News

Freexian’s report about Debian Long Term Support, November 2016

December 16, 2016 by Raphaël Hertzog Leave a Comment

A Debian LTS logo Like each month, here comes a report about the work of paid contributors to Debian LTS.

Individual reports

In October, about 150 work hours have been dispatched among 14 paid contributors. Their reports are available:

Antoine Beaupré did 4 hours (out of 11 hours allocated, thus keeping 7 extra hours for December).
Balint Reczey did 11 hours.
Ben Hutchings did 9 hours (out of 11 hours allocated, thus keeping 2 extra hours for December).
Brian May did 11 hours.
Chris Lamb did 11 hours.
Emilio Pozuelo Monfort did 11 hours.
Guido Günther did 8 hours.
Hugo Lefeuvre did 11 hours.
Jonas Meurer did 12.75 hours (out of 11 hours allocated + 1.75 hours remaining).
Markus Koschany did 11 hours.
Ola Lundqvist did 11.75 hours (out of 11 hours allocated + 0.75 hours remaining).
Raphaël Hertzog did 11 hours.
Roberto C. Sanchez did 11 hours.
Thorsten Alteholz did 11 hours.

Evolution of the situation

The number of sponsored hours did not change this month and in fact we haven’t had any new sponsor since September. We still need a couple of supplementary sponsors to reach our objective of funding the equivalent of a full time position.

The security tracker currently lists 40 packages with a known CVE and the dla-needed.txt file 36. We don’t seem to really catch up the small backlog. The reasons are not clear but I noticed that there are a few packages that take a lot of time due to the number of issues found with fuzzers. We also handle many issues that the security team ends up classifying as not worth an update because we add the package to dla-needed.txt before the security team has done its review and nobody checks afterwards.

Thanks to our sponsors

New sponsors are in bold.

Platinum sponsors:

TOSHIBA (for 14 months)
GitHub (for 5 months)

Gold sponsors:

The Positive Internet (for 30 months)
Blablacar (for 29 months)
Linode LLC (for 19 months)
Babiel GmbH (for 8 months)
Plat’Home (for 8 months)

Silver sponsors:

Domeneshop AS (for 29 months)
Université Lille 3 (for 29 months)
Trollweb Solutions (for 27 months)
Nantes Métropole (for 23 months)
University of Luxembourg (for 21 months)
Dalenys (for 20 months)
Univention GmbH (for 15 months)
Université Jean Monnet de St Etienne (for 15 months)
Sonus Networks (for 9 months)
UR Communications BV (for 3 months)
maxcluster GmbH (for 3 months)

Bronze sponsors:

David Ayers – IntarS Austria (for 30 months)
Evolix (for 30 months)
Offensive Security (for 30 months)
Seznam.cz, a.s. (for 30 months)
Freeside Internet Service (for 29 months)
MyTux (for 29 months)
Linuxhotel GmbH (for 27 months)
Intevation GmbH (for 26 months)
Daevel SARL (for 25 months)
Bitfolk LTD (for 24 months)
Megaspace Internet Services GmbH (for 24 months)
Greenbone Networks GmbH (for 23 months)
NUMLOG (for 23 months)
WinGo AG (for 22 months)
Ecole Centrale de Nantes – LHEEA (for 19 months)
Sig-I/O (for 16 months)
Entr’ouvert (for 14 months)
Adfinis SyGroup AG (for 11 months)
Laboratoire LEGI – UMR 5519 / CNRS (for 6 months)
Quarantainenet BV (for 6 months)
GNI MEDIA (for 5 months)
RHX Srl (for 3 months)

My Free Software Activities in November 2016

December 2, 2016 by Raphaël Hertzog Leave a Comment

My monthly report covers a large part of what I have been doing in the free software world. I write it for my donors (thanks to them!) but also for the wider Debian community because it can give ideas to newcomers and it’s one of the best ways to find volunteers to work with me on projects that matter to me.

Debian LTS

In the 11 hours of (paid) work I had to do, I managed to release DLA-716-1 aka tiff 4.0.2-6+deb7u8 fixing CVE-2016-9273, CVE-2016-9297 and CVE-2016-9532. It looks like this package is currently getting new CVE every month.

Then I spent quite some time to review all the entries in dla-needed.txt. I wanted to get rid of some misleading/no longer applicable comments and at the same time help Olaf who was doing LTS frontdesk work for the first time. I ended up tagging quite a few issues as no-dsa (meaning that we will do nothing for them as they are not serious enough) such as those affecting dwarfutils, dokuwiki, irssi. I dropped libass since the open CVE is disputed and was triaged as unimportant. While doing this, I fixed a bug in the bin/review-update-needed script that we use to identify entries that have not made any progress lately.

