Planet ALUG

Syndicate content
Planet ALUG - http://planet.alug.org.uk/
Updated: 6 min 9 sec ago

Chris Lamb: Free software activities in November 2016

Wed, 30/11/2016 - 21:18

Here is my monthly update covering what I have been doing in the free software world (previous month):

  • Started work on a Python API to the UK Postbox mail scanning and forwarding service. (repo)
  • Lots of improvements to buildinfo.debian.net, my experiment into how to process, store and distribute .buildinfo files after the Debian archive software has processed them, including making GPG signatures mandatory (#7), updating jenkins.debian.net to sign them and moving to SSL.
  • Improved the Django client to the KeyError error tracking software, enlarging the test coverage and additionally adding support for grouping errors using a context manager.
  • Made a number of improvements to travis.debian.net, my hosted service for projects that host their Debian packaging on GitHub to use the Travis CI continuous integration platform to test builds on every code change:
    • Install build-dependencies with debugging output. Thanks to @waja. (#31)
    • Install Lintian by default. Thanks to @freeekanayaka. (#33).
    • Call mktemp with --dry-run to avoid having to delete it later. (commit)
  • Submitted a pull request to Wheel (a utility to package Python libraries) to make the output of METADATA files reproducible. (#73)
  • Submitted some miscellaneous documentation updates to the Tails operating system. (patches)
Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds effort is to permit verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.


This month:


My work in the Reproducible Builds project was also covered in our weekly reports. (#80, #81, #82 #83.


Toolchain issues

I submitted the following patches to fix reproducibility-related toolchain issues with Debian:


strip-nondeterminism

strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.


jenkins.debian.net

jenkins.debian.net runs our comprehensive testing framework.

  • buildinfo.debian.net has moved to SSL. (ac3b9e7)
  • Submit signing keys to keyservers after generation. (bdee6ff)
  • Various cosmetic changes, including
    • Prefer if X not in Y over if not X in Y. (bc23884)
    • No need for a dictionary; let's just use a set. (bf3fb6c)
    • Avoid DRY violation by using a for loop. (4125ec5)

I also submitted 9 patches to fix specific reproducibility issues in apktool, cairo-5c, lava-dispatcher, lava-server, node-rimraf, perlbrew, qsynth, tunnelx & zp.

Debian
Debian LTS

This month I have been paid to work 11 hours on Debian Long Term Support (LTS). In that time I did the following:

  • "Frontdesk" duties, triaging CVEs, etc.
  • Issued DLA 697-1 for bsdiff fixing an arbitrary write vulnerability.
  • Issued DLA 705-1 for python-imaging correcting a number of memory overflow issues.
  • Issued DLA 713-1 for sniffit where a buffer overflow allowed a specially-crafted configuration file to provide a root shell.
  • Issued DLA 723-1 for libsoap-lite-perl preventing a Billion Laughs XML expansion attack.
  • Issued DLA 724-1 for mcabber fixing a roster push attack.
Uploads
  • redis:
    • 3.2.5-2 — Tighten permissions of /var/{lib,log}/redis. (#842987)
    • 3.2.5-3 & 3.2.5-4 — Improve autopkgtest tests and install upstream's MANIFESTO and README.md documentation.
  • gunicorn (19.6.0-9) — Adding autopkgtest tests.
  • libfiu:
    • 0.94-1 — Add autopkgtest tests.
    • 0.95-1, 0.95-2 & 0.95-3 — New upstream release and improve autopkgtest coverage.
  • python-django (1.10.3-1) — New upstream release.
  • aptfs (0.8-3, 0.8-4 & 0.8-5) — Adding and subsequently improving the autopkgtext tests.


I performed the following QA uploads:



Finally, I also made the following non-maintainer uploads:

  • libident (0.22-3.1) — Move from obsolete Source-Version substvar to binary:Version. (#833195)
  • libpcl1 (1.6-1.1) — Move from obsolete Source-Version substvar to binary:Version. (#833196)
  • pygopherd (2.0.18.4+nmu1) — Move from obsolete Source-Version substvar to ${source:Version}. (#833202)
Debian bugs filed RC bugs

I also filed 59 FTBFS bugs against arc-gui-clients, asyncpg, blhc, civicrm, d-feet, dpdk, fbpanel, freeciv, freeplane, gant, golang-github-googleapis-gax-go, golang-github-googleapis-proto-client-go, haskell-cabal-install, haskell-fail, haskell-monadcatchio-transformers, hg-git, htsjdk, hyperscan, jasperreports, json-simple, keystone, koji, libapache-mod-musicindex, libcoap, libdr-tarantool-perl, libmath-bigint-gmp-perl, libpng1.6, link-grammar, lua-sql, mediatomb, mitmproxy, ncrack, net-tools, node-dateformat, node-fuzzaldrin-plus, node-nopt, open-infrastructure-system-images, open-infrastructure-system-images, photofloat, ppp, ptlib, python-mpop, python-mysqldb, python-passlib, python-protobix, python-ttystatus, redland, ros-message-generation, ruby-ethon, ruby-nokogiri, salt-formula-ceilometer, spykeviewer, sssd, suil, torus-trooper, trash-cli, twisted-web2, uftp & wide-dhcpv6.

FTP Team

As a Debian FTP assistant I ACCEPTed 70 packages: bbqsql, coz-profiler, cross-toolchain-base, cross-toolchain-base-ports, dgit-test-dummy, django-anymail, django-hstore, django-html-sanitizer, django-impersonate, django-wkhtmltopdf, gcc-6-cross, gcc-defaults, gnome-shell-extension-dashtodock, golang-defaults, golang-github-btcsuite-fastsha256, golang-github-dnephin-cobra, golang-github-docker-go-events, golang-github-gogits-cron, golang-github-opencontainers-image-spec, haskell-debian, kpmcore, libdancer-logger-syslog-perl, libmoox-buildargs-perl, libmoox-role-cloneset-perl, libreoffice, linux-firmware-raspi3, linux-latest, node-babel-runtime, node-big.js, node-buffer-shims, node-charm, node-cliui, node-core-js, node-cpr, node-difflet, node-doctrine, node-duplexer2, node-emojis-list, node-eslint-plugin-flowtype, node-everything.js, node-execa, node-grunt-contrib-coffee, node-grunt-contrib-concat, node-jquery-textcomplete, node-js-tokens, node-json5, node-jsonfile, node-marked-man, node-os-locale, node-sparkles, node-tap-parser, node-time-stamp, node-wrap-ansi, ooniprobe, policycoreutils, pybind11, pygresql, pysynphot, python-axolotl, python-drizzle, python-geoip2, python-mockupdb, python-pyforge, python-sentinels, python-waiting, pythonmagick, r-cran-isocodes, ruby-unicode-display-width, suricata & voctomix-outcasts.

I additionally filed 4 RC bugs against packages that had incomplete debian/copyright files against node-cliui, node-core-js, node-cpr & node-grunt-contrib-concat.

Categories: LUG Community Blogs

Steve Engledow (stilvoid): Win or lose?

