpg.conf, and a better thing to do, especially in scripts, is to use the full fingerprint to refer to a key, or just ship the public key for verification and skip the key servers. Note that in case of keyid collision, gpg will download and import all the matching keys, and will use all the matching keys for verifying signatures.

So... What is this about? We humans are quite bad at recognizing and remembering randomly-generated strings with no inherent patterns in them. Every GPG key can be uniquely identified by its fingerprint, a 128-bit string, usually encoded as ten blocks of four hexadecimal characters (this allows for 160 bits; I guess there's space for a checksum in it). That is, my (full) key's signature is:

AB41 C1C6 8AFD 668C A045  EBF8 673A 03E4 C1DB 921F

However, it's quite hard to recognize such a long string, let alone memorize it! So, we often do what humans do: Given that strong cryptography implies a homogenous probability distribution, people compromised on using just a portion of the key the last portion. The short key ID. Mine is then the last two blocks (shown in boldface): C1DB921F. We can also use what's known as the long key ID, that's twice as long: 64 bits. However, while I can speak my short key ID on a single breath (and maybe even expect you to remember and note it down), try doing so with the long one (shown in italics above): 673A03E4C1DB921F. Nah. Too much for our little, analog brains. This short and almost-rememberable number has then 32 bits of entropy I have less than one in 4,000,000,000 chance of generating a new key with this same short key ID. Besides, key generation is a CPU-intensive operation, so it's quite unlikely we will have a collision, right? Well, wrong. Previous successful attacks on short key IDs Already five years ago, Asheesh Laroia migrated his 1024D key to a 4096R. And, as he describes in his always-entertaining fashion, he made his computer sweat until he was able to create a new key for which the short key ID collided with the old one. It might not seem like a big deal, as he did this non-maliciously, but this easily should have spelt game over for the usage of short key IDs. After all, being able to generate a collision is usually the end for cryptographic systems. Asheesh specifically mentioned in his posting how this could be abused. But we didn't listen. Short key IDs are just too convenient! Besides, they allow us to have fun, can be a means of expression! I know of at least two keys that would qualify as vanity: Obey Arthur Liu's 0x29C0FFEE (created in 2009) and Keith Packard's 0x00000011 (created in 2012). Then we got the Evil 32 project. They developed Scallion, started (AFAICT) in 2012. Scallion automates the search for a 32-bit collision using GPUs; they claim that it takes only four seconds to find a collision. So, they went through the strong set of the public PGP Web of Trust, and created a (32-bit-)colliding key for each of the existing keys. And what happened now? What happened today? We still don't really know, but it seems we found a first potentially malicious collision that is, the first "nonacademic" case. Enrico found two keys sharing the 9F6C6333 short ID, apparently belonging to the same person (as would be the case of Asheesh, mentioned above). After contacting Gustavo, though, he does not know about the second That is, it can be clearly regarded as an impersonation attempt. Besides, what gave away this attempt are the signatures it has: Both keys are signed by what appears to be the same three keys: B29B232A, F2C850CA and 789038F2. Those three keys are not (yet?) uploaded to the keyservers, though... But we can expect them to appear at any point in the future. We don't know who is behind this, or what his purpose is. We just know this looks very evil. Now, don't panic: Gustavo's key is safe. Same for his certifiers, Marga, Agust n and Maxy. It's just a 32-bit collision. So, in principle, the only parties that could be cheated to trust the attacker are humans, right? Nope. Enrico tested on the PGP pathfinder & key statistics service, a keyserver that finds trust paths between any two arbitrary keys in the strong set. Surprise: The pathfinder works on the short key IDs, even when supplied full fingerprints. So, it turns out I have three faked trust paths into our impostor. What next? There are several things this should urge us to do.

• First of all, configure your local GPG to never show you short IDs. This is done by adding the line keyid-format 0xlong to ~/.gnupg/gpg.conf.
  • I just checked both in /usr/share/gnupg/options.skel and /usr/share/gnupg2/gpg-conf.skel, and that setting is not yet part of the packages' defaults. I'll check a bit deeper and file bugs right away if needed!
• Have you written or maintained any program that deals with GPG keys in any way? Make sure it specifies --keyid-format long or 0xlong in any relevant call. It might even be better to use the machine-oriented representation instead: --with-colons.
  • ...Of course, your computer will not feel tired or confused at comparing 160-bit full fingerprints instead of 64-bit long IDs, so it's better if our scripts use the full version for everything.
• Only sign somebody else's key if you see and verify its full fingerprint (this is not a new issue, but given we are talking about it, and that DebConf is around the corner, and that we will have a KSP as usual...)

