My Free Software Activities in November 2018

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • This month I packaged a new upstream Git snapshot of performous, a karaoke game, because this seemed to be the quickest route to fix a build failure and RC bug (#914061) with Debian's latest Boost version. We had to overcome some portability issues later (#914667, #914688) and now the only blocker for a migration to testing is GCC-8 itself.
  • I uploaded a new revision of widelands to fix a FTBFS with ICU 63.1 (#913513). The patch was provided by László Böszörményi.
  • I updated the packaging of the following games without making bigger changes, just the normal "grooming": box2d, brainparty, dangen, flatzebra, jester and etw.
  • The latest upstream release 7.1.3 of renpy, a framework for developing visual-novel type games, is available now.
  • Last but not least I backported teeworlds version 0.7.0, a fun action-packed 2D shooter, and its special build system bam to Stretch because the current version 0.6.0 is unable to connect to 0.7.0 servers. Now players should be able to choose between their favorite Teeworlds versions.

Debian Java

Misc

  • I sponsored another update of android-platform-system-core for Kai-Chung Yan. From now on that should be no longer necessary because he is a Debian Developer now. Congratulations!
  • I packaged a new upstream release of https-everywhere, a very useful Firefox/Chromium addon.

Debian LTS

This was my thirty-third month as a paid contributor and I have been paid to work 30 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 19.11.2018 until 25.11.2018 I was in charge of our LTS frontdesk. I investigated and triaged CVE in jasper, gnome-keyring, keepalived, otrs2, gnuplot, gnuplot5, ncurses, sysstat, php5, uw-imap, eclipse and apktool.
  • DLA-1568-1. Issued a security update for curl fixing 5 CVE.
  • DLA-1583-1. Issued a security update for jasper fixing 5 CVE.
  • DLA-1592-1. Issued a security update for otrs2 fixing 2 CVE.
  • DLA-1593-1. Issued a security update for phpbb3 fixing 1 CVE.
  • DLA-1598-1. Issued a security update for ghostscript fixing 4 CVE.
  • DLA-1600-1. Issued a security update for libarchive fixing 12 CVE.
  • DLA-1603-1. Issued a security update for suricata fixing 4 CVE.
  • I reviewed the openssl update which was later released as DLA 1586-1.
  • I also reviewed and sponsored squid3, icecast2 and keepalived for Abhijith PA.

ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 "Wheezy". This was my sixth month and I have been paid to work 15 hours on ELTS.

  • I was in charge of our ELTS frontdesk from 19.11.2018 until 25.11.2018 and I triaged CVE in git, sysstat, suricata, libarchive and jasper.
  • ELA-62-1. Issued a security update for libarchive fixing 3 CVE.
  • ELA-64-1. Issued a security update for suricata fixing 4 CVE.
  • ELA-65-1. Issued a security update for jasper fixing 9 CVE.
  • Since upstream development of jasper has slowed down and many bugs remain without a response, I wrote the patches for CVE-2018-18873, CVE-2018-19539 and CVE-2018-19542 myself. I will look into the remaining issues in December.

Thanks for reading and see you next time.

My Free Software Activities in October 2018

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • Again Yavor Doganov saved the day by porting monster-masher away from obsolete libraries like esound and gconfmm (RC, #848052, #856086, #885037). I reviewed and sponsored the package for him again.
  • Gürkan Myczko prepared a new upstream version of greed, a classic text-console game. I provided a desktop icon and sponsored the upload.
  • Several games failed to build from source because freetype-config is gone and pkg-config must be used from now on. That required RC bug fixes in asc (#887600), brutalchess (#892337, patch by Reiner Herrmann), cube2font (#892330, patch by Reiner Herrmann with additional updates by Martin Erik Werner) and scorched3d (#892434, patch by Adrian Bunk).
  • I packaged new upstream versions of pcsx2, a Playstation 2 emulator, to fix RC bug #907411, also pygame-sdl2, renpy and bzflag.
  • I refreshed the packaging of abe, asc-music, amoebax, angrydd, airstrike, burgerspace, berusky2 and berusky-data.
  • Dima Kogan approached me about improving the current Bullet packaging and provided patches to build the double-precision library versions too. Bullet is a state-of-the-art C++ library for 3D collision detection, soft body and rigid body dynamics. I once introduced it to Debian because it was a required build-dependency of freeorion. Nowadays it powers several scientific applications. I still maintain it because I think it is a very useful library, e.g. used among others by openrobotics.
  • I spent most of the time this month on updating Teeworlds. Since I run a Teeworlds server myself I discovered a remote denial-of-service vulnerability first hand. Of course my server was not the only target and the upstream developers had already released a fix. But I only became aware of it by chance. So I requested CVE-2018-18541, packaged the latest upstream release 0.7.0 and also prepared a security update for Stretch, released as DSA-4329-1.
  • Last but not least I sponsored a new game created and prepared by Gerardo Ballabio called galois. It is a tetris-like game with special features like 3D and different brick shapes. It is currently waiting in the NEW queue.

