My Debian Activities in July 2016

FTP assistant

This month I marked 248 packages for accept and rejected 60. I also sent 13 emails to maintainers asking questions. Again, this was a rather quiet month without much trouble.

Debian LTS

This was my twenty-fifth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

As the number of participants increases, this month my all in all workload has been only 14.70h. Strangely enough, most of the time I choosed packages, where at the end the vulnerable code of the corresponding CVE was not present in the Wheezy version. So I could mark several CVEs for bind, libgd2 and mupfd as not-affected, without doing an upload.

Nevertheless I also did two uploads to fix another two CVEs:

  • [DLA 563-1] libgd2 security update
  • [DLA 569-1] xmlrpc-epi security update

As there arrived some new CVEs for PHP5 I didn’t do an upload this month. But don’t purge your testing environments, a new version is comming soon :-).

This month I also had another term of frontdesk work.

Other stuff

For the Alljoyn framework I took care of RC-bug #829148.

I also uploaded a new version of rplay to fix #805959.

In the Javascript world I could close #831006

APU and Debian

I just got an APU1D4 made by PC Engines. I bought it from a German retailer called VARIA System GmbH. They are also located in Chemnitz, so at least I could support the local economy. I purchased a bundle consisting of mainboard, case, power supply and 16GB SSD. The board has 4GB RAM and three network adapters and shall replace my old PC that I use as router to the internet.

As there is no VGA/HDMI output, the first hurdle was organizing a null-modem cable. Of course I could have prepared the SSD on another PC, but I wanted to try PXE. After finding the cable on the ground of a box, deeply buried under other boxes, I could start.

The DHCP server got an entry

host apu1d4 {
  hardware ethernet 00:0d:b9:42:a0:e8;
  fixed-address apu1d4;
  option broadcast-address;
  option routers;
  filename "pxelinux.0";

and the TFTP server got a file …/tftp/pxelinux.cfg/01-00-0d-b9-42-a0-e8

default install
label install
        menu label ^Install
        menu default
        kernel debian-installer/amd64/linux
        append initrd=debian-installer/amd64/initrd.gz --- vga=off console=ttyS0,115200n8

The files debian-installer/amd64/linux and debian-installer/amd64/initrd.gz are the normal debian installer files obtained from the official Debian servers.

That’s it, the installer starts, spits its output over the serial line and I can install the system. Great! Thanks DebianInstaller team. Why couldn’t everything be always so easy?

My Debian Activities in June 2016

FTP assistant

This month I marked 233 packages for accept and rejected 29. I also sent 11 emails to maintainers asking questions. Currently there are 33 packages in NEW and the minimum this week has been as low as 24 packages. Come on you fellow developers, where are your packages? I am sure you can do better :-).

Debian LTS

This was my twenty-fourth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 18.75h. This resulted in patches for 13 CVEs and the following uploads:

  • [DLA 522-1] python2.7 security update
  • [DLA 533-1] php5 security update
  • [DLA 534-1] libgd2 security update
  • [DLA 536-1] wget security update

I also looked at mxml and libstruts1.2-java and marked CVEs for these packages as “no-dsa”. I also reviewed a patch of Salvatore for an embargoed CVE of xerces-c. Last but not least I looked at the remaining two CVEs for asterisk, but was not really able to create working patches …

This month I called again for testing php5. Thanks a lot to Stefan and anybody else who sent in their reports! As there are already new CVEs for php5 available, I am afraid I need your support again in July …

This month I also had another term of frontdesk work and answered questions or looked for CVEs that are important for Wheezy LTS or could be ignored.

Other stuff

I made some progress with the Alljoyn framework. Up to now the following packages are available:

  • alljoyn-core-1504
  • alljoyn-core-1509
  • alljoyn-core-1604
  • alljoyn-gateway-1504
  • alljoyn-services-1504
  • alljoyn-services-1509
  • alljoyn-thin-client-1504
  • alljoyn-thin-client-1509
  • alljoyn-thin-client-1604
  • duktape

Unfortunately as some of those modules still need to be released in current versions, there are some gaps.

