Search Results: "rbf"

13 April 2020

Giovanni Mascellani: DKIM for Debian Developers

What is DKIM? DKIM (DomainKeys Identified Mail), as Wikipedia puts it, "is an email authentication method designed to detect forged sender addresses in emails (email spoofing), a technique often used in phishing and email spam". More prosaically, one of the reasons email spam is so abundant is that, given a certain email message, there is no simple way to know for certain who sent it and how reputable they are. So even if people having addresses @debian.org are very nice and well-behaving, any random spammer can easily send emails from whatever@debian.org, and even if you trust people from @debian.org you cannot easily configure your antispam filter to just accept all emails from @debian.org, because spammers would get in too. Since nearly ten years DKIM is there to help you. If you send an email from @debian.org with DKIM, it will have a header like this:

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=debian.org;
    s=vps.gio.user; t=1586779391;
    bh=B6tckJy2cynGjNRdm3lhFDrp0tD7fF8hS4x0FCfLADo=;
    h=From:Subject:To:Date:From;
    b=H4EDlATxVm7XNqPy2x7IqCchBUz1SxFtUSstB23BAsdyTKJIohM0O4RRWhrQX+pqE
     prPVhzcfNALMwlfExNE69940Q6pMCuYsoxNQjU7Jl/UX1q6PGqdVSO+mKv/aEI+N49
     vvYNgPJNLaAFnYqbWCPI8mNskLHLe2VFYjSjE4GJFOxl9o2Gpe9f5035FYPJ/hnqBF
     XPnZq7Osd9UtBrBq8agEooTCZHbNFSyiXdS0qp1ts7HAo/rfrBfbQSk39fOOQ5GbjV
     6FehkN4GAXFNoFnjfmjrVDJC6hvA8m0tJHbmZrNQS0ljG/SyffW4OTlzFzu4jOmDNi
     UHLnEgT07eucw==

The field d=debian.org is the domain this email claims to be from and the fields bh= and b= are a cryptographic public key signature certifying this fact. How do I check that the email is actually from @debian.org? I use the selector s=vps.gio.user to fetch the public key via DNS, and then use the public key to verify the signature.

$ host -t TXT vps.gio.user._domainkey.debian.org
vps.gio.user._domainkey.debian.org descriptive text "v=DKIM1; k=rsa; s=email; h=sha256; p=" "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsM/W/kxtKWT58Eak0cfm/ntvurfbkkvugrG2jfvSMnHHkFyfJ34Xvn/HhQPLwX1QsjhuLV+tW+BQtxY7jxSABCee6nHQRBrpDej1t86ubw3CSrxcg1mzJI5BbL8un0cwYoBtUvhCYAZKarv1W2otCGs43L0s" "GtEqqtmYN/hIVVm4FcqeYS1cYrZxDsjPzCEocpYBhqHh1MTeUEddVmPHKZswzvllaWF0mgIXrfDNAE0LiX39aFKWtgvflrYFKiL4hCDnBcP2Mr71TVblfDY0wEdAEbGEJqHR1SxvWyn0UU1ZL4vTcylB/KJuV2gMhznOjbnQ6cjAhr2JYpweTYzz3wIDAQAB"

There it is! Debian declares in its DNS record that that key is authorized to sign outbound email from @debian.org. The spammer hopefully does not have access to Debian's DKIM keys, and they cannot sign emails. Many large and small email services have already deployed DKIM since years, while most @debian.org emails still do not use it. Why not? Because people send @debian.org emails from many different servers. Basically, every DD used their @debian.org address sends email from their own mail server, and those mail servers (fortunately) do not have access to Debian's DNS record to install their DKIM keys. Well, that was true until yesterday! :-) A few weeks ago I poked DSA asking to allow any Debian Developer to install their DKIM keys, so that DDs could use DKIM to sign their emails and hopefully reduce the amount of spam sent from @debian.org. They have done it (thank you DSA very much, especially adsb), and now it is possible to use it! How do I configure it? I will not write here a full DKIM tutorial, there are many around. You have to use opendkim-genkey to generate a key and then configure your mail server to use opendkim to digitally sign outbound email. There are a few Debian-specific things you have to care about, though. First the have to choose a selector, which is a string used to distinguish many DKIM keys belonging to the same domain. Debian allows you to installa a key whose selector is <something>.<uid>.user, where <uid> is your Debian uid (this is done both for namespacing reasons and for exposing who might be abusing the system). So check carefully that your selector has this form. Then you cannot edit directly Debian's DNS record. But you can use the email-LDAP gateway on db.debian.org to install your key in a way similar to how entries in debian.net are handled (see the updated documentation). Specifically, suppose that opendkim-genkey generated the following thing for selector vps.gio.user and domain debian.org:

