Like each month, have a look at the work funded by Freexian s Debian LTS offering. Some notable fixes which were made in LTS during the month of November include the gnutls28 cryptographic library and the freerdp2 Remote Desktop Protocol client/server implementation. The gnutls28 update was prepared by LTS contributor Markus Koschany and dealt with a timing attack which could be used to compromise a cryptographic system, while the freerdp2 update was prepared by LTS contributor Tobias Frost and is the result of work spanning 3 months to deal with dozens of vulnerabilities. In addition to the many ordinary LTS tasks which were completed (CVE triage, patch backports, package updates, etc), there were several contributions by LTS contributors for the benefit of Debian stable and old-stable releases, as well as for the benefit of upstream projects. LTS contributor Abhijith PA uploaded an update of the puma package to unstable in order to fix a vulnerability in that package while LTS contributor Thosten Alteholz sponsored an upload to unstable of libde265 and himself made corresponding uploads of libde265 to Debian stable and old-stable. LTS contributor Bastien Roucari s developed patches for vulnerabilities in zbar and audiofile which were then provided to the respective upstream projects. Updates to packages in Debian stable were made by Markus Koschany to deal with security vulnerabilities and by Chris Lamb to deal with some non-security bugs. As always, the LTS strives to provide high quality updates to packages under the direct purview of the LTS team while also rendering assistance to maintainers, the stable security team, and upstream developers whenever practical.

Debian LTS contributors In November, 18 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 7.0h (out of 0h assigned and 14.0h from previous period), thus carrying over 7.0h to the next month.
• Adrian Bunk did 15.0h (out of 14.0h assigned and 9.75h from previous period), thus carrying over 8.75h to the next month.
• Anton Gladky did 10.0h (out of 9.5h assigned and 5.5h from previous period), thus carrying over 5.0h to the next month.
• Bastien Roucari s did 16.0h (out of 18.25h assigned and 1.75h from previous period), thus carrying over 4.0h to the next month.
• Ben Hutchings did 12.0h (out of 16.5h assigned and 12.25h from previous period), thus carrying over 16.75h to the next month.
• Chris Lamb did 18.0h (out of 17.25h assigned and 0.75h from previous period).
• Emilio Pozuelo Monfort did 15.5h (out of 23.5h assigned and 0.25h from previous period), thus carrying over 8.25h to the next month.
• Guilhem Moulin did 13.0h (out of 12.0h assigned and 8.0h from previous period), thus carrying over 7.0h to the next month.
• Lee Garrett did 14.5h (out of 16.75h assigned and 7.0h from previous period), thus carrying over 9.25h to the next month.
• Markus Koschany did 30.0h (out of 30.0h assigned).
• Ola Lundqvist did 6.5h (out of 8.25h assigned and 15.5h from previous period), thus carrying over 17.25h to the next month.
• Roberto C. S nchez did 5.5h (out of 12.0h assigned), thus carrying over 6.5h to the next month.
• Santiago Ruano Rinc n did 3.25h (out of 13.62h assigned and 2.375h from previous period), thus carrying over 12.745h to the next month.
• Sean Whitton did 3.25h (out of 10.0h assigned), thus carrying over 6.75h to the next month.
• Sylvain Beucler did 10.0h (out of 13.5h assigned and 10.25h from previous period), thus carrying over 13.75h to the next month.
• Thorsten Alteholz did 14.0h (out of 14.0h assigned).
• Tobias Frost did 12.0h (out of 12.0h assigned).
• Utkarsh Gupta did 0.0h (out of 6.0h assigned and 17.75h from previous period), thus carrying over 23.75h to the next month.

Evolution of the situation In November, we have released 35 DLAs.

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 99 months)
  • Civil Infrastructure Platform (CIP) (for 67 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 110 months)
  • Linode (for 104 months)
  • Babiel GmbH (for 93 months)
  • Plat Home (for 93 months)
  • University of Oxford (for 49 months)
  • Deveryware (for 36 months)
  • VyOS Inc (for 31 months)
  • EDF SA (for 20 months)
• Silver sponsors:
  • Domeneshop AS (for 114 months)
  • Nantes M tropole (for 108 months)
  • Univention GmbH (for 100 months)
  • Universit Jean Monnet de St Etienne (for 100 months)
  • Ribbon Communications, Inc. (for 94 months)
  • Exonet B.V. (for 84 months)
  • Leibniz Rechenzentrum (for 78 months)
  • CINECA (for 67 months)
  • Minist re de l Europe et des Affaires trang res (for 61 months)
  • Cloudways Ltd (for 51 months)
  • Dinahosting SL (for 49 months)
  • Bauer Xcel Media Deutschland KG (for 43 months)
  • Platform.sh SAS (for 43 months)
  • Moxa Inc. (for 37 months)
  • sipgate GmbH (for 34 months)
  • OVH US LLC (for 32 months)
  • Tilburg University (for 32 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 23 months)
  • Soliton Systems K.K. (for 21 months)
• Bronze sponsors:
  • Evolix (for 115 months)
  • Seznam.cz, a.s. (for 115 months)
  • Intevation GmbH (for 112 months)
  • Linuxhotel GmbH (for 112 months)
  • Daevel SARL (for 110 months)
  • Bitfolk LTD (for 109 months)
  • Megaspace Internet Services GmbH (for 109 months)
  • Greenbone AG (for 108 months)
  • NUMLOG (for 108 months)
  • WinGo AG (for 108 months)
  • Ecole Centrale de Nantes - LHEEA (for 104 months)
  • Entr ouvert (for 99 months)
  • Adfinis AG (for 96 months)
  • GNI MEDIA (for 91 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 91 months)
  • Tesorion (for 91 months)
  • Bearstech (for 82 months)
  • LiHAS (for 82 months)
  • Catalyst IT Ltd (for 77 months)
  • Supagro (for 72 months)
  • Demarcq SAS (for 71 months)
  • Universit Grenoble Alpes (for 57 months)
  • TouchWeb SAS (for 49 months)
  • SPiN AG (for 46 months)
  • CoreFiling (for 41 months)
  • Institut des sciences cognitives Marc Jeannerod (for 36 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 33 months)
  • Tem Innovations GmbH (for 27 months)
  • WordFinder.pro (for 27 months)
  • CNRS DT INSU R sif (for 26 months)
  • Alter Way (for 19 months)
  • Institut Camille Jordan (for 8 months)

Contributing to Debian is part of Freexian s mission. This article covers the latest achievements of Freexian and their collaborators. All of this is made possible by organizations subscribing to our Long Term Support contracts and consulting services.

Preparing for Python 3.12 by Stefano Rivera Stefano uploaded a few packages in preparation for Python 3.12, including pycxx and cython. Cython has a major new version (Cython 3), adding support for 3.12, but also bringing changes that many packages in Debian aren t ready to build with, yet. Stefano uploaded it to Debian experimental and did an archive rebuild of affected packages, and some analysis of the result. Matthias Klose has since filed bugs for all of these issues.

debian-printing, by Thorsten Alteholz This month Thorsten invested some of the previously obtained money to build his own printlab. At the moment it only consists of a dedicated computer with an USB printer attached. Due to its 64GB RAM and an SSD, building of debian-printing packages is much faster now. Over time other printers will be added and understanding bugs should be a lot easier now. Also Thorsten again adopted two packages, namely mink and ink, and moved them to the debian-printing team.

Merged-/usr transition by Helmut Grohne, et al The dumat analysis tool has been improved in quite some aspects. Beyond fixing false negative diagnostics, it now recognizes protective diversions used for mitigating Multi-Arch: same file loss. It was found that the proposed mitigation for ineffective diversions does not work as expected. Trying to fix it up resulted in more problems, some of which remain unsolved as of this writing. Initial work on moving shared libraries in the essential set has been done. Meanwhile, the wider Debian community worked on fixing all known Multi-Arch: same file loss scenarios. This work is now being driven by Christian Hofstaedler and during the Mini DebConf in Cambridge, Chris Boot, tienne Mollier, Miguel Landaeta, Samuel Henrique, and Utkarsh Gupta sent the other half of the necessary patches.

Miscellaneous contributions

• Stefano merged patches to support loong64 and hurd-amd64 in re2.
• For the Cambridge mini-conf, Stefano added a web player to the DebConf video streaming frontend, as the Cambridge miniconf didn t have its own website to host the player.
• Rapha l helped the upstream developers of hamster-time-tracker to prepare a new upstream release (the first in multiple years) and packaged that new release in Debian unstable.
• Enrico joined Hemut in brainstorming some /usr-merge solutions.
• Thorsten took care of RM-bugs to remove no longer needed packages from the Debian archive and closed about 50 of them.
• Helmut ported the feature of mounting a fuse connection via /dev/fd/N from fuse3 to fuse2.
• Helmut sent a number of patches simplifying unprivileged use of piuparts.
• Roberto worked with Helmut to prepare the Shorewall package for the ongoing /usr-move transition.
• Utkarsh also helped with the ongoing /usr-merge work by preparing patches for gitlab, libnfc, and net-tools.
• Utkarsh, along with Helmut, brainstormed on fixing #961138, as this affects the whole archive and all the suites and not just R packages. Utkarsh intends to follow up on the bug in December.
• Santiago organized a MiniDebConf in Uruguay. In total, nine people attended, including most of DDs in the surrounding area. Here s a nicely written blog by Gunnar Wolf.
• Santiago also worked on some issues on Salsa CI, fixed with some merge requests: #462, #463, and #466.

Contributing to Debian is part of Freexian s mission. This article covers the latest achievements of Freexian and their collaborators. All of this is made possible by organizations subscribing to our Long Term Support contracts and consulting services.

urllib3 s old security patch by Stefano Rivera Stefano ran into a test-suite failure in a new Debian package (python-truststore), caused by Debian s patch to urllib3 from a decade ago, making it enable TLS verification by default (remember those days!). Some analysis confirmed that this patch isn t useful any more, and could be removed. While working on the package, Stefano investigated the scope of the urllib3 2.x transition. It looks ready to start, not many packages are affected.

Preparing for Python 3.12 in dh-python by Stefano Rivera We are preparing to start the Python 3.12 transition in Debian. Two of the upstream changes that are going to cause a lot of packages to break could be worked-around in dh-python, so we did:

• Distutils is no longer shipped in the Python stdlib. Packages need to Build-Depend on python3-setuptools to get a (compatibility shim) distutils. Until that happens, dh-python will Depend on setuptools.
• A failure to find any tests to execute will now make the unittest runner exit 5, like pytest does. This was our change, to test-suites that have failed to be automatically discovered. It will cause many packages to fail to build, so until they explicitly skip running test suites, dh-python will ignore these failures.

/usr-merge by Helmut Grohne It has become clear that the planned changes to debhelper and systemd.pc cause more rc-bugs. Helmut researched these systematically and filed another stack of patches. At the time of this writing, the uploads would still cause about 40 rc-bugs. A new opt-in helper dh_movetousr has been developed and added to debhelper in trixie and unstable.

debian-printing, by Thorsten Alteholz This month Thorsten adopted two packages, namely rlpr and lprng, and moved them to the debian-printing team. As part of this Thorsten could close eight bugs in the BTS. Thorsten also uploaded a new upstream version of cups, which also meant that eleven bugs could be closed. As package hannah-foo2zjs still depended on the deprecated policykit-1 package, Thorsten changed the dependency list accordingly and could close one RC bug by the following upload.

