Anarcat recently wrote about Qalculate, and I think I m a convert, even though I ve only barely scratched the surface. The thing I almost immediately started using it for is time calculations. When I started tracking my time, I quickly found that Timewarrior was good at keeping all the data I needed, but I often found myself extracting bits of it and reprocessing it in variously clumsy ways. For example, I often don t finish a task in one sitting; maybe I take breaks, or I switch back and forth between a couple of different tasks. The raw output of timew summary is a bit clumsy for this, as it shows each chunk of time spent as a separate row:

$ timew summary 2025-02-18 Debian
Wk Date       Day Tags                            Start      End    Time   Total
W8 2025-02-18 Tue CVE-2025-26465, Debian,       9:41:44 10:24:17 0:42:33
                  next, openssh
                  Debian, FTBFS with GCC-15,   10:24:17 10:27:12 0:02:55
                  icoutils
                  Debian, FTBFS with GCC-15,   11:50:05 11:57:25 0:07:20
                  kali
                  Debian, Upgrade to 0.67,     11:58:21 12:12:41 0:14:20
                  python_holidays
                  Debian, FTBFS with GCC-15,   12:14:15 12:33:19 0:19:04
                  vigor
                  Debian, FTBFS with GCC-15,   12:39:02 12:39:38 0:00:36
                  python_setproctitle
                  Debian, Upgrade to 1.3.4,    12:39:39 12:46:05 0:06:26
                  python_setproctitle
                  Debian, FTBFS with GCC-15,   12:48:28 12:49:42 0:01:14
                  python_setproctitle
                  Debian, Upgrade to 3.4.1,    12:52:07 13:02:27 0:10:20 1:44:48
                  python_charset_normalizer
                                                                         1:44:48

So I wrote this Python program to help me:

#! /usr/bin/python3
"""
Summarize timewarrior data, grouped and sorted by time spent.
"""
import json
import subprocess
from argparse import ArgumentParser, RawDescriptionHelpFormatter
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from operator import itemgetter
from rich import box, print
from rich.table import Table
parser = ArgumentParser(
    description=__doc__, formatter_class=RawDescriptionHelpFormatter
)
parser.add_argument("-t", "--only-total", default=False, action="store_true")
parser.add_argument(
    "range",
    nargs="?",
    default=":today",
    help="Time range (usually a hint, e.g. :lastweek)",
)
parser.add_argument("tag", nargs="*", help="Tags to filter by")
args = parser.parse_args()
entries: defaultdict[str, timedelta] = defaultdict(timedelta)
now = datetime.now(timezone.utc)
for entry in json.loads(
    subprocess.run(
        ["timew", "export", args.range, *args.tag],
        check=True,
        capture_output=True,
        text=True,
    ).stdout
):
    start = datetime.fromisoformat(entry["start"])
    if "end" in entry:
        end = datetime.fromisoformat(entry["end"])
    else:
        end = now
    entries[", ".join(entry["tags"])] += end - start
if not args.only_total:
    table = Table(box=box.SIMPLE, highlight=True)
    table.add_column("Tags")
    table.add_column("Time", justify="right")
    for tags, time in sorted(entries.items(), key=itemgetter(1), reverse=True):
        table.add_row(tags, str(time))
    print(table)
total = sum(entries.values(), start=timedelta())
hours, rest = divmod(total, timedelta(hours=1))
minutes, rest = divmod(rest, timedelta(minutes=1))
seconds = rest.seconds
print(f"Total time:  hours:02 : minutes:02 : seconds:02 ")

$ summarize-time 2025-02-18 Debian
  Tags                                                     Time
  
  CVE-2025-26465, Debian, next, openssh                 0:42:33
  Debian, FTBFS with GCC-15, vigor                      0:19:04
  Debian, Upgrade to 0.67, python_holidays              0:14:20
  Debian, Upgrade to 3.4.1, python_charset_normalizer   0:10:20
  Debian, FTBFS with GCC-15, kali                       0:07:20
  Debian, Upgrade to 1.3.4, python_setproctitle         0:06:26
  Debian, FTBFS with GCC-15, icoutils                   0:02:55
  Debian, FTBFS with GCC-15, python_setproctitle        0:01:50
Total time: 01:44:48

Much nicer. But that only helps with some of my reporting. At the end of a month, I have to work out how much time to bill Freexian for and fill out a timesheet, and for various reasons those queries don t correspond to single timew tags: they sometimes correspond to the sum of all time spent on multiple tags, or to the time spent on one tag minus the time spent on another tag, or similar. As a result I quite often have to do basic arithmetic on time intervals; but that s surprisingly annoying! I didn t previously have good tools for that, and was reduced to doing things like str(timedelta(hours=..., minutes=..., seconds=...) + ...) in Python, which gets old fast. Instead:

$ qalc '62:46:30 - 51:02:42 to time'
(225990 / 3600)   (183762 / 3600) = 11:43:48

I also often want to work out how much of my time I ve spent on Debian work this month so far, since Freexian pays me for up to 20% of my work time on Debian; if I m under that then I might want to prioritize more Debian projects, and if I m over then I should be prioritizing more Freexian projects as otherwise I m not going to get paid for that time.

$ summarize-time -t :month Freexian
Total time: 69:19:42
$ summarize-time -t :month Debian
Total time: 24:05:30
$ qalc '24:05:30 / (24:05:30 + 69:19:42) to %'
(86730 / 3600) / ((86730 / 3600) + (249582 / 3600))   25.78855349%

I love it.

Like each month, have a look at the work funded by Freexian s Debian LTS offering.

Debian LTS contributors In January, 20 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 8.0h (out of 14.0h assigned), thus carrying over 6.0h to the next month.
• Adrian Bunk did 36.5h (out of 47.75h assigned and 52.25h from previous period), thus carrying over 63.5h to the next month.
• Andrej Shadura did 11.0h (out of 11.0h assigned and 4.0h from previous period), thus carrying over 4.0h to the next month.
• Arturo Borrero Gonzalez did 9.0h (out of 10.0h assigned), thus carrying over 1.0h to the next month.
• Bastien Roucari s did 22.0h (out of 22.0h assigned).
• Ben Hutchings did 8.0h (out of 21.0h assigned and 3.0h from previous period), thus carrying over 16.0h to the next month.
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Daniel Leidert did 20.0h (out of 23.0h assigned and 3.0h from previous period), thus carrying over 6.0h to the next month.
• Emilio Pozuelo Monfort did 34.0h (out of 7.0h assigned and 27.75h from previous period), thus carrying over 0.75h to the next month.
• Guilhem Moulin did 3.25h (out of 20.0h assigned), thus carrying over 16.75h to the next month.
• Jochen Sprickerhof did 23.0h (out of 15.0h assigned and 8.0h from previous period).
• Lee Garrett did 15.75h (out of 8.5h assigned and 51.5h from previous period), thus carrying over 44.25h to the next month.
• Lucas Kanashiro did 8.0h (out of 32.0h assigned and 32.0h from previous period), thus carrying over 56.0h to the next month.
• Markus Koschany did 40.0h (out of 40.0h assigned).
• Roberto C. S nchez did 14.75h (out of 13.5h assigned and 10.5h from previous period), thus carrying over 9.25h to the next month.
• Santiago Ruano Rinc n did 21.75h (out of 18.75h assigned and 6.25h from previous period), thus carrying over 3.25h to the next month.
• Sean Whitton did 8.5h (out of 8.5h assigned).
• Sylvain Beucler did 10.5h (out of 0.0h assigned and 49.5h from previous period), thus carrying over 39.0h to the next month.
• Thorsten Alteholz did 11.0h (out of 11.0h assigned).
• Tobias Frost did 12.0h (out of 12.0h assigned).

Evolution of the situation In January, we have released 33 DLAs. There were numerous security and non-security updates to Debian 11 (codename bullseye ) during January.

• Notable security updates:
  • rsync, prepared by Thorsten Alteholz, fixed several CVEs (including information leak and path traversal vulnerabilities)
  • tomcat9, prepared by Markus Koschany, fixed several CVEs (including denial of service and information disclosure vulnerabilities)
  • ruby2.7, prepared by Bastien Roucari s, fixed several CVEs (including denial of service vulnerabilities)
  • tiff, prepared by Adrian Bunk, fixed several CVEs (including NULL ptr, buffer overflow, use-after-free, and segfault vulnerabilities)
• Notable non-security updates:
  • linux-6.1, prepared by Ben Hutchings, has been packaged for bullseye (this was done specifically to provide a supported upgrade path for systems that currently use kernel packages from the bullseye-backports suite)
  • debian-security-support, prepared by Santiago Ruano Rinc n, which formalized the EOL of intel-mediasdk and node-matrix-js-sdk

In addition to the security and non-security updates targeting bullseye , various LTS contributors have prepared uploads targeting Debian 12 (codename bookworm ) with fixes for a variety of vulnerabilities. Abhijith PA prepared an upload of puma; Bastien Roucari s prepared an upload of node-postcss with fixes for data processing and denial of service vulnerabilities; Daniel Leidert prepared updates for setuptools, python-asyncssh, and python-tornado; Lee Garrett prepared an upload of ansible-core; and Guilhem Moulin prepared updates for python-urllib3, sqlparse, and opensc. Santiago Ruano Rinc n also worked on tracking and filing some issues about packages that need an update in recent releases to avoid regressions on upgrade. This relates to CVEs that were fixed in buster or bullseye, but remain open in bookworm. These updates, along with Santiago s work on identifying and tracking similar issues, underscore the LTS Team s commitment to ensuring that the work we do as part of LTS also benefits the current Debian stable release. LTS contributor Sean Whitton also prepared an upload of jinja2 and Santiago Ruano Rinc n prepared an upload of openjpeg2 for Debian unstable (codename sid ), as part of the LTS Team effort to assist with package uploads to unstable.

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • Toshiba Corporation (for 112 months)
  • Civil Infrastructure Platform (CIP) (for 80 months)
  • VyOS Inc (for 44 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 122 months)
  • Akamai - Linode (for 116 months)
  • Babiel GmbH (for 106 months)
  • Plat Home (for 105 months)
  • University of Oxford (for 62 months)
  • Deveryware (for 49 months)
  • EDF SA (for 34 months)
  • Dataport A R (for 9 months)
  • CERN (for 7 months)
• Silver sponsors:
  • Domeneshop AS (for 127 months)
  • Nantes M tropole (for 121 months)
  • Univention GmbH (for 113 months)
  • Universit Jean Monnet de St Etienne (for 113 months)
  • Ribbon Communications, Inc. (for 107 months)
  • Exonet B.V. (for 97 months)
  • Leibniz Rechenzentrum (for 91 months)
  • Minist re de l Europe et des Affaires trang res (for 75 months)
  • Cloudways by DigitalOcean (for 64 months)
  • Dinahosting SL (for 62 months)
  • Bauer Xcel Media Deutschland KG (for 56 months)
  • Platform.sh SAS (for 56 months)
  • Moxa Inc. (for 50 months)
  • sipgate GmbH (for 48 months)
  • OVH US LLC (for 46 months)
  • Tilburg University (for 46 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 37 months)
  • Soliton Systems K.K. (for 34 months)
  • THINline s.r.o. (for 10 months)
  • Copenhagen Airports A/S (for 4 months)
• Bronze sponsors:
  • Evolix (for 127 months)
  • Seznam.cz, a.s. (for 127 months)
  • Intevation GmbH (for 124 months)
  • Linuxhotel GmbH (for 124 months)
  • Daevel SARL (for 123 months)
  • Bitfolk LTD (for 122 months)
  • Megaspace Internet Services GmbH (for 122 months)
  • Greenbone AG (for 121 months)
  • NUMLOG (for 121 months)
  • WinGo AG (for 120 months)
  • Entr ouvert (for 111 months)
  • Adfinis AG (for 109 months)
  • Tesorion (for 104 months)
  • GNI MEDIA (for 103 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 103 months)
  • Bearstech (for 95 months)
  • LiHAS (for 95 months)
  • Catalyst IT Ltd (for 90 months)
  • Supagro (for 85 months)
  • Demarcq SAS (for 84 months)
  • Universit Grenoble Alpes (for 70 months)
  • TouchWeb SAS (for 62 months)
  • SPiN AG (for 59 months)
  • CoreFiling (for 55 months)
  • Institut des sciences cognitives Marc Jeannerod (for 50 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 46 months)
  • Tem Innovations GmbH (for 41 months)
  • WordFinder.pro (for 40 months)
  • CNRS DT INSU R sif (for 39 months)
  • Alter Way (for 32 months)
  • Institut Camille Jordan (for 22 months)
  • SOBIS Software GmbH (for 7 months)

Like each month, have a look at the work funded by Freexian s Debian LTS offering.

