On day four the transition to Ruby 2.7 and Rails 6 went on. Minor transitions took place too, for example the upload of ruby-faraday 1.0 or the upload of bundler 2.1 featuring the (first) contributions by bundler s upstream Deivid (yeah!). Further Red Hat s (and Debian s) Marc Dequ nes (Duck) joined us. We are proud to report, that updating and/or uploading the Kali packages is almost done. Most are in NEW or have already been accepted. The Release team was contacted to start the Ruby 2.7 transition and we already have a transition page. However, the Python 3.8 one is ongoing (almost finished) and the Release team does not want overlaps. So hopefully we can upload ruby-defaults to Debian Unstable soon. In the evening we got together for a well earned collective drink at Brewberry Bar and dinner, joined by local Debian colleague Nicolas Dandrimont (olasd).

Group photo of the Ruby Team in Brewberry Bar (Paris 2020)

The evening ended at Paris famous (but heavily damaged) Notre-Dame cathedral.

The following contributors got their Debian Developer accounts in the last two months:

• Nicholas D. Steeves (sten)
• Nilesh Patra (nilesh)
• David Su rez Rodr guez (deiv)
• Pierre Gruet (pgt)

The following contributors were added as Debian Maintainers in the last two months:

• Antonio Valentino
• Boian Nikolaev Bonev
• Filip Hroch
• Maarten L. Hekkelman
• Xialei Qin
• Xiang Gao

Congratulations!

Here s my (eleventh) monthly update about the activities I ve done in the F/L/OSS world.

Debian

This was my 20th month of contributing to Debian. I became a DM in late March last year and a DD last Christmas! \o/ Well, this month we had DebConf! \o/
(more about this later this week!) Anyway, here are the following things I did in Debian this month:

Uploads and bug fixes:

• rubocop (0.89.1+dfsg-1) - New upstream version for RuboCop::Packaging.
• ruby-rubocop-ast (0.3.0+dfsg-1) - New upstream version for RuboCop's latest version.
• ruby-rubocop-packaging (0.3.0-1) - Shouldn t check lib/ and gemspec file.
• bidi-clojure (2.1.3-1) - New upstream version for Puppet6.
• Source-only uploads for ruby-anima, ruby-uniform-notifier, ruby-unparser, ruby-morpher, and ruby-path-expander.

Other $things:

• Mentoring for newcomers.
• FTP Trainee reviewing.
• Moderation of -project mailing list.
• Sponsored php-dasprid-enum and php-bacon-baconqrcode for William and ruby-unparser, ruby-morpher, and ruby-path-exapander for Cocoa.

---

Goodbye GSoC! \o/ In May, I got selected as a Google Summer of Code student for Debian again! \o/
I am working on the Upstream-Downstream Cooperation in Ruby project. The other 5 blogs can be found here:

• GSoC Phase 1 (part 1).
• GSoC Phase 1 (part 2).
• GSoC Phase 2 (part 1).
• GSoC Phase 2 (part 2).
• GSoC Phase 3 (part 1).
• And this is GSoC Phase 3 (part 2).

Also, I log daily updates at gsocwithutkarsh2102.tk. Since this is a wrap and whilst the daily updates are already available at the above site^, I ll quickly mention the important points and links here.

• The git repository is hosted on GitHub: https://github.com/utkarsh2102/rubocop-packaging.
• It is a linter, an extension of RuboCop, focused on enforcing upstream best practices and coding conventions.
• There have been 5 releases in all, including 4 cops and other bug fixes (including false-positives and false-negatives).
• The entire source code is documented with a separate docs/ directory, which is hosted at https://docs.rubocop.org/rubocop-packaging.
• The packaging style guide is hosted at https://packaging.rubystyle.guide.
• At the time of writing this, it is being used by around 30 other projects ^.^
• Not only could you install this via gem install rubocop-packaging, but also via apt install ruby-rubocop-packaging.
• The total work consists of around 85 commits with 15 PRs, contributed by 4 amazing people (including me :P) in the last 3 months (June 20 to August 20).
• And finally, many thanks to two amazing people (the mentors for this project), Antonio Terceiro and David Rodr guez!

