My Free Software Activities in November 2017

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in  Java, Games and LTS topics, this might be interesting for you.

Debian Games

Debian Java

  • New upstream versions this month: undertow, jackrabbit, libpdfbox2, easymock, libokhttp-java, mediathekview, pdfsam, libsejda-java, libsambox-java and libnative-platform-java.
  • I updated bnd (2.4.1-7) in order to help with the removal of Eclipse from Testing. Unfortunately there is more work to do and the only way forward is to package a newer version of Eclipse and to split the package in a way, so that such issues can be avoided in the future. P.S.: We appreciate help with maintaining Eclipse! (#681726)
  • I sponsored libimglib2-java for Ghislain Antony Vaillant.
  • I fixed a regression in libmetadata-extractor-java related to relative classpaths. (#880746)
  • I spent more time on upgrading Gradle to version 3.4.1 and finally succeeded. The package is in experimental now. Upgrading from 3.2.1 to 3.4.1 didn't seem like a big undertaking but the 8 MB debdiff and ~170000 lines of code changes proved me wrong. I discovered two regressions with this version in mockito and bnd. The former one could be resolved but bnd requires probably an upgrade as well. I would like to avoid that at the moment because major bnd upgrades tend to affect dozens of reverse-dependencies, mostly in a negative way.
  • Netbeans was affected by a regression in jaxb and failed to build from source. (#882525) I could partly revert the damage but another bug in jaxb 2.3.0 is currently preventing a complete recovery.
  • I fixed two Java 9 transition bugs in libnative-platform-java (#874645) and  jedit (#875583).

Debian LTS

This was my twenty-first month as a paid contributor and I have been paid to work 14.75 hours (13 +1.75 from October) on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • DLA-1177-1. Issued a security update for poppler fixing 4 CVE.
  • DLA-1178-1. Issued a security update for opensaml2 fixing 1 CVE.
  • DLA-1179-1. Issued a security update for shibboleth-sp2 fixing 1 CVE.
  • DLA-1180-1. Issued a security update for libspring-ldap-java fixing 1 CVE.
  • DLA-1184-1. Issued a security update for optipng fixing 1 CVE.
  • DLA-1185-1. Issued a security update for sam2p fixing 1 CVE.
  • DLA-1197-1. Issued a security update for sox fixing 7 CVE.
  • DLA-1198-1. Issued a security update for libextractor fixing 6 CVE. I also discovered that libextractor in buster/sid is still affected by more security issues and reported my findings as Debian bug #883528.

Misc

  • I packaged a new upstream release of osmo, a neat task manager and calendar application.
  • I prepared a security update for sam2p, which will be part of the next Jessie point release, and libspring-ldap-java. (DSA-4046-1)

Thanks for reading and see you next time.

My Free Software Activities in October 2017

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in  Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • I packaged a new upstream version of springlobby. There is even a more recent one now but I discovered that it would fail to build from source. I reported the issue and now I am waiting for another release.
  • These packages were also updated: bullet, tuxfootball (#876481), berusky (#877979), spring, hitori and trackballs.
  • I released a new version of cube2-data, a DFSG-free version of the Sauerbraten game. This release was largely made possible thanks to the work of Nyav.
  • I prepared two stable point releases of berusky and simutrans to fix #877979 and # 869029 for users of Debian's stable distributions too. The bug in Berusky is already resolved but I'm still waiting for the confirmation to upload simutrans (#878668).
  • I updated wing and biniax2. Here I discovered that biniax2 would segfault immediately at startup after recompilation. I tracked down the issue to some C code that caused undefined behavior, prepared a patch and released a fixed revision.
  • I sponsored a new upstream version of mupen64plus-qt.

