News

Freexian’s report about Debian Long Term Support, January 2017

February 13, 2017 by Raphaël Hertzog Leave a Comment

A Debian LTS logo Like each month, here comes a report about the work of paid contributors to Debian LTS.

Individual reports

In January, about 159 work hours have been dispatched among 13 paid contributors. Their reports are available:

Antoine Beaupré did 12.75 hours.
Balint Reczey did 14 hours (out of 12.75 hours allocated + 2.5 hours remaining, thus keeping 1.25 hours for February).
Ben Hutchings did 3 hours (out of 12.75 hours allocated + 5.5 hours remaining, thus keeping 15.25 extra hours for February).
Chris Lamb did 12.75 hours.
Emilio Pozuelo Monfort did 15.25 hours (out of 12.75 hours allocated + 2.5 hours remaining).
Guido Günther did 8 hours.
Hugo Lefeuvre did 15.25 hours (out of 12.75 hours allocated + 2.5 hours remaining).
Jonas Meurer did 9 hours (out of 12 hours allocated + 6.75 hours remaining, thus keeping 9.75 extra hours for February).
Markus Koschany did 12.75 hours.
Ola Lundqvist did 12.75 hours.
Raphaël Hertzog did 10 hours.
Roberto C. Sanchez did 12.5 hours (out of 12.75 hours allocated, thus keeping 0.25 hours for February).
Thorsten Alteholz did 12.75 hours.

Evolution of the situation

The number of sponsored hours increased slightly thanks to Exonet joining us.

The security tracker currently lists 37 packages with a known CVE and the dla-needed.txt file 36. The situation is roughly similar to last month even though the number of open issues increased slightly.

Thanks to our sponsors

New sponsors are in bold.

Platinum sponsors:

TOSHIBA (for 16 months)
GitHub (for 7 months)

Gold sponsors:

The Positive Internet (for 32 months)
Blablacar (for 31 months)
Linode LLC (for 21 months)
Babiel GmbH (for 10 months)
Plat’Home (for 10 months)

Silver sponsors:

Domeneshop AS (for 31 months)
Université Lille 3 (for 31 months)
Trollweb Solutions (for 29 months)
Nantes Métropole (for 25 months)
University of Luxembourg (for 23 months)
Dalenys (for 22 months)
Univention GmbH (for 17 months)
Université Jean Monnet de St Etienne (for 17 months)
Sonus Networks (for 11 months)
UR Communications BV (for 5 months)
maxcluster GmbH (for 5 months)
Exonet B.V.

Bronze sponsors:

David Ayers – IntarS Austria (for 32 months)
Evolix (for 32 months)
Offensive Security (for 32 months)
Seznam.cz, a.s. (for 32 months)
Freeside Internet Service (for 31 months)
MyTux (for 31 months)
Linuxhotel GmbH (for 29 months)
Intevation GmbH (for 28 months)
Daevel SARL (for 27 months)
Bitfolk LTD (for 26 months)
Megaspace Internet Services GmbH (for 26 months)
Greenbone Networks GmbH (for 25 months)
NUMLOG (for 25 months)
WinGo AG (for 24 months)
Ecole Centrale de Nantes – LHEEA (for 21 months)
Sig-I/O (for 18 months)
Entr’ouvert (for 16 months)
Adfinis SyGroup AG (for 13 months)
Laboratoire LEGI – UMR 5519 / CNRS (for 8 months)
Quarantainenet BV (for 8 months)
GNI MEDIA (for 7 months)
RHX Srl (for 5 months)

My Free Software Activities in January 2017

January 31, 2017 by Raphaël Hertzog Leave a Comment

My monthly report covers a large part of what I have been doing in the free software world. I write it for my donors (thanks to them!) but also for the wider Debian community because it can give ideas to newcomers and it’s one of the best ways to find volunteers to work with me on projects that matter to me.