---

Continuation of GSoC for other Ruby related stuff!

Whilst working on Rubocop::Packaging, I contributed to more Ruby projects, refactoring their library a little bit and mostly fixing RuboCop issues and fixing issues that the Packaging extension reports as offensive .
Following are the PRs that I raised:

• PR #170 for autoprefixer-rails to drop git ls-files in gemspec.
• PR #479 for cucumber-rails to update RuboCop and RuboCop::Packaging.
• PR #1465 for cucumber-ruby for updating RuboCop to v0.89.
• PR #208 for cucumber-ruby-core to fix .rubocop.yml and add RuboCop::Packaging as a development dependency.
• PR #178 for webdrivers to update the RuboCop and RuboCop::RSpec version to the latest.
• PR #179 for webdrivers to drop git ls-files in gemspec.

---

Debian (E)LTS

Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success. And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support). This was my eleventh month as a Debian LTS and my second as a Debian ELTS paid contributor.
I was assigned 21.75 hours for LTS and 14.25 hours for ELTS and worked on the following things:

LTS CVE Fixes and Announcements:

• Issued DLA 2304-1, fixing CVE-2015-9542, for libpam-radius-auth.
  For Debian 9 Stretch, these problems have been fixed in version 1.3.16-5+deb9u1.
• Issued DLA 2305-1, fixing CVE-2018-10756, for transmission.
  For Debian 9 Stretch, these problems have been fixed in version 2.92-2+deb9u2.
• Issued DLA 2307-1, fixing CVE-2018-1000544, for ruby-zip.
  For Debian 9 Stretch, these problems have been fixed in version 1.2.0-1.1+deb9u1.
• Issued DLA 2308-1, fixing CVE-2019-17113, for libopenmpt.
  For Debian 9 Stretch, these problems have been fixed in version 0.2.7386~beta20.3-3+deb9u4.
• Issued DLA 2317-1, fixing CVE-2020-10177, for pillow.
  For Debian 9 Stretch, these problems have been fixed in version 4.0.0-4+deb9u2.
• Issued DLA 2318-1, fixing CVE-2019-10064 and CVE-2020-12695, for wpa.
  For Debian 9 Stretch, these problems have been fixed in version 2:2.4-1+deb9u7.
• Started working on uwsgi update for CVE-2020-11984. It seems that src:apache2 wasn t affected by that, but src:uwsgi was.

ELTS CVE Fixes and Announcements:

• Issued ELA 255-1, fixing CVE-2020-14344, for libx11.
  For Debian 8 Jessie, these problems have been fixed in version 2:1.6.2-3+deb8u3.
• Issued ELA 259-1, fixing CVE-2020-10177, for pillow.
  For Debian 8 Jessie, these problems have been fixed in version 2.6.1-2+deb8u5.
• Issued ELA 269-1, fixing CVE-2020-11985, for apache2.
  For Debian 8 Jessie, these problems have been fixed in version 2.4.10-10+deb8u17.
• Started working on clamAV update, it s a major bump from v0.101.5 to v0.102.4. There were lots of movings parts. Contacted upstream maintainers to help reduce the risk of regression. Came up with a patch to loosen the libcurl version requirement. Hopefully, the update could be rolled out soon!

Other (E)LTS Work:

• I spent an additional 11.15 hours working on compiling the responses of the LTS survey and preparing a gist of it for its presentation during the Debian LTS BoF at DebConf20.
• Triaged qemu, pillow, gupnp, clamav, apache2, and uwsgi.
• Marked CVE-2020-11538/pillow as not-affected for Stretch.
• Marked CVE-2020-11984/apache2 as not-affected for Stretch.
• Marked CVE-2020-10378/pillow as not-affected for Jessie.
• Marked CVE-2020-11538/pillow as not-affected for Jessie.
• Marked CVE-2020-3481/clamav as not-affected for Jessie.
• Marked CVE-2020-11984/apache2 as not-affected for Jessie.
• Marked CVE-2020- 9490,11993 /apache2 as not-affected for Jessie.
• Hosted Debian LTS BoF at DebConf20. Recording here.
• General discussion on LTS private and public mailing list.