vps.gio.user._domainkey IN  TXT ( "v=DKIM1; h=sha256; k=rsa; "
      "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsM/W/kxtKWT58Eak0cfm/ntvurfbkkvugrG2jfvSMnHHkFyfJ34Xvn/HhQPLwX1QsjhuLV+tW+BQtxY7jxSABCee6nHQRBrpDej1t86ubw3CSrxcg1mzJI5BbL8un0cwYoBtUvhCYAZKarv1W2otCGs43L0sGtEqqtmYN/hIVVm4FcqeYS1cYrZxDsjPzCEocpYBhqHh1MTeUE"
      "ddVmPHKZswzvllaWF0mgIXrfDNAE0LiX39aFKWtgvflrYFKiL4hCDnBcP2Mr71TVblfDY0wEdAEbGEJqHR1SxvWyn0UU1ZL4vTcylB/KJuV2gMhznOjbnQ6cjAhr2JYpweTYzz3wIDAQAB" )  ; ----- DKIM key vps.gio.user for debian.org

Then you have to carefully copy the content of the p= field (without being fooled by it being split between different strings) and construct a request of the form:

dkimPubKey: vps.gio.user MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsM/W/kxtKWT58Eak0cfm/ntvurfbkkvugrG2jfvSMnHHkFyfJ34Xvn/HhQPLwX1QsjhuLV+tW+BQtxY7jxSABCee6nHQRBrpDej1t86ubw3CSrxcg1mzJI5BbL8un0cwYoBtUvhCYAZKarv1W2otCGs43L0sGtEqqtmYN/hIVVm4FcqeYS1cYrZxDsjPzCEocpYBhqHh1MTeUEddVmPHKZswzvllaWF0mgIXrfDNAE0LiX39aFKWtgvflrYFKiL4hCDnBcP2Mr71TVblfDY0wEdAEbGEJqHR1SxvWyn0UU1ZL4vTcylB/KJuV2gMhznOjbnQ6cjAhr2JYpweTYzz3wIDAQAB

and then send it GPG-signed to changes@db.debian.org:

echo 'dkimPubKey: vps.gio.user blahblahblah'   gpg --clearsign   mail changes@db.debian.org

Then use host -t TXT vps.gio.user._domainkey.debian.org to chech the key gets published (it will probably take some minutes/hours, I don't know). Once it is published, you can enable DKIM in you mail server and your email will be signed. Congratulations, you will not look like a spammer any more! You can send an email to check-auth@verifier.port25.com to check that your setup is correct. They will reply with a report, including the success of DKIM test. Notice that currently Debian's setup only allows you to use RSA DKIM keys and doesn't allow you to set other DKIM fields (but you probably won't need to set them). EDIT DSA made an official announcement about DKIM support, which you might want to check out as well, together with its links. EDIT 2 Now ed25519 keys are supported, the syntax for specifying keys on LDAP is a little bit more flexible and you can also insert CNAME records. See the official documentation for the updated details. So we have solved our problems with spam? Ha, no! DKIM is only a small step. Useful, also because it enable other steps to be taken in the future, but small. In particular, DKIM enables you to say: "This particular email actually comes from @debian.org", but doesn't tell anybody what to do with emails that are not signed. A third-party mail server might wonder whether @debian.org emails are actually supposed to be signed or not. There is another standard for dealing with that, which is called DMARD, and I believe that Debian should eventually use it, but not now: the problem is that currently virtually no email from @debian.org is signed with DKIM, so if DMARC was enabled other mail servers would start to nuke all @debian.org emails, except those which are already signed, a minority. If people and services sending emails from @debian.org will start configuring DKIM on their servers, which is now possible, it will eventually come a time when DMARC can be enabled, and spammers will find themselves unable to send forged @debian.org emails. We are not there yet, but todays we are a little step closer than yesterday. Also, notice that having DKIM on @debian.org only counters spam pretending to be from @debian.org, but there is much more. The policy on what to accept is mostly independent on that on what you send. However, knowing that @debian.org emails have DKIM and DMARC would mean that we can set our spam filters to be more aggressive in general, but whitelist official Debian Developers and services. And the same can be done for other domains using DKIM and DMARC. Finally, notice that some incompatibilities between DKIM and mailing lists are known, and do not have a definitive answer yet. Basically, most mailing list engines modify either the body of the headers in forwarded emails, which means that DKIM does not validate any more. There are many proposed solutions, possibly none completely satisfying, but since spam is not very satisfying as well, something will have to be worked out. I wrote a lot already, though, so I wont't discuss this here.

