Free software activities in December 2017

Here is my monthly update covering what I have been doing in the free software world in December 2017 (previous month):

  • Released a new version of python-gfshare, my Python library that implements Shamir’s method for secret sharing, fixing parts of the documentation as well as two warnings via contributions by Kevin Ji. […] […]
  • Opened a PR against vim-pizza (a plugin to order pizza from within the Vim text editor) to use xdg-open or sensible-browser under Debian and derivatives. […]
  • Created two pull requests for the RediSearch search engine module for Redis: first to un-ignore the /debian dir in .gitignore to aid packaging […] and second to inherit CFLAGS / LDFLAGS from the outside environment to enable hardening support […].
  • Even more hacking on the Lintian static analysis tool for Debian packages:

    • New features:

      • Support Standards-Version 4.1.3.
      • Warn when files specified in Files-Excluded exist in the source tree. (#871454)
      • Check Microsoft Windows Portable Executable (PE) files missing hardening features. (#837548)
      • Warn about Python 2.x packages using ${python3:Depends} and Python 3.x packages using ${python:Depends}. (#884676)
      • Check changelog entries with incorrectly formatted dates. (#793406)
      • Check override_dh_fixperms targets missing calls to dh_fixperms. (#885910)
      • Ensure PAM modules are in the admin section, preventing a false positive for libpam-krb5. (#885899)
      • Check Python packages installing modules called site, docs, examples etc. into the global namespace. (#769365)
      • Check packages that invoke AC_PATH_PROG without considering cross-compilation. (#884798)
      • Emit a warning for packages that mismatch version control systems in Vcs-* headers. (#884503)
      • Warn when packages specify a Bugs field in debian/control that does not refer to official Debian infrastructure. (#741071)
      • Warn for packages shipping pkg-config files under /usr/lib/pkgconfig. (#885096)
      • Warn about packages that ship non-reproducible Python .doctree files. (#885327)
      • Bump the recommended Debhelper compat level to 11. (#884699)
      • Warn about Python 3 packages that depend on Python 2 packages (and vice versa). (#782277)
      • Check for override_dh_clean targets missing calls to dh_clean. (#884817)
      • Check Apache 2.0-licensed packages that do not distribute their accompanying NOTICE files. (#885042)
      • Detect embedded jQuery libraries with version numbers in their filenames. (#833613)
      • Also emit embedded-javascript-library for Twitter Bootstrap and Mustache.
      • Check development packages that ship ELF binaries in $PATH. (#794295)
      • Warn about library packages with excessive priority. (#834290)
      • Warn about Multi-Arch: foreign packages that ship CMake, pkg-config or static libraries in public, architecture-dependent search paths. (#882684)
      • Test for packages shipping gschemas.compiled files. (#884142)
      • Warn if a package ships compiled font files. (#884165)
      • Detect invalid debian/po/POTFILES.in. (#883653)
      • Warn for packages that modify the epoch yet there’s no comment about the change in the changelog.
    • Bug fixes:

    • Reporting improvements:

    • Documentation:

    • Miscellaneous:

      • Add a vendor profile for Purism’s PureOS. (#884408)
      • Allow the tag display limit to be configured via --tag-display-limit. (#813525)
      • Tag build-dependencies with […] in debian/control.
      • Make -v imply --no-tag-display-limit. (#812756)
      • Remove the “russian” → “Russian” corrections as they are covered by data/spelling/corrections-case. (#883041)
  • Suggested an improvement to the “lack of entropy” error message in the TLSH (Trend Micro Locality Sensitive Hash) fuzzy matching algorithm. […]
  • I also blogged about simple media cachebusting when using GitHub Pages.
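The Lintian feature above that checks Windows PE files for missing hardening features (#837548) is the kind of check a packager can reproduce independently. What follows is an added example written for this post, not Lintian’s own (Perl) implementation: it reads the DllCharacteristics word from a PE32 or PE32+ optional header and reports whether the ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT) bits are set. The bit values are the documented IMAGE_DLLCHARACTERISTICS_* constants; the set of features treated as “expected” and the make_pe() helper that constructs a minimal header blob for demonstration are assumptions of this example.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the Microsoft PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",  # 64-bit address space for ASLR (PE32+ only)
    0x0040: "DYNAMIC_BASE",     # image can be relocated at load time (ASLR)
    0x0080: "FORCE_INTEGRITY",  # code integrity checks enforced
    0x0100: "NX_COMPAT",        # image is compatible with DEP/NX
    0x0400: "NO_SEH",           # image uses no structured exception handlers
    0x4000: "GUARD_CF",         # Control Flow Guard instrumented
}

# Assumption of this example: the two features every shipped PE file should set.
EXPECTED = ("DYNAMIC_BASE", "NX_COMPAT")


def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics word of a PE image, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)        # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                        # 20-byte COFF file header
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)    # SizeOfOptionalHeader
    opt = coff + 20                                            # start of optional header
    if opt_size < 72 or len(data) < opt + opt_size:
        raise ValueError("optional header missing or truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                            # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    (chars,) = struct.unpack_from("<H", data, opt + 70)
    return chars


def enabled_features(data: bytes) -> list:
    """Names of all known DllCharacteristics bits that the image sets."""
    chars = dll_characteristics(data)
    return [name for bit, name in DLL_CHARACTERISTICS.items() if chars & bit]


def missing_hardening(data: bytes) -> list:
    """Names of EXPECTED features that the image does not set (empty list = fine)."""
    enabled = set(enabled_features(data))
    return [name for name in EXPECTED if name not in enabled]


def make_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed sample: a minimal, non-runnable PE header carrying the given flags."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    machine = 0x8664 if pe32plus else 0x14C                    # AMD64 / i386
    opt_size = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = [
        ("unhardened PE32", make_pe(0)),
        ("hardened PE32", make_pe(0x0140)),
        ("PE32+ with DEP only", make_pe(0x0100, pe32plus=True)),
    ]
    for label, blob in samples:
        print(f"{label:22} missing: {missing_hardening(blob) or 'nothing'}")
```

Real binaries would be read from disk with open(path, "rb").read(); the parser only needs the headers, so it copes with arbitrarily large images. Mixing a PE32 magic with a too-short SizeOfOptionalHeader or a non-PE file raises ValueError rather than reporting a misleading “missing” list.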

Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds
effort is to allow verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

I have been generously awarded a grant from the Core Infrastructure Initiative to fund my work in this area.

This month I:

I also made the following changes to our tooling:

diffoscope

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.

  • Support Android ROM boot.img introspection. (#884557)
  • Handle case where a file to be “fuzzy” matched does not contain enough entropy despite being over 512 bytes. (#882981)
  • Ensure the cleanup of symlink placeholders is idempotent. […]

trydiffoscope

trydiffoscope is a web-based version of the diffoscope in-depth and content-aware diff utility. Continued thanks to Bytemark for sponsoring the hardware.

  • Parse dpkg-parsechangelog in setup.py instead of hardcoding the version. […]
  • Flake8 the main file. […]

buildinfo.debian.net

buildinfo.debian.net is my experiment into how to process, store and distribute .buildinfo files after the Debian archive software has processed them.

  • Don’t HTTP 500 if there is no request body. […]
  • Catch TypeError: decode() argument 1 must be string, not None tracebacks. […]

Debian

My activities as the current Debian Project Leader will be covered in my “Bits from the DPL” email to the debian-devel-announce mailing list.

Patches contributed

  • bitseq: Add missing Build-Depends on python-numpy for documentation generation. (#884677)
  • dh-golang: Avoid “uninitialized value” warnings. (#885696)
  • marsshooter: Avoid source-includes-file-in-files-excluded Lintian override. (#885732)
  • gtranslator: Do not ship .pyo and .pyc files. (#884714)
  • media-player-info: Bugs field does not refer to Debian infrastructure. (#885703)
  • pydoctor: Add a Homepage field to debian/control. (#884255)

Debian LTS

This month I have been paid to work 14 hours on Debian Long Term Support (LTS). In that time I did the following:

  • “Frontdesk” duties, triaging CVEs, etc.
  • Updating old notes in data/dla-needed.txt.
  • Issued DLA 1204-1 for the evince PDF viewer to fix an arbitrary command injection vulnerability where a specially-crafted embedded DVI filename could be exploited to run commands as the current user when “printing” to PDF.
  • Issued DLA 1209-1 to fix a vulnerability in sensible-browser (a utility to start the most suitable web browser based on one’s environment or configuration) where remote attackers could conduct argument-injection attacks via specially-crafted URLs.
  • Issued DLA 1210-1 for kildclient, a “MUD” multiplayer real-time virtual world game, to remedy a command-injection vulnerability.
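The sensible-browser and evince advisories above are both instances of one failure mode: an untrusted string (a URL, an embedded filename) is handed to another program in a way that lets it be read as an option or as shell syntax. The following is an added example for this post, not code from sensible-browser, evince or the DLAs: a small browser launcher in Python that shows the fragile concatenated-command pattern next to a hardened form that validates the URL, never goes through a shell, and terminates option parsing with “--”. The allowed-scheme list, the function names and the assumption that the browser honours “--” are this example’s own choices.

```python
import subprocess
from urllib.parse import urlsplit

# Assumption of this example: the only URL schemes the launcher will forward.
ALLOWED_SCHEMES = {"http", "https", "ftp"}


def is_safe_url(url: str) -> bool:
    """True only for absolute URLs with an allowed scheme and a host.

    Anything else (empty input, control characters, strings starting with '-',
    relative paths, javascript:/file: URLs) is rejected before it can reach
    the browser's own option parser or a shell.
    """
    if not url or any(ch in url for ch in "\0\r\n"):
        return False
    if url.lstrip().startswith("-"):       # would be parsed as a browser option
        return False
    parts = urlsplit(url)
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def unsafe_command(browser: str, url: str) -> str:
    """The fragile pattern: one string for a shell, with the URL concatenated in.

    The shell re-parses this string, and the browser sees whatever tokens
    result, including anything that looks like an option.
    """
    return f"{browser} {url}"


def browser_argv(browser: str, url: str) -> list:
    """Hardened form: validated URL, an argv list (no shell), and '--' so the
    browser treats the next argument as a positional URL (assumes the browser
    follows the usual getopt convention for '--')."""
    if not is_safe_url(url):
        raise ValueError(f"refusing to open {url!r}")
    return [browser, "--", url]


def launch(browser: str, url: str) -> int:
    """Run the browser with the hardened argument vector and return its exit code."""
    return subprocess.run(browser_argv(browser, url), check=False).returncode


if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    for candidate in ["https://www.debian.org/", "-someflag", "not a url",
                      "file:///tmp/x", "javascript:void(0)"]:
        print(f"{candidate!r:28} safe={is_safe_url(candidate)}")
    print(browser_argv("x-www-browser", "https://www.debian.org/"))
```

The validation and the argv list are independent defences: the scheme check stops a URL from being something other than a URL, and passing a list to subprocess.run() removes the shell from the picture entirely, so quoting characters in an accepted URL are delivered to the browser as data rather than re-parsed.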

Uploads

  • python-django (2:2.0-1) — Release the new upstream stable release to the experimental suite.
  • redis:

    • 5:4.0.5-1 — New upstream release & use “metapackage” over “meta-package” in debian/control.
    • 5:4.0.6-1 — New upstream bugfix release.
    • 5:4.0.6-2 — Replace redis-sentinel‘s main dependency with redis-tools from redis-server, moving the creation/deletion of the redis user, associated data & log directories to redis-tools (#884321), and add stub manpages for redis-sentinel, redis-check-aof & redis-check-rdb.
    • 5:4.0.6-1~bpo9+1 — Upload to the stretch-backports repository.
  • redisearch:

    • 1.0.1-1 — New upstream release.
    • 1.0.2-1 — New upstream release, ensure the .so file is hardened (upstream patch), update upstream’s .gitignore so our changes under debian/ are visible without -f (upstream patch) and override no-upstream-changelog in all binary packages.
  • installation-birthday (6) — Bump Standards-Version to 4.1.2 and replace Priority: extra with Priority: optional.

Finally, I also made the following miscellaneous uploads:

  • cpio (2.12+dfsg-6), NMU-ing a new 2.12 upstream version to the “unstable” suite.
  • wolfssl (3.12.2+dfsg-1 & 3.13.0+dfsg-1) — Sponsoring new upstream versions.

Debian bugs filed

FTP Team

As a Debian FTP assistant I ACCEPTed 106 packages: aodh, autosuspend, binutils, btrfs-compsize, budgie-extras, caja-seahorse, condor, cross-toolchain-base-ports, dde-calendar, deepin-calculator, deepin-shortcut-viewer, dewalls, dh-dlang, django-mailman3, flask-gravatar, flask-mail, flask-migrate, flask-paranoid, flask-peewee, gcc-5-cross-ports, getmail, gitea, gitlab, golang-github-go-kit-kit, golang-github-knqyf263-go-deb-version, golang-github-knqyf263-go-rpm-version, golang-github-mwitkow-go-conntrack, golang-github-parnurzeal-gorequest, golang-github-prometheus-tsdb, haskell-unicode-transforms, haskell-unliftio-core, htslib, hyperkitty, libcbor, libcdio, libcidr, libcloudproviders, libepubgen, libgaminggear, libgitlab-api-v4-perl, libgoocanvas2-perl, libical, libical3, libixion, libjaxp1.3-java, liblog-any-adapter-tap-perl, liborcus, libosmo-netif, libt3config, libtirpc, linux-show-player, mailman-hyperkitty, mailman-suite, mailmanclient, muchsync, node-browser-stdout, node-crc32, node-deflate-js, node-get-func-name, node-ip-regex, node-json-parse-better-errors, node-katex, node-locate-path, node-uglifyjs-webpack-plugin, nq, nvidia-cuda-toolkit, openstack-meta-packages, osmo-ggsn, osmo-hlr, osmo-libasn1c, osmo-mgw, osmo-pcu, patman, peewee, postorius, pyasn1, pymediainfo, pyprind, pysmi, python-colour, python-defaults, python-django-channels, python-django-x509, python-ldap, python-quamash, python-ratelimiter, python-rebulk, python-trezor, python3-defaults, python3-stdlib-extensions, python3.6, python3.7, qscintilla2, range-v3, rawkit, remmina, reprotest, ruby-gettext-i18n-rails-js, ruby-webpack-rails, sacjava, sphinxcontrib-pecanwsme, unicode-cldr-core, wolfssl, writerperfect, xrdp & yoshimi.

I additionally filed 4 RC bugs against packages that had incomplete debian/copyright files: libtirpc, python-ldap, python-trezor & sphinxcontrib-pecanwsme.

Source: Planet Debian