Debian Java

  • This month I started to work on fixing Java9 bugs since Java 9 shall become the new default JDK/JRE for Buster. The bug reports were filed by Chris West who did the important work of identifying build failures and broken packages. I started with some low hanging fruits first and the following packages are now Java 9 ready: libgetopt-java, libjide-oss-java, activemq-protobuf, antelope, yecht, slashtime, colorpicker, f2j, libreadline-java, libjaxp1.3-java, jlapack, isorelax, libisrt-java, rxtx, uima-addons.
  • New upstream releases this month: apktool, jboss-xnio, okio, pdfsam, libsejda-java, bcel, autocomplete, mediathekview, sweethome3d.
  • MediathekView introduced yet another build-dependency. Let's welcome libokhttp-java in Debian.
  • I upgraded jackson-databind to fix CVE-2017-7525. While I was at it, I continued this work with jackson-core, jackson-annotations, jackson-dataformat-xml, jackson-jr, jackson-datatype-joda, jackson-module-jaxb-annotations, jackson-dataformat-cbor, jackson-dataformat-smile, jackson-dataformat-yaml and jackson-jaxrs-providers. I also requested the removal of jackson-datatype-guava.
  • More resolved RC issues: commons-io (#873118), tycho (#879250)
  • Package updates: mockobjects (converted from CDBS to DH) and jblas (RC #877225, #873212, #698176)
  • The Maven 2 to Maven 3 transition caused (and still causes) a lot of fallout: I investigated the following packages with RC bugs. In most cases the issue was in another package, so the bugs could be closed but there were also packages like conversant-disruptor (#869002) which caused build failures unrelated to the transition. In total 15 packages were triaged or fixed: jasypt (#871195), mustache-java (#869009), libslf4j-java, apache-log4j2, conversant-disruptor, powermock(#869017), jetty9(#869021), maven-site-plugin(#869001),  javamail(#871102), assertj-core(#871131), java-allocation-instrumenter(#869251), json-smart(#868603), sisu-guice(#868611), maven-archiver(#871069), doxia-sitetools(#875948)
  • I have started to work on a new upstream version of triplea, multiple strategy games written in Java. The update would fix a couple of bugs and make the package ready for Java 9.
  • It was also requested to upgrade Gradle to version 3.4.1 at least. I have made good progress but there is more work to do.

Debian LTS

This was my twentieth month as a paid contributor and I have been paid to work 19 hours on Debian LTS, a project started by Raphaël Hertzog. I will catch up with the remaining 1,75 hours in November. In that time I did the following:

  • From 30. October to 05. November I was in charge of our LTS frontdesk. I triaged bugs in jasperreports, jbossas4, libstruts1.2-java, httpcomponents-client, vim, emacs23, trafficserver, async-http-client, liblouis, wordpress, apr, apr-utils, redis, nautilus, libpam4j and spip.
  • I decided to mark jbossas4 as end-of-life because the Java application server was never fully packaged and the version in Wheezy is already nine years old. I investigated the open security issues in jasperreports and contacted upstream but they have not published any details yet.
  • I pinged bug #878088. The reportbug maintainer still has to respond to the idea of informing the security teams when users report bugs in security uploads. I will discuss the possibility with the rest of the team, whether it is helpful to patch reportbug in Wheezy/Jessie/Stretch now.
  • DLA-1151-1 and DLA-1160-1. Issued two security updates for WordPress  addressing 10 CVE. It was later discovered that the patch for CVE-2017-14990 was incomplete and caused a regression when using WordPress' multi-site feature. Single-site installations were not affected. The complete fix would either include a  database upgrade or a different approach without using the new database field "signup_id". I reverted the patch for now and issued a regression update in DLA-1151-2.
  • DLA-1158-1. Issued a security update for bchunk fixing 3 CVE.
  • DLA-1159-1. Issued a security update for graphicsmagick fixing 2 CVE.
  • DLA-1164-1. Issued a security update for mupdf fixing 2 CVE.
  • DLA-1165-1. Issued a security update for libpam4j fixing 1 CVE.
  • DLA-1167-1. Issued a security update for ruby-yajl fixing 1 CVE.
  • DLA-1157-1. I uploaded a security update for openssl. The update was prepared by Kurt Roeckx, the maintainer of openssl.

Misc

  • I prepared the security updates for libpam4j (DSA-4025-1) and bchunk (DSA-4026-1) and fixed the same issues in Sid and Buster.

 
Thanks for reading and see you next time.

My Free Software Activities in September 2017

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in  Java, Games and LTS topics, this might be interesting for you.