Debian Java

Misc

  • I sponsored android-platform-system-core for Kai-Chung Yan and did a non-maintainer upload for eboard, a chess client to fix RC bug #893167. I forwarded some patches and I hope we will see another upstream release in the near future that addresses some issues.
  • I packaged a new upstream release of ublock-origin.

Debian LTS

This was my thirty-second month as a paid contributor and I have been paid to work 30 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 08.10.2018 until 14.10.2018 and 29.10.2018 until 4.11.2018 I was in charge of our LTS frontdesk. I investigated and triaged CVE in gnulib, otrs2, tcpreplay, net-snmp, ghostscript, paramiko, pyopenssl, qpdf, requests, glassfish, imagemagick, tomcat8, tomcat7, moin, glusterfs, mono, tiff, systemd, network-manager, shellinabox, openssl, curl, squid3, icecast2, sdl-image1.2, libsdl2-image, mkvtoolnix, libapache-mod-jk, mariadb-10.0, mysql-connector-java and jasper.
  • There was a problem with our list manager and some announcements could not be preserved.
  • DLA-1535-1. Issued a security update for php-horde fixing 1 CVE.
  • DLA-1536-1. Issued a security update for php-horde-core fixing 1 CVE.
  • DLA-1537-1. Issued a security update for php-horde-kronolith fixing 1 CVE.
  • DLA-1540-1. Issued a security update for net-snmp fixing 1 CVE.
  • DLA-1543-1. Issued a security update for gnulib fixing 1 CVE.
  • DLA-1544-1. Issued a security update for tomcat7 fixing 1 CVE.
  • DLA-1545-1. Issued a security update for tomcat8 fixing 1 CVE.
  • DLA-1546-1. Issued a security update for moin fixing 1 CVE.
  • DLA-1552-1. Issued a security update for ghostscript fixing 3 CVE.
  • DLA-1564-1. Issued a security update for mono fixing 1 CVE.
  • DLA-1565-1. Issued a security update for glusterfs fixing 5 CVE.

ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 "Wheezy". This was my fifth month and I have been paid to work 15 hours on ELTS.

  • I was in charge of our ELTS frontdesk from 15.10.2018 until 21.10.2018 and I triaged CVE in chromium-browser, ghostscript, openexr, unzip, virtualbox, elfutils, liblivemedia, exiv2, movabletype-opensource, qemu, qemu-kvm, tiff and tcpreplay.
  • ELA-50-1. Issued a security update for linux fixing 34 CVE.
  • ELA-51-1. Issued a security update for tomcat7 fixing 1 CVE.
  • ELA-54-1. Issued a security update for curl fixing 1 CVE.
  • ELA-55-1. Issued a security update for firmware-nonfree fixing 8 CVE.

Thanks for reading and see you next time.

My Free Software Activities in September 2018

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • Yavor Doganov continued his heroics in September and completed the port to GTK 3 of teg, a risk-like game. (#907834) Then he went on to fix gnome-breakout.
  • I packaged a new upstream release of freesweep, a minesweeper game, which fixed some minor bugs but unfortunately not #907750.
  • I spent most of the time this month on packaging a newer upstream version of unknown-horizons, a strategy game similar to the old Anno games. After also upgrading the fife engine, fifechan and NMUing python-enet, the game is up-to-date again.
  • More new upstream versions this month: atomix, springlobby, pygame-sdl2, and renpy.
  • I updated widelands to fix an incomplete appdata file (#857644) and to make the desktop icon visible again.
  • I enabled gconf support in morris (#908611) again because gconf will be supported in Buster.
  • Drascula, a classic adventure game, refused to start because of changes to the ScummVM engine. It is working now. (#908864)
  • In other news I backported freeorion to Stretch and sponsored a new version of the runescape wrapper for Carlos Donizete Froes.

