Here's my (thirty-sixth) monthly but brief update about the activities I've done in the F/L/OSS world.
Debian
This was my 45th month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
There's a bunch of things I do, both technical and non-technical. Here are the things I did this month:
Debian Uploads
rails (2:6.1.6.1+dfsg-2) - Add patch to allow Symbols in YAML columns, fixes #1018934.
rails (2:6.1.6.1+dfsg-3) - Add patch to remove active_record.yaml initializers.
rails (2:6.1.6.1+dfsg-4) - Add patch to allow Date, Time, ActiveSupport::HashWithIndifferentAccess in YAML columns.
ruby-arbre (1.4.0-2) - Add patch to use selector to detect authenticity token input.
Ubuntu
This was my 20th month of actively contributing to Ubuntu.
Now that I joined Canonical to work on Ubuntu full-time, there's a bunch of things I do! \o/
I mostly worked on different things, I guess.
I was too lazy to maintain a list of things I worked on so there's
no concrete list atm. Maybe I'll get back to this section later or
will start to list stuff from the fall, as I was doing before. :D
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my thirty-sixth month as a Debian LTS and twenty-seventh month as a Debian ELTS paid contributor.
I worked for 38.00 hours for LTS and 27.00 hours for ELTS.
Looked at src:mbedtls which has about 18 CVEs opened in buster (including no-dsa).
Also, spoke to the maintainer - they said they'd be uncomfortable doing or reviewing the backport (although they initially said they'd be happy to help).
Fixed src:rails regression via 2:6.1.6.1+dfsg-2, 2:6.1.6.1+dfsg-3, and 2:6.1.6.1+dfsg-4 for sid.
CVE-2022-32224 broke the entire world. :)
Helped Abhijith figure out the regression fix for CVE-2022-32224.
Also got that verified by the people who reported regression, Raphael, Sven, and Jude. The whole thread is on debian-lts@.
ELTS CVE Fixes and Announcements:
Rolled out announcement for src:ruby-tzinfo.
Rolled out announcement for src:grubt.
Issued ELA 682-1, fixing CVE-2022-31676, for open-vm-tools.
For Debian 9 stretch, these problems have been fixed in version 2:10.1.5-5055683-4+deb9u3.
Issued ELA 691-1, fixing CVE-2020-21365, for wkhtmltopdf.
For Debian 8 jessie, these problems have been fixed in version 0.12.1-2+deb8u1.
For Debian 9 stretch, these problems have been fixed in version 0.12.3.2-3+deb9u1.
Issued ELA 692-1, fixing CVE-2022-37452, for exim4.
For Debian 8 jessie, these problems have been fixed in version 4.84.2-2+deb8u9.
For Debian 9 stretch, these problems have been fixed in version 4.89-2+deb9u9.
Started to look at src:tiff again. Has a lot of open issues. Haven't claimed the package officially yet, though. :)
Like each month, have a look at the work funded by Freexian's Debian LTS offering.
Debian project funding
No major updates on running projects. Two [1, 2] projects are in the pipeline now. Tryton project is in a review phase. Gradle projects is still fighting in work.
In July, we put aside 2389 EUR to fund Debian projects.
We're looking forward to receive more projects from various Debian teams! Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In July, 14 contributors have been paid to work on Debian LTS, their reports are available:
Abhijith PA did 0.00h (out of 14.00h assigned, thus carrying over 14.00h to the next month).
Andreas Rönnquist did 0.00h (out of 0.00h assigned and 10.50h from previous period, thus carrying over 10.50h to the next month).
Anton Gladky did 23.00h (out of 25.00h assigned, thus carrying over 2.00h to the next month).
Ben Hutchings did 3.00h (out of 24.00h assigned, thus carrying over 21.00h to the next month).
Dominik George did 0.00h (out of 0.00h assigned and 22.17h from previous period, thus carrying over 22.17h to the next month).
Utkarsh Gupta did not report back about their work so we assume they did nothing (out of 35.75 available hours, thus carrying them over to the next month).
Evolution of the situation
In July, we released 3 DLAs. July was the period when Debian Stretch already had ELTS status, but Debian Buster was still in the hands of the security team. Many members of LTS used this time to update internal infrastructure, documentation and some internal tickets. Now we are ready to take the next release in our hands: Buster!
Thanks to our sponsors
Sponsors that joined recently are in bold.
Like each month, have a look at the work funded by Freexian's Debian LTS offering.
Debian project funding
No major updates on running projects. Two [1, 2] projects are in the pipeline now. Tryton project is in a review phase. Gradle projects is still fighting in work.
In June, we put aside 2254 EUR to fund Debian projects.
We're looking forward to receive more projects from various Debian teams! Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In June, 15 contributors have been paid to work on Debian LTS, their reports are available:
Utkarsh Gupta did not report back about their work so we assume they did nothing (out of 30.25 available hours, thus carrying them over to the next month).
Evolution of the situation
In June we released 27 DLAs.
This is a special month, where we have two releases (stretch and jessie) as ELTS and NO release as LTS. Buster is still handled by the security team and will probably be handed over to LTS at the beginning of August. During this month we are updating the infrastructure and documentation and improving our internal processes to switch to a new release. Many developers have just returned from Debconf22, held in Prizren, Kosovo! Many (E)LTS members could meet face-to-face and discuss some technical and social topics! Also LTS BoF took place, where the project was introduced (link to video).
Thanks to our sponsors
Sponsors that joined recently are in bold. We are pleased to welcome Alter Way where their support of Debian is publicly acknowledged at the higher level, see this French quote of Alterway's CEO.