Debian LTS contributors In December, 19 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 14.0h (out of 14.0h assigned).
• Adrian Bunk did 47.75h (out of 53.0h assigned and 47.0h from previous period), thus carrying over 52.25h to the next month.
• Andrej Shadura did 6.0h (out of 17.0h assigned and -7.0h from previous period after hours given back), thus carrying over 4.0h to the next month.
• Bastien Roucari s did 22.0h (out of 22.0h assigned).
• Ben Hutchings did 15.0h (out of 0.0h assigned and 18.0h from previous period), thus carrying over 3.0h to the next month.
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Daniel Leidert did 23.0h (out of 17.0h assigned and 9.0h from previous period), thus carrying over 3.0h to the next month.
• Emilio Pozuelo Monfort did 32.25h (out of 40.5h assigned and 19.5h from previous period), thus carrying over 27.75h to the next month.
• Guilhem Moulin did 22.5h (out of 9.75h assigned and 12.75h from previous period).
• Jochen Sprickerhof did 2.0h (out of 3.5h assigned and 6.5h from previous period), thus carrying over 8.0h to the next month.
• Lee Garrett did 8.5h (out of 14.75h assigned and 45.25h from previous period), thus carrying over 51.5h to the next month.
• Lucas Kanashiro did 32.0h (out of 10.0h assigned and 54.0h from previous period), thus carrying over 32.0h to the next month.
• Markus Koschany did 40.0h (out of 20.0h assigned and 20.0h from previous period).
• Roberto C. S nchez did 13.5h (out of 6.75h assigned and 17.25h from previous period), thus carrying over 10.5h to the next month.
• Santiago Ruano Rinc n did 18.75h (out of 24.75h assigned and 0.25h from previous period), thus carrying over 6.25h to the next month.
• Sean Whitton did 6.0h (out of 2.0h assigned and 4.0h from previous period).
• Sylvain Beucler did 10.5h (out of 21.5h assigned and 38.5h from previous period), thus carrying over 49.5h to the next month.
• Thorsten Alteholz did 11.0h (out of 11.0h assigned).
• Tobias Frost did 12.0h (out of 12.0h assigned).

Evolution of the situation In December, we have released 29 DLAs. The LTS Team has published updates to several notable packages. Contributor Guilhem Moulin published an update of php7.4, a widely-used open source general purpose scripting language, which addressed denial of service, authorization bypass, and information disclosure vulnerabilities. Contributor Lucas Kanashiro published an update of clamav, an antivirus toolkit for Unix and Linux, which addressed denial of service and authorization bypass vulnerabilities. Finally, contributor Tobias Frost published an update of intel-microcode, the microcode for Intel microprocessors, which well help to ensure that processor hardware is protected against several local privilege escalation and local denial of service vulnerabilities. Beyond our customary LTS package updates, the LTS Team has made contributions to Debian s stable bookworm release and its experimental section. Notably, contributor Lee Garrett published a stable update of dnsmasq. The LTS update was previously published in November and in December Lee continued working to bring the same fixes (addressing the high profile KeyTrap and NSEC3 vulnerabilities) to the dnsmasq package in Debian bookworm. This package was accepted for inclusion in the Debian 12.9 point release scheduled for January 2025. Addititionally, contributor Sean Whitton provided assistance, via upload sponsorships, to the Debian maintainers of xen. This assistance resulted in two uploads of xen into Debian s experimental section, which will contribute to the next Debian stable release having a version of xen with better longterm support from the upstream development team.

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • Toshiba Corporation (for 111 months)
  • Civil Infrastructure Platform (CIP) (for 79 months)
  • VyOS Inc (for 43 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 121 months)
  • Akamai - Linode (for 115 months)
  • Babiel GmbH (for 105 months)
  • Plat Home (for 104 months)
  • University of Oxford (for 61 months)
  • Deveryware (for 48 months)
  • EDF SA (for 33 months)
  • Dataport A R (for 8 months)
  • CERN (for 6 months)
• Silver sponsors:
  • Domeneshop AS (for 126 months)
  • Nantes M tropole (for 120 months)
  • Univention GmbH (for 112 months)
  • Universit Jean Monnet de St Etienne (for 112 months)
  • Ribbon Communications, Inc. (for 106 months)
  • Exonet B.V. (for 96 months)
  • Leibniz Rechenzentrum (for 90 months)
  • Minist re de l Europe et des Affaires trang res (for 74 months)
  • Cloudways by DigitalOcean (for 63 months)
  • Dinahosting SL (for 61 months)
  • Bauer Xcel Media Deutschland KG (for 55 months)
  • Platform.sh SAS (for 55 months)
  • Moxa Inc. (for 49 months)
  • sipgate GmbH (for 47 months)
  • OVH US LLC (for 45 months)
  • Tilburg University (for 45 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 36 months)
  • Soliton Systems K.K. (for 33 months)
  • THINline s.r.o. (for 9 months)
  • Copenhagen Airports A/S (for 3 months)
• Bronze sponsors:
  • Evolix (for 126 months)
  • Seznam.cz, a.s. (for 126 months)
  • Intevation GmbH (for 123 months)
  • Linuxhotel GmbH (for 123 months)
  • Daevel SARL (for 122 months)
  • Bitfolk LTD (for 121 months)
  • Megaspace Internet Services GmbH (for 121 months)
  • Greenbone AG (for 120 months)
  • NUMLOG (for 120 months)
  • WinGo AG (for 119 months)
  • Entr ouvert (for 111 months)
  • Adfinis AG (for 108 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 103 months)
  • Tesorion (for 103 months)
  • GNI MEDIA (for 102 months)
  • Bearstech (for 94 months)
  • LiHAS (for 94 months)
  • Catalyst IT Ltd (for 89 months)
  • Supagro (for 84 months)
  • Demarcq SAS (for 83 months)
  • Universit Grenoble Alpes (for 69 months)
  • TouchWeb SAS (for 61 months)
  • SPiN AG (for 58 months)
  • CoreFiling (for 54 months)
  • Institut des sciences cognitives Marc Jeannerod (for 49 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 45 months)
  • Tem Innovations GmbH (for 40 months)
  • WordFinder.pro (for 39 months)
  • CNRS DT INSU R sif (for 38 months)
  • Alter Way (for 31 months)
  • Institut Camille Jordan (for 21 months)
  • SOBIS Software GmbH (for 6 months)

Like each month, have a look at the work funded by Freexian s Debian LTS offering.

Debian LTS contributors In November, 20 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 14.0h (out of 6.0h assigned and 8.0h from previous period).
• Adrian Bunk did 53.0h (out of 15.0h assigned and 85.0h from previous period), thus carrying over 47.0h to the next month.
• Andrej Shadura did 7.0h (out of 7.0h assigned).
• Arturo Borrero Gonzalez did 1.0h (out of 10.0h assigned), thus carrying over 9.0h to the next month.
• Bastien Roucari s did 20.0h (out of 20.0h assigned).
• Ben Hutchings did 0.0h (out of 24.0h assigned), thus carrying over 24.0h to the next month.
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Daniel Leidert did 17.0h (out of 26.0h assigned), thus carrying over 9.0h to the next month.
• Emilio Pozuelo Monfort did 40.5h (out of 60.0h assigned), thus carrying over 19.5h to the next month.
• Guilhem Moulin did 7.25h (out of 7.5h assigned and 12.5h from previous period), thus carrying over 12.75h to the next month.
• Jochen Sprickerhof did 3.5h (out of 10.0h assigned), thus carrying over 6.5h to the next month.
• Lee Garrett did 14.75h (out of 15.25h assigned and 44.75h from previous period), thus carrying over 45.25h to the next month.
• Lucas Kanashiro did 10.0h (out of 54.0h assigned and 10.0h from previous period), thus carrying over 54.0h to the next month.
• Markus Koschany did 20.0h (out of 40.0h assigned), thus carrying over 20.0h to the next month.
• Roberto C. S nchez did 6.75h (out of 9.75h assigned and 14.25h from previous period), thus carrying over 17.25h to the next month.
• Santiago Ruano Rinc n did 24.75h (out of 23.5h assigned and 1.5h from previous period), thus carrying over 0.25h to the next month.
• Sean Whitton did 2.0h (out of 6.0h assigned), thus carrying over 4.0h to the next month.
• Sylvain Beucler did 21.5h (out of 9.5h assigned and 50.5h from previous period), thus carrying over 38.5h to the next month.
• Thorsten Alteholz did 11.0h (out of 11.0h assigned).
• Tobias Frost did 12.0h (out of 10.5h assigned and 1.5h from previous period).

Evolution of the situation In November, we have released 38 DLAs. The LTS coordinators, Roberto and Santiago, delivered a talk at the Mini-DebConf event in Toulouse, France. The title of the talk was How LTS goes beyond LTS . The talk covered work done by the LTS Team during the past year. This included contributions related to individual packages in Debian (such as tomcat, jetty, radius, samba, apache2, ruby, and many others); improvements to tooling and documentation useful to the Debian project as a whole; and contributions to upstream work (apache2, freeimage, node-dompurify, samba, and more). Additionally, several contributors external to the LTS Team were highlighted for their contributions to LTS. Readers are encouraged to watch the video of the presentation for a more detailed review of various ways in which the LTS team has contributed more broadly to the Debian project and to the free software community during the past year. We wish to specifically thank Salvatore (of the Debian Security Team) for swiftly handling during November the updates of needrestart and libmodule-scandeps-perl, both of which involved arbitrary code execution vulnerabilities. We are happy to see increased involvement in LTS work by contributors from outside the formal LTS Team. The work of the LTS Team in November was otherwise unremarkable, encompassing the customary triage, development, testing, and release of numerous DLAs, along with some associated contributions to related packages in stable and unstable.

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • Toshiba Corporation (for 110 months)
  • Civil Infrastructure Platform (CIP) (for 78 months)
  • VyOS Inc (for 42 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 120 months)
  • Akamai - Linode (for 114 months)
  • Babiel GmbH (for 104 months)
  • Plat Home (for 103 months)
  • CINECA (for 78 months)
  • University of Oxford (for 60 months)
  • Deveryware (for 47 months)
  • EDF SA (for 32 months)
  • Dataport A R (for 7 months)
  • CERN (for 5 months)
• Silver sponsors:
  • Domeneshop AS (for 125 months)
  • Nantes M tropole (for 119 months)
  • Univention GmbH (for 111 months)
  • Universit Jean Monnet de St Etienne (for 111 months)
  • Ribbon Communications, Inc. (for 105 months)
  • Exonet B.V. (for 95 months)
  • Leibniz Rechenzentrum (for 89 months)
  • Minist re de l Europe et des Affaires trang res (for 73 months)
  • Cloudways by DigitalOcean (for 62 months)
  • Dinahosting SL (for 60 months)
  • Bauer Xcel Media Deutschland KG (for 54 months)
  • Platform.sh SAS (for 54 months)
  • Moxa Inc. (for 48 months)
  • sipgate GmbH (for 46 months)
  • OVH US LLC (for 44 months)
  • Tilburg University (for 44 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 35 months)
  • Soliton Systems K.K. (for 32 months)
  • THINline s.r.o. (for 8 months)
  • Copenhagen Airports A/S
• Bronze sponsors:
  • Evolix (for 125 months)
  • Seznam.cz, a.s. (for 125 months)
  • Intevation GmbH (for 122 months)
  • Linuxhotel GmbH (for 122 months)
  • Daevel SARL (for 121 months)
  • Bitfolk LTD (for 120 months)
  • Megaspace Internet Services GmbH (for 120 months)
  • Greenbone AG (for 119 months)
  • NUMLOG (for 119 months)
  • WinGo AG (for 118 months)
  • Entr ouvert (for 110 months)
  • Adfinis AG (for 107 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 102 months)
  • Tesorion (for 102 months)
  • GNI MEDIA (for 101 months)
  • Bearstech (for 93 months)
  • LiHAS (for 93 months)
  • Catalyst IT Ltd (for 88 months)
  • Supagro (for 83 months)
  • Demarcq SAS (for 82 months)
  • Universit Grenoble Alpes (for 68 months)
  • TouchWeb SAS (for 60 months)
  • SPiN AG (for 57 months)
  • CoreFiling (for 53 months)
  • Institut des sciences cognitives Marc Jeannerod (for 48 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 44 months)
  • Tem Innovations GmbH (for 39 months)
  • WordFinder.pro (for 38 months)
  • CNRS DT INSU R sif (for 37 months)
  • Alter Way (for 30 months)
  • Institut Camille Jordan (for 20 months)
  • SOBIS Software GmbH (for 5 months)

Review: Unexploded Remnants, by Elaine Gallagher

Publisher:	Tordotcom
Copyright:	2024
ISBN:	1-250-32522-6
Format:	Kindle
Pages:	111

Unexploded Remnants is a science fiction adventure novella. The protagonist and world background would support an episodic series, but as of this writing it stands alone. It is Elaine Gallagher's first professional publication. Alice is the last survivor of Earth: an explorer, information trader, and occasional associate of the Archive. She scouts interesting places, looks for inconsistencies in the stories the galactic civilizations tell themselves, and pokes around ruins for treasure. As this story opens, she finds a supposedly broken computer core in the Alta Sidoie bazaar that is definitely not what the trader thinks it is. Very shortly thereafter, she's being hunted by a clan of dangerous Delosi while trying to decide what to do with a possibly malevolent AI with frightening intrusion abilities. This is one of those stories where all the individual pieces sounded great, but the way they were assembled didn't click for me. Unusually, I'm not entirely sure why. Often it's the characters, but I liked Alice well enough. The Lewis Carroll allusions were there but not overdone, her computer agent Bugs is a little too much of a Warner Brothers cartoon but still interesting, and the world building has plenty of interesting hooks. I certainly can't complain about the pacing: the plot moves briskly along to a somewhat predictable but still adequate conclusion. The writing is smooth and competent, and the world is memorable enough that I'm still thinking about it. And yet, I never connected with this story. I think it may be because both Alice and the tight third-person narrator tend towards breezy confidence and matter-of-fact descriptions. Alice does, at times, get scared or angry, but I never felt those emotions. They were just events that were described to me. There wasn't an emotional hook, a place where the character grabbed me, and so it felt like everything was happening at an odd remove. The advantage of this approach is that there are no overwrought emotional meltdowns or brooding angstful protagonists, just an adventure story about a competent and thoughtful character, but I think I wanted a bit more emotional involvement than I got. The world background is the best part and feels like it could be part of a larger series. The Milky Way is connected by an old, vast, and only partly understood network of teleportation portals, which had cut off Earth for unknown reasons and then just as mysteriously reactivated when Alice, then Andrew, drunkenly poked at a standing stone while muttering an old prayer in Gaelic. The Archive spent a year sorting out her intellectual diseases (capitalism was particularly alarming) and giving her a fresh start with a new body. Humanity subsequently destroyed itself in a paroxysm of reactionary violence, leaving Alice a free agent, one of a kind in a galaxy of dizzying variety and forgotten history. Gallagher makes great use of the weirdness of the portal network to create a Star Wars style of universe: the focus is more on the diversity of the planets and alien species than on a coherent unifying structure. The settings of this book are not prone to Planet of the Hats problems. They instead have the contrasts that one would get if one dropped portals near current or former Earth population centers and then took a random walk through them (or, in other words, what playing GeoGuessr on a world map feels like). I liked this effect, but I have to admit that it also added to that sense of sliding off the surface of the story. The place descriptions were great bits of atmosphere, but I never cared about them. There isn't enough emotional coherence to make them memorable. One of the more notable quirks of this story is the description of ideologies and prejudices as viral memes that can be cataloged, cured, and deployed like weapons. This is a theme of the world-building as well: this society, or at least the Archive-affiliated parts of it, classifies some patterns of thought as potentially dangerous but treatable contagious diseases. I'm not going to object too much to this as a bit of background and characterization in a fairly short novella stuffed with a lot of other world-building and plot, but there's was something about treating ethical systems like diseases that bugged me in much the same way that medicalization of neurodiversity bugs me. I think some people will find that sense of moral clarity relaxing and others will find it vaguely irritating, and I seem to have ended up in the second group. Overall, I would classify this as an interesting not-quite-success. It felt like a side story in a larger universe, like a story that would work better if I already knew Alice from other novels and had an established emotional connection with her. As is, I would not really recommend it, but there are enough good pieces here that I would be interested to see what Gallagher does next. Rating: 6 out of 10

Like each month, have a look at the work funded by Freexian s Debian LTS offering.