31 August 2017

Chris Lamb: Free software activities in August 2017

Here is my monthly update covering what I have been doing in the free software world in August 2017 (previous month):

Created ZeroCoolOS, a live operating system that plays the film Hackers (1995) on a continuous loop.
Sent a patch for pristine-tar to allow storage of detached upstream signatures. (#871809)
Worked more on Lintian, a static analysis tool for Debian packages, reporting on various errors, omissions and quality-assurance issues to the maintainer (previous changes):
- Fix an apache2-unparsable-dependency false positive by allowing periods in dependency names. (#873701)
- Ignore "repacked" packages when checking for upstream source tarball signatures as they will never match.
- Downgrade the severity of orig-tarball-missing-upstream-signature. (#870722)
- From a suggestion by Theodore Ts'o, expand the explanation of orig-tarball-missing-upstream-signature to include the location of where dpkg-source looks.
- Address a number of issues in the copyright-year-in-future tag including preventing false positives in port numbers, email addresses, ISO standard numbers and street addresses (#869788), as well as "meta" or testing statements (#873323). In addition, report all violating years in a line and expand the testsuite.
- Don't match quoted "FIXME" variants of file-contains-fixme-placeholder (#870199), avoid checking copyright_hints files (#872843) and downgrade the tag's severity.
- Apply a patch from Alex Muntada to recommend "substr" over of "substring" in mentions-deprecated-usr-lib-perl5-directory. (#871767)
- Prevent missing-build-dependency-for-dh_-command false positives exposed by following the advice in useless-autoreconf-build-depends. (#869541)
- Ensure readme-debian-contains-debmake-template also checks for files containing "Automatically generated by debmake".
- Check python3-foo packages have a Section: python, not just python2-foo. (#870272)
- Check for packages shipping compiled Java class files. (#873211)
- Additionally consider .cljc files to avoid codeless-jar warnings. (#870649)
- Prevent desktop-entry-lacks-keywords-entry false positives for Link and Directory-style .desktop files. (#873702)
- Split out Python checks from checks/scripts.pm check to a new, source check of type source.
- Check for python-foo without a corresponding python3-foo package. (#870681)
- Complain about packages that Build-Depend on python-sphinx only. (#870730)
- Warn about packages that alternatively Build-Depend on the Python 2 and Python 3 versions of Sphinx. (#870758)
- Check for packages that depend on Python 2.x. (#870822)
- Correct false positives in unconditional-use-of-dpkg-statoverride by detecting "if !" as a shell prefix. (#869587)
- Alert on for missing calls to dpkg-maintscript-helper(1) in maintainer scripts. (#872042)
- Check for packages using sensible-utils without declaring a dependency after splitting from debianutils. (#872611)
- Warn about scripts using nodejs as an interpreter now that the nodejs script provides /usr/bin/node. (#873096)
- Remove recommendations to add a Testsuite: autopkgtest field to debian/control and emit a new tag the package if it does so. (#865531)
- Recognise autopkgtest-pkg-elpa as a valid test suite. (#873458)
- Add note to /etc/bash_completion.d's obsolete path warning output regarding stricter filename requirements. (#814599)
- Add 4.0.1 and 4.1.0 as known Policy standards versions.
- Apply a patch from Maia Everett to avoid British spellings under the en_US locale. (#868897)
- Stop emitting maintainer,uploader -address-causes-mail-loops for @packages.debian.org addresses. (#871575)
- Modify Lintian::Data's all subroutine to always return keys in insertion order.
- Apply a patch from Steve Langasek to accomodate binutils outputting symbols in a different format on the ppc64el architecture. (#869750)
- Add an explicit test for packages including external fonts via the Google Font and TypeKit APIs. (#873434)
- Add missing entries in internal Test-For fields to make development/testing workflow less error-prone.
Sent three pull requests to git-buildpackage, a tool to assist in Debian packaging from Git repositories:
- Make pq --abbrev= configurable. (#872351)
- Use build profiles to avoid installation of test dependencies. (#31)
- Correct "allow to" grammar. (#30)
Updated travis.debian.net (my hosted service for projects that host their Debian packaging on GitHub to use the Travis CI continuous integration platform for testing):
- Move away from deb.debian.org; Travis appears to be using a HTTP proxy that strips SRV records. (commit)
- Highlight double quotes are required for TRAVIS_DEBIAN_EXTRA_REPOSITORY. (commit)
- Use force-unsafe-io. (commit)
- Clarify docs when upstream already has a travis.yml file. (#46)
- Make documentation easier to copy-paste. (commit)
Merged a pull request in django-slack, my library to easily post messages to the Slack group-messaging utility, where instantiation of a SlackException was failing. (#71)
Assigned two pull requests to the Redis key-value database store to correct "did not received" and "faield" typos. (#4216 & #4215).

Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users. The motivation behind the Reproducible Builds effort is to allow verification that no flaws have been introduced either maliciously or accidentally during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised. I have generously been awarded a grant from the Core Infrastructure Initiative to fund my work in this area. This month I:

Presented a status update at Debconf17 in Montr al, Canada alongside Holger Levsen, Maria Glukhova, Steven Chamberlain, Vagrant Cascadian, Valerie Young and Ximin Luo.
I worked on the following issues upstream:
- glib2.0: Please make the output of gio-querymodules reproducible. (...)
- gcab: Please make the output reproducible. (...)
- gtk+2.0: Please make the immodules.cache files reproducible. (...)
- desktop-file-utils: Please make the output reproducible. (...)
Within Debian:
- My work as Debian Project Leader (DPL) is covered in my monthly Bits from the DPL email to debian-devel-announce.
- Created isdebianreproducibleyet.com.
- Sent a patch to dpkg to sort the "unused substitution" warnings. (#870221)
- Added a script to devscripts to report on reproducibility status of installed packages. (#872514)
- Modified the Debian archive tools (dak) to automatically reject packages which do not bump their date in debian/changelog. (debian-devel post)
- Fixed an QA issue in snappy that was caught by the reproducible builds continuous integration framework. (#872226)
- I submitted three patches to fix specific reproducibility issues in grap, isa-support & python-numpy.
- Finally, I also performed two non-maintainer uploads (NMUs) for jsmath-fonts (#792319) and xvier (#777330) to make their builds reproducible.
Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
Worked on publishing our weekly reports. (#118, #119, #120, #121 & #122)

I also made the following changes to our tooling:

diffoscope

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.

Use name attribute over path to avoid leaking comparison full path in output. (commit)
Add missing skip_unless_module_exists import. (commit)
Tidy diffoscope.progress and the XML comparator (commit, commit)

disorderfs

disorderfs is our FUSE-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues.

Add a simple autopkgtest smoke test. (commit)

Debian

Patches contributed

openssh: Quote the IP address in ssh-keygen -f suggestions. (#872643)
libgfshare:
- SIGSEGV if /dev/urandom is not accessible. (#873047)
- Add bindnow hardening. (#872740)
- Support nodoc build profile. (#872739)
devscripts:
- Enable hardening buildflags for /usr/bin/debpkg. (#873379)
- Add missing scripts/debc to .gitignore. (#873381)
memcached: Add hardening to systemd .service file. (#871610)
googler: Tidy long and short package descriptions. (#872461)
gnome-split: Homepage points to domain-parked website. (#873037)