Anyway, the next uploads will include an XMPP connector, to basically bridge a local AllJoyn bus to a remote AllJoyn bus over XMPP. Further, with the lighting module, real lamps can be switched on and off and much more. Also the Home Appliances and Entertainment Service Framework seems to be interesting as well.

In the Javascript world I uploaded some new packages …

  • node-strip-ansi
  • node-lodash-compat
  • node-has-flag
  • node-errs
  • node-ejs
  • node-absolute-path

… and uploaded new versions for the following packages:

  • node-base62
  • node-array-flatten
  • node-eventsource
  • node-xmlhttprequest-ssl
  • node-wrappy

My Debian Activities in May 2016

FTP assistant

This month I marked 286 packages for accept and rejected 35. I also sent 13 emails to maintainers asking questions. Apart from this nothing unusual happened this month.

Debian LTS

This was my twenty-third month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload reached a new high with 31.00h. This resulted in patches for 35 CVEs and the following uploads:

  • [DLA 454-1] minissdpd security update
  • [DLA 453-1] extplorer security update
  • [DLA 455-1] asterisk security update
  • [DLA 457-1] mplayer security update
  • [DLA 458-1] mplayer2 security update
  • [DLA 459-1] mercurial security update
  • [DLA 466-1] ocaml security update
  • [DLA 467-1] xerces-c security update
  • [DLA 485-1] extplorer security update
  • [DLA 493-1] openafs security update
  • [DLA 495-1] libtasn1-3 security update
  • [DLA 499-1] php5 security update

Thanks a lot to all the people who answered my calls for testing, especially Gabriel Filion, Joost van Baal-Ilić and Stefan!

This month I also had another term of doing frontdesk work and looked for CVEs that are important for Wheezy LTS or could be ignored.

Other stuff

As already mentioned in an earlier post, I tried to enliven the Internet of Things in Debian. If you would like to help in this field, please drop me a line.

Debian and the Internet of Things

Everybody is talking about the Internet of Things. Unfortunately there is no sign of it in Debian yet. Besides some smaller packages like sispmctl, usbrelay or the 1-wire support in digitemp and owfs, there is not much software to control devices over a network.

With the recent upload of alljoyn-core-1504 this might change.

The Alljoyn Framework, where the Alljoyn Core is just one of several modules, lets devices and applications detect each other and communicate with one another over a D-Bus like message bus. The development of the framework has been started by Qualcomm some years ago and is meanwhile managed by the AllSeen Alliance, a nonprofit consortium. The software is licensed under the ISC license.

This first upload is just the first step of a long journey. Other modules that compose the framework and already have a released tarball are related to lightning products, gateways to overcome the boundaries of the local network and much more. In the near future it is also planned to have modules that attach Z-Wave-, ZigBee- or Bluetooth-devices to the Alljoyn bus.

So all in all, this looks like an exciting task and everybody is invited to help maintaining the software in Debian.

My Debian Activities in April 2016

FTP assistant

This month I marked 171 packages for accept and rejected 42. I also sent 3 emails to maintainers asking questions. It seems to be that another quiet month is behind us. Nevertheless the flood of strange things in NEW continued this month. Hmm, weird world ..

Debian LTS

This was my twenty-second month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload had been 15.75h. After getting the permission of the security team I changed the temporary-issues to meanwhile assigned CVEs and uploaded fuseiso. This resulted in DSA 3551-1.

I also prepared new packages for asterisk and asked for testers on the LTS mailing list. Luckily Gabriel Filion really tried these packages and found a regression with manager connections. Dear reader, the new packages are waiting for your tests now :-).

Further I used the upload of poppler (DLA 446-1) to test the workflow of the new wheezy-security upload. Uploading and building packages worked perfectly. Unfortunately the push to the security mirrors was a bit delayed (it only happened after an upload of the security team). But this seems to be fixed by Ansgar now.