Wed, 23/11/2016 - 01:02

I never paid any attention in art classes. On reflection, I think we had an awful teacher who more or less ignored those of us with no latent talent or interest. I grew up mildly jealous of people I knew who could draw and always wished I was able.

Over the past few years, I've heard several people say that artistic ability is 10% talent and 90% practice and I've considered giving it a go at some point. Recently, we bought some pencils and a pad for my son and this evening, with a glass of wine at hand and some 70s rock on the stereo, I decided to take the plunge and see what horrors I could submit the unwitting page to.

Here's the first thing I've drawn since school:

It was supposed to be my wife. If you know her, you'll know I failed ;)

I focussed too much on the individual features and not enough on the overall shape. The eyes and hair aren't bad (at least they look something like hers), but the mouth and nose are too large and disproportionate - though recognisable.

I decided to try drawing what was in front of me: a ghost-shaped candle holder:

That's a photo by the way, not my drawing ;)

Here's the drawing. I killed the perspective somewhat but at least it's recognisable!

After I'd drawn the ghost, I decided to have another go at my wife while she wasn't paying attention. This one looks more like her but the eyes look as though she's been in a fight and the hair is a tad more Edward Scissorhands than I'd intended.

Overall, I got a better result than I'd expected from my first three attempts at sketching in 20 years. This might turn into a series.

More than willing to receive criticism and advice from people who know what they're doing with a pencil :)

Categories: LUG Community Blogs

Steve Engledow (stilvoid): Win or lose?

Wed, 23/11/2016 - 01:02

I never paid any attention in art classes. On reflection, I think we had an awful teacher who more or less ignored those of us with no latent talent or interest. I grew up mildly jealous of people I knew who could draw and always wished I was able.

Over the past few years, I've heard several people say that artistic ability is 10% talent and 90% practice and I've considered giving it a go at some point. Recently, we bought some pencils and a pad for my son and this evening, with a glass of wine at hand and some 70s rock on the stereo, I decided to take the plunge and see what horrors I could submit the unwitting page to.

Here's the first thing I've drawn since school:

It was supposed to be my wife. If you know her, you'll know I failed ;)

I focussed too much on the individual features and not enough on the overall shape. The eyes and hair aren't bad (at least they look something like hers), but the mouth and nose are too large and disproportionate - though recognisable.

I decided to try drawing what was in front of me: a ghost-shaped candle holder:

That's a photo by the way, not my drawing ;)

Here's the drawing. I killed the perspective somewhat but at least it's recognisable!

After I'd drawn the ghost, I decided to have another go at my wife while she wasn't paying attention. This one looks more like her but the eyes look as though she's been in a fight and the hair is a tad more Edward Scissorhands than I'd intended.

Overall, I got a better result than I'd expected from my first three attempts at sketching in 20 years. This might turn into a series.

More than willing to receive criticism and advice from people who know what they're doing with a pencil :)

Categories: LUG Community Blogs

Steve Engledow (stilvoid): Win or lose?

Wed, 23/11/2016 - 01:02

I never paid any attention in art classes. On reflection, I think we had an awful teacher who more or less ignored those of us with no latent talent or interest. I grew up mildly jealous of people I knew who could draw and always wished I was able.

Over the past few years, I've heard several people say that artistic ability is 10% talent and 90% practice and I've considered giving it a go at some point. Recently, we bought some pencils and a pad for my son and this evening, with a glass of wine at hand and some 70s rock on the stereo, I decided to take the plunge and see what horrors I could submit the unwitting page to.

Here's the first thing I've drawn since school:

It was supposed to be my wife. If you know her, you'll know I failed ;)

I focussed too much on the individual features and not enough on the overall shape. The eyes and hair aren't bad (at least they look something like hers), but the mouth and nose are too large and disproportionate - though recognisable.

I decided to try drawing what was in front of me: a ghost-shaped candle holder:

That's a photo by the way, not my drawing ;)

Here's the drawing. I killed the perspective somewhat but at least it's recognisable!

After I'd drawn the ghost, I decided to have another go at my wife while she wasn't paying attention. This one looks more like her but the eyes look as though she's been in a fight and the hair is a tad more Edward Scissorhands than I'd intended.

Overall, I got a better result than I'd expected from my first three attempts at sketching in 20 years. This might turn into a series.

More than willing to receive criticism and advice from people who know what they're doing with a pencil :)

Categories: LUG Community Blogs

Mick Morgan: if it be your will

Fri, 11/11/2016 - 17:30

A bleak week just got worse. The results of the US Presidential election are, frankly, beyond belief. We now have a xenophobic, racist, misogynistic megalomaniac waiting to move into the White House and become, literally, the most powerful man on earth.

And now Leonard Cohen has died.

Cohen is one of my all time favourite artists. A writer of beautiful poetry and lyrics beyond compare and endowed with a voice capable of moving me to tears. I cry now because that voice is silenced.

In the mid eighties he wrote “If it be your will” which starts:

If it be your will
That I speak no more
And my voice be still
As it was before
I will speak no more
I shall abide until
I am spoken for
If it be your will

This year he wrote in “You want it darker

If You are the dealer, I’m out of the game
If You are the healer, I’m broken and lame
If Thine is the glory, then mine must be the shame
You want it darker – we kill the flame.
Magnified, sanctified is your holy name
Vilified, crucified in the human frame
A million candles burning for the help that never came
You want it darker – Hineni, Hineni, I’m ready, my Lord.

Now he is gone, in the same week the US voted a dangerous buffoon to the Presidency. If there be a God, he has a cruel sense of humour. The world has just got darker.

Categories: LUG Community Blogs

Chris Lamb: Awarded Core Infrastructure Initiative grant for Reproducible Builds

Fri, 11/11/2016 - 17:04

I'm delighted to announce that I have been awarded a grant from the Core Infrastructure Initiative (CII) to fund my previously-voluntary work on Reproducible Builds.

Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users. The motivation behind the Reproducible Builds effort is to permit verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

I'd like to sincerely thank the CII, not only for their material support but also for their recognition of my existing contributions. I am looking forward to working with my co-grantees towards fulfilling our shared goal.

You can read the CII's press release here.

Categories: LUG Community Blogs

Chris Lamb: Core Infrastructure Initiative grant for Reproducible Builds

Fri, 11/11/2016 - 17:01

I'm delighted to announce that I have been awarded a grant from the Core Infrastructure Initiative (CII) to fund my previously-voluntary work on Reproducible Builds.

Whilst anyone can inspect the original source code of free software for malicious flaws, most GNU/Linux distributions provide pre-compiled software to end users. The motivation behind the Reproducible Builds effort is to allow verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising identical binary packages are always generated from a given source.

I'd like to sincerely thank the CII, not only for their material support but also for their recognition of my existing contributions. I am looking forward to working with my co-grantees towards fulfilling our shared goal.

Press release.

Categories: LUG Community Blogs

Steve Engledow (stilvoid): Rye, oh rye?

Fri, 04/11/2016 - 16:36

A few months ago, I signed up for Flavourly which delivers me different beers every month from small breweries. I've been tucking in to this month's batch and, as I was sitting at my laptop, the beer I'd just opened made me want to review it which is something I've never done before. Excuse my indulgence ;)

Battersea Rye from Sambrook's brewery.