Like each month, have a look at the work funded by Freexian's Debian LTS offering.
Debian project funding
Two [1, 2] projects are in the pipeline now. Tryton project is in a final phase. Gradle projects is fighting with technical difficulties.
In May, we put aside 2233 EUR to fund Debian projects.
We're looking forward to receive more projects from various Debian teams! Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In May, 14 contributors have been paid to work on Debian LTS, their reports are available:
Utkarsh Gupta did 35h (out of 19h assigned and 30h from April), thus carrying over 14h to June.
Evolution of the situation
In May we released 49 DLAs. The security tracker currently lists 71 packages with a known CVE and the dla-needed.txt file has 65 packages needing an update.
The number of paid contributors increased significantly, we are pleased to welcome our latest team members: Andreas Rönnquist, Dominik George, Enrico Zini and Stefano Rivera.
It is worth pointing out that we are getting close to the end of the LTS period for Debian 9. After June 30th, no new security updates will be made available on security.debian.org. We are preparing to take over Debian 10 Buster for the next two years and to make this process as smooth as possible.
But Freexian and its team of paid Debian contributors will continue to maintain Debian 9 going forward for the customers of the Extended LTS offer. If you have Debian 9 servers to keep secure, it's time to subscribe!
You might not have noticed, but Freexian formalized a mission statement where we explain that our purpose is to help improve Debian. For this, we want to fund work time for the Debian developers that recently joined Freexian as collaborators. The Extended LTS and the PHP LTS offers are built following a model that will help us to achieve this if we manage to have enough customers for those offers. So consider subscribing: you help your organization but you also help Debian!
Thanks to our sponsors
Sponsors that joined recently are in bold.
Like each month, have a look at the work funded by Freexian's Debian LTS offering.
Debian project funding
Two projects are currently in the pipeline: Gradle enterprise and Tryton update. Progress is quite slow on the Gradle one, there are technical difficulties. The tryton one was stalled because the developer had not enough time but seems to progress smoothly in the last weeks.
In April, we put aside 2635 EUR to fund Debian projects.
We're looking forward to receive more projects from various Debian teams! Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In April, 11 contributors have been paid to work on Debian LTS, their reports are available:
Utkarsh Gupta did 23.25h out of 51.5h assigned and 1.75h from March, thus carrying over 30h to May
Evolution of the situation
In April we released 30 DLAs and we were glad to welcome a new customer with Alter Way.
The security tracker currently lists 72 packages with a known CVE and the dla-needed.txt file has 71 packages needing an update.
It is worth pointing out that we are getting close to the end of the LTS period for Debian 9. After June 30th, no new security updates will be made available on security.debian.org.
But Freexian and its team of paid Debian contributors will continue to maintain Debian 9 going forward for the customers of the Extended LTS offer. If you have Debian 9 servers to keep secure, it's time to subscribe!
You might not have noticed, but Freexian formalized a mission statement where we explain that our purpose is to help improve Debian. For this, we want to fund work time for the Debian developers that recently joined Freexian as collaborators. The Extended LTS and the PHP LTS offers are built following a model that will help us to achieve this if we manage to have enough customers for those offers. So consider subscribing: you help your organization but you also help Debian!
Thanks to our sponsors
Sponsors that joined recently are in bold.
This is the report for the Debian Clojure Team remote sprint
that took place on May 13-14th.
Looking at my previous blog entries, this was my first Debian sprint since
July 2020! Crazy how fast time flies...
Many thanks to those who participated, namely:
Rob Browning (rlb)
Elana Hashman (ehashman)
Jérôme Charaoui (lavamind)
Leandro Doctors (allentiak)
Louis-Philippe Véronneau (pollo)
Sadly, Utkarsh Gupta although having planned on participating ended up not
being able to and worked on DebConf Bursary paperwork instead.
rlb
Rob mostly worked on creating a dh-clojure tool to help make packaging
Clojure libraries easier.
At the moment, most of the packaging is done manually, by invoking build
tools by hand. Having a tool to automate many of the steps required to build
Clojure packages would go a long way in making them more uniform.
His work (although still very much a WIP) can be found here:
https://salsa.debian.org/rlb/dh-clojure/
ehashman
Elana:
Finished the Java Team VCS migration to the Clojure Team namespace.
lavamind
It was Jérôme's first time working on Clojure packages, and things went great!
During the sprint, he:
Joined the Clojure Team on salsa.
Identified missing dependencies to update puppetdb to the 7.x release.
Learned how to package Clojure libraries in Debian.
Packaged murphy-clojure, truss-clojure and encore-clojure and uploaded
them to NEW.
Began to package nippy-clojure.
allentiak
Leandro joined us on Saturday, since he couldn't get off work on Friday. He
mostly continued working on replacing our in-house scripts for
/usr/bin/clojure by upstream's, a task he had already started during GSoC
2021.
Sadly, none of us were familiar with Debian's mechanism for alternatives. If you
(yes you, dear reader) are familiar with it, I'm sure he would warmly welcome
feedback on his development branch.
pollo
As for me, I:
Fixed a classpath bug in core-async-clojure that was breaking other
libraries.
Added meaningful autopkgtests to core-async-clojure.
Uploaded new versions of tools-analyzer-clojure and
trapperkeeper-clojure with autopkgtests.
Updated pomegranate-clojure and nrepl-clojure to the latest upstream
version and revamped the way they were packaged.
Assisted lavamind with Clojure packaging.