Invalid PEP-440 Versions in Python Packages by Stefano Rivera Stefano investigated how many packages in Debian (typically Debian-native packages) recorded versions in their packaging metadata (egg-info directories) that weren t valid PEP-440 Python versions. pip is starting to enforce that all versions on the system are valid.

Miscellaneous contributions

• distro-info-data updates in Debian, due to the new Ubuntu release, by Stefano.
• DebConf 23 bookkeeping continues, but is winding down. Stefano still spends a little time on it.
• Utkarsh continues to monitor and help with reimbursements.
• Helmut continues to maintain architecture bootstrap and accidentally broke pam briefly
• Anton uploaded boost1.83 and started to prepare a transition to make boost1.83 as a default boost version.
• Rejuntada Debian UY 2023, a MiniDebConf that will be held in Montevideo, from 9 to 11 November, mainly organized by Santiago.

Like each month, have a look at the work funded by Freexian s Debian LTS offering.

Debian LTS contributors In October, 18 contributors have been paid to work on Debian LTS, their reports are available:

• Adrian Bunk did 8.0h (out of 7.75h assigned and 10.0h from previous period), thus carrying over 9.75h to the next month.
• Anton Gladky did 9.5h (out of 9.5h assigned and 5.5h from previous period), thus carrying over 5.5h to the next month.
• Bastien Roucari s did 16.0h (out of 16.75h assigned and 1.0h from previous period), thus carrying over 1.75h to the next month.
• Ben Hutchings did 8.0h (out of 17.75h assigned), thus carrying over 9.75h to the next month.
• Chris Lamb did 17.0h (out of 17.75h assigned), thus carrying over 0.75h to the next month.
• Emilio Pozuelo Monfort did 17.5h (out of 17.75h assigned), thus carrying over 0.25h to the next month.
• Guilhem Moulin did 9.75h (out of 17.75h assigned), thus carrying over 8.0h to the next month.
• Helmut Grohne did 1.5h (out of 10.0h assigned), thus carrying over 8.5h to the next month.
• Lee Garrett did 10.75h (out of 17.75h assigned), thus carrying over 7.0h to the next month.
• Markus Koschany did 30.0h (out of 30.0h assigned).
• Ola Lundqvist did 4.0h (out of 0h assigned and 19.5h from previous period), thus carrying over 15.5h to the next month.
• Roberto C. S nchez did 12.0h (out of 5.0h assigned and 7.0h from previous period).
• Santiago Ruano Rinc n did 13.625h (out of 7.75h assigned and 8.25h from previous period), thus carrying over 2.375h to the next month.
• Sean Whitton did 13.0h (out of 6.0h assigned and 7.0h from previous period).
• Sylvain Beucler did 7.5h (out of 11.25h assigned and 6.5h from previous period), thus carrying over 10.25h to the next month.
• Thorsten Alteholz did 14.0h (out of 14.0h assigned).
• Tobias Frost did 16.0h (out of 9.25h assigned and 6.75h from previous period).
• Utkarsh Gupta did 0.0h (out of 0.75h assigned and 17.0h from previous period), thus carrying over 17.75h to the next month.

Evolution of the situation In October, we have released 49 DLAs. Of particular note in the month of October, LTS contributor Chris Lamb issued DLA 3627-1 pertaining to Redis, the popular key-value database similar to Memcached, which was vulnerable to an authentication bypass vulnerability. Fixing this vulnerability involved dealing with a race condition that could allow another process an opportunity to establish an otherwise unauthorized connection. LTS contributor Markus Koschany was involved in the mitigation of CVE-2023-44487, which is a protocol-level vulnerability in the HTTP/2 protocol. The impacts within Debian involved multiple packages, across multiple releases, with multiple advisories being released (both DSA for stable and old-stable, and DLA for LTS). Markus reviewed patches and security updates prepared by other Debian developers, investigated reported regressions, provided patches for the aforementioned regressions, and issued several security updates as part of this. Additionally, as MariaDB 10.3 (the version originally included with Debian buster) passed end-of-life earlier this year, LTS contributor Emilio Pozuelo Monfort has begun investigating the feasibility of backporting MariaDB 10.11. The work is in early stages, with much testing and analysis remaining before a final decision can be made, as this only one of several available potential courses of action concerning MariaDB. Finally, LTS contributor Lee Garrett has invested considerable effort into the development the Functional Test Framework here. While so far only an initial version has been published, it already has several features which we intend to begin leveraging for testing of LTS packages. In particular, the FTF supports provisioning multiple VMs for the purposes of performing functional tests of network-facing services (e.g., file services, authentication, etc.). These tests are in addition to the various unit-level tests which are executed during package build time. Development work will continue on FTF and as it matures and begins to see wider use within LTS we expect to improve the quality of the updates we publish.

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 98 months)
  • Civil Infrastructure Platform (CIP) (for 66 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 109 months)
  • Linode (for 103 months)
  • Babiel GmbH (for 92 months)
  • Plat Home (for 92 months)
  • University of Oxford (for 48 months)
  • Deveryware (for 35 months)
  • VyOS Inc (for 30 months)
  • EDF SA (for 19 months)
• Silver sponsors:
  • Domeneshop AS (for 113 months)
  • Nantes M tropole (for 107 months)
  • Univention GmbH (for 99 months)
  • Universit Jean Monnet de St Etienne (for 99 months)
  • Ribbon Communications, Inc. (for 93 months)
  • Exonet B.V. (for 83 months)
  • Leibniz Rechenzentrum (for 77 months)
  • CINECA (for 66 months)
  • Minist re de l Europe et des Affaires trang res (for 60 months)
  • Cloudways Ltd (for 50 months)
  • Dinahosting SL (for 48 months)
  • Bauer Xcel Media Deutschland KG (for 42 months)
  • Platform.sh (for 42 months)
  • Moxa Inc. (for 36 months)
  • sipgate GmbH (for 33 months)
  • OVH US LLC (for 31 months)
  • Tilburg University (for 31 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 23 months)
  • Soliton Systems K.K. (for 20 months)
• Bronze sponsors:
  • Evolix (for 114 months)
  • Seznam.cz, a.s. (for 114 months)
  • Intevation GmbH (for 111 months)
  • Linuxhotel GmbH (for 111 months)
  • Daevel SARL (for 109 months)
  • Bitfolk LTD (for 108 months)
  • Megaspace Internet Services GmbH (for 108 months)
  • Greenbone AG (for 107 months)
  • NUMLOG (for 107 months)
  • WinGo AG (for 107 months)
  • Ecole Centrale de Nantes - LHEEA (for 103 months)
  • Entr ouvert (for 98 months)
  • Adfinis AG (for 95 months)
  • GNI MEDIA (for 90 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 90 months)
  • Tesorion (for 90 months)
  • Bearstech (for 81 months)
  • LiHAS (for 81 months)
  • Catalyst IT Ltd (for 76 months)
  • Supagro (for 71 months)
  • Demarcq SAS (for 70 months)
  • Universit Grenoble Alpes (for 56 months)
  • TouchWeb SAS (for 48 months)
  • SPiN AG (for 45 months)
  • CoreFiling (for 40 months)
  • Institut des sciences cognitives Marc Jeannerod (for 35 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 32 months)
  • Tem Innovations GmbH (for 27 months)
  • WordFinder.pro (for 26 months)
  • CNRS DT INSU R sif (for 25 months)
  • Alter Way (for 18 months)
  • Institut Camille Jordan (for 7 months)

Contributing to Debian is part of Freexian s mission. This article covers the latest achievements of Freexian and their collaborators. All of this is made possible by organizations subscribing to our Long Term Support contracts and consulting services.

Freexian Meetup, by Stefano Rivera, Utkarsh Gupta, et al. During DebConf, Freexian organized a meetup for its collaborators and those interested in learning more about Freexian and its services. It was well received and many people interested in Freexian showed up. Some developers who were interested in contributing to LTS came to get more details about joining the project. And some prospective customers came to get to know us and ask questions. Sadly, the tragic loss of Abraham shook DebConf, both individually and structurally. The meetup got rescheduled to a small room without video coverage. With that, we still had a wholesome interaction and here s a quick picture from the meetup taken by Utkarsh (which is also why he s missing!).

Debusine, by Rapha l Hertzog, et al. Freexian has been investing into debusine for a while, but development speed is about to increase dramatically thanks to funding from SovereignTechFund.de. Rapha l laid out the 5 milestones of the funding contract, and filed the issues for the first milestone. Together with Enrico and Stefano, they established a workflow for the expanded team. Among the first steps of this milestone, Enrico started to work on a developer-friendly description of debusine that we can use when we reach out to the many Debian contributors that we will have to interact with. And Rapha l started the design work of the autopkgtest and lintian tasks, i.e. what s the interface to schedule such tasks, what behavior and what associated options do we support? At this point you might wonder what debusine is supposed to be let us try to answer this: Debusine manages scheduling and distribution of Debian-related build and QA tasks to a network of worker machines. It also manages the resulting artifacts and provides the results in an easy to consume way. We want to make it easy for Debian contributors to leverage all the great QA tools that Debian provides. We want to build the next generation of Debian s build infrastructure, one that will continue to reliably do what it already does, but that will also enable distribution-wide experiments, custom package repositories and custom workflows with advanced package reviews. If this all sounds interesting to you, don t hesitate to watch the project on salsa.debian.org and to contribute.

lpr/lpd in Debian, by Thorsten Alteholz During Debconf23, Till Kamppeter presented CPDB (Common Print Dialog Backend), a new way to handle print queues. After this talk it was discussed whether the old lpr/lpd based printing system could be abandoned in Debian or whether there is still demand for it. So Thorsten asked on the debian-devel email list whether anybody uses it. Oddly enough, these old packages are still useful:

• Within a small network it is easier to distribute a printcap file, than to properly configure cups clients.
• One of the biggest manufacturers of WLAN router and DSL boxes only supports raw queues when attaching an USB printer to their hardware. Admittedly the CPDB still has problems with such raw queues.
• The Pharos printing system at MIT is still lpd-based.

As a result, the lpr/lpd stuff is not yet ready to be abandoned and Thorsten will adopt the relevant packages (or rather move them under the umbrella of the debian-printing team). Though it is not planned to develop new features, those packages should at least have a maintainer. This month Thorsten adopted rlpr, an utility for lpd printing without using /etc/printcap. The next one he is working on is lprng, a lpr/lpd printer spooling system. If you know of any other package that is also needed and still maintained by the QA team, please tell Thorsten.

/usr-merge, by Helmut Grohne Discussion about lifting the file move moratorium has been initiated with the CTTE and the release team. A formal lift is dependent on updating debootstrap in older suites though. A significant number of packages can automatically move their systemd unit files if dh_installsystemd and systemd.pc change their installation targets. Unfortunately, doing so makes some packages FTBFS and therefore patches have been filed. The analysis tool, dumat, has been enhanced to better understand which upgrade scenarios are considered supported to reduce false positive bug filings and gained a mode for local operation on a .changes file meant for inclusion in salsa-ci. The filing of bugs from dumat is still manual to improve the quality of reports. Since September, the moratorium has been lifted.