The first words out of my mouth after pouring some of this into my Norwich beer festival 2015 glass and giving it a distracted sip were "ooh, this is nice" which, speaking as a Brit, is high praise. It's these moments I live for when trying new beers; when the first sip is taken while I've got my mind on other things - in this case I was reading a requirements doc - and the taste just takes over making me forget what I was doing - in a good way.

Now that I've paused for a few moments to write that first paragraph, I've just taken a second, more deliberate swig. The initial surprise is out of the way and I can see that there's depth beyond the first sip. It's malty, which I'd expected, but fruity too, which I hadn't - although looking at the label now, I notice it bears a tagline of "bold spicy fruit".

A few moments after that second sip, I can still feel the malt rolling around in my mouth. Time for a third...

Still good but now I'm noticing the strength (I just checked, it's 5.8%). I think the rest of this bottle is going to go down very nicely. I've been suckered into the recent popularity of pale ales and haven't drunk much that's brown for months so this is a very pleasant change and it's particularly nice not to be assaulted by the overly malty taste that some darker brews bring to the table.

Half the bottle down and this is definitely living up to the "bold" part of its tagline which suits me just fine; I'm a fan of stronger beers generally. Give me some Good King Henry any day of the week and I'm a happy man. The fruitiness is starting to dissipate and giving way to a foamy mouthfeel that I'm willing to look past. A large gulp brings back the fruity taste as I let the beer swill around. At the risk of sounding like a wine taster, there's cherry, dates, and perhaps fig there.

All in all, I'm thoroughly enjoying this beer. It crossed my mind briefly that perhaps it would be better if it had less fizz and was slightly less alcoholic but on reflection, as I near the bottom of the glass, I think that would take away from the balance.

I'd give this a rating but they're only of any use against other ratings and this is the first beer I've reviewed ;)

If it helps, my wife, who generally only drinks pale ales, said "hmm, very nice".

Categories: LUG Community Blogs

Steve Engledow (stilvoid): Rye, oh rye?

Fri, 04/11/2016 - 16:36

A few months ago, I signed up for Flavourly which delivers me different beers every month from small breweries. I've been tucking in to this month's batch and, as I was sitting at my laptop, the beer I'd just opened made me want to review it which is something I've never done before. Excuse my indulgence ;)

Battersea Rye from Sambrook's brewery.

The first words out of my mouth after pouring some of this into my Norwich beer festival 2015 glass and giving it a distracted sip were "ooh, this is nice" which, speaking as a Brit, is high praise. It's these moments I live for when trying new beers; when the first sip is taken while I've got my mind on other things - in this case I was reading a requirements doc - and the taste just takes over making me forget what I was doing - in a good way.

Now that I've paused for a few moments to write that first paragraph, I've just taken a second, more deliberate swig. The initial surprise is out of the way and I can see that there's depth beyond the first sip. It's malty, which I'd expected, but fruity too, which I hadn't - although looking at the label now, I notice it bears a tagline of "bold spicy fruit".

A few moments after that second sip, I can still feel the malt rolling around in my mouth. Time for a third...

Still good but now I'm noticing the strength (I just checked, it's 5.8%). I think the rest of this bottle is going to go down very nicely. I've been suckered into the recent popularity of pale ales and haven't drunk much that's brown for months so this is a very pleasant change and it's particularly nice not to be assaulted by the overly malty taste that some darker brews bring to the table.

Half the bottle down and this is definitely living up to the "bold" part of its tagline which suits me just fine; I'm a fan of stronger beers generally. Give me some Good King Henry any day of the week and I'm a happy man. The fruitiness is starting to dissipate and giving way to a foamy mouthfeel that I'm willing to look past. A large gulp brings back the fruity taste as I let the beer swill around. At the risk of sounding like a wine taster, there's cherry, dates, and perhaps fig there.

All in all, I'm thoroughly enjoying this beer. It crossed my mind briefly that perhaps it would be better if it had less fizz and was slightly less alcoholic but on reflection, as I near the bottom of the glass, I think that would take away from the balance.

I'd give this a rating but they're only of any use against other ratings and this is the first beer I've reviewed ;)

If it helps, my wife, who generally only drinks pale ales, said "hmm, very nice".

Categories: LUG Community Blogs

Chris Lamb: Free software activities in October 2016

Mon, 31/10/2016 - 20:48

Here is my monthly update covering what I have been doing in the free software world (previously):

  • Made a large number of improvements to travis.debian.net, my hosted service for projects that host their Debian packaging on GitHub to use the Travis CI continuous integration platform to test builds on every code change:
    • Enabled the use of Git submodules. Thanks to @unera & @hosiet. (#30)
    • Managed a contribution from @xhaakon to allow adding an extra repository for custom dependencies. (#17)
    • Fixed an issue where builds did not work under Debian Wheezy or Ubuntu Trusty due to a call to dpkg-buildpackage --show-field. (#28)
    • Fixed an issue where TRAVIS_DEBIAN_EXTRA_REPOSITORY was accidentally required. (#27)
    • Made a number of miscellaneous cosmetic improvements. (f7e5b080 & 037de91cc, etc.)
  • Submitted a pull request to Alabaster, the default theme for the Python Sphinx documentation system, to ensure that "extra navigation links" are rendered reproducibly. (#90)
  • Improved my Chrome extension for the FastMail web interface:
    • Managed a pull request from @jlerner to add an optional confirmation dialogue before sending any message. (#10)
    • Added an optional Ctrl+Enter alias for Alt+Enter to limit searches to the current folder; the latter shortcut is already mapped by my window manager. (d691b07)
    • Various cosmetic changes to the options page. (7b95e887 & 833ff0fe)
  • Submitted two pull requests to mypy, an experimental static type checker for Python:
    • Ensure that the output of --usage is reproducible. (#2234)
    • Update the --usage output to match the — now-reproducible — output. (#2235)
  • Updated django-slack, my library to easily post messages to the Slack group-messaging utility:
    • Merged a feature from @lvpython to add an option to post the message as the authenticated user rather than the specified one. (#59)
    • Merged a documentation update from @ataylor32 regarding the new method of generating access tokens. (#58)
  • Made a number of cosmetic improvements to AptFs, my FUSE-based filesystem that provides a view on unpacked Debian source packages as regular folders.
  • Updated the SSL certificate for try.diffoscope.org, a hosted version of the diffoscope in-depth and content-aware diff utility. Continued thanks to Bytemark for sponsoring the hardware.

Debian & Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, most GNU/Linux distributions provide binary (or "compiled") packages to end users. The motivation behind the Reproducible Builds effort is to allow verification that no flaws have been introduced — either maliciously and accidentally — during this compilation process by promising identical binary packages are always generated from a given source.

  • Presented a talk entitled "Reproducible Builds" talk at Software Freedom Kosova, in Prishtina, Republic of Kosovo.

  • I filed my 2,500th bug in the Debian BTS: #840972: golang-google-appengine: accesses the internet during build.

  • In order to build packages reproducibly, one not only needs identical sources but also some external and sharable definition of the environment used for a particular build, stipulating such things such as the version numbers of the required build-dependencies.