Then I claimed libgc and and released DLA-721-1 aka libgc 1:7.1-9.1+deb7u1 fixing CVE-2016-9427. The patch was large and had to be manually backported as it was not applying cleanly.

The last thing I did was to test a new imagemagick and review the update prepared by Roberto.

pkg-security work

The pkg-security team is continuing its good work: I sponsored patator to get rid of a useless dependency on pycryptopp which was going to be removed from testing due to #841581. After looking at that bug, it turns out the bug was fixed in libcrypto++ 5.6.4-3 and I thus closed it.

I sponsored many uploads: polenum, acccheck, sucrack (minor updates), bbqsql (new package imported from Kali). A bit later I fixed some issues in the bbsql package that had been rejected from NEW.

I managed a few RC bugs related to the openssl 1.1 transition: I adopted sslsniff in the team and fixed #828557 by build-depending on libssl1.0-dev after having opened the proper upstream ticket. I did the same for ncrack and #844303 (upstream ticket here). Someone else took care of samdump2 but I still adopted the package in the pkg-security team as it is a security relevant package. I also made an NMU for axel and #829452 (it’s not pkg-security related but we still use it in Kali).

Misc Debian work

Django. I participated in the discussion about a change letting Django count the number of developers that use it. Such a change has privacy implications and the discussion sparked quite some interest both in Debian mailing lists and up to LWN.

On a more technical level, I uploaded version 1.8.16-1~bpo8+1 to jessie-backports (security release) and I fixed RC bug #844139 by backporting two upstream commits. This led to the 1.10.3-2 upload. I ensured that this was fixed in the 1.10.x upstream branch too.

dpkg and merged /usr. While reading debian-devel, I discovered dpkg bug #843073 that was threatening the merged-/usr feature. Since the bug was in code that I wrote a few years ago, and since Guillem was not interested in fixing it, I spent an hour to craft a relatively clean patch that Guillem could apply. Unfortunately, Guillem did not yet manage to pull out a new dpkg release with the patches applied. Hopefully it won’t be too long until this happens.

Debian Live. I closed #844332 which was a request to remove live-build from Debian. While it was marked as orphaned, I was always keeping an eye on it and have been pushing small fixes to git. This time I decided to officially adopt the package within the debian-live team and work a bit more on it. I reviewed all pending patches in the BTS and pushed many changes to git. I still have some pending changes to finish to prettify the Grub menu but I plan to upload a new version really soon now.

Misc bugs filed. I filed two upstream tickets on uwsgi to help fix currently open RC bugs on the package. I filed #844583 on sbuild to support arbitrary version suffix for binary rebuild (binNMU). And I filed #845741 on xserver-xorg-video-qxl to get it fixed for the xorg 1.19 transition.

Zim. While trying to fix #834405 and update the required dependencies, I discovered that I had to update pygtkspellcheck first. Unfortunately, its package maintainer was MIA (missing in action) so I adopted it first as part of the python-modules team.

Distro Tracker. I fixed a small bug that resulted in an ugly traceback when we got queries with a non-ASCII HTTP_REFERER.

Thanks

See you next month for a new summary of my activities.

Freexian’s report about Debian Long Term Support, October 2016

November 14, 2016 by Raphaël Hertzog

A Debian LTS logo Like each month, here comes a report about the work of paid contributors to Debian LTS.

Individual reports

In October, about 175 work hours have been dispatched among 14 paid contributors. Their reports are available:

Antoine Beaupré did 13 hours.
Balint Reczey did 7 hours (out of 13 hours allocated + 4.5 remaining, the extra hours have been given back).
Ben Hutchings did 13.75 hours (out of 13 hours allocated + 0.75 remaining).
Brian May did 13 hours.
Chris Lamb did 13 hours.
Emilio Pozuelo Monfort did 13 hours.
Guido Günther did 9 hours (out of 8h allocated + 1h remaining).
Hugo Lefeuvre did 12 hours.
Jonas Meurer did 10.25 hours (out of 12 hours allocated, thus keeping 1.75 extra hours for November).
Markus Koschany did 13 hours.
Ola Lundqvist did 13.5 hours (out of 13 hours assigned + 1.25 remaining, thus keeping 0.75 extra hours).
Raphaël Hertzog did 13 hours.
Roberto C. Sanchez did 14.75 hours (out of 13h allocated + 1.75h remaining).
Thorsten Alteholz did 13 hours.

Evolution of the situation

The number of sponsored hours did not change this month. We still need a couple of supplementary sponsors to reach our objective of funding the equivalent of a full time position.

The security tracker currently lists 34 packages with a known CVE and the dla-needed.txt file 29. The situation improved slightly compared to last month.

Thanks to our sponsors

New sponsors are in bold.