Miscellaneous contributions

• Rapha l updated Django s backport in bullseye-backports to match the latest security release that was published in bookworm. Tracker.debian.org is still using that backport.
• Helmut Grohne sent 13 patches for cross build failures.
• Helmut Grohne performed a maintenance upload of debvm enabling its use in autopkgtests.
• Helmut Grohne wrote an API-compatible reimplementation of autopkgtest-build-qemu. It is powered by mmdebstrap, therefore unprivileged, EFI-only and will soon be included in mmdebstrap.
• Santiago continued the work regarding how to make it easier to (automatically) test reverse dependencies. An example of the ongoing work was presented during the Salsa CI BoF at DebConf 23.
  In fact, omniorb-dfsg test pipelines as the above were used for the omniorb-dfsg 4.3.0 transition, verifying how the reverse dependencies (tango, pytango and omnievents) were built and how their autopkgtest jobs run with the to-be-uploaded omniorb-dfsg new release.
• Utkarsh and Stefano attended and helped run DebConf 23. Also continued winding up DebConf 22 accounting.
• Anton Gladky did some science team uploads to fix RC bugs.

Like each month, have a look at the work funded by Freexian s Debian LTS offering.

Debian LTS contributors In August, 19 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 0.0h (out of 12.0h assigned and 2.0h from previous period), thus carrying over 14.0h to the next month.
• Adrian Bunk did 18.5h (out of 18.5h assigned).
• Anton Gladky did 7.5h (out of 5.0h assigned and 10.0h from previous period), thus carrying over 7.5h to the next month.
• Bastien Roucari s did 17.0h (out of 15.5h assigned and 3.0h from previous period), thus carrying over 1.5h to the next month.
• Ben Hutchings did 18.5h (out of 9.0h assigned and 9.5h from previous period).
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Emilio Pozuelo Monfort did 18.5h (out of 18.25h assigned and 0.25h from previous period).
• Guilhem Moulin did 24.0h (out of 22.5h assigned and 1.5h from previous period).
• Jochen Sprickerhof did 2.5h (out of 8.5h assigned and 10.0h from previous period), thus carrying over 16.0h to the next month.
• Lee Garrett did 18.0h (out of 9.25h assigned and 9.25h from previous period), thus carrying over 0.5h to the next month.
• Markus Koschany did 28.5h (out of 28.5h assigned).
• Ola Lundqvist did 0.0h (out of 0h assigned and 24.0h from previous period), thus carrying over 24.0h to the next month.
• Roberto C. S nchez did 18.5h (out of 13.0h assigned and 5.5h from previous period).
• Santiago Ruano Rinc n did 18.5h (out of 18.25h assigned and 0.25h from previous period).
• Sean Whitton did 7.0h (out of 10.0h assigned), thus carrying over 3.0h to the next month.
• Sylvain Beucler did 18.5h (out of 9.75h assigned and 8.75h from previous period).
• Thorsten Alteholz did 14.0h (out of 14.0h assigned).
• Tobias Frost did 16.0h (out of 16.0h assigned).
• Utkarsh Gupta did 12.25h (out of 0h assigned and 12.25h from previous period).

Evolution of the situation In August, we have released 42 DLAs. The month of August turned out to be a rather quiet month for the LTS team. Three notable updates were to bouncycastle, openssl, and zabbix. In the case of bouncycastle a flaw allowed for the possibility of LDAP injection and the openssl update corrected a resource exhaustion bug that could result in a denial of service. Zabbix, while not widely used, was the subject of several vulnerabilities which while not individually severe did combine to result in the zabbix update being of particular note. Apart from those, the LTS team continued the always ongoing work of triaging, investigating, and fixing vulnerabilities, as well as making contributions to the broader Debian and Free Software communities.

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 96 months)
  • Civil Infrastructure Platform (CIP) (for 64 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 107 months)
  • Linode (for 101 months)
  • Babiel GmbH (for 90 months)
  • Plat Home (for 90 months)
  • University of Oxford (for 46 months)
  • Deveryware (for 33 months)
  • VyOS Inc (for 28 months)
  • EDF SA (for 17 months)
• Silver sponsors:
  • Domeneshop AS (for 111 months)
  • Nantes M tropole (for 105 months)
  • Univention GmbH (for 97 months)
  • Universit Jean Monnet de St Etienne (for 97 months)
  • Ribbon Communications, Inc. (for 91 months)
  • Exonet B.V. (for 81 months)
  • Leibniz Rechenzentrum (for 75 months)
  • CINECA (for 64 months)
  • Minist re de l Europe et des Affaires trang res (for 58 months)
  • Cloudways Ltd (for 48 months)
  • Dinahosting SL (for 46 months)
  • Bauer Xcel Media Deutschland KG (for 40 months)
  • Platform.sh (for 40 months)
  • Moxa Inc. (for 34 months)
  • sipgate GmbH (for 31 months)
  • OVH US LLC (for 29 months)
  • Tilburg University (for 29 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 20 months)
  • Soliton Systems K.K. (for 18 months)
• Bronze sponsors:
  • Evolix (for 112 months)
  • Seznam.cz, a.s. (for 112 months)
  • Linuxhotel GmbH (for 109 months)
  • Intevation GmbH (for 108 months)
  • Daevel SARL (for 107 months)
  • Bitfolk LTD (for 106 months)
  • Megaspace Internet Services GmbH (for 106 months)
  • Greenbone AG (for 105 months)
  • NUMLOG (for 105 months)
  • WinGo AG (for 105 months)
  • Ecole Centrale de Nantes - LHEEA (for 101 months)
  • Entr ouvert (for 96 months)
  • Adfinis AG (for 93 months)
  • GNI MEDIA (for 88 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 88 months)
  • Tesorion (for 88 months)
  • Bearstech (for 79 months)
  • LiHAS (for 79 months)
  • Catalyst IT Ltd (for 74 months)
  • Supagro (for 69 months)
  • Demarcq SAS (for 68 months)
  • Universit Grenoble Alpes (for 54 months)
  • TouchWeb SAS (for 46 months)
  • SPiN AG (for 43 months)
  • CoreFiling (for 38 months)
  • Institut des sciences cognitives Marc Jeannerod (for 33 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 30 months)
  • Tem Innovations GmbH (for 24 months)
  • WordFinder.pro (for 24 months)
  • CNRS DT INSU R sif (for 23 months)
  • Alter Way (for 16 months)
  • Institut Camille Jordan (for 5 months)

Contributing to Debian is part of Freexian s mission. This article covers the latest achievements of Freexian and their collaborators. All of this is made possible by organizations subscribing to our Long Term Support contracts and consulting services.

/usr-merge work, by Helmut Grohne, et al. Given that we now have consensus on moving forward by moving aliased files from / to /usr, we will also run into the problems that the file move moratorium was meant to prevent. The way forward is detecting them early and applying workarounds on a per-package basis. Said detection is now automated using the Debian Usr Merge Analysis Tool. As problems are reported to the bug tracking system, they are connected to the reports if properly usertagged. Bugs and patches for problem categories DEP17-P2 and DEP17-P6 have been filed. After consensus has been reached on the bootstrapping matters, debootstrap has been changed to swap the initial unpack and merging to avoid unpack errors due to pre-existing links. This is a precondition for having base-files install the aliasing symbolic links eventually. It was identified that the root filesystem used by the Debian installer is still unmerged and a change has been proposed. debhelper was changed to recognize systemd units installed to /usr. A discussion with the CTTE and release team on repealing the moratorium has been initiated.

Salsa CI work, by Santiago Ruano Rinc n August was a busy month in the Salsa CI world. Santiago reviewed and merged a bunch of MRs that have improved the project in different aspects: The aptly job got two MRs from Philip Hands. With the first one, the aptly now can export a couple of variables in a dotenv file, and with the second, it can include packages from multiple artifact directories. These MRs bring the base to improve how to test reverse dependencies with Salsa CI. Santiago is working on documenting this. As a result of the mass bug filing done in August, Salsa CI now includes a job to test how a package builds twice in a row. Thanks to the MRs of Sebastiaan Couwenberg and Johannes Schauer Marin Rodrigues. Last but not least, Santiago helped Johannes Schauer Marin Rodrigues to complete the support for arm64-only pipelines.

DebConf23 lead-up, by Stefano Rivera Stefano wears a few hats in the DebConf organization and in the lead up to the conference in mid-September, they ve all been quite busy. As one of the treasurers of DebConf 23, there has been a final budget update, and quite a few payments to coordinate from Debian s Trusted Organizations. We try to close the books from the previous conference at the next one, so a push was made to get DebConf 22 account statements out of TOs and record them in the conference ledger. As a website developer, we had a number of registration-related tasks, emailing attendees and trying to estimate numbers for food and accommodation. As a conference committee member, the job was mostly taking calls and helping the local team to make decisions on urgent issues. For example, getting conference visas issued to attendees required getting political approval from the Indian government. We only discovered the full process for this too late to clear some complex cases, so this required some hard calls on skipping some countries from the application list, allowing everyone else to get visas in time. Unfortunate, but necessary.

Miscellaneous contributions

• Rapha l Hertzog updated gnome-shell-extension-hamster to a new upstream git snapshot that is compatible with GNOME Shell 44 that was recently uploaded to Debian unstable/testing. This extension makes it easy to start/stop tracking time with Hamster Time Tracker. Very handy for consultants like us who are billing their work per hour.
• Rapha l also updated zim to the latest upstream release (0.74.2). This is a desktop wiki that can be very useful as a note-taking tool to build your own personal knowledge base or even to manage your personal todo lists.
• Utkarsh reviewed and sponsored some uploads from mentors.debian.net.
• Utkarsh helped the local team and the bursary team with some more DebConf activities and helped finalize the data.
• Thorsten tried to update package hplip. Unfortunately upstream added some new compressed files that need to appear uncompressed in the package. Even though this sounded like an easy task, which seemed to be already implemented in the current debian/rules, the new type of files broke this implementation and made the package no longer buildable. The problem has been solved and the upload will happen soon.
• Helmut sent 7 patches for cross build failures. Since dpkg-buildflags now defaults to issue arm64-specific compiler flags, more care is needed to distinguish between build architecture flags and host architecture flags than previously.
• Stefano pushed the final bit of the tox 4 transition over the line in Debian, allowing dh-python and tox 4 to migrate to testing. We got caught up in a few unusual bugs in tox and the way we run it in Debian package building (which had to change with tox 4). This resulted in a couple of patches upstream.
• Stefano visited Haifa, Israel, to see the proposed DebConf 24 venue and meet with the local team. While the venue isn t committed yet, we have high hopes for it.

Like each month, have a look at the work funded by Freexian s Debian LTS offering.

Debian LTS contributors In July, 18 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 0.0h (out of 0h assigned and 2.0h from previous period), thus carrying over 2.0h to the next month.
• Adrian Bunk did 24.75h (out of 18.25h assigned and 6.5h from previous period).
• Anton Gladky did 5.0h (out of 5.0h assigned and 10.0h from previous period), thus carrying over 10.0h to the next month.
• Bastien Roucari s did 17.0h (out of 17.0h assigned and 3.0h from previous period), thus carrying over 3.0h to the next month.
• Ben Hutchings did 14.0h (out of 24.0h assigned), thus carrying over 9.5h to the next month.
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Emilio Pozuelo Monfort did 24.0h (out of 24.75h assigned), thus carrying over 0.25h to the next month.
• Guilhem Moulin did 23.25h (out of 24.75h assigned), thus carrying over 1.5h to the next month.
• Jochen Sprickerhof did 10.0h (out of 20.0h assigned), thus carrying over 10.0h to the next month.
• Lee Garrett did 16.0h (out of 9.75h assigned and 15.5h from previous period), thus carrying over 9.25h to the next month.
• Markus Koschany did 24.75h (out of 24.75h assigned).
• Ola Lundqvist did 0.0h (out of 13.0h assigned and 11.0h from previous period), thus carrying over 24.0h to the next month.
• Roberto C. S nchez did 19.25h (out of 14.75h assigned and 10.0h from previous period), thus carrying over 5.5h to the next month.
• Santiago Ruano Rinc n did 25.5h (out of 10.5h assigned and 15.25h from previous period), thus carrying over 0.25h to the next month.
• Sylvain Beucler did 16.0h (out of 21.25h assigned and 3.5h from previous period), thus carrying over 8.75h to the next month.
• Thorsten Alteholz did 14.0h (out of 14.0h assigned).
• Tobias Frost did 16.0h (out of 16.0h assigned).
• Utkarsh Gupta did 1.5h (out of 0h assigned and 13.75h from previous period), thus carrying over 12.25h to the next month.