Debian LTS contributors In October, 20 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 6.0h (out of 7.0h assigned and 7.0h from previous period), thus carrying over 8.0h to the next month.
• Adrian Bunk did 15.0h (out of 87.0h assigned and 13.0h from previous period), thus carrying over 85.0h to the next month.
• Arturo Borrero Gonzalez did 10.0h (out of 10.0h assigned).
• Bastien Roucari s did 20.0h (out of 20.0h assigned).
• Ben Hutchings did 4.0h (out of 0.0h assigned and 4.0h from previous period).
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Daniel Leidert did 29.0h (out of 26.0h assigned and 3.0h from previous period).
• Emilio Pozuelo Monfort did 60.0h (out of 23.5h assigned and 36.5h from previous period).
• Guilhem Moulin did 7.5h (out of 19.75h assigned and 0.25h from previous period), thus carrying over 12.5h to the next month.
• Lee Garrett did 15.25h (out of 0.0h assigned and 60.0h from previous period), thus carrying over 44.75h to the next month.
• Lucas Kanashiro did 10.0h (out of 10.0h assigned and 10.0h from previous period), thus carrying over 10.0h to the next month.
• Markus Koschany did 40.0h (out of 40.0h assigned).
• Ola Lundqvist did 14.5h (out of 6.5h assigned and 17.5h from previous period), thus carrying over 9.5h to the next month.
• Roberto C. S nchez did 9.75h (out of 24.0h assigned), thus carrying over 14.25h to the next month.
• Santiago Ruano Rinc n did 23.5h (out of 25.0h assigned), thus carrying over 1.5h to the next month.
• Sean Whitton did 6.25h (out of 1.0h assigned and 5.25h from previous period).
• Stefano Rivera did 1.0h (out of 0.0h assigned and 10.0h from previous period), thus carrying over 9.0h to the next month.
• Sylvain Beucler did 9.5h (out of 16.0h assigned and 44.0h from previous period), thus carrying over 50.5h to the next month.
• Thorsten Alteholz did 11.0h (out of 11.0h assigned).
• Tobias Frost did 10.5h (out of 12.0h assigned), thus carrying over 1.5h to the next month.

Evolution of the situation In October, we have released 35 DLAs. Some notable updates prepared in October include denial of service vulnerability fixes in nss, regression fixes in apache2, multiple fixes in php7.4, and new upstream releases of firefox-esr, openjdk-17, and opendk-11. Additional contributions were made for the stable Debian 12 bookworm release by several LTS contributors. Arturo Borrero Gonzalez prepared a parallel update of nss, Bastien Roucari s prepared a parallel update of apache2, and Santiago Ruano Rinc n prepared updates of activemq for both LTS and Debian stable. LTS contributor Bastien Roucari s undertook a code audit of the cacti package and in the process discovered three new issues in node-dompurity, which were reported upstream and resulted in the assignment of three new CVEs. As always, the LTS team continues to work towards improving the overall sustainability of the free software base upon which Debian LTS is built. We thank our many committed sponsors for their ongoing support.

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • Toshiba Corporation (for 109 months)
  • Civil Infrastructure Platform (CIP) (for 77 months)
  • VyOS Inc (for 41 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 119 months)
  • Akamai - Linode (for 113 months)
  • Babiel GmbH (for 103 months)
  • Plat Home (for 102 months)
  • CINECA (for 77 months)
  • University of Oxford (for 59 months)
  • Deveryware (for 46 months)
  • EDF SA (for 31 months)
  • Dataport A R (for 6 months)
  • CERN (for 4 months)
• Silver sponsors:
  • Domeneshop AS (for 124 months)
  • Nantes M tropole (for 118 months)
  • Univention GmbH (for 110 months)
  • Universit Jean Monnet de St Etienne (for 110 months)
  • Ribbon Communications, Inc. (for 104 months)
  • Exonet B.V. (for 94 months)
  • Leibniz Rechenzentrum (for 88 months)
  • Minist re de l Europe et des Affaires trang res (for 72 months)
  • Cloudways by DigitalOcean (for 61 months)
  • Dinahosting SL (for 59 months)
  • Bauer Xcel Media Deutschland KG (for 53 months)
  • Platform.sh SAS (for 53 months)
  • Moxa Inc. (for 47 months)
  • sipgate GmbH (for 45 months)
  • OVH US LLC (for 43 months)
  • Tilburg University (for 43 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 34 months)
  • Soliton Systems K.K. (for 31 months)
  • THINline s.r.o. (for 7 months)
  • Copenhagen Airports A/S
• Bronze sponsors:
  • Evolix (for 124 months)
  • Seznam.cz, a.s. (for 124 months)
  • Intevation GmbH (for 121 months)
  • Linuxhotel GmbH (for 121 months)
  • Daevel SARL (for 120 months)
  • Bitfolk LTD (for 119 months)
  • Megaspace Internet Services GmbH (for 119 months)
  • Greenbone AG (for 118 months)
  • NUMLOG (for 118 months)
  • WinGo AG (for 117 months)
  • Entr ouvert (for 108 months)
  • Adfinis AG (for 106 months)
  • Tesorion (for 101 months)
  • GNI MEDIA (for 100 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 100 months)
  • Bearstech (for 92 months)
  • LiHAS (for 92 months)
  • Catalyst IT Ltd (for 87 months)
  • Supagro (for 82 months)
  • Demarcq SAS (for 81 months)
  • Universit Grenoble Alpes (for 67 months)
  • TouchWeb SAS (for 59 months)
  • SPiN AG (for 56 months)
  • CoreFiling (for 52 months)
  • Institut des sciences cognitives Marc Jeannerod (for 47 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 43 months)
  • Tem Innovations GmbH (for 38 months)
  • WordFinder.pro (for 37 months)
  • CNRS DT INSU R sif (for 36 months)
  • Alter Way (for 29 months)
  • Institut Camille Jordan (for 19 months)
  • SOBIS Software GmbH (for 4 months)

Like each month, have a look at the work funded by Freexian s Debian LTS offering.

Debian LTS contributors In September, 18 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 7.0h (out of 0.0h assigned and 14.0h from previous period), thus carrying over 7.0h to the next month.
• Adrian Bunk did 51.75h (out of 9.25h assigned and 55.5h from previous period), thus carrying over 13.0h to the next month.
• Arturo Borrero Gonzalez did 10.0h (out of 0.0h assigned and 10.0h from previous period).
• Bastien Roucari s did 20.0h (out of 20.0h assigned).
• Ben Hutchings did 20.0h (out of 12.0h assigned and 12.0h from previous period), thus carrying over 4.0h to the next month.
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Daniel Leidert did 23.0h (out of 26.0h assigned), thus carrying over 3.0h to the next month.
• Emilio Pozuelo Monfort did 23.5h (out of 22.25h assigned and 37.75h from previous period), thus carrying over 36.5h to the next month.
• Guilhem Moulin did 22.25h (out of 20.0h assigned and 2.5h from previous period), thus carrying over 0.25h to the next month.
• Lucas Kanashiro did 10.0h (out of 5.0h assigned and 15.0h from previous period), thus carrying over 10.0h to the next month.
• Markus Koschany did 40.0h (out of 40.0h assigned).
• Ola Lundqvist did 6.5h (out of 14.5h assigned and 9.5h from previous period), thus carrying over 17.5h to the next month.
• Roberto C. S nchez did 24.75h (out of 21.0h assigned and 3.75h from previous period).
• Santiago Ruano Rinc n did 19.0h (out of 19.0h assigned).
• Sean Whitton did 0.75h (out of 4.0h assigned and 2.0h from previous period), thus carrying over 5.25h to the next month.
• Sylvain Beucler did 16.0h (out of 42.0h assigned and 18.0h from previous period), thus carrying over 44.0h to the next month.
• Thorsten Alteholz did 11.0h (out of 11.0h assigned).
• Tobias Frost did 17.0h (out of 7.5h assigned and 9.5h from previous period).

Evolution of the situation In September, we have released 52 DLAs. September marked the first full month of Debian 11 bullseye under the responsibility of the LTS Team and the team immediately got to work, publishing more than 4 dozen updates. Some notable updates include ruby2.7 (denial-of-service, information leak, and remote code execution), git (various arbitrary code execution vulnerabilities), firefox-esr (multiple issues), gnutls28 (information disclosure), thunderbird (multiple issues), cacti (cross site scripting and SQL injection), redis (unauthorized access, denial of service, and remote code execution), mariadb-10.5 (arbitrary code execution), cups (arbitrary code execution). Several LTS contributors have also contributed package updates which either resulted in a DSA (a Debian Security Announcement, which applies to Debian 12 bookworm) or in an upload that will be published at the next stable point release of Debian 12 bookworm. This list of packages includes cups, cups-filters, booth, nghttp2, puredata, python3.11, sqlite3, and wireshark. This sort of work, contributing fixes to newer Debian releases (and sometimes even to unstable), helps to ensure that upgrades from a release in the LTS phase of its lifecycle to a newer release do not expose users to vulnerabilities which have been closed in the older release. Looking beyond Debian, LTS contributor Bastien Roucari s has worked with the upstream developers of apache2 to address regressions introduced upstream by some recent vulnerability fixes and he has also reached out to the community regarding a newly discovered security issue in the dompurify package. LTS contributor Santiago Ruano Rinc n has undertaken the work of triaging and reproducing nearly 4 dozen CVEs potentially affecting the freeimage package. The upstream development of freeimage appears to be dormant and some of the issues have languished for more than 5 years. It is unclear how much can be done without the aid of upstream, but we will do our best to provide as much help to the community as we can feasibly manage. Finally, it is sometimes necessary to limit or discontinue support for certain packages. The transition of a release from being under the responsibility of the Debian Security Team to that of the LTS Team is an occasion where we assess any pending decisions in this area and formalize them. Please see the announcement for a complete list of packages which have been designated as unsupported.

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 108 months)
  • Civil Infrastructure Platform (CIP) (for 76 months)
  • VyOS Inc (for 40 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 118 months)
  • Akamai - Linode (for 112 months)
  • Babiel GmbH (for 102 months)
  • Plat Home (for 101 months)
  • CINECA (for 76 months)
  • University of Oxford (for 58 months)
  • Deveryware (for 45 months)
  • EDF SA (for 30 months)
  • Dataport A R (for 5 months)
  • CERN (for 3 months)
• Silver sponsors:
  • Domeneshop AS (for 123 months)
  • Nantes M tropole (for 117 months)
  • Univention GmbH (for 109 months)
  • Universit Jean Monnet de St Etienne (for 109 months)
  • Ribbon Communications, Inc. (for 103 months)
  • Exonet B.V. (for 92 months)
  • Leibniz Rechenzentrum (for 87 months)
  • Minist re de l Europe et des Affaires trang res (for 70 months)
  • Cloudways by DigitalOcean (for 60 months)
  • Dinahosting SL (for 58 months)
  • Bauer Xcel Media Deutschland KG (for 52 months)
  • Platform.sh SAS (for 52 months)
  • Moxa Inc. (for 46 months)
  • sipgate GmbH (for 44 months)
  • OVH US LLC (for 42 months)
  • Tilburg University (for 42 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 33 months)
  • Soliton Systems K.K. (for 30 months)
  • THINline s.r.o. (for 6 months)
  • Copenhagen Airports A/S
• Bronze sponsors:
  • Evolix (for 123 months)
  • Seznam.cz, a.s. (for 123 months)
  • Intevation GmbH (for 120 months)
  • Linuxhotel GmbH (for 120 months)
  • Daevel SARL (for 119 months)
  • Bitfolk LTD (for 118 months)
  • Megaspace Internet Services GmbH (for 118 months)
  • Greenbone AG (for 117 months)
  • NUMLOG (for 117 months)
  • WinGo AG (for 116 months)
  • Entr ouvert (for 107 months)
  • Adfinis AG (for 105 months)
  • Tesorion (for 100 months)
  • GNI MEDIA (for 99 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 99 months)
  • Bearstech (for 91 months)
  • LiHAS (for 91 months)
  • Catalyst IT Ltd (for 86 months)
  • Supagro (for 81 months)
  • Demarcq SAS (for 80 months)
  • Universit Grenoble Alpes (for 66 months)
  • TouchWeb SAS (for 58 months)
  • SPiN AG (for 55 months)
  • CoreFiling (for 51 months)
  • Institut des sciences cognitives Marc Jeannerod (for 46 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 42 months)
  • Tem Innovations GmbH (for 37 months)
  • WordFinder.pro (for 36 months)
  • CNRS DT INSU R sif (for 35 months)
  • Alter Way (for 28 months)
  • Institut Camille Jordan (for 18 months)
  • SOBIS Software GmbH (for 3 months)

Like each month, have a look at the work funded by Freexian s Debian LTS offering.