    It is not currently clear how to handle these .buildinfo files after the archive software has processed them and how to make them available to the world so I started development on a proof-of-concept server to see what issues arise in practice. It is available at buildinfo.debian.net.

  • Chaired an IRC meeting and ran a poll to determine a regular time .

  • Submitted two design proposals to our wiki page.

  • Improvements to our tests.reproducible-builds.org testing framework:

    • Move regular "Scheduled in..." messages to the #debian-reproducible-changes IRC channel.
    • Use our log_info method instead of manual echo calls.
    • Correct an "all sources packages" → "all source packages" typo.
    • Submit .buildinfo files to buildinfo.debian.net.
    • Create GPG key on nodes for buildinfo.debian.net at deploy time, not "lazily".

My work in the Reproducible Builds project was also covered in our weekly reports. (#75, #76, #77 & #78).


I also submitted 14 patches to fix specific reproducibility issues in bio-eagle, cf-python, fastx-toolkit, fpga-icestorm, http-icons, lambda-align, mypy, playitslowly, seabios, stumpwm, sympa, tj3, wims-help & xotcl.

Debian LTS

This month I have been paid to work 13 hours on Debian Long Term Support (LTS). In that time I did the following:

  • Seven days of "frontdesk" duties, triaging CVEs, etc.
  • Issued DLA 647-1 for freeimage correcting an out-of-bounds write vulnerability in the XMP image handling functionality.
  • Issued DLA 649-1 for python-django fixing a possible CSRF protection bypass on sites that use Google Analytics.
  • Issued DLA 654-1 for libxfixes preventing an integer overflow when a malicious client sent INT_MAX as a "length".
  • Issued DLA 662-1 for quagga correcting a programming error where two constants were confused that could cause stack overrun in IPv6 routing code.
  • Issued DLA 688-1 for cairo to prevent a DoS attack where a malicious SVG could generate invalid pointers.
Patches contributed
Uploads
  • gunicorn:
    • 19.6.0-7 — Set supplementary groups when changing uid, add an example systemd .service file to gunicorn-examples, and expand README.Debian to make it clearer what to do now that /etc/gunicorn.d has been removed.
    • 19.6.0-8 — Correct previous supplementary groups patch to be compatible with Python 3.
  • redis:
    • 3:3.2.4-2 — Ensure that sentinel's configuration actually writes to a pidfile location so that systemd can detect that the daemon has started.
    • 3:3.2.5-1 — New upstream release.
  • libfiu:
    • 0.94-8 — Fix FTBFS under Bash due to lack of && in debian/rules.
    • 0.94-9 — Ensure the build is reproducible by sorting injected modules.
  • aptfs (2:0.8-2) — Minor cosmetic changes.

Sponsored uploads
NMUs
  • libxml-dumper-perl (0.81-1.2) — Move away from a unsupported debhelper compat level 4.
  • netatalk (2.2.5-1.1) — Drop build-dependency on hardening-includes.

QA uploads
  • anon-proxy (00.05.38+20081230-4) — Move to a supported debhelper compatibility level 9.
  • ara (1.0.32) — Make the build reproducible.
  • binutils-m68hc1x (1:2.18-8) — Make the build reproducible & move to a supported debhelper compatibility level.
  • fracplanet (0.4.0-5) — Make the build reproducible.
  • libnss-ldap (265-5) — Make the build reproducible.
  • python-uniconvertor (1.1.5-3) — Fix an "option release requires an argument" FTBFS. (#839375)
  • ripole (0.2.0+20081101.0215-3) — Actually include the ripole binary in package. (#839919) & enable hardening flags.
  • twitter-bootstrap (2.0.2+dfsg-10) — Fix incorrect copyright formatting when building under Bash. (#824592)
  • zpaq (1.10-3) — Make the build reproducible.
Bugs filed (without patches)

I additionally filed 7 bugs for packages that access the internet during build against berkshelf, golang-google-appengine, node-redis, python-eventlet, python-keystoneclient, python-senlinclient & tornado-pyvows.


RC bugs

I also filed 65 FTBFS bugs against android-platform-external-jsilver, auto-multiple-choice, awscli, batmon.app, bgpdump, cacti-spine, cucumber, check, debci, eximdoc4, freetennis, freezegun, gatos, git/gnuit, gnucash, grads, haskell-debian, haskell-hsopenssl-x509-system, homesick, ice-builder-gradle, kscreen, latex-cjk-japanese-wadalab, libdbd-firebird-perl, libgit2, libp11, libzypp, mozart-stdlib, mqtt-client, mtasc, musicbrainzngs, network-manager-openvpn, network-manager-vpnc, nim, node-lodash, node-once, npgsql, ocamlbuild, ocamldsort, ohai, partclone, plaso, polyglot-maven, projectreactor, python-launchpadlib, python-pygraphviz, python-pygraphviz, python-pygraphviz, python-textile, qbittorrent, qbrew, qconf, qjoypad, rdp-alignment, reel, ruby-foreman, ruby-gettext, ruby-gruff, ruby-rspec-rails, samtools, sbsigntool, spock, sugar, taglib-extras, tornado-pyvows, unifdef, virt-top, vmware-nsx & zshdb.

Debian FTP Team

As a Debian FTP assistant I ACCEPTed 147 packages: ace-link, amazon-s2n, avy, basez, bootstrap-vz, bucklespring, camitk, carettah, cf-python, debian-reference, dfcgen-gtk, efivar, entropybroker, fakesleep, gall, game-data-packager, gitano, glare, gnome-panel, gnome-shell-extension-dashtodock, gnome-shell-extension-refreshwifi, gnome-shell-extension-remove-dropdown-arrows, golang-github-gogits-go-gogs-client, golang-github-gucumber-gucumber, golang-github-hlandau-buildinfo, golang-github-hlandau-dexlogconfig, golang-github-hlandau-goutils, golang-github-influxdata-toml, golang-github-jacobsa-crypto, golang-github-kjk-lzma, golang-github-miekg-dns, golang-github-minio-sha256-simd, golang-github-nfnt-resize, golang-github-nicksnyder-go-i18n, golang-github-pointlander-compress, golang-github-pointlander-jetset, golang-github-pointlander-peg, golang-github-rfjakob-eme, golang-github-thecreeper-go-notify, golang-github-twstrike-gotk3adapter, golang-github-unknwon-goconfig, golang-gopkg-dancannon-gorethink.v1, golang-petname, haskell-argon2, haskell-binary-parsers, haskell-bindings-dsl, haskell-deriving-compat, haskell-hackage-security, haskell-hcwiid, haskell-hsopenssl-x509-system, haskell-megaparsec, haskell-mono-traversable-instances, haskell-prim-uniq, haskell-raaz, haskell-readable, haskell-readline, haskell-relational-record, haskell-safe-exceptions, haskell-servant-client, haskell-token-bucket, haskell-zxcvbn-c, irclog2html, ironic-ui, lace, ledger, libdancer2-plugin-passphrase-perl, libdatetime-calendar-julian-perl, libdbix-class-optimisticlocking-perl, libdbix-class-schema-config-perl, libgeo-constants-perl, libgeo-ellipsoids-perl, libgeo-functions-perl, libgeo-inverse-perl, libio-async-loop-mojo-perl, libmojolicious-plugin-assetpack-perl, libmojolicious-plugin-renderfile-perl, libparams-validationcompiler-perl, libspecio-perl, libtest-time-perl, libtest2-plugin-nowarnings-perl, linux, lua-scrypt, mono, mutt-vc-query, neutron, node-ansi-font, node-buffer-equal, node-defaults, node-formatio, node-fs-exists-sync, node-fs.realpath, node-is-buffer, node-jison-lex, node-jju, node-jsonstream, node-kind-of, node-lex-parser, node-lolex, node-loud-rejection, node-random-bytes, node-randombytes, node-regex-not, node-repeat-string, node-samsam, node-set-value, node-source-map-support, node-spdx-correct, node-static-extend, node-test, node-to-object-path, node-type-check, node-typescript, node-unset-value, nutsqlite, opencv, openssl1.0, panoramisk, perl6, pg-rage-terminator, pg8000, plv8, puppet-module-oslo, pymoc, pyramid-jinja2, python-bitbucket-api, python-ceilometermiddleware, python-configshell-fb, python-ewmh, python-gimmik, python-jsbeautifier, python-opcua, python-pyldap, python-s3transfer, python-testing.common.database, python-testing.mysqld, python-testing.postgresql, python-wheezy.template, qspeakers, r-cran-nleqslv, recommonmark, rolo, shim, swift-im, tendermint-go-clist, tongue, uftrace & zaqar-ui.