Evolution of the situation In July, we have released 35 DLAs. LTS contributor Lee Garrett, has continued his hard work to prepare a testing framework for Samba, that can now provision bootable VMs with little effort, both for Debian and for Windows. This work included the introduction of a new package to Debian, rhsrvany, which allows turning any Windows program or script into a Windows service. As the Samba testing framework matures it will be possible to perform functional tests which cannot be performed with other available test mechanisms and aspects of this framework will be generalizable to other package ecosystems beyond Samba. July included a notable security update of bind9 by LTS contributor Chris Lamb. This update addressed a potential denial of service attack in this critical network infrastructure component.

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 95 months)
  • Civil Infrastructure Platform (CIP) (for 63 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 106 months)
  • Linode (for 100 months)
  • Babiel GmbH (for 89 months)
  • Plat Home (for 89 months)
  • University of Oxford (for 45 months)
  • Deveryware (for 32 months)
  • VyOS Inc (for 27 months)
  • EDF SA (for 16 months)
• Silver sponsors:
  • Domeneshop AS (for 110 months)
  • Nantes M tropole (for 104 months)
  • Univention GmbH (for 96 months)
  • Universit Jean Monnet de St Etienne (for 96 months)
  • Ribbon Communications, Inc. (for 90 months)
  • Exonet B.V. (for 80 months)
  • Leibniz Rechenzentrum (for 74 months)
  • CINECA (for 63 months)
  • Minist re de l Europe et des Affaires trang res (for 57 months)
  • Cloudways Ltd (for 47 months)
  • Dinahosting SL (for 45 months)
  • Bauer Xcel Media Deutschland KG (for 39 months)
  • Platform.sh (for 39 months)
  • Moxa Inc. (for 33 months)
  • sipgate GmbH (for 30 months)
  • OVH US LLC (for 28 months)
  • Tilburg University (for 28 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 20 months)
  • Soliton Systems K.K. (for 17 months)
• Bronze sponsors:
  • Evolix (for 111 months)
  • Seznam.cz, a.s. (for 111 months)
  • Intevation GmbH (for 108 months)
  • Linuxhotel GmbH (for 108 months)
  • Daevel SARL (for 106 months)
  • Bitfolk LTD (for 105 months)
  • Megaspace Internet Services GmbH (for 105 months)
  • Greenbone AG (for 104 months)
  • NUMLOG (for 104 months)
  • WinGo AG (for 104 months)
  • Ecole Centrale de Nantes - LHEEA (for 100 months)
  • Entr ouvert (for 95 months)
  • Adfinis AG (for 92 months)
  • GNI MEDIA (for 87 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 87 months)
  • Tesorion (for 87 months)
  • Bearstech (for 78 months)
  • LiHAS (for 78 months)
  • Catalyst IT Ltd (for 73 months)
  • Supagro (for 68 months)
  • Demarcq SAS (for 67 months)
  • Universit Grenoble Alpes (for 53 months)
  • TouchWeb SAS (for 45 months)
  • SPiN AG (for 42 months)
  • CoreFiling (for 37 months)
  • Institut des sciences cognitives Marc Jeannerod (for 32 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 29 months)
  • Tem Innovations GmbH (for 24 months)
  • WordFinder.pro (for 23 months)
  • CNRS DT INSU R sif (for 22 months)
  • Alter Way (for 15 months)
  • Institut Camille Jordan (for 4 months)

Contributing to Debian is part of Freexian s mission. This article covers the latest achievements of Freexian and their collaborators. All of this is made possible by organizations subscribing to our Long Term Support contracts and consulting services.

tracker.debian.org work by Rapha l Hertzog Rapha l spent some time during his vacation to update distro-tracker to be fully compatible with Django 3.2 so that the codebase and the whole testsuite can run on Debian 12. There s one exception though with the functional test suite that still needs further work to cope with the latest version of Selenium. By dropping support of Django 2.2, Rapha l could also start to work toward support of Django 4.2 since Django helpfully emits deprecation warnings of things that will break in future versions. All the warnings have been fixed but the codebase still fails its testsuite in Django 4.2 because we have to get rid of the python3-django-jsonfield dependency (that is rightfully dead upstream since Django has native support nowadays). All the JSONField have been converted to use Django s native field, but the migration system still requires that dependency at this point. This will require either some fresh reboot of the migration history, or some other trickery to erase the jsonfield dependency from the history of migrations. If you have experience with that, don t hesitate to share it (mail at hertzog@debian.org, or reach out to buxy on IRC). At this point, tracker.debian.org runs with Django 3.2 on Debian 11 since Debian System Administrators are not yet ready to upgrade debian.org hosts to Debian 12.

DebConf 23 bursary work by Utkarsh Gupta Utkarsh led the bursary team this year. The bursary team got a ton of requests this time. Rolling out the results in 4 batches, the bursary team catered over 165 bursary requests - which is superb! The team managed to address all the requests and answered a bit over 120 emails in the process. With that, the bursaries are officially closed for DebConf 2023. The team also intends to roll out some of the statistics closer to DebConf.

Miscellaneous contributions

• Stefano implemented meson support in pybuild, the tool for building Python packages in Debian against multiple Python versions.
• Santiago did some work on Salsa CI to enhance the ARM support on the autopkgtest job and make Josch s branch work. MR to come soon.
• Helmut sent patches for 6 cross build failures.
• Stefano has been preparing for DebConf 23: Working on the website, and assisting the local teams.
• Stefano attended the DebConf Video team sprint in Paris, mostly looking at new hardware and software options for video capture and live-mixing. Full sprint report.

Like each month, have a look at the work funded by Freexian s Debian LTS offering.

Debian LTS contributors In June, 17 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 12.0h (out of 6.0h assigned and 8.0h from previous period), thus carrying over 2.0h to the next month.
• Adrian Bunk did 28.0h (out of 0h assigned and 34.5h from previous period), thus carrying over 6.5h to the next month.
• Anton Gladky did 5.0h (out of 6.0h assigned and 9.0h from previous period), thus carrying over 10.0h to the next month.
• Bastien Roucari s did 17.0h (out of 17.0h assigned and 3.0h from previous period), thus carrying over 3.0h to the next month.
• Ben Hutchings did 24.0h (out of 16.5h assigned and 7.0h from previous period).
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Emilio Pozuelo Monfort did 24.0h (out of 21.0h assigned and 2.5h from previous period).
• Guilhem Moulin did 20.0h (out of 20.0h assigned).
• Lee Garrett did 25.0h (out of 0h assigned and 40.5h from previous period), thus carrying over 15.5h to the next month.
• Markus Koschany did 23.5h (out of 23.5h assigned).
• Ola Lundqvist did 13.0h (out of 0h assigned and 24.0h from previous period), thus carrying over 11.0h to the next month.
• Roberto C. S nchez did 13.5h (out of 9.75h assigned and 13.75h from previous period), thus carrying over 10.0h to the next month.
• Santiago Ruano Rinc n did 8.25h (out of 23.5h assigned), thus carrying over 15.25h to the next month.
• Sylvain Beucler did 20.0h (out of 23.5h assigned), thus carrying over 3.5h to the next month.
• Thorsten Alteholz did 14.0h (out of 14.0h assigned).
• Tobias Frost did 16.0h (out of 16.0h assigned).
• Utkarsh Gupta did 0.0h (out of 0h assigned and 25.5h from previous period), thus carrying over 25.5h to the next month.

Evolution of the situation In June, we have released 40 DLAs. Notable security updates in June included mariadb-10.3, openssl, and golang-go.crypto. The mariadb-10.3 package was synchronized with the latest upstream maintenance release, version 10.3.39. The openssl package was patched to correct several flaws with certificate validation and with object identifier parsing. Finally, the golang-go.crypto package was updated to address several vulnerabilities, and several associated Go packages were rebuilt in order to properly incorporate the update. LTS contributor Sylvain has been hard at work with some behind-the-scenes improvements to internal tooling and documentation. His efforts are helping to improve the efficiency of all LTS contributors and also helping to improve the quality of their work, making our LTS updates more timely and of higher quality. LTS contributor Lee Garrett began working on a testing framework specifically for Samba. Given the critical role which Samba plays in many deployments, the tremendous impact which regressions can have in those cases, and the unique testing requirements of Samba, this work will certainly result in increased confidence around our Samba updates for LTS. LTS contributor Emilio Pozuelo Monfort has begun preparatory work for the upcoming Firefox ESR version 115 release. Firefox ESR (and the related Thunderbird ESR) requires special work to maintain up to date in LTS. Mozilla do not release individual patches for CVEs, and our policy is to incorporate new ESR releases from Mozilla into LTS. Most updates are minor updates, but once a year Mozilla will release a major update as they move to a new major version for ESR. The update to a new major ESR version entails many related updates to toolchain and other packages. The preparations that Emilio has begun will ensure that once the 115 ESR release is made, updated packages will be available in LTS with minimal delay. Another highlight of behind-the-scenes work is our Front Desk personnel. While we often focus on the work which results in published package updates, much work is also involved in reviewing new vulnerabilities and triaging them (i.e., determining if they affect one or more packages in LTS and then determining the severity of those which are applicable). These intrepid contributors (Emilio Pozuelo Monfort, Markus Koschany, Ola Lundqvist, Sylvain Beucler, and Thorsten Alteholz for the month of June) reviewed dozens of vulnerabilities and made decisions about how those vulnerabilities should be dealt with.

