Working as a paid LTS contributor

A Debian LTS logoWhile the details about how to join the set of paid contributors have always been public (here) we did not advertise this fact very much outside of the people already interested in LTS (and thus subscribed to But right now we would like to have a few more paid contributors on board and I’m thus posting this call for volunteers.

Who can apply?

You need to meet those requirements:

  • you are Debian Developer or a Debian Maintainer;
  • you have some prior experience with providing security updates in Debian (at least on your own packages);
  • you have good programming skills and know multiple languages (to be able to backport security fixes);
  • you can emit invoices to Freexian;
  • you accept the rules defined for this project:
    • you must respect the privacy of any customer data;
    • you must prepare a public monthly report of the work done on paid time;
    • you must respect the Debian code of conduct and respond to queries about your work from fellow community members;
    • you must do your best to meet the high-quality standards set by the Debian security team.

Even though Freexian is located in France and requires you to provide invoice in EUR, there are no conditions on your nationality or country of residence. For contributors outside of the Euro zone, Freexian is using Transferwise to pay them with minimal currency conversion costs (Paypal is also possible if nothing else works).

The rate offered to paid contributors is the same for all (75 EUR/hour), it’s based on a correct rate for independent contractors in western Europe. If the rate is very high for your own country, then be happy to be able to invoice Freexian at this rate and use this opportunity to work less (for money) and contribute more to Debian on your (now copious) free time.

How does the work look like?

If you apply, you will have to send us an SSH key so that you can have access to the internal git repository used for work. It contains a ledger file to track the hours funded by sponsors and how they have been dispatched to the various contributors. You can always know how many hours are assigned to you, how many can be invoiced, and so on. You will have to update it once a month to record the work you did (and indicate us where the report has been published).

The repository also contains a README with many explanations about the workflow (how hours are dispatched, the delay you have to publish your report, etc) and a small helper script (./find-work) to match up the pending updates (registered in dla-needed.txt) with the popularity of the package among the sponsors.

Now the work itself is relatively well documented in the LTS wiki. You will have to provide updates for packages that need an update.

You have some freedom in selecting the packages but at some point you will have to work on packages that you don’t know that are written in a language that you have almost not used. So you must be able to go out of your comfort zone and still do a good work. You must also be able to multi-task because in some cases you will get stuck on a particular update and you will have to seek help from the upstream developer (or from the Debian package maintainer). Don’t expect to be able to do all your work hours in a single run… thus don’t wait until the last days of the month. Start early and dispatch your work hours over the month.

From time to time, you will also have to handle the “LTS frontdesk” for one week. During this week, you need to spend a bit of time every day to triage the new CVE, to respond to questions on the mailing list, and to sponsor updates prepared by volunteers who do not have upload rights.


Ask your questions in the comments and I will update this section with your questions and our answers.

What if I have no prior experience with security updates?

Start getting some experience. The LTS and security teams are open for anyone to join. Read their documentation and provide some updates that other contributors can sponsor.

Before accepting you as paid contributor, we generally ask you to prepare one or two DLA on your free time just to make sure that you know the workflow and that you are up to the task.

What if I have only X hours available for paid LTS work?

In the git repository there’s a file where you document how many work hours you can handle. You might get less than this amount, but we generally never assign less than 8 hours (to make sure that you can handle one complicated update from start to end, or your possible week of LTS frontdesk).

You can adjust it each month or even opt-out if you are not available for whatever reason. But once you have been assigned work hours, it’s important to actually do the work that you requested!

How do I apply?

Get in touch with me (as documented).

Freexian’s report about Debian Long Term Support, December 2015

A Debian LTS logoLike each month, here comes a report about the work of paid contributors to Debian LTS.

Individual reports

In December, 113.50 work hours have been dispatched among 9 paid contributors. Their reports are available:

  • Antoine Beaupré did 8h for his first month of work on LTS.
  • Ben Hutchings did 20 hours (out of 15 hours allocated + 15 extra hours remaining, meaning that he has 10 extra hours to do over January).
  • Chris Lamb did 12 hours.
  • Guido Günther did 9 hours (out of 8 hours allocated + 2 remaining, thus keeping 1 extra hour for January).
  • Mike Gabriel did nothing (the 8 hours allocated are carried over for January).
  • Raphaël Hertzog did 21.25 hours (18h allocated + 3.25h taken over from Mike’s unused hours of November).
  • Santiago Ruano Rincón did 15 hours (out of 18.25h allocated + 2 remaining + 3.25 taken over from Mike’s unused hours of November, thus keeping 8.50 extra hours for January).
  • Scott Kitterman did 8 hours.
  • Thorsten Alteholz did 21.25 hours (out of 18.25h allocated + 3 hours taken over from Mike’s unused hours of November).