Debian Games

Debian Java

Debian LTS

This was my nineteenth month as a paid contributor and I have been paid to work 15,75 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 18. September to 24. September I was in charge of our LTS frontdesk. I triaged bugs in poppler, binutils, kannel, wordpress, libsndfile, libexif, nautilus, libstruts1.2-java, nvidia-graphics-drivers, p3scan, otrs2 and glassfish.
  • DLA-1108-1. Issued a security update for tomcat7 fixing 1 CVE.
  • DLA-1116-1. Issued a security update for poppler fixing 3 CVE.
  • DLA-1119-1. Issued a security update for otrs2 fixing 4 CVE.
  • DLA-1122-1. Issued a security update for asterisk fixing 1 CVE. I also investigated CVE-2017-14099 and CVE-2017-14603. I decided against a backport because the fix was too intrusive and the vulnerable option is disabled by default in Wheezy's version which makes it a minor issue for most users.
  • I submitted a patch for Debian's reportbug tool. (#878088) During our LTS BoF at DebConf 17 we came to the conclusion that we should implement a feature in reportbug that checks whether the bug reporter wants to report a regression for a recent security update. Usually the LTS and security teams  receive word from the maintainer or users who report issues directly to our mailing lists or IRC channels. However in some cases we were not informed about possible regressions and the new feature in reportbug shall ensure that we can respond faster to such reports.
  • I started to investigate the open security issues in wordpress and will complete the work in October.

Misc

  • I packaged a new version of xarchiver. Thanks to the work of Ingo Brückl xarchiver can handle almost all archive formats in Debian now.

QA upload

  • I did a QA upload of xball, an ancient game from the 90ies that simulates bouncing balls.  It should be ready for another decade at least.

Thanks for reading and see you next time.

My Free Software Activities in August 2017

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in  Java, Games and LTS topics, this might be interesting for you.

DebConf 17 in Montreal

I traveled to DebConf 17 in Montreal/Canada. I arrived on 04. August and met a lot of different people which I only knew by name so far. I think this is definitely one of the best aspects of real life meetings, putting names to faces and getting to know someone better. I totally enjoyed my stay and I would like to thank all the people who were involved in organizing this event. You rock! I also gave a talk about the "The past, present and future of Debian Games",  listened to numerous other talks and got a nice sunburn which luckily turned into a more brownish color when I returned home on 12. August. The only negative experience I made was with my airline which was supposed to fly me home to Frankfurt again. They decided to cancel the flight one hour before check-in for unknown reasons and just gave me a telephone number to sort things out.  No support whatsoever. Fortunately (probably not for him) another DebConf attendee suffered the same fate and together we could find another flight with Royal Air Maroc the same day. And so we made a short trip to Casablanca/Morocco and eventually arrived at our final destination in Frankfurt a few hours later. So which airline should you avoid at all costs (they still haven't responded to my refund claims) ? It's WoW-Air from Iceland. (just wow)

Debian Games

Debian Java

Debian LTS

This was my eighteenth month as a paid contributor and I have been paid to work 20,25 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 31. July until 06. August I was in charge of our LTS frontdesk. I triaged bugs in tinyproxy, mantis, sox, timidity, ioquake3, varnish, libao, clamav, binutils, smplayer, libid3tag, mpg123 and shadow.
  • DLA-1064-1. Issued a security update for freeradius fixing 6 CVE.
  • DLA-1068-1. Issued a security update for git fixing 1 CVE.
  • DLA-1077-1. Issued a security update for faad2 fixing 11 CVE.
  • DLA-1083-1. Issued a security update for openexr fixing 3 CVE.
  • DLA-1095-1. Issued a security update for freerdp fixing 5 CVE.

Non-maintainer upload

  • I uploaded a security fix for openexr (#864078) to fix CVE-2017-9110, CVE-2017-9112 and CVE-2017-9116.

Thanks for reading and see you next time.