Debian LTS contributors In August, 16 contributors have been paid to work on Debian LTS, their reports are available:

• Adrian Bunk did 44.5h (out of 46.5h assigned and 53.5h from previous period), thus carrying over 55.5h to the next month.
• Bastien Roucari s did 20.0h (out of 20.0h assigned).
• Ben Hutchings did 9.0h (out of 0.0h assigned and 21.0h from previous period), thus carrying over 12.0h to the next month.
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Daniel Leidert did 12.0h (out of 7.0h assigned and 5.0h from previous period).
• Emilio Pozuelo Monfort did 22.25h (out of 6.5h assigned and 53.5h from previous period), thus carrying over 37.75h to the next month.
• Guilhem Moulin did 17.5h (out of 8.75h assigned and 11.25h from previous period), thus carrying over 2.5h to the next month.
• Lee Garrett did 11.5h (out of 58.0h assigned and 2.0h from previous period), thus carrying over 48.5h to the next month.
• Markus Koschany did 40.0h (out of 40.0h assigned).
• Ola Lundqvist did 14.5h (out of 4.0h assigned and 20.0h from previous period), thus carrying over 9.5h to the next month.
• Roberto C. S nchez did 8.25h (out of 5.0h assigned and 7.0h from previous period), thus carrying over 3.75h to the next month.
• Santiago Ruano Rinc n did 21.5h (out of 11.5h assigned and 10.0h from previous period).
• Sean Whitton did 4.0h (out of 2.25h assigned and 3.75h from previous period), thus carrying over 2.0h to the next month.
• Sylvain Beucler did 42.0h (out of 46.0h assigned and 14.0h from previous period), thus carrying over 18.0h to the next month.
• Thorsten Alteholz did 11.0h (out of 11.0h assigned).
• Tobias Frost did 2.5h (out of 7.75h assigned and 4.25h from previous period), thus carrying over 9.5h to the next month.

Evolution of the situation In August, we have released 1 DLAs. During the month of August Debian 11 "bullseye" officially transitioned to the responsibility of the LTS team (on 2024-08-15). However, because the final point release (11.11) was not made until 2024-08-31, LTS contributors were prevented from uploading packages to bullseye until after the point release had been made. That said, the team was not at all idle, and was busy at work on a variety of tasks which impacted both LTS and the broader Debian community, as well as preparing uploads which will be released during the month of September. Of particular note, LTS contributor Bastien Roucari s prepared updates of the putty and cacti packages for bookworm (1 2) and bullseye (1 2), which were accepted by the old-stable release managers for the August point releases. He also analysed several security regressions in the apache2 package. LTS contributor Emilio Pozuelo Monfort worked on the Rust toolchain in bookworm and bullseye, which will be needed to support the upcoming Firefox ESR and Thunderbird ESR releases from the Mozilla project. Additionally, LTS contributor Thorsten Alteholz prepared bookworm and bullseye updates of the cups package (1 2), which were accepted by the old-stable release managers for the August point releases. LTS contributor Markus Koschany collaborated with Emmanuel Bourg, co-maintainer of the tomcat packages in Debian. Regressions in a proposed security fix necessitated the updating of the tomcat10 package in Debian to the latest upstream release. LTS contributors Bastien and Santiago Ruano Rinc n collaborated with the upstream developers and the Debian maintainer (Bernhard Schmidt) of the FreeRADIUS project towards addressing the BlastRADIUS vulnerability in the bookworm and bullseye versions of the freeradius package. If you use FreeRADIUS in Debian bookworm or bullseye, we encourage you to test the packages following the instructions found in the call for testers to help identifying any possible regression that could be introduced with these updates. Testing is an important part of the work the LTS Team does, and in that vein LTS contributor Sean Whitton worked on improving the documentation and tooling around creating test filesystems which can be used for testing a variety of package update scenarios.

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 107 months)
  • Civil Infrastructure Platform (CIP) (for 75 months)
  • VyOS Inc (for 39 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 117 months)
  • Akamai - Linode (for 111 months)
  • Babiel GmbH (for 101 months)
  • Plat Home (for 100 months)
  • CINECA (for 75 months)
  • University of Oxford (for 57 months)
  • Deveryware (for 44 months)
  • EDF SA (for 29 months)
  • Dataport A R (for 4 months)
• Silver sponsors:
  • Domeneshop AS (for 122 months)
  • Nantes M tropole (for 116 months)
  • Univention GmbH (for 108 months)
  • Universit Jean Monnet de St Etienne (for 108 months)
  • Ribbon Communications, Inc. (for 102 months)
  • Exonet B.V. (for 91 months)
  • Leibniz Rechenzentrum (for 86 months)
  • Minist re de l Europe et des Affaires trang res (for 69 months)
  • Cloudways by DigitalOcean (for 59 months)
  • Dinahosting SL (for 57 months)
  • Bauer Xcel Media Deutschland KG (for 51 months)
  • Platform.sh SAS (for 51 months)
  • Moxa Inc. (for 45 months)
  • sipgate GmbH (for 43 months)
  • OVH US LLC (for 41 months)
  • Tilburg University (for 41 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 32 months)
  • Soliton Systems K.K. (for 29 months)
  • THINline s.r.o. (for 5 months)
• Bronze sponsors:
  • Evolix (for 122 months)
  • Seznam.cz, a.s. (for 122 months)
  • Intevation GmbH (for 119 months)
  • Linuxhotel GmbH (for 119 months)
  • Daevel SARL (for 118 months)
  • Bitfolk LTD (for 117 months)
  • Megaspace Internet Services GmbH (for 117 months)
  • Greenbone AG (for 116 months)
  • NUMLOG (for 116 months)
  • WinGo AG (for 115 months)
  • Entr ouvert (for 106 months)
  • Adfinis AG (for 104 months)
  • Tesorion (for 99 months)
  • GNI MEDIA (for 98 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 98 months)
  • Bearstech (for 90 months)
  • LiHAS (for 90 months)
  • Catalyst IT Ltd (for 85 months)
  • Supagro (for 80 months)
  • Demarcq SAS (for 79 months)
  • Universit Grenoble Alpes (for 65 months)
  • TouchWeb SAS (for 57 months)
  • SPiN AG (for 54 months)
  • CoreFiling (for 50 months)
  • Institut des sciences cognitives Marc Jeannerod (for 45 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 41 months)
  • Tem Innovations GmbH (for 36 months)
  • WordFinder.pro (for 35 months)
  • CNRS DT INSU R sif (for 34 months)
  • Alter Way (for 27 months)
  • Institut Camille Jordan (for 17 months)
  • SOBIS Software GmbH

Like each month, have a look at the work funded by Freexian s Debian LTS offering.

Debian LTS contributors In July, 13 contributors have been paid to work on Debian LTS, their reports are available:

• Bastien Roucari s did 20.0h (out of 20.0h assigned).
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Daniel Leidert did 5.0h (out of 4.0h assigned and 6.0h from previous period), thus carrying over 5.0h to the next month.
• Guilhem Moulin did 8.75h (out of 4.5h assigned and 15.5h from previous period), thus carrying over 11.25h to the next month.
• Lee Garrett did 51.5h (out of 10.5h assigned and 43.0h from previous period), thus carrying over 2.0h to the next month.
• Lucas Kanashiro did 5.0h (out of 5.0h assigned and 15.0h from previous period), thus carrying over 15.0h to the next month.
• Markus Koschany did 40.0h (out of 40.0h assigned).
• Ola Lundqvist did 4.0h (out of 10.0h assigned and 14.0h from previous period), thus carrying over 20.0h to the next month.
• Roberto C. S nchez did 5.0h (out of 5.25h assigned and 6.75h from previous period), thus carrying over 7.0h to the next month.
• Santiago Ruano Rinc n did 6.0h (out of 16.0h assigned), thus carrying over 10.0h to the next month.
• Sean Whitton did 2.25h (out of 6.0h assigned), thus carrying over 3.75h to the next month.
• Sylvain Beucler did 39.5h (out of 2.5h assigned and 51.0h from previous period), thus carrying over 14.0h to the next month.
• Thorsten Alteholz did 11.0h (out of 11.0h assigned).

Evolution of the situation In July, we have released 1 DLA. August will be the month that Debian 11 makes the transition to LTS. Our contributors have already been hard at work with preparatorty tasks and also with making contributions to packages in Debian 11 in close collaboration with the Debian security team and package maintainers. As a result, users and sponsors should not observe any especially notable differences as the transition occurs. While only one DLA was released in July (as a result of the transitional state of Debian 11 bullseye ), there were some notable highlights. LTS contributor Guilhem Moulin prepared an update of libvirt for Debian 11 (in collaboration with the Old-Stable Release Managers and the Debian Security Team) to fix a number of outstanding CVEs which did not rise to the level of a DSA by the Debian Security Team. The update prepared by Guilhem will be included in Debian 11 as part of the final point release at the end of August, one of the final transition steps by the Release Managers as Debian 11 moves entirely to the LTS Team s responsibility. Notable work was also undertaken by contributors Lee Garrett (fixes on the ansible test suite and a bullseye update), Lucas Kanashiro (Rust toolchain, utilized by the clamav, firefox-esr, and thunderbird packages), and Sylvain Beucler (fixes on the ruby2.5/2.7 test suites and CI infrastructure), which will help improve the quality of updates produced during the next LTS cycle. June was the final month of LTS for Debian 10 (as announced on the debian-lts-announce mailing list). No additional Debian 10 security updates will be made available on security.debian.org. However, Freexian and its team of paid Debian contributors will continue to maintain Debian 10 going forward for customers of the Extended LTS offer. Subscribe right away if you still have Debian 10 systems which must be kept secure (and which cannot yet be upgraded).

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 106 months)
  • Civil Infrastructure Platform (CIP) (for 74 months)
  • VyOS Inc (for 38 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 116 months)
  • Linode (for 110 months)
  • Babiel GmbH (for 100 months)
  • Plat Home (for 99 months)
  • CINECA (for 74 months)
  • University of Oxford (for 56 months)
  • Deveryware (for 43 months)
  • EDF SA (for 28 months)
  • Dataport A R (for 3 months)
• Silver sponsors:
  • Domeneshop AS (for 121 months)
  • Nantes M tropole (for 115 months)
  • Univention GmbH (for 107 months)
  • Universit Jean Monnet de St Etienne (for 107 months)
  • Ribbon Communications, Inc. (for 101 months)
  • Exonet B.V. (for 91 months)
  • Leibniz Rechenzentrum (for 85 months)
  • Minist re de l Europe et des Affaires trang res (for 69 months)
  • Cloudways by DigitalOcean (for 58 months)
  • Dinahosting SL (for 56 months)
  • Bauer Xcel Media Deutschland KG (for 50 months)
  • Platform.sh SAS (for 50 months)
  • Moxa Inc. (for 44 months)
  • sipgate GmbH (for 42 months)
  • OVH US LLC (for 40 months)
  • Tilburg University (for 40 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 31 months)
  • Soliton Systems K.K. (for 28 months)
  • THINline s.r.o. (for 4 months)
• Bronze sponsors:
  • Evolix (for 121 months)
  • Seznam.cz, a.s. (for 121 months)
  • Intevation GmbH (for 118 months)
  • Linuxhotel GmbH (for 118 months)
  • Daevel SARL (for 117 months)
  • Bitfolk LTD (for 116 months)
  • Megaspace Internet Services GmbH (for 116 months)
  • Greenbone AG (for 115 months)
  • NUMLOG (for 115 months)
  • WinGo AG (for 114 months)
  • Entr ouvert (for 105 months)
  • Adfinis AG (for 103 months)
  • Tesorion (for 98 months)
  • GNI MEDIA (for 97 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 97 months)
  • Bearstech (for 89 months)
  • LiHAS (for 89 months)
  • Catalyst IT Ltd (for 84 months)
  • Supagro (for 79 months)
  • Demarcq SAS (for 78 months)
  • Universit Grenoble Alpes (for 64 months)
  • TouchWeb SAS (for 56 months)
  • SPiN AG (for 53 months)
  • CoreFiling (for 49 months)
  • Institut des sciences cognitives Marc Jeannerod (for 44 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 40 months)
  • Tem Innovations GmbH (for 35 months)
  • WordFinder.pro (for 34 months)
  • CNRS DT INSU R sif (for 33 months)
  • Alter Way (for 26 months)
  • Institut Camille Jordan (for 16 months)
  • SOBIS Software GmbH

Most banks are behind CDNs and DDoS mitigation providers nowadays, though they still hold their own IP space. Was interested in this, so compiled a list from BGP.Tools and Hurricane Electric BGP Toolkit.