Uploads

python-django 1:1.11.4-1 New upstream release.
redis:
- 4:4.0.1-3 Drop yet more non-deterministic tests.
- 4:4.0.1-4 Tighten systemd/seccomp hardening.
- 4:4.0.1-5 Drop even more tests with timing issues.
- 4:4.0.1-6 Don't install completions to /usr/share/bash-completion/completions/debian/bash_completion/.
- 4:4.0.1-7 Don't let sentinel integration tests fail the build as they use too many timers to be meaningful. (#872075)
python-gflags 1.5.1-3 If SOURCE_DATE_EPOCH is set, either use that as a source of current dates or the UTC-version of the file's modification time (#836004), don't call update-alternatives --remove in postrm. update debian/watch/Homepage & refresh/tidy the packaging.
bfs 1.1.1-1 New upstream release, tidy autopkgtest & patches, organising the latter with Pq-Topic.
python-daiquiri 1.2.2-1 New upstream release, tidy autopkgtests & update travis.yml from travis.debian.net.
aptfs 2:0.10-2 Add upstream signing key, refer to /usr/share/common-licenses/GPL-3 in debian/copyright & tidy autopkgtests.
adminer 4.3.1-2 Add a simple autopkgtest & don't install the Selenium-based tests in the binary package.
zoneminder (1.30.4+dfsg-2) Prevent build failures with GCC 7 (#853717) & correct example /etc/fstab entries in README.Debian (#858673).

Finally, I reviewed and sponsored uploads of astral, inflection, more-itertools, trollius-redis & wolfssl.

Debian LTS

This month I have been paid to work 18 hours on Debian Long Term Support (LTS). In that time I did the following:

"Frontdesk" duties, triaging CVEs, etc.
Issued DLA 1049-1 for libsndfile preventing a remote denial of service attack.
Issued DLA 1052-1 against subversion to correct an arbitrary code execution vulnerability.
Issued DLA 1054-1 for the libgxps XML Paper Specification library to prevent a remote denial of service attack.
Issued DLA 1056-1 for cvs to prevent a command injection vulnerability.
Issued DLA 1059-1 for the strongswan VPN software to close a denial of service attack.

Debian bugs filed

wget: Please hash the hostname in ~/.wget-hsts files. (#870813)
debian-policy: Clarify whether mailing lists in Maintainers/Uploaders may be moderated. (#871534)
git-buildpackage: "pq export" discards text within square brackets. (#872354)
qa.debian.org: Escape HTML in debcheck before outputting. (#872646)
pristine-tar: Enable multithreaded compression in pristine-xz. (#873229)
tryton-meta: Please combine tryton-modules-* into a single source package with multiple binaries. (#873042)
azure-cli:
- New upstream release. (#871418)
- debian/watch file broken. (#871417)
fwupd-tests: Don't ship test files to generic /usr/share/installed-tests dir. (#872458)
libvorbis: Maintainer fields points to a moderated mailing list. (#871258)
rmlint-gui: Ship a rmlint-gui binary. (#872162)
template-glib: debian/copyright references online source without quotation. (#873619)