And there are surely many other important recommendations. But this is a good set of points to start with. [update] I was pointed at Daniel Kahn Gillmor's 2013 blog post, OpenPGP Key IDs are not useful. Daniel argues, in short, that cutting a fingerprint in order to get a (32- or 64-bit) short key ID is the worst of all worlds, and we should rather target either always showing full fingerprints, or not showing it at all (and leaving all the crypto-checking bits to be done by the software, as comparing 160-bit strings is not natural for us humans). [update] This post was picked up by LWN.net. A very interesting discussion continues in their comments.

This week I've entered the Debian NM process to move from Debian Maintainer (DM) to Debian Developer (DD).

But, what have I been doing for Debian lastly?

I've been DM for the last year, after a couple of years maintaining packages with sponsors.

Since 2015 until this time of the 2016 year, I've done roughly 33 package uploads, opened 67 bugs and contributed to many others. I maintain and co-maintain now 9 packages, most of them Netfilter-related.

This is a graph of bugs assigned to my packages in the last natural year:


I was supported to start the process by Anibal Monsalve, and Vincent Cheng intermediately become by advocate.

The duration of the NM process can vary depending on a number of factors, from a couple of months to a couple of years.

BTW, I got my opened bug statistics with this small script: deb_bugs_years.sh

What happened in the reproducible builds effort between February 14th and February 20th 2016:

Toolchain fixes Yaroslav Halchenko uploaded cython/0.23.4+git4-g7eed8d8-1 which makes its output deterministic. Original patch by Chris Lamb. Didier Raboud uploaded pyppd/1.0.2-3 to experimental which now serialize PPD deterministically. Lunar submitted two patches for lcms to add a way for clients to set the creation date/time in profile headers and initialize all bytes when writing named colors.

Packages fixed The following packages have become reproducible due to changes in their build dependencies: dbconfig-common, dctrl-tools, dvdwizard, ekg2, expeyes, galternatives, gpodder, icewm, latex-mk, libiio, lives, navit, po4a, tasksel, tilda, vdr-plugin-infosatepg, xaos. The following packages became reproducible after getting fixed:

• calendarserver/7.0+dfsg-1 uploaded by Rahul Amaram, issue fixed upstream, obsolete patch by Esa Peuha.
• charybdis/3.5.0-1 uploaded by Antoine Beaupr , fixed upstream.
• cpio/2.11+dfsg-5 uploaded by Anibal Monsalve Salazar, patch by Lunar.
• fdroidserver/0.6.0-1 uploaded by Hans-Christoph Steiner, original patch by Reiner Herrmann.
• filter/2.6.3+ds1-2 by Axel Beckert.
• foxyproxy/4.5.5-debian-1 uploaded by David Pr vot, patch by Dhole.
• fpga-icestorm/0~20151006git103e6fd-3 by Ruben Undheim.
• gutenprint/5.2.11~pre1-1 uploaded by Didier Raboud, fixed upstream.
• juce/4.1.0+repack-2 by IOhannes m zm lnig.
• libjxp-java/1.6.1-6 by Emmanuel Bourg.
• libpgm/5.2.122~dfsg-2 uploaded by Laszlo Boszormenyi, patch by Lunar.
• modello/1.8.3-2 by Emmanuel Bourg.
• python-hypothesis/3.0.2-1 by Tristan Seligmann, fixed upstream.
• tcsh/6.18.01-4 uploaded by Thomas Lange, original patch by Reiner Herrmann.

Some uploads fixed some reproducibility issues, but not all of them:

• astroquery/0.3.1+dfsg-1 uploaded by Vincent Prat, original patch by Juan Picca.
• vtk-dicom/0.7.4-1 by Gert Wollny.

Unknown status:

• tomcat7/7.0.68-1 by Emmanuel Bourg (test suite fails in test environment).