• AS17436 ICICIBANK Ltd, Banking, Mumbai
• AS24055 Deutsche Bank AG-India Internet AS
• AS38029 Citibank N.A. - ISP Peering, Chennai, India
• AS38468 ASN for Yes Bank
• AS45644 SBI-EMS-NET-IN
• AS59194 Central Bank of India
• AS131283 HDFC Bank House
• AS132440 Unity Small Finance Bank Pvt. Ltd.
• AS132946 Ujjivan Small Finance Bank Ltd
• AS132989 Sangli Urban Co-operative Bank Ltd
• AS133640 Indian Overseas Bank
• AS133657 IndusInd Bank Ltd
• AS134909 The South Indian Bank Ltd
• AS135086 Axis Bank Limited
• AS135745 UCO Bank
• AS135819 Chaitanya Godavari Grameena Bank
• AS136252 The Bank of Baroda Limited
• AS136324 IDBI Bank Ltd
• AS136622 Equitas Small Finance Bank Ltd
• AS136680 Bank of Maharashtra
• AS136707 The Kalupur Commercial Co-operative Bank Limited
• AS137104 India Post Payments Bank Limited
• AS137108 Bank of India
• AS137130 Punjab National Bank
• AS137662 IDFC Bank Ltd
• AS137670 Canara Bank
• AS138318 The Visakhapatnam Cooperative Bank Ltd
• AS140156 Karnataka Gramin Bank
• AS141222 Telangana State Coorperative Apex Bank Ltd
• AS141561 Punjab and Sind Bank
• AS146870 TJSB Sahakari Bank Ltd
• AS149202 The Jammu And Kashmir Bank Pvt Ltd
• AS149528 Indian Bank
• AS149603 Suryoday Small Finance Bank Limited
• AS150029 The Karnataka Bank Ltd
• AS151172 CSB Bank Ltd
• AS151692 Small Industries Development Bank of India

Other noteable mentions:

• AS141857 National Bank for Agriculture and Rural Development
• AS151773 Reserve Bank Information Technology Pvt Ltd

Let me know if I m missing someone. Many thanks to Saswata Sarkar for helping with the list.

Like each month, have a look at the work funded by Freexian s Debian LTS offering.

Debian LTS contributors In June, 18 contributors have been paid to work on Debian LTS, their reports are available:

• Adrian Bunk did 47.0h (out of 74.25h assigned and 11.75h from previous period), thus carrying over 39.0h to the next month.
• Arturo Borrero Gonzalez did 6.0h (out of 6.0h assigned).
• Bastien Roucari s did 20.0h (out of 20.0h assigned).
• Ben Hutchings did 15.5h (out of 16.0h assigned and 8.0h from previous period), thus carrying over 8.5h to the next month.
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Daniel Leidert did 4.0h (out of 8.0h assigned and 2.0h from previous period), thus carrying over 6.0h to the next month.
• Emilio Pozuelo Monfort did 23.25h (out of 49.5h assigned and 10.5h from previous period), thus carrying over 36.75h to the next month.
• Guilhem Moulin did 4.5h (out of 13.0h assigned and 7.0h from previous period), thus carrying over 15.5h to the next month.
• Lee Garrett did 17.0h (out of 25.0h assigned and 35.0h from previous period), thus carrying over 43.0h to the next month.
• Lucas Kanashiro did 5.0h (out of 10.0h assigned and 10.0h from previous period), thus carrying over 15.0h to the next month.
• Markus Koschany did 40.0h (out of 40.0h assigned).
• Ola Lundqvist did 10.0h (out of 6.5h assigned and 17.5h from previous period), thus carrying over 14.0h to the next month.
• Roberto C. S nchez did 5.25h (out of 7.75h assigned and 4.25h from previous period), thus carrying over 6.75h to the next month.
• Santiago Ruano Rinc n did 22.5h (out of 14.5h assigned and 8.0h from previous period).
• Sean Whitton did 6.5h (out of 6.0h assigned and 0.5h from previous period).
• Stefano Rivera did 0.5h (out of 0.0h assigned and 10.0h from previous period), thus carrying over 9.5h to the next month.
• Sylvain Beucler did 9.0h (out of 24.5h assigned and 35.5h from previous period), thus carrying over 51.0h to the next month.
• Thorsten Alteholz did 14.0h (out of 14.0h assigned).

Evolution of the situation In June, we have released 31 DLAs. Notable security updates in June included:

• git: multiple vulnerabilities, which may result in privilege escalation, denial of service, and arbitrary code execution
• sendmail: SMTP smuggling allowed remote attackers bypass SPF protection checks
• cups: arbitrary remote code execution

Looking further afield to the broader Debian ecosystem, LTS contributor Bastien Roucari s also patched sendmail in Debian 12 (bookworm) and 11 (bullseye) in order to fix the previously mentioned SMTP smuggling vulnerability. Furthermore, LTS contributor Thorsten Alteholz provided fixes for the cups packages in Debian 12 (bookworm) and 11 (bullseye) in order to fix the aforementioned arbitrary remote code execution vulnerability. Additionally, LTS contributor Ben Hutchings has commenced work on an updated backport of Linux kernel 6.1 to Debian 11 (bullseye), in preparation for bullseye transitioning to the responsibility of the LTS (and the associated closure of the bullseye-backports repository). LTS Lucas Kanashiro also began the preparatory work of backporting parts of the rust/cargo toolchain to Debian 11 (bullseye) in order to make future updates of the clamav virus scanner possible. June was the final month of LTS for Debian 10 (as announced on the debian-lts-announce mailing list). No additional Debian 10 security updates will be made available on security.debian.org. However, Freexian and its team of paid Debian contributors will continue to maintain Debian 10 going forward for the customers of the Extended LTS offer. Subscribe right away if you sill have Debian 10 which must be kept secure (and which cannot yet be upgraded).

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 105 months)
  • Civil Infrastructure Platform (CIP) (for 73 months)
  • VyOS Inc (for 37 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 115 months)
  • Linode (for 109 months)
  • Babiel GmbH (for 99 months)
  • Plat Home (for 98 months)
  • CINECA (for 73 months)
  • University of Oxford (for 55 months)
  • Deveryware (for 42 months)
  • EDF SA (for 27 months)
  • Dataport A R
• Silver sponsors:
  • Domeneshop AS (for 120 months)
  • Nantes M tropole (for 114 months)
  • Univention GmbH (for 106 months)
  • Universit Jean Monnet de St Etienne (for 106 months)
  • Ribbon Communications, Inc. (for 100 months)
  • Exonet B.V. (for 90 months)
  • Leibniz Rechenzentrum (for 84 months)
  • Minist re de l Europe et des Affaires trang res (for 68 months)
  • Cloudways by DigitalOcean (for 57 months)
  • Dinahosting SL (for 55 months)
  • Bauer Xcel Media Deutschland KG (for 49 months)
  • Platform.sh SAS (for 49 months)
  • Moxa Inc. (for 43 months)
  • sipgate GmbH (for 41 months)
  • OVH US LLC (for 39 months)
  • Tilburg University (for 39 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 30 months)
  • Soliton Systems K.K. (for 27 months)
  • THINline s.r.o. (for 3 months)
• Bronze sponsors:
  • Evolix (for 120 months)
  • Seznam.cz, a.s. (for 120 months)
  • Intevation GmbH (for 117 months)
  • Linuxhotel GmbH (for 117 months)
  • Daevel SARL (for 116 months)
  • Bitfolk LTD (for 115 months)
  • Megaspace Internet Services GmbH (for 115 months)
  • Greenbone AG (for 114 months)
  • NUMLOG (for 114 months)
  • WinGo AG (for 113 months)
  • Ecole Centrale de Nantes - LHEEA (for 109 months)
  • Entr ouvert (for 104 months)
  • Adfinis AG (for 102 months)
  • Tesorion (for 97 months)
  • GNI MEDIA (for 96 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 96 months)
  • Bearstech (for 88 months)
  • LiHAS (for 88 months)
  • Catalyst IT Ltd (for 83 months)
  • Supagro (for 78 months)
  • Demarcq SAS (for 77 months)
  • Universit Grenoble Alpes (for 63 months)
  • TouchWeb SAS (for 55 months)
  • SPiN AG (for 52 months)
  • CoreFiling (for 48 months)
  • Institut des sciences cognitives Marc Jeannerod (for 43 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 39 months)
  • Tem Innovations GmbH (for 34 months)
  • WordFinder.pro (for 33 months)
  • CNRS DT INSU R sif (for 32 months)
  • Alter Way (for 25 months)
  • Institut Camille Jordan (for 15 months)

Like each month, have a look at the work funded by Freexian s Debian LTS offering.

Debian LTS contributors In May, 17 contributors have been paid to work on Debian LTS, their reports are available:

• Adrian Bunk did 34.25h (out of 24.0h assigned and 22.0h from previous period), thus carrying over 11.75h to the next month.
• Bastien Roucari s did 20.0h (out of 20.0h assigned).
• Ben Hutchings did 16.0h (out of 24.0h assigned), thus carrying over 8.0h to the next month.
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Daniel Leidert did 8.0h (out of 10.0h assigned), thus carrying over 2.0h to the next month.
• Emilio Pozuelo Monfort did 35.5h (out of 46.0h assigned), thus carrying over 10.5h to the next month.
• Guilhem Moulin did 13.0h (out of 14.75h assigned and 5.25h from previous period), thus carrying over 7.0h to the next month.
• Lee Garrett did 11.0h (out of 37.25h assigned and 8.75h from previous period), thus carrying over 35.0h to the next month.
• Lucas Kanashiro did 10.0h (out of 20.0h assigned), thus carrying over 10.0h to the next month.
• Markus Koschany did 40.0h (out of 40.0h assigned).
• Ola Lundqvist did 6.5h (out of 22.5h assigned and 1.5h from previous period), thus carrying over 17.5h to the next month.
• Roberto C. S nchez did 7.75h (out of 11.0h assigned and 1.0h from previous period), thus carrying over 4.25h to the next month.
• Santiago Ruano Rinc n did 8.0h (out of 16.0h assigned), thus carrying over 8.0h to the next month.
• Sean Whitton did 5.5h (out of 5.5h assigned and 0.5h from previous period), thus carrying over 0.5h to the next month.
• Sylvain Beucler did 10.5h (out of 0.75h assigned and 45.25h from previous period), thus carrying over 35.5h to the next month.
• Thorsten Alteholz did 14.0h (out of 14.0h assigned).
• Tobias Frost did 7.75h (out of 10.0h assigned and 2.0h from previous period), thus carrying over 4.25h to the next month.

Evolution of the situation In May, we have released 20 DLAs. Notable security updates in May included:

• apache2: multiple vulnerabilities which may result in HTTP response splitting, denial of service, or authorization bypass (by Bastien Roucari s, in collaboration with apache2 maintainer Yadd)
• bind9: two vulnerabilities, called KeyTrap and NSEC3, which may result in denial of service (by Santiago Ruano Rinc n)
• python-pymysql: potential SQL injection attack (by Chris Lamb)

The aforementioned apache2 was prepared by its Debian maintainer Yadd. This update also involved work on the package test suite in buster, which contributor Bastien Roucari s then forwarded to the apache2 package in unstable. More importantly, a regression in fossil was reported, and Bastien prepared a fix for it. Bastien coordinated the upload of both packages to minimize the introduction of regressions. Contributor Daniel Leidert also prepared an upload of runc to Debian 11 in order fix a number of CVEs still affecting that package. Finally, contributor Thorsten Alteholz prepared uploads for qtbase-opensource-src, libjwt, and libmicrohttpd in Debian 11. Note that Debian 11 will pass into the LTS phase of support in August and these updates will improve the state and long-term supportability of Debian 11. Debian 10 is presently in its final month of LTS support (as announced on the debian-lts-announce mailing list, support will end on June 30th), after which no new security updates will be made available on security.debian.org. However, Freexian and its team of paid Debian contributors will continue to maintain Debian 10 going forward for the customers of the Extended LTS offer. Subscribe right away if you sill have Debian 10 which must be kept secure (and which cannot yet be upgraded).

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 105 months)
  • Civil Infrastructure Platform (CIP) (for 73 months)
  • VyOS Inc (for 37 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 116 months)
  • Linode (for 110 months)
  • Babiel GmbH (for 99 months)
  • Plat Home (for 99 months)
  • CINECA (for 73 months)
  • University of Oxford (for 55 months)
  • Deveryware (for 42 months)
  • EDF SA (for 26 months)
  • CERN
• Silver sponsors:
  • Domeneshop AS (for 120 months)
  • Nantes M tropole (for 115 months)
  • Univention GmbH (for 106 months)
  • Universit Jean Monnet de St Etienne (for 106 months)
  • Ribbon Communications, Inc. (for 100 months)
  • Exonet B.V. (for 90 months)
  • Leibniz Rechenzentrum (for 84 months)
  • Minist re de l Europe et des Affaires trang res (for 67 months)
  • Cloudways by DigitalOcean (for 57 months)
  • Dinahosting SL (for 55 months)
  • Bauer Xcel Media Deutschland KG (for 49 months)
  • Platform.sh SAS (for 49 months)
  • Moxa Inc. (for 43 months)
  • sipgate GmbH (for 40 months)
  • OVH US LLC (for 38 months)
  • Tilburg University (for 38 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 30 months)
  • Soliton Systems K.K. (for 27 months)
  • THINline s.r.o.
• Bronze sponsors:
  • Evolix (for 121 months)
  • Seznam.cz, a.s. (for 121 months)
  • Intevation GmbH (for 118 months)
  • Linuxhotel GmbH (for 118 months)
  • Daevel SARL (for 116 months)
  • Bitfolk LTD (for 115 months)
  • Megaspace Internet Services GmbH (for 115 months)
  • NUMLOG (for 115 months)
  • Greenbone AG (for 114 months)
  • WinGo AG (for 114 months)
  • Ecole Centrale de Nantes - LHEEA (for 110 months)
  • Entr ouvert (for 105 months)
  • Adfinis AG (for 102 months)
  • GNI MEDIA (for 97 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 97 months)
  • Tesorion (for 97 months)
  • Bearstech (for 88 months)
  • LiHAS (for 88 months)
  • Catalyst IT Ltd (for 83 months)
  • Supagro (for 78 months)
  • Demarcq SAS (for 77 months)
  • Universit Grenoble Alpes (for 63 months)
  • TouchWeb SAS (for 55 months)
  • SPiN AG (for 52 months)
  • CoreFiling (for 47 months)
  • Institut des sciences cognitives Marc Jeannerod (for 42 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 39 months)
  • Tem Innovations GmbH (for 34 months)
  • WordFinder.pro (for 33 months)
  • CNRS DT INSU R sif (for 32 months)
  • Alter Way (for 25 months)
  • Institut Camille Jordan (for 14 months)

Like each month, have a look at the work funded by Freexian s Debian LTS offering.

