Here is my monthly update covering what I have been doing in the free software world (previous month):
Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.
The motivation behind the Reproducible Builds effort is to permit verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
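The consensus step described above can be made concrete: each independent rebuilder publishes the checksums of the artifacts it produced from the same source, and a verifier only trusts an artifact when enough builders agree on its checksum, flagging any builder that disagrees. The Python below is an added example written for this post, not code from diffoscope, buildinfo.debian.net or the Reproducible Builds project; the builder names, artifact name and file contents are constructed for illustration.

```python
import hashlib
from collections import Counter


def sha256_hex(data: bytes) -> str:
    """Checksum an artifact's bytes the way a build record would report it."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample data: what three hypothetical rebuilders reported for the
# same package built from the same source. builder-c's artifact differs, which
# is exactly the situation a reproducibility check is meant to surface.
GOOD_DEB = b"constructed contents of foo_1.0-1_amd64.deb"
TAMPERED_DEB = b"constructed contents of foo_1.0-1_amd64.deb (altered at build time)"

BUILDER_REPORTS = {
    "builder-a": {"foo_1.0-1_amd64.deb": sha256_hex(GOOD_DEB)},
    "builder-b": {"foo_1.0-1_amd64.deb": sha256_hex(GOOD_DEB)},
    "builder-c": {"foo_1.0-1_amd64.deb": sha256_hex(TAMPERED_DEB)},
}


def consensus(reports, quorum=2):
    """Decide, per artifact, which checksum the builders agree on.

    Returns {artifact: (agreed_checksum or None, [dissenting builders])}.
    The agreed checksum is None when fewer than `quorum` builders share the
    leading checksum or when the leading checksums are tied, so a single
    compromised or misconfigured builder cannot manufacture agreement.
    """
    by_artifact = {}
    for builder, sums in reports.items():
        for artifact, digest in sums.items():
            by_artifact.setdefault(artifact, {})[builder] = digest

    result = {}
    for artifact, per_builder in by_artifact.items():
        counts = Counter(per_builder.values())
        ranked = counts.most_common(2)
        digest, votes = ranked[0]
        tied = len(ranked) > 1 and ranked[1][1] == votes
        if votes < quorum or tied:
            # No trustworthy answer: report every builder so a human looks.
            result[artifact] = (None, sorted(per_builder))
            continue
        dissent = sorted(b for b, d in per_builder.items() if d != digest)
        result[artifact] = (digest, dissent)
    return result


def artifact_matches_consensus(data: bytes, agreed_checksum) -> bool:
    """Check a locally obtained artifact against the agreed checksum."""
    return agreed_checksum is not None and sha256_hex(data) == agreed_checksum


if __name__ == "__main__":
    for artifact, (agreed, dissent) in consensus(BUILDER_REPORTS).items():
        status = "no consensus" if agreed is None else f"agreed {agreed[:12]}..."
        print(f"{artifact}: {status}; dissenting builders: {dissent}")
```

With the sample data the verifier reports agreement on the checksum produced by builder-a and builder-b and names builder-c as the dissenter; a downloaded copy of the package can then be checked with `artifact_matches_consensus` before it is trusted.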
I also made the following changes to our tooling:
diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.
- Avoid unnecessary string manipulation writing --text output (~20x speedup).
- Avoid n iterations over archive files (~8x speedup).
- Don’t analyse .deb files twice when comparing .changes files (2x speedup).
- Avoid shelling out to colordiff by implementing color support directly.
- Memoize calls to distutils.spawn.find_executable to avoid excessive stat(2) syscalls.
- Progress bar:
  - Show current file / ELF section under analysis etc. in progress bar.
  - Move the --status-fd output to use JSON and to include the current filename.
- Code tidying:
  - Split out the try.diffoscope.org client so that it can be released separately on PyPI.
  - Completely rework the diffoscope and diffoscope.comparators modules, grouping similar utilities into their own modules, etc.
- Update dex_expected_diffs test to ensure compatibility with enjarify ≥ 1.0.3.
- Ensure that running from Git will always use that checkout’s Python modules.
- Add a simple profiling framework.
strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.
- Makefile.PL: Change NAME argument to a Perl package name.
- Ensure our binaries are available in autopkgtest tests.
trydiffoscope is a web-based version of the diffoscope in-depth and content-aware diff utility. Continued thanks to Bytemark for sponsoring the hardware.
- Show progress bar and position in queue, etc. (#25 & #26)
- Promote command-line client with PyPI instructions.
- Increase comparison time limit to 90 seconds.
buildinfo.debian.net is my experiment into how to process, store and distribute .buildinfo files after the Debian archive software has processed them.
- Added support for version 0.2 .buildinfo files. (#15)
This month I have been paid to work 13½ hours on Debian Long Term Support (LTS). In that time I did the following:
- “Frontdesk” duties, triaging CVEs, etc.
- Issued DLA 733-1 for openafs, fixing an information leak vulnerability. Due to incomplete initialization or clearing of reused memory, directory objects could contain ‘dead’ directory entry information.
- Issued DLA 734-1 for mapserver closing an information leakage vulnerability.
- Issued DLA 737-1 for roundcube preventing arbitrary remote code execution by sending a specially crafted email.
- Issued DLA 738-1 for spip patching a cross-site scripting (XSS) vulnerability.
- Issued DLA 740-1 for libgsf fixing a null pointer dereference exploitable via a crafted .tar file.
Uploads
- redis:
  - 3.2.5-5 — Add RuntimeDirectory=redis to systemd .service files.
  - 3.2.5-6 — Add missing Depends on lsb-base for /lib/lsb/init-functions usage in redis-sentinel’s initscript.
  - 3.2.6-1 — New upstream release.
  - 4.0-1 & 4.0-rc2-1 — New upstream experimental releases.
- aptfs: 0.9-1 & 0.10-1 — New upstream releases.
Debian bugs filed
I filed 29 FTBFS bugs against a7xpg, conntrack-tools, factory-boy, faker, glimpse, gunroar, hexchat-otr, jackson-datatype-guava, jalview, jquery, kodi-pvr-mythtv, leap-cli, libbio-graphics-perl, libparanoid-perl, libsass-python, metastudent-data, node-temporary, node-yargs, python-requests-unixsocket, python-restless, ruby-bunny, ruby-github-markup, ruby-rabl, sagenb-export, seaborn, soapdenovo2, titanion, ufw & vagrant-cachier.
I additionally filed 2 bugs for packages that access the internet during build against fence-agents & lua-geoip.
Debian FTP Team
As a Debian FTP assistant I ACCEPTed 107 packages: android-platform-libcore, compiz, debian-edu, dehydrated, dh-cargo, gnome-shell-extension-pixelsaver, golang-1.8, golang-github-btcsuite-btcd-btcec, golang-github-elithrar-simple-scrypt, golang-github-pelletier-go-toml, golang-github-restic-chunker, golang-github-weaveworks-mesh, golang-google-genproto, igmpproxy, jimfs, kpmcore, libbio-coordinate-perl, libdata-treedumper-oo-perl, libdate-holidays-de-perl, libpgobject-type-bytestring-perl, libspecio-library-path-tiny-perl, libterm-table-perl, libtext-hogan-perl, lighttpd, linux, linux-signed, llmnrd, lua-geoip, lua-sandbox-extensions, lua-systemd, node-cli-cursor, node-command-join, node-death, node-detect-indent, node-domhandler, node-duplexify, node-end-of-stream, node-first-chunk-stream, node-from2, node-glob-stream, node-has-binary, node-inquirer, node-interpret, node-is-negated-glob, node-is-unc-path, node-lazy-debug-legacy, node-lazystream, node-load-grunt-tasks, node-merge-stream, node-object-assign-sorted, node-orchestrator, node-pkg-up, node-resolve-from, node-resolve-pkg, node-rx, node-sorted-object, node-stream-shift, node-streamtest, node-string.prototype.codepointat, node-strip-bom-stream, node-through2-filter, node-to-absolute-glob, node-unc-path-regex, node-vinyl, openzwave, openzwave-controlpanel, pcb-rnd, pd-upp, pg-partman, postgresql-common, pybigwig, python-acora, python-cartopy, python-codegen, python-efilter, python-flask-sockets, python-intervaltree, python-jsbeautifier, python-portpicker, python-pretty-yaml, python-protobix, python-sigmavirus24-urltemplate, python-sqlsoup, python-tinycss, python-watson-developer-cloud, python-zc.customdoctests, python-zeep, r-cran-dbitest, r-cran-dynlm, r-cran-mcmcpack, r-cran-memoise, r-cran-modelmetrics, r-cran-plogr, r-cran-prettyunits, r-cran-progress, r-cran-withr, ruby-clean-test, ruby-gli, ruby-json-pure, ruby-parallel, rustc, sagemath, sbuild, scram, sidedoor, toolz & yabasic.
I additionally filed 4 RC bugs against packages that had incomplete debian/copyright files against jimfs, compiz, python-efilter & ruby-json-pure.