Debian Java

  • Only late in September I found the time to work on JavaFX but by then Emmanuel Bourg had already done most of the work and upgraded OpenJFX to version 11. We now have a couple of broken packages (again) because JavaFX is no longer tied to the JRE but is designed more like a library. Since most projects still cling to JavaFX 8 we have to fix several build systems by accommodating those new circumstances. Surely there will be more to report next month.
  • An Ubuntu user reported that importing furniture libraries was no longer possible in sweethome3d (LP: #1773532) when it is run with OpenJDK 10. Although upstream is more interested in supporting Java 6, another user found a fix which I could apply too.
  • New upstream versions this month: jboss-modules, libtwelvemonkeys-java, robocode, apktool, activemq (RC #907688), cup and jflex. The cup/jflex update required a careful order of uploads because both packages depend on each other. After I confirmed that all reverse-dependencies worked as expected, both parsers are up-to-date again.
  • I submitted two point updates for dom4j and tomcat-native to fix several security issues in Stretch.

Misc

  • Firefox 60 landed in Stretch which broke all xul-* based browser plugins. I thought it made sense to backport at least two popular addons, ublock-origin and https-everywhere, to Stretch.
  • I also prepared another security update for discount (DSA-4293-1) and uploaded libx11 to Stretch to fix three open CVE.

Debian LTS

This was my thirty-first month as a paid contributor and I have been paid to work 29,25 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 24.09.2018 until 30.09.2018 I was in charge of our LTS frontdesk. I investigated and triaged CVE in dom4j, otrs2, strongswan, python2.7, udisks2, asterisk, php-horde, php-horde-core, php-horde-kronolith, binutils, jasperreports, monitoring-plugins, percona-xtrabackup, poppler, jekyll and golang-go.net-dev.
  • DLA-1499-1. Issued a security update for discount fixing 4 CVE.
  • DLA-1504-1. Issued a security update for ghostscript fixing 14 CVE.
  • DLA-1506-1. Announced a security update for intel-microcode.
  • DLA-1507-1. Issued a security update for libapache2-mod-perl2 fixing 1 CVE.
  • DLA-1510-1. Issued a security update for glusterfs fixing 11 CVE.
  • DLA-1511-1. Issued an update for reportbug.
  • DLA-1513-1. Issued a security update for openafs fixing 3 CVE.
  • DLA-1517-1. Issued a security update for dom4j fixing 1 CVE.
  • DLA-1523-1. Issued a security update for asterisk fixing 1 CVE.
  • DLA-1527-1 and DLA-1527-2. Issued a security update for ghostscript fixing 2 CVE and corrected an incomplete fix for CVE-2018-16543 later.
  • I reviewed and uploaded strongswan and otrs2 for Abhijith PA.

ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 "Wheezy". This was my fourth month and I have been paid to work 15 hours on ELTS.

  • I was in charge of our ELTS frontdesk from 10.09.2018 until 16.09.2018 and I triaged CVE in samba, activemq, chromium-browser, curl, dom4j, ghostscript, firefox-esr, elfutils, gitolite, glib2.0, glusterfs, imagemagick, lcms2, lcms, jhead, libpodofo, libtasn1-3, mgetty, opensc, openafs, okular, php5, smarty3, radare, sympa, wireshark, zsh, zziplib and intel-microcode.
  • ELA-35-1. Issued a security update for samba fixing 1 CVE.
  • ELA-36-1. Issued a security update for curl fixing 1 CVE.
  • ELA-37-2. Issued a regression update for openssh.
  • ELA-39-1. Issued a security update for intel-microcode addressing 6 CVE.
  • ELA-42-1. Issued a security update for libapache2-mod-perl2 fixing 1 CVE.
  • ELA-45-1. Issued a security update for dom4j fixing 1 CVE.
  • I started to work on a security update for the Linux kernel which will be released shortly.

Thanks for reading and see you next time.

My Free Software Activities in August 2018

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • Really good news this month as Yavor Doganov provided patches for gamazons (#885735), gnomekiss (#885740) and teg (#885751) which all depended on obsolete GNOME 2 libraries. He succeeded in porting them to GooCanvas and GNOME 3. We are currently aware of some issues in Teg (#907834) and would appreciate more feedback from game testers. In any case this was a non-trivial feat and many thanks go to Yavor who prevented the removal of three games from Debian.
  • I applied a patch from Adrian Bunk which made FreeOrion (#906746) more portable and packaged the latest and greatest release 0.4.8 later.
  • I fixed a broken start script in FreeCol due to OpenJDK 10 changes. (#907661)
  • The Spring RTS engine was affected by a GCC-8 RC bug. (#906409)
  • I backported FreeCiv 2.6.0 to Stretch.
  • I updated some games to the latest standards in Debian, made some minor changes and applied patches to fix FTCBFS bugs or build failures due to a missing libm library. Those issues were solved in tenmado, supertransball2 (#902537), seahorse-adventures, empire (#900197), phlipple (#907207) and ace-of-penguins (#900200).
  • I sponsored mupen64plus-qt for Dan Hastings.