Patches submitted which have not made their way to the archive yet:

• #814840 on tor by Petter Reinholdtsen: use the UTC timezone when calling asciidoc.
• #815082 on arachne-pnr by Dhole: use the C locale to format the changelog date.
• #815192 on manpages-de by Reiner Herrmann: tell grep to always treat the input as text so that it works with non-UTF-8 locales.
• #815193 on razorqt by Reiner Herrmann: tell grep to always treat the input as text so that it works with non-UTF-8 locales.
• #815250 on jacal by Reiner Herrmann: use the C locale to format the build date.
• #815252 on colord by Lunar: remove extra timestamps when generating CMF and spectra and implement support for SOURCE_DATE_EPOCH.

reproducible.debian.net Two new package sets have been added: freedombox and freedombox_build-depends. (h01ger)

diffoscope development diffoscope version 49 was released on February 17th. It continues to improve handling of debug symbols for ELF files. Their content will now be compared separately to make them more readable. The search for matching debug packages is more efficient by looking only for .deb files in the same parent directory. Alongside more bug fixes, support for ICC profiles has been added, and libarchive is now also used to read metadata for ar archives.

strip-nondeterminism development Reiner Herrmann added support to normalize Gettext .mo files.

Package reviews 170 reviews have been removed, 172 added and 54 updated in the previous week. 34 new FTBFS bugs have been opened by Chris Lamb, h01ger and Reiner Herrmann. New issues added this week: lxqt_translate_desktop_binary_file_matched_under_certain_locales, timestamps_in_manpages_generated_by_autogen. Improvements to the prebuilder script: avoid ccache, skip disorderfs hook if device nodes cannot be created, compatibility with grsec trusted path execution (Reiner Herrmann), code cleanup (Esa Peuha).

Misc. Steven Chamberlain highlighted reproducibility problems due to differences in how Linux and FreeBSD handle permissions for symlinks. Some possible ways forward have been discussed on the reproducible-builds mailing list. Bernhard M. Wiedemann reported on some reproducibility tests made on OpenSuse mentioning the growing support for SOURCE_DATE_EPOCH. If you are eligible for Outreachy or Google Summer of Code, consider spending the summer working on reproducible builds!

What happened in the reproducible builds effort between January 10th and January 16th:

Toolchain fixes Benjamin Drung uploaded mozilla-devscripts/0.43 which sorts the file list in preferences files. Original patch by Reiner Herrmann. Lunar submitted an updated patch series to make timestamps in packages created by dpkg deterministic. To ensure that the mtimes in data.tar are reproducible, with the patches, dpkg-deb uses the --clamp-mtime option added in tar/1.28-1 when available. An updated package has been uploaded to the experimental repository. This removed the need for a modified debhelper as all required changes for reproducibility have been merged or are now covered by dpkg.

Packages fixed The following packages have become reproducible due to changes in their build dependencies: angband-doc, bible-kjv, cgoban, gnugo, pachi, wmpuzzle, wmweather, wmwork, xfaces, xnecview, xscavenger, xtrlock, virt-top. The following packages became reproducible after getting fixed:

• dist/1:3.5-36.0001-1 uploaded by Manoj Srivastava, original patch by Reiner Herrmann.
• grib-api/1.14.4-4 by Alastair McKinstry.
• gui-apt-key/0.4-2.1 by Axel Beckert, original patch by Chris Lamb.
• kiki-the-nano-bot/1.0.2+dfsg1-6 by Peter De Wachter, original patch by Chris Lamb.
• ldapvi/1.7-10 by Rhonda D'Vine, original patches (#777490, #793702) by Chris Lamb and akira.
• libf2c2/20090411-3 by Barak A. Pearlmutter.
• liquidsoap/1.1.1-7.1 by Mattia Rizzolo.
• marsshooter/0.7.6-1 uploaded by Markus Koschany, fixed upstream.
• offlineimap/6.6.1+dfsg1-2 by Ilias Tsitsimpis.
• pgbouncer/1.7-1 by Christoph Berg.
• python-requests-toolbelt/0.5.1-4 by Petter Reinholdtsen.
• shorewall-core/5.0.3.1-1 uploaded by Roberto C. Sanchez, fixed upstream, obsolete patch by Chris Lamb.
• slrnface/2.1.1-7 by Rhonda D'Vine, original patches (#777425, #793722) by Chris Lamb and akira.
• tetradraw/2.0.3-9 by Rhonda D'Vine, original patches (#777426, #793727) by Chris Lamb and akira.
• xblast-tnt-images/20050106-3 by Rhonda D'Vine, original patch by Chris Lamb.
• xblast-tnt/2.10.4-4 by Rhonda D'Vine, original patch by Chris Lamb.
• xtrkcad/1:4.2.2-1 uploaded by Daniel E. Markle, fixed upstream, obsolete patch by Chris Lamb.