Debian LTS

I was allocated 10 hours to work on security updates for Debian 7 Wheezy. During this time I did the following:

I reviewed multiple CVE affecting ntp and opted to mark them no-dsa (just like what has been done for jessie).
I pinged upstream authors of jbig2dec (here) and XML::Twig (by private email) where the upstream report had not gotten any upstream reply yet.
I asked on oss-security for more details about CVE-2016-9584 because it was not clear whether it had already been reported upstream. Turns out that it was. I then updated the security tracker accordingly.
Once I got a reply on jbig2dec, I started to backport the patch pointed out by upstream, it was hard work. When I was done, I had also received by private email the fuzzed file at the origin of the report… unfortunately that file did not trigger the same problem with the old jbig2dec version in wheezy. That said valgrind still identified read outside of allocated memory. At this point I had a closer look at the git history only to discover that the last 3 years of work consisted mainly of security fixes for similar cases that were never reported to CVE. I thus opened a discussion about how to handle this situation.
Matthias Geerdsen reported in #852610 a regression in libtiff4. I confirmed the problem and spent multiple hours to come up with a fix. The patch that introduced the regression was Debian-specific as upstream did not fix those issues yet. I released a fixed package in DLA-610-2.

Debian packaging

With the deep freeze approaching, I made some last-minute updates:

schroot 1.6.10-3 fixing some long-standing issues with the way bind mounts are shared (#761435) and other important fixes.
live-boot 1:20170112 to fix a failure when booting on a FAT filesystem and other small fixes.
live-config 5.20170112 merging useful patches from the BTS.
I finished the update of hashcat 3.30 with its new private library and fixed RC bug #851497 at the same time. The work was initiated by fellow members of the pkg-security team.

Misc work

Sponsorship. I sponsored a new asciidoc upload demoting a dependency into a recommends (#850301). I sponsored a new upstream version of dolibarr.

Discussions. I seconded quite a few changes prepared by Russ Allbery on debian-policy. I helped Scott Kitterman with #849584 about a misunderstanding of how the postfix service files are supposed to work. I discussed in #849913 about a regression in building of cross-compilers, and made a patch to avoid the problem. In the end, Guillem developed a better fix.

Bugs. I investigated #850236 where a django test failed during the first week after each leap year. I filed #853224 on desktop-base about multiple small problems in the maintainer scripts.

Thanks

See you next month for a new summary of my activities.

Freexian’s report about Debian Long Term Support, December 2016

January 16, 2017 by Raphaël Hertzog

A Debian LTS logo Like each month, here comes a report about the work of paid contributors to Debian LTS.

Individual reports

In December, about 175 work hours have been dispatched among 14 paid contributors. Their reports are available:

Antoine Beaupré did 20.5 hours (out of 13.5 hours allocated + 7 remaining hours).
Balint Reczey did 10 hours (out of 13.5 hours allocated, thus keeping 2.5 hours for January).
Ben Hutchings did 10 hours (out of 13.5 hours allocated + 2 hours remaining, thus keeping 5.5 extra hours for January).
Brian May did 10 hours.
Chris Lamb did 13.5 hours.
Emilio Pozuelo Monfort did 11 hours (out of 13.5 hours allocated, thus keeping 2.5 extra hours for January).
Guido Günther did 8 hours.
Hugo Lefeuvre did 11 hours (out of 13.5 hours allocated, thus keeping 2.5 extra hours for January).
Jonas Meurer did 5.25 hours (out of 12 hours allocated, thus keeping 6.75 extra hours for January).
Markus Koschany did 13.5 hours.
Ola Lundqvist did 13.5 hours.
Raphaël Hertzog did 10 hours.
Roberto C. Sanchez did 13.5 hours.
Thorsten Alteholz did 13.5 hours.

Evolution of the situation

The number of sponsored hours did not increase but a new silver sponsor is in the process of joining. We are only missing another silver sponsor (or two to four bronze sponsors) to reach our objective of funding the equivalent of a full time position.

The security tracker currently lists 31 packages with a known CVE and the dla-needed.txt file 27. The situation improved a little bit compared to last month.

Thanks to our sponsors

New sponsors are in bold.

Platinum sponsors:

TOSHIBA (for 14 months)
GitHub (for 5 months)

Gold sponsors:

The Positive Internet (for 30 months)
Blablacar (for 29 months)
Linode LLC (for 19 months)
Babiel GmbH (for 8 months)
Plat’Home (for 8 months)

Silver sponsors:

Domeneshop AS (for 29 months)
Université Lille 3 (for 29 months)
Trollweb Solutions (for 27 months)
Nantes Métropole (for 23 months)
University of Luxembourg (for 21 months)
Dalenys (for 20 months)
Univention GmbH (for 15 months)
Université Jean Monnet de St Etienne (for 15 months)
Sonus Networks (for 9 months)
UR Communications BV (for 3 months)
maxcluster GmbH (for 3 months)