Debian Java

Misc

Debian LTS

This was my thirtieth month as a paid contributor and I have been paid to work 23,75 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 13.08.2018 until 19.08.2018 and from 27.08.2018 until 02.09.2018 I was in charge of our LTS frontdesk. I investigated and triaged CVE in intel-microcode, bind9, confuse, libykneomgr, mp4v2, gdm3, wesnoth-1.10, ruby-zip, otrs2, mathjax, mono, tcpflow, bluez, openssh, mariadb-10.0, tomcat-native, wordpress, thunderbird, spice, spice-gtk, libextractor, postgresql-9.1, libcgroup, zutils, soundtouch, squirrelmail, git-annex, ghostscript, libpgjava, elfutils, libpodofo, libtirpc, libxkbcommon, libtasn1-6, cinder, 389-ds-base, wireshark, php5, libzypp, imagemagick, kfreebsd-10, tiff, discount and polarssl.
  • DLA-1467-1. Issued a security update for ruby-zip fixing 1 CVE.
  • I worked on gdm3 to fix CVE-2018-14424. I backported the patch to Jessie but could still trigger a session restart with the POC. Since there is no crash and the session is completely restored, we believe now that this is the intended behavior. I also tried to contact Chris Coulson, the original bug reporter, for further advice but have not received a reply yet. If we don't discover another issue we will release a DLA for gdm3 in September.
  • DLA-1472-1. Issued a security update for libcgroup fixing 1 CVE.
  • DLA-1473-1. Issued a security update for otrs2 fixing 1 CVE.
  • DLA-1482-1. Issued a security update for libx11 fixing 3 CVE.
  • DLA-1475-1. Issued a security update for tomcat-native fixing 2 CVE.
  • I am still working on a security update for ghostscript. I have already backported the majority of patches to Jessie to fix a serious sandboxing issue with the -dSAFER mode. More patches are required to fix the problem and only yesterday more CVE were assigned to them.

ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 "Wheezy". This was my third month and I have been paid to work 12 hours on ELTS.

  • I was in charge of our ELTS frontdesk from 13.08.2018 until 19.08.2018 and I triaged CVE in intel-microcode, azureus, gdm3, couchdb, lxc, squirrelmail, wordpress, wpa, xen, tomcat7, firmware-nonfree, postgresql-9.1, apache2, bluez, dojo, libcommons-compress-java, spice, spice-gtk, tomcat-native, libcgroup, libx11 and samba.
  • ELA-21-1. Issued a security update for openssl fixing 1 CVE.
  • ELA-27-1. Issued a security update for tomcat7 fixing 1 CVE.
  • ELA-28-1. Issued a security update for tomcat-native fixing 2 CVE.
  • ELA-20-2. Issued a regression update for busybox.
  • ELA-29-1. Issued a security update for postgresql-9.1 fixing 1 CVE.
  • ELA-30-1. Issued a security update for libx11 fixing 3 CVE.

Thanks for reading and see you next time.

wiki.debian.org: The Java Packaging Guide

Good things come to those who wait. I always wanted to improve our Java Packaging documentation a little. When I started to contribute to Debian Java in 2012, I often struggled to find the right information and examples that would explain how I could package my own libraries or applications for Debian. After six years of trial and error and helpful advice on the debian-java mailing list, I figured it would be time to document this journey.
At DebConf 2018 in Hsinchu I began to work on updating the wiki documentation. The current status of this work will always be visible at:

https://wiki.debian.org/Java/Packaging


My basic idea was to explain packaging by examples. I didn't assume that everyone was already familiar with the Java basics and more often than not people end up packaging Java software because it is part of their job or an application supports more than one programming language. Otherwise it is a book of seven seals.


The first thing to know is that Java compiles to bytecode, so that *.java source files become *.class files. Those files are usually packed together in a zip-based archive, et voilà, now we have *.jar files. To compile your source code into bytecode you need the Java Virtual Machine provided by OpenJDK. Learn what the CLASSPATH and a MANIFEST file are and you are good to go. This is what the Java Packaging 101 is all about.


If you grok the basics you will easily understand the next section: NoBuildSystem
Despite the fact that some upstream projects come without a proper build system, they are often very simple to compile. Instead of one or two source files, you just have to compile dozens in one single directory. We have a Java helper tool called... Javahelper that does exactly that for you. A good start is to read the docs at /usr/share/doc/javahelper/tutorial.txt.gz also replicated here.