FTP Team

As a Debian FTP assistant I ACCEPTed 147 packages: abiword, adacgi, adasockets, ahven, animal-sniffer, astral, astroidmail, at-at-clojure, audacious, backdoor-factory, bdfproxy, binutils, blag-fortune, bluez-qt, cheshire-clojure, core-match-clojure, core-memoize-clojure, cypari2, data-priority-map-clojure, debian-edu, debian-multimedia, deepin-gettext-tools, dehydrated-hook-ddns-tsig, diceware, dtksettings, emacs-ivy, farbfeld, gcc-7-cross-ports, git-lfs, glewlwyd, gnome-recipes, gnome-shell-extension-tilix-dropdown, gnupg2, golang-github-aliyun-aliyun-oss-go-sdk, golang-github-approvals-go-approval-tests, golang-github-cheekybits-is, golang-github-chzyer-readline, golang-github-denverdino-aliyungo, golang-github-glendc-gopher-json, golang-github-gophercloud-gophercloud, golang-github-hashicorp-go-rootcerts, golang-github-matryer-try, golang-github-opentracing-contrib-go-stdlib, golang-github-opentracing-opentracing-go, golang-github-tdewolff-buffer, golang-github-tdewolff-minify, golang-github-tdewolff-parse, golang-github-tdewolff-strconv, golang-github-tdewolff-test, golang-gopkg-go-playground-validator.v8, gprbuild, gsl, gtts, hunspell-dz, hyperlink, importmagic, inflection, insighttoolkit4, isa-support, jaraco.itertools, java-classpath-clojure, java-jmx-clojure, jellyfish1, lazymap-clojure, libblockdev, libbytesize, libconfig-zomg-perl, libdazzle, libglvnd, libjs-emojify, libjwt, libmysofa, libundead, linux, lua-mode, math-combinatorics-clojure, math-numeric-tower-clojure, mediagoblin, medley-clojure, more-itertools, mozjs52, openssh-ssh1, org-mode, oysttyer, pcscada, pgsphere, poppler, puppetdb, py3status, pycryptodome, pysha3, python-cliapp, python-coloredlogs, python-consul, python-deprecation, python-django-celery-results, python-dropbox, python-fswrap, python-hbmqtt, python-intbitset, python-meshio, python-parameterized, python-pgpy, python-py-zipkin, python-pymeasure, python-thriftpy, python-tinyrpc, python-udatetime, python-wither, python-xapp, pythonqt, r-cran-bit, r-cran-bit64, r-cran-blob, r-cran-lmertest, r-cran-quantmod, r-cran-ttr, racket-mode, restorecond, rss-bridge, ruby-declarative, ruby-declarative-option, ruby-errbase, ruby-google-api-client, ruby-rash-alt, ruby-representable, ruby-test-xml, ruby-uber, sambamba, semodule-utils, shimdandy, sjacket-clojure, soapysdr, stencil-clojure, swath, template-glib, tools-analyzer-jvm-clojure, tools-namespace-clojure, uim, util-linux, vim-airline, vim-airline-themes, volume-key, wget2, xchat, xfce4-eyes-plugin & xorg-gtest. I additionally filed 6 RC bugs against packages that had incomplete debian/copyright files against: gnome-recipes, golang-1.9, libdazzle, poppler, python-py-zipkin & template-glib.

31 January 2017

Chris Lamb: Free software activities in January 2017

Here is my monthly update covering what I have been doing in the free software world (previous month):

Created github-sync, a tool to mirror arbitrary repositories onto GitHub.
Submitted two pull requests to the word-wrap Chrome browser extension that adds the ability to wrap text via the right-click context menu:
- Support dynamically-added <textarea> elements in "rich" Javascript applications such as mail clients, etc. (#2)
- Avoid an error message if no "editable" has been selected yet. (#1)
Submitted a pull request to wordwarvi (a "retro-styled old school side-scrolling shooter") to ensure the build is reproducible. (#5)
Filed a pull request with the yard Ruby documentation tool to ensure the generated output is reproducible. (#1048)
Made some improvements to travis.debian.net, my hosted service for projects that host their Debian packaging on GitHub to use the Travis CI continuous integration platform to test builds on every code change:
- Merged a pull request from Evgeni Golov to allow for skipped tests. (#39)
- Add logging when running autopkgtests. (commit)
Merged a pull request from jwilk for python-fadvise my Python interface to the posix_fadvise(2) interface to predeclare an pattern for accessing data. (#6)
Filed an issue against the redis key-value database regarding build failures on non-x86 architectures. (#3768)

Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users. The motivation behind the Reproducible Builds effort is to permit verification that no flaws have been introduced either maliciously or accidentally during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised. (I have previously been awarded a grant from the Core Infrastructure Initiative to fund my work in this area.) This month I:

Presented Reproducible Builds: Two years in the trenches at linux.conf.au, Hobart, Australia. (YouTube)
Recorded an episode of the Changelog podcast on Reproducible Builds. It is scheduled to go live in early February.
Submitted the following patches to fix reproducibility-related toolchain issues within Debian:
- mono: Please make the output of dh_makeclilibs reproducible
- yard: Please make the output reproducible
- jenkins.debian.org: Please install Build-Depends prior to locale switch
I also submitted 4 patches to fix specific reproducibility issues in flask-limiter, fontypython, pciutils & sed.
Chaired an IRC meeting on 3rd January.
Worked on publishing our weekly reports. (#88, #89, #90, 92 & 91)

I also made the following changes to our tooling:

diffoscope

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.