Some uploads fixed some reproducibility issues, but not all of them:

• apt/1.2 uploaded by Julian Andres Klode, original patch by Mattia Rizzolo.
• ecere-sdk/0.44.14-1 by Jerome St-Louis.
• epubcheck/4.0.1-2 by Eugene Zhukov.
• hplip/3.15.11+repack0-1 by Didier Raboud.
• irsim/9.7.93-1 uploaded by Roland Stigge, original patch by Chris Lamb.
• julia/0.4.3-1 uploaded by Peter Colberg, fix by Graham Inggs.
• magics++/2.26.2-1 by Alastair McKinstry.
• mailagent/1:3.1-81-1 by Manoj Srivastava.
• nasm/2.11.08-1 uploaded by Anibal Monsalve Salazar, original patch by Valentin Lorentz.
• ns3/3.22+dfsg-2 uploaded by Martin Quinson, original patch by Juan Picca.
• shotwell/0.22.0-3 by J rg Frings-F rst.

Untested changes:

• firmware-nonfree/20160110-1 by Ben Hutchings (non-free).
• nvidia-graphics-drivers-legacy-304xx/304.131-3 by Andreas Beckmann (non-free).
• nvidia-graphics-drivers-legacy-340xx/340.96-2 by Andreas Beckmann (non-free).
• nvidia-graphics-drivers/340.96-4 by Andreas Beckmann (non-free).

reproducible.debian.net Once again, Vagrant Cascadian is providing another armhf build system, allowing to run 6 more armhf builder jobs, right there. (h01ger) Stop requiring a modified debhelper and adapt to the latest dpkg experimental version by providing a predetermined identifier for the .buildinfo filename. (Mattia Rizzolo, h01ger) New X.509 certificates were set up for jenkins.debian.net and reproducible.debian.net using Let's Encrypt!. Thanks to GlobalSign for providing certificates for the last year free of charge. (h01ger)

Package reviews 131 reviews have been removed, 85 added and 32 updated in the previous week. FTBFS issues filled: 29. Thanks to Chris Lamb, Mattia Rizzolo, and Niko Tyni. New issue identified: timestamps_in_manpages_added_by_golang_cobra.

Misc. Most of the minutes from the meetings held in Athens in December 2015 are now available to the public.

Good news. Many things happened since my last report (8 months ago), some of them very interesting :-)

debian maintainer

Back in April 2015 I applied to become Debian Maintainer (DM). I was supported by several Debian Developers (DD), including Ana Guerrero, Anibal Monsalve, Michael Prokop and Vicent Cheng. They are people I have been somehow involved with in the last times (developing, in-person meetings, other talks...).

After a month or two, my PGP key was added to the debian keyring.

And what means this? If a DD gives me the corresponding authorization, I can now upload packages directly to the archive without the need for a sponsor.

I have been maintaining packages as a standard contributor since early 2014. From 2014 to 2015 I've learned many many things about Debian. That knowledge was key to become DM.

Google Summer of Code 2015

This is my 3 year in GSoC. In 2013 and 2014 I was involved with the Netfilter Project, but this time I'm contributing to the Debian project.
In concrete, my project is "Improve the Debian port mipsel".

Most of the software is developed to run in common CPU architectures like amd64 and i386. However, Debian can run in a large variety of arches (not so many operating systems have this power). Developers tend to consider these arches 'exotic' and don't pay much attention to them.
The mips/mipsel architecture is somewhat similar to arm: its mainly intended for small devices.

My tasks consist mainly into fixing bugs and FTBFS errors in the mipsel architecture.