Overall, it was quite a productive sprint!
Thanks to Debian for sponsoring our food during the sprint. It was nice to be
able to concentrate on fixing things instead of making food :)
Here's a bonus picture of the nice sushi platter I ended up getting for dinner
on Saturday night:
Here's my (thirty-first) monthly but brief update about the activities I've done in the F/L/OSS world.
Debian
This was my 40th month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
There's a bunch of things I did this month but mostly non-technical, now that DC22 is around the corner. Here are the things I did:
Debian Uploads
Helped Andrius w/ FTBFS for php-text-captcha, reported via #977403.
I fixed the same in Ubuntu a couple of months ago and they copied over the patch here.
Other $things:
Volunteering for DC22 Content team.
Leading the Bursary team w/ Paulo.
Answering a bunch of questions of referees and attendees around bursary.
Ubuntu
This was my 15th month of actively contributing to Ubuntu.
Now that I joined Canonical to work on Ubuntu full-time, there's a bunch of things I do! \o/
I mostly worked on different things, I guess.
I was too lazy to maintain a list of things I worked on so there's
no concrete list atm. Maybe I'll get back to this section later or
will start to list stuff from the fall, as I was doing before. :D
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my thirty-first month as a Debian LTS and twentieth month as a Debian ELTS paid contributor.
I worked for 23.25 hours for LTS and 20.00 hours for ELTS.
LTS CVE Fixes and Announcements:
Issued DLA 2976-1, fixing CVE-2022-1271, for gzip.
For Debian 9 stretch, these problems have been fixed in version 1.6-5+deb9u1.
Issued DLA 2977-1, fixing CVE-2022-1271, for xz-utils.
For Debian 9 stretch, these problems have been fixed in version 5.2.2-1.2+deb9u1.
Working on src:tiff and src:mbedtls to fix the issues, still waiting for more issues to be reported, though.
Looking at src:mutt CVEs. Haven't had the time to complete but shall roll out next month.
ELTS CVE Fixes and Announcements:
Issued ELA 593-1, fixing CVE-2022-1271, for gzip.
For Debian 8 jessie, these problems have been fixed in version 1.6-4+deb8u1.
Issued ELA 594-1, fixing CVE-2022-1271, for xz-utils.
For Debian 8 jessie, these problems have been fixed in version 5.1.1alpha+20120614-2+deb8u1.
Working on src:tiff and src:beep to fix the issues, still waiting for more issues to be reported for src:tiff and src:beep is a bit of a PITA, though. :)
There was no new activity in Debian project funding in the two existing projects. However, there was a survey run with hundreds of Debian Developers and Debian contributors. The survey results are being collated and we will use the anonymized data to further develop the Freexian project funding initiative.
We are preparing to more broadly announce additional support for Debian 8 Jessie and Debian 9 Stretch. Now, Debian 8 can be supported until June 2025 and Debian 9 until June 2027. More information on ELTS support is available.
Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In March, 11 contributors were paid to work on Debian LTS, their reports are available below. If you're interested in participating in the LTS or ELTS teams, we welcome participation from the Debian community. Simply get in touch with Jeremiah or Raphaël if you are interested in participating.
Utkarsh Gupta did 57.75h out of 59.5h assigned, carrying over 1.75 hours.
Evolution of the situation
In March we released 42 DLAs.
The security tracker currently lists 81 packages with a known CVE and the dla-needed.txt file has 52 packages needing an update.
We're glad to welcome a few new sponsors such as Électricité de France (Gold sponsor), Telecats BV and Soliton Systems.
Thanks to our sponsors
Sponsors that joined recently are in bold.
In February Raphaël and the LTS worked on a survey of Debian developers meant to solicit ideas for improvements in the Debian project at large. You can see the results of the initial discussion here in the list of ideas of which there are already over 30.
The full survey is due to be emailed to Debian Developers shortly.
Debian LTS contributors
In February, 12 contributors were paid to work on Debian LTS, their reports are available below. If you're interested in participating in the LTS or ELTS teams, we welcome participation from the Debian community. Simply get in touch with Jeremiah or Raphaël if you are interested in participating.
Utkarsh Gupta did 15.75h (out of 42.75h available), thus carrying over 27h to March.
Evolution of the situation
In February we released 24 DLAs.
The security tracker currently lists 61 packages with a known CVE and the dla-needed.txt file has 26 packages needing an update.
You can find out more about the Debian LTS project via the following video:
Thanks to our sponsors
Sponsors that joined recently are in bold.
Here's my (twenty-ninth) monthly but brief update about the activities I've done in the F/L/OSS world.
Debian
This was my 38th month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
I had been sick this month, so most of the time I spent away from system, recovering, et al,
and also went through the huge backlog that I had, which is starting to get smaller. :D
Anyway, I did the following stuff in Debian:
Uploads and bug fixes:
at (3.4.4-1) - Adding a DEP8 test for the package, fixing bug #985421.
Other $things:
Mentoring for newcomers.
Moderation of -project mailing list.
Ubuntu
This was my 13th month of actively contributing to Ubuntu.
Now that I joined Canonical to work on Ubuntu full-time, there's a bunch of things I do! \o/
I mostly worked on different things, I guess.
I was too lazy to maintain a list of things I worked on so there's
no concrete list atm. Maybe I'll get back to this section later or
will start to list stuff from the fall, as I was doing before. :D
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my twenty-ninth month as a Debian LTS and eighteenth month as a Debian ELTS paid contributor.
