Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in Java, Games and LTS topics, this might be interesting for you.
Debian Games
- Since Alioth is history now I picked up some random games this month, converted their SVN repositories to Git and moved them to salsa.debian.org. Meanwhile I also updated those games to the latest standards in Debian. But even if they were already maintained in Git, some of them just deserved a new lease of life. Their names are: openssn, oneisenough, geki2, lmemory, ardentryst, barrage, asylum, amphetamine, bouncy, berusky2-data, phlipple, blocks-of-the-undead, billard-gl, pathological and freecol.
- I packaged new upstream releases of bzflag, trackballs and enet.
- I fixed an RC bug (import error) in raincat (#897542).
- I adopted pente and bastet because the former uploaders are no longer active in Debian.
- I made the quiz in childsplay playable again.
Debian Java
- Another month, another Java bug squashing party. I could triage and fix a couple of RC bugs in electric, uddi4j, modulator, libjide-oss-java, lucene-solr, libhtmlparser-java, mongo-java-driver, libxalan2-java, libjibx1.2-java, svnkit, libxerces2-java.
- New upstream releases: okio, wildfly-common, jboss-modules, jboss-logmanager, undertow and batik.
- Unfortunately we had to make a decision in regard to undertow (embeddable webserver) and decided to request the removal from Stable. It is rather frequently affected by security issues but upstream often provides little information on how to fix them (except for the usual "upgrade to the latest release" of course). I filed a bug report and asked for a better and more transparent security policy but it will probably take some time until it is implemented. In the meantime we will remove Undertow from Stable because it has no reverse-dependencies and simply saves us time for more important tasks.
- I prepared security updates for batik (DSA-4215-1), zookeeper (DSA-4214-1) in Stretch and jackson-databind (DSA-4190-1) (Jessie/Stretch).
Debian LTS
This was my twenty-seventh month as a paid contributor and I have been paid to work 24,25 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:
- From 21.05.2018 until 27.05.2018 I was in charge of our LTS frontdesk. I investigated and triaged CVE in glusterfs, tomcat7, zookeeper, imagemagick, strongswan, radare2, batik, mupdf and graphicsmagick.
- I drafted an announcement for Wheezy's EOL that was later released as DLA-1393-1 and as an official Debian news.
- DLA-1384-1. I reviewed and uploaded xdg-utils for Abhijith PA.
- DLA-1381-1. Issued a security update for imagemagick/Wheezy fixing 3 CVE.
- DLA-1385-1. Issued a security update for batik/Wheezy fixing 1 CVE.
- Prepared a backport of Tomcat 7.0.88 for Jessie which fixes all open CVE (5) in Jessie. From now on we intend to provide the latest upstream releases for a specific Tomcat branch. We hope this will improve the user experience. It also allows Debian users to get more help from Tomcat developers directly because there is no significant Debian specific delta anymore. The update is pending review by the security team.
- Prepared a security update for graphicsmagick fixing 19 CVE. I also investigated CVE-2017-10794 and CVE-2017-17913 and came to the conclusion that the Jessie version is not affected. I merged and reviewed another update by László Böszörményi. At the moment the update is pending review by the security team. Together these updates will fix the most important issues in Graphicsmagick/Jessie.
- DSA-4214-1. Prepared a security update for zookeeper fixing 1 CVE.
- DSA-4215-1. Prepared a security update for batik/Jessie fixing 1 CVE.
- Prepared a security update for memcached in Jessie and Stretch fixing 2 CVE. This update is also pending review by the security team.
- Finished the security update for JRuby (Jessie and Stretch) fixing 5 and 7 CVE respectively. However, we discovered that JRuby fails to build from source in Jessie and a fix or workaround will most likely break reverse-dependencies. Thus we have decided to mark JRuby as end-of-life in Jessie, also because the version is already eight years old.
Misc
- I reviewed and sponsored xtrkcad for Jörg Frings-Fürst.
Thanks for reading and see you next time.