Free software activities in September 2018


Here is my monthly update covering what I have been doing in the free software world during September 2018 (previous month):

More hacking on the Lintian static analysis tool for Debian packages:

Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

This month I:

  • Opened a pull request in the Sphinx documentation builder to ensure Python frozenset object descriptions are reproducible.

  • Followed up on my previous merge request against the Redis key-value database and encouraged it to be merged upstream.

  • Made the following changes to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues:

    • Fix testsuite under LLVM version 7.0+. (#908074)
    • Ensure “substvar” generation is deterministic regardless of installed packages. (#908072)
    • Fix tests under colord version 1.4.3+. (#908900)
    • Disable binwalk’s configuration for predictable results, etc. (#903444)
    • Ensure we return bytes objects from Command.filter to prevent LLVM tracebacks.
    • Don’t print output from GnuPG.
    • Drop print() statement in PPU tests.
    • Strip trailing whitespace from ssconvert(1) output to support gnumeric 1.12.43+.
    • Clarify distinction between tools and packages when generating substvars.

  • Updated my pull request for the sphinx-gallery extension for the Sphinx documentation builder (which automatically generates an example gallery) to not show the “Total running time” if SOURCE_DATE_EPOCH is set.

  • Within Debian:

    • Categorised a large number of packages and issues in the “package classification” repository.

    • Updated our website, including fixing some broken navigation and ensuring images were visible on all pages on the site, as well as updating the SSL certificate for buildinfo.debian.net.

    • Worked on publishing our weekly reports. (#174, #175, #176, #177 & #178)

    • Corrected the spelling/grammar in a comment within strip-nondeterminism, our tool to remove specific non-deterministic results from a completed build.

    • Escaped the package name in the “Schedule a new build” links in our Jenkins-based testing framework that powers tests.reproducible-builds.org.
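As an added illustration of the two Sphinx-related items above (this is my own example, not code from Sphinx, sphinx-gallery or the author's pull requests; the function names are assumptions), the snippet below shows why a frozenset's printed description is not reproducible and how sorting fixes it, and how SOURCE_DATE_EPOCH is honoured so that wall-clock-dependent text is either fixed or omitted.

```python
"""Two reproducibility fixes of the kind listed above, self-contained.

1. repr() of a set or frozenset depends on the per-process hash seed
   (PYTHONHASHSEED), so a documentation builder that prints a frozenset
   default literally can emit different text on every build.  Sorting the
   members before rendering gives a stable description.
2. Output that embeds a build time or a "Total running time" should use
   SOURCE_DATE_EPOCH (a Unix timestamp, per the Reproducible Builds spec)
   when it is set, and drop durations that can never be reproduced.
"""
import datetime
import os
import time


def describe_default(value):
    """Render a default value for documentation deterministically.

    Set members are ordered by their repr() so the text does not depend on
    hash ordering; other values are rendered with plain repr().
    """
    if isinstance(value, (set, frozenset)):
        if not value:
            return repr(value)            # "set()" / "frozenset()"
        inner = ", ".join(sorted(repr(m) for m in value))
        if isinstance(value, frozenset):
            return "frozenset({%s})" % inner
        return "{%s}" % inner
    return repr(value)


def build_timestamp(env=None):
    """Timestamp to embed in generated output.

    With SOURCE_DATE_EPOCH set, return that instant in UTC so every build
    produces identical text; otherwise fall back to the wall clock.
    """
    env = os.environ if env is None else env
    epoch = env.get("SOURCE_DATE_EPOCH")
    if epoch is not None:
        return datetime.datetime.fromtimestamp(int(epoch), datetime.timezone.utc)
    return datetime.datetime.now(datetime.timezone.utc)


def running_time_footer(start, env=None):
    """Gallery footer; suppressed entirely under SOURCE_DATE_EPOCH because a
    measured duration can never be reproduced bit-for-bit."""
    env = os.environ if env is None else env
    if "SOURCE_DATE_EPOCH" in env:
        return ""
    return "Total running time: %.3f seconds" % (time.monotonic() - start)
```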

Debian

  • As a member of the Debian Python Module Team I pushed a large number of changes across 100s of repositories including removing empty debian/patches/series & debian/source/options files, correcting email addresses, dropping generated .debhelper dirs, removing trailing whitespaces, respecting the nocheck build profile via DEB_BUILD_OPTIONS and correcting spelling mistakes in debian/control files.

  • Added a missing dependency on golang-golang-x-tools for digraph(1) in dh-make-golang as part of the Debian Go Packaging Team.

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project:

  • “Frontdesk” duties, triaging CVEs, responding to user questions, etc.

  • Issued DLA 1492-1 fixing a string injection vulnerability in the dojo JavaScript library.

  • Issued DLA 1496-1 to correct an integer overflow vulnerability in the “Little CMS 2” colour management library. A specially-crafted input file could have led to a heap-based buffer overflow.

  • Issued DLA 1498-1 for the curl utility to fix an integer overflow vulnerability (background).

  • Issued DLA 1501-1 to fix an out-of-bounds read vulnerability in libextractor, a tool to extract meta-data from files of arbitrary type.

  • Issued DLA 1503-1 to prevent a potential denial of service and a potential arbitrary code execution vulnerability in the kamailio SIP (Session Initiation Protocol) server. A specially-crafted SIP message with an invalid Via header could cause a segmentation fault and crash the server due to missing input validation.

  • Issued ELA 34-1 for the Redis key-value database where the redis-cli tool could have allowed an attacker to achieve code execution and/or escalate to higher privileges via a specially-crafted command line.

Uploads

I also uploaded the following packages as a member of the Debian Python Module Team: django-ipware (2.1.0-1), django-adminaudit (0.3.3-2), python-openid (2.2.5-7), python-social-auth (1:0.2.21+dfsg-3), python-vagrant (0.5.15-2) & python-validictory (0.8.3-3).

Finally, I sponsored the following uploads: bm-el (201808-1), elpy (1.24.0-1), mutt-alias-el (1.5-1) & android-platform-external-boringssl (8.1.0+r23-2).

Debian bugs filed

FTP Team

As a Debian FTP assistant I ACCEPTed 81 packages: adios, android-platform-system-core, aom, appmenu-registrar, astroid2, black, bm-el, colmap, cowpatty, devpi-common, equinox-bundles, fabulous, fasttracker2, folding-mode-el, fontpens, ganeti-2.15, geomet, golang-github-google-go-github, golang-github-gregjones-httpcache, hub, infnoise, intel-processor-trace, its-playback-time, jsonb-api, kitinerary, kpkpass, libclass-tiny-chained-perl, libmoox-traits-perl, librda, libtwitter-api-perl, liburl-encode-perl, libwww-oauth-perl, llvm-toolchain-7, lucy, markdown-toc-el, mmdebstrap, mozjs60, mutt-alias-el, nvidia-graphics-drivers-legacy-390xx, o-saft, pass-tomb, pass-tomb-basic, pgformatter, picocli, pikepdf, pipewire, poliastro, port-for, pyagentx, pylint2, pynwb, pytest-flask, python-argon2, python-asteval, python-caldav, python-djangosaml2, python-pcl, python-persist-queue, python-rfc3161ng, python-treetime, python-x2go, python-x3dh, python-xeddsa, rust-crossbeam-deque, rust-iovec, rust-phf-generator, rust-simd, rust-spin, rustc, sentinelsat, sesman, sphinx-autobuild, sphinxcontrib-restbuilder, tao-pegtl, trojan, ufolib2, ufonormalizer, unarr, vlc-plugin-bittorrent, xlunzip & xxhash.

I additionally filed 6 RC bugs against packages that had potentially-incomplete debian/copyright files: adios, pgformatter, picocli, python-argon2, python-pcl & python-treetime.