Whilst I was assigned 42.75 hours for LTS and 45.25 hours for ELTS, I could only work a little due to being sick and so
I spent 15.75 hours on LTS and 9.25 hours on ELTS and worked on the following things:
LTS CVE Fixes and Announcements:
Issued DLA 2909-1, fixing CVE-2021-45079, for strongswan.
For Debian 9 stretch, these problems have been fixed in version 5.5.1-4+deb9u6.
In January we saw a new funded project proposed. The project is meant to bring in a number of changes to the Tryton modules and packages in Debian. Tryton, a full featured, entirely open source business software platform, is supported by its own foundation. You can track the current status of all our funded projects at its dedicated web page.
Folks continue to add to the Grow Your Ideas project page, that's great.
We continue to look forward to hearing about Debian project proposals from various Debian stakeholders. This month has seen work on a survey that will go out to Debian Developers to gather feedback on what they think should be the priorities for funding in the project. Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In January, 13 contributors were paid to work on Debian LTS, their reports are available below. If you're interested in participating in the LTS or ELTS teams, we welcome participation from the Debian community. Simply get in touch with Jeremiah or Raphaël.
Utkarsh Gupta worked 58.25 hours out of 58.25 available.
Evolution of the situation
In January we released 34 DLAs.
The security tracker currently lists 39 packages with a known CVE and the dla-needed.txt file has 20 packages still needing an update.
Thanks to our sponsors
Sponsors that joined recently are in bold.
Here's my (twenty-seventh) monthly but brief update about the activities I've done in the F/L/OSS world.
Debian
This was my 36th month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
Just churning through the backlog again this month. Ugh.
Anyway, I did the following stuff in Debian:
Uploads and bug fixes:
ruby2.7 (2.7.5-1) - New upstream version fixing 3 new CVEs.
Other $things:
Mentoring for newcomers.
Moderation of -project mailing list.
Ubuntu
This was my 11th month of actively contributing to Ubuntu.
Now that I've joined Canonical to work on Ubuntu full-time, there's a bunch of things I do! \o/
I mostly worked on different things, I guess.
I was too lazy to maintain a list of things I worked on so there's
no concrete list atm. Maybe I'll get back to this section later or
will start to list stuff from next year onward, as I was doing before. :D
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my twenty-seventh month as a Debian LTS and eighteenth month as a Debian ELTS paid contributor.
I was assigned 40.00 hours for LTS and 60.00 hours for ELTS and worked on the following things:
(since I had a 3-week vacation, I wanted to wrap things up that were pending and so I worked for 20h more for LTS, which I'll compensate the next month!)
Issued DLA 2854-1, fixing CVE-2017-18635, for novnc.
For Debian 9 stretch, these problems have been fixed in version 1:0.4+dfsg+1+20131010+gitf68af8af3d-6+deb9u1.
Issued ELA 536-1, fixing CVE-2021-43818, for lxml.
For Debian 8 jessie, these problems have been fixed in version Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain.
Started working on src:samba for CVE-2020-25717 to CVE-2020-25722 and CVE-2021-23192 for jessie and stretch, both.
The version difference b/w the suites are a bit too much for the patch(es) to be easily backported. I've talked to Anton to work something out. \o/
Found the problem w/ libjdom1-java. Will have to roll the regression upload.
I've prepared the patch but needs some testing to be finally rolled out. Same for stretch.
Other (E)LTS Work:
Front-desk duty from 29-11 to 05-12 and 20-12 to 26-12 for both LTS and ELTS.
Our project funding work continues with an active bid on the work of packaging a recent gradle in Debian. This month the bidder has been estimating the scope of the entire project.
The Grow Your Ideas project page also has some ambitious initiatives that may evolve into a funded project. The project ideas on that page range from a new wiki for Debian, a more efficient reimbursement process, and the implementation of PPAs for Debian.
We continue to look forward to hearing about Debian project proposals from various Debian stakeholders. This month has seen work on a survey that will go out to Debian Developers to gather feedback on what they think should be the priorities for funding in the project.
Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In November 13 contributors were paid to work on Debian LTS, their reports are available below. If you're interested in participating in the LTS or ELTS teams, we welcome participation from the Debian community. Simply get in touch with Jeremiah if you are interested in participating.
Adrian Bunk did 62h out of 56h assigned for November and 6h from October.
Jeremiah Foster is coordinating/managing the LTS team did 29h (out of 10h assigned and 10h from October for LTS administration), and spent 9 hours on Projects funded directly through the project funding program.
Lee Garrett did 9 hours out of 60 assigned and carried over 51h into December.
Utkarsh Gupta did 30 (out of 40h assigned), thus carrying over 10h to December.
Evolution of the situation
In November we released 31 DLAs.
The security tracker currently lists 23 packages with a known CVE and the dla-needed.txt file has 16 packages needing an update.
Thanks to our sponsors
Sponsors that joined recently are in bold.
Here's my (twenty-sixth) monthly but brief update about the activities I've done in the F/L/OSS world.
Debian
This was my 35th month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
Just churning through the backlog again this month. Ugh.
Anyway, I did the following stuff in Debian:
Uploads and bug fixes:
rails (2:6.1.4.1+dfsg-3) - No-change rebuild for unstable.
Other $things:
Mentoring for newcomers.
Moderation of -project mailing list.
Ubuntu
This was my 10th month of actively contributing to Ubuntu.
Now that I've joined Canonical to work on Ubuntu full-time, there's a bunch of things I do! \o/
I mostly worked on different things, I guess.