My Free Software Activities in July 2017

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in  Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • I backported freeciv, freeorion and minetest to stretch-backports.
  • The bug fix (#866378) for 3dchess also landed in Stretch and Jessie.
  • I sponsored Lugaru for Vincent Prat and Martin Erik Werner, a really cool 3D fighting game featuring a rabbit. The game is dfsg-free now and will replace openlugaru.
  • I uploaded fifechan to unstable and packaged new upstream versions of fife, unknown-horizons, adonthell-data and hyperrogue.
  • I fixed bugs in bloboats (#864534), lordsawar (RC #866988), kraptor (#826423), pathogen (#845991), fretsonfire (#866426), blockout2 (#826416), boswars (#827112), kanatest (RC #868315, fix also backported to Stretch), overgod (#827114), morris (#829948, #721834, #862224), mousetrap (#726842), alsoft-conf (#784052, #562898) and nikwi (#835625)
  • I uploaded a new revision of clanlib and teg fixing Perl transition bugs. The patches were provided by gregor herrmann. I added myself to Uploaders in case of teg because the package was missing a human maintainer.
  • I adopted trackballs after I discovered #868983 where Henrique de Moraes Holschuh called attention to a new fork of Trackballs. The current version was broken and unplayable and it was only a matter of time before the game was removed from Debian. I could fix a couple of bugs, forwarded some issues upstream and I believe a nice game was saved.
  • I uploaded Bullet 2.86.1 to unstable and completed another Bullet transition.

Debian Java

Debian LTS

This was my seventeenth month as a paid contributor and I have been paid to work 23,5 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 24. July until 31. July I was in charge of our LTS frontdesk. I triaged bugs in tinyproxy, varnish, freerdp, ghostscript, gcc-4.6, gcc-4.7, fontforge, teamspeak-server, teamspeak-client, qpdf, nvidia-graphics-drivers and sipcrack. I also pinged Diego Biurrun for more information about the next libav update and replied to questions on the debian-lts mailing list and LTS IRC channel.
  • DLA 1034-1. Issued a security update for php5 fixing 5 CVE. I discussed CVE-2017-11362 with the security team. We came to the conclusion that it was no security issue but just a normal bug.
  • DLA 1036-1. Issued a security update for gsoap fixing 1 CVE.
  • DLA 1037-1. Issued a security update for catdoc fixing 1 CVE.
  • DLA 613-2. Issued a regression update for roundcube.
  • DLA 1045-1. Issued a security update for graphicsmagick fixing 10 CVE.
  • DLA 1047-1. Issued a security update for supervisor fixing 1 CVE.
  • DLA-1048-1.  Issued a security update for ghostscript fixing 8 CVE.

Non-maintainer upload

  • I uploaded the security fix for spice to unstable which was already fixed in Stretch and earlier versions.

Thanks for reading and see you next time.

PDFsam: How to upgrade a Maven application for Debian

pdfsam

In the coming weeks and months I intend to write a mini series about packaging Java software for Debian. The following article basically starts in the middle of this journey because the PDFsam upgrade is still fresh in my mind. It requires some preexisting knowledge about build tools like Maven and some Java terminology. But do not fear. Hopefully it will make sense in the end when all pieces fall into place.
A month ago I decided to upgrade PDFsam, a Java application to split, merge, extract, mix and rotate PDF documents. The current version 1.1.4 is already seven years old and uses Ant as its build system. Unfortunately up to now nobody was interested enough to invest the time to upgrade it to the latest version. A quick internet search unveils that the current sources can be found on github.com. Another brief look reveals we are dealing with a Maven project here because we can find a pom.xml file in the root directory and there is no sign of Ant's typical build.xml file anymore. Here are some general tips how to proceed from this point by using the PDFsam upgrade as an example.

Find out how many new dependencies you really need

The pom.xml file declares its dependencies in the <dependencies> section. It is good practice to inspect the pom.xml file and determine how much work will be required to upgrade the package. A seasoned Java packager will quickly find common dependencies like Hibernate or the Apache Commons libraries. Fortunately for you they are already packaged in Debian because a lot of projects depend on them. If you are unsure what is and what is not packaged for Debian, tracker.debian.org and codesearch.debian.net are useful tools to search for those packages. If in doubt just ask on debian-java@lists.debian.org. There is no automagical tool (yet) to find out what dependencies are really new (we talk about mh_make soon) but if you use the aforementioned tools and websites you will notice that in June 2017 one could not find the following artifacts: fontawesomefx, eventstudio, sejda-* and jackson-jr-objects. There are also jdepend and testFx but notice they are marked as <scope>test</scope> meaning they are only required if you would like to run upstream's test suite as well. For the sake of simplicity, it is best to ignore them for now and to focus on packaging only dependencies which are really needed to compile the application. Test dependencies can always be added later.

