Welcome to gambaru.de. Here is my monthly report (+ the first week in November) that covers what I have been doing for Debian. If you're interested in Java, Games and LTS topics, this might be interesting for you.
Debian Games
- I released a new version of debian-games, a collection of metapackages for games. As expected the Python 2 removal takes its toll on games in Debian that depend on pygame or other Python 2 libraries. Currently we have lost more games in 2020 than could be newly introduced to the archive. All in all it could be better but also a lot worse.
- New upstream releases were packaged for freeorion and xaos.
- Most of the time was spent on upgrading the bullet physics library to version 3.06, testing all reverse-dependencies and requesting a transition for it. (#972395) Similar to bullet I also updated box2d, the 2D counterpart. The only reverse-dependency, caveexpress fails to build from source with box2d 2.4.1, so unless I can fix it, it doesn't make much sense to upload the package to unstable.
- Some package polishing: I could fix two bugs in stormbaancoureur, patch by Helmut Grohne, and ardentryst that required a dependency on python3-future to start.
- I sponsored mgba and pekka-kana-2 for Ryan Tandy and Carlos Donizete Froes
- and started to work on porting childsplay to Python 3.
- Finally I did a NMU for bygfoot to work around a GCC 10 FTBFS.
Debian Java
- I uploaded pdfsam and its related sejda libraries to unstable and applied an upstream patch to fix an error with Debian's jackson-jr version. Everything should be usable and up-to-date now.
- I updated mina2 and investigated a related build failure in apache-directory-server, packaged a new upstream release of commons-io and undertow and fixed a security vulnerability in junit4 by upgrading to version 4.13.1.
- The upgrade of jflex to version 1.8.2 took a while. The package is available in experimental now but regression tests with ratt showed, that several reverse-dependencies FTBFS with 1.8.2. Since all of these projects work fine with 1.7.0, I intend to postpone the upload to unstable. No need to break something.
Misc
- This month also saw new upstream versions of wabt and binaryen.
- I intend to update ublock-origin in Buster but I haven't heard back from the release team yet. (#973695)
Debian LTS
This was my 56. month as a paid contributor and I have been paid to work 20,75 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:
- DLA-2440-1. Issued a security update for poppler fixing 9 CVE.
- DLA-2445-1. Issued a security update for libmaxminddb fixing 1 CVE.
- DLA-2447-1. Issued a security update for pacemaker fixing 1 CVE. The update had to be reverted because of an unexpected permission problem. I am in contact with one of the users who reported the regression and my intention is to update pacemaker to the latest supported release in the 1.x branch. If further tests show no regressions anymore, a new update will follow shortly.
- Investigated CVE-2020-24614 in fossil and marked the issue as no-dsa because the impact for Debian users was low.
- Investigated the open security vulnerabilities in ansible (11) and prepared some preliminary patches. The work is ongoing.
- Fixed the remaining zsh vulnerabilities in Stretch in line with Debian 8 "Jessie", so that all versions in Debian are equally protected.
ELTS
Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 8 „Jessie“. This was my 29. month and I have been paid to work 15 hours on ELTS.
- ELA-302-1. Issued a security update for poppler fixing 2 CVE. Investigated Debian bug #942391, identified the root cause and reverted the patch for CVE-2018-13988.
- ELA-303-1. Issued a security update for junit4 fixing 1 CVE.
- ELA-316-1. Issued a security update for zsh fixing 7 CVE.
Thanks for reading and see you next time.