My monthly report covers what I have been doing for Debian. I write it for Debian's Long Term Support sponsors but also for the wider free software community in the hope that it might inspire people to get more involved with Debian or free software in general.
This was my first month as a paid contributor and I have been paid to work 11,25 hours on Debian LTS. During this month I worked on the following things:
- Released DLA-410-1 for OpenJDK 6 fixing eight CVEs.
- Released DLA-418-1 for WordPress fixing two CVEs.
- Released DLA-422-1 for python-imaging fixing one CVE and a second buffer overflow in PcdDecode.c. I also helped to fix these issues in Wheezy and Jessie and sent the patches to Debian's Security Team. This resulted in the release of DSA-3499-1.
- Released DLA-435-1 for Tomcat 6 fixing six CVEs.
- Released DLA-441-1 for pcre3 fixing one security vulnerability. A CVE had not been assigned but this issue is also known as ZDI-CAN-3452.
- Released DLA-443-1 for bsh fixing one CVE. I fixed this issue for all versions of bsh. A DSA is still pending.
- Since February was also the last month of support for Debian 6 "Squeeze" I looked for packages that had been fixed in Squeeze but not in Wheezy. I discovered that Lighttpd was still affected by CVE-2014-3566 aka the "POODLE" attack. Although SSLv3 could be disabled it was still enabled by default. After consulting the Debian Security Team we disabled SSLv3 by default and released DSA-3489-1
- Backported versions 6.0.41 and 6.0.45 of Tomcat 6 to fix all open security vulnerabilities in Wheezy. At the moment I am waiting for the green light from the Security Team.
I have been paid by the Guardian Project to package apktool and android-platform-tools-base. Apktool is a tool for reverse engineering Android apk files while android-platform-tools-base includes the Android Gradle Plugin and several tools and libraries for developing Android software. Unfortunately I discovered that LEDataInputStream.java in apktool was covered by a non-free license. I had to remove this class and thus the tool is currently broken. I am aware of this and I reported this issue to upstream as #1166. I hope I can resolve this problem together with them this month. In order to package the software above I also had to package the following build-dependencies: gradle-jflex-plugin, intellij-annotations and lombok-patcher. I am still working on getting lombok-ast into Debian for which the lombok-* packages were a precondition. These packages were non-trivial because ivyplusplus, lombok and lombok-patcher depend on each other. In addition they failed to build with OpenJDK 8 due to the use of older classes from OpenJDK's tools.jar. I fixed ivyplusplus and lombok which were both broken and updated proguard, trove3 and jflex to simplify the packaging of android-platform-tools-base and apktool by providing Maven artifacts.
- libjide-oss-java. Packaged new upstream release 3.6.13+dfsg-1.
- Netbeans. Packaged Netbeans 8.1+dfsg2-1. I could finally fix the HTML 5 parser runtime error (#809256) because libhtml5parser-java, which I had packaged last month, got accepted into Debian. I also fixed a FTBFS due to a change in svnclientadapter.
- jgit. I disabled the tests as a workaround to fix a FTBFS. (#812643) I intend to package the latest upstream release in the near future. I hope it does not break as many reverse-dependencies as usual.
- libslf4j-java. Updated the package to fix a Netbeans runtime error.
- tomcat6. Packaged new upstream release 6.0.45+dfsg-1.
- simutrans, simutrans-pak64, simutrans-pak128.britain. I sponsored new upstream releases of simutrans which were prepared by Jörg Frings-Fürst.
- extremetuxracer. I packaged the latest upstream release 0.7.1. Eventually I decided to upload this version to unstable and to replace the 0.4 series because upstream ships the extra courses too now. They were once part of tuxracer-extras and had to be converted to a new data format. Since tuxracer-extras was obsolete, I requested its removal from Debian. (#814604)
- freeciv. Packaged version 2.5.3 that fixed two bugs in FreeCiv's Qt client. (#813107, #813218) I also backported this version to Debian Jessie.
- debian-games. I released the latest version of the Debian Games Blend. I recommended four new games: edgar, a 2D platformer, ufoai, a squad-based tactical strategy game, zoom-player, a player for Z-Code stories or games and endless-sky, a space exploration and combat game. The Free Software Foundation recently interviewed Michael Zahniser, the developer of endless-sky, because he uses the GPL for his work.
- corsix-th. I sponsored corsix-th, an open source clone of Theme Hospital. This package was prepared by Alexandre Detiste. You still need the original game data from Theme Hospital to play the game. That is the reason why I had to upload it to contrib. If you own a copy of the game yourself, you can use game-data-packager to create a Debian package for the data.
- osmo. Osmo's internal backup feature was broken on i386 systems. In fact it always produced the same empty file with seize 50 byte. I reported this issue upstream and Maxim Gordienko provided a patch. This issue (#813414) was fixed in version 0.2.14-4. I also uploaded a fixed version for Jessie after I got the permission from the Debian Release Team. (#815469)