I was too lazy to maintain a list of things I worked on so there's
no concrete list atm. Maybe I'll get back to this section later or
will start to list stuff from next year onward, as I was doing before. :D
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my twenty-sixth month as a Debian LTS and seventeenth month as a Debian ELTS paid contributor.
I was assigned 30.00 hours for LTS and 45.00 hours for ELTS and worked on the following things:
Issued DLA 2836-1, fixing CVE-2021-43527, for nss.
For Debian 9 stretch, these problems have been fixed in version 2:3.26.2-1.1+deb9u3.
Started working on src:samba for CVE-2020-25717 to CVE-2020-25722 and CVE-2021-23192 for jessie and stretch, both.
The version difference b/w the suites are a bit too much for the patch(es) to be easily backported. I've talked to Anton to work something out. \o/
Found the problem w/ libjdom1-java. Will have to roll the regression upload.
I've prepared the patch but needs some testing to be finally rolled out. Same for jessie.
Issued ELA 524-1, fixing CVE-2021-43618, for gmp.
For Debian 8 jessie, these problems have been fixed in version 2:6.0.0+dfsg-6+deb8u1.
Issued ELA 525-1, fixing CVE-2021-43527, for nss.
For Debian 8 jessie, these problems have been fixed in version 2:3.26-1+debu8u14.
Started working on src:samba for CVE-2020-25717 to CVE-2020-25722 and CVE-2021-23192 for jessie and stretch, both.
The version difference b/w the suites are a bit too much for the patch(es) to be easily backported. I've talked to Anton to work something out. \o/
Found the problem w/ libjdom1-java. Will have to roll the regression upload.
I've prepared the patch but needs some testing to be finally rolled out. Same for stretch.
Other (E)LTS Work:
Front-desk duty from 29-11 to 05-12 for both LTS and ELTS.
Our project funding work continues with an active bid on the work of packaging gradle in Debian. The next steps are reviewing the bid and formal approval.
We're looking forward to receiving more projects from various Debian teams! Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In October 12 contributors were paid to work on Debian LTS, their reports are available below.
Adrian Bunk did 40.5h in October (out of 28.5h assigned and 18h remaining, thus keeping 6h for November).
Evolution of the situation
In October we released 34 DLAs.
Also, we would like to remark once again that we are constantly looking for new contributors. Please contact Jeremiah if you are interested!
The security tracker currently lists 37 packages with a known CVE and the dla-needed.txt file has 22 packages needing an update.
Thanks to our sponsors
Sponsors that joined recently are in bold.
Like each month, have a look at the work funded by Freexian's Debian LTS offering.
Debian project funding
Folks from the LTS team, along with members of the Debian Android Tools team and Phil Morrel, have proposed work on the Java build tool, gradle, which is currently blocked due to the need to build with a plugin not available in Debian. The LTS team reviewed the project submission and it has been approved. After approval we've created a Request for Bids which is active now.
You'll hear more about this through official Debian channels, but in the meantime, if you feel you can help with this project, please submit a bid. Thanks!
This September, Freexian set aside 2550 EUR to fund Debian projects.
We're looking forward to receive more projects from various Debian teams! Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In September, 15 contributors have been paid to work on Debian LTS, their reports are available:
Abhijith PA has returned hours and marked themselves inactive, at least for the time being. He did 0h out of 14h, carried over 14h and returned 28h.
Adrian Bunk did 19.5h (out of 24.75h assigned and 12.75 from August), carrying over 18h to October.
Emilio Pozuelo Monfort did not report back about their work so we assume they did nothing (out of 5.5h assigned plus 74.5h from August), thus is carrying over 80h for October.
Holger Levsen did 3h (out of 12h assigned) and gave back 9h and carried over 3h.
Jeremiah Foster worked 10 hours (out of 20h assigned) on LTS work, carrying over 10h.
Lee Garrett did not report back about their work so we assume they did nothing (out of 24.75h assigned and 23.75 from August), thus is carrying over 48.50h for October.
Markus Koschany did 43.5h (out of 24.75h assigned and 18.75h from August)
Utkarsh Gupta did 24.75h (out of 24.75h assigned) but did not publish his report yet.
Ola Lundqvist did 2 hours (out of 21h carried over from previous months), and is thus carrying 19h for October.
Evolution of the situation
In September we released 30 DLAs. September was also the second month of Jeremiah coordinating LTS contributors.
Also, we would like to say that we are always looking for new contributors to LTS. Please contact Jeremiah if you are interested!
The security tracker currently lists 33 packages with a known CVE and the dla-needed.txt file has 26 packages needing an update.
Thanks to our sponsors
Sponsors that joined recently are in bold.
Like each month, have a look at the work funded by Freexian's Debian LTS offering.
Debian project funding
In August, we put aside 2460 EUR to fund Debian projects. We received a new project proposal that got approved and there's an associated bid request if you feel like proposing yourself to implement this project.
We're looking forward to receiving more projects from various Debian teams! Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In August, 14 contributors have been paid to work on Debian LTS, their reports are available:
Abhijith PA did 4.0h (out of 14h assigned and 5h from August), thus carrying over 15h to September.
Adrian Bunk did 11h (out of 23.75h assigned), thus carrying over 12.75h to September.
Emilio Pozuelo Monfort did not report back about their work so we assume they did nothing (out of 23.75h assigned plus 50.75h from August), thus is carrying over 74.5h for September.
Holger Levsen did 3h (out of 12h assigned) to help coordinate the team, and gave back the remaining hours.