Categories: LUG Community Blogs

Chris Lamb: Concorde

Mon, 24/10/2016 - 18:59

Today marks the 13th anniversary since the last passenger flight from New York arrived in the UK. Every seat was filled, a feat that had become increasingly rare for a plane that was a technological marvel but a commercial flop….


  • Only 20 aircraft were ever built despite 100 orders, most of them cancelled in the early 1970s.
  • Taxiing to the runway consumed 2 tons of fuel.
  • The white colour scheme was specified to reduce the outer temperature by about 10°C.
  • In a promotional deal with Pepsi, F-BTSD was temporarily painted blue. Due to the change of colour, Air France were advised to remain at Mach 2 for no more than 20 minutes at a time.
  • At supersonic speed the fuselage would heat up and expand by as much as 30cm. The most obvious manifestation of this was a gap that opened up on the flight deck between the flight engineer's console and the bulkhead. On some aircraft conducting a retiring supersonic flight, the flight engineers placed their caps in this expanded gap, permanently wedging the cap as it shrank again.
  • At Concorde's altitude a breach of cabin integrity would result in a loss of pressure so severe that passengers would quickly suffer from hypoxia despite application of emergency oxygen. Concorde was thus built with smaller windows to reduce the rate of loss in such a breach.
  • The high cruising altitude meant passengers received almost twice the amount of radiation as a conventional long-haul flight. To prevent excessive exposure, the flight deck comprised of a radiometer; if the radiation level became too high, pilots would descend below 45,000 feet.
  • BA's service had a greater number of passengers who booked a flight and then failed to appear than any other aircraft in their fleet.
  • Market research later in Concorde's life revealed that customers thought Concorde was more expensive than it actually was. Ticket prices were progressively raised to match these perceptions.
  • The fastest transatlantic airliner flight was from New York JFK to London Heathrow on 7 February 1996 by British Airways' G-BOAD in 2 hours, 52 minutes, 59 seconds from takeoff to touchdown. It was aided by a 175 mph tailwind.


See also: A Rocket to Nowhere.

Categories: LUG Community Blogs

Mick Morgan: do not click here

Mon, 24/10/2016 - 11:22

I have just noticed that the getsafeonline campaign’s website contains this wonderfully ironic side bar graphic.

Go on, you know you want to.

Categories: LUG Community Blogs

Daniel Silverstone (Kinnison): Gitano - Approaching Release - Deprecated commands

Mon, 24/10/2016 - 02:24

As mentioned previously I am working toward getting Gitano into Stretch. Last time we spoke about lace, on which a colleague and friend of mine (Richard Maw) did a large pile of work. This time I'm going to discuss deprecation approaches and building more capability out of fewer features.

First, a little background -- Gitano is written in Lua which is a deliberately small language whose authors spend more time thinking about what they can remove from the language spec than they do what they could add in. I first came to Lua in the 3.2 days, a little before 4.0 came out. (The authors provide a lovely timeline in case you're interested.) With each of the releases of Lua which came after 3.2, I was struck with how the authors looked to take a number of features which the language had, and collapse them into more generic, more powerful, smaller, fewer features.

This approach to design stuck with me over the subsequent decade, and when I began Gitano I tried to have the smallest number of core features/behaviours, from which could grow the power and complexity I desired. Gitano is, at its core, a set of files in a single format (clod) stored in a consistent manner (Git) which mediate access to a resource (Git repositories). Some of those files result in emergent properties such as the concept of the 'owner' of a repository (though that can simply be considered the value of the project.owner property for the repository). Indeed the concept of the owner of a repository is a fiction generated by the ACL system with a very small amount of collusion from the core of Gitano. Yet until recently Gitano had a first class command set-owner which would alter that one configuration value.

[gitano] set-description ---- Set the repo's short description (Takes a repo) [gitano] set-head ---- Set the repo's HEAD symbolic reference (Takes a repo) [gitano] set-owner ---- Sets the owner of a repository (Takes a repo)

Those of you with Gitano installations may see the above if you ask it for help. Yet you'll also likely see:

[gitano] config ---- View and change configuration for a repository (Takes a repo)

The config command gives you access to the repository configuration file (which, yes, you could access over git instead, but the config command can be delegated in a more fine-grained fashion without having to write hooks). Given the config command has all the functionality of the three specific set-* commands shown above, it was time to remove the specific commands.

Migrating

If you had automation which used the set-description, set-head, or set-owner commands then you will want to switch to the config command before you migrate your server to the current or any future version of Gitano.

In brief, where you had:

ssh git@gitserver set-FOO repo something

You now need:

ssh git@gitserver config repo set project.FOO something

It looks a little more wordy but it is consistent with the other features that are keyed from the project configuration, such as:

ssh git@gitserver config repo set cgitrc.section Fooble Section Name

And, of course, you can see what configuration is present with:

ssh git@gitserver config repo show

Or look at a specific value with:

ssh git@gitserver config repo show specific.key

As always, you can get more detailed (if somewhat cryptic) help with:

ssh git@gitserver help config

Next time I'll try and touch on the new PGP/GPG integration support.

Categories: LUG Community Blogs

Mick Morgan: NFC? NFW

Sat, 22/10/2016 - 19:48

As is our custom on a Saturday, this morning my wife and I went out to a local cafe for breakfast. We know the proprietress so I was chatting to her whilst paying for the meal. Part way through the chat, the cafe proprietress tore off the receipt from the POS terminal and removed my debit card and handed it back to me.