Of course the Java world has invented the most powerful build systems in existence that are even able to bend light and can throw galaxies around. Let's welcome Ant, Maven and Gradle. Everything else is irrelevant but don't trust me.
If you can choose we recommend using either Ant or Maven. Gradle is packaged for Debian but is more difficult to tame because every upstream project looks different. On the contrary Maven follows conventions and every project looks very similar.
Last but not least there is also a Java Packaging FAQ.


Shouldn't there be more examples and much more information? I'd love that. Please help us to improve the documentation. If you think there is currently something missing, please contact us at debian-java@lists.debian.org or just update the documentation. It's a Wiki!

My Free Software Activities in July 2018

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in Java, Games and LTS topics, this might be interesting for you.

DebConf18 in Hsinchu/Taiwan

  • This year the annual Debian Conference took place in the city of Hsinchu/Taiwan. I was there from the 26th of July to the 6th of August. I enjoyed almost two weeks of hacking and talks and met more than a few nice people. I gave an updated talk about the current status of Debian Games and started a project to improve our Java packaging documentation (more about that in the next blog post).
  • DebConf18 wasn't all about talking. I actually got some work done. I started with wbar (RC #897885) and lwjgl (RC #893302). I hope we still don't need OpenJDK 8 in buster for building packages but I don't think it would be the end of the world as long as we can avoid a runtime dependency. However it is clear that this only prolongs the inevitable. In libpdfbox2-java I could close (#899183) after I made sure that the last update corrected the problem. In the same vein I triaged an RC bug in asc after it became clear that asc was not affected by the GCC-8 transition.
  • I had a go at libjide-oss-java (RC, #897491). So basically the package won't compile with OpenJDK 10 and later anymore because it depends on classes that were removed from the JDK. Fortunately for us they were only Windows-specific, so I could just remove the non-building classes. I hope there will be a better upstream solution in the future.
  • I sponsored updates for cutemaze, connectagram and tanglet for Innocent de Marchi.
  • I packaged new upstream releases of several games and Java packages too and also released an update of debian-games, a Blend and collection of metapackages. New versions this month: libokhttp-java, okio, blockattack, peg-e, hexalate, robocode, freeorion, hyperrogue and freeciv.
  • I released a small bug fix release for marsshooter and hopefully made some KDE users happy.
  • Thanks to Reiner Herrmann, love and mrrescue are up-to-date again and free of RC bugs!
  • I NMUed bomberclone and fixed/worked around a simple RC bug.
  • Some guys talked me into maintaining https-everywhere, ublock-origin and privacybadger. 😉
  • One of the best aspects of any conference is that you can just talk to someone who sits at the same table as you if you want to solve a problem. Together with Andreas Tille I could finally solve a packaging issue in pilon, which uses Scala. It would still be nice to have a working sbt build tool in Debian though.
  • What can you say about Taiwan? I was impressed by the friendly people at the airport and railway stations who guided you along the way to Hsinchu and helped you out in case you struggled for directions. I have also learned on our day trip that you can just enter a police station to refill your water bottles. Those cold water producing machines are absolute lifesavers. Although I could only visit a small part of Taiwan and see Hsinchu and Taipei, I hope there will be a next time. Aah, and the weather was warm and humid. A bit too humid for my taste perhaps but I got used to it. Looking forward to how it feels in spring or autumn. A big thanks goes out to all the people who organized and sponsored this DebConf. It was more than a pleasure.

Debian Java

Debian Games

  • Most exciting things happened at DebConf18 but before that I sponsored a new simutrans version, prepared by Jörg Frings-Fürst. Enjoy.

Debian LTS

This was my twenty-ninth month as a paid contributor and I have been paid to work 30 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 09.07.2018 until 15.07.2018 I was in charge of our LTS frontdesk. I investigated and triaged CVE in mailman, ruby-sprockets, beep, audiofile, gpac, libarchive-zip-perl, libgit2, znc, ant, ceph, xapian-core, wine, radare2, policykit-1 and taglib.
  • DLA-1440-1. Issued a security update for libarchive-zip-perl fixing 1 CVE.
  • DLA-1441-1. Issued a security update for sympa fixing 1 CVE.
  • DLA-1442-1. Issued a security update for mailman fixing 2 CVE. (also DLA-1442-2)
  • DLA-1445-1. Issued a security update for busybox fixing 10 CVE. Two regressions were discovered later and addressed in DLA-1445-2 and DLA-1445-3.
  • DLA-1446-1. Issued a security update for intel-microcode fixing 2 CVE.
  • DLA-1449-1. Issued a security update for openssl fixing 2 CVE.
  • DLA-1452-1. Issued a security update for wordpress fixing 2 CVE.
  • DLA-1453-1. Issued a security update for tomcat7 fixing 1 CVE.
  • DLA-1465-1. Issued a security update for blender fixing 21 CVE.

ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 "Wheezy". This was my second month and I have been paid to work 11.75 hours on ELTS.

  • ELA-16-1. Issued a security update for tiff fixing 1 CVE.
  • ELA-17-1. Issued a security update for linux 3.16 fixing 13 CVE.
  • ELA-18-1. Issued a security update for intel-microcode fixing 3 CVE.
  • ELA-19-1. Issued a security update for tiff3 fixing 2 CVE.
  • ELA-20-1. Issued a security update for busybox fixing 10 CVE.
  • I investigated open issues in apache2 and found out that it was not affected by CVE-2018-1333 and CVE-2018-8011.
  • I was in charge of our ELTS frontdesk from 09.07.2018 until 15.07.2018 and triaged further CVE in audiofile, libsndfile, curl, couchdb, policykit-1, bouncycastle and cups.

Thanks for reading and see you next time.

My Free Software Activities in June 2018

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • I advocated Phil Morrell to become Debian Maintainer with whom I have previously worked together on corsix-th. This month I sponsored his updates for scorched3d and the new play.it package, an installer for drm-free commercial games. Play.it is basically a collection of shell scripts that create a wrapper around games from gog.com or Steam and put them into a Debian package which is then seamlessly integrated into the user's system. Similar software are game-data-packager, playonlinux or lutris (not yet in Debian).
  • I packaged new upstream releases of blockattack, renpy, atomix and minetest, and also backported Minetest version 0.4.17.1 to Stretch later on.
  • I uploaded RC bug fixes from Peter de Wachter for torus-trooper, tumiki-fighters and val-and-rick and moved the packages to Git.
  • I tackled an RC bug (#897548) in yabause, a Saturn emulator.
  • I sponsored connectagram, cutemaze and tanglet updates for Innocent de Marchi.
  • Last but not least I refreshed the packaging of trophy and sauerbraten which had not seen any updates for the last couple of years.

Debian Java

  • I packaged a new upstream release of activemq and could later address #901366 thanks to a bug report by Chris Donoghue.
  • I also packaged upstream releases of bouncycastle, libpdfbox-java, libpdfbox2-java because of reported security vulnerabilities.
  • I investigated and fixed RC bugs in openjpa (#901045), osgi-foundation-ee (#893382) and ditaa (#897494, Java 10 related).
  • A snakeyaml update introduced a regression in apktool (#902666) which was only visible at runtime. Once known I could fix it.
  • I worked on Netbeans again. It can be built from source now but there is still a runtime error (#891957) that prevents users from starting the application. The current plan is to package the latest release candidate of Netbeans 9 and move forward.

Debian LTS

This was my twenty-eighth month as a paid contributor and I have been paid to work 23,75 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 18.06.2018 until 24.06.2018 I was in charge of our LTS frontdesk. I investigated and triaged CVE in jasperreports, 389-ds-base, asterisk, lava-server, libidn, php-horde-image, tomcat8, thunderbird, glusterfs, ansible, mercurial, php5, jquery, redis, redmine, libspring-java, php-horde-crypt, mupdf, binutils, jetty9 and libpdfbox-java.
  • DSA-4221-1. Issued a security update for libvncserver fixing 1 CVE.
  • DLA-1398-1. Issued a security update for php-horde-crypt fixing 2 CVE.
  • DLA-1399-1. Issued a security update for ruby-passenger fixing 2 CVE.
  • DLA-1411-1. Issued a security update for tiff fixing 5 CVE.
  • DLA-1410-1. Issued a security update for python-pysaml fixing 2 CVE.
  • DLA-1418-1. Issued a security update for bouncycastle fixing 7 CVE.

ELTS

Extended Long Term Support (ELTS) is a new project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 "Wheezy". This was my first month and I have been paid to work 7 hours on ELTS.

  • ELA-1-1. Issued a security update for Git fixing 1 CVE.
  • ELA-8-1. Issued a security update for ruby-passenger fixing 1 CVE.
  • ELA-14-1. Backported the Linux 3.16 kernel from Jessie to Wheezy. This update also included backports of initramfs-tools and the linux-latest source package. The new kernel is available for amd64 and i386 architectures.

Misc

  • I prepared security updates for libvncserver (Stretch, DSA-4221-1 and Sid) and bouncycastle (Stretch, DSA-4233-1).

