My Free Software Activities in January 2018

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

• The state of Debian Games: We have created a new games-team group at salsa.debian.org. If you are interested in maintaining games or related projects then we're looking forward to see you there. A couple of Gnome related games are at risk of being removed from Debian. If you are interested in a challenge and want to port them to Gnome 3, we would very much like to hear from you too.
• I reviewed and sponsored new upstream versions of simutrans-pak64 and simutrans for Jörg Frings-Fürst as well as openmw, mygui, wildmidi and openal for Bret Curtis. Later I could also upload hexalate for Unit193 and pegsolitaire for Juhani Numminen. Great job by Juhani who became the new upstream maintainer of pegsolitaire and saved the game from being removed from Debian.
• I for myself packaged new upstream releases of springlobby, peg-e, pygame-sdl2, freeciv, renpy and cube2. I was a bit surprised to see upstream activity for the Sauerbraten engine again. Will we see a new major release this year?
• Peter Green provided a patch to fix Debian RC bug #887929 in trigger-rally which I gladly accepted.
• I also fixed RC bug #885761 in langdrill.

Debian Java

• New upstream versions this month: mediathekview, libsmali-java, apktool, wildfly-common, bouncycastle, bcel, undertow, commons-io, jcifs, libjide-oss-java, sweethome3d and sweethome3d-furniture-editor.
• I introduced jboss-threads to Debian because it is a new build-dependency of jboss-xnio. Thanks FTP team for quickly processing the package!
• I fixed a couple of security issues in plexus-utils (CVE-2017-1000487), libhibernate-validator-java (CVE-2017-7536) and lucene-solr (CVE-2017-3163, CVE-2017-12629) and enabled libpdfbox2-java to build from source again (#887479).
• This month we received another report about security issues in jackson-databind. I resolved this by upgrading to upstream version 2.9.4 and since the jackson stack is usually upgraded in lockstep I ended up with additional uploads for nine different packages.
• Oh Java 9: There are less and less low-hanging fruits by now. Roughly 50 bugs are still open which prevent the switch to OpenJDK 9 as the default JDK/JRE in Debian. This month I fixed or provided patches for nescc, openjpeg2, sonic, ssvnc and pegasus-wms. I also investigated salliere and pescetti. Furthermore I requested the removal of obsolete packages from Debian namely libpam4j, ha-jdbc, tyger-types and libgroboutils-java.

Debian LTS

This was my twenty-third month as a paid contributor and I have been paid to work 18,25 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

• From 08.01.2018 until 14.01.2018 I was in charge of our LTS frontdesk. I investigated and triaged CVE in libhibernate-validator-java, libkohana2-php, xbmc, jasperreports, transmission, wireshark, osc, xmltooling, php5 and openocd.
• DLA-1241-1. Issued a security update for libkohana2-php fixing 1 CVE.
• DLA-1242-1. Issued a security update for xmltooling fixing 1 CVE.
• DLA-1243-1. Issued a security update for xbmc fixing 1 CVE.
• DLA-1251-1. Issued a security update for php5 fixing 1 CVE.
• DLA-1253-1. Issued a security update for openocd fixing 1 CVE.
• DLA-1254-1. Issued a security update for lucene-solr fixing 1 CVE.
• DLA-1264-1. Issued a security update for unbound fixing 1 CVE.
• DLA-1265-1. Issued a security update for krb5 fixing 6 CVE.

Misc

• I reviewed a patch for byzanz (#886439) but wasn't really happy with the result.
• I released version 1.4.10 of imlib2.
• The discussion about a new reportbug feature gathered momentum in #878088 and I am confident now that we can conclude this issue in February.

Thanks for reading and see you next time.