Evolution of the situation

We lost our first silver sponsor (, they prefer to give the same amount of money to Debian directly) and another sponsor reduced his sponsorship level. While this won’t show in the hours dispatched in January, we will do a small jump backwards in February (unless we get new sponsors replacing those in the next 3 weeks).

This is a bit unfortunate as we are rather looking at reinforcing the amount of sponsorship we get as we approach Wheezy LTS and we will need more support to properly support virtualization related packages and other packages that were formerly excluded from Squeeze LTS. Can you convince your company and help us reach our second goal?

In terms of security updates waiting to be handled, the situation is close to last month. It looks like that having about 20 packages needing an update is the normal situation and that we can’t really get further down given the time required to process some updates (sometimes we wait until the upstream authors provides a patch, and so on).

Thanks to our sponsors

We got one new bronze sponsor but he’s not listed (he did not fill the form where we request their permission to be listed).

My Free Software Activities in December 2015

My monthly report covers a large part of what I have been doing in the free software world. I write it for my donators (thanks to them!) but also for the wider Debian community because it can give ideas to newcomers and it’s one of the best ways to find volunteers to work with me on projects that matter to me.

Debian LTS

This month I have been paid to work 21.25 hours on Debian LTS. During this time I worked on the following things:

  • Sent a first patch and later an updated patch to modify DAK so that it can send the accept/reject mails to the signer of the upload instead of the maintainer. Details in #796784.
  • Uploaded MySQL 5.5 compabitility fixes for phpmyadmin and postfix-policyd so that we could release MySQL 5.5 as an upgrade option MySQL 5.1 (see DLA 359-1).
  • Released DLA 361-1 on bouncycastle after having gotten the green light from upstream.
  • Released DLA 362-1 on dhcpd fixing three CVE.
  • Released DLA 366-1 on arts fixing one CVE.
  • Released DLA 367-1 on kdelibs fixing one CVE.
  • Handled the LTS frontdesk for a whole week.
  • Sponsored the upload of foomatic-filters for DLA 371-1.
  • Filed #808256 and #808257 to get libnsbmp/libnsgif removed. Both packages had recent CVE and were sitting unused in Debian since their introduction 6 years ago…
  • Released DLA 372-1 announcing the end of support of virtualbox-ose.
  • Updated git repository of debian-security-support to account for the former change and also took care of a few pending issues.
  • Released DLA 376-1 on mono to fix one CVE.
  • Added some initial DEP-8 tests to python-django that will help to ensure that a security update doesn’t break the package.

Distro Tracker

I put a big focus on work this month. I completed the switch of the mail interface from to and I announced the change on debian-devel-announce.

The changes resulted in a few problems that I quickly fixed (like #807073) and some other failures seen only by me and that were generated by weird spam messages (did you know that a subject can’t have a newline character but that it can be encoded and folded over multiple lines?).

Related to that I fixed some services so that they send their mails to directly instead of relying on the old emails (they get forwarded for now but it would be nice to be able to get rid of that forward). I updated (with the help of Lucas Nussbaum) the service that forwards the Launchpad bugs to the tracker, I sent a patch to update the aliases (not yet applied), I updated the configuration of all git commit notice scripts in the Alioth collab-maint and python-modules project (many remain to be done). I asked Ubuntu’s Merge-O-Matic to use the new emails as well (see LP 1525497). DAK and the Debian BTS still have to be updated, as of yet nobody reacted to my announce… last but not least I updated many wiki pages which duplicated the instructions to setup the commit notice sent to the PTS.

While on a good track I opted to tackle the long-standing RC bug that was plaguing (#789183), so I updated the codebase to rely on Twitter’s bootstrap v4 instead of v2. I had to switch to something else for the icons since glyphicons is no longer provided as part of bootstrap and the actual license for the standalone version was not suitable for use. I opted for Github’s Octicons. I made numerous little improvements while doing that (closing some bugs in the process) and I believe that the result is more pleasant to use.