This pom.xml investigation leads us to the following conclusion: PDFsam depends on Sejda, a PDF library. Basically Sejda is the product of a major refactoring that happened years ago and allows upstream to develop PDFsam faster and in multiple directions. For Debian packagers it is quite clear now that the "upgrade" of PDFsam is in reality more like packaging a completely new application. The inspection of Sejda's pom.xml file (another Maven project) reveals we also have to package imgscalr, Twelvemonkeys and SAMBox. We continue with these pom.xml analyses and end up with these new source packages: jackson-jr, libimgscalr-java, libsambox-java, libsejda-java, libsejda-injector-java, libsejda-io-java, libsejda-eventstudio-java, libtwelvemonkeys-java, fontawesomefx and libpdfbox2-java. Later I discovered that gettext-maven-plugin was also required.

This was not obvious at first glance if you only check the pom.xml in the root directory but PDFsam and Sejda are multi-module projects! In this case every subdirectory (module) contains another pom.xml with additional information, so ideally you should check those too before you decide to start with your packaging. But don't worry it is often possible to ignore modules with a simple --ignore  rule inside your debian/*.poms file. The package will have less functionality but it can be still useful if you only need a subset of the modules. Of course in this case ignoring the gettext-maven-plugin artifact would result in a runtime error. C'est la vie.

A brief remark about Java package names: Java library packages must be named like libXXX-java. This is important for binary packages to avoid naming collisions. We are more tolerant when it comes to source package names but in general we recommend to use the exact same name as for the binary package. There are exceptions like prefixing source packages with their well known project name like jackson-XXX or jboss-XXX but this should only be used when there are already existing packages that use such a naming scheme. If in doubt, talk to us.

mh_make or how to quickly generate an initial debian directory

Packaging a Maven library is usually not very difficult even if it consists of multiple modules. The tricky part is to get the maven.rules, maven.IgnoreRules and your *.poms file right but debian/rules often only consists of a single dh line and the rest is finding the build-dependencies and adding them to debian/control.
A small tool called mh_make, which is included in maven-debian-helper, can lend you a helping hand. The tool is not perfect yet. It requires that most build-dependencies are already installed on your local system, otherwise it won't create the initial debian directory and will only produce some unfinished (but in some cases still useful) files.
A rule of thumb is to start with a package that does not depend on any other new dependency and requires the fewest build-dependencies.  I have chosen libtwelvemonkeys-java because it was the simplest package and met the aforementioned criteria.

Here is how mh_make looks like in action. (The animated GIF was created with Byzanz) First of all download the release tarball, unpack it and run mh_make inside the root directory.

Ok, what is happening here? First you can choose a source and binary package name. Then disable the tests and don't run javadoc to create the documentation. This will simplify things a little.  Tests and javadoc settings can be added later. Choose the version you want to package and then you can basically follow the default recommendations and confirm them by hitting the Enter key. Throughout the project we choose to transform the upstream version with the symbolic "debian" version. Remember that Java/Maven is version-centric. This will ensure that our Maven dependencies are always satisfied later and we can simply upgrade our Maven libraries and don't have to change the versions by hand in various pom.xml files; maven-debian-helper will automatically transform them for us to "debian". Enable all modules. If you choose not to, you can select each module individually. Note that later on some of the required build-dependencies cannot be found because they are either not installed (libjmagick6-java) or they cannot be found in Debian's Maven repository under /usr/share/maven-repo.  You can fix this by entering a substitution rule or, as I did in this case, you can just ignore these artifacts for now. They will be added to maven.IgnoreRules. In order to successfully compile your program you have to remove them from this file later again, create the correct substitution rule in maven.rules and add the missing build-dependencies to debian/control. For now we just want to quickly create our initial debian directory.