---

Until next time.
:wq for today.

Hello, In early May, I got selected as a Google Summer of Code student for Debian to work on a project which is to write a linter (an extension to RuboCop).
This tool is mostly to help the Debian Ruby team. And that is the best part, I love working in/for/with the Ruby team!
(I ve been an active part of the team for 19 months now :)) More details about the project can be found here, on the wiki.
And also, I have got the best mentors I could ve possibly asked for: Antonio Terceiro and David Rodr guez So, the program began on 1st June and I ve been working since then. I log my daily updates at gsocwithutkarsh2102.tk.
The blog for the first part of phase 1 can be found here and that of second part of phase 1 can be found here. Whilst the daily updates are available at the above site^, I ll breakdown the important parts here:

• After the, what I d like to call, successful Phase 1, whilst using this extension on GitLab s omnibus-gitlab repository, I discovered a bug (as reported via issue #5), which basically threw the following error:

  An error occurred while Packaging/GemspecGit cop was inspecting /home/utkarsh/github/omnibus-gitlab/files/gitlab-cookbooks/gitlab/recipes/bootstrap_disable.rb.
  To see the complete backtrace run rubocop -d.

  which was not good.
• This bug was a false-negative and the fix turned out to be simple, which was raised via PR #6.
  Since the extension was now working fine against omnibus-gitlab (which is quite huge!), I rolled out a v0.1.1 release!
• Next, I implemented the 2nd cop, fixing require and require_relative calls which map from spec(s)/test(s) to the lib directory.
  This was raised via a WIP PR #4.
• We had our meeting where we discussed that it would rather make sense to split these cops into two parts and also, thanks to David s elaborative comment on the situation.
  With this, we decided to split the cops into two.
• Then I worked on:
  • Splitting the cops via commit @6765fec8.
  • Dropping Ruby2.4 support via commit @3681e9a3.
  • Diversifying tests via commit @335a14e2.
• At this point, we hit yet another obstacle. Correctly determining the root directory of a project at runtime. This is tricky. Not impossible (of course) but tricky.
  So my homework was to find such a thing that does that by default.
• For the next 4 days, I tried to find something that could do this bit. But unfortunately, I couldn t.
  So I wrote one myself. I wrote get_root, which solves this problem.
  The only thing that one needs to take care while using get_root is that it has to be a git repository. That s a trade-off.
• In the next meeting, we discussed that this is a bit of an overkill. get_root should ve been written as a helper function and not as another library, which David and Antonio pointed out correctly. But it was already too late :P
  I had already made a v 0.1.0 release.
  (So in case you re a Rubyist and want to find the root directory of a git repository, consider using this :P)
  Besides, Antonio also pointed out that it should take another arguement as to from point from where the file is being inspected. Hm, unsure how to do that..
• Meanwhile, I exported get_root as a helper function, David solved all the problem altogether at once via rubocop s PR #8314.
  This introduced a new (public) method #project_root which superseeded get_root and one could now get the root directory via RuboCop::ConfigLoader.project_root. Ain t he amazing!? \o/
• This also means, I reverted those changes altogether and tweaked my WIP PR to inculcate these changes via commit @b06a8f86.
  However, the specs fail. But that doesn t mean that the changes aren t correct :P
  They are pretty much right and working fine. To make that sure, I locally installed this library and used on other projects to make sure that it indeed is working alright, as it should! \o/
• And here I am on the 15th day :)

Well, the best part yet?
rubocop-packaging is being used by batalert, arbre, rspec-stubbed_env, rspec-pending_for, ISO8601, get_root ( ), gir_ffi, linter, and cucumber-rails. Whilst it has been a lot of fun so far, my plate has started to almost overflow. It seems that I ve got a lot of things to work on (and already things that are due!).
From my major project, college *stuff to my GSoC project, Debian (E)LTS, and a lot *more. Thanks to Antonio for helping me out with *other things (which maps back to his sayings in Paris \o/).