Debian LTS contributors In April, 19 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 0.5h (out of 0.0h assigned and 14.0h from previous period), thus carrying over 13.5h to the next month.
• Adrian Bunk did 35.75h (out of 17.25h assigned and 40.5h from previous period), thus carrying over 22.0h to the next month.
• Bastien Roucari s did 25.0h (out of 25.0h assigned).
• Ben Hutchings did 24.0h (out of 9.0h assigned and 15.0h from previous period).
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Daniel Leidert did 10.0h (out of 10.0h assigned).
• Emilio Pozuelo Monfort did 46.0h (out of 12.0h assigned and 34.0h from previous period).
• Guilhem Moulin did 14.75h (out of 20.0h assigned), thus carrying over 5.25h to the next month.
• Lee Garrett did 51.25h (out of 0.0h assigned and 60.0h from previous period), thus carrying over 8.75h to the next month.
• Markus Koschany did 40.0h (out of 40.0h assigned).
• Ola Lundqvist did 22.5h (out of 19.5h assigned and 4.5h from previous period), thus carrying over 1.5h to the next month.
• Roberto C. S nchez did 11.0h (out of 9.25h assigned and 2.75h from previous period), thus carrying over 1.0h to the next month.
• Santiago Ruano Rinc n did 20.0h (out of 20.0h assigned).
• Sean Whitton did 9.5h (out of 4.5h assigned and 5.5h from previous period), thus carrying over 0.5h to the next month.
• Stefano Rivera did 1.5h (out of 0.0h assigned and 10.0h from previous period), thus carrying over 8.5h to the next month.
• Sylvain Beucler did 12.5h (out of 22.75h assigned and 35.0h from previous period), thus carrying over 45.25h to the next month.
• Thorsten Alteholz did 14.0h (out of 14.0h assigned).
• Tobias Frost did 10.0h (out of 12.0h assigned), thus carrying over 2.0h to the next month.
• Utkarsh Gupta did 3.25h (out of 28.5h assigned and 29.25h from previous period), thus carrying over 54.5h to the next month.

Evolution of the situation In April, we have released 28 DLAs. During the month of April, there was one particularly notable security update made in LTS. Guilhem Moulin prepared DLA-3782-1 for util-linux (part of the set of base packages and containing a number of important system utilities) in order to address a possible information disclosure vulnerability. Additionally, several contributors prepared updates for oldstable (bullseye), stable (bookworm), and unstable (sid), including:

• ruby-rack: prepared for oldstable, stable, and unstable by Adrian Bunk
• wpa: prepared for oldstable, stable, and unstable by Bastien Roucari s
• zookeeper: prepared for stable by Bastien Roucari s
• libjson-smart: prepared for unstable by Bastien Roucari s
• ansible: prepared for stable and unstable, including autopkgtest fixes to increase future supportability, by Lee Garrett
• wordpress: prepared for oldstable and stable by Markus Koschany
• emacs and org-mode: prepared for oldstable and stable by Sean Whitton
• qtbase-opensource-src: prepared for oldstable and stable by Thorsten Alteholz
• libjwt: prepared for oldstable by Thorsten Alteholz
• libmicrohttpd: prepared for oldstable by Thorsten Alteholz

These fixes were in addition to corresponding updates in LTS. Another item to highlight in this month s report is an update to the distro-info-data database by Stefano Rivera. This update ensures that Debian buster systems have the latest available information concerning the end-of-life dates and other related information for all releases of Debian and Ubuntu. As announced on the debian-lts-announce mailing list, it is worth to point out that we are getting close to the end of support of Debian 10 as LTS. After June 30th, no new security updates will be made available on security.debian.org. However, Freexian and its team of paid Debian contributors will continue to maintain Debian 10 going forward for the customers of the Extended LTS offer. If you still have Debian 10 servers to keep secure, it s time to subscribe!

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 104 months)
  • Civil Infrastructure Platform (CIP) (for 72 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 115 months)
  • Linode (for 109 months)
  • Babiel GmbH (for 98 months)
  • Plat Home (for 98 months)
  • CINECA (for 72 months)
  • University of Oxford (for 54 months)
  • Deveryware (for 41 months)
  • VyOS Inc (for 36 months)
  • EDF SA (for 25 months)
• Silver sponsors:
  • Domeneshop AS (for 119 months)
  • Nantes M tropole (for 114 months)
  • Univention GmbH (for 105 months)
  • Universit Jean Monnet de St Etienne (for 105 months)
  • Ribbon Communications, Inc. (for 99 months)
  • Exonet B.V. (for 89 months)
  • Leibniz Rechenzentrum (for 83 months)
  • Minist re de l Europe et des Affaires trang res (for 67 months)
  • Cloudways by DigitalOcean (for 56 months)
  • Dinahosting SL (for 54 months)
  • Bauer Xcel Media Deutschland KG (for 48 months)
  • Platform.sh SAS (for 48 months)
  • Moxa Inc. (for 42 months)
  • sipgate GmbH (for 39 months)
  • OVH US LLC (for 37 months)
  • Tilburg University (for 37 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 29 months)
  • Soliton Systems K.K. (for 26 months)
  • THINline s.r.o.
• Bronze sponsors:
  • Evolix (for 120 months)
  • Seznam.cz, a.s. (for 120 months)
  • Intevation GmbH (for 117 months)
  • Linuxhotel GmbH (for 117 months)
  • Daevel SARL (for 115 months)
  • Bitfolk LTD (for 114 months)
  • Megaspace Internet Services GmbH (for 114 months)
  • NUMLOG (for 114 months)
  • Greenbone AG (for 113 months)
  • WinGo AG (for 113 months)
  • Ecole Centrale de Nantes - LHEEA (for 109 months)
  • Entr ouvert (for 104 months)
  • Adfinis AG (for 102 months)
  • GNI MEDIA (for 96 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 96 months)
  • Tesorion (for 96 months)
  • Bearstech (for 87 months)
  • LiHAS (for 87 months)
  • Catalyst IT Ltd (for 82 months)
  • Supagro (for 77 months)
  • Demarcq SAS (for 76 months)
  • Universit Grenoble Alpes (for 62 months)
  • TouchWeb SAS (for 54 months)
  • SPiN AG (for 51 months)
  • CoreFiling (for 46 months)
  • Institut des sciences cognitives Marc Jeannerod (for 41 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 38 months)
  • Tem Innovations GmbH (for 33 months)
  • WordFinder.pro (for 32 months)
  • CNRS DT INSU R sif (for 31 months)
  • Alter Way (for 24 months)
  • Institut Camille Jordan (for 13 months)

I am happy to report that the megactl package, useful to fetch RAID status when using the LSI Megaraid controller, now is available in Debian. It passed NEW a few days ago, and is now available in unstable, and probably showing up in testing in a weeks time. The new version should provide Appstream hardware mapping and should integrate nicely with isenkram. As usual, if you use Bitcoin and want to show your support of my activities, please send Bitcoin donations to my address 15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b.

Like each month, have a look at the work funded by Freexian s Debian LTS offering.

Debian LTS contributors In March, 19 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 0.0h (out of 10.0h assigned and 4.0h from previous period), thus carrying over 14.0h to the next month.
• Adrian Bunk did 59.5h (out of 47.5h assigned and 52.5h from previous period), thus carrying over 40.5h to the next month.
• Bastien Roucari s did 22.0h (out of 20.0h assigned and 2.0h from previous period).
• Ben Hutchings did 9.0h (out of 2.0h assigned and 22.0h from previous period), thus carrying over 15.0h to the next month.
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Daniel Leidert did 12.0h (out of 12.0h assigned).
• Emilio Pozuelo Monfort did 0.0h (out of 3.0h assigned and 57.0h from previous period), thus carrying over 60.0h to the next month.
• Guilhem Moulin did 22.5h (out of 7.25h assigned and 15.25h from previous period).
• Holger Levsen did 0.0h (out of 0.5h assigned and 11.5h from previous period), thus carrying over 12.0h to the next month.
• Lee Garrett did 0.0h (out of 0.0h assigned and 60.0h from previous period), thus carrying over 60.0h to the next month.
• Markus Koschany did 40.0h (out of 40.0h assigned).
• Ola Lundqvist did 19.5h (out of 24.0h assigned), thus carrying over 4.5h to the next month.
• Roberto C. S nchez did 9.25h (out of 3.5h assigned and 8.5h from previous period), thus carrying over 2.75h to the next month.
• Santiago Ruano Rinc n did 19.0h (out of 16.5h assigned and 2.5h from previous period).
• Sean Whitton did 4.5h (out of 4.5h assigned and 1.5h from previous period), thus carrying over 1.5h to the next month.
• Sylvain Beucler did 25.0h (out of 24.5h assigned and 35.5h from previous period), thus carrying over 35.0h to the next month.
• Thorsten Alteholz did 14.0h (out of 14.0h assigned).
• Tobias Frost did 12.0h (out of 12.0h assigned).
• Utkarsh Gupta did 19.5h (out of 0.0h assigned and 48.75h from previous period), thus carrying over 29.25h to the next month.

Evolution of the situation In March, we have released 31 DLAs. Adrian Bunk was responsible for updating gtkwave not only in LTS, but also in unstable, stable, and old-stable as well. This update involved an upload of a new upstream release of gtkwave to each target suite to address 82 separate CVEs. Guilhem Moulin prepared an update of libvirt which was particularly notable, as it fixed multiple vulnerabilities which would lead to denial of service or information disclosure. In addition to the normal security updates, multiple LTS contributors worked at getting various packages updated in more recent Debian releases, including gross for bullseye/bookworm (by Adrian Bunk), imlib2 for bullseye, jetty9 and tomcat9/10 for bullseye/bookworm (by Markus Koschany), samba for bullseye, py7zr for bullseye (by Santiago Ruano Rinc n), cacti for bullseye/bookwork (by Sylvain Beucler), and libmicrohttpd for bullseye (by Thorsten Alteholz). Additionally, Sylvain actively coordinated with cacti upstream concerning an incomplete fix for CVE-2024-29894.

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 103 months)
  • Civil Infrastructure Platform (CIP) (for 71 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 114 months)
  • Linode (for 108 months)
  • Babiel GmbH (for 97 months)
  • Plat Home (for 97 months)
  • CINECA (for 71 months)
  • University of Oxford (for 53 months)
  • Deveryware (for 40 months)
  • VyOS Inc (for 35 months)
  • EDF SA (for 24 months)
• Silver sponsors:
  • Domeneshop AS (for 118 months)
  • Nantes M tropole (for 112 months)
  • Univention GmbH (for 104 months)
  • Universit Jean Monnet de St Etienne (for 104 months)
  • Ribbon Communications, Inc. (for 98 months)
  • Exonet B.V. (for 88 months)
  • Leibniz Rechenzentrum (for 82 months)
  • Minist re de l Europe et des Affaires trang res (for 65 months)
  • Cloudways by DigitalOcean (for 55 months)
  • Dinahosting SL (for 53 months)
  • Bauer Xcel Media Deutschland KG (for 47 months)
  • Platform.sh SAS (for 47 months)
  • Moxa Inc. (for 41 months)
  • sipgate GmbH (for 38 months)
  • OVH US LLC (for 36 months)
  • Tilburg University (for 36 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 28 months)
  • Soliton Systems K.K. (for 25 months)
  • THINline s.r.o.
• Bronze sponsors:
  • Evolix (for 119 months)
  • Seznam.cz, a.s. (for 119 months)
  • Intevation GmbH (for 116 months)
  • Linuxhotel GmbH (for 116 months)
  • Daevel SARL (for 114 months)
  • Bitfolk LTD (for 113 months)
  • Megaspace Internet Services GmbH (for 113 months)
  • Greenbone AG (for 112 months)
  • NUMLOG (for 112 months)
  • WinGo AG (for 112 months)
  • Ecole Centrale de Nantes - LHEEA (for 108 months)
  • Entr ouvert (for 103 months)
  • Adfinis AG (for 100 months)
  • GNI MEDIA (for 95 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 95 months)
  • Tesorion (for 95 months)
  • Bearstech (for 86 months)
  • LiHAS (for 86 months)
  • Catalyst IT Ltd (for 81 months)
  • Supagro (for 76 months)
  • Demarcq SAS (for 75 months)
  • Universit Grenoble Alpes (for 61 months)
  • TouchWeb SAS (for 53 months)
  • SPiN AG (for 50 months)
  • CoreFiling (for 45 months)
  • Institut des sciences cognitives Marc Jeannerod (for 40 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 37 months)
  • Tem Innovations GmbH (for 32 months)
  • WordFinder.pro (for 31 months)
  • CNRS DT INSU R sif (for 30 months)
  • Alter Way (for 23 months)
  • Institut Camille Jordan (for 12 months)

Like each month, have a look at the work funded by Freexian s Debian LTS offering.