Thanks to our sponsors

• Platinum sponsors:
  • TOSHIBA (for 94 months)
  • Civil Infrastructure Platform (CIP) (for 62 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 105 months)
  • Linode (for 99 months)
  • Babiel GmbH (for 88 months)
  • Plat Home (for 88 months)
  • University of Oxford (for 44 months)
  • Deveryware (for 31 months)
  • VyOS Inc (for 26 months)
  • EDF SA (for 15 months)
• Silver sponsors:
  • Domeneshop AS (for 109 months)
  • Nantes M tropole (for 103 months)
  • Univention GmbH (for 95 months)
  • Universit Jean Monnet de St Etienne (for 95 months)
  • Ribbon Communications, Inc. (for 89 months)
  • Exonet B.V. (for 79 months)
  • Leibniz Rechenzentrum (for 73 months)
  • CINECA (for 62 months)
  • Minist re de l Europe et des Affaires trang res (for 56 months)
  • Cloudways Ltd (for 46 months)
  • Dinahosting SL (for 44 months)
  • Bauer Xcel Media Deutschland KG (for 38 months)
  • Platform.sh (for 38 months)
  • Moxa Inc. (for 32 months)
  • sipgate GmbH (for 29 months)
  • OVH US LLC (for 27 months)
  • Tilburg University (for 27 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 18 months)
  • Soliton Systems K.K. (for 16 months)
• Bronze sponsors:
  • Evolix (for 110 months)
  • Seznam.cz, a.s. (for 110 months)
  • Intevation GmbH (for 107 months)
  • Linuxhotel GmbH (for 107 months)
  • Daevel SARL (for 105 months)
  • Bitfolk LTD (for 104 months)
  • Megaspace Internet Services GmbH (for 104 months)
  • Greenbone AG (for 103 months)
  • NUMLOG (for 103 months)
  • WinGo AG (for 103 months)
  • Ecole Centrale de Nantes - LHEEA (for 99 months)
  • Entr ouvert (for 94 months)
  • Adfinis AG (for 91 months)
  • GNI MEDIA (for 86 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 86 months)
  • Tesorion (for 86 months)
  • Bearstech (for 77 months)
  • LiHAS (for 77 months)
  • Catalyst IT Ltd (for 72 months)
  • Supagro (for 67 months)
  • Demarcq SAS (for 66 months)
  • Universit Grenoble Alpes (for 52 months)
  • TouchWeb SAS (for 44 months)
  • SPiN AG (for 41 months)
  • CoreFiling (for 36 months)
  • Institut des sciences cognitives Marc Jeannerod (for 31 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 28 months)
  • Tem Innovations GmbH (for 22 months)
  • WordFinder.pro (for 22 months)
  • CNRS DT INSU R sif (for 21 months)
  • Alter Way (for 14 months)
  • Institut Camille Jordan (for 3 months)

Contributing to Debian is part of Freexian s mission. This article covers the latest achievements of Freexian and their collaborators. All of this is made possible by organizations subscribing to our Long Term Support contracts and consulting services.

/usr-merge, by Helmut Grohne, et al The work on /usr-merge continues from May. The lengthy discussion was condensed into a still lengthy rewrite of DEP17 listing all known problems and proposed mitigations. An initial consensus call did not resolve all questions, but we now have rough consensus on finalizing the transition without relying on major changes to dpkg. Other questions still have diverging opinions and some matters such as how to not break backports are still missing satisfying answers.

DebConf Bursary prep, by Utkarsh Gupta DebCamp and DebConf is happening from 03rd September to 17th September in Kochi, India, and the DebConf Bursary team is gearing up for that. After extending the bursary deadline (catering to the requests coming in from various people), we ve finally managed to clock over 260 bursary requests. The team is set up and we re starting to review the applications. The team intends to roll out the result as soon as possible.

debci, by Helmut Grohne As Freexian is working on deploying autopkgtests for the LTS and ELTS services, debci and autopkgtests were improved in Debian to better deal with derivatives (e.g. by better supporting external package signing keyrings). Other aspects that are not deployed on ci.debian.net such as the qemu backend were also improved. We express thanks to the relevant maintainers Antonio Terceiro, Paul Gevers and Simon McVittie for their timely reviews and merges of our changes.

Miscellaneous contributions

• Following the release of Debian 12, Rapha l Hertzog updated tracker.debian.org to be aware of trixie. He also pushed some fixes to distro-tracker (the software powering tracker.debian.org) and released version 1.2.0 (since the former release was lacking fixes to run on Debian 12 bookworm).
• Following the release of Debian 12, Helmut Grohne updated crossqa.debian.net systems. He also sent 7 patches for cross build failures and continued adapting rebootstrap to changes in unstable.
• Santiago Ruano Rinc n started to work on how to improve the robustness of Salsa CI s pipeline for some jobs failing frequently.
• Thorsten Alteholz did security updates of cpdb-libs in Unstable and Bookworm.
• Stefano Rivera upgraded pixelfed.debian.social to bookworm.
• Stefano started an re2 library transition, and started preparation for the next transition.
• Helmut Grohne updated debvm in unstable releasing changes that accumulated during the freeze.
• Stefano did some work on the website and infrastructure for DebConf 23.
• Utkarsh Gupta helped review and fix open redmine bugs and fix them all in unstable.

Like each month, have a look at the work funded by Freexian s Debian LTS offering.

Debian LTS contributors In May, 18 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 6.0h (out of 6.0h assigned and 8.0h from previous period), thus carrying over 8.0h to the next month.
• Anton Gladky did 6.0h (out of 8.0h assigned and 7.0h from previous period), thus carrying over 9.0h to the next month.
• Bastien Roucari s did 17.0h (out of 17.0h assigned and 3.0h from previous period), thus carrying over 3.0h to the next month.
• Ben Hutchings did 17.0h (out of 16.0h assigned and 8.0h from previous period), thus carrying over 7.0h to the next month.
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Daniel Leidert did 0.0h (out of 0h assigned and 12.0h from previous period), thus carrying over 12.0h to the next month.
• Dominik George did 0.0h (out of 0h assigned and 20.34h from previous period), thus carrying over 20.34h to the next month.
• Emilio Pozuelo Monfort did 32.0h (out of 18.5h assigned and 16.0h from previous period), thus carrying over 2.5h to the next month.
• Guilhem Moulin did 20.0h (out of 8.5h assigned and 11.5h from previous period).
• Holger Levsen did 0.0h (out of 0h assigned and 10.0h from previous period), thus carrying over 10.0h to the next month.
• Lee Garrett did 0.0h (out of 0h assigned and 40.5h from previous period), thus carrying over 40.5h to the next month.
• Markus Koschany did 34.5h (out of 34.5h assigned).
• Roberto C. S nchez did 18.25h (out of 20.5h assigned and 11.5h from previous period), thus carrying over 13.75h to the next month.
• Scarlett Moore did 20.0h (out of 20.0h assigned).
• Sylvain Beucler did 34.5h (out of 29.0h assigned and 5.5h from previous period).
• Thorsten Alteholz did 14.0h (out of 14.0h assigned).
• Tobias Frost did 16.0h (out of 15.0h assigned and 1.0h from previous period).
• Utkarsh Gupta did 5.5h (out of 5.0h assigned and 26.0h from previous period), thus carrying over 25.5h to the next month.

Evolution of the situation In May, we have released 34 DLAs. Several of the DLAs constituted notable security updates to LTS during the month of May. Of particular note were the linux (4.19) and linux-5.10 packages, both of which addressed a considerable number of CVEs. Additionally, the postgresql-11 package was updated by synchronizing it with the 11.20 release from upstream. Notable non-security updates were made to the distro-info-data database and the timezone database. The distro-info-data package was updated with the final expected release date of Debian 12, made aware of Debian 14 and Ubuntu 23.10, and was updated with the latest EOL dates for Ubuntu releases. The tzdata and libdatetime-timezone-perl packages were updated with the 2023c timezone database. The changes in these packages ensure that in addition to the latest security updates LTS users also have the latest information concerning Debian and Ubuntu support windows, as well as the latest timezone data for accurate worldwide timekeeping. LTS contributor Anton implemented an improvement to the Debian Security Tracker Unfixed vulnerabilities in unstable without a filed bug view, allowing for more effective management of CVEs which do not yet have a corresponding bug entry in the Debian BTS. LTS contributor Sylvain concluded an audit of obsolete packages still supported in LTS to ensure that new CVEs are properly associated. In this case, a package being obsolete means that it is no longer associated with a Debian release for which the Debian Security Team has direct responsibility. When this occurs, it is the responsibility of the LTS team to ensure that incoming CVEs are properly associated to packages which exist only in LTS. Finally, LTS contributors also contributed several updates to packages in unstable/testing/stable to fix CVEs. This helps package maintainers, addresses CVEs in current and future Debian releases, and ensures that the CVEs do not remain open for an extended period of time only for the LTS team to be required to deal with them much later in the future.

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 93 months)
  • Civil Infrastructure Platform (CIP) (for 61 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 104 months)
  • Linode (for 98 months)
  • Babiel GmbH (for 87 months)
  • Plat Home (for 87 months)
  • University of Oxford (for 43 months)
  • Deveryware (for 30 months)
  • VyOS Inc (for 25 months)
  • EDF SA (for 14 months)
• Silver sponsors:
  • Domeneshop AS (for 108 months)
  • Nantes M tropole (for 102 months)
  • Univention GmbH (for 94 months)
  • Universit Jean Monnet de St Etienne (for 94 months)
  • Ribbon Communications, Inc. (for 88 months)
  • Exonet B.V. (for 78 months)
  • Leibniz Rechenzentrum (for 72 months)
  • CINECA (for 61 months)
  • Minist re de l Europe et des Affaires trang res (for 55 months)
  • Cloudways Ltd (for 45 months)
  • Dinahosting SL (for 43 months)
  • Bauer Xcel Media Deutschland KG (for 37 months)
  • Platform.sh (for 37 months)
  • Moxa Inc. (for 31 months)
  • sipgate GmbH (for 28 months)
  • OVH US LLC (for 26 months)
  • Tilburg University (for 26 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 17 months)
  • Soliton Systems K.K. (for 15 months)
• Bronze sponsors:
  • Evolix (for 109 months)
  • Seznam.cz, a.s. (for 109 months)
  • Linuxhotel GmbH (for 106 months)
  • Intevation GmbH (for 105 months)
  • Daevel SARL (for 104 months)
  • Bitfolk LTD (for 103 months)
  • Megaspace Internet Services GmbH (for 103 months)
  • Greenbone AG (for 102 months)
  • NUMLOG (for 102 months)
  • WinGo AG (for 102 months)
  • Ecole Centrale de Nantes - LHEEA (for 98 months)
  • Entr ouvert (for 93 months)
  • Adfinis AG (for 90 months)
  • GNI MEDIA (for 85 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 85 months)
  • Tesorion (for 85 months)
  • Bearstech (for 76 months)
  • LiHAS (for 76 months)
  • Catalyst IT Ltd (for 71 months)
  • Supagro (for 66 months)
  • Demarcq SAS (for 65 months)
  • Universit Grenoble Alpes (for 51 months)
  • TouchWeb SAS (for 43 months)
  • SPiN AG (for 40 months)
  • CoreFiling (for 35 months)
  • Institut des sciences cognitives Marc Jeannerod (for 30 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 27 months)
  • Tem Innovations GmbH (for 21 months)
  • WordFinder.pro (for 21 months)
  • CNRS DT INSU R sif (for 20 months)
  • Alter Way (for 13 months)
  • Institut Camille Jordan

Contributing to Debian is part of Freexian s mission. This article covers the latest achievements of Freexian and their collaborators. All of this is made possible by organizations subscribing to our Long Term Support contracts and consulting services.

/usr-merge, by Helmut Grohne, et al Towards the end of April, the discussion on DEP 17 on debian-devel@l.d.o initiated by Helmut Grohne took off, trying to deal with the fact that while Debian bookworm has a merged /usr, files are still being distributed to / and /usr in Debian binary packages, and moving them currently has some risk of breakage. Most participants of the discussion agreed that files should be moved, and there are several competing design ideas for doing it safely. Most of the time was spent understanding the practical implications of lifting the moratorium and moving all the files from / to /usr in a coordinated effort. With help from Emilio Pozuelo Monfort, Enrico Zini, and Raphael Hertzog, Helmut Grohne performed extensive analysis of the various aspects, including quantitative analysis of the original file move problem, analysis of effects on dpkg-divert, dpkg-statoverride, and update-alternatives, analysis of effects on filesystem bootstrapping tools. Most of the problematic cases spawned plausible workarounds, such as turning Breaks into Conflicts in selected cases or adding protective diversions for the symbolic links that enable aliasing. Towards the end of May, Andreas Beckmann reported a new failure scenario which may cause shared resources to inadvertently disappear, such as directories and even regular files in case of Multi-Arch packages, and our work on analyzing these problems and proposing mitigations is on-going. While the quantitative analysis is funded by Freexian, we wouldn t be here without the extensive feedback and ideas of many voluntary contributors from multiple areas of Debian, which are too many to name here. Thank you.