Roughly speaking, this can be done in two ways: emulating the mipsel arch using qemu, or using a physical mipsel machine. The qemu way is very very slow. Fortunately, as part of my GSoC involvement, I was given a ci20 mipsel board by Imagination Technologies. I have been using this board for all my GSoC work.

Detailing my work during this GSoC deserves his own blog post. However, the Debian workflow for GSoC'15 requires a weekly report, and here are mine:

1. week 1
2. week 2
3. week 3
4. week 4
5. week 5
6. week 6
7. week 7
8. week 8
9. week 9
10. week 10
11. week 11
12. week 12

other debian sutff

Regarding packaging, it worth mention my latest new package: liquidprompt. For people who get their hands dirty with the CLI, I recommend it :-)
I made lot of updates to the other packages as well.

The nftables package is now in jessie-backports. Debian includes now Linux v4 in jessie-backports as well, which mean you can start playing with a full-featured nftables right now :-)
I'm looking forward to package the following version of upstream nftables, which is to include new exciting changes.

best regards!

What happened in the reproducible builds effort this week: Toolchain fixes

• St phane Glondu uploaded dh-ocaml/1.0.10 which now generates *.info with a deterministic order. Original patch by Chris Lamb. St phane also uploaded ocaml/4.02.3-1 to experimental which enables ocamldoc to build reproducible manpages using a patch by Valentin Lorentz.
• Paul Gevers uploaded pasdoc/0.14.0-1 with upstream changes which should make the generated documentation reproducible by default.
• Osamu Aoki uploaded debiandoc-sgml/1.2.31-1 adding spport for a DEBIANDOC_DATE environment variable to override the content of the <date> tag.
• Dmitry Shachnev uploaded sphinx/1.3.1-4 which fixes many reproducibility issues and add support for SOURCE_DATE_EPOCH.

Valentin Lorentz sent a patch for ispell to initialize memory structures before dumping their content. In our experimental repository, qt4-x11 has been rebased on the latest version (Dhole), as was doxygen (akira). Packages fixed The following packages became reproducible due to changes in their build dependencies: backup-manager, cheese, coinor-csdp, coinor-dylp, ebook-speaker, freefem, indent, libjbcrypt-java, qtquick1-opensource-src, ruby-coffee-script, ruby-distribution, schroot, twittering-mode. The following packages became reproducible after getting fixed:

• abook/0.6.0~pre2-5 by Denis Briand.
• ada-reference-manual/1:2012.2-6 by Nicolas Boulenguez.
• aegisub/3.2.2+dfsg-1 uploaded by Sebastian Reichel, original patch by Juan Picca.
• casablanca/2.5.0-1 uploaded by Gianfranco Costamagna, fix by Mattia Rizzolo.
• dpatch/2.0.37 by Gergely Nagy.
• ganeti/2.14.1-1~exp1 by Apollon Oikonomopoulos.
• gperf/3.0.4-2 by Hilko Bengen, report by akira.
• htdig/1:3.2.0b6-14 uploaded by Ralf Treinen, original patch by Chris Lamb.
• icedove/38.1.0-1 uploaded by Christoph Goehre, report by Lunar.
• kamailio/4.3.1-2 by Victor Seva.
• leveldb/1.18-3 uploaded by Laszlo Boszormenyi, original patch by Reiner Herrmann.
• librostlab-blast/1.0.1-5 uploaded by Andreas Tille, original patch by Chris Lamb.
• linux-tools/4.1.4-1 by Ben Hutchings.
• nitpic/0.1-16 uploaded by Ralf Treinen, patches by Chris Lamb (#777492) and akira (#793708).
• openscad/2015.03-1+dfsg-1 uploaded by Christian M. Ams ss, fixed upstream.
• pciutils/1:3.3.1-1 uploaded by Anibal Monsalve Salazar, origial patch by Reiner Herrmann.
• pyepr/0.9.3-1 uploaded by Antonio Valentino, original patch by Juan Picca.
• pytables/3.2.1-1 by Antonio Valentino.
• python-xlib/0.14+20091101-3 by Andrew Shadura, report by akira.
• rrdtool/1.5.4-3 by Jean-Michel Vourg re.
• sgmltools-lite/3.0.3.0.cvs.20010909-18 uploaded by Ralf Treinen, patches by Chris Lamb (#777011) and akira (#793720).
• uhd/3.8.5-2 by A. Maitland Bottoms.
• xfireworks/1.3-10 uploaded by Yukiharu YABUKI, original patch by Chris Lamb.