---

Until next time.
:wq for today.

Here s my (ninth) monthly update about the activities I ve done in the F/L/OSS world.

Debian

This was my 16th month of contributing to Debian. I became a DM in late March last year and a DD last Christmas! \o/ This month was a little intense. I did a lot of different kinds of things in Debian this month. Whilst most of my time went on doing security stuff, I also sponsored a bunch of packages. Here are the following things I did this month:

Uploads and bug fixes:

• rails (2:5.2.4.3+dfsg-1) - fix a bunch of CVEs in Sid and Bullseye.
• ruby-json (2.1.0+dfsg-2+deb10u1) - backport CVE-2020-10663 fix to Buster.
• ruby-json (2.0.1+dfsg-3+deb9u1) - backport CVE-2020-10663 fix to Stretch.
• ruby-kaminari (1.0.1-6) - add patch to fix CVE-2020-11082.
• ruby2.3 (2.3.3-1+deb9u8) - backport CVE-2020-10663 fix to Stretch.
• python-libusb1 (1.8-1.1) - NMU for a source-only upload.
• pry (0.13.1-1) - Fix failing tests & new upstream version.
• ruby-rubocop-packaging (0.1.0-1) - NEW (#963016).
• batalert (0.4.0-1) - fixes against RuboCop.
• json-schema-test-suite (2.0.0-1.1) - NMU for a source-only upload on request.
• ruby-ahoy-email (1.1.0-1) - Disable tests temporarily (#959060).
• micro (2.0.6-1) - fix crashing at startup (#961853).
• golang-github-zyedidia-tcell (1.4.8-1) - new upstream version.
• micro (2.0.6-1~bpo10+1) - backport the fix for (#961853).
• micro (2.0.6-2) - fix the reintroduced versioning issue (#953400).
• ruby-whitequark-parser (2.7.1.4-1) - new upstream version.

Other $things:

• Hosted Ruby team meeting. Logs here.
• Mentoring for newcomers.
• FTP Trainee reviewing.
• Moderation of -project mailing list.
• Sponsored ruby-ast for Abraham, libexif for Hugh, djangorestframework-gis and karlseguin-ccache for Nilesh, and twig-extensions, twig-i18n-extension, and mariadb-mysql-kbs for William.

---

GSoC Phase 1, Part 2! Last month, I got selected as a Google Summer of Code student for Debian again! \o/
I am working on the Upstream-Downstream Cooperation in Ruby project. The first half of the first month is blogged here, titled, GSoC Phase 1.
Also, I log daily updates at gsocwithutkarsh2102.tk. Whilst the daily updates are available at the above site^, I ll breakdown the important parts of the later half of the first month here:

• Documented the first cop, GemspecGit via PR #2.
• Made an initial release, v0.1.0!
• Spread the word/usage about this tool/library via adding them in the official RuboCop docs.
• We had our third weekly meeting where we discussed the next steps and the things that are supposed to be done for the next set of cops.
• Wrote more tests so as to cover different aspects of the GemspecGit cop.
• Opened PR #4 for the next Cop, RequireRelativeToLib.
• Introduced rubocop-packaging to the outer world and requested other upstream projects to use it! It is being used by 6 other projects already
• Had our fourth weekly meeting where we pair-programmed (and I sucked :P) and figured out a way to make the second cop work.
• Found a bug, reported at issue #5 and raised PR #6 to fix it.
• And finally, people loved the library/tool (and it s outcome):
  
  
  
  (for those who don t know, @bbatsov is the author of RuboCop, @lienvdsteen is an amazing fullstack engineer at GitLab, and @pboling is the author of some awesome Ruby tools and libraries!)

---

Continuation of GSoC for other Ruby related stuff!

