My Free Software Activities in June 2016

My monthly report covers what I have been doing for Debian. I write it for Debian's Long Term Support sponsors but also for the wider free software community in the hope that it might inspire people to get more involved with Debian or free software in general.

Debian Android

• We (the Android Tools Maintainers and our three GSoC students) started our regular IRC meetings on Thursday.
• I am mostly involved in answering packaging questions, reviewing package updates and uploading them to the archive.
• I sponsored new versions of android-platform-build, android-platform-external-libselinux, android-platform-external-libunwind, android-platform-frameworks-base, android-platform-system-core and android-platform-system-extras.
• I sponsored a new revision of apktool prepared by Chirayu Desai and myself that fixed the decoding issue from last month and three other bugs. Thanks to Paul Wise for the reports and Chirayu for fixing two bugs and creating a separate android-framework-res binary package on which we could depend on. It seems decoding works now as intended but we still need to tackle the building problem.

Debian Games

• I packaged CaveExpress and CavePacker for Debian. CaveExpress is a remake of the old Amiga classic Ugh! In this game you control a pedal-powered flying machine and pick up packages from your clients. An interesting aspect of CaveExpress is its physics-based gameplay. The packages must be delivered to a collection point and their movement is quite realistic thanks to the excellent Box2d physics engine. The other game, CavePacker, based on the same engine as CaveExpress is a Sokoban-like game. Both games feature dozens of levels and if you have nothing better to do, you should definitely check them out.
• This month I also packaged a new upstream release of Netpanzer. Apparently there is new upstream activity.
• Blockattack 2.0 was released and is now available in Debian.
• I also updated the following packages: kball, pathogen, ceferino, slimevolley, pangzero and airstrike.
• I adopted abe, berusky and berusky-data, updated the packages to use modern debian helpers and also packaged version 1.7 of berusky, a great Sokoban-like game by the way.
• June also saw a new release of debian-games, several metapackages that make it much easier to install a subset of games or even the finest.
• I sponsored RC-bug fixes for parsec47, tumiki-fighters, mu-cade and tatan all prepared by Peter De Wachter who keeps our D (yes, that's a language) games alive. But we will face more issues in the post Stretch future. Apparently the D language people intend to remove parts of their API and of course all our D-based games are affected. Peter has announced more information about that. I think all these games are pretty unique and real gems. If you know a little D and want to help out, please get involved.

Debian Java

• I sponsored a new package for Tobias Ilte, stegosuite, a steganography tool to hide information in image files.
• I packaged new upstream releases of jboss-logmanager, jboss-modules, jboss-xnio, activemq and undertow.
• Together with Emmanuel Bourg I prepared a security update for Tomcat 8  fixing 8 CVEs. (DSA-3609-1)
• I backported the lastest stable release of mysql-connector-java to Jessie to fix CVE-2015-2575. A DSA is pending.
• I blogged about the default Java switch in Wheezy.

Debian LTS

This was my fifth month as a paid contributor and I have been paid to work 19,75 hours on Debian LTS. In that time I did the following:

• DLA-501-1. Salvatore Bonaccorso from Debian's Security Team discovered that the original fix for CVE-2015-7552 (DLA-450-1) was incomplete. I prepared and uploaded a new revision of gdk-pixbuf and issued the DLA.
• DLA-502-1. Issued a security update for graphicsmagick fixing 1 CVE.
• DLA-504-1. Issued a security update for libxstream-java fixing 1 CVE which was prepared by Emmanuel Bourg.
• DLA-505-1. Issued a security update for libpdfbox-java fixing 1 CVE.
• DLA-508-1. Issued a security update for expat fixing 2 CVE.
• DLA-511-1. Issued a security update for libtorrent-rasterbar fixing 1 CVE.
• DLA-526-1. Issued a security update for mysql-connector-java fixing 1 CVE. I also prepared the update for Jessie which is still pending to be reviewed by the Security Team.
• DLA-528-1. Issued a security update for libcommons-fileupload-java fixing 1 CVE.
• DLA-529-1. Issued a security update for tomcat7 fixing 1 CVE.
• DLA-530-1. As previously announced I switched the default Java implementation from OpenJDK 6 to OpenJDK 7.
• DLA-537-1. Issued a security update for roundcube fixing 1 CVE. I triaged CVE-2016-5103, CVE-2015-2180 and CVE-2015-2181 and marked them as "not-vulnerable".
• I triaged 22 CVEs for libarchive and marked two of them as "not-vulnerable". You can find my preliminary work for libarchive on the wheezy branch in Debian's git repository. I expect a security update very soon.
• From 13 June to 19. June I was responsible for Wheezy's LTS frontdesk. It was a rather calm week on the debian-lts mailing list and in our IRC channel. I triaged CVE-2016-4970 (netty), CVE-2016-3189 (bzip2), CVE-2016-1621 (libvpx) and CVE-2016-4493, CVE-2016-4492, CVE-2016-4491, CVE-2016-4490, CVE-2016-4489, CVE-2016-4488, CVE-2016-4487, CVE-2016-2226 which were all minor issues in developer tools or in the gcc toolchain.
• I commented on Ola's question about open security issues in phpmyadmin.

QA uploads

• I fixed pygccxml that threatened to remove spring.
• I completely overhauled gl-117, fixed four bugs and closed two obsolete ones. gl-117 always reminds me a little of the Falcon series from the early 90ies.