Preparing for the tox 4 transition, by Stefano Rivera While Debian was in freeze for the bookworm release, tox 4 has landed in Debian experimental, and some packages are starting to require it, upstream. It has some backwards-incompatible behavior that breaks many packages using tox through pybuild. So Stefano had to make some changes to pybuild and to many packages that run build-time tests with tox. The easy bits of this transition are now completed in git / experimental, but a few packages that integrate deeply into tox need upstream work.

Debian Printing, by Thorsten Alteholz Just before the release of Bookworm, lots of QA tools were used to inspect packages. One of these tools found a systemd service file in a wrong directory. So, Thorsten did another upload of package lprint to correct this. Thanks a lot to all the hardworking people who run such tools and file bugs. Thorsten also participated in discussions about the new Common Printing Dialog Backends (CPDB) that will be introduced in Trixie and hopefully can replace the current printing architecture in Forky.

Miscellaneous contributions

• DebConf 23 preparations by Stefano Rivera. Some work on the website, video team planning, accounting, and team documentation.
• Utkarsh Gupta started to prep the work on the bursary team s side for DC23.
• Stefano spun up a website for the Hamburg mini-DebConf so that the video team could have a machine-readable schedule and a place to stream video from the event.
• Santiago Ruano Rinc n reviewed and sponsored four python packages of a prospective Debian member.
• Helmut Grohne supported Timo Roehling and Jochen Sprickerhof to improve cross building in 15 ROS packages.
• Helmut Grohne supported Jochen Sprickerhof with diagnosing an e2fsprogs RC bug.
• Helmut Grohne continued to maintain rebootstrap and located an issue with lto in gcc-13.
• Anton Gladky fixed some RC-Bugs and uploaded a new stravalib python library.

Like each month, have a look at the work funded by Freexian s Debian LTS offering.

Debian LTS contributors In April, 18 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 6.0h (out of 0h assigned and 14.0h from previous period), thus carrying over 8.0h to the next month.
• Adrian Bunk did 18.0h (out of 16.5h assigned and 24.0h from previous period), thus carrying over 22.5h to the next month.
• Anton Gladky did 8.0h (out of 9.5h assigned and 5.5h from previous period), thus carrying over 7.0h to the next month.
• Bastien Roucari s did 17.0h (out of 17.0h assigned and 3.0h from previous period), thus carrying over 3.0h to the next month.
• Ben Hutchings did 16.0h (out of 12.0h assigned and 12.0h from previous period), thus carrying over 8.0h to the next month.
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Dominik George did 0.0h (out of 0h assigned and 20.34h from previous period), thus carrying over 20.34h to the next month.
• Emilio Pozuelo Monfort did 4.5h (out of 11.0h assigned and 9.5h from previous period), thus carrying over 16.0h to the next month.
• Guilhem Moulin did 8.5h (out of 8.0h assigned and 12.0h from previous period), thus carrying over 11.5h to the next month.
• Helmut Grohne did 5.0h (out of 2.5h assigned and 7.5h from previous period), thus carrying over 5.0h to the next month.
• Lee Garrett did 0.0h (out of 31.5h assigned and 9.0h from previous period), thus carrying over 40.5h to the next month.
• Markus Koschany did 40.0h (out of 40.0h assigned).
• Ola Lundqvist did 12.5h (out of 0h assigned and 24.0h from previous period), thus carrying over 11.5h to the next month.
• Roberto C. S nchez did 8.5h (out of 4.75h assigned and 15.25h from previous period), thus carrying over 11.5h to the next month.
• Stefano Rivera did 1.0h (out of 0h assigned and 28.0h from previous period), thus carrying over 27.0h to the next month.
• Sylvain Beucler did 35.0h (out of 40.5h assigned), thus carrying over 5.5h to the next month.
• Thorsten Alteholz did 14.0h (out of 14.0h assigned).
• Tobias Frost did 15.0h (out of 15.0h assigned and 1.0h from previous period), thus carrying over 1.0h to the next month.
• Utkarsh Gupta did 3.5h (out of 11.0h assigned and 18.5h from previous period), thus carrying over 26.0h to the next month.

Evolution of the situation In April, we have released 35 DLAs. The LTS team would like to welcome our newest sponsor, Institut Camille Jordan, a French research lab. Thanks to the support of the many LTS sponsors, the entire Debian community benefits from direct security updates, as well as indirect improvements and collaboration with other members of the Debian community. As part of improving the efficiency of our work and the quality of the security updates we produce, the LTS has continued improving our workflow. Improvements include more consistent tagging of release versions in Git and broader use of continuous integration (CI) to ensure packages are tested thoroughly and consistently. Sponsors and users can rest assured that we work continuously to maintain and improve the already high quality of the work that we do.

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 92 months)
  • Civil Infrastructure Platform (CIP) (for 60 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 103 months)
  • Linode (for 97 months)
  • Babiel GmbH (for 86 months)
  • Plat Home (for 86 months)
  • University of Oxford (for 42 months)
  • Deveryware (for 29 months)
  • VyOS Inc (for 24 months)
  • EDF SA (for 13 months)
• Silver sponsors:
  • Domeneshop AS (for 107 months)
  • Nantes M tropole (for 101 months)
  • Univention GmbH (for 93 months)
  • Universit Jean Monnet de St Etienne (for 93 months)
  • Ribbon Communications, Inc. (for 87 months)
  • Exonet B.V. (for 77 months)
  • Leibniz Rechenzentrum (for 71 months)
  • CINECA (for 60 months)
  • Minist re de l Europe et des Affaires trang res (for 54 months)
  • Cloudways Ltd (for 43 months)
  • Dinahosting SL (for 41 months)
  • Bauer Xcel Media Deutschland KG (for 36 months)
  • Platform.sh (for 36 months)
  • Moxa Inc. (for 30 months)
  • sipgate GmbH (for 27 months)
  • OVH US LLC (for 25 months)
  • Tilburg University (for 25 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 16 months)
  • Soliton Systems K.K. (for 14 months)
• Bronze sponsors:
  • Evolix (for 108 months)
  • Seznam.cz, a.s. (for 108 months)
  • Linuxhotel GmbH (for 105 months)
  • Intevation GmbH (for 104 months)
  • Daevel SARL (for 103 months)
  • Bitfolk LTD (for 102 months)
  • Megaspace Internet Services GmbH (for 102 months)
  • Greenbone AG (for 101 months)
  • NUMLOG (for 101 months)
  • WinGo AG (for 100 months)
  • Ecole Centrale de Nantes - LHEEA (for 97 months)
  • Entr ouvert (for 92 months)
  • Adfinis AG (for 89 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 84 months)
  • Tesorion (for 84 months)
  • GNI MEDIA (for 83 months)
  • Bearstech (for 75 months)
  • LiHAS (for 75 months)
  • Catalyst IT Ltd (for 70 months)
  • Supagro (for 65 months)
  • Demarcq SAS (for 64 months)
  • Universit Grenoble Alpes (for 50 months)
  • TouchWeb SAS (for 42 months)
  • SPiN AG (for 38 months)
  • CoreFiling (for 34 months)
  • Institut des sciences cognitives Marc Jeannerod (for 29 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 26 months)
  • Tem Innovations GmbH (for 20 months)
  • WordFinder.pro (for 20 months)
  • CNRS DT INSU R sif (for 19 months)
  • Alter Way (for 11 months)
  • Institut Camille Jordan

Contributing to Debian is part of Freexian s mission. This article covers the latest achievements of Freexian and their collaborators. All of this is made possible by organizations subscribing to our Long Term Support contracts and consulting services.

DEP-17 progress, by Helmut and Emilio We posted a proposal for modifying dpkg to better cope with directory aliasing. After an initial period of silence, the discussion took off, but was mostly diverted to a competing proposal by Luca Boccassi: Do not change dpkg at all, but still move all files affected by aliasing to their canonical location and thus removing the bad effects of aliasing. We facilitated this discussion and performed extensive analysis of this and competing proposals highlighting resulting problems and proposing solutions or workarounds. We performed a detailed analysis of how aliasing affects usage of dpkg-divert, dpkg-statoverride and update-alternatives. Details are available on the debian-dpkg mailinglist thread.

Debian Reimbursements Web App Progress, by Stefano Rivera In a project funded by Freexian s Project Funding initiative, Stefano made some more progress on the Debian Reimbursements Web App. The full workflow can now be exercised, completing the first milestone of the project, the Working Prototype.

DebConf Bursary Team, by Utkarsh Gupta Utkarsh started to prep the bursary team work, gearing up for DebConf, happening in India in September 2023. To learn more about the bursaries team, head to https://wiki.debian.org/Teams/DebConf/Bursaries. For learning how to apply for bursaries, visit https://debconf23.debconf.org/about/bursaries.

Miscellaneous contributions

• Stefano attended several DebConf planning meetings, and did some work on the DebConf 23 website.
• Stefano updated distro-info-data to include the release date of Debian bullseye, and added the next Ubuntu release, Mantic Minotour. This required a round of updates to all the stable releases, LTS, and ELTS.
• Helmut sent patches for 13 cross build failures and filed 104 RC bugs for missing Breaks and Replaces.

Contributing to Debian is part of Freexian s mission. This article covers the latest achievements of Freexian and their collaborators. All of this is made possible by organizations subscribing to our Long Term Support contracts and consulting services.

Results of the Debian Developer Survey, by Roberto C. S nchez In 2022, Freexian polled Debian Developers about the usage of money in Debian. More than 200 Debian Developers graciously participated, providing useful and constructive answers. Roberto and Utkarsh have worked on reviewing this feedback and summarizing it in a report recently published and announced to the project.

DebConf 23 Website, by Stefano Rivera In preparation for DebConf 23, Stefano did some work on the DebConf website s registration system. To support an expected large number of local registration requests, and a limited venue size, Stefano added a review system for registration requests. There was also some infrastructure work for the website framework. We use the same framework for miniconfs and DebConf, but without the full registration system. Since last DebConf, we have migrated from a pure-JS toolchain for the static assets, to django-compressor, to be friendlier to contributors and have a simpler dependency setup. This required some updates in the full-DebConf registration system that hadn t been noticed yet in miniDebConfs. Finally, with Utkarsh, we started to wind up the DebConf 22 travel bursary reimbursement process.

Debian Reimbursements Web App Progress, by Stefano Rivera In a project funded by Freexian s Project Funding initiative, Stefano made some more progress on the Debian Reimbursements Web App. The first rough implementation core request lifecycle is almost complete. Receipts can be collected and itemized, and the request can be submitted for a reimbursement request.

