My Debian Activities in November 2016

FTP assistant

This month I marked 377 packages for accept and rejected 36 packages. I also sent 13 emails to maintainers asking questions.

Debian LTS

This was my twenty-ninth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 11h. During that time I did uploads of

  • [DLA 696-1] bind9 security update for one CVE
  • [DLA 711-1] curl security update for nine CVEs

The upload of curl started as an embargoed one but the discussion about one fix took some time and the upload was a bit delayed.

I also prepared a test package for jasper which takes care of nine CVEs and is available here. If you are interested in jasper, please download it and check whether everything is working in your environment. As upstream only takes care of CVEs/bugs at the moment, maybe we should not upload the old version with patches but the new version with all fixes. Any comments?

Other stuff

As it is again this time of the year, I would also like to draw some attention to the Debian Med Advent Calendar. Like the past years, the Debian Med team starts a bug squashing event from the December 1st to 24th. Every bug that is closed will be registered in the calendar. So instead of taking something from the calendar, this special one will be filled and at Christmas hopefully every Debian Med related bug is closed. Don’t hestitate, start to squash :-).

In November I also uploaded new versions of libmatthew-java, node-array-find-index, node-ejs, node-querystringify, node-require-dir, node-setimmediate, libkeepalive,
Further I added node-json5, node-emojis-list, node-big.js, node-eslint-plugin-flowtype to the NEW queue, sponsored an upload of node-lodash, adopted gnupg-pkcs11-scd, reverted the -fPIC-patch in libctl and fixed RC bugs in alljoyn-core-1504, alljoyn-core-1509, alljoyn-core-1604.

My Debian Activities in October 2016

FTP assistant

This month I caught up from last month and marked 317 packages for accept and rejected 23 packages. I also sent 5 emails to maintainers asking questions.

Debian LTS

This was my twenty-eighth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 13h. During that time I did uploads of

  • [DLA 645-1] bind9 security update
  • [DLA 646-1] zendframework security update
  • [DLA 665-1] libgd2 security update
  • [DLA 671-1] libxvmc security update
  • [DLA 672-1] bind9 security update
  • [DLA 691-1] libxml2 security update

The second upload of bind was an embargoed one.

Other stuff

I uploaded a new version of greylistd and fixed RC bug #837501. A new version of highlight.js fixed RC bug #830189. With a new upstream version of chktex I could close bugs #782342, #782343 and #819885. I also uploaded the new package node-random-bytes and new upstream versions of alljoyn-core-1604 and duktape

Finally, after about 4 years, I managed to upload entropybroker and instantly had to deal with #840018, #840019 and #840020. One cannot overemphasize the importance of our QA stuff!

I also uploaded a new version of libctl to solve the -fPIC issue but was asked short time after to revert that again :-(.

As already mentioned some days ago I adopted libmatthew-java. At that time about 956 package were orphaned and I asked everybody to adopt one of these packages. Unfortunately now there are 982 package orphaned. I guess I have to clear up a misunderstanding. You should adopt those packages and not oprhan more of them!

DOPOM: libmatthew-java – Unix socket API and bindings for Java

While looking at the “action needed”-paragraph of one of my packages, I saw that a dependency was orphaned and needed a new maintainer. So I decided to restart DOPOM (Debian Orphaned Package Of the Month), that I started in 2012 with ent as the first package.

This month I adopted libmatthew-java. Sure it was not a big deal as the QA-team already did a good job and kept the package in shape. But now there is one burden lifted from their shoulders.

According to the Work-Needing and Prospective Packages page 956 packages are ophaned at the moment. If every Debian contributor grabs one of them, we could unwind the QA-team (no, just kidding). So similar to NEW which was down to 0 this year, can we get rid of the WNPP as well? At least for a short time?

My Debian Activities in September 2016

FTP assistant

This month I was rather busy with other stuff and only marked 191 packages for accept and rejected 21 packages. I also sent 6 emails to maintainers asking questions.

Debian LTS

This was my twenty-seventh month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 12.25h. During that time I did an upload of php5 fixing 17 CVEs and two additional bugs, I uploaded mactelnet and fixed one CVE. I also prepared a package for testing of zendframework, which will fix one CVE. Unfortunately my bind9 upload needed to be postponed as Florian Weimer found an incomplete patch of a previous CVE. I am trying to fix that as well. I also had some progress with the asterisk CVEs and of course the next round of php5 patches is waiting…

This month I also had a few days of frontdesk work at the beginning of the month and a few days at the end.

Other stuff

For the Alljoyn framework I uploaded alljoyn-services-1604 and as I forgot a Conflict:, I had to take care of RC-bugs: #836717, #836718 and #836719. Thanks a lot to Ralf Treinen for his automatic installation tests.

As mentioned earlier, openzwave is on its way to the Debian archive. While it is still in non-free, the author of a used library gave his permission to relicense this code, so the way to main is paved now.

Openzwave in Debian

It was a real surprise when I saw activity on #791965, which is my ITP bug to package openzwave.

As Ralph wrote, the legal status of the Z-Wave standard has been changed. According to a press release of Sigma Designs, the Z-Wave standard is now put into the public domain.

As even the specification of the Z-Wave S2 security application framework is available now, the openzwave community is finally able to create a really compatible application which might also pass the Z-Wave certification. Thus there is new hope that there will be an openzwave package in Debian.

My Debian Activities in August 2016

FTP assistant

This month I marked 257 packages for accept and rejected only 26. Seems to be that I mostly choosed the high quality packages this month. I also sent 12 emails to maintainers asking questions.

