My Free Software Activities in January 2016

My monthly report covers a large part of what I have been doing in the free software world. I write it for my donators (thanks to them!) but also for the wider Debian community because it can give ideas to newcomers and it’s one of the best ways to find volunteers to work with me on projects that matter to me.

Debian LTS

I did not ask for any paid hours this month and won’t be requesting paid hours for the next 5 months as I have a big project to handle with a deadline in June. That said I still did a few LTS related tasks:

  • I uploaded a new version of debian-security-support (2016.01.07) to officialize that virtualbox-ose is no longer supported in Squeeze and that redmine was not really supportable ever since we dropped support for rails.
  • Made a summary of the discussion about what to support in wheezy and started a new round of discussions with some open questions. I invited contributors to try to pickup one topic, study it and bring the discussion to some conclusion.
  • I wrote a blog post to recruit new paid contributors. Brian May, Markus Koschany and Damyan Ivanov candidated and will do their first paid hours over February.

Distro Tracker

Due to many nights spent on playing Splatoon (I’m at level 33, rank B+, anyone else playing it?), I did not do much work on Distro Tracker.

After having received the bug report #809211, I investigated the reasons why SQLite was no longer working satisfactorily in Django 1.9 and I opened the upstream ticket 26063 and I had a long discussion with two upstream developers to find out the best fix. The next point release (1.9.2) will fix that annoying regression.

I also merged a couple of contributions (two patches from Christophe Siraut, one adding descriptions to keywords, cf #754413, one making it more obvious that chevrons in action items are actionable to show more data, a patch from Balasankar C in #810226 fixing a bad URL in an action item).

I fixed a small bug in the “unsubscribe” command of the mail bot, it was not properly recognizing source packages.

I updated the task notifying of new upstream versions to use the data generated by UDD (instead of the data generated by Christoph Berg’s mole-based implementation which was suffering from a few bugs). 

Debian Packaging

Testing experimental sbuild. While following the work of Johannes Schauer on sbuild, I installed the version from experimental to support his work and give him some feedback. In the process I uncovered #810248.

Python sponsorship. I reviewed and uploaded many packages for Daniel Stender who keeps doing great work maintaining prospector and all its recursive dependencies: pylint-common, python-requirements-detector, sphinx-argparse, pylint-django, prospector. He also prepared an upload of python-bcrypt which I requested last month for Django.

Django packaging. I uploaded Django 1.8.8 to jessie-backports.
My stable updates for Django 1.7.11 was not handled before the release of Debian 8.3 even though it was filed more than 1.5 months before.

Misc stuff. My stable update for debian-handbook has been accepted fairly shortly after my last monthly report (thank you Adam!) so I uploaded the package once acked by a release manager. I also sponsor a backports upload of zim prepared by Joerg Desch.

Kali related work

Kernel work. The switch to Linux 4.3 in Kali resulted in a few bug reports that I investigated with the help of #debian-kernel and where I reported my findings back so that the Debian kernel could also benefit from the fixes I uploaded to Kali: first we included a patch for a regression in the vmwgfx video driver used by VMWare virtual machines (which broke the gdm login screen), then we fixed the input-modules udeb to fix support of some Logitech keyboards in debian-installer (see #796096).

Misc work. I made a non-maintainer upload of python-maxminddb to fix #805689 which had been removed from stretch and that we needed in Kali. I also had to NMU libmaxminddb since it was no longer available on armel and we actually support armel in Kali. During that NMU, it occurred to me that dh-exec could offer a feature of “optional install”, that is installing a file that exists but not failing if it doesn’t exist. I filed this as #811064 and it stirred up quite some debate.

Thanks

See you next month for a new summary of my activities.

Working as a paid LTS contributor

A Debian LTS logoWhile the details about how to join the set of paid contributors have always been public (here) we did not advertise this fact very much outside of the people already interested in LTS (and thus subscribed to debian-lts@lists.debian.org). But right now we would like to have a few more paid contributors on board and I’m thus posting this call for volunteers.

Who can apply?

You need to meet those requirements:

  • you are Debian Developer or a Debian Maintainer;
  • you have some prior experience with providing security updates in Debian (at least on your own packages);
  • you have good programming skills and know multiple languages (to be able to backport security fixes);
  • you can emit invoices to Freexian;
  • you accept the rules defined for this project:
    • you must respect the privacy of any customer data;
    • you must prepare a public monthly report of the work done on paid time;
    • you must respect the Debian code of conduct and respond to queries about your work from fellow community members;
    • you must do your best to meet the high-quality standards set by the Debian security team.

Even though Freexian is located in France and requires you to provide invoice in EUR, there are no conditions on your nationality or country of residence. For contributors outside of the Euro zone, Freexian is using Transferwise to pay them with minimal currency conversion costs (Paypal is also possible if nothing else works).

