apt-get install debian-wizard

Insider infos, master your Debian/Ubuntu distribution

You are here: Home / Archives for Raphaël Hertzog

My Free Software Activities in March 2015

by

My monthly report covers a large part of what I have been doing in the free software world. I write it for my donators (thanks to them!) but also for the wider Debian community because it can give ideas to newcomers and it’s one of the best ways to find volunteers to work with me on projects that matter to me.

Debian LTS

This month I have been paid to work 15.25 hours on Debian LTS. In that time I did the following:

  • CVE triage: I pushed 37 commits to the security tracker and contacted 20 maintainers about security issues affecting their packages.
  • I started a small helper script based on the new JSON output of the security tracker (see #761859 for details). It’s not ready yet but will make it easier to detect issues where the LTS team lags behind the security team, and other divergences like this and will speed up future CVE triage work (once done).
  • I sent DLA-174-1 (tcpdump update fixing 3 CVE) after having received a debdiff from the Romain Françoise.
  • I prepared DLA-175-1 on gnupg, fixing 3 CVE.
  • I prepared DLA-180-1 on gnutls26, fixing 3 CVE.

That’s it for the paid work. But still about LTS, I proposed two events for Debconf 15:

A Debian LTS logoIn my last Freexian LTS report, I mentioned briefly that it would be nice to have a logo for the LTS project. Shortly after I got a first logo prepared by Damien Escoffier and a few more followed: they are available on a wiki page (and the logo you see above is from him!). Following a suggestion of Paul Wise, I registered the logo request on another wiki page dedicated to artwork requests. That kind of collaboration is awesome! Thanks to all the artists involved in Debian.

Debian packaging

Django. This month has seen no less than 3 upstream point releases packaged for Debian (1.7.5, 1.7.6 and 1.7.7) and they have been accepted by the release team into Jessie. I’m pleased with this tolerance as I have argued the case for it multiple times in the past given the sane upstream release policy (bugfix only in a given released branch).

Python code analysis. I discovered a few months ago a tool combining the power of multiple Python code analysis tools: it’s prospector. I just filed a “Request for Package” for it (see #781165) and someone already volunteered to package it, yay \o/

update-rc.d and systemd. While working on a Kali version based on Jessie, I got hit by what boils down to a poor interaction between systemd and update-rc.d (see #746580) and after some exchanges with other affected users I raised the severity to serious as we really ought to do something about it before release. I also opened #781155 on openbsd-inetd as its usage of inetd.service instead of openbsd-inetd.service (which is only provided as a symlink to the former) leads to multiple small issues.

Misc

Debian France. The general assembly is over and the new board elected its new president: it’s now official, I’m no longer Debian France’s president. Good luck to Nicolas Dandrimont who took on this responsibility.

Salt’s openssh formula. I improved salt’s openssh formula to make it possible to manage the /etc/ssh/ssh_known_hosts file referencing the public SSH keys of other managed minions.

Tendenci.com. I was looking for a free software solution to handle membership management of a large NPO and I discovered Tendenci. It looked very interesting feature wise and written with a language/framework that I enjoy (Python/Django). But while it’s free software, there’s no community at all. The company that wrote it released it under a free software license and it really looks like that they did intend to build a community but they failed at it. When I looked their “development forums” were web-based and mostly empty with only initial discussion of the current developers and no reply from anybody… there’s also no mention of an IRC channel or a mailing list. I sent them a mail to see what kind of collaboration we could expect if we opted for their software and got no reply. A pity, really.

What free software membership management solution would you use when you have more than 10000 members to handle and when you want to use the underlying database to offer SSO authentication to multiple external services?

Thanks

See you next month for a new summary of my activities.

Freexian’s report about Debian Long Term Support, February 2015

by

Like each month, here comes a report about the work of paid contributors to Debian LTS.

Individual reports

In February, 58 work hours have been equally split among 4 paid contributors. Their reports are available:

Evolution of the situation

During the last month, we gained 3 paid work hours: we’re now at 61 hours per month sponsored by 28 organizations and we have one supplementary sponsor in the pipe that should bring 4 more hours.

The increase is not very quick but seems to be steady. Hopefully at some point, we will have enough resources to do a more exhaustive job. For now, the paid contributors handle in priority the most popular packages used by the sponsors and there are some packages in the end of the queue which have open security issues for months already (example: CVE-2012-6685 on libnokogiri-ruby).

So, as usual, we are looking for more sponsors.

In terms of security updates waiting to be handled, the situation looks a little bit worse than last month: the dla-needed.txt file lists 40 packages awaiting an update (3 more than last month), the list of open vulnerabilities in Squeeze shows about 58 affected packages in total (5 less than last month). We are getting a bit more effective with CVE triage.

A logo for the LTS project?

Every time that I write an LTS report, I remember that it would be nice if my LTS related articles could feature a nice picture/logo that reminds people of the LTS team/initiative. Is there anyone up for the challenge of creating that logo? 🙂

Thanks to our sponsors

The new sponsors of the month are in bold.