Debian Printing, by Thorsten Alteholz Due to the upcoming release, only bug fixing uploads are allowed in this part of the release cycle and Thorsten did uploads of three Debian Printing packages. The upload of hplip was rather straightforward and five bugs could be closed. cups-filters suddenly started to FTBFS and thus got an RC bug. It failed due to a compile error in a header file of some dependency. Luckily the maintainer of that dependency knew that his package now needed c++17, so the fix was to just remove an old compile flag that forced the compiler to use c++0x. This flag was once progressive but nowadays it is more of a hindrance than a help. The third package upload was for cups, which got some translation updates. Unfortunately this was the most tricky one as some translations did not appear in the binary packages. After debugging for some time, it turned out that the handling of links did not work properly. Now the version in Bookworm will be the cups version with the most translated man pages ever.

Miscellaneous contributions

• Stefano Rivera updated a few Python modules in the Debian Python Team, to the latest upstream versions.
• Stefano Rivera reviewed the current patch series applied to Python 3.12, as an Arch package maintainer had noticed that we dropped a patch by mistake, and reinstated it.
• Anton Gladky prepared an upload of newer version (9.2.6) of vtk library and uploaded it into the experimental due to a freeze. VTK is the visualization kit - a library used mostly for scientific and engineering applications to visualize complex objects. Transition of dependent packages is planned on after-release phase.
• Helmut Grohne, in the continual effort to improve Debian s cross-build support, provided 22 cross-build patches to packages in the archive.

Like each month, have a look at the work funded by Freexian s Debian LTS offering.

Debian LTS contributors In February, 15 contributors have been paid to work on Debian LTS, their reports are available:

• Adrian Bunk did 22.0h (out of 32.25h assigned), thus carrying over 10.25h to the next month.
• Anton Gladky did 9.75h (out of 11.5h assigned and 3.5h from previous period), thus carrying over 5.25h to the next month.
• Ben Hutchings did 8.0h (out of 8.0h assigned and 16.0h from previous period), thus carrying over 16.0h to the next month.
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Emilio Pozuelo Monfort did 26.25h (out of 0h assigned and 35.0h from previous period), thus carrying over 8.75h to the next month.
• Guilhem Moulin did 20.0h (out of 20.0h assigned).
• Helmut Grohne did 5.0h (out of 5.0h assigned and 5.0h from previous period), thus carrying over 5.0h to the next month.
• Lee Garrett did 26.75h (out of 19.75h assigned and 12.5h from previous period), thus carrying over 5.5h to the next month.
• Markus Koschany did 32.25h (out of 32.25h assigned).
• Ola Lundqvist did 11.5h (out of 12.5h assigned and 11.5h from previous period), thus carrying over 12.5h to the next month.
• Roberto C. S nchez did 5.0h (out of 9.5h assigned and 22.5h from previous period), thus carrying over 27.0h to the next month.
• Sylvain Beucler did 32.0h (out of 17.25h assigned and 15.0h from previous period), thus carrying over 0.25h to the next month.
• Thorsten Alteholz did 8.0h (out of 14.0h assigned), thus carrying over 6.0h to the next month.
• Tobias Frost did 16.0h (out of 16.0h assigned).
• Utkarsh Gupta did 24.25h (out of 49.25h assigned), thus carrying over 8.0h to the next month.

Evolution of the situation In February, we have released 44 DLAs, which resolved 156 CVEs. We are glad to welcome some new contributors who will hopefully help us fix CVEs in the supported release even faster. However, we also experienced some setbacks as a few sponsors have stopped (or decreased) their support. If your company ever hesitated to sponsor Debian LTS, now might be a good time to join to ensure that we can continue this important work without having to scale down on the number of packages that we are able to support.

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 90 months)
  • Civil Infrastructure Platform (CIP) (for 58 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 101 months)
  • Linode (for 95 months)
  • Babiel GmbH (for 84 months)
  • Plat Home (for 84 months)
  • University of Oxford (for 40 months)
  • Deveryware (for 27 months)
  • VyOS Inc (for 22 months)
  • EDF SA (for 11 months)
• Silver sponsors:
  • Domeneshop AS (for 105 months)
  • Nantes M tropole (for 100 months)
  • Univention GmbH (for 91 months)
  • Universit Jean Monnet de St Etienne (for 91 months)
  • Ribbon Communications, Inc. (for 85 months)
  • Exonet B.V. (for 75 months)
  • Leibniz Rechenzentrum (for 69 months)
  • CINECA (for 58 months)
  • Minist re de l Europe et des Affaires trang res (for 52 months)
  • Cloudways Ltd (for 42 months)
  • Dinahosting SL (for 40 months)
  • Bauer Xcel Media Deutschland KG (for 34 months)
  • Platform.sh (for 34 months)
  • Moxa Inc. (for 28 months)
  • sipgate GmbH (for 25 months)
  • OVH US LLC (for 23 months)
  • Tilburg University (for 23 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 15 months)
  • Soliton Systems K.K. (for 12 months)
• Bronze sponsors:
  • Evolix (for 106 months)
  • Seznam.cz, a.s. (for 106 months)
  • Intevation GmbH (for 103 months)
  • Linuxhotel GmbH (for 103 months)
  • Daevel SARL (for 101 months)
  • Bitfolk LTD (for 100 months)
  • Megaspace Internet Services GmbH (for 100 months)
  • NUMLOG (for 100 months)
  • Greenbone AG (for 99 months)
  • WinGo AG (for 99 months)
  • Ecole Centrale de Nantes - LHEEA (for 95 months)
  • Entr ouvert (for 90 months)
  • Adfinis AG (for 87 months)
  • GNI MEDIA (for 82 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 82 months)
  • Tesorion (for 82 months)
  • Bearstech (for 73 months)
  • LiHAS (for 73 months)
  • Catalyst IT Ltd (for 68 months)
  • Supagro (for 63 months)
  • Demarcq SAS (for 62 months)
  • Universit Grenoble Alpes (for 48 months)
  • TouchWeb SAS (for 40 months)
  • SPiN AG (for 37 months)
  • CoreFiling (for 32 months)
  • Institut des sciences cognitives Marc Jeannerod (for 27 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 24 months)
  • Tem Innovations GmbH (for 19 months)
  • WordFinder.pro (for 18 months)
  • CNRS DT INSU R sif (for 17 months)
  • Alter Way (for 10 months)

Contributing to Debian is part of Freexian s mission. This article covers the latest achievements of Freexian and their collaborators. All of this is made possible by organizations subscribing to our Long Term Support contracts and consulting services.

Core Python Packages, by Stefano Rivera Just before the freeze, pip added support for PEP-668. This is a scheme devised by Debian with other distributions and the Python Packaging Authority, to allow distributors to mark Python installations as being managed by a distribution package manager. When this EXTERNALLY-MANAGED flag is present, installers like pip will refuse to install packages outside a virtual environment. This protects users from breaking unrelated software on their systems, when installing packages with pip or similar tools. Stefano quickly got this version of pip into the archive, marked Debian s Python interpreters as EXTERNALLY-MANAGED, and worked with the upstream to add a mechanism to allow users to override the restriction. Debian bookworm will likely be the first distro release to implement this change. The transition from Python 3.10 to 3.11 was one of the last to complete before the bookworm freeze (as 3.11 only released at the end of October 2022). Stefano helped port some Python packages to 3.11, in January, and also kicked off the final transition to remove Python 3.10 support. Stefano did a big round of bug triage in the cPython interpreter (and related) packages, applying some provided patches, and fixing some long-standing minor bugs in the packaging. To allow Debian packages to more accurately reflect upstream-specified dependencies that only apply under specific Python interpreter versions, in the future, Stefano added more metadata to the python3 binary package. Python s unittest runner would successfully exit with 0 passed tests, if it couldn t find any tests. This means that configuration / layout changes can cause test failures to go unnoticed, because the tests aren t being run any more in Debian packages. Stefano proposed a change to Python 3.12 to change this behavior and treat 0 tests as a kind of failure.

debvm, by Helmut Grohne With support from Johannes Schauer Marin Rodrigues, and Jochen Sprickerhof, Helmut Grohne wrote debvm, a tool for quickly creating and running Debian virtual machine images for various architectures and Debian and Ubuntu releases. This is meant for development and testing purposes and has already identified a number of bugs in e.g. fakechroot (#1029490), Linux (#1029270), and runit (#1028181).

Rails 6 and Redmine 5 available in bullseye-backports, by Utkarsh Gupta Bullseye users can now upgrade to the latest 6.1 branch of Rails, v6.1.7, and the latest Redmine version, v5.0.4. The Ruby team received numerous requests to backport the latest version of Rails and Redmine, especially since there was no redmine shipped in the bullseye release itself. So this is big news for all users as we ve not only successfully backported both the packages, but also fixed all the CVEs and RC bugs in the process! This work was sponsored by Entrouvert.

Patches metadata in the Package Tracker, by Rapha l Hertzog Building on the great Ultimate Debian Database work of Lucas Nussbaum and on his suggestion, Rapha l enhanced the Debian Package Tracker to display action items when the patches metadata indicate that some patches were not forwarded upstream, or when the metadata were invalid. One can now also browse the patches metadata from the Links panel on the right.

Fixed kernel bug that broke debian-installer on computers with Mediatek wifi devices, by Helmut Grohne As part of our regular work on Kali Linux for OffSec, they funded Helmut s work to fix the MT7921e driver. When being loaded without firmware available, it would not register itself, but upon module release it would unregister itself causing a kernel oops. This was commonly observed in Kali Linux when reloading the module to add firmware. Helmut Grohne identified the cause and sent a patch, a different variant of which is now heading into Linux and available from Kali Linux.

Printing in Debian, by Thorsten Alteholz There are about 40 packages in Debian that take care of sending output to printers, scan documents, or even send documents to fax machines. In the light of the upcoming/already ongoing freeze, these packages had to be updated to the latest version and bugs had to be fixed. Basically this applies to large packages like cups, cups-filters, hplip but also the smaller ones that shouldn t be neglected. All in all Thorsten uploaded 13 packages with new upstream versions or improved packaging and could resolve 14 bugs. Further triaging led to 35 bugs that could be closed, either because they were already fixed and not closed in an earlier upload or they could not be reproduced with current software versions. There is also work to do to prepare for the future. Historically, printing on Linux required finding a PPD file for your printer and finding some software that is able to render your documents with this PPD. These days, driverless printing is becoming more common and the use of PPD files has decreased. In the upcoming version 3.0 of cups, PPD files are no longer supported and so called printer applications need to be used. In order not to lose the ability to print documents, this big transition needs to be carefully planned. This started in the beginning of 2023 and will hopefully be finished with the release of Debian Trixie. More information can be found in this Debian Printing Wiki article. In preparation for this transition Thorsten created three new packages.

Yade update, by Anton Gladky Last month, Anton updated the yade package to the newest 2023.02a version, which includes new features. Yade is a software package for discrete element method (DEM) simulations, which are widely used in scientific and engineering fields for the simulation of granular systems. Yade is an open-source project that is being used worldwide for different tasks, such as geomechanics, civil engineering, mining, and materials science. The Yade package in Debian supports different precision levels for its simulations. This means that researchers and engineers can select the needed precision level without recompiling the package, saving time and effort.

Miscellaneous contributions

• Helmut Grohne continues to improve cross building (mostly Qt) and architecture bootstrap (mostly loong64 and musl).

Here s my (forty-first) monthly but brief update about the activities I ve done in the F/L/OSS world.