Lee Garrett did nothing (out of 23.75h assigned), thus is carrying over 23.75h for September.
Markus Koschany did 35h (out of 23.75h assigned and 30h from August), thus carrying over 18.75h to September.
Neil Williams did 24h (out of 23.75h assigned), thus anticipating 0.25h of October.
Roberto C. Sánchez did 22.25h (out of 23.75h assigned), thus carrying over 1.5h to September.
Sylvain Beucler did 21.5h (out of 23.75h assigned), thus carrying over 2.25h to September.
Evolution of the situation
In August we released 30 DLAs.
This is the first month of Jeremiah coordinating LTS contributors. We would like to thank Holger Levsen for his work on this role up to now.
Also, we would like to remark once again that we are constantly looking for new contributors. Please contact Jeremiah if you are interested!
The security tracker currently lists 73 packages with a known CVE and the dla-needed.txt file has 29 packages needing an update.
Thanks to our sponsors
Sponsors that joined recently are in bold.
Here's my (twenty-third) monthly but brief update about the activities I've done in the F/L/OSS world.
Debian
This was my 32nd month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
Tough month, but I mostly spent it churning through the immense backlog. But that
somewhat backfired and I have even more backlog than ever. :D
Anyway, I did the following stuff in Debian:
Ubuntu
This was my 7th month of actively contributing to Ubuntu.
Now that I've joined Canonical to work on Ubuntu full-time, there's a bunch of things I do! \o/
I mostly worked on different things, I guess. But mostly on packaging keylime and some Google Agents upload(s) and SRU(s). Also did a lot of reviewing, et al.
I was too lazy to maintain a list of things I worked on so there's no concrete list atm. Maybe I'll get back to this section later or will start to list stuff from next month onward, as I've been doing before. :D
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my twenty-third month as a Debian LTS and eleventh month as a Debian ELTS paid contributor.
I was assigned 23.75 hours for LTS and 40.00 hours for ELTS and worked on the following things:
(however, I only worked for 23.75h on ELTS work, thereby, carrying the rest to next month)
Noticed that there's a fallout of CVE-2021-3185, where an update was issued for gst-plugins-bad1.0, however, not for gst-plugins-bad0.10.
Thanks to Sylvain's script, this came up and I prepped an update for that.
Started to work on libjdom1-java's regression.
Other (E)LTS Work:
Front-desk duty from 26-07 until 01-08 and from 30-08 until 05-09 for both LTS and ELTS.
Mark CVE-2021-39240/haproxy as not-affected for stretch and jessie.
Mark CVE-2021-39241/haproxy as not-affected for stretch and jessie.
Mark CVE-2021-39242/haproxy as not-affected for stretch and jessie.
Mark CVE-2021-33582/cyrus-imapd as no-dsa for stretch.
Mark CVE-2020-18771/exiv2 as no-dsa for exiv2 for stretch.
Mark CVE-2020-18899/exiv2 as no-dsa for exiv2 for stretch.
Mark CVE-2021-38171/ffmpeg as postponed for stretch.
Mark CVE-2021-40330/git as no-dsa for stretch and jessie.
Mark CVE-2020-19481/gpac as ignored for stretch.
Mark CVE-2021-40491/inetutils as no-dsa for stretch.
Mark CVE-2021-36370/mc as no-dsa for stretch and jessie.
Mark CVE-2021-35368/modsecurity-crs as no-dsa for stretch.
Mark CVE-2021-23434/node-object-path as end-of-life for stretch.
Mark CVE-2021-32610/php-pear as no-dsa for stretch.
Mark CVE-2017-9525/systemd-cron as no-dsa for stretch.
Mark CVE-2021-37701/node-tar as end-of-life for stretch.
Mark CVE-2021-37712/node-tar as end-of-life in stretch.
Mark CVE-2021-3750/qemu as postponed for jessie.
Mark CVE-2021-27511/prototypejs as postponed for jessie.
Mark CVE-2021-23437/pillow as postponed for stretch and jessie.
Auto EOL'ed gpac, cacti, openscad, cgal, cyrus-imapd-2.4, libsolv, mosquitto, atomicparsley, gtkpod, node-tar, libapache2-mod-auth-openidc, neutron, inetutils and linux for jessie.
Drop cpio from ela-needed; open issues don't warrant an ELA.
Attended monthly Debian LTS meeting.
Answered questions (& discussions) on IRC (#debian-lts and #debian-elts).
Like each month, have a look at the work funded by Freexian's Debian LTS offering.
Debian project funding
In July, we put aside 2400 EUR to fund Debian projects. We haven't received proposals of projects to fund in the last months, so we have scheduled a discussion during Debconf to try to figure out why that is and how we can fix that. Join us on August 26th at 16:00 UTC on this link.
We are pleased to announce that Jeremiah Foster will help out to make this initiative a success: he can help Debian members to come up with solid proposals, he can look for people willing to do the work once the project has been formalized and approved, and he will make sure that the project implementation keeps on track when the actual work has begun.
We're looking forward to receiving more projects from various Debian teams! Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In July, 12 contributors have been paid to work on Debian LTS, their reports are available:
Abhijith PA did 5.0h (out of 7h assigned and 3h remaining), thus carrying over 5h to August.
Emilio Pozuelo Monfort did not report back about their work so we assume they did nothing (out of 39.75h assigned plus 11h from June), thus is carrying over 50.75h for August.
Holger Levsen's work was coordinating/managing the LTS team, he did 3.5h (out of 12h assigned) and gave back 8.5h to the pool.