Last but not least I had a look at PHP5. I think I will start my regular uploads in May.

Other stuff

As I had to deal with non-Debian stuff this month, I didn’t do lots of other things. I only uploaded node-uml …

My Debian Activities in March 2016

FTP assistant

This month I marked 226 packages for accept and rejected 22. I also sent 5 emails to maintainers asking questions. It seems to be that a rather quiet month is behind us. As I have seen some packages with strange debian/copyright in binNEW, I wonder whether also the archive should be checked regularly. Maybe it is time to file some bugs …

Debian LTS

This was my twenty-first month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

Due to outstanding hours that were redistributed, my all in all workload had been 14.25h. As Wheezy LTS didn’t start yet and I am not able to do normal security uploads, I sent debdiffs to the security team. Btw. this can be done by everybody and the way to go is described in chapter 5.8.5 of the Debian Developer’s Reference.

Altogether I sent the following debdiffs for …

  • extplorer to fix CVE-2015-0896
  • inspircd to fix CVE-2015-8702
  • libmatroska to fix CVE-2015-8792
  • libstruts1.2-java to fix CVE-2015-0899
  • fuseiso to fix two temporary issues
  • minissdpd to fix CVE-2016-3178 and CVE-2016-3179
  • tlslite to fix CVE-2015-3220

As the security team wants to update Wheezy and Jessie with only one DSA, whenever applicable I created debdiffs for both releases. Up to now the results can be seen in DSA 3526-1, DSA 3527-1 and DSA 3536-1. As tlslite has been removed from Wheezy during today’s point release, I am afraid that was a wasted effort.

Other stuff

My node activities this month involved uploads of: node-component-consoler, node-generator-supported, node-xmlhttprequest-ssl, node-co, node-uid-umber, node-url-join, node-uri-path, node-read-file, node-nth-check, node-base62, node-require-dir, node-for-in, node-obj-util, node-normalize-it-url, node-delve, node-function-bind, node-seq, node-json-localizer, node-through, node-addressparser, node-ansi-regex, node-crypto-cacerts, node-decamelize, node-array-find-index, node-require-main-filename, node-invert-kv, node-starttls.

To fix one or the other bug I also uploaded: node-connect, node-mysql.

I also forwarded bug #809252, which is tagged as security relevant in the BTS, to the Node Security Project. I even got one answer stating that the report arrived. We will see what happens next. At least after 45 days another email might arrive …

My Debian Activities in February 2016

FTP assistant

This month I marked 364 package for accept and rejected 66. Due to the help of lamby, the length of the NEW queue dropped mostly below 50, so there is no need for complaints anymore :-). I also sent 22 emails to maintainers asking questions.

Squeeze LTS

This was my twentieth month that I did some work for the Squeeze LTS initiative, started by Raphael Hertzog at Freexian.

This month more people started to contribute and my workload dropped down to 11.25h. Altogether I uploaded those DLAs:

  • [DLA 424-1] didiwiki security update
  • [DLA 423-1] krb5 security update
  • [DLA 433-1] xerces-c security update
  • [DLA 444-1] php5 security update

This month I was also involved in embargoed uploads and could do an upload on my own (DLA 433-1).

Now Squeeze LTS is officially done. I leave it with mixed feelings. On the one hand it became more and more difficult to backport patches for the latest version to the old software. On the other hand I could learn a lot of stuff about the methods other maintainers used some years ago. Yes, although not always visible at first sight, over the years there are lots of improvements on how packages can be handled in Debian.

So, let us start with Wheezy now …

Other stuff

On the way to, grunt and some other cool stuff, I uploaded:

  • node-abab
  • node-array-equal
  • node-array-flatten
  • node-array-unique
  • node-cors
  • node-deep-extend
  • node-original
  • node-simplesmtp
  • node-setimmediate
  • node-uglify-save-license
  • node-unpipe

Yes, sometimes this npm2deb makes it really easy to create a package.

