apt-get install debian-wizard

Insider infos, master your Debian/Ubuntu distribution


My Free Software Activities in October 2016

November 2, 2016 by Raphaël Hertzog

My monthly report covers a large part of what I have been doing in the free software world. I write it for my donors (thanks to them!) but also for the wider Debian community because it can give ideas to newcomers and it’s one of the best ways to find volunteers to work with me on projects that matter to me.

Debian LTS

Last month I started to work on tiff3 but did not have enough time to complete an update; it turns out the issues were hairy enough that nobody else picked up the package. So this month I started again with tiff3 and tiff and I ended up spending my 13h on those two packages.

I filed bugs for issues that were not yet reported to the BTS (#842361 for CVE-2016-5652, #842046 for CVE-2016-5319/CVE-2016-3633/CVE-2015-8668). I marked many CVEs as not affecting tiff3 as this source package does not ship the tools (the “tiff” source package does).

Since upstream decided to drop many tools instead of fixing the corresponding security issues, I opted to remove the tools as well. Before doing this, I looked up reverse dependencies of libtiff-tools to ensure that none of the tools removed are used by other packages (the maintainer seems to agree too).

I backported upstream patches for CVE-2016-6223 and CVE-2016-5652.

But the bulk of the time, I spent on CVE-2014-8128, CVE-2015-7554 and CVE-2016-5318. I believe they are all variants of the same problem and upstream seems to agree since he opened a sort of meta-bug to track them. I took inspiration from a patch suggested in ticket #2499 and generalized it a bit by trying to add the tag data for all tags manipulated by the various tools. It was a tiresome process as there are many tags used in multiple places. But in the end, it works as expected. I can no longer reproduce any of the segfaults with the problematic files.

I asked for review/test on the mailing list but did not get much feedback. I’m going to upload the updated packages soon.

Distro Tracker

I noticed a sudden rise in the number of email addresses being automatically unsubscribed from the Debian Package Tracker and I got a few requests for bounces. It turns out the BTS has been relaying lots of spam with executable files and those are bounced by Google (and not silently discarded). This is all very unfortunate… the spam flood is unlikely to stop soon and I can’t expect Google to change either, so I had little choice except trying to make the bounce handler smarter. That’s what I did: I have a list of regular expressions that will discard a bounce. In other words, once matched the bounce won’t count towards the limit that triggers the automatic unsubscription.
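A minimal sketch of the mechanism described above, as an added example and not Distro Tracker's own code: bounces whose text matches a discard pattern are ignored, and only the remaining ones count towards the unsubscription limit. The patterns, the limit of 3, the class name and the sample messages are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from email import message_from_string

# Hypothetical discard patterns: rejections caused by message content (relayed
# spam with executables), which say nothing about whether the mailbox is alive.
IGNORED_BOUNCE_PATTERNS = [
    re.compile(r"552[ -]5\.7\.0\b.*security issue", re.I | re.S),
    re.compile(r"(blocked|rejected)\b.*\b(virus|executable)", re.I | re.S),
]
MAX_BOUNCES = 3  # assumed limit before automatic unsubscription


def bounce_text(raw_message):
    """Decode and join the text/plain parts of a bounce message."""
    chunks = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", errors="replace"))
    return "\n".join(chunks)


class BounceTracker:
    def __init__(self):
        self.counts = defaultdict(int)
        self.unsubscribed = set()

    def handle_bounce(self, address, raw_message):
        """Return 'ignored', 'counted' or 'unsubscribed' for one bounce."""
        text = bounce_text(raw_message)
        if any(p.search(text) for p in IGNORED_BOUNCE_PATTERNS):
            return "ignored"  # discarded: does not count towards the limit
        self.counts[address] += 1
        if self.counts[address] >= MAX_BOUNCES:
            self.unsubscribed.add(address)
            return "unsubscribed"
        return "counted"


# Constructed sample bounces (not real mail).
HEADERS = "From: MAILER-DAEMON@mx.example\nSubject: Delivery failure\n\n"
CONTENT_REJECTION = HEADERS + (
    "552-5.7.0 This message was blocked because its content presents a\n"
    "552-5.7.0 potential security issue.\n")
DEAD_MAILBOX = HEADERS + "550 5.1.1 The recipient account does not exist.\n"

if __name__ == "__main__":
    tracker = BounceTracker()
    for raw in [CONTENT_REJECTION] * 5 + [DEAD_MAILBOX] * 3:
        print(tracker.handle_bounce("user@example.org", raw))
```

Patterns that are too broad would also hide bounces from genuinely dead mailboxes, so each one should match only the content-rejection wording.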

Misc Debian work

Bugs filed. In #839403, I suggest the possibility to set the default pin priority for a source in the sources.list file directly. In #840436 I ask the selenium-firefoxdriver maintainer to do what is required to get this non-free package auto-built.

Packaging. I sponsored puppet-lint 2.0.2-0.1 and I reviewed the rozofs package (which I just sponsored into experimental for a start).

Publicity. I’m maintaining the Debian account on Twitter and Facebook. I have been using twitterfeed.com up to now but it’s closing down. I followed their recommendations and switched to dlvr.it to automatically post entries out of the micronews.debian.org feed. In #841165, I reported that the chroots created by sbuild-createchroot are lacking the usual IPv6 entries created by netbase. In #841503, I report a very common cryptsetup upgrade failure that I saw multiple times (both in Debian and in Kali).

Thanks

See you next month for a new summary of my activities.

Freexian’s report about Debian Long Term Support, September 2016

October 19, 2016 by Raphaël Hertzog

Like each month, here comes a report about the work of paid contributors to Debian LTS.

Individual reports

In September, about 152 work hours have been dispatched among 13 paid contributors. Their reports are available:

  • Balint Reczey did 15 hours (out of 12.25 hours allocated + 7.25 remaining, thus keeping 4.5 extra hours for October).
  • Ben Hutchings did 6 hours (out of 12.3 hours allocated + 1.45 remaining, he gave back 7h and thus keeps 9.75 extra hours for October).
  • Brian May did 12.25 hours.
  • Chris Lamb did 12.75 hours (out of 12.30 hours allocated + 0.45 hours remaining).
  • Emilio Pozuelo Monfort did 1 hour (out of 12.3 hours allocated + 2.95 remaining) and gave back the unused hours.
  • Guido Günther did 6 hours (out of 7h allocated, thus keeping 1 extra hour for October).
  • Hugo Lefeuvre did 12 hours.
  • Jonas Meurer did 8 hours (out of 9 hours allocated, thus keeping 1 extra hour for October).
  • Markus Koschany did 12.25 hours.
  • Ola Lundqvist did 11 hours (out of 12.25 hours assigned thus keeping 1.25 extra hours).
  • Raphaël Hertzog did 12.25 hours.
  • Roberto C. Sanchez did 14 hours (out of 12.25h allocated + 3.75h remaining, thus keeping 2 extra hours).
  • Thorsten Alteholz did 12.25 hours.

Evolution of the situation

The number of sponsored hours reached 172 hours per month thanks to maxcluster GmbH joining as silver sponsor and RHX Srl joining as bronze sponsor.

We only need a couple of supplementary sponsors now to reach our objective of funding the equivalent of a full time position.

The security tracker currently lists 39 packages with a known CVE and the dla-needed.txt file 34. It’s a small bump compared to last month but almost all issues are assigned to someone.

Thanks to our sponsors

New sponsors are in bold.

  • Platinum sponsors:
    • TOSHIBA (for 12 months)
    • GitHub (for 3 months)
  • Gold sponsors:
    • The Positive Internet (for 28 months)
    • Blablacar (for 27 months)
    • Linode LLC (for 17 months)
    • Babiel GmbH (for 6 months)
    • Plat’Home (for 6 months)
    • UR Communications BV
  • Silver sponsors:
    • Domeneshop AS (for 27 months)
    • Université Lille 3 (for 27 months)
    • Trollweb Solutions (for 25 months)
    • Nantes Métropole (for 21 months)
    • University of Luxembourg (for 19 months)
    • Dalenys (for 18 months)
    • Univention GmbH (for 13 months)
    • Université Jean Monnet de St Etienne (for 13 months)
    • Sonus Networks (for 7 months)
    • maxcluster GmbH
  • Bronze sponsors:
    • David Ayers – IntarS Austria (for 28 months)
    • Evolix (for 28 months)
    • Offensive Security (for 28 months)
    • Seznam.cz, a.s. (for 28 months)
    • Freeside Internet Service (for 27 months)
    • MyTux (for 27 months)
    • Intevation GmbH (for 25 months)
    • Linuxhotel GmbH (for 25 months)
    • Daevel SARL (for 23 months)
    • Bitfolk LTD (for 22 months)
    • Megaspace Internet Services GmbH (for 22 months)
    • Greenbone Networks GmbH (for 21 months)
    • NUMLOG (for 21 months)
    • WinGo AG (for 21 months)
    • Ecole Centrale de Nantes – LHEEA (for 17 months)
    • Sig-I/O (for 14 months)
    • Entr’ouvert (for 12 months)
    • Adfinis SyGroup AG (for 9 months)
    • GNI MEDIA (for 4 months)
    • Laboratoire LEGI – UMR 5519 / CNRS (for 4 months)
    • Quarantainenet BV (for 4 months)
    • RHX Srl

My Free Software Activities in September 2016

October 4, 2016 by Raphaël Hertzog

My monthly report covers a large part of what I have been doing in the free software world. I write it for my donors (thanks to them!) but also for the wider Debian community because it can give ideas to newcomers and it’s one of the best ways to find volunteers to work with me on projects that matter to me.

Debian LTS

With the increasing number of paid contributors, easy fixes (CVEs with patches available) tend to be processed rather quickly. All the packages I worked on had issues that were open for a long time because they were hard to handle.

I prepared DLA-613-1 fixing 3 CVEs on roundcube. The fix required manually backporting the CSRF handling code which was not available in the wheezy version. I spent almost 8 hours on roundcube.

Then I started to work on tiff3. I reviewed many CVEs: CVE-2016-3658, CVE-2015-7313, CVE-2015-7554, CVE-2015-8668, CVE-2016-5318, CVE-2016-3625, CVE-2016-5319. I updated their status for tiff3 in wheezy, requested reproducer files from people who reported the CVEs when the files were not publicly available and made sure that everything was recorded in the upstream bug tracker. The 4.25 hours I spent on the package were not enough to work on patches, so I put the package back in the work queue.

GNOME 3.22 transition

I uploaded a new gnome-shell-timer that would work with GNOME 3.21 that had been uploaded to sid.

Unfortunately, that new GNOME (and GTK+) version caused many regressions that affected Debian Testing (and thus Kali) users in particular in gnome-control-center. I uploaded a new version fixing some of those issues and I reported a bunch of them to upstream too (#771515, #771517, #771696).

Kali

I worked on #836211 creating a dpkg patch to work around the overlayfs limitation (we use it in Kali because persistence of live system relies on overlayfs) and I contacted the upstream overlayfs maintainer to hopefully get a proper fix on the overlayfs side instead.

I uploaded radcli 1.2.6-2.1 to fix RC bug #825121 as the package was removed from testing and openvas depends on it in Kali.

As part of the pkg-security team, I sponsored/uploaded acccheck and arp-scan for Marcos Fouces, and p0f 3.09b as well.

Misc Debian work

Distro Tracker. I tested, fixed and merged Paul Wise’s patch integrating multiarch hints into tracker.debian.org (#833623).

Debian Handbook. I enabled the new Vietnamese translation on debian-handbook.info and updated all translations with Weblate updates.

systemd units for apache2. I prepared systemd units for apache2 which I submitted in #798430. With approval of Stefan Fritsch, I committed my work to the git repository and then uploaded the result in version 2.4.23-5.

Hindsight packaging. I first packaged lua-sandbox (#838969) — which is a dependency of Hindsight — and then Hindsight itself (#838968). In this process, I opened a couple of upstream tickets.

PIE by default. I uploaded a new version of cpputest compiled with -fPIC so that executables linking to its static library can be compiled with -fPIE (#837363, forwarded upstream here).

Bugs filed. Bad homepage link in haskell-dice-entropy-conduit. Inconsistent options --onlyscripts and --noscripts in debhelper. pidgin entry in security-support-limited is out of date in debian-security-support. New upstream version (2.0.2) in puppet-lint.

Thanks

See you next month for a new summary of my activities.

Freexian’s report about Debian Long Term Support, August 2016

September 13, 2016 by Raphaël Hertzog

Like each month, here comes a report about the work of paid contributors to Debian LTS.

Individual reports

In August, 140 work hours have been dispatched among 10 paid contributors. Their reports are available:

  • Balint Reczey did 9.5 hours (out of 14.75 hours allocated + 2 remaining, thus keeping 7.25 extra hours for September).
  • Ben Hutchings did 14 hours (out of 14.75 hours allocated + 0.7 remaining, keeping 1.45 extra hours for September).
  • Brian May did 14.75 hours.
  • Chris Lamb did 15 hours (out of 14.75 hours, thus keeping 0.45 hours for next month).
  • Emilio Pozuelo Monfort did 13.5 hours (out of 14.75 hours allocated + 0.5 remaining, thus keeping 2.95 extra hours for September).
  • Guido Günther did 9 hours.
  • Markus Koschany did 14.75 hours.
  • Ola Lundqvist did 15.2 hours (out of 14.5 hours assigned + 0.7 remaining).
  • Roberto C. Sanchez did 11 hours (out of 14.75h allocated, thus keeping 3.75 extra hours for September).
  • Thorsten Alteholz did 14.75 hours.

Evolution of the situation

The number of sponsored hours rose to 167 hours per month thanks to UR Communications BV joining as gold sponsor (funding 1 day of work per month)!

In practice, we never distributed this amount of work per month because some sponsors did not renew in time and some of them might not even be able to renew at all.

The security tracker currently lists 31 packages with a known CVE and the dla-needed.txt file 29. It’s a small bump compared to last month but almost all issues are assigned to someone.

Thanks to our sponsors

New sponsors are in bold.

  • Platinum sponsors:
    • TOSHIBA (for 11 months)
    • GitHub
  • Gold sponsors:
    • The Positive Internet (for 27 months)
    • Blablacar (for 26 months)
    • Linode LLC (for 16 months)
    • Babiel GmbH (for 5 months)
    • Plat’Home (for 4 months)
    • UR Communications BV
  • Silver sponsors:
    • Domeneshop AS (for 26 months)
    • Université Lille 3 (for 26 months)
    • Trollweb Solutions (for 24 months)
    • Nantes Métropole (for 20 months)
    • University of Luxembourg (for 18 months)
    • Dalenys (for 16 months)
    • Univention GmbH (for 12 months)
    • Université Jean Monnet de St Etienne (for 12 months)
    • Sonus Networks (for 6 months)
  • Bronze sponsors:
    • David Ayers – IntarS Austria (for 27 months)
    • Evolix (for 27 months)
    • Offensive Security (for 27 months)
    • Seznam.cz, a.s. (for 27 months)
    • Freeside Internet Service (for 26 months)
    • MyTux (for 26 months)
    • Linuxhotel GmbH (for 24 months)
    • Intevation GmbH (for 23 months)
    • Daevel SARL (for 22 months)
    • Bitfolk LTD (for 21 months)
    • Megaspace Internet Services GmbH (for 21 months)
    • Greenbone Networks GmbH (for 20 months)
    • NUMLOG (for 20 months)
    • WinGo AG (for 19 months)
    • Ecole Centrale de Nantes – LHEEA (for 16 months)
    • Sig-I/O (for 13 months)
    • Entr’ouvert (for 11 months)
    • Adfinis SyGroup AG (for 8 months)
    • Laboratoire LEGI – UMR 5519 / CNRS (for 3 months)
    • Quarantainenet BV (for 3 months)
    • GNI MEDIA