The rate offered to paid contributors is the same for all (75 EUR/hour), it’s based on a correct rate for independent contractors in western Europe. If the rate is very high for your own country, then be happy to be able to invoice Freexian at this rate and use this opportunity to work less (for money) and contribute more to Debian on your (now copious) free time.

How does the work look like?

If you apply, you will have to send us an SSH key so that you can have access to the internal git repository used for work. It contains a ledger file to track the hours funded by sponsors and how they have been dispatched to the various contributors. You can always know how many hours are assigned to you, how many can be invoiced, and so on. You will have to update it once a month to record the work you did (and indicate us where the report has been published).

The repository also contains a README with many explanations about the workflow (how hours are dispatched, the delay you have to publish your report, etc) and a small helper script (./find-work) to match up the pending updates (registered in dla-needed.txt) with the popularity of the package among the sponsors.

Now the work itself is relatively well documented in the LTS wiki. You will have to provide updates for packages that need an update.

You have some freedom in selecting the packages but at some point you will have to work on packages that you don’t know that are written in a language that you have almost not used. So you must be able to go out of your comfort zone and still do a good work. You must also be able to multi-task because in some cases you will get stuck on a particular update and you will have to seek help from the upstream developer (or from the Debian package maintainer). Don’t expect to be able to do all your work hours in a single run… thus don’t wait until the last days of the month. Start early and dispatch your work hours over the month.

From time to time, you will also have to handle the “LTS frontdesk” for one week. During this week, you need to spend a bit of time every day to triage the new CVE, to respond to questions on the mailing list, and to sponsor updates prepared by volunteers who do not have upload rights.

Questions?

Ask your questions in the comments and I will update this section with your questions and our answers.

What if I have no prior experience with security updates?

Start getting some experience. The LTS and security teams are open for anyone to join. Read their documentation and provide some updates that other contributors can sponsor.

Before accepting you as paid contributor, we generally ask you to prepare one or two DLA on your free time just to make sure that you know the workflow and that you are up to the task.

What if I have only X hours available for paid LTS work?

In the git repository there’s a file where you document how many work hours you can handle. You might get less than this amount, but we generally never assign less than 8 hours (to make sure that you can handle one complicated update from start to end, or your possible week of LTS frontdesk).

You can adjust it each month or even opt-out if you are not available for whatever reason. But once you have been assigned work hours, it’s important to actually do the work that you requested!

How do I apply?

Get in touch with me (as documented).

Freexian’s report about Debian Long Term Support, December 2015

A Debian LTS logoLike each month, here comes a report about the work of paid contributors to Debian LTS.

Individual reports

In December, 113.50 work hours have been dispatched among 9 paid contributors. Their reports are available:

  • Antoine Beaupré did 8h for his first month of work on LTS.
  • Ben Hutchings did 20 hours (out of 15 hours allocated + 15 extra hours remaining, meaning that he has 10 extra hours to do over January).
  • Chris Lamb did 12 hours.
  • Guido Günther did 9 hours (out of 8 hours allocated + 2 remaining, thus keeping 1 extra hour for January).
  • Mike Gabriel did nothing (the 8 hours allocated are carried over for January).
  • Raphaël Hertzog did 21.25 hours (18h allocated + 3.25h taken over from Mike’s unused hours of November).
  • Santiago Ruano Rincón did 15 hours (out of 18.25h allocated + 2 remaining + 3.25 taken over from Mike’s unused hours of November, thus keeping 8.50 extra hours for January).
  • Scott Kitterman did 8 hours.
  • Thorsten Alteholz did 21.25 hours (out of 18.25h allocated + 3 hours taken over from Mike’s unused hours of November).

Evolution of the situation

We lost our first silver sponsor (Gandi.net, they prefer to give the same amount of money to Debian directly) and another sponsor reduced his sponsorship level. While this won’t show in the hours dispatched in January, we will do a small jump backwards in February (unless we get new sponsors replacing those in the next 3 weeks).

This is a bit unfortunate as we are rather looking at reinforcing the amount of sponsorship we get as we approach Wheezy LTS and we will need more support to properly support virtualization related packages and other packages that were formerly excluded from Squeeze LTS. Can you convince your company and help us reach our second goal?

In terms of security updates waiting to be handled, the situation is close to last month. It looks like that having about 20 packages needing an update is the normal situation and that we can’t really get further down given the time required to process some updates (sometimes we wait until the upstream authors provides a patch, and so on).

Thanks to our sponsors

We got one new bronze sponsor but he’s not listed (he did not fill the form where we request their permission to be listed).

My Free Software Activities in December 2015

My monthly report covers a large part of what I have been doing in the free software world. I write it for my donators (thanks to them!) but also for the wider Debian community because it can give ideas to newcomers and it’s one of the best ways to find volunteers to work with me on projects that matter to me.