Some uploads fixed some reproducibility issues but not all of them:

• ben/0.7.1 uploaded by Mehdi Dogguy, original patch by Reiner Herrmann.
• debiandoc-sgml-doc/1.1.24 uploaded by Osamu Aoki, initial patch by Dhole.
• ifrench-gut/1:1.0-31 uploaded by Lionel Elie Mamane, original patch by Valentin Lorentz.
• qdjango/0.6.0-1 uploaded by Jeremy Lain , fixed upstream, original patch by akira.
• spectacle/0.25-1 assembled by Philippe Coval, original patch by Chris Lamb.

Patches submitted which have not made their way to the archive yet:

• #795203 on xlsx2csv by Dhole: set PODDATE to the date of the latest debian/changelog entry.
• #795392 on blkreplay by Dhole: tell pod2man to use the date of the latest debian/changelog entry.
• #795394 on libitpp by Dhole: use SOURCE_DATE_EPOCH as source for the manpage date instead of the currentdate.
• #795395 on adblock-plus by Dhole: set TZ to UTC when using zip.
• #795438 on wims-extra by Chris Lamb: ask grep to cope with non-UTF8 files.
• #795441 on aprx by Chris Lamb: use SOURCE_DATE_EPOCH as source for the manpage date instead of the currentdate.
• #795462 on ogre-1.9 by Chris Lamb: removes timestamps from the documentation system.
• #795484 on ruby-rmagick by Chris Lamb: patch the bindings to allow the PRNG seed to be set, and set it to a fixed value when generating examples.
• #795562 on htp by Chris Lamb: export TZ=UTC in debian/rules.

akira found another embedded code copy of texi2html in maxima. reproducible.debian.net Work on testing several architectures has continued. (Mattia/h01ger) Package reviews 29 reviews have been removed, 187 added and 34 updated this week. 172 new FTBFS reports were filled, 137 solely by Chris West (Faux). josch spent time investigating the issue with fonts in PDF files. Chris Lamb documented the issue affecting documentation generated by ocamldoc. Misc. Lunar presented a general Reproducible builds HOWTO talk at the Chaos Communication Camp 2015 in Germany on August 13th. Recordings are already available, as well as slides and script. h01ger and Lunar also used CCCamp15 as an opportunity to have discussions with members of several different projects about reproducible builds. Good news should be coming soon.

Printing a 2965 lines text file

Let us image I have a reason https://people.debian.org/~anibal/ksp-dc15/ksp-dc15.html to print a text file that is 2965 lines long, is encoded in utf-8 (so a2ps and enscript don't work) and I don't want to destroy a whole forest for it.

I've started by using xelatex to get a nicely typeset A5 page with my file in a monospaced font: partecipants.tex

\documentclass[a5paper] article
\usepackage fontspec
\usepackage[left=1cm,right=1cm,top=0.8cm,bottom=1cm,foot=0.2cm] geometry
\usepackage listings

\lstset %
basicstyle=\ttfamily\scriptsize,
frame=none,
keepspaces=true,


\begin document
\lstinputlisting ksp-dc15.txt
\end document


This gets compiled into partecipants.pdf with


$ xelatex partecipants.tex


And resulted in 44 pages, 4 less than the 48 needed by a2ps, and printable on just 11 A4 sheets.

I wanted it to be easily manageable while walking around, taking notes into it while standing, so I decided to arrange it in booklet form:


$ pdfbook partecipants.pdf


The result, partecipants-book.pdf was printed (two sided, of course) folded and stitched in the middle.

I could have arranged it into signatures, but this would have required an additional sheet to bring the number of pages to a multiple of 16.

I know that there are electronic alternatives around, and I've also considered just carrying around the file and adding notes (to a copy?) with vim, but I'd trust a paper copy more.

This weekend we'll be having the 4th version of the Colombian Mini-Debconf. It will be held in the Otraparte Museum, in the city of Medellin. The cool thing this year is that we'll be having mostly Debian contributors than just users, with the kind participation of Anibal Monsalve, who is currently in the country.