Debian LTS

This was my twenty-sixth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 14.75h. Again, most of the time I choosed packages, where at the end the vulnerable code of the corresponding CVE was not present in the Wheezy version. So I could mark several CVEs for lshell and wget as not-affected, without doing an upload. Unfortunately I had to give up working on chicken. My scheme abilities appear to be rather rusty.

Further, I uploaded a test version for php5 that takes care of 17 CVEs and as requested by the LTS users, two additional bugs. After all tests are passed, I will do a real upload with DLA.

This month I also had another term of frontdesk work.

Other stuff

For the Alljoyn framework I fixed a compile issue with gcc 6 and could close RC-bugs
#831127, #831091, and #831198.
My patch was also accepted by upstream.

Unfortunately a bug in gtest resulted in #833636.

As gcc 6 is the default compiler now in testing, I could also close RC bug #831106.

My Debian Activities in July 2016

FTP assistant

This month I marked 248 packages for accept and rejected 60. I also sent 13 emails to maintainers asking questions. Again, this was a rather quiet month without much trouble.

Debian LTS

This was my twenty-fifth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

As the number of participants increases, this month my all in all workload has been only 14.70h. Strangely enough, most of the time I choosed packages, where at the end the vulnerable code of the corresponding CVE was not present in the Wheezy version. So I could mark several CVEs for bind, libgd2 and mupfd as not-affected, without doing an upload.

Nevertheless I also did two uploads to fix another two CVEs:

  • [DLA 563-1] libgd2 security update
  • [DLA 569-1] xmlrpc-epi security update

As there arrived some new CVEs for PHP5 I didn’t do an upload this month. But don’t purge your testing environments, a new version is comming soon :-).

This month I also had another term of frontdesk work.

Other stuff

For the Alljoyn framework I took care of RC-bug #829148.

I also uploaded a new version of rplay to fix #805959.

In the Javascript world I could close #831006

My Debian Activities in June 2016

FTP assistant

This month I marked 233 packages for accept and rejected 29. I also sent 11 emails to maintainers asking questions. Currently there are 33 packages in NEW and the minimum this week has been as low as 24 packages. Come on you fellow developers, where are your packages? I am sure you can do better :-).

Debian LTS

This was my twenty-fourth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 18.75h. This resulted in patches for 13 CVEs and the following uploads:

  • [DLA 522-1] python2.7 security update
  • [DLA 533-1] php5 security update
  • [DLA 534-1] libgd2 security update
  • [DLA 536-1] wget security update

I also looked at mxml and libstruts1.2-java and marked CVEs for these packages as “no-dsa”. I also reviewed a patch of Salvatore for an embargoed CVE of xerces-c. Last but not least I looked at the remaining two CVEs for asterisk, but was not really able to create working patches …

This month I called again for testing php5. Thanks a lot to Stefan and anybody else who sent in their reports! As there are already new CVEs for php5 available, I am afraid I need your support again in July …

This month I also had another term of frontdesk work and answered questions or looked for CVEs that are important for Wheezy LTS or could be ignored.

Other stuff

I made some progress with the Alljoyn framework. Up to now the following packages are available:

  • alljoyn-core-1504
  • alljoyn-core-1509
  • alljoyn-core-1604
  • alljoyn-gateway-1504
  • alljoyn-services-1504
  • alljoyn-services-1509
  • alljoyn-thin-client-1504
  • alljoyn-thin-client-1509
  • alljoyn-thin-client-1604
  • duktape

Unfortunately as some of those modules still need to be released in current versions, there are some gaps.

Anyway, the next uploads will include an XMPP connector, to basically bridge a local AllJoyn bus to a remote AllJoyn bus over XMPP. Further, with the lighting module, real lamps can be switched on and off and much more. Also the Home Appliances and Entertainment Service Framework seems to be interesting as well.

In the Javascript world I uploaded some new packages …

  • node-strip-ansi
  • node-lodash-compat
  • node-has-flag
  • node-errs
  • node-ejs
  • node-absolute-path

… and uploaded new versions for the following packages:

  • node-base62
  • node-array-flatten
  • node-eventsource
  • node-xmlhttprequest-ssl
  • node-wrappy

My Debian Activities in May 2016

FTP assistant

This month I marked 286 packages for accept and rejected 35. I also sent 13 emails to maintainers asking questions. Apart from this nothing unusual happened this month.

Debian LTS

This was my twenty-third month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload reached a new high with 31.00h. This resulted in patches for 35 CVEs and the following uploads:

  • [DLA 454-1] minissdpd security update
  • [DLA 453-1] extplorer security update
  • [DLA 455-1] asterisk security update
  • [DLA 457-1] mplayer security update
  • [DLA 458-1] mplayer2 security update
  • [DLA 459-1] mercurial security update
  • [DLA 466-1] ocaml security update
  • [DLA 467-1] xerces-c security update
  • [DLA 485-1] extplorer security update
  • [DLA 493-1] openafs security update
  • [DLA 495-1] libtasn1-3 security update
  • [DLA 499-1] php5 security update

Thanks a lot to all the people who answered my calls for testing, especially Gabriel Filion, Joost van Baal-Ilić and Stefan!

This month I also had another term of doing frontdesk work and looked for CVEs that are important for Wheezy LTS or could be ignored.

Other stuff

As already mentioned in an earlier post, I tried to enliven the Internet of Things in Debian. If you would like to help in this field, please drop me a line.