Thanks for reading and see you next time.

My Free Software Activities in May 2018

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

Debian Java

Debian LTS

This was my twenty-seventh month as a paid contributor and I have been paid to work 24,25 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 21.05.2018 until 27.05.2018 I was in charge of our LTS frontdesk. I investigated and triaged CVE in glusterfs, tomcat7, zookeeper, imagemagick, strongswan, radare2, batik, mupdf and graphicsmagick.
  • I drafted an announcement for Wheezy's EOL that was later released as DLA-1393-1 and as an official Debian news.
  • DLA-1384-1. I reviewed and uploaded xdg-utils for Abhijith PA.
  • DLA-1381-1. Issued a security update for imagemagick/Wheezy fixing 3 CVE.
  • DLA-1385-1. Issued a security update for batik/Wheezy fixing 1 CVE.
  • Prepared a backport of Tomcat 7.0.88 for Jessie which fixes all open CVE (5) in Jessie. From now on we intend to provide the latest upstream releases for a specific Tomcat branch. We hope this will improve the user experience. It also allows Debian users to get more help from Tomcat developers directly because there is no significant Debian specific delta anymore. The update is pending review by the security team.
  • Prepared a security update for graphicsmagick fixing 19 CVE. I also investigated CVE-2017-10794 and CVE-2017-17913 and came to the conclusion that the Jessie version is not affected. I merged and reviewed another update by László Böszörményi. At the moment the update is pending review by the security team. Together these updates will fix the most important issues in Graphicsmagick/Jessie.
  • DSA-4214-1. Prepared a security update for zookeeper fixing 1 CVE.
  • DSA-4215-1. Prepared a security update for batik/Jessie fixing 1 CVE.
  • Prepared a security update for memcached in Jessie and Stretch fixing 2 CVE. This update is also pending review by the security team.
  • Finished the security update for JRuby (Jessie and Stretch) fixing 5 and 7 CVE respectively. However, we discovered that JRuby fails to build from source in Jessie and a fix or workaround will most likely break reverse-dependencies. Thus we have decided to mark JRuby as end-of-life in Jessie, also because the version is already eight years old.

Misc

  • I reviewed and sponsored xtrkcad for Jörg Frings-Fürst.

Thanks for reading and see you next time.

My Free Software Activities in April 2018

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • I adopted childsplay, a suite of educational games for young children. I triaged all open bugs and thanks to a very responsive upstream developer the game is back in testing again now.
  • I did a QA upload for pax-britannica to fix #825673 and #718884 and updated the packaging.
  • In the same vein I did two NMUs for animals and acm and fixed RC bugs #875547 and #889530. Later I contacted the release team to get the fix for animals into Stretch too.
  • I packaged new upstream releases of extremetuxracer, adonthell, renpy and pygame-sdl2.
  • I sponsored and reviewed new versions of tanglet, connectagram and cutemaze for Innocent de Marchi.
  • I released version 2.3 of debian-games, a collection of metapackages to make it easier to find and install certain types of games.
  • I backported the latest release of freeciv to Stretch.
  • Finally I could resolve the RC bugs in morris and grhino and both games are part of Buster again.

Debian Java

Debian LTS

This was my twenty-sixth month as a paid contributor and I have been paid to work 16,25 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 16.04.2018 until 22.04.2018 I was in charge of our LTS frontdesk. I investigated and triaged CVE in bouncycastle, jruby, typo3-src, imagemagick, pegl, ocaml, radare2, movabletype-opensource, cacti, ghostscript, glusterfs, jasperreports, xulrunner, phpmyadmin, gunicorn, psensor, nasm and lucene-solr.
  • DLA-1352-1. Issued a security update for jruby fixing 1 CVE.
  • DLA-1361-1. Issued a security update for psensor fixing 1 CVE.
  • DLA-1363-1. Issued a security update for ghostscript fixing 1 CVE.
  • DLA-1366-1. Issued a security update for wordpress fixing 2 CVE.
  • DSA-4190-1. Prepared the security update for jackson-databind in Jessie fixing 1 CVE.
  • DSA-4194-1. Prepared the security update for lucene-solr in Jessie fixing 1 CVE.
  • Prepared a security update for imagemagick in Jessie fixing 8 CVE. At the moment it is pending review by the security team and will be released soon.
  • Prepared and uploaded a point-update for faad2 in Jessie and Stretch that addresses 11 security vulnerabilities. (#897369)
  • Prepared a security update for php5 in Wheezy. This one will be released soon. (DLA-1373-1)

Misc

  • I filed wishlist bugs against tracker.debian.org (#897225 and #897227) and requested a feature to allow users to override certain metainformation like VCS-URLs. In the past years we changed VCS addresses multiple times which always requires a source upload. In my opinion this is a design flaw and highly inefficient and such a change in tracker would make it possible to drop the fields from our team maintained packages.