There will be several 10-min lightening talks, followed by a key signing party and some actual work in packaging, and of course we'll be having some beers with Debian friends.

More info (in Spanish): http://wiki.debian.org/DebianColombia/MiniDebconf2011

The beginning of this Google Summer of Code has been busy and pretty cool. Not a lot of code was produced but I did learn a lot of things.

During this GSoC I will work on the next generation JDK. This means that I will (and I already have) compile the JDK. That s pretty awesome but it requires a lot of power. That s why Tom Marble created me an account on his 8 CPUs machine to help me.
Since I m probably going to sign some packages, I created a new GPG key with a 4096 RSA strength.
My old key was:

pub 1024D/F144A319 2008-10-18

And the new key is:

pub 4096R/EE2BBBC7 2011-05-03

I cross signed my keys using this great tutorial.

I read some documentation about Jigsaw and watched Tom s talk at DebConf 10.
I have spent a little more than a week to understand the current OpenJDK packaging to be able to rebuild it. I have learnt from where do the sources come from. The current packaging is a little hard to understand. There are sources that come from IcedTea, OpenJDK, and more.

After being able to rebuild the OpenJDK 6 package, I have downloaded the source of the OpenJDK 8 and Jigsaw. I used the Mercurial forest to get the sources.

For OpenJDK 8:
hg clone http://hg.openjdk.java.net/jdk8/jdk8 jdk8
cd jdk8 && sh get_sources.sh

For Jigsaw:
hg clone http://hg.openjdk.java.net/jigsaw/jigsaw jigsaw
cd jigsaw && sh get_sources.sh

I have managed to build the sources of OpenJDK 8 and Jigsaw using the same steps:
cd jigsaw
. jigbuild
. jdk/make/jdk_generic_profile.sh
export ALLOW_DOWNLOADS=true
make sanity
make all

Jigsaw specific:
make modules-sanity
make modules

Each build took several minutes. But they were successful. Tom helped me a lot to build OpenJDK 8 and Jigsaw by giving me a solution. For example, after getting the Mercurial forest, there were still missing source files and the build failed. Tom told me that I needed to export a environement variable: ALLOW_DOWNLOADS=true.
After building Jigsaw, I was able to see that the version string is not legal in Debian and that is a real problem.
I have written some simple Hello World examples to compile and run with Jigsaw. To modularize a program, it needs to contain a module-info.java files. This file includes the modules needed to run the program and the main class to run. For a classic hello world, the module-info.java files looks like:

module test.hello @ 1
requires jdk.base @ 7-ea;
class test.hello.Main;


Tom gave me some packages to build: jtharness and jtreg. I succesfully built jtharness using CDBS and its Ant helper but I ll have to repackage it to use javahelper instead of CDBS. I still didn t try to build jtreg because it requires jtharness.

My next plan is to get jtharness and jtreg packaged with javahelper soon and understand what modules does what in Jigsaw. Understaning modules will help me to write some more complex examples. I hope to start working on Jigsaw a little more soon (when I my internship will end [next week]).

My humble RC bug squashing efforts for this week. I've saved them all up, because I don't want to spam Planet Debian too much... or alternatively, because I've been feeling ill Thursday/Friday and didn't do anything at all.

• #598619 in x11vnc NMU'd, after one false start, but at least I learnt something.
• #586849 and #586838 in mgltools- utpackages,geomutils confirmed fixed.
• Patch written for #592417 in mgltools-utpackages.
• Verified and NMU'd patch for #410130 in cryptonit.
• #590383 in rabbitmq-server confirmed fixed.
• Investigated why #589194 in openclipart hadn't been closed, although it was Anibal who eventually sponsored the patch.
• #599988 in lwjgl fixed and uploaded.
• Confirmed #599959 in sawfish closed from last week, after it got binNMUs.
• Patch finally written for #593856 in gnucash.

Note that quite a few of these were "cheating" by just closing bugs that someone else had written a patch/comment for, and the mgltools-* ones are in non-free software, so they won't have the same impact on the RC bug stats. Also, I've mentioned the gnucash and sawfish ones before, but they'll definitely be counted in the stats now..