Debian LTS contributors In February, 18 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 10.0h (out of 14.0h assigned), thus carrying over 4.0h to the next month.
• Adrian Bunk did 13.5h (out of 24.25h assigned and 41.75h from previous period), thus carrying over 52.5h to the next month.
• Bastien Roucari s did 20.0h (out of 20.0h assigned).
• Ben Hutchings did 2.0h (out of 14.5h assigned and 9.5h from previous period), thus carrying over 22.0h to the next month.
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Daniel Leidert did 10.0h (out of 10.0h assigned).
• Emilio Pozuelo Monfort did 3.0h (out of 28.25h assigned and 31.75h from previous period), thus carrying over 57.0h to the next month.
• Guilhem Moulin did 7.25h (out of 4.75h assigned and 15.25h from previous period), thus carrying over 12.75h to the next month.
• Holger Levsen did 0.5h (out of 3.5h assigned and 8.5h from previous period), thus carrying over 11.5h to the next month.
• Lee Garrett did 0.0h (out of 18.25h assigned and 41.75h from previous period), thus carrying over 60.0h to the next month.
• Markus Koschany did 40.0h (out of 40.0h assigned).
• Roberto C. S nchez did 3.5h (out of 8.75h assigned and 3.25h from previous period), thus carrying over 8.5h to the next month.
• Santiago Ruano Rinc n did 13.5h (out of 13.5h assigned and 2.5h from previous period), thus carrying over 2.5h to the next month.
• Sean Whitton did 4.5h (out of 0.5h assigned and 5.5h from previous period), thus carrying over 1.5h to the next month.
• Sylvain Beucler did 24.5h (out of 27.75h assigned and 32.25h from previous period), thus carrying over 35.5h to the next month.
• Thorsten Alteholz did 14.0h (out of 14.0h assigned).
• Tobias Frost did 12.0h (out of 12.0h assigned).
• Utkarsh Gupta did 11.25h (out of 26.75h assigned and 33.25h from previous period), thus carrying over 48.75 to the next month.

Evolution of the situation In February, we have released 17 DLAs. The number of DLAs published during February was a bit lower than usual, as there was much work going on in the area of triaging CVEs (a number of which turned out to not affect Debia buster, and others which ended up being duplicates, or otherwise determined to be invalid). Of the packages which did receive updates, notable were sudo (to fix a privilege management issue), and iwd and wpa (both of which suffered from authentication bypass vulnerabilities). While this has already been already announced in the Freexian blog, we would like to mention here the start of the Long Term Support project for Samba 4.17. You can find all the important details in that post, but we would like to highlight that it is thanks to our LTS sponsors that we are able to fund the work from our partner, Catalyst, towards improving the security support of Samba in Debian 12 (Bookworm).

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 102 months)
  • Civil Infrastructure Platform (CIP) (for 70 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 113 months)
  • Linode (for 107 months)
  • Babiel GmbH (for 96 months)
  • Plat Home (for 96 months)
  • CINECA (for 70 months)
  • University of Oxford (for 52 months)
  • Deveryware (for 39 months)
  • VyOS Inc (for 34 months)
  • EDF SA (for 23 months)
• Silver sponsors:
  • Domeneshop AS (for 117 months)
  • Nantes M tropole (for 112 months)
  • Univention GmbH (for 103 months)
  • Universit Jean Monnet de St Etienne (for 103 months)
  • Ribbon Communications, Inc. (for 97 months)
  • Exonet B.V. (for 87 months)
  • Leibniz Rechenzentrum (for 81 months)
  • Minist re de l Europe et des Affaires trang res (for 64 months)
  • Cloudways by DigitalOcean (for 54 months)
  • Dinahosting SL (for 52 months)
  • Bauer Xcel Media Deutschland KG (for 46 months)
  • Platform.sh SAS (for 46 months)
  • Moxa Inc. (for 40 months)
  • sipgate GmbH (for 37 months)
  • OVH US LLC (for 35 months)
  • Tilburg University (for 35 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 27 months)
  • Soliton Systems K.K. (for 24 months)
• Bronze sponsors:
  • Evolix (for 118 months)
  • Seznam.cz, a.s. (for 118 months)
  • Intevation GmbH (for 115 months)
  • Linuxhotel GmbH (for 115 months)
  • Daevel SARL (for 113 months)
  • Bitfolk LTD (for 112 months)
  • Megaspace Internet Services GmbH (for 112 months)
  • NUMLOG (for 112 months)
  • Greenbone AG (for 111 months)
  • WinGo AG (for 111 months)
  • Ecole Centrale de Nantes - LHEEA (for 107 months)
  • Entr ouvert (for 102 months)
  • Adfinis AG (for 99 months)
  • GNI MEDIA (for 94 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 94 months)
  • Tesorion (for 94 months)
  • Bearstech (for 85 months)
  • LiHAS (for 85 months)
  • Catalyst IT Ltd (for 80 months)
  • Supagro (for 75 months)
  • Demarcq SAS (for 74 months)
  • Universit Grenoble Alpes (for 60 months)
  • TouchWeb SAS (for 52 months)
  • SPiN AG (for 49 months)
  • CoreFiling (for 44 months)
  • Institut des sciences cognitives Marc Jeannerod (for 39 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 36 months)
  • Tem Innovations GmbH (for 31 months)
  • WordFinder.pro (for 30 months)
  • CNRS DT INSU R sif (for 29 months)
  • Alter Way (for 22 months)
  • Institut Camille Jordan (for 11 months)

The last few days I have revisited RAID setup using the LSI Megaraid controller. These are a family of controllers called PERC by Dell, and is present in several old PowerEdge servers, and I recently got my hands on one of these. I had forgotten how to handle this RAID controller in Debian, so I had to take a peek in the Debian wiki page "Linux and Hardware RAID: an administrator's summary" to remember what kind of software is available to configure and monitor the disks and controller. I prefer Free Software alternatives to proprietary tools, as the later tend to fall into disarray once the manufacturer loose interest, and often do not work with newer Linux Distributions. Sadly there is no free software tool to configure the RAID setup, only to monitor it. RAID can provide improved reliability and resilience in a storage solution, but only if it is being regularly checked and any broken disks are being replaced in time. I thus want to ensure some automatic monitoring is available. In the discovery process, I came across a old free software tool to monitor PERC2, PERC3, PERC4 and PERC5 controllers, which to my surprise is not present in debian. To help change that I created a request for packaging of the megactl package, and tried to track down a usable version. The original project site is on Sourceforge, but as far as I can tell that project has been dead for more than 15 years. I managed to find a more recent fork on github from user hmage, but it is unclear to me if this is still being maintained. It has not seen much improvements since 2016. A more up to date edition is a git fork from the original github fork by user namiltd, and this newer fork seem a lot more promising. The owner of this github repository has replied to change proposals within hours, and had already added some improvements and support for more hardware. Sadly he is reluctant to commit to maintaining the tool and stated in my first pull request that he think a new release should be made based on the git repository owned by hmage. I perfectly understand this reluctance, as I feel the same about maintaining yet another package in Debian when I barely have time to take care of the ones I already maintain, but do not really have high hopes that hmage will have time to spend on it and hope namiltd will change his mind. In any case, I created a draft package based on the namiltd edition and put it under the debian group on salsa.debian.org. If you own a Dell PowerEdge server with one of the PERC controllers, or any other RAID controller using the megaraid or megaraid_sas Linux kernel modules, you might want to check it out. If enough people are interested, perhaps the package will make it into the Debian archive. There are two tools provided, megactl for the megaraid Linux kernel module, and megasasctl for the megaraid_sas Linux kernel module. The simple output from the command on one of my machines look like this (yes, I know some of the disks have problems. :).

# megasasctl 
a0       PERC H730 Mini           encl:1 ldrv:2  batt:good
a0d0       558GiB RAID 1   1x2  optimal
a0d1      3067GiB RAID 0   1x11 optimal
a0e32s0     558GiB  a0d0  online   errs: media:0  other:19
a0e32s1     279GiB  a0d1  online  
a0e32s2     279GiB  a0d1  online  
a0e32s3     279GiB  a0d1  online  
a0e32s4     279GiB  a0d1  online  
a0e32s5     279GiB  a0d1  online  
a0e32s6     279GiB  a0d1  online  
a0e32s8     558GiB  a0d0  online   errs: media:0  other:17
a0e32s9     279GiB  a0d1  online  
a0e32s10    279GiB  a0d1  online  
a0e32s11    279GiB  a0d1  online  
a0e32s12    279GiB  a0d1  online  
a0e32s13    279GiB  a0d1  online  
#

In addition to displaying a simple status report, it can also test individual drives and print the various event logs. Perhaps you too find it useful? In the packaging process I provided some patches upstream to improve installation and ensure a Appstream metainfo file is provided to list all supported HW, to allow isenkram to propose the package on all servers with a relevant PCI card. As usual, if you use Bitcoin and want to show your support of my activities, please send Bitcoin donations to my address 15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b.

Like each month, have a look at the work funded by Freexian s Debian LTS offering.

Debian LTS contributors In January, 16 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 14.0h (out of 7.0h assigned and 7.0h from previous period).
• Bastien Roucari s did 22.0h (out of 16.0h assigned and 6.0h from previous period).
• Ben Hutchings did 14.5h (out of 8.0h assigned and 16.0h from previous period), thus carrying over 9.5h to the next month.
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Daniel Leidert did 10.0h (out of 10.0h assigned).
• Emilio Pozuelo Monfort did 10.0h (out of 14.75h assigned and 27.0h from previous period), thus carrying over 31.75h to the next month.
• Guilhem Moulin did 9.75h (out of 25.0h assigned), thus carrying over 15.25h to the next month.
• Holger Levsen did 3.5h (out of 12.0h assigned), thus carrying over 8.5h to the next month.
• Markus Koschany did 40.0h (out of 40.0h assigned).
• Roberto C. S nchez did 8.75h (out of 9.5h assigned and 2.5h from previous period), thus carrying over 3.25h to the next month.
• Santiago Ruano Rinc n did 13.5h (out of 8.25h assigned and 7.75h from previous period), thus carrying over 2.5h to the next month.
• Sean Whitton did 0.5h (out of 0.25h assigned and 5.75h from previous period), thus carrying over 5.5h to the next month.
• Sylvain Beucler did 9.5h (out of 23.25h assigned and 18.5h from previous period), thus carrying over 32.25h to the next month.
• Thorsten Alteholz did 14.0h (out of 14.0h assigned).
• Tobias Frost did 12.0h (out of 10.25h assigned and 1.75h from previous period).
• Utkarsh Gupta did 8.5h (out of 35.75h assigned), thus carrying over 24.75h to the next month.

Evolution of the situation In January, we have released 25 DLAs. A variety of particularly notable packages were updated during January. Among those updates were the Linux kernel (both versions 5.10 and 4.19), mariadb-10.3, openjdk-11, firefox-esr, and thunderbird. In addition to the many other LTS package updates which were released in January, LTS contributors continue their efforts to make impactful contributions both within the Debian community.

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 101 months)
  • Civil Infrastructure Platform (CIP) (for 69 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 112 months)
  • Linode (for 106 months)
  • Babiel GmbH (for 95 months)
  • Plat Home (for 95 months)
  • CINECA (for 69 months)
  • University of Oxford (for 51 months)
  • Deveryware (for 38 months)
  • VyOS Inc (for 33 months)
  • EDF SA (for 22 months)
• Silver sponsors:
  • Domeneshop AS (for 116 months)
  • Nantes M tropole (for 110 months)
  • Univention GmbH (for 102 months)
  • Universit Jean Monnet de St Etienne (for 102 months)
  • Ribbon Communications, Inc. (for 96 months)
  • Exonet B.V. (for 86 months)
  • Leibniz Rechenzentrum (for 80 months)
  • Minist re de l Europe et des Affaires trang res (for 63 months)
  • Cloudways by DigitalOcean (for 53 months)
  • Dinahosting SL (for 51 months)
  • Bauer Xcel Media Deutschland KG (for 45 months)
  • Platform.sh SAS (for 45 months)
  • Moxa Inc. (for 39 months)
  • sipgate GmbH (for 36 months)
  • OVH US LLC (for 34 months)
  • Tilburg University (for 34 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 26 months)
  • Soliton Systems K.K. (for 23 months)
• Bronze sponsors:
  • Evolix (for 117 months)
  • Seznam.cz, a.s. (for 117 months)
  • Intevation GmbH (for 114 months)
  • Linuxhotel GmbH (for 114 months)
  • Daevel SARL (for 112 months)
  • Bitfolk LTD (for 111 months)
  • Megaspace Internet Services GmbH (for 111 months)
  • Greenbone AG (for 110 months)
  • NUMLOG (for 110 months)
  • WinGo AG (for 110 months)
  • Ecole Centrale de Nantes - LHEEA (for 106 months)
  • Entr ouvert (for 101 months)
  • Adfinis AG (for 98 months)
  • GNI MEDIA (for 93 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 93 months)
  • Tesorion (for 93 months)
  • Bearstech (for 84 months)
  • LiHAS (for 84 months)
  • Catalyst IT Ltd (for 79 months)
  • Supagro (for 74 months)
  • Demarcq SAS (for 73 months)
  • Universit Grenoble Alpes (for 59 months)
  • TouchWeb SAS (for 51 months)
  • SPiN AG (for 48 months)
  • CoreFiling (for 43 months)
  • Institut des sciences cognitives Marc Jeannerod (for 38 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 35 months)
  • Tem Innovations GmbH (for 30 months)
  • WordFinder.pro (for 29 months)
  • CNRS DT INSU R sif (for 28 months)
  • Alter Way (for 21 months)
  • Institut Camille Jordan (for 10 months)

Like each month, have a look at the work funded by Freexian s Debian LTS offering.