If everything went as planned a complete debian directory should be visible in your root directory. The only thing left is to fix the substitution rule for the Servlet API 3.1. Add libservlet3.1-java to Build-Depends and the following rule to maven.rules:
javax.servlet s/servlet-api/javax.servlet-api/ * s/.*/3.1/ * *
s/javax.servlet/javax.servlet.jsp/ s/jsp-api/javax.servlet.jsp-api/ * s/.*/2.3/ * *

The maven.rules file consists of multiple rows separated by six columns. The values represent groupId, artifactId, type, version number and two fields which I never use. 🙂 You can just use an asterisk to match any value. Every value can be substituted. This is necessary when the value of upstream's pom.xml file differs from Debian's system packages. This happens frequently for API packages which are uploaded to Maven Central multiple times under a different groupId/artifactId but provide the same features. In this case the Twelvemonkeys' pom requires an older API version but Debian is already at version 3.1. Note that we require a strict version number in this case because libservlet3.1-java does not use a symbolic debian version since we provide more than one Servlet API in the archive and this measure prevents conflicts.
Thanks for reading this far. More articles about Java packaging will follow in the near future and hopefully they will clarify some terms and topics which could only be briefly mentioned in this post.

before

and after

My Free Software Activities in June 2017

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in  Java, Games and LTS topics, this might be interesting for you.

Debian Games

Debian Java + Android

Debian LTS

This was my sixteenth month as a paid contributor and I have been paid to work 16 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • I triaged mp3splt and putty and marked CVE-2017-5666 and CVE-2017-6542 as no-dsa because the impact was very low.
  • DLA-975-1. I uploaded the security update for wordpress which I prepared last month fixing 6 CVE.
  • DLA-986-1. Issued a security update for zookeeper fixing 1 CVE.
  • DLA-989-1. Issued a security update for jython fixing 1 CVE.
  • DLA-996-1. Issued a security update for tomcat7 fixing 1 CVE.
  • DLA-1002-1. Issued a security update for smb4k fixing 1 CVE.
  • DLA-1013-1. Issued a security update for graphite2 fixing 8 CVE.
  • DLA-1020-1. Issued a security update for jetty fixing 1 CVE.
  • DLA-1021-1. Issued a security update for jetty8 fixing 1 CVE.

Misc

  • I updated wbar, fixed #829981 and uploaded mediathekview and osmo to unstable. For the Buster release cycle I decided to package the fork of xarchiver's master branch which receives regular updates and bug fixes. Besides being an GTK-3 application now, a lot of older bugs could be fixed.

Thanks for reading and see you next time.

My Free Software Activities in May 2017

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in  Java, Games and LTS topics, this might be interesting for you.

Debian Games

Bug fixes

  • ufoai (RC #861979) : Robert Hackbauer discovered that ufoai crashed as soon as one player joined a game. I had never seen this crash before and the bug probably surfaced due to the recompilation last month but fortunately I could get a meaningful backtrace and upstream was able to provide a patch within 24 hours.
  • pixbros (RC #861612): The RC bug in pixbros was a rather sad story as it was claimed that the level design (the design, not the artwork) was non-free. The bug submitter argued that there was a high degree of resemblance with one of the original games (pixbros is an amalgamation of several games) thus making pixbros unsuitable for Debian and non-free. This was the kind of bug report which you will probably only see in the games section. We have many games in the archive that try to be a clone and free software alternative of a more popular commercial and non-free game. Not only are they sometimes developed in a completely different programming language, their new artwork, even the gameplay can differ heavily. In this case the level design was just two-dimensional horizontal and vertical bars on which the protagonists perform their actions and in my opinion this is not what we call non-free in Debian. The sad part was, because it happens rather frequently, that random people think they are copyright and trademark experts although they are neither lawyers nor the original copyright holder and, to underline the layman status, often end their sentences with the ominous IANAL. I would like to see that people focus more on improving the games section by packaging new games and maintaining existing ones instead of playing hobby lawyer and creating issues where issues don't exist.
  • doomsday (RC #847651, #863536): Doomsday failed to start but Bernhard Übelacker provided a patch to fix #847651. If nobody beats me to it, I will also upload the fix for #863536 very soon.

New upstream release

  • I mentioned torcs in my last report which I adopted earlier. It turned out that some car models were non-free (not like pixbros but this time for real) because the license didn't allow modification. I repacked the tarball and released version 1.3.3+dfsg2-1 for Stretch (#861959) and pushed the latest upstream release to experimental. I also discovered that torcs would FTBFS due to a bug in debhelper and reported it. (#861852)
  • I packaged new upstream versions of freeorion, springlobby, freeciv and bzflag.