Whilst I have already mentioned it multiple times but it s still not enough to stress how amazing Antonio Terceiro and David Rodr guez are!
They re more than just mentors to me! Well, only they know how much I trouble them with different things, which are not only related to my GSoC project but also extends to the projects they maintain! :P
David maintains rubygems and bundler and Antonio maintains debci. So on days when I decide to hack on rubygems or debci, only I know how kind and nice David and Anotonio are to me!
They very patiently walk me through with whatever I am stuck on, no matter what and no matter when. Thus, with them around, I contributed to these two projects and more, with regards to working on rubocop-packaging.
Following are a few things that I raised:

• PR #3731 for rubygems/bundler to ship default .rubocop.yml file.
• PR #2140 for pry to fix bundler_spec test.
• PR #3740 for rubygems/bundler to fix all RuboCop offenses.
• MR #114 for debci to show package details on the retry page.
• Issue #356 against rake to request to support all gitignore rule patterns in rake/file_list.
• PR #9 for fast_ignore to use fast_ignore instead of git ls-files.
• PR #3748 for rubygems/bundler to add actions to automatically bump man page month.
• PR #8160 for rubocop to add rubocop-packaging as a known extension.
• PR #3754 for rubygems/bundler to constrain the shipped RuboCop s version.
• Issue #8 against fast_ignore to clarify the strange behavior of include_files.
• PR #3765 for rubygems/bundler to fix remaining RuboCop issues and add tests.

---

Debian LTS

Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success. This was my ninth month as a Debian LTS paid contributor. I was assigned 30.00 hours and worked on the following things:

CVE Fixes and Announcements:

• Issued DLA 2215-1, fixing CVE-2020-3327 and CVE-2020-3341, for clamav.
  For Debian 8 Jessie , these problems have been fixed in version 0.101.5+dfsg-0+deb8u2.
• Issued DLA 2216-1, fixing CVE-2020-8161, for ruby-rack.
  For Debian 8 Jessie , this problem has been fixed in version 1.5.2-3+deb8u3.
• Issued DLA 2234-1, fixing CVE-2005-1513, CVE-2005-1514, CVE-2005-1515, CVE-2020-3811, and CVE-2020-3812, for netqmail.
  For Debian 8 Jessie , these problems have been fixed in version 1.06-6.2~deb8u1.
• Uploaded a fix for CVE-2020-8162, CVE-2020-8164, CVE-2020-8165, CVE-2020-8166, and CVE-2020-8167, for rails. This upload was for Sid and Bullseye and these CVE(s) were fixed in version 2:5.2.4.3+dfsg-1.
• Uploaded a fix for CVE-2020-11082, for ruby-kaminari. This upload was for Sid and Bullseye and this CVE was fixed in version 1.0.1-6.
• Uploaded a fix for CVE-2020-10663, for ruby-json, ruby2.1, and ruby2.5. These uploads were for Stretch and Buster and were fixed in the version 2.3.3-1+deb9u8, 2.1.0+dfsg-2+deb10u1, 2.3.3-1+deb9u8, and 2.5.5-3+deb10u2.
• Issued DLA 2237-1, fixing CVE-2019-8842 and CVE-2020-3898, for cups.
  For Debian 8 Jessie , these problems have been fixed in version 1.7.5-11+deb8u8.
• Issued DLA 2246-1, fixing CVE-2020-13696, for xawtv.
  For Debian 8 Jessie , this problem has been fixed in version 3.103-3+deb8u1.
• Issued DLA 2248-1, fixing CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, for intel-microcode.
  For Debian 8 Jessie , these problems have been fixed in version 3.20200609.2~deb8u1.
• Issued DLA 2249-1, fixing CVE-2020-0182 and CVE-2020-0198, for libexif.
  For Debian 8 Jessie , these problems have been fixed in version 0.6.21-2+deb8u4.

Other LTS Work:

• Triaged sympa, apache2, qemu, and coturn.
• Add fix for CVE-2020-0198/libexif.
• Requested CVE for bug#60251 against apache2 and prodded further.
• Raised issue #947 against sympa reporting an incomplete patch for CVE-2020-10936. More discussions internally.
• Created the LTS Survey on the self-hosted LimeSurvey instance.
• Attended the third LTS meeting. Logs here.
• General discussion on LTS private and public mailing list.