Comparators:
- Display magic file type when we know the file format but can't find file-specific details. (Closes: #850850).
- Ensure our "APK metadata" file appears first, fixing non-deterministic tests. (998b288)
- Fix APK extration with absolute filenames. (Closes: #850485).
- Don't error if directory containing ELF debug symbols already exists. (Closes: #850807).
- Support comparing .ico files (Closes: #850730).
- If we don't have a tool (eg. apktool), don't blow up when attempting to unpack it.
Output formats:
- Add Markdown output format. (Closes: #848141).
- Add RestructuredText output format.
- Use an optimised indentation routine throughout all presenters.
- Move text presenter to use the Visitor pattern.
- Correctly escape value of href="" elements (re. #849411).
Tests:
- Prevent FTBFS by loading fixtures as UTF-8 in case surrounding terminal is not Unicode-aware. (Closes: #852926).
- Skip tests if binutils can't handle the object file format. (Closes: #851588).
- Actually compare the output of text/ReST/Markdown formats to fixtures.
- Add tests for: Comparing two empty directories, HTML output, image.ICOImageFile, --html-dir, --text-color & no arguments (beyond the filenames) emits the text output.
Profiling:
- Count the number of calls, not just the total time.
- Skip as much profiling overhead when not enabled for a ~2% speedup.
Misc:
- Alias an expensive Config() lookup for a 10% optimisation.
- Avoid expensive regex creation until we actually need it, speeding up diff parsing by 2X.
- Use Pythonic logging functions based on __name__, etc.
- Drop milliseconds from logging output.

buildinfo.debian.net

buildinfo.debian.net is my experiment into how to process, store and distribute .buildinfo files after the Debian archive software has processed them.

Store files directly onto S3.
Drop big unique_together index to save disk space.
Show SHA256 checksums where space permits.

Debian LTS

This month I have been paid to work 12.75 hours on Debian Long Term Support (LTS). In that time I did the following:

"Frontdesk" duties, triaging CVEs, etc.
Issued DLA 773-1 for python-crypto fixing a vulnerability where calling AES.new with an invalid parameter could crash the Python interpreter.
Issued DLA 777-1 for libvncserver addressing two heap-based buffer overflow attacks based on invalid FramebufferUpdate data.
Issued DLA 778-1 for pcsc-lite correcting a use-after-free vulnerability.
Issued DLA 795-1 for hesiod which fixed a weak SUID check as well as removed the hard-coding of a fallback domain if the configuration file could not be found.
Issued DLA 810-1 for libarchive fixing a heap buffer overflow.

Uploads

python-django:
- 1:1.10.5-1 New upstream stable release.
- 1:1.11~alpha1-1 New upstream experimental release.
gunicorn (19.6.0-10) Moved debian/README.Debian to debian/NEWS so that the recent important changes will be displayed to users when upgrading to stretch.
redis:
- 3:3.2.6-2 & 4:4.0-rc2-2 Tidy patches and rename RunTimeDirectory to RuntimeDirectory in .service files. (Closes: #850534)
- 3:3.2.6-3 Remove a duplicate redis-server binary by symlinking /usr/bin/redis-check-rdb. This was found by the dedup service.
- 3:3.2.6-4 Expand the documentation in redis-server.service and redis-sentinel.service regarding the default hardening options and how, in most installations, they can be increased.
- 3:3.2.6-5, 3:3.2.6-6, 4:4.0-rc2-3 & 4:4.0-rc2-4 Add taskset calls to try and avoid build failures due to parallelism in upstream test suite.

I also made the following non-maintainer uploads:

cpio:
- 2.12+dfsg-1 New upstream release (to experimental), refreshing all patches, etc.
- 2.12+dfsg-2 Add missing autoconf to Build-Depends.
xjump (2.7.5-6.2) Make the build reproducible by passing -n to gzip calls in debian/rules. (Closes: #777354)
magicfilter (1.2-64.1) Make the build reproducible by passing -n to gzip calls in debian/rules. (Closes: #777478)

Debian bugs filed

diffoscope: Comparing a device with a regular file fails
python-django: Please avoid accessing the internet for intersphinx mapping
xcalib: "Error - unsupported ramp size 0" when trying to invert screen
strip-nondeterminism: Not running full testsuite on ci.debian.net
polygen: fix seriuos serious typo

RC bugs

python-mne: bootstrap.min.js corrupted when built with dash as /bin/sh
xdotool: "type" subcommand fails with "no windows on the stack"

I also filed 16 FTBFS bugs against bzr-git, coq-highschoolgeometry, eclipse-anyedit, eclipse-gef, libmojolicious-plugin-assetpack-perl, lua-curl, node-liftoff, node-liftoff, octave-msh, pcb2gcode, qtile, rt-authen-externalauth, ruby-hamster, ruby-sshkit, tika & txfixtures.