Debian LTS

This month I have been paid to work 21.25 hours on Debian LTS. During this time I worked on the following things:

  • Sent a first patch and later an updated patch to modify DAK so that it can send the accept/reject mails to the signer of the upload instead of the maintainer. Details in #796784.
  • Uploaded MySQL 5.5 compabitility fixes for phpmyadmin and postfix-policyd so that we could release MySQL 5.5 as an upgrade option MySQL 5.1 (see DLA 359-1).
  • Released DLA 361-1 on bouncycastle after having gotten the green light from upstream.
  • Released DLA 362-1 on dhcpd fixing three CVE.
  • Released DLA 366-1 on arts fixing one CVE.
  • Released DLA 367-1 on kdelibs fixing one CVE.
  • Handled the LTS frontdesk for a whole week.
  • Sponsored the upload of foomatic-filters for DLA 371-1.
  • Filed #808256 and #808257 to get libnsbmp/libnsgif removed. Both packages had recent CVE and were sitting unused in Debian since their introduction 6 years ago…
  • Released DLA 372-1 announcing the end of support of virtualbox-ose.
  • Updated git repository of debian-security-support to account for the former change and also took care of a few pending issues.
  • Released DLA 376-1 on mono to fix one CVE.
  • Added some initial DEP-8 tests to python-django that will help to ensure that a security update doesn’t break the package.

Distro Tracker

I put a big focus on tracker.debian.org work this month. I completed the switch of the mail interface from packages.qa.debian.org to tracker.debian.org and I announced the change on debian-devel-announce.

The changes resulted in a few problems that I quickly fixed (like #807073) and some other failures seen only by me and that were generated by weird spam messages (did you know that a subject can’t have a newline character but that it can be encoded and folded over multiple lines?).

Related to that I fixed some services so that they send their mails to tracker.debian.org directly instead of relying on the old emails (they get forwarded for now but it would be nice to be able to get rid of that forward). I updated (with the help of Lucas Nussbaum) the service that forwards the Launchpad bugs to the tracker, I sent a patch to update the @packages.debian.org aliases (not yet applied), I updated the configuration of all git commit notice scripts in the Alioth collab-maint and python-modules project (many remain to be done). I asked Ubuntu’s Merge-O-Matic to use the new emails as well (see LP 1525497). DAK and the Debian BTS still have to be updated, as of yet nobody reacted to my announce… last but not least I updated many wiki pages which duplicated the instructions to setup the commit notice sent to the PTS.

While on a good track I opted to tackle the long-standing RC bug that was plaguing tracker.debian.org (#789183), so I updated the codebase to rely on Twitter’s bootstrap v4 instead of v2. I had to switch to something else for the icons since glyphicons is no longer provided as part of bootstrap and the actual license for the standalone version was not suitable for use. I opted for Github’s Octicons. I made numerous little improvements while doing that (closing some bugs in the process) and I believe that the result is more pleasant to use.

I also did a lot of bug triage and fixed a few small issues like the incomplete architecture list (#793547), or fixing a page used only by people with javascript disabled that was not working. Or the invalid links for packages still using CVS (ugh, see #561228).

Misc packaging

Django. After having added DEP-8 tests (as part of my LTS work, see above), I discovered that the current version in unstable did not pass its test suite… so I filed the issue upstream (ticket 26016) and added the corresponding patch. And I encouraged others to update python-bcrypt in Debian to a newer version that would have worked with Django 1.9 (see #803096). I also fixed another small issue in Django (see ticket 26017 with my pull request that got accepted).

I asked the release managers to consider accepting the latest 1.7.x version in jessie (see #807654) but I have gotten zero answer so far. And I’m not the only one waiting an answer. It’s a bit of a sad situation… we still have a few weeks until the next point release but for once I do it in advance and I would love to have timely feedback.

Last but not least, I started the maintaining the current LTS release (1.8.x) in jessie-backports.

Tryton. I upgraded to Tryton 3.8 and discovered an issue that I filed in #806781. I sponsored 5 new tryton modules for Matthias Behrle (who is DM) as well as one security upload (for CVE-2015-0861).

Debian Handbook. I uploaded a new version to Debian Unstable and requested (to the release managers) the permission to upload a backport of it to jessie so that jessie has a version of the package that documents jessie and not wheezy… contrary to my other Django request, this one should be non-controversial but I also have had zero answer so far, see #807515.

Misc. I filed #808583 when sbuild stopped working with Perl 5.22. I handled #807860 on publican, I found the corresponding upstream ticket and discovered a work around with the help of upstream (see here).

Kali related work

I reported a bug to #debian-apt about apt miscalculating download size (ending up with 18 EB!) which resulted in a fix here in version 1.1.4. Installing a meta-package that needed more than 2GB was no longer possible without this fix and we have a kali-linux-all metapackage in that situation that gets regularly installed in a Jenkins test.

I added captcha support to Distro Tracker and enabled this feature on pkg.kali.org.

I filed #808863 against uhd-host because it was not possible to install the package in a systemd-nspawn’s managed chroot where /proc is read-only. And we started using this to test dist-upgrade from one version of Kali to the next…

Thanks

See you next month for a new summary of my activities.