---

Other(s)

Sometimes it gets hard to categorize work/things into a particular category.
That s why I am writing all of those things inside this category.
This includes two sub-categories and they are as follows.

Personal: This month I did the following things:

• Wrote and published v0.1.0 of rubocop-packaging on RubyGems!
  It s open-sourced and the repository is here.
  Bug reports and pull requests are welcomed!
• Integrated a tiny (yet a powerful) hack to align images in markdown for my blog.
  Commit here.
• Released v0.4.0 of batalert on RubyGems!

Open Source: Again, this contains all the things that I couldn t categorize earlier.
Opened several issues and PRs:

• Issue #9 against 100daysof, reporting some broken CSS.
• PR #10 for 100daysof, fixing the above issue^.
• Issue #133 against djangorestframework-api-key, asking to fix copyright years.
• PR #5 for rspec-stubbed_env, dropping git ls-files in gemspec.
• PR #70 for rspec-pending_for, dropping git ls-files in gemspec.
• Issue #74, issue #143, issue #164, and issue #767 against multiple projects, asking them to use RuboCop.
• PR #212 for arbre, dropping git ls-files in gemspec.
• Issue #1749 and issue #1750 against micro, asking for help as the Debian package fails to build in buster-backports.
• PR #1751 for micro, fixing the above issue^.
• Issue #348 against hugo-coder, clarifying the weird timing issue in the blog posts.
• Issue #356 against hugo-coder, reporting the weird display of images and missing twitter cards.
• MR #12 for linter, dropping git ls-files in gemspec.
• MR #13 for linter, doing so minor refactoring.

---

Thank you for sticking along for so long :) Until next time.
:wq for today.

Hello, Earlier last month, I got selected as a Google Summer of Code student for Debian again! \o/
And as Chandler would say,

Could I be any more happier?

Well, this time, my project is basically to write a linter (an extension to RuboCop). This tool is mostly to help the Debian Ruby team. And that is the best part, I love working in/for/with the Ruby team!
(I ve been an active part of the team for 18 months now :)) More details about the project can be found here, on the wiki.
And also, I have got the best mentors I could ve possibly asked for: Antonio Terceiro and David Rodr guez So, the program began on 1st June and I ve been working since then. I log my daily updates at gsocwithutkarsh2102.tk. Whilst the daily updates are available at the above site^, I ll breakdown the important parts here:

• During the first three days, I looked for a potential solution to the usage of git ls-files in the gemspec files. This has been the most problematic thing for us.
  • Apart from the option of using Dir or Dir.glob, the best (closest) possible solution (right now) is to use Rake::FileList which tries to respects the .gitignore file.
  • I stumbled upon this interesting gem, fast_ignore. It is the exact thing which we want to use but unfortunately, to use it inside other gemspec files, it should be vendored inside bundler s code.
• We had our first meeting on the fourth day and we decided to hold meetings every Thursday for the next 12 weeks.
• For the next five days, I learned more of Ruby and figured out what to do and how to do it.
  If you d like to know what exactly I did in these 5 days, I d suggest you to read the daily logs for those respective days.
• During the next to two days, the first part of the project, the GemspecGit Cop, was implemented.
  This cop will correctly determine the usage of git in the gemspec files and would tell the developers and the maintainers to replace them with pure Ruby alternatives with giving them a proper reason to do so. Much thanks to Dana for her help she took out time to pair-program with me!
• We had our second weekly meeting where I finally told Antonio and David that the first part is already done (\o/) and we discussed some things and even pair-programmed :D
• I took the weekend off (and something terrible happened) but anyways, I managed to get together some time and energy to document the source code and raised this PR #2.
• And here I am on the 15th day :)

It has been a lot of fun so far! Though I am little worried on how to implement the next part of the project as I am not sure how to check only a particalar directory for some relative require calls.
But I think, that s okay, somehow, something will work out. And I can always ask around others and check other cops to see how it s done! \( )/

---

Until next time.
:wq for today.