29 January 2017

Reproducible builds folks: Reproducible Builds: week 91 in Stretch cycle

What happened in the Reproducible Builds effort between Sunday January 15 and Saturday January 21 2017: Media Coverage

Valerie Young presented Reproducible Builds for a Better Future (video) at linux.conf.au 2017.
Chris Lamb presented Reproducible Builds: Two years in the trenches (video) at linux.conf.au 2017.

Upcoming Events

The Reproducible Build Zoo will be presented by Vagrant Cascadian at the Embedded Linux Conference in Portland, Oregon, February 22nd.
Dennis Gilmore and Holger Levsen will present on "Reproducible Builds and Fedora" at Devconf.cz on February 27th.
Introduction to Reproducible Builds will be presented by Vagrant Cascadian at Scale15x in Pasadena, California, March 5th.
Verifying Software Freedom with Reproducible Builds will be presented by Vagrant Cascadian at Libreplanet2017 in Boston, March 25th-26th.

Toolchain development and fixes Ximin Luo continued work on data formats, code, and test cases for SOURCE_PREFIX_MAP. He also continued to talk with the rustc team on the topic. Chris Lamb submitted a patch to implement SOURCE_DATE_EPOCH for wordwarvi, a game which gave extra points to people who built it from source within one hour. This fixes Debian #786593. Launchpad bug 1657704 was filed for them to start accepting buildinfo files. Bugs filed

Chris Lamb:
- #851809 filed against mono.
Daniel Shahaf:
- #851764 filed against hhsuite.

Reviews of unreproducible packages 10 package reviews have been added, 149 have been updated and 153 have been removed in this week, adding to our knowledge about identified issues. 2 issue types have been updated:

Weekly QA work During our reproducibility testing, the following FTBFS bugs have been detected and reported by:

Chris Lamb (3)
Ond ej Kobli ek (1)

diffoscope development diffoscope 69 was uploaded to unstable by Chris Lamb. It included contributions from:

Maria Glukhova:
- Bug fixes: #850055, #850501.
- Improve comparison of APK files: #850502.
- Add comparison of image metadata: #849395.
Chris Lamb:
- Many bug fixes: #849411, #850485, #850807, #850850, #851588.
- Add comparison of ICO files: #850730.
- Optimisations: disable profiling unless needed, and pre-compile regexes.
- Many code quality improvements.
Mattia Rizzolo:
- Deduplicate code for recognising file types based on RE_FILE_TYPE and RE_FILE_EXTENSION.
- Improve code quality in tests.

Further development continued in Git, and will be released as version 70 next week:

Chris Lamb:
- Add tests for --html-dir output and improve code quality elsewhere in tests.
- Add markdown and reStructuredText output, as well as tests for these.
- Improve software architecture of presenters.
- Fix error-checking in the Haskell comparator.
James Clarke:
- Haskell comparator: properly extract version from interface files.
Mattia Rizzolo:
- Improve some documentation.
Brett Smith:
- Improve documentation including --help output.

reproducible-builds.org website development

Brett Smith:
- berlin2016: List Conservancy consistently as a participant.
Chris Lamb:
- Add Valerie's talk to resources page.
Daniel Shahaf:
- Improved the "How to chair a meeting" section.

tests.reproducible-builds.org

Holger added arm64 to https://tests.reproducible-builds.org/debian/index_variations.html
Mattia improved our process for building the performance page so that stats for new architectures are computed correctly without manual intervention.
Holger enhanced the build node maintenance scripts to correctly detect if /dev/shm is mounted incorrectly (due to #851427) and deployed an /etc/rc.local startup script to all systems which works around it. As a result, jenkins_semaphore_setup_issue should be obsolete.
Mattia improved the diskspace monitoring visible at our munin page for the 44 nodes we're currently running.
Holger added 6GB more RAM to jenkins.debian.net, for a total of 64GB RAM, to better cope with the new jobs due to arm64. As usual, thanks to profitbricks.com for the hardware resources enabling this work.

Misc. This week's edition was written by Ximin Luo, Vagrant Cascadian, Holger Levsen & Chris Lamb and reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.