My Free Software Activities in April 2018

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

• I adopted childsplay, a suite of educational games for young children. I triaged all open bugs and thanks to a very responsive upstream developer the game is back in testing again now.
• I did a QA upload for pax-britannica to fix #825673 and #718884 and updated the packaging.
• In the same vein I did two NMUs for animals and acm and fixed RC bugs #875547 and #889530. Later I contacted the release team to get the fix for animals into Stretch too.
• I packaged new upstream releases of extremetuxracer, adonthell, renpy and pygame-sdl2.
• I sponsored and reviewed new versions of tanglet, connectagram and cutemaze for Innocent de Marchi.
• I released version 2.3 of debian-games, a collection of metapackages to make it easier to find and install certain types of games.
• I backported the latest release of freeciv to Stretch.
• Finally I could resolve the RC bugs in morris and grhino and both games are part of Buster again.

Debian Java

• Last month I talked about the switch to OpenJDK 9 as the default runtime in Debian, only one month later number nine is gone and OpenJDK 10 is here. We could significantly reduce the RC bugs introduced by the switch to version nine but there are still many bugs left including an upgrade to a Gradle version that supports Java 9, fixing OpenJFX in Debian and bringing the Eclipse IDE back into shape. The switch to OpenJDK 10 gave us even more work to do since the javah tool and more internal classes or methods were removed. Naturally this increased our bug count a little but it seems it is not as bad as anticipated. Still the list of Java 9 issues and our general RC bug count is challenging, any help is welcome.
• I addressed or triaged RC bugs in the following packages: libfreemarker-java, libstax-java, libgoogle-gson-java, gradle, sat4j, dita-ot, csvjdbc, jsoup, libcommons-validator-java, libcommons-lang3-java, libquartz2-java, livetribe-jsr223, javassist, scala, openjpa, activemq, libnb-platform18-java, fop, libxbean-java and checkstyle.
• New upstream releases this month: libsmali-java, apktool, easymock, jboss-modules, jboss-logmanager, libpdfbox2-java.
• I prepared security updates for jruby in oldstable and stable but haven't resolved a build failure in Jessie that is unrelated to the update yet. I have also prepared the security updates for lucene-solr in Sid and Stretch (DSA-4194-1) and jackson-databind (DSA-4190-1).

Debian LTS

This was my twenty-sixth month as a paid contributor and I have been paid to work 16,25 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

• From 16.04.2018 until 22.04.2018 I was in charge of our LTS frontdesk. I investigated and triaged CVE in bouncycastle, jruby, typo3-src, imagemagick, pegl, ocaml, radare2, movabletype-opensource, cacti, ghostscript, glusterfs, jasperreports, xulrunner, phpmyadmin, gunicorn, psensor, nasm and lucene-solr.
• DLA-1352-1. Issued a security update for jruby fixing 1 CVE.
• DLA-1361-1. Issued a security update for psensor fixing 1 CVE.
• DLA-1363-1. Issued a security update for ghostscript fixing 1 CVE.
• DLA-1366-1. Issued a security update for wordpress fixing 2 CVE.
• DSA-4190-1. Prepared the security update for jackson-databind in Jessie fixing 1 CVE.
• DSA-4194-1. Prepared the security update for lucene-solr in Jessie fixing 1 CVE.
• Prepared a security update for imagemagick in Jessie fixing 8 CVE. At the moment it is pending review by the security team and will be released soon.
• Prepared and uploaded a point-update for faad2 in Jessie and Stretch that addresses 11 security vulnerabilities. (#897369)
• Prepared a security update for php5 in Wheezy. This one will be released soon. (DLA-1373-1)

Misc

• I filed wishlist bugs against tracker.debian.org (#897225 and #897227) and requested a feature to allow users to override certain metainformation like VCS-URLs. In the past years we changed VCS addresses multiple times which always requires a source upload. In my opinion this is a design flaw and highly inefficient and such a change in tracker would make it possible to drop the fields from our team maintained packages.

Thanks for reading and see you next time.