Thanks for reading and see you next time.

My Free Software Activities in March 2018

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

Debian Java

  • I spent most of my free time on Java packages because... OpenJDK 9 is now the default Java runtime environment in Debian! As of today I count 319 RC bugs (bugs with severity normal would be serious today as well) of which 227 are already resolved. That means one third of the Java team's packages have to be adjusted for the new OpenJDK version. Java 9 comes with a new module system called Jigsaw. Undoubtedly it represents a lot of new interesting ideas but it is also a major paradigm shift. For us mere packagers it means more work than any other version upgrade in the past. Let's say we are a handful of regular contributors (I'm generous) and we spend most of our time stabilizing the Java ecosystem in Debian to the point that we can build all of our packages again. Repeat for every new Debian release. Unfortunately not much time is actually spent on packaging new and cool applications or libraries unless they are strictly required to fix a specific Java 9 issue. It just doesn't feel right at the moment. Most upstreams are rather indifferent or relaxed when it comes to porting their applications to Java 9 because they still can use Java 8, so why can't we? They don't have to provide security support for five years and can make the switch to Java 9 much later. They can also cherry-pick certain versions of libraries whereas we have to ensure that everything works with one specific version of a library. But that's not all: Java 9 will not be shipped with Buster and we even aim for OpenJDK 11! Releases of OpenJDK will be more frequent from now on, expect a new release every six months, and there are certain versions which will receive extended security support like OpenJDK 11. One thing we can look forward to: Apparently more commercial features of Oracle JDK will be merged into OpenJDK and it appears the long-term goal is to make Oracle JDK and OpenJDK builds completely interchangeable. So maybe one day only one free software JDK for everything and everyone? I hope so.
  • I worked on the following packages to address Java 9 or other bugs: activemq, snakeyaml, libjchart2d-java, jackson-dataformat-yaml, jboss-threads, jboss-logmanager, jboss-logging-tools, qdox2, wildfly-common, activemq-activeio, jackson-datatype-joda, antlr, axis, libitext5-java, libitext1-java, libitext-java, jedit, conversant-disruptor, beansbinding, cglib, undertow, entagged, jackson-databind, libslf4j-java, proguard, libhtmlparser-java, libjackson-json-java and sweethome3d (patch by Emmanuel Bourg).
  • New upstream versions: jboss-threads, okio, libokhttp-java, snakeyaml, robocode.
  • I NMUed jtb and applied a patch from Tiago Stürmer Daitx.

Debian LTS

This was my twenty-fifth month as a paid contributor and I have been paid to work 23,25 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 19.03.2018 until 25.03.2018 I was in charge of our LTS frontdesk. I investigated and triaged CVE in imagemagick, libvirt, freeplane, exempi, calibre, gpac, ipython, binutils, libraw, memcached, mosquitto, sdl-image1.2, slurm-llnl, graphicsmagick, libslf4j-java, radare2, sam2p, net-snmp, apache2, ldap-account-manager, librelp, ruby-rack-protection, libvncserver, zsh and xerces-c.
  • DLA-1310-1. Issued a security update for exempi fixing 6 CVE.
  • DLA-1315-1. Issued a security update for libvirt fixing 2 CVE.
  • DLA-1316-1. Issued a security update for freeplane fixing 1 CVE.
  • DLA-1322-1. Issued a security update for graphicsmagick fixing 6 CVE.
  • DLA-1325-1. Issued a security update for drupal7 fixing 1 CVE.
  • DLA-1326-1. Issued a security update for php5 fixing 1 CVE.
  • DLA-1328-1. Issued a security update for xerces-c fixing 1 CVE.
  • DLA-1335-1. Issued a security update for zsh fixing 2 CVE.
  • DLA-1340-1. Issued a security update for sam2p fixing 5 CVE. I also prepared a security update for Jessie. (#895144)
  • DLA-1341-1. Issued a security update for sdl-image1.2 fixing 6 CVE.

Misc

  • I triaged all open bugs in imlib2 and forwarded the issues upstream. The current developer of imlib2 was very responsive and helpful. Thanks to Kim Woelders several longstanding bugs could be fixed.
  • There was also a new upstream release for xarchiver. Check it out!

Thanks for reading and see you next time.