My Free Software Activities in February 2015

by

My monthly report covers a large part of what I have been doing in the free software world. I write it for my donators (thanks to them!) but also for the wider Debian community because it can give ideas to newcomers and it’s one of the best ways to find volunteers to work with me on projects that matter to me.

Debian LTS

This month I have been paid to work 14.5 hours on Debian LTS. I worked mostly on CVE triage (41 commits in the security tracker) and organizational issues. One maintainer complained that he had not been kept in the loop for an LTS update of his package. After some discussion, I decided to change the way I did CVE triage so that any time that I add a package to our list of packages needing an update, I also send a mail to the maintainer, thus offering him the opportunity to step in.

To make this sustainable, I wrote a small helper script that will generate a mail out of a template. And to kickstart the process I mailed all maintainers of packages that were already listed in our queue of packages to update.

To improve the email generated, I requested a JSON export of the security tracker data (see discussions in #761859). In the mean time, Holger worked on this already and after a few iterations we did converge on an output format that will be really useful both for my needs in terms of CVE triage but also for the Package Tracker to be able to display the list of security vulnerabilities affecting each release (see #761730).

Last but not least, I don’t want to be the only one doing CVE triage for our LTS release so I documented the process in our wiki page.

As a side note, I sponsored an e2fsprogs update prepared by Nguyen Cong and I sent the DLA for the embargoed samba update that had been prepared by Ivo de Decker (thanks to both of them!).

Tryton

Like last month, I invested again a copious amount of time on Tryton, fixing some bugs that were affecting me and improving the French chart of accounts to properly manage purchases and sales within the European Union. Here are some links for more details:

Debian

I did some work on Distro Tracker, I fixed #777453 (password reset not working because the generated email was using an invalid From email) and #779247 (obsolete build reproducibility action items were not dropped). I also started to work on restructuring the mail handling in distro-tracker (cf #754913) but it’s not public yet.

While I have no plans to stop contributing to Debian (it’s part of my day job!), I reduced my non-work related involvement by officially recognizing that I was no longer properly assuming some of my responsibilities and that I was following too many mailing lists and RSS feeds. The most notable changes are that I removed myself from the maintenance of dpkg, developers-reference, quilt, sql-ledger, and a few perl/python modules.

Misc

Voting software. Part of the reason why I’m reducing my involvement in Debian is that I got more involved in Nouvelle Donne (a French political party) and in particular in the handling of its digital infrastructure (currently running on Ubuntu, doh!). As part of this, I was looking for free software to handle secure votes and elections (and if possible adhering to the principles of liquid democracy). There’s no perfect solution and no clear winner.

That said I started following the evolution of AgoraVoting because it seems to have a good momentum and has some interesting features (it already supports votes with ranked choices, supports good crypto, has been used for elections involving large numbers of voters in the context of Podemos in Spain). But it still has some ways to go to establish itself as a truly international and community-backed project.

GDM bug. Due to my work on Kali, I filed a bug against GDM (this one has been quickly fixed upstream, it’s still open in Debian) and another one against accountsservice to request the possibility to define the default graphical session.

Dirvish formula for Salt. I contributed another formula to manage backups with dirvish.

Thanks

See you next month for a new summary of my activities.

Freexian’s report about Debian Long Term Support, January 2015

by

Like each month, here comes a report about the work of paid contributors to Debian LTS.

Individual reports

In January, 48 work hours have been equally split among 4 paid contributors. Their reports are available:

Evolution of the situation

During the last month, the number of paid work hours has made a noticeable jump: we’re now at 58 hours per month. At this rate, we would need 3 more months to reach our minimal goal of funding the equivalent of a half-time position. Unfortunately, the number of new sponsors actually in the process is not likely to be enough to have a similar raise next month.

So, as usual, we are looking for more sponsors.

In terms of security updates waiting to be handled, the situation looks a bit worse than last month: the dla-needed.txt file lists 37 packages awaiting an update (7 more than last month), the list of open vulnerabilities in Squeeze shows about 63 affected packages in total (7 more than last month).

The increase is not too worrying, but the waiting time before an issue is dealt with is sometimes more problematic. To be able to deal with all incoming issues in a timely manner, the LTS team needs more resources: some months will have more issues than usual, some issues will be longer to handle than others, etc.

Thanks to our sponsors

The new sponsors of the month are in bold.

Tags

3.0 (quilt) Activity summary APT aptitude Blog Book Cleanup conffile Contributing CUT d-i Debconf Debian Debian France Debian Handbook Debian Live Distro Tracker dpkg dpkg-source Flattr Flattr FOSS Freexian Funding Git GNOME GSOC HOWTO Interview LTS Me Multiarch nautilus-dropbox News Packaging pkg-security Programming PTS publican python-django Reference release rolling synaptic Ubuntu WordPress

Recent Posts