Me: “Hang on, I haven’t entered my PIN. Are you sure that has been paid?”
CP: “Yes, it says here it’s paid.”
Me: “I have NOT authorised that transaction. It cannot be paid.”
CP: “Oh, don’t worry, we accept “swipe to pay” it probably just authorised that as you put your card in the terminal.”
Me: “That cannot happen. That card is not “swipe to pay” enabled. And I haven’t authorised any payment yet.”
CP (looking at receipt): “It says here “Contactless Sale” and the payment has been authorised”.
Me: “Show me that receipt.”

Sure enough, the receipt showed a “Contactless Sale” for the amount of the breakfast, however, the card type shown, and the last four digits of the card quoted were not those of my debit card. But I did recognise the card type as one I hold in my wallet so I checked that. Sure enough, that card has the WiFi symbol on it and the last four digits matched that on the Cafe receipt. So the POS terminal had taken the payment from a card in my wallet and not the card I had actually inserted.

That should not happen. And the fact that it did worries the hell out of me.

At the time the payment was taken, my wallet holding the other card was in my left hand (I had just removed my debit card from it with my right hand because I am right handed). So I placed that wallet on the counter beside me so that I could pick up the POS terminal in my left hand allowing me push my debit card in with my right hand and then enter my PIN. Replaying that action afterwards I am absolutely certain that at no time was my wallet anywhere nearer than a foot or more away from the POS terminal. Moreover that terminal had a card inserted – my debit card – and it should have been waiting for my PIN authorisation. So what happened?

I don’t know. And as I said above, that worries me.

I have checked both Wikipedia for details of the standards used in passive NFC of the type used in contactless payment and the “Security FAQ” for contactless payments on the Smart Card Alliance site (warning, PDF). Both those references tell me what I thought I already knew – NFC is only supposed to work at ranges of up to 2-4 inches (or 10 cm). No way was my wallet ever anywhere near 10 cm from that POS terminal. The closest it could have been was at least a foot away.

If this can happen to me, then I am certain it must have happened to others. Possibly to others who have been charged for someone else’s transaction simply because their NFC enabled card happens to be within range of the POS in question. In such cases, neither the actual customer nor the unwitting person really charged for the transaction would be any the wiser at the time of the transaction. Nor would the retailer know or care because they have a receipt for a contactless sale.

I’ll bet there have been some interesting conversations between such unwitting payers and their banks when the payment was noticed and then disputed.

Meanwhile, I’m going to find out whether I can get a card without the NFC capability to replace the card I unwittingly used to pay for breakfast. No way do I want this to happen again.

Categories: LUG Community Blogs

Mick Morgan: variable substitution in lighttpd

Wed, 19/10/2016 - 16:25

I’ve been a lighty user for many years now, having junked apache when it became obviously overweight for my target devices (the slugs in particular). Trivia is, of course, powered by lighty as are all my other websites.

Lighty’s configuration file syntax is reasonably simple to understand, and is well documented on the Redmine wiki. The guys at Calomel.org have also put together quite a nice introduction to lighty. If you haven’t tried it, and find that apache is becoming too much of a resource hog for you, I’d recommend that you give lighty a run.

I use lighty’s access control mechanisms to prevent random bots and bad guys from reaching trivia’s administrative functions and I do this in much the same way as I limit access to my ssh and openvpn daemons – I restrict access to the fixed IP address assigned to my router by my ISP. So in the lighty virtual host configuration file I use the following construct:

$HTTP[“remoteip”] !~ “12.34.56.78” {
$HTTP[“url”] =~ “^/wp-admin/” {
url.access-deny = (“”)
}

That says: if the remote IP address is not 12.34.56.78, then deny access to the wp-admin directory.

Now I have several virtual hosts running and I also protect several directories. I also use a similar construct to redirect all my own access to my websites to port 443 so that I can always be certain that my own connection is encrypted and my authentication credentials will be protected. This means, of course, that I have several entries of the form: “if this IP address, then take this action” dotted around my configuration files. Not good. A recent change of ISP meant that my IP address has changed and I needed to edit my configuration files or find myself locked out. The most important files to change were my iptables rules so that I could still get ssh access on all my VMs. This didn’t take long because I have all the important configuration details (ssh IP addresses and ports, openvpn port, DNS addresses etc.) defined at the head of the bash script. One change is all that is necessary and bash variable substitution takes care of the rest. But my lighty configuration files were a different matter and I had to check carefully to ensure that I didn’t miss an important change. That’s just daft. Surely lighty allows for variable assignment and substitution. And of course it does, I just hadn’t checked before now.

The syntax looks like this:

At the head of the configuration file make an entry of the form:

# set our fixed remote ip address used in access control

IP = “23.45.67.89”

and then change the earlier configuration lines to:

$HTTP[“remoteip”] !~ IP {
$HTTP[“url”] =~ “^/wp-admin/” {
url.access-deny = (“”)
}

Simple, and I feel a complete idiot for not noticing this before.

Categories: LUG Community Blogs

MJ Ray: Rinse and repeat

Tue, 18/10/2016 - 04:28

Forgive me, reader, for I have sinned. It has been over a year since my last blog post. Life got busy. Paid work. Another round of challenges managing my chronic illness. Cycle campaigning. Fun bike rides. Friends. Family. Travels. Other social media to stroke. I’m still reading some of the planets where this blog post should appear and commenting on some, so I’ve not felt completely cut off, but I am surprised how many people don’t allow comments on their blogs any more (or make it too difficult for me with reCaptcha and the like).

The main motive for this post is to test some minor upgrades, though. Hi everyone. How’s it going with you? I’ll probably keep posting short updates in the future.

Go in peace to love and serve the web.

Categories: LUG Community Blogs

Daniel Silverstone (Kinnison): Gitano - Approaching Release - Access Control Changes

Sat, 15/10/2016 - 03:11

As mentioned previously I am working toward getting Gitano into Stretch. A colleague and friend of mine (Richard Maw) did a large pile of work on Lace to support what we are calling sub-defines. These let us simplify Gitano's ACL files, particularly for individual projects.

In this posting, I'd like to cover what has changed with the access control support in Gitano, so if you've never used it then some of this may make little sense. Later on, I'll be looking at some better user documentation in conjunction with another friend of mine (Lars Wirzenius) who has promised to help produce a basic administration manual before Stretch is totally frozen.

Sub-defines

With a more modern lace (version 1.3 or later) there is a mechanism we are calling 'sub-defines'. Previously if you wanted to write a ruleset which said something like "Allow Steve to read my repository" you needed:

define is_steve user exact steve allow "Steve can read my repo" is_steve op_read

And, as you'd expect, if you also wanted to grant read access to Jeff then you'd need yet set of defines:

define is_jeff user exact jeff define is_steve user exact steve define readers anyof is_jeff is_steve allow "Steve and Jeff can read my repo" readers op_read

This, while flexible (and still entirely acceptable) is wordy for small rulesets and so we added sub-defines to create this syntax:

allow "Steve and Jeff can read my repo" op_read [anyof [user exact jeff] [user exact steve]]

Of course, this is generally neater for simpler rules, if you wanted to add another user then it might make sense to go for:

define readers anyof [user exact jeff] [user exact steve] [user exact susan] allow "My friends can read my repo" op_read readers

The nice thing about this sub-define syntax is that it's basically usable anywhere you'd use the name of a previously defined thing, they're compiled in much the same way, and Richard worked hard to get good error messages out from them just in case.