I also did a lot of bug triage and fixed a few small issues like the incomplete architecture list (#793547), or fixing a page used only by people with javascript disabled that was not working. Or the invalid links for packages still using CVS (ugh, see #561228).

Misc packaging

Django. After having added DEP-8 tests (as part of my LTS work, see above), I discovered that the current version in unstable did not pass its test suite… so I filed the issue upstream (ticket 26016) and added the corresponding patch. And I encouraged others to update python-bcrypt in Debian to a newer version that would have worked with Django 1.9 (see #803096). I also fixed another small issue in Django (see ticket 26017 with my pull request that got accepted).

I asked the release managers to consider accepting the latest 1.7.x version in jessie (see #807654) but I have gotten zero answer so far. And I’m not the only one waiting an answer. It’s a bit of a sad situation… we still have a few weeks until the next point release but for once I do it in advance and I would love to have timely feedback.

Last but not least, I started the maintaining the current LTS release (1.8.x) in jessie-backports.

Tryton. I upgraded to Tryton 3.8 and discovered an issue that I filed in #806781. I sponsored 5 new tryton modules for Matthias Behrle (who is DM) as well as one security upload (for CVE-2015-0861).

Debian Handbook. I uploaded a new version to Debian Unstable and requested (to the release managers) the permission to upload a backport of it to jessie so that jessie has a version of the package that documents jessie and not wheezy… contrary to my other Django request, this one should be non-controversial but I also have had zero answer so far, see #807515.

Misc. I filed #808583 when sbuild stopped working with Perl 5.22. I handled #807860 on publican, I found the corresponding upstream ticket and discovered a work around with the help of upstream (see here).

Kali related work

I reported a bug to #debian-apt about apt miscalculating download size (ending up with 18 EB!) which resulted in a fix here in version 1.1.4. Installing a meta-package that needed more than 2GB was no longer possible without this fix and we have a kali-linux-all metapackage in that situation that gets regularly installed in a Jenkins test.

I added captcha support to Distro Tracker and enabled this feature on

I filed #808863 against uhd-host because it was not possible to install the package in a systemd-nspawn’s managed chroot where /proc is read-only. And we started using this to test dist-upgrade from one version of Kali to the next…


See you next month for a new summary of my activities.

Freexian’s report about Debian Long Term Support, November 2015

A Debian LTS logoLike each month, here comes a report about the work of paid contributors to Debian LTS.

Individual reports

In November, 114.50 work hours have been dispatched among 8 paid contributors. Their reports are available:

  • Ben Hutchings did 5 hours only (out of 15 hours allocated + 5 extra hours remaining, meaning that he has 15 extra hours to do over December).
  • Chris Lamb did 13 hours (12h allocated + 1h remaining).
  • Guido Günther did 10 hours (out of 8 hours allocated + 4 remaining, thus keeping 2 extra hours for December).
  • Mike Gabriel did 6.5 hours only (out of 8 hours allocated + 8 hours remaining, the 9.5 unused extra hours have been dispatched to others for December).
  • Raphaël Hertzog did 21.25 hours.
  • Santiago Ruano Rincón did 19 hours (out of 21h allocated, thus keeping 2 extra hours for December).
  • Scott Kitterman did 8 hours.
  • Thorsten Alteholz did 21.25 hours.

Evolution of the situation

We lost one hour of funding for December due to a sponsor not renewing, and we don’t have any new sponsor lined up right now. There’s another sponsor who will reduce his sponsorship starting with 2016.

While the situation is relatively healthy right now, we should continue the efforts to find new sponsors, both to ensure we can cover more software in wheezy and to better share the costs: having many small sponsors is more resilient than relying on a few big ones. And we still haven’t reached our second goal of funding the equivalent of a full-time position.

In terms of security updates waiting to be handled, the situation is close to last month: the dla-needed.txt file lists 19 packages awaiting an update (2 less than last month), the list of open vulnerabilities in Squeeze shows about 22 affected packages in total (1 less than last month).

Thanks to our sponsors

The new sponsors are in bold.