Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.
- ufoai (RC #861979) : Robert Hackbauer discovered that ufoai crashed as soon as one player joined a game. I had never seen this crash before and the bug probably surfaced due to the recompilation last month but fortunately I could get a meaningful backtrace and upstream was able to provide a patch within 24 hours.
- pixbros (RC #861612): The RC bug in pixbros was a rather sad story as it was claimed that the level design (the design, not the artwork) was non-free. The bug submitter argued that there was a high degree of resemblance with one of the original games (pixbros is an amalgamation of several games) thus making pixbros unsuitable for Debian and non-free. This was the kind of bug report which you will probably only see in the games section. We have many games in the archive that try to be a clone and free software alternative of a more popular commercial and non-free game. Not only are they sometimes developed in a completely different programming language, their new artwork, even the gameplay can differ heavily. In this case the level design was just two-dimensional horizontal and vertical bars on which the protagonists perform their actions and in my opinion this is not what we call non-free in Debian. The sad part was, because it happens rather frequently, that random people think they are copyright and trademark experts although they are neither lawyers nor the original copyright holder and, to underline the layman status, often end their sentences with the ominous IANAL. I would like to see that people focus more on improving the games section by packaging new games and maintaining existing ones instead of playing hobby lawyer and creating issues where issues don’t exist.
- doomsday (RC #847651, #863536): Doomsday failed to start but Bernhard Übelacker provided a patch to fix #847651. If nobody beats me to it, I will also upload the fix for #863536 very soon.
New upstream release
- I mentioned torcs in my last report which I adopted earlier. It turned out that some car models were non-free (not like pixbros but this time for real) because the license didn’t allow modification. I repacked the tarball and released version 1.3.3+dfsg2-1 for Stretch (#861959) and pushed the latest upstream release to experimental. I also discovered that torcs would FTBFS due to a bug in debhelper and reported it. (#861852)
- I packaged new upstream versions of freeorion, springlobby, freeciv and bzflag.
- Elana Hashman is working on the clojure eco-system in Debian. I reviewed and sponsored libbultitude-clojure for her.
- I fixed a follow-up bug in pdfsam (#855324) and documented in a NEWS file that the config file in $HOME must be updated by hand when a user upgrades from Jessie to Stretch.
- I uploaded a new upstream release of activemq to experimental and fixed a minor changelog typo bug.
- From 1. May until 7. May I was in charge of our LTS frontdesk. I triaged security issues in rxvt, imagemagick, libtirpc, rpcbind, binutils, wordpress, eglibc and tiff3.
- I prepared a security update for wordpress fixing 6 CVE. I contacted the maintainer, Craig Small, for feedback and intend to release the update soon.
- I have been working on smb4k which is currently affected by a root privilege vulnerability. Backporting the fix is non-trivial and requires more testing.
- I triaged libarchive and fixed CVE-2016-10349 and CVE-2016-10350 but decided to postpone the release until more important issues are discovered.
- DLA-933-1. Issued a security update for roundcube fixing 1 CVE.
- DLA-936-1. Issued a security update for libtirpc fixing 1 CVE.
- DLA-937-1. Issued a security update for rpcbind fixing 1 CVE.
- DLA-938-1. Issued a security update for git fixing 1 CVE.
- DLA-924-1. Issued a regression update for tomcat7 and fixed bug #861872.
- DLA-941-1. Issued a security update for squirrelmail fixing 1 CVE.
- DLA-945-1. Issued a security update for mysql-connector-java fixing 3 CVE.
- DLA-953-1. Issued a security update for graphicsmagick fixing 1 CVE.
- DLA-968-1. Issued a security update for libpodofo fixing 10 CVE.
- DLA-969-1. Issued a security update for tiff fixing 2 CVE.
- Nikolaus Rath discovered that adding files to a tar archive with xarchiver would actually delete the existing archive (#862593). The issue occured when the archive name contained shell meta characters which were improperly escaped. While I was trying to find the root cause for this issue Chris Lamb provided an alternative solution to fix this problem.
Thanks for reading and see you next time.