My Free Software Activities in August 2016

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in Android, Java, Games and LTS topics, this might be interesting for you.

Debian Android

• This was the final month of the Google Summer of Code and the students achieved the main goal of packaging the Android SDK. It is now possible to build Android apps on Debian with packages only from the main distribution (apt install android-sdk). Chirayu Desai fixed the last remaining issue in android-platform-system-core (#827216).  That also means apktool is now ready to rebuild Android applications. You can find more information about the students' work at wiki.debian.org and on their individual pages Chirayu Desai, Kai-Chung Yan and Mouaad Aallam.
• I sponsored a new upstream release (2.2.0) of apktool for Chirayu Desai.
• I also reviewed and sponsored the following packages for Kai-Chung and Chirayu Desai (RC bug fixes and new upstream releases): android-platform-dalvik, android-platform-frameworks-base, android-sdk-meta.

Debian Games

• I started the month with package updates for foobillardplus, tuxpuck, etw, cube2, cube2-data and neverball.
• I released a new revision of triplane to fix a reproducible build issue.
• I packaged a new upstream release of springlobby.
• I fixed GCC-6 FTBFS bugs in stormbaancoureur and love and updated both packages to use modern Debian helpers (stormbaancoureur needed it badly).
• I invested some time to package Liquidwar 6 (#680023) and attached my preliminary work to the bug report. Liquidwar 6 has been in the works for a long time now and is a complete rewrite of the original Liquidwar game. The graphics are much more polished and dozens of new levels are available. I didn't complete my work on Liquidwar 6 because, at least on my system, the game constantly consumes 100% CPU time. Network modus isn't finished yet and it still depends on SDL 1. Nowadays I'm only interested in SDL 2 (or similar) games though because I think the library is more future-proof and SDL 1 will probably become a burden for future maintainers.
• In the second half of the month I fixed a couple of RC bugs again caused by the Boost 1.61 transition and yes still more GCC-6 bugs : libclaw (GCC-6 and Boost 1.61 issues, new upstream release), freeorion (Boost 1.61 FTBFS, #833773. This one was arguably a regression in Boost 1.61 and I filed #833794 because of it), pokerth (GCC-6 RC bugs. I also took the opportunity to implement systemd support for pokerth-server and I modified the package to run the server as the _pokerth system user out-of-the-box.), 0ad (missing build-dependency on python).
• Even music packages can pile up bug reports, so I went ahead and updated fretsonfire-songs-muldjord and fretsonfire-songs-sectoid.
• In the last days of August 2016 I packaged a new upstream release of redeclipse and redeclipse-data, a first-person shooter. The older version was network-incompatible and long unsupported.

Debian Java

• I packaged new upstream releases of libjide-oss-java, undertow, jboss-xnio, hawtjni.
• I fixed RC bugs in libfreemaker-java, airlift-slice, japi-compliance-checker (was already fixed by Emmanuel Bourg but never uploaded), lucene2, libbtm-java, javassist, commons-math, libslf4j-java, surefire, maven-invoker, maven-scm and sweethome3d-furniture-editor.
• I triaged RC bug #834744 in xmlgraphics-commons and lowered the severity because the build failure was not reproducible in a clean cowbuilder environment. Another RC bug was reported against mina2 but I also couldn't reproduce the test failure hence I lowered the severity and marked #834682 as unreproducible.
• Another RC bug was reported against bookkeeper, #835277, allegedly the issue was caused by a missing artifact. After some investigation it turned out that the recent update of libprotobuf-java, one of bookkeeper's build-dependencies, used the wrong pom.xml and thus different Maven coordinates for the artifact. I filed #835358 and later #835514 against libprotobuf-java and both issues got resolved quickly.
• I reported #835354 against libitext-java because the package was uninstallable.
• I sponsored a new upstream release of freeplane for Felix Natter.

Debian LTS

This was my seventh month as a paid contributor and I have been paid to work 14,75 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

• From 01. August to 07. August I was in charge of our LTS frontdesk. I triaged CVEs in wordpress, mysql-5.5, libsys-syslog-perl, libspring-java, curl and squid and answered questions on the debian-lts mailing list.
• DLA-586-1. Issued a security update for curl fixing 2 CVE.
• DLA-585-1. Announced the security update for firefox-esr which was prepared by Mike Hommey.
• I was involved in an embargoed security issue that currently affects two source packages in Wheezy. The update will be released on 15. September 2016 and will be coordinated with Debian's Security Team and other distributions. I will add more information next month.
• DLA-610-1. I spent most of the time this month on triaging and fixing security issues in tiff3, a library providing support for the Tagged Image File Format (TIFF). 99 source packages currently build-depend on this library in Wheezy. In total I triaged 35 CVEs and fixed 23 of them. I could confirm that CVE-2015-1547, CVE-2016-5322, CVE-2016-5314, CVE-2016-5315, CVE-2016-5316, CVE-2016-5317 and CVE-2016-5320 were duplicates of other CVEs fixed in this update. The update hardened the library and fixed possible denial-of-service (application crash) and arbitrary code execution issues. I tested whenever possible against the provided reproducers (malicious tiff images). The tiff3 package now includes all currently available patches. Most of the current open vulnerabilities do not directly affect end-users since no binary package has been provided for the tiff tools in Wheezy. However they can still pose a threat to people who build these tools from source manually. Though the majority of users should not be affected. It is also unlikely that the remaining issues will be fixed by tiff's upstream developers since they decided to remove the affected applications from newer releases but again most of them can't be exploited since the tools are not built by default in this version.

Non-maintainer uploads

• I did a NMU for pacman fixing one GCC-6 RC bug.

QA

• I packaged a new upstream release of pygccxml and worked around a RC bug that threatened to remove spring. For similar reasons I filed #835121 against castxml that got quickly fixed by Gert Wollny.