Bronze sponsors:

David Ayers – IntarS Austria (for 30 months)
Evolix (for 30 months)
Offensive Security (for 30 months)
Seznam.cz, a.s. (for 30 months)
Freeside Internet Service (for 29 months)
MyTux (for 29 months)
Linuxhotel GmbH (for 27 months)
Intevation GmbH (for 26 months)
Daevel SARL (for 25 months)
Bitfolk LTD (for 24 months)
Megaspace Internet Services GmbH (for 24 months)
Greenbone Networks GmbH (for 23 months)
NUMLOG (for 23 months)
WinGo AG (for 22 months)
Ecole Centrale de Nantes – LHEEA (for 19 months)
Sig-I/O (for 16 months)
Entr’ouvert (for 14 months)
Adfinis SyGroup AG (for 11 months)
Laboratoire LEGI – UMR 5519 / CNRS (for 6 months)
Quarantainenet BV (for 6 months)
GNI MEDIA (for 5 months)
RHX Srl (for 3 months)

My Free Software Activities in December 2016

January 4, 2017 by Raphaël Hertzog

Debian LTS

I was allocated 10 hours to work on security updates for Debian 7 Wheezy. During this time I did the following:

I released DLA-741-1 on unzip. This was an easy update.
I reviewed Roberto Sanchez’s patch for CVE-2014-9911 in ICU.
I released DLA-759-1 on nss in collaboration with Antoine Beaupré. I merged and updated Guido’s work to enable the testsuite during build and to add DEP-8 tests.
I created a git repository for php5 maintenance in Debian LTS and started to work on an update. I added patches for two CVE (CVE-2016-3141, CVE-2016-2554) and added some binary files required by (currently failing) tests.

Misc packaging

With the strong freeze approaching, I had some customer requests to push packages into Debian and/or to fix packages that were in danger of being removed from stretch.

While trying to bring back uwsgi into testing I filed #847095 (libmongoclient-dev: Should not conflict with transitional mongodb-dev) and #847207 (uwsgi: FTBFS on multiple architectures with undefined references to uwsgi_* symbols) and interacted on some of the RC bugs that were keeping the package out of testing.

I also worked on a few new packages (lua-trink-cjson, lua-inotify, lua-sandbox-extensions) that enhance hindsight in some use cases and sponsored a rozofs update in experimental to fix a file conflict with inn2 (#846571).

Misc Debian work

Debian Live. I released two live-build updates. The second update added more options to customize the grub configuration (we use it in Kali to override the theme and add more menu entries) both for EFI boot and normal boot.

Misc bugreports. #846569 on libsnmp-dev to accomodate the libssl transition (I noticed the package was not maintained, I asked for new maintainers on debian-devel). #847168 on devscripts for debuild that started failing when lintian was failing (unexpected regression). #847318 on lintian to not emit spurious errors for kali packages (which was annoying with the debuild regression above). #847436 for an upgrade problem I got with tryton-server. #847223 on firefoxdriver as it was still depending on iceweasel instead of firefox.

Sponsorship. I sponsored a new version of asciidoc (#831965) and of ssldump 0.9b3-6 (for libssl transition). I also uploaded a new version of mutter to fix #846898 (it was ready in SVN already).

Distro Tracker

Not much happening, I fixed #814315 by switching a few remaining URLs to https. I merged patches from efkin to fix the functional test suite (#814315), that was a really useful contribution! The same contributer started to tackle another ticket (#824912) about adding an API to retrieve action items. This is a larger project and needs some thoughts. I still have to respond to him on his latest patches (after two rounds already).

Misc stuff

I updated the letsencrypt-sh salt formula for version 0.3.0 and added the possibility to customize the hook script to reload the webserver.

The @planetdebian twitter account is no longer working since twitterfeed.com closed doors and the replacement (dlvr.it) is unhappy about the RSS feed of planet.debian.org. I filed bug #848123 against planet-venus since it does not preserve the isPermalink attribute in the guid tag

Thanks

See you next month for a new summary of my activities.

Individual reports

Evolution of the situation

Thanks to our sponsors

Debian LTS

Debian packaging

Misc work

Thanks

Individual reports

Evolution of the situation

Thanks to our sponsors

Debian LTS

Misc packaging

Misc Debian work

Distro Tracker

Misc stuff

Thanks

Tags

Recent Posts