Debian Java

  • Elana Hashman is working on the clojure eco-system in Debian. I reviewed and sponsored libbultitude-clojure for her.
  • I fixed a follow-up bug in pdfsam (#855324) and documented in a NEWS file that the config file in $HOME must be updated by hand when a user upgrades from Jessie to Stretch.
  • I uploaded a new upstream release of activemq to experimental and fixed a minor changelog typo bug.

Debian LTS

This was my fifteenth month as a paid contributor and I have been paid to work 27,25 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 1. May until 7. May I was in charge of our LTS frontdesk. I triaged security issues in rxvt, imagemagick, libtirpc, rpcbind, binutils, wordpress, eglibc and tiff3.
  • I prepared a security update for wordpress fixing 6 CVE. I contacted the maintainer, Craig Small, for feedback and intend to release the update soon.
  • I have been working on smb4k which is currently affected by a root privilege vulnerability. Backporting the fix is non-trivial and requires more testing.
  • I triaged libarchive and fixed CVE-2016-10349 and CVE-2016-10350 but decided to postpone the release until more important issues are discovered.
  • DLA-933-1. Issued a security update for roundcube fixing 1 CVE.
  • DLA-936-1. Issued a security update for libtirpc fixing 1 CVE.
  • DLA-937-1. Issued a security update for rpcbind fixing 1 CVE.
  • DLA-938-1. Issued a security update for git fixing 1 CVE.
  • DLA-924-1. Issued a regression update for tomcat7 and fixed bug #861872.
  • DLA-941-1. Issued a security update for squirrelmail fixing 1 CVE.
  • DLA-945-1. Issued a security update for mysql-connector-java fixing 3 CVE.
  • DLA-953-1. Issued a security update for graphicsmagick fixing 1 CVE.
  • DLA-968-1. Issued a security update for libpodofo fixing 10 CVE.
  • DLA-969-1. Issued a security update for tiff fixing 2 CVE.

Misc

  • Nikolaus Rath discovered that adding files to a tar archive with xarchiver would actually delete the existing archive (#862593). The issue occured when the archive name contained shell meta characters which were improperly escaped. While I was trying to find the root cause for this issue Chris Lamb provided an alternative solution to fix this problem.

Thanks for reading and see you next time.

My Free Software Activities in April 2017

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in  Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • I released the final version 2 of debian-games for Stretch, a collection of metapackages that make it easier to install one's favorite games. No surprises here, but two games were removed from Debian and some others didn't make it into Stretch, so an update of the debian/control file was necessary.
  • I could close three RC bugs in ufoai (#860680) and slashem (#860393), thanks to the analysis and help from Bernhard Übelacker, and one in tecnoballz. (#861268)
  • I reviewed and sponsored gnome-games-app and retro-gtk for Jeremy Bicha. The Gnome application is basically a game browser and a unified interface to access various games, engines and emulators.
  • I adopted torcs, a racing car simulator, updated the package to the latest upstream release and completely overhauled the packaging. This is still work in progress but I think I can upload the new version in May.

Debian Java

  • I prepared security updates for bouncycastle, logback, activemq, tomcat 7 and tomcat 8 which were later accepted for Stretch and Jessie.
  • New upstream releases this month: hsqldb and robocode.
  • We had to deal with a weird bug in libnb-platform18-java respectively libjna-jni (#858876). We are still not sure why the JNA system library was not found by Netbeans but we could find a way to resolve it. I took the opportunity to fix another annoying bug in Netbeans and added the missing dependencies for some symlinked system JAR files.
  • Last but not least I made the test results in jnr-posix non-fatal (#860691) until we receive more information from upstream why two tests fail on i386. Since the package is arch:all and completes all tests on amd64 successfully, the RC bug was later marked as "stretch ignore" by the release team.

