Chris Lamb: Free software activities in July 2017
Here is my monthly update covering what I have been doing in the free software world during July 2017 (previous month):
- Updated travis.debian.net, my hosted service for projects that host their Debian packaging on GitHub to use the Travis CI continuous integration platform to test builds:
- Updated django-slack, my library to easily post messages to the Slack group-messaging utility:
- Added Pascal support to Louis Taylor's anyprint hack to add support for "print" statements from other languages into Python.
- Filed a PR against Julien Danjou's daiquiri Python logging helper to clarify an issue in the documentation.
- Merged a PR to Strava Enhancement Suite, my Chrome extension that improves and fixes annoyances in the web interface of the Strava cycling and running tracker, to remove Zwift activities with maps.
- Submitted a pull request for the Redis key-value database store to fix a spelling mistake in a binary.
- Sent patches upstream to the authors of the OpenSVC cloud engine and the Argyll Color Management System to fix some "1204" typos.
- Fixed a number of Python and deployment issues in my stravabot IRC bot.
- Corrected a "1204" typo in Facebook's RocksDB key-value store.
- Corrected =+ typos in the Calibre e-book reader software.
- Filed a PR against the diaspy Python interface to the DIASPORA social network to correct the number of seconds in a day.
- Sent a pull request to remedy a =+ typo in sparqlwrapper, a SPARQL endpoint interface for Python.
- Filed a PR against Postfix Admin to fix some =+ typos.
- Fixed a "1042" typo in ImageJ, a Java image processing library.
- On a less-serious note, I filed an issue for Brad Abraham's bot for the Reddit sub-reddit to add some missing "hit the gym" advice.
Reproducible builds
Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.
The motivation behind the Reproducible Builds effort is to permit verification that no flaws have been introduced either maliciously or accidentally during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
(I have generously been awarded a grant from the Core Infrastructure Initiative to fund my work in this area.)
This month I:
- Assisted Mattia with a draft of an extensive status update to the debian-devel-announce mailing list. There were interesting follow-up discussions on Hacker News and Reddit.
- Submitted the following patches to fix reproducibility-related toolchain issues within Debian:
  - apt: Make the output of apt-ftparchive reproducible. Thanks to Colin Percival from Tarsnap for the initial bug report. (#869557)
  - gconf: Make the output of /var/lib/gconf/defaults/%gconf-tree-*.xml files reproducible. (#867848, forwarded upstream)
  - grunt: Make the output reproducible. (#867753, forwarded upstream)
  - node-marked-man: Make the output reproducible. (#868321, forwarded upstream)
  - xorg-server: Make BUILD_{DATE,TIME} reproducible. (#868843)
- I also submitted 5 patches to fix specific reproducibility issues in autopep8, castle-game-engine, grep, libcdio & tinymux.
- Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
- Worked on publishing our weekly reports. (#114 #115, #116 & #117)
I also made the following changes to our tooling:
diffoscope
diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.
- comparators.xml:
  - APK files can also be identified as "DOS/MBR boot sector". (#868486)
- comparators.sqlite: Simplify file detection by rewriting the manual recognizes call with a Sqlite3Database.RE_FILE_TYPE definition.
- comparators.directory:
  - Revert the removal of a try-except. (#868534)
  - Tidy module.
strip-nondeterminism
strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.
- Add missing File::Temp imports in the JAR and PNG handlers. This appears to have been exposed by lazily-loading handlers in #867982. (#868077)
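The reproducibility idea described above (identical bytes from a given source, so independent rebuilders can compare hashes) and the kind of normalisation strip-nondeterminism's JAR handler performs can be shown in a few lines. The following is an added Python example, not code from strip-nondeterminism (which is written in Perl) or diffoscope: it simulates a build whose zip output embeds the wall-clock time and writes entries in an arbitrary order, shows that two such builds disagree, then clamps every entry timestamp to SOURCE_DATE_EPOCH (the environment variable the Reproducible Builds specification defines for this) and sorts the entries so both rebuilds hash identically. SAMPLE_FILES, the timestamps and all function names are constructed for the example.

```python
import hashlib
import io
import os
import time
import zipfile

# Constructed sample "build output": two files a JAR-like archive would carry.
# The byte contents are made up for this example.
SAMPLE_FILES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nCreated-By: example\n",
    "org/example/Main.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\x00" * 16,
}

# Constructed fallback (July 2017), used only when SOURCE_DATE_EPOCH is unset.
DEFAULT_EPOCH = 1500000000


def source_date_epoch(default=DEFAULT_EPOCH):
    """Timestamp a reproducible build should stamp into its outputs.

    SOURCE_DATE_EPOCH holds seconds since the Unix epoch and is set by the
    build environment (Debian derives it from the changelog date)."""
    return int(os.environ.get("SOURCE_DATE_EPOCH", default))


def build_archive(files, build_time, order=None):
    """Simulate an unreproducible build: every entry carries the wall-clock
    build time, and entries are written in whatever order the build used."""
    names = list(order) if order is not None else list(files)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name in names:
            info = zipfile.ZipInfo(name, date_time=time.gmtime(build_time)[:6])
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name])
    return buf.getvalue()


def normalize_archive(data, epoch):
    """Rewrite an archive so only its contents matter: clamp each entry's
    timestamp to `epoch` and emit entries in sorted name order. This is the
    same idea strip-nondeterminism applies to JARs, re-implemented here."""
    src = zipfile.ZipFile(io.BytesIO(data))
    stamp = time.gmtime(epoch)[:6]
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for entry in sorted(src.infolist(), key=lambda e: e.filename):
            info = zipfile.ZipInfo(entry.filename, date_time=stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = entry.external_attr  # keep permission bits
            zf.writestr(info, src.read(entry))
    return out.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def builds_agree(*artifacts):
    """What independent rebuilders compare: identical bytes, so identical hashes."""
    return len({sha256(a) for a in artifacts}) == 1


if __name__ == "__main__":
    epoch = source_date_epoch()
    # Two "rebuilds" a day apart, with the second writing entries in reverse order.
    first = build_archive(SAMPLE_FILES, build_time=1499000000)
    second = build_archive(SAMPLE_FILES, build_time=1499086400,
                           order=reversed(list(SAMPLE_FILES)))
    print("raw builds agree:       ", builds_agree(first, second))
    print("normalised builds agree:",
          builds_agree(normalize_archive(first, epoch),
                       normalize_archive(second, epoch)))
```

Normalising after the fact is the strip-nondeterminism approach; the toolchain fixes listed above (apt-ftparchive, BUILD_{DATE,TIME} and so on) instead make the build itself consult SOURCE_DATE_EPOCH so the post-processing step is unnecessary.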
buildinfo.debian.net
buildinfo.debian.net is my experiment into how to process, store and distribute .buildinfo files after the Debian archive software has processed them.
Debian
My activities as the current Debian Project Leader are covered in my "Bits from the DPL" emails to the debian-devel-announce mailing list.
Patches contributed
- obs-studio: Remove annoying "click wrapper" on first startup. (#867756)
- vim: Syntax highlighting for debian/copyright files. (#869965)
- moin: Incorrect timezone offset applied due to "84600" typo. (#868463)
- ssss: Add a simple autopkgtest. (#869645)
- dch: Please bump $latest_bpo_dist to current stable release. (#867662)
- python-kaitaistruct: Remove Markdown and homepage references from package long descriptions. (#869265)
- album-data: Correct invalid Vcs-Git URI. (#869822)
- pytest-sourceorder: Update Homepage field. (#869125)
Debian LTS
This month I have been paid to work 18 hours on Debian Long Term Support (LTS). In that time I did the following:
- "Frontdesk" duties, triaging CVEs, etc.
- Issued DLA 1014-1 for libclamunrar, a library that adds unrar support to the Clam anti-virus software, to fix an arbitrary code execution vulnerability.
- Issued DLA 1015-1 for the libgcrypt11 crypto library to fix a "sliding windows" information leak.
- Issued DLA 1016-1 for radare2 (a reverse-engineering framework) to prevent a remote denial-of-service attack.
- Issued DLA 1017-1 to fix a heap-based buffer over-read in the mpg123 audio library.
- Issued DLA 1018-1 for the sqlite3 database engine to prevent a vulnerability that could be exploited via a specially-crafted database file.
- Issued DLA 1019-1 to patch a cross-site scripting (XSS) exploit in phpldapadmin, a web-based interface for administering LDAP servers.
- Issued DLA 1024-1 to prevent an information leak in nginx via a specially-crafted HTTP range.
- Issued DLA 1028-1 for apache2 to prevent the leakage of potentially confidential information when Digest Authorization headers are supplied.
- Issued DLA 1033-1 for the memcached in-memory object caching server to prevent a remote denial-of-service attack.
Uploads
I also reviewed and sponsored the uploads of gtts-token 1.1.1-1 and nlopt 2.4.2+dfsg-3.
- redis:
  - 4:4.0.0-1 Upload new major upstream release to unstable.
  - 4:4.0.0-2 Make /usr/bin/redis-server in the primary package a symlink to /usr/bin/redis-check-rdb in the redis-tools package to prevent duplicate debug symbols that result in a package file collision. (#868551)
  - 4:4.0.0-3 Add -latomic to LDFLAGS to avoid a FTBFS on the mips & mipsel architectures.
  - 4:4.0.1-1 New upstream version. Install 00-RELEASENOTES as the upstream changelog.
  - 4:4.0.1-2 Skip non-deterministic tests that rely on timing. (#857855)
- python-django:
  - 1:1.11.3-1 New upstream bugfix release. Check DEB_BUILD_PROFILES consistently, not DEB_BUILD_OPTIONS.
- bfs:
  - 1.0.2-2 & 1.0.2-3 Use help2man to generate a manpage.
  - 1.0.2-4 Set hardening=+all for bindnow, etc.
  - 1.0.2-5 & 1.0.2-6 Don't use upstream's release target as it overrides our CFLAGS, & install RELEASES.md as the upstream changelog.
  - 1.1-1 New upstream release.
- libfiu:
  - 0.95-4 Apply patch from Steve Langasek to fix autopkgtests. (#869709)
- python-daiquiri:
  - 1.0.1-1 Initial upload. (ITP)
  - 1.1.0-1 New upstream release.
  - 1.1.0-2 Tidy package long description.
  - 1.2.1-1 New upstream release.
Debian bugs filed
FTP Team
As a Debian FTP assistant I ACCEPTed 45 packages: 2ping, behave, cmake-extras, cockpit, cppunit1.13, curvedns, flask-mongoengine, fparser, gnome-shell-extension-dash-to-panel, graphene, gtts-token, hamlib, hashcat-meta, haskell-alsa-mixer, haskell-floatinghex, haskell-hashable-time, haskell-integer-logarithms, haskell-murmur-hash, haskell-quickcheck-text, haskell-th-abstraction, haskell-uri-bytestring, highlight.js, hoel, libdrm, libhtp, libpgplot-perl, linux, magithub, meson-mode, orcania, pg-dirtyread, prometheus-apache-exporter, pyee, pytest-pep8, python-coverage-test-runner, python-digitalocean, python-django-imagekit, python-rtmidi, python-transitions, qdirstat, redtick, ulfius, weresync, yder & zktop.
I additionally filed 5 RC bugs against packages that had incomplete debian/copyright files: cockpit, cppunit, cppunit1.13, curvedns & highlight.js.