No more auto_user_XXX and auto_group_YYY

As a result of the above being implemented, the support Gitano previously grew for automatically defining users and groups has been removed. The approach we took was pretty inflexible and risked compilation errors if a user was deleted or renamed, and so the sub-define approach is much much better.

If you currently use auto_user_XXX or auto_group_YYY in your rulesets then your upgrade path isn't bumpless but it should be fairly simple:

  1. Upgrade your version of lace to 1.3
  2. Replace any auto_user_FOO with [user exact FOO] and similarly for any auto_group_BAR to [group exact BAR].
  3. You can now upgrade Gitano safely.
No more 'basic' matches

Since Gitano first gained support for ACLs using Lace, we had a mechanism called 'simple match' for basic inputs such as groups, usernames, repo names, ref names, etc. Simple matches looked like user FOO or group !BAR. The match syntax grew more and more arcane as we added Lua pattern support refs ~^refs/heads/${user}/. When we wanted to add proper PCRE regex support we added a syntax of the form: user pcre ^/.+?... where pcre could be any of: exact, prefix, suffix, pattern, or pcre. We had a complex set of rules for exactly what the sigils at the start of the match string might mean in what order, and it was getting unwieldy.

To simplify matters, none of the "backward compatibility" remains in Gitano. You instead MUST use the what how with match form. To make this slightly more natural to use, we have added a bunch of aliases: is for exact, starts and startswith for prefix, and ends and endswith for suffix. In addition, kind of match can be prefixed with a ! to invert it, and for natural looking rules not is an alias for !is.

This means that your rulesets MUST be updated to support the more explicit syntax before you update Gitano, or else nothing will compile. Fortunately this form has been supported for a long time, so you can do this in three steps.

  1. Update your gitano-admin.git global ruleset. For example, the old form of the defines used to contain define is_gitano_ref ref ~^refs/gitano/ which can trivially be replaced with: define is_gitano_ref prefix refs/gitano/
  2. Update any non-zero rulesets your projects might have.
  3. You can now safely update Gitano

If you want a reference for making those changes, you can look at the Gitano skeleton ruleset which can be found at https://git.gitano.org.uk/gitano.git/tree/skel/gitano-admin/rules/ or in /usr/share/gitano if Gitano is installed on your local system.

Next time, I'll likely talk about the deprecated commands which are no longer in Gitano, and how you'll need to adjust your automation to use the new commands.

Categories: LUG Community Blogs

Daniel Silverstone (Kinnison): Gitano - Approaching Release - Changes

Fri, 14/10/2016 - 13:30

Continuing on from the previous article, here is a (probably incomplete) list of the critical changes to Gitano which have been, or will be, worked on during the run toward a 1.0 release. Each of these will have a blog posting to discuss what the changes mean for current and future users. Sometimes I'll aggregate postings, sometimes I won't.

The following are some highlights from the past little while of development which has been undertaken by Richard and myself. Each item is, I feel, important enough to warrant commentary, even for those who already use Gitano.

  • Lace now supports a sub-define syntax: [foo bar] which makes for simpler rulesets.
  • Gitano no longer creates auto_user_XXX and auto_group_XXX Lace predicates
  • Gitano no longer supports "basic" simple matches of the form user foo but instead requires a match kind such as group prefix bar-.
  • Gitano is gaining i18n/l10n support, though it will not be complete for version 1.0 the basics will be in place.
  • Gitano is gaining a much larger integration test suite using yarn.
  • Deprecated commands have now been removed from Gitano. (e.g. no more set-owner)
  • Gitano has gained PGP/GPG signature verification for commits and tags.

Any number of smaller things have been done which fall below some arbitrary barrier for telling you about. If you're aware of any of them and feel they are worthwhile telling the world about, then please prod me and I'll add an article to the series.

Finally it's worth noting that the effort to get all this into Debian Stretch proceeds apace. Of the eight packages needed, at the time of posting: one was already in and has been updated (luxio), three have been accepted into Debian already (supple, clod, lua-scrypt), two are in NEW (gall and lace), and that leaves the newest library (tongue) and then Gitano itself still to go. The Debian FTP team have been awesome in helping me with all this, so thanks go to them.

Categories: LUG Community Blogs

Daniel Silverstone (Kinnison): Gitano - Approaching Release - Work

Tue, 04/10/2016 - 04:41

I have been working quite hard, along with my friend and colleague Richard Maw, on getting Gitano ready for a release suitable for inclusion into Debian Stretch.

You can see how we're doing on the various Trello boards for:

As Richard and I work toward a version of Gitano we're prepared to support long-term in Debian we are making many changes to make our lives easier. For those of you who have been using Gitano over the past few years, you'll need to pay attention to some postings which will be coming soon about how to make the changes you need so as to not explode horribly when you upgrade to the version we're releasing soon. For those of you who are not yet using Gitano but feel like you might want to; I'll also be producing some postings about getting started with the packages. And for those happily running current HEAD of Gitano already, I'll be posting about some of the new features over the next little while in case you're not aware of them.

IMPORTANT: If you're using Gitano already and have any issues or feature requests then please please please let me know ASAP otherwise they're unlikely to be resolved/implemented before 1.0. irl already asked for the facility to verify GPG signed commits and tags, but if you want anything else considering then I need to know v. soon. (Ideally email me, but you may comment on this posting too if you must)

Categories: LUG Community Blogs

Chris Lamb: Free software activities in September 2016

Fri, 30/09/2016 - 21:44

Here is my monthly update covering what I have been doing in the free software world (previous month):

Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, most Linux distributions provide binary (or "compiled") packages to end users.

The motivation behind the Reproducible Builds effort is to allow verification that no flaws have been introduced — either maliciously and accidentally — during this compilation process by promising identical binary packages are always generated from a given source.

My work in the Reproducible Builds project was also covered in our weekly reports #71, #72, #73 & #74.

I made the following improvements to our tools:


diffoscope

diffoscope is our "diff on steroids" that will not only recursively unpack archives but will transform binary formats into human-readable forms in order to compare them.

  • Added a global Progress object to track the status of the comparison process allowing for graphical and machine-readable status indicators. I also blogged about this feature in more detail.
  • Moved the global Config object to a more Pythonic "singleton" pattern and ensured that constraints are checked on every change.

disorderfs

disorderfs is our FUSE filesystem that deliberately introduces nondeterminism into the results of system calls such as readdir(3).

  • Display the "disordered" behaviour we intend to show on startup. (#837689)
  • Support relative paths in command-line parameters (previously only absolute paths were permitted).

strip-nondeterminism

strip-nondeterminism is our tool to remove specific information from a completed build.