Markus Koschany did 30h (out of 30h assigned and 30h from June), thus carrying over 30h to August.
Ola Lundqvist did nothing (out of 12h assigned plus 20h from June), thus is carrying over 32h for August.
Roberto C. Sánchez did 13.5h (out of 32h assigned and 20h from June), and gave back 38.5h to the pool.
Evolution of the situation
In July we released 30 DLAs. Also we were glad to welcome Neil Williams and Lee Garrett who became active contributors.
The security tracker currently lists 63 packages with a known CVE and the dla-needed.txt file has 17 packages needing an update.
We would like to thank Holger Levsen for the years of work where he managed/coordinated the paid LTS contributors. Jeremiah Foster will take over his duties.
Thanks to our sponsors
Sponsors that joined recently are in bold.
Intro
My name is Leandro Doctors (allentiak on IRC), and I've been the GSoC
intern working with the Debian Clojure Team during 2021. This is my
final report. You can also check my original proposal and my first report.
Summary
Whereas the raw data may not sound by itself very positive, my personal
conclusion is. This is, whereas I didn't fully finish the required
deliverables envisioned in my original proposal, I do feel I am much
closer to, eventually, becoming a Debian Developer. So, by all means, I
consider this project has had a positive outcome.
Project
The goal of the Clojure Build Tools in Debian project was to provide
Clojure Debian users with some of the latest advanced build tools and
libraries the upstream Clojure developers have been lately working on.
These include tools.deps.alpha, a library for dependency graph
resolution and classpath building, and the CLI tool clj, for REPL
interaction. If time permitted, I was also to improve the quality of
both new and existing Clojure packages, and the overall Debian Clojure
packaging process. My mentor was Louis-Philippe Véronneau, and my
co-mentor was Utkarsh Gupta.
Motivation
Why this project? On the one side, if you're a Clojure lover like me,
you may have noticed that the Clojure experience in Debian is, as of mid
2021, well... still quite limited. Additionally, this project aligned
with my own background in Free Software community building and my
research interest in Peer Production.
When I mention how limited today's Clojure experience in Debian is, I
can see two reasons for this, deeply intertwined. The first one is that
there currently aren't many Clojure-specific packaging tools in Debian
(such as a clojure-debian-helper). The second reason for which we only
currently have a suboptimal Clojure experience in Debian, and probably
the root of the previous one, is that many core build tools and
libraries for the language have not simply been packaged yet. My project
aimed to attack that seemingly root cause.
As I said, another reason for me choosing this project is my own
experience as the Co-founder and Leader of, probably, the first Free
Software Community experience in my hometown of San Juan, Argentina.
That interest in Free Software evolved in a first PhD attempt in what is
now known as the field of Peer Production. A subject that has lived
within me as a research interest during my day job at a University.
Being a Clojure fan, it felt only logical combining all those interests
somehow. And this project seemed like the ideal combination.
The Debian Clojure Team
I've been working with a small, yet very warm team. The current
incarnation of the Debian Clojure Team exists thanks to the hard work of
three people.
Elana Hashman (aka the Clojure necromancer), revived the team around
three years ago. Later on, the team gained the invaluable presence of
Louis-Philippe Véronneau and Utkarsh Gupta (my mentor and co-mentor,
respectively).
Together, these Three Musketeers have maintained the team alive,
allowing us, Debian users, to enjoy Clojure.
Status
During the first part of my project, I mainly worked on learning the
basics of Debian packaging, and got my first package uploaded. I have to
thank Louis-Philippe, Utkarsh, and Elana for their immense patience and
support during that part, as it took me quite some effort grasping the
basics of Debian packaging.
During the second part of my project, I worked on my last packages, and
almost completed the originally required scope of the project. I only
have to finish working on the transition from the currently provided set
of packages (based on a Debian-specific clojure runner) to the newly
provided upstream clojure and clj runners.
Unfortunately, I didn't have much time left to start working on the
opportunities for improvement already identified by the Debian Clojure
Team originally outlined in my proposal. Whereas I did update one older
Clojure package not built using leiningen (tools-data-xml-clojure), I
didn't write any Lintian tags to make Clojure packaging in Debian more
robust, nor worked towards the automation of Clojure unit tests in
autopkgtests via autodep8.
Deliverables: Data vs. Conclusions
If we are to talk about deliverables, we should start with the data.
According to my original proposal, I was required to provide both new
and updated Clojure packages accepted into Debian unstable, and
updated Clojure packaging documentation. Additionally, if time
permitted, I was to also provide new Clojure Lintian tags merged by the
Lintian maintainers, and new Clojure autodep8 scripts merged by the
autodep8 maintainers. Whereas I partially accomplished both required
tasks, I didn't manage to start working on any of the optional
deliverables.
When looked in isolation, those numbers may look somewhat disappointing
for some people. However, I can draw a much more positive conclusion.
Why?
Firstly, GSoC is supposed to be a learning experience. Moreover, as I
said in my original proposal, I "approach[ed] this project as a great
opportunity to, finally, start my journey towards becoming a Debian
Developer". In that sense, I consider the time invested into this
project fruitful. In this way, I have learned the basics of packaging,
how to interact with the Debian Clojure Team, and already got my
first packages accepted. Plus, I'm looking forward to continuing to work
with the Debian Clojure Team so I can attain the original scope of the
project. Therefore, all things considered, I can consider this
experience as a moderate success.
