My Free Software Activities in October 2017

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in  Java, Games and LTS topics, this might be interesting for you.

Debian Games

• I packaged a new upstream version of springlobby. There is even a more recent one now but I discovered that it would fail to build from source. I reported the issue and now I am waiting for another release.
• These packages were also updated: bullet, tuxfootball (#876481), berusky (#877979), spring, hitori and trackballs.
• I released a new version of cube2-data, a DFSG-free version of the Sauerbraten game. This release was largely made possible thanks to the work of Nyav.
• I prepared two stable point releases of berusky and simutrans to fix #877979 and # 869029 for users of Debian's stable distributions too. The bug in Berusky is already resolved but I'm still waiting for the confirmation to upload simutrans (#878668).
• I updated wing and biniax2. Here I discovered that biniax2 would segfault immediately at startup after recompilation. I tracked down the issue to some C code that caused undefined behavior, prepared a patch and released a fixed revision.
• I sponsored a new upstream version of mupen64plus-qt.

Debian Java

• This month I started to work on fixing Java9 bugs since Java 9 shall become the new default JDK/JRE for Buster. The bug reports were filed by Chris West who did the important work of identifying build failures and broken packages. I started with some low hanging fruits first and the following packages are now Java 9 ready: libgetopt-java, libjide-oss-java, activemq-protobuf, antelope, yecht, slashtime, colorpicker, f2j, libreadline-java, libjaxp1.3-java, jlapack, isorelax, libisrt-java, rxtx, uima-addons.
• New upstream releases this month: apktool, jboss-xnio, okio, pdfsam, libsejda-java, bcel, autocomplete, mediathekview, sweethome3d.
• MediathekView introduced yet another build-dependency. Let's welcome libokhttp-java in Debian.
• I upgraded jackson-databind to fix CVE-2017-7525. While I was at it, I continued this work with jackson-core, jackson-annotations, jackson-dataformat-xml, jackson-jr, jackson-datatype-joda, jackson-module-jaxb-annotations, jackson-dataformat-cbor, jackson-dataformat-smile, jackson-dataformat-yaml and jackson-jaxrs-providers. I also requested the removal of jackson-datatype-guava.
• More resolved RC issues: commons-io (#873118), tycho (#879250)
• Package updates: mockobjects (converted from CDBS to DH) and jblas (RC #877225, #873212, #698176)
• The Maven 2 to Maven 3 transition caused (and still causes) a lot of fallout: I investigated the following packages with RC bugs. In most cases the issue was in another package, so the bugs could be closed but there were also packages like conversant-disruptor (#869002) which caused build failures unrelated to the transition. In total 15 packages were triaged or fixed: jasypt (#871195), mustache-java (#869009), libslf4j-java, apache-log4j2, conversant-disruptor, powermock(#869017), jetty9(#869021), maven-site-plugin(#869001),  javamail(#871102), assertj-core(#871131), java-allocation-instrumenter(#869251), json-smart(#868603), sisu-guice(#868611), maven-archiver(#871069), doxia-sitetools(#875948)
• I have started to work on a new upstream version of triplea, multiple strategy games written in Java. The update would fix a couple of bugs and make the package ready for Java 9.
• It was also requested to upgrade Gradle to version 3.4.1 at least. I have made good progress but there is more work to do.

Debian LTS

This was my twentieth month as a paid contributor and I have been paid to work 19 hours on Debian LTS, a project started by Raphaël Hertzog. I will catch up with the remaining 1,75 hours in November. In that time I did the following:

• From 30. October to 05. November I was in charge of our LTS frontdesk. I triaged bugs in jasperreports, jbossas4, libstruts1.2-java, httpcomponents-client, vim, emacs23, trafficserver, async-http-client, liblouis, wordpress, apr, apr-utils, redis, nautilus, libpam4j and spip.
• I decided to mark jbossas4 as end-of-life because the Java application server was never fully packaged and the version in Wheezy is already nine years old. I investigated the open security issues in jasperreports and contacted upstream but they have not published any details yet.
• I pinged bug #878088. The reportbug maintainer still has to respond to the idea of informing the security teams when users report bugs in security uploads. I will discuss the possibility with the rest of the team, whether it is helpful to patch reportbug in Wheezy/Jessie/Stretch now.
• DLA-1151-1 and DLA-1160-1. Issued two security updates for WordPress  addressing 10 CVE. It was later discovered that the patch for CVE-2017-14990 was incomplete and caused a regression when using WordPress' multi-site feature. Single-site installations were not affected. The complete fix would either include a  database upgrade or a different approach without using the new database field "signup_id". I reverted the patch for now and issued a regression update in DLA-1151-2.
• DLA-1158-1. Issued a security update for bchunk fixing 3 CVE.
• DLA-1159-1. Issued a security update for graphicsmagick fixing 2 CVE.
• DLA-1164-1. Issued a security update for mupdf fixing 2 CVE.
• DLA-1165-1. Issued a security update for libpam4j fixing 1 CVE.
• DLA-1167-1. Issued a security update for ruby-yajl fixing 1 CVE.
• DLA-1157-1. I uploaded a security update for openssl. The update was prepared by Kurt Roeckx, the maintainer of openssl.

Misc

• I prepared the security updates for libpam4j (DSA-4025-1) and bchunk (DSA-4026-1) and fixed the same issues in Sid and Buster.

 
Thanks for reading and see you next time.