  • Fix an issue where temporary files were being left on the filesystem and add a test to avoid similar issues in future. (#836670)
  • Print an error if the file to normalise does not exist. (#800159)
  • Testsuite improvements:
    • Set the timezone in tests to avoid a FTBFS and add a File::StripNondeterminism::init method to the API to to set tzset everywhere. (#837382)
    • "Smoke test" the strip-nondeterminism(1) and dh_strip_nondeterminism(1) scripts to prevent syntax regressions.
    • Add a testcase for .jar file ordering and normalisation.
    • Check the stripping process before comparing file attributes to make it less confusing on failure.
    • Move to a lookup table for descriptions of stat(1) indices and use that for nicer failure messages.
    • Don't uselessly test whether the inode number has changed.
  • Run perlcritic across the codebase and adopt some of its prescriptions including explicitly using oct(..) for integers with leading zeroes, avoiding mixing high and low-precedence booleans, ensuring subroutines end with a return statement, etc.

I also submitted 4 patches to fix specific reproducibility issues in golang-google-grpc, nostalgy, python-xlib & torque.



Debian
Patches contributed Debian LTS

This month I have been paid to work 12.75 hours on Debian Long Term Support (LTS). In that time I did the following:

  • "Frontdesk" duties, triaging CVEs, etc.
  • Issued DLA 608-1 for mailman fixing a CSRF vulnerability.
  • Issued DLA 611-1 for jsch correcting a path traversal vulnerability.
  • Issued DLA 620-1 for libphp-adodb patching a SQL injection vulnerability.
  • Issued DLA 631-1 for unadf correcting a buffer underflow issue.
  • Issued DLA 634-1 for dropbear fixing a buffer overflow when parsing ASN.1 keys.
  • Issued DLA 635-1 for dwarfutils working around an out-of-bounds read issue.
  • Issued DLA 638-1 for the SELinux policycoreutils, patching a sandbox escape issue.
  • Enhanced Brian May's find-work --unassigned switch to take an optional "except this user" argument.
  • Marked matrixssl and inspircd as being unsupported in the current LTS version.
Uploads
  • python-django 1:1.10.1-1 — New upstream release and ensure that django-admin startproject foo creates files with the correct shebang under Python 3.
  • gunicorn:
    • 19.6.0-5 — Don't call chown(2) if it would be a no-op to avoid failure under snap.
    • 19.6.0-6 — Remove now-obsolete conffiles and logrotate scripts; they should have been removed in 19.6.0-3.
  • redis:
    • 3.2.3-2 — Call ulimit -n 65536 by default from SysVinit scripts to normalise the behaviour with systemd. I also bumped the Debian package epoch as the "2:" prefix made it look like we are shipping version 2.x. I additionaly backported this upload to Debian Jessie.
    • 3.2.4-1 — New upstream release, add missing -ldl for dladdr(3) & add missing dependency on lsb-base.
  • python-redis (2.10.5-2) — Bump python-hiredis to Suggests to sync with Ubuntu and move to a machine-readable debian/copyright. I also backported this upload to Debian Jessie.
  • adminer (4.2.5-3) — Move mysql-server dependencies to default-mysql-server. I also backported this upload to Debian Jessie.
  • gpsmanshp (1.2.3-5) on behalf of the QA team:
    • Move to "minimal" debhelper style, making the build reproducible. (#777446 & #792991)
    • Reorder linker command options to build with --as-needed (#729726) and add hardening flags.
    • Move to machine-readable copyright file, add missing #DEBHELPER# tokens to postinst and prerm scripts, tidy descriptions & other debian/control fields and other smaller changes.

I sponsored the upload of 5 packages from other developers:


I also NMU'd:



RC bugs

I filed 37 FTBFS bugs against csoundqt, cups-filters, dymo-cups-drivers, easytag, erlang-p1-oauth2, erlang-p1-sqlite3, erlang-p1-xmlrpc, erlang-redis-client, fso-datad, gnome-python-desktop, gnote, gstreamermm-1.0, gtkglextmm, gupnp-dlna, haskell-hmatrix-gsl, jdeb, kryo-serializers, libcmrt, libfso-glib, libmonitoring-livestatus-perl, librasterlite2, network-manager, print-manager, psychtoolbox-3, python-3to2, python-tidylib, recutils, slang2, snd, sugar, tj3, transmission-remote-gtk, vino, webkit2pdf, xml-core, xml-core & xml-core.

I additionally filed 2 "important" bugs for packages that access the internet during build against gnupg2 & libgdata.

FTP Team

As a Debian FTP assistant I ACCEPTed 147 packages: alljoyn-services-1604, android-platform-external-doclava, android-platform-system-tools-aidl, aufs, bcolz, binwalk, bmusb, bruteforce-salted-openssl, cappuccino, captagent, chrome-gnome-shell, ciphersaber, cmark, colorfultabs, cppformat, dnsrecon, dogtag-pki, dxtool, e2guardian, flask-compress, fonts-mononoki, fwknop-gui, gajim-httpupload, glbinding, glewmx, gnome-2048, golang-github-googleapis-proto-client-go, google-android-installers, gsl, haskell-hmatrix-gsl, haskell-relational-query, haskell-relational-schemas, haskell-secret-sharing, hindsight, i8c, ip4r, java-string-similarity, khal, khronos-opencl-headers, liblivemedia, libshell-config-generate-perl, libshell-guess-perl, libstaroffice, libxml2, libzonemaster-perl, linux, linux-grsec-base, linux-signed, lua-sandbox, lua-torch-trepl, mbrola-br2, mbrola-br4, mbrola-de1, mbrola-de2, mbrola-de3, mbrola-ir1, mbrola-lt1, mbrola-lt2, mbrola-mx1, mimeo, mimerender, mongo-tools, mozilla-gnome-keyring, munin, node-grunt-cli, node-js-yaml, nova, open-build-service, openzwave, orafce, osmalchemy, pgespresso, pgextwlist, pgfincore, pgmemcache, pgpool2, pgsql-asn1oid, postbooks-schema, postgis, postgresql-debversion, postgresql-multicorn, postgresql-mysql-fdw, postgresql-unit, powerline-taskwarrior, prefix, pycares, pydl, pynliner, pytango, pytest-cookies, python-adal, python-applicationinsights, python-async-timeout, python-azure, python-azure-storage, python-blosc, python-can, python-canmatrix, python-chartkick, python-confluent-kafka, python-jellyfish, python-k8sclient, python-msrestazure, python-nss, python-pytest-benchmark, python-tenacity, python-tmdbsimple, python-typing, python-unidiff, python-xstatic-angular-schema-form, python-xstatic-tv4, quilt, r-bioc-phyloseq, r-cran-filehash, r-cran-png, r-cran-testit, r-cran-tikzdevice, rainbow-mode, repmgr, restart-emacs, restbed, ruby-azure-sdk, ruby-babel-source, ruby-babel-transpiler, ruby-diaspora-prosody-config, ruby-haikunator, ruby-license-finder, ruby-ms-rest, ruby-ms-rest-azure, ruby-rails-assets-autosize, ruby-rails-assets-blueimp-gallery, ruby-rails-assets-bootstrap, ruby-rails-assets-bootstrap-markdown, ruby-rails-assets-emojione, ruby-sprockets-es6, ruby-timeliness, rustc, skytools3, slony1-2, snmp-mibs-downloader, syslog-ng, test-kitchen, uctodata, usbguard, vagrant-azure, vagrant-mutate & vim.

Categories: LUG Community Blogs