Debian LTS contributors In December, 18 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 7.0h (out of 7.0h assigned and 7.0h from previous period), thus carrying over 7.0h to the next month.
• Adrian Bunk did 16.0h (out of 26.25h assigned and 8.75h from previous period), thus carrying over 19.0h to the next month.
• Bastien Roucari s did 16.0h (out of 16.0h assigned and 4.0h from previous period), thus carrying over 4.0h to the next month.
• Ben Hutchings did 8.0h (out of 7.25h assigned and 16.75h from previous period), thus carrying over 16.0h to the next month.
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Emilio Pozuelo Monfort did 8.0h (out of 26.75h assigned and 8.25h from previous period), thus carrying over 27.0h to the next month.
• Guilhem Moulin did 25.0h (out of 18.0h assigned and 7.0h from previous period).
• Holger Levsen did 5.5h (out of 5.5h assigned).
• Jochen Sprickerhof did 0.0h (out of 0h assigned and 10.0h from previous period), thus carrying over 10.0h to the next month.
• Lee Garrett did 0.0h (out of 25.75h assigned and 9.25h from previous period), thus carrying over 35.0h to the next month.
• Markus Koschany did 35.0h (out of 35.0h assigned).
• Roberto C. S nchez did 9.5h (out of 5.5h assigned and 6.5h from previous period), thus carrying over 2.5h to the next month.
• Santiago Ruano Rinc n did 8.255h (out of 3.26h assigned and 12.745h from previous period), thus carrying over 7.75h to the next month.
• Sean Whitton did 4.25h (out of 3.25h assigned and 6.75h from previous period), thus carrying over 5.75h to the next month.
• Sylvain Beucler did 16.5h (out of 21.25h assigned and 13.75h from previous period), thus carrying over 18.5h to the next month.
• Thorsten Alteholz did 14.0h (out of 14.0h assigned).
• Tobias Frost did 10.25h (out of 12.0h assigned), thus carrying over 1.75h to the next month.
• Utkarsh Gupta did 18.75h (out of 11.25h assigned and 13.5h from previous period), thus carrying over 6.0h to the next month.

Evolution of the situation In December, we have released 29 DLAs. A particularly notable update in December was prepared by LTS contributor Santiago Ruano Rinc n for the openssh package. The updated produced DLA-3694-1 and included a fix for the Terrapin Attack (CVE-2023-48795), which was a rather serious flaw in the SSH protocol itself. The package bluez was the subject of another notable update by LTS contributor Chris Lamb, which resulted in DLA-3689-1 to address an insecure default configuration which allowed attackers to inject keyboard commands over Bluetooth without first authenticating. The LTS team continues its efforts to have a positive impact beyond the boundaries of LTS. Several contributors worked on packages, preparing LTS updates, but also preparing patches or full updates which were uploaded to the unstable, stable, and oldstable distributions, including: Guilhem Moulin s update of tinyxml (uploads to LTS and unstable and patches submitted to the security team for stable and oldstable); Guilhem Moulin s update of xerces-c (uploads to LTS and unstable and patches submitted to the security team for oldstable); Thorsten Alteholz s update of libde265 (uploads to LTS and stable and additional patches submitted to the maintainer for stable and oldstable); Thorsten Alteholz s update of cjson (upload to LTS and patches submitted to the maintainer for stable and oldstable); and Tobias Frost s update of opendkim (sponsor maintainer-prepared upload to LTS and additionally prepared updates for stable and oldstable). Going beyond Debian and looking to the broader community, LTS contributor Bastien Roucari s was contacted by SUSE concerning an update he had prepared for zbar. He was able to assist by coordinating with the former organization of the original zbar author to secure for SUSE access to information concerning the exploits. This has enabled another distribution to benefit from the work done in support of LTS and from the assistance of Bastien in coordinating the access to information. Finally, LTS contributor Santiago Ruano Rinc n continued work relating to how updates for packages in statically-linked language ecosystems (e.g., Go, Rust, and others) are handled. The work is presently focused on more accurately and reliably identifying which packages are impacted in a given update scenario to enable notifications to be published so that users will be made aware of these situations as they occur. As the work continues, it will eventually result in improvements to Debian infrustructure so that the LTS team and Security team are able to manage updates of this nature in a more consistent way.

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 100 months)
  • Civil Infrastructure Platform (CIP) (for 68 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 111 months)
  • Linode (for 105 months)
  • Babiel GmbH (for 94 months)
  • Plat Home (for 94 months)
  • University of Oxford (for 50 months)
  • Deveryware (for 37 months)
  • VyOS Inc (for 32 months)
  • EDF SA (for 21 months)
• Silver sponsors:
  • Domeneshop AS (for 115 months)
  • Nantes M tropole (for 109 months)
  • Univention GmbH (for 101 months)
  • Universit Jean Monnet de St Etienne (for 101 months)
  • Ribbon Communications, Inc. (for 95 months)
  • Exonet B.V. (for 85 months)
  • Leibniz Rechenzentrum (for 79 months)
  • CINECA (for 68 months)
  • Minist re de l Europe et des Affaires trang res (for 62 months)
  • Cloudways by DigitalOcean (for 52 months)
  • Dinahosting SL (for 50 months)
  • Bauer Xcel Media Deutschland KG (for 44 months)
  • Platform.sh SAS (for 44 months)
  • Moxa Inc. (for 38 months)
  • sipgate GmbH (for 35 months)
  • OVH US LLC (for 33 months)
  • Tilburg University (for 33 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 25 months)
  • Soliton Systems K.K. (for 22 months)
• Bronze sponsors:
  • Evolix (for 116 months)
  • Seznam.cz, a.s. (for 116 months)
  • Intevation GmbH (for 113 months)
  • Linuxhotel GmbH (for 113 months)
  • Daevel SARL (for 111 months)
  • Bitfolk LTD (for 110 months)
  • Megaspace Internet Services GmbH (for 110 months)
  • Greenbone AG (for 109 months)
  • NUMLOG (for 109 months)
  • WinGo AG (for 109 months)
  • Ecole Centrale de Nantes - LHEEA (for 105 months)
  • Entr ouvert (for 100 months)
  • Adfinis AG (for 97 months)
  • GNI MEDIA (for 92 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 92 months)
  • Tesorion (for 92 months)
  • Bearstech (for 83 months)
  • LiHAS (for 83 months)
  • Catalyst IT Ltd (for 78 months)
  • Supagro (for 73 months)
  • Demarcq SAS (for 72 months)
  • Universit Grenoble Alpes (for 58 months)
  • TouchWeb SAS (for 50 months)
  • SPiN AG (for 47 months)
  • CoreFiling (for 42 months)
  • Institut des sciences cognitives Marc Jeannerod (for 37 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 34 months)
  • Tem Innovations GmbH (for 29 months)
  • WordFinder.pro (for 28 months)
  • CNRS DT INSU R sif (for 27 months)
  • Alter Way (for 20 months)
  • Institut Camille Jordan (for 9 months)

Like each month, have a look at the work funded by Freexian s Debian LTS offering. Some notable fixes which were made in LTS during the month of November include the gnutls28 cryptographic library and the freerdp2 Remote Desktop Protocol client/server implementation. The gnutls28 update was prepared by LTS contributor Markus Koschany and dealt with a timing attack which could be used to compromise a cryptographic system, while the freerdp2 update was prepared by LTS contributor Tobias Frost and is the result of work spanning 3 months to deal with dozens of vulnerabilities. In addition to the many ordinary LTS tasks which were completed (CVE triage, patch backports, package updates, etc), there were several contributions by LTS contributors for the benefit of Debian stable and old-stable releases, as well as for the benefit of upstream projects. LTS contributor Abhijith PA uploaded an update of the puma package to unstable in order to fix a vulnerability in that package while LTS contributor Thosten Alteholz sponsored an upload to unstable of libde265 and himself made corresponding uploads of libde265 to Debian stable and old-stable. LTS contributor Bastien Roucari s developed patches for vulnerabilities in zbar and audiofile which were then provided to the respective upstream projects. Updates to packages in Debian stable were made by Markus Koschany to deal with security vulnerabilities and by Chris Lamb to deal with some non-security bugs. As always, the LTS strives to provide high quality updates to packages under the direct purview of the LTS team while also rendering assistance to maintainers, the stable security team, and upstream developers whenever practical.

Debian LTS contributors In November, 18 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 7.0h (out of 0h assigned and 14.0h from previous period), thus carrying over 7.0h to the next month.
• Adrian Bunk did 15.0h (out of 14.0h assigned and 9.75h from previous period), thus carrying over 8.75h to the next month.
• Anton Gladky did 10.0h (out of 9.5h assigned and 5.5h from previous period), thus carrying over 5.0h to the next month.
• Bastien Roucari s did 16.0h (out of 18.25h assigned and 1.75h from previous period), thus carrying over 4.0h to the next month.
• Ben Hutchings did 12.0h (out of 16.5h assigned and 12.25h from previous period), thus carrying over 16.75h to the next month.
• Chris Lamb did 18.0h (out of 17.25h assigned and 0.75h from previous period).
• Emilio Pozuelo Monfort did 15.5h (out of 23.5h assigned and 0.25h from previous period), thus carrying over 8.25h to the next month.
• Guilhem Moulin did 13.0h (out of 12.0h assigned and 8.0h from previous period), thus carrying over 7.0h to the next month.
• Lee Garrett did 14.5h (out of 16.75h assigned and 7.0h from previous period), thus carrying over 9.25h to the next month.
• Markus Koschany did 30.0h (out of 30.0h assigned).
• Ola Lundqvist did 6.5h (out of 8.25h assigned and 15.5h from previous period), thus carrying over 17.25h to the next month.
• Roberto C. S nchez did 5.5h (out of 12.0h assigned), thus carrying over 6.5h to the next month.
• Santiago Ruano Rinc n did 3.25h (out of 13.62h assigned and 2.375h from previous period), thus carrying over 12.745h to the next month.
• Sean Whitton did 3.25h (out of 10.0h assigned), thus carrying over 6.75h to the next month.
• Sylvain Beucler did 10.0h (out of 13.5h assigned and 10.25h from previous period), thus carrying over 13.75h to the next month.
• Thorsten Alteholz did 14.0h (out of 14.0h assigned).
• Tobias Frost did 12.0h (out of 12.0h assigned).
• Utkarsh Gupta did 0.0h (out of 6.0h assigned and 17.75h from previous period), thus carrying over 23.75h to the next month.

Evolution of the situation In November, we have released 35 DLAs.

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 99 months)
  • Civil Infrastructure Platform (CIP) (for 67 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 110 months)
  • Linode (for 104 months)
  • Babiel GmbH (for 93 months)
  • Plat Home (for 93 months)
  • University of Oxford (for 49 months)
  • Deveryware (for 36 months)
  • VyOS Inc (for 31 months)
  • EDF SA (for 20 months)
• Silver sponsors:
  • Domeneshop AS (for 114 months)
  • Nantes M tropole (for 108 months)
  • Univention GmbH (for 100 months)
  • Universit Jean Monnet de St Etienne (for 100 months)
  • Ribbon Communications, Inc. (for 94 months)
  • Exonet B.V. (for 84 months)
  • Leibniz Rechenzentrum (for 78 months)
  • CINECA (for 67 months)
  • Minist re de l Europe et des Affaires trang res (for 61 months)
  • Cloudways Ltd (for 51 months)
  • Dinahosting SL (for 49 months)
  • Bauer Xcel Media Deutschland KG (for 43 months)
  • Platform.sh SAS (for 43 months)
  • Moxa Inc. (for 37 months)
  • sipgate GmbH (for 34 months)
  • OVH US LLC (for 32 months)
  • Tilburg University (for 32 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 23 months)
  • Soliton Systems K.K. (for 21 months)
• Bronze sponsors:
  • Evolix (for 115 months)
  • Seznam.cz, a.s. (for 115 months)
  • Intevation GmbH (for 112 months)
  • Linuxhotel GmbH (for 112 months)
  • Daevel SARL (for 110 months)
  • Bitfolk LTD (for 109 months)
  • Megaspace Internet Services GmbH (for 109 months)
  • Greenbone AG (for 108 months)
  • NUMLOG (for 108 months)
  • WinGo AG (for 108 months)
  • Ecole Centrale de Nantes - LHEEA (for 104 months)
  • Entr ouvert (for 99 months)
  • Adfinis AG (for 96 months)
  • GNI MEDIA (for 91 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 91 months)
  • Tesorion (for 91 months)
  • Bearstech (for 82 months)
  • LiHAS (for 82 months)
  • Catalyst IT Ltd (for 77 months)
  • Supagro (for 72 months)
  • Demarcq SAS (for 71 months)
  • Universit Grenoble Alpes (for 57 months)
  • TouchWeb SAS (for 49 months)
  • SPiN AG (for 46 months)
  • CoreFiling (for 41 months)
  • Institut des sciences cognitives Marc Jeannerod (for 36 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 33 months)
  • Tem Innovations GmbH (for 27 months)
  • WordFinder.pro (for 27 months)
  • CNRS DT INSU R sif (for 26 months)
  • Alter Way (for 19 months)
  • Institut Camille Jordan (for 8 months)