As part of the 11th Debian Conference in New York City, USA, there will be OpenPGP (pgp/gpg) keysignings. If you intend to participate in the DebConf10 keysignings, please send your ascii armored public key as explained no later than Tuesday 20th of July, 2010 at 23:59 UTC. If your mail to anibal@debian.org cannot get through, send it to anibal at v7w dot com but first try the debian.org email address, please. More (and up-to-date) information is available so keep watching that page. An bal Monsalve Salazar and the DebConf team

I just bought my tickets today to NYC and I am glady to say that I am going to Debconf 10. The tickets have this information:

• GRU->JFK: Departure: 2010-07-30, 21:25; Arrival: 2010-07-31, 6:10, Flight AA950
• JFK->GRU: Departure: 2010-08-09, 21:40; Arrival: 2010-08-10, 8:35, Flight AA951

This represents a personal milestone for me, as I have many plans for the conference. In fact, this will be a trip of many firsts for me:

• this will be my first international trip by airplaine.
• this will be my first DebConf ever (despite the fact that I could not apply for the DebConf Newbies initiative, due to my visa interview being delayed until the 7th of this month).
• this will be the first time to see many people with whom I work together for some years now, but have not yet had the opportunity to meet in person.
• this will be a nice opportunity to work hard on some issues that threaten the PowerPC port of Debian.
• this will be a nice opportunity to do some QA work with some packages that I would like to have sponsored; also to upload some of the fonts that I already packaged (or intend to take care) and that will be maintained under the Debian Fonts Task Force umbrella.
• this will be a very nice opportunity to get myself in a big strongly connected component of the Web-of-Trust with as many arcs as feasible, by means of the key signing party.
• and many, many other things that I would like to do for the project.

I am thankful for the DebConf team sponsoring both accomodation and food. It is highly appreciated. See you in NYC! Any hints that you may happen to have are warmly welcome.

Rubx, also known as Ruby Boobie, is a nice spoiled girlie bot that runs on Twitter. She listens when you talk to her and when you do, it'll better be with Ruby: She will interpret your tweet in Ruby and reply to you with what your code returns. How does it work? You send a message to her:

@rubx "The day I was born it was a " << Time.local(1984, "aug", 8).strftime("%A")

And @rubx will reply:

@damog "The day I was born it was a Wednesday"

Go see more about her (examples, FAQ, etc) on axiombox.com/rubx or on her Twitter profile. As we tested the hack, a bunch of people started interacting with Rubx too, some people calling her Twitter Line Interface Ruby Interpreter! :). See what other people has tried with her here.

following the traditional post.
I got an email today, telling me that I m a full Debian Developer now, I started my NM process on 2007-12-10 it took a bit more then a year, and now I m the first DD of El Salvador I have to thanks to all people that help me out, anibal, gregoa, dmn, mlt(Marcela), xerakko, twerner, benh and some more people that I don t remember.

Today anibal(thanks!) uploaded xscreensaver 5.05-3, this release fixes the XRandR issue that a lot of people reported since the introduce of sanity code in 5.05 for XRandR (that are some quite RCs and important bugs). 5.06 is out now but we couldn't wait more to get this RCs closed, in a week or two this new release will be ready and in the archive.

Now gkrellm works with kernels >=2.6.24, since where /proc/acpi has been deprecated in favor of /sys. The binaries packages for most of the archs debian supports most be available already in the debian archive since anibal upload it the saturday. Enjoy!

I recently wrote about the new version of xscreensaver and the new hacks but I just forgot to actually install them so now they're installed and thanks to my new co-maintainer Tormod Volden the packaging of xscreensaver is easier ans smooth, yet no in CDBS but easier at least, so the new release is 5.04-2 and right now I'm just waiting for damog to upload it (he's very fast BTW). I updated gkrellm with the new upstream version 2.3.1 fixing some bugs, I cleaned up all the patches and let only one for the gkrellmd.conf file, besides a made a clean up of the BTS of gkrellm, now there're less bugs remaining, the new release is 3.2.1-1 and is waiting for anibal to review it and upload it. Finally but not less important is pgpdump, a package that since a lot of time ago didn't get me any work, new upstream release 0.26 and the release 0.26-1 is waiting for anibal to review it and upload it. This last two were migrated to CDBS, so it's definitely easier to maintain, at least for me!