Lessons Learned
Technically speaking, if I have learned one thing during these weeks, is
that packaging, although easy to be underestimated, is by no means a
trivial process. As any Debian Developer surely knows, the onboarding
process can take some time. Plus, what is easy for some people, can be
difficult for others. In my case, this was quite evident. Whereas I can
speak several languages and learning new ones takes me little effort,
grasping the basics of packaging took me (literally!) blood, sweat and
tears. Indeed, the packaging learning curve was quite steep for me.
That being said, I did learn a thing or two about packaging. So, if I
managed to get here, I'm sure many others can. It may take them more or
less time than what it took me, but learning (at least the basics) of
packaging is an achievable goal.
Technical skill learning aside, I value very highly the non-technical
skills I have so far improved during this project.
For instance, I also learned that it can take some time to adapt to
real-time online communication. Before this project, remote working
meant either exchanging emails or getting into video or audio calls,
with a low emphasis on chat-based interaction. Early on, I realized that
the Debian Clojure Team interacts almost exclusively via, well... chat!
And those two approaches are very different indeed. It has taken me some
time to adjust, but I've improved greatly in this aspect as well.
Finally, improving my time management skills has been also a key part of
this process. Whereas I had already been working remotely for over a
year and a half already, my day job is not so interaction-dependent as
this project (especially in the beginning). So it took me some time to
adapt to this way of working, and to plan my workload so I could use
those waiting moments to advance in other parts of the project. Still a
lot to improve here, but improving nevertheless.
Acknowledgments
I first have to thank upstream. More specifically, one of the upstream
developers of the clojure-tools, Alex Miller. Every time I needed
specific information on what do specific parts of the Clojure CLI
tools's codebase do, tools.deps.alpha do, he popped up a reply in a
matter of hours. He has shown genuine interest in the success of this
project by carefully replying to my emails with detailed
explanations of code intent and form, both in private and in public
conversations. Thank you for all that, Alex!
Let's move on to the Debian Clojure Team.
First, Elana. I thank Elana for her initial openness when I first
contacted her about this idea. It was *her*
who initially contacted Louis-Philippe so he would become my mentor. I
wouldn't have started to work on this project if it wasn't for her.
Plus, she provided quite a piece of advice on more than one occasion.
So, thank you very much for all that, Elana!
I also thank Utkarsh, my co-mentor, for his overall technical advice.
And a special mention to his initial help to set up my Matrix client for
OFTC chat. At that moment, it was *him* who
took the time to help me in real time so I could solve that problem. So,
thank you very much for all that, Utkarsh!
I finally have to thank Louis-Philippe, my mentor, for his patient
guidance during the whole process. His dedication and hard work has been
*instrumental* for my progress. And a
special mention for his tolerance with respect to some unforeseen
personal circumstances I had to endure during the first weeks. When one
is playing the newbie, times abound when one depends on other people's
feedback. And Debian is made of volunteers, who have a life outside it.
Every time I asked, Louis-Philippe was there. I wouldn't have gotten
here if it wasn't for him. So, thank you
*so* much for all that, Louis-Philippe!
Final Words
I would like to close this report with a reflection.
I have been using Debian for many, many years now, and I had been
looking for a way to contribute back to the project for some time
already. I even did some work on a non-packaging Debian project. That
being said, I never managed to deliver much, really.
So, the very existence of outreach programs as this one is, in my humble
opinion, crucial. In my case, the funding I got through the GSoC program
was instrumental in being able to allocate time for this endeavor, and
to finally get started contributing to Debian. Plus, it has had a very
positive impact on me; in many ways, some of which I am only starting to
discover now that the project is ending.
When I put things into perspective, this project is very important for
me. Actually, it is nothing but the first step within a long-term
journey: becoming a Debian member. Hopefully, I would like to be able to
apply for Debian membership by the end of this year.
Questions?
Thank you very much for your time reading this! I look forward to
hearing (or reading) your feedback. Please come and meet with the Debian
Clojure Team. Moreover, I will be in the Clojure BoF on DebConf2021.
Moreover, do not hesitate to send me an email.
Data
Task Status
Required Tasks:
T1: Setting up a full Debian packaging development environment and learning the basics of Debian packaging.
Status: Successfully completed the first part during the Application period. Successfully completed the second part during the Coding periods.
T2: Identifying and packaging the missing dependencies to package clojure-cli.
Status: Successfully completed as of the end of Coding II.
T3: Packaging clojure-cli.
Status: 90% done as of the end of Coding II.
T4: Updating clojure to use clojure-cli.
Status: To be completed after GSoC.
T5: Updating the Clojure Packaging Guide with information on how to use the new clojure-cli scripts.
Status: Improved existing documentation. To be completed after GSoC.
Optional Tasks:
T6: Writing Lintian tags to make Clojure packaging in Debian more robust.
Status: To be completed after GSoC.
T7: Working to automate Clojure unit testing in autopkgtests using autodep8.
Status: To be completed after GSoC.
T8: Updating older Clojure packages not built using leiningen or clojure-cli.
tools-gitlibs-clojure -- Clojure API for programatically accessing git libraries. ITP: #905543 in NEW.
ITP: tools-deps-alpha-clojure -- functional API for dependency management and classpath creation. https://bugs.debian.org/891136 Needs to be uploaded by Louis-Philippe.
In-Progress packages:
ITP: clojure-cli -- upstream CLI entrypoints for Clojure. https://bugs.debian.org/891141 90% done - Package completed. I only need to finish implementing the transition from existing clojure scripts. To be completed after GSoC.