Debian

This was my 50th month of actively contributing to Debian. I became a DM in late March 2019 and a DD on Christmas 19! \o/ There s a bunch of things I do, both, technical and non-technical. Here are the things I did this month:

Uploads

• ruby-delayed-job (4.1.9-1~bpo11+1) - Backport to bullseye.
• ruby-delayed-job-active-record (4.1.6-3~bpo11+1) - Backport to bullseye.
• ruby-globalid (0.6.0-1~bpo11+1) - Backport to bullseye.
• ruby-tzinfo (2.0.4-1~bpo11+2) - Backport to bullseye.
• rails (2:6.1.7+dfsg-3~bpo11+1) - Backport to bullseye.
• ruby-commonmarker (0.23.6-1~bpo11+1) - Backport to bullseye.
• ruby-csv (3.2.2-1~bpo11+1) - Backport to bullseye.
• ruby-task-list (2.3.2-2~bpo11+1) - Backport to bullseye.
• ruby-i18n (1.10.0-2~bpo11+1) - Backport to bullseye.
• ruby-mini-magick (4.11.0-1~bpo11+1) - Backport to bullseye.
• ruby-net-ldap (0.17.0-1~bpo11+1) - Backport to bullseye.
• ruby-roadie-rails (3.0.0-1~bpo11+1) - Backport to bullseye.
• ruby-roadie (5.1.0-1~bpo11+1) - Backport to bullseye.
• ruby-sanitize (6.0.0-1~bpo11+1) - Backport to bullseye.
• ruby-nokogiri (1.13.1+dfsg-2~bpo11+1) - Backport to bullseye.
• ruby-mini-portile2 (2.8.0-1~bpo11+2) - Backport to bullseye.
• ruby-webrick (1.7.0-3~bpo11+2) - Backport to bullseye.
• ruby-zip (2.3.0-2~bpo11+1) - Backport to bullseye.
• gem2deb (2.1~bpo11+1) - Backport to bullseye.
• ruby-actionpack-action-caching (1.2.2-1~bpo11+1) - Backport to bullseye.
• ruby-nokogiri (1.13.5+dfsg-2~bpo11+1) - Backport to bullseye.
• redmine (5.0.4-2~bpo11+1) - Backport to bullseye.
• rails (2:6.1.7+dfsg-3~bpo11+2) - Backport to bullseye.
• ruby-roadie-rails (3.0.0-1~bpo11+2) - Backport to bullseye.
• redmine (5.0.4-4~bpo11+1) - Backport to bullseye.
• redmine (5.0.4-5~bpo11+1) - Backport to bullseye.
• ruby-web-console (4.2.0-1~bpo11+1) - Backport to bullseye.
• libyang2 (2.1.30-2) - Adding DEP8 test for yangre.
• redmine (5.0.4-3) - Add patch to stop unnecessary recursive chown ing (Fixes: #1022816, #1022817).
• redmine (5.0.4-4) - Set DH_RUBY_IGNORE_TESTS to all (Fixes: #1031308).
• python-jira (3.4.1-1) - New upstream version, v3.4.1.

Others

• Looked up some Release team documentation.
• Sponsored php-font-lib and php-dompdf-svg-lib for William.
• Granted DM rights for php-dompdf.
• Mentoring for newcomers.
• Reviewed micro bits for Nilesh, new uploads and changes.
• Ruby sprints.
• Bug work (on BTS and #debian-ruby) for rails and redmine.
• Moderation of -project mailing list.

A huge thanks to Freexian for sponsoring my Debian work and Entrouvert for sponsoring the Redmine backports. :D

---

Ubuntu

This was my 25th month of actively contributing to Ubuntu. Now that I joined Canonical to work on Ubuntu full-time, there s a bunch of things I do! \o/ I mostly worked on different things, I guess. I was too lazy to maintain a list of things I worked on so there s no concrete list atm. Maybe I ll get back to this section later or will start to list stuff from the fall, as I was doing before. :D

---

Debian (E)LTS

Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success. And Debian Extended LTS (ELTS) is its sister project, extending support to the stretch and jessie release (+2 years after LTS support). This was my forty-first month as a Debian LTS and thirty-second month as a Debian ELTS paid contributor.
I worked for 24.25 hours for LTS and 28.50 hours for ELTS.

LTS CVE Fixes and Announcements:

• Fixed CVE-2022-47016 for tmux and uploaded to buster via 2.8-3+deb10u1.
  But decided to not roll the DLA for the package as the CVE got rejected upstream.
• Issued DLA 3359-1, fixing CVE-2019-13038 and CVE-2021-3639, for libapache2-mod-auth-mellon.
  For Debian 10 buster, these problems have been fixed in version 0.14.2-1+deb10u1.
• Issued DLA 3360-1, fixing CVE-2021-30151 and CVE-2022-23837, for ruby-sidekiq.
  For Debian 10 buster, these problems have been fixed in version 5.2.3+dfsg-1+deb10u1.
• Worked on ruby-rails-html-sanitize and added notes to the security-tracker.
  TL;DR: we need newer methods in ruby-loofah to make the patches for ruby-rails-html-sanitize backportable.
• Started to look at other set of packages meanwhile.

ELTS CVE Fixes and Announcements:

• Issued ELA 813-1, fixing CVE-2017-12618 and CVE-2022-25147, for apr-util.
  For Debian 8 jessie, these problems have been fixed in version 1.5.4-1+deb8u1.
  For Debian 9 stretch, these problems have been fixed in version 1.5.4-3+deb9u1.
• Issued ELA 814-1, fixing CVE-2022-39286, for jupyter-core.
  For Debian 9 stretch, these problems have been fixed in version 4.2.1-1+deb9u1.
• Issued ELA 815-1, fixing CVE-2022-44792 and CVE-2022-44793, for net-snmp.
  For Debian 8 jessie, these problems have been fixed in version 5.7.2.1+dfsg-1+deb8u6.
  For Debian 9 stretch, these problems have been fixed in version 5.7.3+dfsg-1.7+deb9u5.
• Helped facilitate RabbitMQ s update queries by one of our customers.
• Started to look at other set of packages meanwhile.

Other (E)LTS Work:

• Triaged ruby-loofah, ruby-sinatra, tmux, ruby-sidekiq, libapache2-mod-auth-mellon, jupyter-core, net-snmp, and apr-util, rabbitmq-server.
• Helped and assisted new contributors joining Freexian (LTS/ELTS/internally).
• Answered questions (& discussions) on IRC (#debian-lts and #debian-elts) and Matrix.
• Participated and helped fellow members with their queries via private mail and chat.
• General and other discussions on LTS private and public mailing list.
• Attended the monthly LTS meeting.

---

Until next time.
:wq for today.

Like each month, have a look at the work funded by Freexian s Debian LTS offering. This is the first monthly report in 2023.

Debian LTS contributors In January, 17 contributors have been paid to work on Debian LTS. which is possibly the highest number of active contributors per month! Their reports are available:

• Abhijith PA did 0.0h (out of 3.0h assigned and 11.0h from previous period), thus carrying over 14.0h to the next month.
• Adrian Bunk did 26.25h (out of 26.25h assigned).
• Anton Gladky did 11.5h (out of 8.0h assigned and 7.0h from previous period), thus carrying over 3.5h to the next month.
• Ben Hutchings did 8.0h (out of 24.0h assigned), thus carrying over 16.0h to the next month.
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Emilio Pozuelo Monfort did 8.0h (out of 0h assigned and 43.0h from previous period), thus carrying over 35.0h to the next month.
• Guilhem Moulin did 20.0h (out of 17.5h assigned and 2.5h from previous period).
• Helmut Grohne did 10.0h (out of 15.0h assigned), thus carrying over 5.0h to the next month.
• Lee Garrett did 7.5h (out of 20.0h assigned), thus carrying over 12.5h to the next month.
• Markus Koschany did 26.25h (out of 26.25h assigned).
• Ola Lundqvist did 4.5h (out of 10.0h assigned and 6.0h from previous period), thus carrying over 11.5h to the next month.
• Roberto C. S nchez did 3.75h (out of 18.75h assigned and 7.5h from previous period), thus carrying over 22.5h to the next month.
• Stefano Rivera did 4.5h (out of 0h assigned and 32.5h from previous period), thus carrying over 28.0h to the next month.
• Sylvain Beucler did 23.5h (out of 0h assigned and 38.5h from previous period), thus carrying over 15.0h to the next month.
• Thorsten Alteholz did 14.0h (out of 10.0h assigned and 4.0h from previous period).
• Tobias Frost did 19.0h (out of 19.0h assigned).
• Utkarsh Gupta did 43.25h (out of 26.25h assigned and 17.0h from previous period).

Evolution of the situation Furthermore, we released 46 DLAs in January, which resolved 146 CVEs. We are working diligently to reduce the number of packages listed in dla-needed.txt, and currently, we have 55 packages listed. We are constantly growing and seeking new contributors. If you are a Debian Developer and want to join the LTS team, please contact us.

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 89 months)
  • GitHub (for 80 months)
  • Civil Infrastructure Platform (CIP) (for 57 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 100 months)
  • Linode (for 94 months)
  • Babiel GmbH (for 83 months)
  • Plat Home (for 83 months)
  • University of Oxford (for 39 months)
  • Deveryware (for 26 months)
  • VyOS Inc (for 21 months)
  • EDF SA (for 10 months)
• Silver sponsors:
  • Domeneshop AS (for 105 months)
  • Nantes M tropole (for 99 months)
  • Univention GmbH (for 90 months)
  • Universit Jean Monnet de St Etienne (for 90 months)
  • Ribbon Communications, Inc. (for 84 months)
  • Exonet B.V. (for 74 months)
  • Leibniz Rechenzentrum (for 68 months)
  • CINECA (for 57 months)
  • Minist re de l Europe et des Affaires trang res (for 52 months)
  • Cloudways Ltd (for 41 months)
  • Dinahosting SL (for 39 months)
  • Bauer Xcel Media Deutschland KG (for 33 months)
  • Platform.sh (for 33 months)
  • MOXA INC. (for 27 months)
  • sipgate GmbH (for 24 months)
  • Tilburg University (for 23 months)
  • OVH US LLC (for 22 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 14 months)
  • Soliton Systems K.K. (for 11 months)
• Bronze sponsors:
  • Evolix (for 105 months)
  • Seznam.cz, a.s. (for 105 months)
  • Intevation GmbH (for 102 months)
  • Linuxhotel GmbH (for 102 months)
  • Daevel SARL (for 101 months)
  • Bitfolk LTD (for 99 months)
  • Megaspace Internet Services GmbH (for 99 months)
  • NUMLOG (for 99 months)
  • Greenbone Networks GmbH (for 98 months)
  • WinGo AG (for 98 months)
  • Ecole Centrale de Nantes - LHEEA (for 94 months)
  • Entr ouvert (for 89 months)
  • Adfinis AG (for 87 months)
  • GNI MEDIA (for 81 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 81 months)
  • Tesorion (for 81 months)
  • Bearstech (for 73 months)
  • LiHAS (for 72 months)
  • Catalyst IT Ltd (for 67 months)
  • Supagro (for 62 months)
  • Demarcq SAS (for 61 months)
  • Universit Grenoble Alpes (for 47 months)
  • TouchWeb SAS (for 39 months)
  • SPiN AG (for 36 months)
  • CoreFiling (for 31 months)
  • Institut des sciences cognitives Marc Jeannerod (for 26 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 23 months)
  • Tem Innovations GmbH (for 18 months)
  • WordFinder.pro (for 17 months)
  • CNRS DT INSU R sif (for 16 months)
  • Alter Way (for 9 months)