My Debian Activities in April 2019

FTP master

This was again a quiet month and I only accepted 70 packages and rejected 11 uploads. The overall number of packages that got accepted was 102. As with every release, people still upload new versions of packages to unstable during the full freeze. I always wonder why they do this?

Debian LTS

This was my fifty-eighth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 17.25h. During that time I did LTS uploads or prepared security uploads of:

  • [DLA 1760-1] wget security update for one CVE
  • [DLA 1763-1] putty security update for three CVEs
  • [DLA 1765-1] gpac security update for two CVEs
  • [DLA 1767-1] monit security update for two CVEs
  • [DLA 1769-1] gst-plugins-base0.10 security update for one CVE
  • [DLA 1770-1] gst-plugins-base1.0 security update for one CVE

I also started to work on CVEs for bind.

Last but not least I did some days of frontdesk duties and tried to add my DLAs to the Debian Website.

Debian ELTS

This month was the eleventh ELTS month.

During my allocated time I uploaded:

  • ELA-99-2 of libssh2 for an upstream regression of CVE-2019-3859
  • ELA-112-1 of wget for one CVE
  • ELA-113-1 of monit for two CVEs
  • ELA-114-1 of ruby1.9.1 for four CVEs

As in LTS, I also did some days of frontdesk duties.

Other stuff

I uploaded a new upstream version of …

On my grafana challenge I uploaded golang-github-apparentlymart-go-cidr, golang-github-apparentlymart-go-rundeck-api, golang-github-corpix-uarand, golang-github-cyberdelia-heroku-go, golang-github-facebookgo-inject, golang-github-hmrc-vmware-govcd, golang-github-icrowley-fake, golang-github-michaeltjones-walk, golang-github-willf-bloom. There is still more to come and thank you ever so much, Chris, for marking all those for ACCEPT.

I also sponsored the following packages for other members of the Go team: easygen, golang-github-anmitsu-go-shlex, golang-github-emirpasic-gods, golang-github-fzambia-sentinel, golang-github-gliderlabs-ssh, golang-github-hashicorp-go-safetemp, golang-github-jesseduffield-gocui, golang-github-jesseduffield-termbox-go, golang-github-jesseduffield-pty, golang-github-kevinburke-ssh-config, golang-github-mgutz-str, golang-github-mgutz-to, golang-github-nozzle-throttler, golang-github-src-d-gcfg, golang-github-stvp-roll, golang-gopkg-src-d-go-billy.v4

My Debian Activities in March 2016

FTP assistant

This month I marked 226 packages for accept and rejected 22. I also sent 5 emails to maintainers asking questions. It seems that a rather quiet month is behind us. As I have seen some packages with strange debian/copyright in binNEW, I wonder whether the archive should also be checked regularly. Maybe it is time to file some bugs …

Debian LTS

This was my twenty-first month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

Due to outstanding hours that were redistributed, my all in all workload had been 14.25h. As Wheezy LTS didn’t start yet and I am not able to do normal security uploads, I sent debdiffs to the security team. Btw. this can be done by everybody and the way to go is described in chapter 5.8.5 of the Debian Developer’s Reference.

Altogether I sent the following debdiffs for …

  • extplorer to fix CVE-2015-0896
  • inspircd to fix CVE-2015-8702
  • libmatroska to fix CVE-2015-8792
  • libstruts1.2-java to fix CVE-2015-0899
  • fuseiso to fix two temporary issues
  • minissdpd to fix CVE-2016-3178 and CVE-2016-3179
  • tlslite to fix CVE-2015-3220

As the security team wants to update Wheezy and Jessie with only one DSA, whenever applicable I created debdiffs for both releases. Up to now the results can be seen in DSA 3526-1, DSA 3527-1 and DSA 3536-1. As tlslite has been removed from Wheezy during today’s point release, I am afraid that was a wasted effort.

Other stuff

My node activities this month involved uploads of: node-component-consoler, node-generator-supported, node-xmlhttprequest-ssl, node-co, node-uid-umber, node-url-join, node-uri-path, node-read-file, node-nth-check, node-base62, node-require-dir, node-for-in, node-obj-util, node-normalize-it-url, node-delve, node-function-bind, node-seq, node-json-localizer, node-through, node-addressparser, node-ansi-regex, node-crypto-cacerts, node-decamelize, node-array-find-index, node-require-main-filename, node-invert-kv, node-starttls.

To fix one or the other bug I also uploaded: node-connect, node-mysql.

I also forwarded bug #809252, which is tagged as security relevant in the BTS, to the Node Security Project. I even got one answer stating that the report arrived. We will see what happens next. At least after 45 days another email might arrive …

Debian Med Bug Squashing in Advent 2015

The Debian Med Bug Squashing just ended and the Debian Med Advent Calendar is full to bursting.

Like the years before, the Debian Med team performed a bug squashing event from December 1st to 24th. All bugs that have been closed during that period got an entry in the calendar. This year I am really impressed with the achievement of all participants. After the rather small quantity last year, the incredible number of 150 bugs have been closed this year! Thanks a lot!

year    number of bugs closed
2011    63
2012    28
2013    73
2014    5
2015    150

BOM: bug squashing and new versions during last three months

As announced in my previous DTPOM article the month of May should be a bug squashing month. As everything worked well, I used the last three months to decrease the bug count in Debian packages. Unfortunately I don’t remember everything, so this list might be incomplete:

  • Due to the help of T, who pointed me to a patch which was sent to the fpdns-user email list, bug 680077 disappeared.
  • All meep-* packages had a problem with include files installed in the wrong directory. So development of own programs was a bit difficult. This resulted in

    All bugs have been closed in Sid, but the release team doesn’t want to put it to stable!?

  • Package setserial had some open bugs. Most of them resulted from a strange concept of initializing the serial port and could be closed with just some explanations:
  • With the next upload of greylistd to experimental two bugs could be closed:
  • Two uploads of package uucp closed a few ‘simple’ and one RC bug:

Further I created packages for some new software versions:

  • all packages of the mgltools got a new version (1.5.7~rc1~cvs.20130519-1)
    autodocktools, mgltools-bhtree, mgltools-cadd, mgltools-dejavu, mgltools-geomutils, mgltools-gle, mgltools-mglutil, mgltools-molkit, mgltools-networkeditor, mgltools-opengltk, mgltools-pmv, mgltools-pyautodock, mgltools-pybabel, mgltools-pyglf, mgltools-scenario2, mgltools-sff, mgltools-support, mgltools-symserv, mgltools-utpackages, mgltools-viewerframework, mgltools-vision, mgltools-visionlibraries, mgltools-volume, mgltools-webservices

  • autodocksuite is now available in version
  • saint is now available in version 2.3.4+dfsg-2
  • I uploaded version 1.5.3-1 of python-cogent, but meanwhile even version 1.5.3-2 is available
  • gcal got an update to version 3.6.3-2
  • epigrass got an update to version 2.2.2-2, unfortunately in that version it depends on python-sqlsoup, which is still in the NEW-queue. Thus this package got an RC bug …

From my point of view 17 closed bugs and 29 updated packages within three months are a pretty good result.

The next month will be characterized by solving all problems with epigrass (and of course python-sqlsoup), mgltools-cadd (there must be a better version hidden somewhere in the sources that needs to be activated somehow) and mgltools-sff (why doesn’t it migrate to testing?). Further the TODO-list of the Debian Med UDD needs to become smaller.

Debian Med advent calendar

I would like to announce the Debian Med advent calendar 2012. Just like last year the Debian Med team starts a bug squashing event from December 1st to 24th. Every day at least one bug from the Debian BTS should be closed. Especially RC bugs for the oncoming Debian release (Wheezy) or bugs in one of the packages maintained by Debian Med shall be closed. Anyone shall be called upon to fix a bug or send a patch. Don’t hesitate, start to squash :-).

BOM: overflow in ent

Recently I got a bug report for package ent. The internal counter of processed bytes has just type long. In case you feed enough bytes to ent, there will be an overflow after about half an hour (of course that depends on your type of CPU, the bug was reported on architecture i386).

As modern C (C99) introduced a new type long long, I changed the type of some variables from simple long to unsigned long long. The overflow disappeared for now, but it will reappear just some trillion bytes later.

So, are there any recommendations on how to handle such a situation better?
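One common way to handle such a counter, shown as an added example that is not part of the original post or of ent's source: count in a fixed-width unsigned type and check before each addition, so that exceeding the range is reported instead of silently wrapping. The names `byte_counter`, `counter_add` and `wrapped_long32` are hypothetical, and `wrapped_long32` assumes two's-complement wraparound for the 32-bit `long` on i386.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical saturating byte counter; not taken from ent's source. */
typedef struct {
    uint64_t total;
    bool overflowed;
} byte_counter;

/* Add n bytes. Once the range is exceeded the total is pinned at
   UINT64_MAX and the flag stays set, so the caller can report it. */
static bool counter_add(byte_counter *c, uint64_t n)
{
    if (c->overflowed || n > UINT64_MAX - c->total) {
        c->total = UINT64_MAX;
        c->overflowed = true;
        return false;
    }
    c->total += n;
    return true;
}

/* Value a 32-bit signed long (as on i386) would show after `bytes`
   increments, assuming two's-complement wraparound. Computed without
   signed overflow, which is undefined behaviour in C. */
static int32_t wrapped_long32(uint64_t bytes)
{
    uint32_t low = (uint32_t)bytes;
    if (low <= (uint32_t)INT32_MAX)
        return (int32_t)low;
    return (int32_t)((int64_t)low - 4294967296LL);
}

int main(void)
{
    /* Constructed input: one byte past what a 32-bit long can count. */
    printf("32-bit long after 2^31 bytes: %ld\n", (long)wrapped_long32(2147483648ULL));

    byte_counter c = { UINT64_MAX - 1, false };
    printf("add 1: %s\n", counter_add(&c, 1) ? "ok" : "overflow");
    printf("add 1: %s\n", counter_add(&c, 1) ? "ok" : "overflow");
    printf("total pinned at max: %s\n", c.total == UINT64_MAX ? "yes" : "no");
    return 0;
}
```

A statistics tool can then print a warning when `overflowed` is set rather than computing results from a wrapped count.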

BOM: lintian

As you might have guessed from the previous posts, with BOM (Bug Of the Month) I want to take care of at least one bug from the Debian BTS each month.

Being a nice guy I have a five step plan in case a program does not work as expected.
1) read the manual
2) read the manual
3) ask my favourite search engine about that issue
4) read the manual
5) ask my favourite search engine about that issue
Unfortunately this plan totally failed while trying to understand the output of lintian. For an unknown reason I was always told that an init.d-script was not registered in debian/postinst. But I could see that seemingly missing call to update-rc.d.

Looking at the PTS and the number of bugs for lintian, I decided that this might be the next entry. Fairly quickly I found the code where the error must be hidden. A bit shocked I was faced with something like:

  my $opts_r = qr/-\S+\s*/;
  my $name_r = qr/[\w.-]+/;
  my $action_r = qr/\w+/;

  /^(?:.+;|^\s*system[\s\(\']+)?\s*update-rc\.d\s+ (?:$opts_r)*($name_r)\s+($action_r)/xo;

At the sight of that regular expression I just wanted to run away and do some gardening (normally it is the other way around). After pulling up weeds for a while, I sat down again and tried to decode that expression. Surprisingly it was not as difficult as expected before.

As a result #677142 containing a patch came into existence.

Result: regular expressions look strange but lift their secret after some time of thinking