In order to fix FTBFSs, errors from DebCI or whatever might fail these days, I also uploaded new versions of:

  • node-array-equal
  • node-array-parallel
  • node-bufferjs
  • node-crc
  • node-css-what
  • node-eventsource
  • node-mime-types
  • node-mocks-http
  • node-rai
  • node-requires-port
  • node-url-parse
  • node-xoauth2

Today I could see the first fruits of my labor. Some packages, I did not touch, migrated to testing because some of their dependencies were finally able to migrate as well.

My Debian Activities in January 2016

FTP assistant

This month I marked 281 package for accept and rejected 58, so almost back to normal processing. I also sent 19 emails to maintainers asking questions.

As mentioned in October the accept-number has reached another milestone. I accepted package 6666 on 20151221, it was python-skbio_0.4.1-1. The winner of a fast processed package with the best guess of this date is: *tata* Javi. Ok, he was the only participant :-). So, who can guess the date of 7777?

Squeeze LTS

This was my nineteenth month that I did some work for the Squeeze LTS initiative, started by Raphael Hertzog at Freexian.

This month several people had to reduce their contribution, so all in all I got a workload of 30h. Altogether I uploaded those DLAs:

  • [DLA 392-1] roundcube security update
  • [DLA 393-1] srtp security update
  • [DLA 394-1] passenger security update
  • [DLA 399-1] foomatic-filters security update
  • [DLA 398-1] privoxy security update
  • [DLA 401-1] imlib2 security update

For the first time this month, I was also involved in three embargoed uploads. Ben and I were informed about some security issues before they got published and I prepared the DLAs. Although the real upload for all suites were still done by the security team, it was really exciting.

I also spent some time on #796095 and prepared another patch for review. Further I am almost done with the next upload of PHP 5.3. Just before starting dupload, another issue appeared. As I think that this will be the last upload of PHP for Squeeze LTS, I also want to take care of this latecomer. The upload of krb5 is waiting in the pipeline, I am just waiting for a confirmation that everything is fine.

This month I also had another term of doing frontdesk work and looked for CVEs that are important for Squeeze LTS or could be ignored.

As Wheezy LTS is just before the start, I already prepared the new build environment. So either now or later in April, I am ready …

Other stuff

Due to the high LTS workload, there was no time for other stuff :-(.

book: Building Microservices from Sam Newman

Recently I read the book Building Microservices from Sam Newman, published by O’Reilly. Up to now I didn’t have to deal with microservices and this book gave a very good summary of this topic.

Unfortunately there are lots of links inside that book, but I could not find a page where all of them are listed online. So here are most of them in the and the direct one: Alistair Cockburn’s concept of hexagonal architecture Robert C. Martin’s definition of the Single Responsibility Principle Heroku’s 12 Factors Dropwizard = Open source, JVM-based microcontainer Karyon = Open source, JVM-based microcontainer ciruit breaker library Hystrix Richardson Maturity Model Martin Fowler: catastrophic failover Postel’s law Semantic versioning Strangler Application Pattern Aegisthus project Packer Eradicating Non-Determinism in Tests “Now you have 2.1.0 problems” Pact Logstash – log file parser Kibana – ElasticSearch-backed system for viewing logs Open Web Application Security Project The antifragil organization Eureka from Netflix

Further several books are recommended.

  • Domain-Driven Design, Eric Evan at
  • Implementing Domain-Driven Design by Vaughn Vernon at
  • Working Effectively with Legacy Code by Michael Feathers at
  • Refactrogin Databases by Scott J. Amber and Pramod J. Sadalage at
  • Continuous delivery by Jez Humble and Dave Farley at
  • Agile Testing by Lisa Crispin and Janet Gregory at
  • Succeeding with Agile by Mike Cohn at
  • Information Dashboard Design: Displaying Data for At-a-Glance Monitoring by Stephen Few at
  • Lightweight Systems for Realtime Monitoring by Sam Newman
  • Cryptography Engineering by Niels Ferguson, Bruce Schneier and Tadayoshi Kohno at
  • Release It! by Michael Nygard at