Platinum sponsors:

TOSHIBA (for 13 months)
GitHub (for 4 months)

Gold sponsors:

The Positive Internet (for 29 months)
Blablacar (for 28 months)
Linode LLC (for 18 months)
Babiel GmbH (for 7 months)
Plat’Home (for 7 months)
UR Communications BV

Silver sponsors:

Domeneshop AS (for 28 months)
Université Lille 3 (for 28 months)
Trollweb Solutions (for 26 months)
Nantes Métropole (for 22 months)
University of Luxembourg (for 20 months)
Dalenys (for 19 months)
Univention GmbH (for 14 months)
Université Jean Monnet de St Etienne (for 14 months)
Sonus Networks (for 8 months)
maxcluster GmbH

Bronze sponsors:

David Ayers – IntarS Austria (for 29 months)
Evolix (for 29 months)
Offensive Security (for 29 months)
Seznam.cz, a.s. (for 29 months)
Freeside Internet Service (for 28 months)
MyTux (for 28 months)
Linuxhotel GmbH (for 26 months)
Intevation GmbH (for 25 months)
Daevel SARL (for 24 months)
Bitfolk LTD (for 23 months)
Megaspace Internet Services GmbH (for 23 months)
Greenbone Networks GmbH (for 22 months)
NUMLOG (for 22 months)
WinGo AG (for 21 months)
Ecole Centrale de Nantes – LHEEA (for 18 months)
Sig-I/O (for 15 months)
Entr’ouvert (for 13 months)
Adfinis SyGroup AG (for 10 months)
Laboratoire LEGI – UMR 5519 / CNRS (for 5 months)
Quarantainenet BV (for 5 months)
GNI MEDIA (for 4 months)
RHX Srl

My Free Software Activities in October 2016

November 2, 2016 by Raphaël Hertzog

Debian LTS

Last month I started to work on tiff3 but had not enough time to complete an update, it turns out the issues were hairy enough that nobody else picked up the package. So this month I started again with tiff3 and tiff and I ended up spending my 13h on those two packages.

I filed bugs for issues that were not yet reported to the BTS (#842361 for CVE-2016-5652, #842046 for CVE-2016-5319/CVE-2016-3633/CVE-2015-8668). I marked many CVE as not affecting tiff3 as this source package does not ship the tools (the “tiff” source package does).

Since upstream decided to drop many tools instead of fixing the corresponding security issues, I opted to remove the tools as well. Before doing this, I looked up reverse dependencies of libtiff-tools to ensure that none of the tools removed are used by other packages (the maintainer seems to agree too).

I backported upstream patches for CVE-2016-6223 and CVE-2016-5652.

But the bulk of the time, I spent on CVE-2014-8128, CVE-2015-7554 and CVE-2016-5318. I believe they are all variants of the same problem and upstream seems to agree since he opened a sort of meta-bug to track them. I took inspiration from a patch suggested in ticket #2499 and generalized it a bit by trying to add the tag data for all tags manipulated by the various tools. It was a tiresome process as there are many tags used in multiple places. But in the end, it works as expected. I can no longer reproduce any of the segfaults with the problematic files.

I asked for review/test on the mailing list but did not get much feedback. I’m going to upload the updated packages soon.

Distro Tracker

I noticed a sudden raise in the number of email addresses being automatically unsubscribed from the Debian Package Tracker and I got a few request of bounces. It turns out the BTS has been relaying lots of spam with executables files and those are bounced by Google (and not silently discarded). This is all very unfortunate… the spam flood is unlikely to stop soon and I can’t expect Google to change either, so I had little choice except trying to make the bounce handler smarter. That’s what I did: I have a list of regular expression that will discard a bounce. In other words, once matched the bounce won’t count towards the limit that triggers the automatic unsubscription.

Misc Debian work

Bugs filed. In #839403, I suggest the possibility to set the default pin priority for a source in the sources.list file directly. In #840436 I ask the selenium-firefoxdriver maintainer to do what is required to get this non-free package auto-built.

Packaging. I sponsored puppet-lint 2.0.2-0.1 and I reviewed the rozofs package (wihch I just sponsored into experimental for a start).

Publicity. I’m maintaining the Debian account on Twitter and Facebook. I have been using twitterfeed.com up to now but it’s closing down. I followed their recommendations and switched to dlvr.it to automatically post entries out of the micronews.debian.org feed. In #841165, I reported that the chroots created by sbuild-createchroot are lacking the usual IPv6 entries created by netbase. In #841503, I report a very common cryptsetup upgrade failure that I saw multiple times (both in Debian and in Kali).

Thanks

See you next month for a new summary of my activities.

Individual reports

Evolution of the situation

Thanks to our sponsors

Debian LTS

pkg-security work

Misc Debian work

Thanks

Individual reports

Evolution of the situation

Thanks to our sponsors

Debian LTS

Distro Tracker

Misc Debian work

Thanks

Tags

Recent Posts