Debian LTS

This was my fourteenth month as a paid contributor and I have been paid to work 23,75 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 10. April until 16. April I was in charge of our LTS frontdesk. I triaged security issues in wavpack, binutils, tiff, tiff3, imagemagick, wireshark, elfutils, libosip2, feh, freetype, web2py and libplist.
  • DLA-888-1. Issued a security update for logback fixing 1 CVE.
  • DLA-893-1. Issued a security update for bouncycastle fixing 1 CVE.
  • DLA-924-1. Issued a security update for tomcat7 fixing 2 CVE.
  • DLA-900-1. Issued a security update for freetype. Later it was determined that freetype in Wheezy was not affected and the change was reverted.
  • DLA-899-1. Issued a security update for feh fixing 1 CVE.
  • DLA-902-1. Issued a security update for imagemagick fixing 2 CVE.
  • DLA-911-1. Issued a security update for tiff fixing 11 CVE.
  • DLA-912-1. Issued a security update for tiff3 fixing 8 CVE.
  • DLA-913-1. Issued a security update for activemq fixing 1 CVE.
  • DLA-929-1. Issued a security update for libpodofo fixing 7 CVE.

Misc

  • I packaged a new major version of Osmo, a personal organizer and calendar application. It has been completely converted to GTK3 and WebKitGtk2 now.

Thanks for reading and see you next time.

My Free Software Activities in March 2017

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in Android, Java, Games and LTS topics, this might be interesting for you.

Debian Android

  • A new upstream release of apktool was uploaded to experimental.

Debian Games

  • I packaged new upstream releases of megaglest and megaglest-data.
  • I fixed a bug in pangzero (#857474) that crashed the game when someone pressed the pause key. The updated package will be part of Stretch.
  • The severity was inflated and the issue debatable but since it took less time to "fix" bug #857801 in dopewars than writing this sentence, I did it anyway.
  • I fixed bug #857236 and #857845 in holotz-castle. Background: There are various packages in Debian that ship a considerable amount of documentation which is usually a good thing. We always strive to optimize packages and reducing the package size is one option. In the past people thought that symlinking the doc directory of an arch:all (architecture-independent) package to an an arch:any (architecture-dependent) package saves disk space because it is not necessary to duplicate the same content on every architecture. Unfortunately this feature, dh-installdocs --link-doc, is broken by design (#766711) and in its current state not usable for this use case. As a consequence I filed a bug report against tracker.debian.org #857851, asked for an improvement of piuparts' status reports and also filed #857852 against dpkg which was later cloned into #858036 for debhelper. In a nutshell I would like to see better documentation how to use dh-maintscript-helper and *.maintscript files. I also believe it would be nice to simplify the latter by using only one file.

Debian Java

  • I packaged version 5.4 of sweethome3d and added myself to Uploaders and closed two bugs (#854030),(#856769)
  • I fixed an RC bug (#856626) in lucene-solr, more precisely in one of the configuration files of solr-tomcat, a search engine with Tomcat integration, that prevented the server from starting.
  • I am still investigating an RC issue (#857343) in logback. This is a potential security vulnerability that allows remote attackers to execute arbitrary code. My first patch was incomplete and more backported code from the latest upstream release is required. Unfortunately upstream was not very helpful in tracking down the necessary code changes. My question still remains unanswered.
  • Netbeans (#837081): Netbeans has been crashing from time to time. It is not easy to trigger the issue but it is related to libatk-wrapper-java-jni and the Accessibility ToolKit (ATK). I have cloned bug number #837081 as #858700 for now because I don't think it can be fixed in Netbeans.

Debian LTS

This was my thirteenth month as a paid contributor and I have been paid to work 14,75 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 06. March until 13. March I was in charge of our LTS frontdesk. I triaged security issues in qbittorrent, imagemagick, freetype, glibc, vim, suricada, texlive-base, web2py, lxc, r-base, mysql-5.5, partclone, irrsi, wordpress, mupdf and php5.
  • DLA-846-1. Issued a security update for libzip-ruby fixing 1 CVE.
  • DLA-853-1. Issued a security update for pidgin fixing 1 CVE.
  • DLA-855-1. Issued a security update for roundcube fixing 1 CVE.
  • DLA-860-1. Issued a security update for wordpress fixing 3 CVE.
  • DLA-870-1. Issued a security update for libplist fixing 3 CVE.
  • DLA-872-1. Issued a security update for xrdp fixing 1 CVE.
  • DLA-875-1. Issued a security update for php5 fixing 3 CVE.

Misc

  • March 2017 also saw a new version of MediathekView (now in experimental).

Thanks for reading and see you next time.