My Free Software Activities in July 2016

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian.

Debian Android

Debian Games

  • This month GCC-6 bugs became release critical. I fixed and triaged those kinds of bugs in games like supertransball2, berusky2, freeorion, bloboats, armagetronad and megaglest.
  • I packaged new upstream releases of scorched3d, bzflag, spring, springlobby, freeorion, freeciv and extremetuxracer.
  • Freeciv, one of the best strategy games ever by the way, also got a new binary package freeciv-client-gtk3. This package will eventually become the new default client to play the game in the future. You are welcome to test it.
  • I packaged a new upstream release of adonthell and adonthell-data. This game is built with Python 3 and SDL 2 now and also uses the latest version of swig to generate its sources. We will probably see only one other future upstream release of adonthell because the main developer has decided to move on after more than 15 years of development.
  • I fixed another RC bug in minetest, updated whichwayisup for this release cycle and moved the package to Git.

Debian Java

Debian LTS

This was my sixth month as a paid contributor and I have been paid to work 14.7 hours on Debian LTS. In that time I did the following:

  • DLA-554-1. I spent most of the time this month on completing my work on libarchive. I issued DLA-554-1 and fixed 18 CVEs plus another issue which was later assigned CVE-2016-6250.
  • DLA-555-1. Issued a security update for python-django fixing 1 CVE.
  • DLA-561-1. Issued a security update for uclibc fixing 3 CVEs.
  • DLA-562-1. Issued a security update for gosa fixing 1 CVE. I could triage another open CVE as not-affected after confirming that the issue had already been fixed two years ago.
  • DLA-568-1. Issued a security update for wordpress fixing 6 CVEs. I decided to go ahead with this update because I could not find any regressions. Unfortunately this wasn't true for my intended fix for CVE-2015-8834. The database upgrade did not succeed, hence I decided to postpone the fix for CVE-2015-8834 until we can narrow down the issue.
  • DLA-576-1. Issued a security update for libdbd-mysql-perl fixing 2 CVEs.
  • From 4 July to 10 July I was in charge of our LTS frontdesk. I triaged CVEs in librsvg, bind9, trn, pdns and drupal7 and answered questions on the debian-lts mailing list.

Misc and QA

  • I fixed another GCC-6 bug in wbar, a light and fast launch bar.
  • Childsplay and gvrng were orphaned last month. I updated both of them, fixed the RC bug in childsplay (non-free font) and moved the packages to the Debian QA Group.

My Free Software Activities in June 2016

My monthly report covers what I have been doing for Debian. I write it for Debian's Long Term Support sponsors but also for the wider free software community in the hope that it might inspire people to get more involved with Debian or free software in general.

Debian Android

Debian Games

  • I packaged CaveExpress and CavePacker for Debian. CaveExpress is a remake of the old Amiga classic Ugh! In this game you control a pedal-powered flying machine and pick up packages from your clients. An interesting aspect of CaveExpress is its physics-based gameplay. The packages must be delivered to a collection point and their movement is quite realistic thanks to the excellent Box2d physics engine. The other game, CavePacker, based on the same engine as CaveExpress is a Sokoban-like game. Both games feature dozens of levels and if you have nothing better to do, you should definitely check them out.
  • This month I also packaged a new upstream release of Netpanzer. Apparently there is new upstream activity.
  • Blockattack 2.0 was released and is now available in Debian.
  • I also updated the following packages: kball, pathogen, ceferino, slimevolley, pangzero and airstrike.
  • I adopted abe, berusky and berusky-data, updated the packages to use modern debian helpers and also packaged version 1.7 of berusky, a great Sokoban-like game by the way.
  • June also saw a new release of debian-games, several metapackages that make it much easier to install a subset of games or even the finest.
  • I sponsored RC-bug fixes for parsec47, tumiki-fighters, mu-cade and tatan all prepared by Peter De Wachter who keeps our D (yes, that's a language) games alive. But we will face more issues in the post Stretch future. Apparently the D language people intend to remove parts of their API and of course all our D-based games are affected. Peter has announced more information about that. I think all these games are pretty unique and real gems. If you know a little D and want to help out, please get involved.

Debian Java

Debian LTS

This was my fifth month as a paid contributor and I have been paid to work 19.75 hours on Debian LTS. In that time I did the following:

  • DLA-501-1. Salvatore Bonaccorso from Debian's Security Team discovered that the original fix for CVE-2015-7552 (DLA-450-1) was incomplete. I prepared and uploaded a new revision of gdk-pixbuf and issued the DLA.
  • DLA-502-1. Issued a security update for graphicsmagick fixing 1 CVE.
  • DLA-504-1. Issued a security update for libxstream-java fixing 1 CVE which was prepared by Emmanuel Bourg.
  • DLA-505-1. Issued a security update for libpdfbox-java fixing 1 CVE.
  • DLA-508-1. Issued a security update for expat fixing 2 CVEs.
  • DLA-511-1. Issued a security update for libtorrent-rasterbar fixing 1 CVE.
  • DLA-526-1. Issued a security update for mysql-connector-java fixing 1 CVE. I also prepared the update for Jessie which is still pending to be reviewed by the Security Team.
  • DLA-528-1. Issued a security update for libcommons-fileupload-java fixing 1 CVE.
  • DLA-529-1. Issued a security update for tomcat7 fixing 1 CVE.
  • DLA-530-1. As previously announced I switched the default Java implementation from OpenJDK 6 to OpenJDK 7.
  • DLA-537-1. Issued a security update for roundcube fixing 1 CVE. I triaged CVE-2016-5103, CVE-2015-2180 and CVE-2015-2181 and marked them as "not-vulnerable".
  • I triaged 22 CVEs for libarchive and marked two of them as "not-vulnerable". You can find my preliminary work for libarchive on the wheezy branch in Debian's git repository. I expect a security update very soon.
  • From 13 June to 19 June I was responsible for Wheezy's LTS frontdesk. It was a rather calm week on the debian-lts mailing list and in our IRC channel. I triaged CVE-2016-4970 (netty), CVE-2016-3189 (bzip2), CVE-2016-1621 (libvpx) and CVE-2016-4493, CVE-2016-4492, CVE-2016-4491, CVE-2016-4490, CVE-2016-4489, CVE-2016-4488, CVE-2016-4487, CVE-2016-2226 which were all minor issues in developer tools or in the gcc toolchain.
  • I commented on Ola's question about open security issues in phpmyadmin.

QA uploads

  • I fixed pygccxml that threatened to remove spring.
  • I completely overhauled gl-117, fixed four bugs and closed two obsolete ones. gl-117 always reminds me a little of the Falcon series from the early '90s.

My Free Software Activities in May 2016

My monthly report covers what I have been doing for Debian. I write it for Debian's Long Term Support sponsors but also for the wider free software community in the hope that it might inspire people to get more involved with Debian or free software in general.

Debian LTS

This was my fourth month as a paid contributor and I have been paid to work 30 hours on Debian LTS. During this month I worked on the following things:

  • DLA-460-1. Issued a security update for file fixing 1 CVE.
  • DLA-461-1. Issued a security update for nagios3 fixing 1 CVE.
  • From 2 May until 8 May I managed the LTS frontdesk and triaged CVEs in ikiwiki, jansson, libuser, librsvg, roundcube, ocaml, wpa and sogo. I reviewed a security update of icu for Roberto C. Sánchez. I also reviewed the security update of ikiwiki prepared by Simon McVittie and took care of the announcement which resulted in DLA-463-1.
  • DLA-468-1. I fixed two serious issues in the libuser library that allowed a normal user to gain root privileges and to corrupt /etc/passwd.
  • DLA-449-2. I issued a regression update for botan1.10's reverse dependencies, monotone and softhsm. Both packages had to be rebuilt in Wheezy. I also prepared the no-change rebuilds for all reverse-dependencies in Jessie. (DSA-3565-2)
  • DLA-471-1. Issued a security update for jansson fixing 1 CVE.
  • DLA-473-1. Issued a security update for wpa fixing 2 CVEs.
  • DLA-475-1. Issued a security update for python-tornado fixing 1 CVE.
  • DLA-483-1. Issued a security update for expat fixing 1 CVE.
  • DLA-484-1. Issued a security update for graphicsmagick fixing 8 CVEs. GraphicsMagick is a fork of ImageMagick and also affected by vulnerabilities commonly known as ImageTragick. It is likely that we will see more CVEs in the near future.
  • DLA-488-1. Issued a security update for xymon fixing 4 CVEs. I marked CVE-2016-2057 as not-affected in Wheezy.
  • DLA-490-1. Issued a security update for bozohttpd fixing 2 CVEs.
  • Misc: I sent a short news update to bits.debian.org and debian-lts-announce which was released on 2 June and announced the now official support of armel and armhf for Wheezy LTS.
  • I sent a DLA announcement for Icedove. The security update was prepared by Christoph Goehre. (DLA-472-1)

Debian Android

  • I packaged a new version of apktool. This tool has several issues at the moment. The most important one is the missing basic framework resource files which are needed for decoding apk files. They are not part of the source tarball release so we need to find other ways to make them available in Debian. Chirayu Desai, one of the GSoC students 2016, already came up with a good proposal.
  • We had our first GSoC meetings.

Debian Java

  • I fixed an RC bug in gradle-jflex-plugin due to an incompatibility with Gradle >= 2.12.
  • I clarified licenses and updated debian/copyright for Netbeans. I also removed some files from the original tarball with possibly controversial licenses.
  • I packaged new upstream releases of hsqldb and objenesis and updated fontchooser.
  • I sponsored libmnemonicsetter-java for Felix Natter.
  • I prepared a security update for Tomcat 8 which still awaits approval by the Security Team.
  • I spent too much time trying to upgrade libnetlib-java. In the end I came to the conclusion that it is not worth the effort.

Debian Games

  • I fixed a long standing RC bug in warzone2100 and another bug in fretsonfire.
  • I packaged new upstream releases of springlobby, freeorion and freeciv. This fixed the lags in FreeOrion which were seemingly introduced by an X server update. I also uploaded the latest versions of FreeCiv and Minetest to jessie-backports.

Misc

  • Xarchiver crashed when someone attempted to cancel the extraction procedure with the Thunar plugin. (#822115) I fixed the issue in Sid, Stretch and Jessie.

My Free Software Activities in April 2016

My monthly report covers what I have been doing for Debian. I write it for Debian's Long Term Support sponsors but also for the wider free software community in the hope that it might inspire people to get more involved with Debian or free software in general.

Debian LTS

This was my third month as a paid contributor and I have been paid to work 16 hours on Debian LTS. During this month I worked on the following things:

  • DSA-3552-1: I finished my work on Tomcat 7 which I started back in March. Debian's Security Team eventually reviewed the package and issued DSA-3552-1. This update fixed 9 CVEs in Wheezy and 7 CVEs in Jessie.
  • DSA-3541-1: My security update for roundcube (Wheezy) fixing 1 CVE was issued by the Security Team.
  • DLA-449-1. I worked on botan1.10, a C++ library which provides support for many common cryptographic operations and fixed 7 CVEs in Wheezy. I also sent an updated package for Jessie to the Security Team and they issued DSA-3565-1 for it. For Jessie 6 CVEs could be closed. I am currently investigating a possible regression (#823297) that might require a rebuild of monotone.
  • DLA-450-1. I prepared an update for gdk-pixbuf fixing 1 CVE. While I was working on this issue I discovered that Debian's fix for CVE-2015-7674 was incomplete and thus I added another patch to prevent possible heap-based overflows in pixops/pixops.c. Thanks to SUSE's Security Team for their initial work on this issue.
  • DLA-451-1. I backported and tested a security update for OpenJDK-7 fixing 7 CVEs. Thanks to Matthias Klose and Tiago Stürmer Daitx for their initial work.
  • DLA-452-1. I fixed a bug in smarty3 (Wheezy), a template engine for PHP, that allowed remote attackers to bypass the secure mode restrictions and to execute arbitrary PHP code.
  • I triaged CVE-2015-7496 in GDM3 and marked this issue as "not affected" in Wheezy because the vulnerable code was neither present nor was the issue reproducible.
  • I triaged two more CVEs in Swift, CVE-2016-0738 and CVE-2016-0737 and marked both CVEs as fixed in Wheezy because the vulnerable code was not present. I also had a closer look at Xymon. This package appears to be partly affected by the open security issues and needs further investigation.
  • The security support for Wheezy was handed over to the LTS team on 26 April 2016. I drafted an official announcement which was published on debian.org and debian-lts-announce. Beforehand I had started a call for review on debian-lts. Thanks for all the feedback and especially for the reviews from the English language team.
  • Making OpenJDK 7 the default-java implementation in Wheezy-LTS. I uploaded a new revision of java-common with the sole intention to increase the user awareness for our intended switch to OpenJDK 7 as the default Java implementation. Moreover I updated 14 Java packages in Wheezy that strictly depended on openjdk-6-jre or openjdk-6-jdk. The requirements were relaxed so that users will be able to install OpenJDK 7 now without the need for installing the unsupported OpenJDK 6 too. Three Java packages are still pending due to a bug in Debian's archive software that will hopefully be resolved soon. I think we could have uploaded those packages sooner but the Release Team did not deem these issues to be important enough. (#819247)

Debian Android

  • apktool and libsmali-java. I packaged the latest upstream release of Apktool, 2.1.0. Smali is now a dependency of Apktool and no longer included in the official tarballs. That's the reason why I decided to package libsmali-java.
  • I will be a Mentor for Google Summer of Code again together with Hans-Christoph Steiner. I presume this year will be quite exciting and we will try to package more Android software for Debian.

Debian Java

Debian Games

Misc

  • gimp-dimage-color. I asked the ftp team to remove gimp-dimage-color because it has not been updated in the past seven years and it is also not part of Debian stable.
  • I reviewed and sponsored python-adventure for Ben Finney.
  • I also reviewed freecell-solver for Shlomi Fish on debian-mentors but the package was eventually uploaded by the actual package maintainer.

My Free Software Activities in March 2016

My monthly report covers what I have been doing for Debian. I write it for Debian's Long Term Support sponsors but also for the wider free software community in the hope that it might inspire people to get more involved with Debian or free software in general.

Debian LTS

This was my second month as a paid contributor and I have been paid to work 14.25 hours on Debian LTS. During this month I worked on the following things:

  • DSA-3530-1: I finished the work on Tomcat 6 which I started last month and closely worked together with Debian's Security Team who reviewed the package and eventually issued DSA-3530-1. This update fixed 18 CVEs in Wheezy and Jessie.
  • DSA-3524-1: Prepared security updates for ActiveMQ (Wheezy and Jessie) fixing one CVE.
  • Tomcat 7. Prepared security updates for Tomcat 7 fixing 9 CVEs in Wheezy and 7 CVEs in Jessie. I asked for reviews and testing on the debian-java mailing list and I intend to finish the work in April.
  • DSA-3537-1: Prepared security updates for imlib2 fixing 3 CVEs in Wheezy and Jessie.
  • DSA-3538-1: Prepared security updates for libebml fixing 3 CVEs in Wheezy and Jessie.
  • DSA-3539-1: Prepared security updates for srtp fixing 1 CVE in Wheezy and Jessie.
  • roundcube. Prepared a security update for roundcube (Wheezy) fixing 1 CVE. Review by the Security Team is still pending. I expect a DSA in April.
  • optipng. Prepared and uploaded a security update for optipng to Wheezy fixing 1 CVE.
  • Making OpenJDK 7 the default-java implementation in Wheezy-LTS: March was also the month to prepare for the next LTS release on 2016-04-26. I worked several hours on the transition to OpenJDK 7 which will be supported for the whole LTS release cycle.  I identified eighteen Java packages in Wheezy whose runtime dependencies must be updated to ensure that they will not pull in OpenJDK 6 by default but they will still work with OpenJDK 7. I updated the java-common package to make OpenJDK 7 the default-java implementation. I filed bug #819247 against release.debian.org and asked the Release Team to include the updated Java packages in the last point release for Wheezy. This issue is pending now and I expect that those packages will either be uploaded as part of the next point update for Wheezy or at the beginning of Wheezy-LTS. I will continue to work on this task in April and provide a backport of java-common for testing purposes and upload no-change updates of Tomcat 6/7, Jetty and java-common to Wheezy-LTS with NEWS files that inform users about the switch to OpenJDK 7. The goal is to switch default-java to OpenJDK 7 on 2016-06-26.
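The dependency audit described above (here in the March report, and again in the April report, where the strict openjdk-6 requirements were relaxed) can be mechanised. The following Python checker is an added example, not code from this page or from Debian's own tooling: it parses debian/control stanzas, flags binary packages whose Depends would pull in OpenJDK 6 unconditionally (no alternative that OpenJDK 7 or the default-* metapackages satisfy) and proposes a relaxed dependency string. The control stanzas are constructed for illustration, and the set of OpenJDK-7-capable alternatives and the proposed rewrites are assumptions, not the exact changes made to the Wheezy packages.

```python
"""Flag Debian binary packages that strictly depend on OpenJDK 6.

Added example. SAMPLE_CONTROL is constructed, not a real Wheezy package;
OPENJDK7_OK and RELAXED are assumptions chosen for illustration.
"""
import re

# Dependencies that OpenJDK 7 (or the default-* metapackages) can satisfy.
# Assumption for this example, not an authoritative list.
OPENJDK7_OK = {
    "openjdk-7-jre", "openjdk-7-jre-headless", "openjdk-7-jdk",
    "default-jre", "default-jre-headless", "default-jdk",
    "java6-runtime", "java6-runtime-headless", "java6-sdk",
    "java7-runtime", "java7-runtime-headless", "java7-sdk",
}
# Real package names that pin a package to OpenJDK 6.
STRICT_OPENJDK6 = {"openjdk-6-jre", "openjdk-6-jre-headless", "openjdk-6-jdk"}
# Assumed rewrite: prefer the default implementation, accept any provider of
# the Java 6 virtual package, keep the old name last for installed systems.
RELAXED = {
    "openjdk-6-jre": "default-jre | java6-runtime",
    "openjdk-6-jre-headless": "default-jre-headless | java6-runtime-headless",
    "openjdk-6-jdk": "default-jdk | java6-sdk",
}

# Constructed debian/control with one source and three binary stanzas.
SAMPLE_CONTROL = """\
Source: example-java-app
Section: java

Package: example-strict
Architecture: all
Depends: ${misc:Depends}, openjdk-6-jre (>= 6b27), libcommons-io-java

Package: example-alternative
Architecture: all
Depends: ${misc:Depends}, openjdk-7-jre | openjdk-6-jre

Package: example-virtual
Architecture: all
Depends: default-jre-headless | java6-runtime-headless,
 libfoo-java (>= 1.0)
"""


def parse_control(text):
    """Split a control file into stanzas, each a dict of field -> value.

    Continuation lines (leading whitespace) are folded into the previous field.
    """
    stanzas, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
            continue
        if line[0] in " \t" and last:
            cur[last] += " " + line.strip()
            continue
        field, _, value = line.partition(":")
        last = field.strip()
        cur[last] = value.strip()
    if cur:
        stanzas.append(cur)
    return stanzas


def parse_depends(value):
    """'a (>= 1) [amd64], b | c' -> [['a'], ['b', 'c']].

    Version and architecture qualifiers are dropped; substitution variables
    such as ${misc:Depends} do not look like package names and are skipped.
    """
    groups = []
    for clause in value.split(","):
        alts = []
        for alt in clause.split("|"):
            m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9+.\-]*)", alt)
            if m:
                alts.append(m.group(1))
        if alts:
            groups.append(alts)
    return groups


def strict_openjdk6_deps(control_text):
    """Map binary package -> alternative groups that only OpenJDK 6 satisfies."""
    result = {}
    for st in parse_control(control_text):
        pkg = st.get("Package")
        if not pkg:
            continue  # the Source: stanza carries no runtime Depends
        bad = []
        for group in parse_depends(st.get("Depends", "")):
            names = set(group)
            if names & STRICT_OPENJDK6 and not names & OPENJDK7_OK:
                bad.append(group)
        if bad:
            result[pkg] = bad
    return result


def relax(group):
    """Proposed replacement for one alternative group (assumed rewrite)."""
    parts = [RELAXED[n] for n in group if n in RELAXED]
    parts.extend(group)
    return " | ".join(parts)


if __name__ == "__main__":
    for pkg, groups in strict_openjdk6_deps(SAMPLE_CONTROL).items():
        for g in groups:
            print(f"{pkg}: '{' | '.join(g)}' -> '{relax(g)}'")
```

Run against a real source tree with `strict_openjdk6_deps(open("debian/control").read())`; a package that already offers an OpenJDK-7-capable alternative (as example-alternative and example-virtual do) is not reported, so only the genuinely pinned packages need an upload.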

Debian Android

  • android-platform-tools-base. I uploaded a new revision because I could eventually reenable the Lint module since lombok-ast got accepted into Debian which I had packaged one week before.
  • apktool. Thanks to Chirayu Desai, who discovered a free public-domain implementation of the Little Endian data input stream class, I could fix apktool, close #819191 and sync this version with Ubuntu.
  • android-platform-build. I sponsored a new revision for Kai-Chung.

Debian Java

  • qdwizard. I sponsored qdwizard (ITP: #816426) prepared by Felix Natter, a new dependency for Jajuk, an advanced jukebox and music organizer.
  • netbeans. I tightened the dependency on Java 8 because Netbeans did not work correctly with Java 7. (#816758, #817152)
  • I triaged the following RC bugs for jpathwatch (#816998), velocity (#814679), lwjgl (#814167).
  • activemq. I spent several hours on upgrading ActiveMQ, a Java message broker, to the latest upstream release 5.13.2 and closed two RC bugs (#809733, #808636) and another bug (#770455). All files under /etc/activemq will be properly removed on purge now. In addition this update required an update of uima-as that build-depends on libactivemq-java and while I was at it I did some spring cleaning and updated the related activemq-protobuf and activemq-activeio packages as well.
  • uima-as. I updated uima-as and fixed an activemq related RC bug.
  • undertow and jboss. I packaged new upstream releases of undertow, jboss-modules, jboss-jdeparser2 and jboss-xnio.

Debian Games

  • renpy. I packaged the latest upstream releases 6.99.9 and 6.99.10 of python-pygame-sdl2 and renpy, a framework for developing visual novel games.
  • spring. I packaged the latest release 101 of spring, a modern full-3D RTS game engine.
  • freesweep. I updated the whole Freesweep package, a minesweeper game for the console, to use modern Debian helpers and technologies. In this process I fixed four outstanding bugs.
  • atomix. I packaged the latest stable release of Atomix, a puzzle game.
  • teg. I did another spring cleaning and updated teg, a strategy game like Risk.
  • hitori. Packaged new upstream release 3.20.0.
  • nikwi. Fixed bug #791966 and added arm64 to nikwi's supported architectures.
  • dopewars. Fixed FTBFS bug #819619.
  • zaz. Fixed three bugs and triaged the remaining ones in zaz, a 3D arcade action puzzle game.

Non-maintainer uploads

  • mtpaint. Fixed RC bug (#803286), so that mtpaint could migrate to testing again.
  • pinball. Fixed FTBFS (#816108) and another build failure when building with dpkg-buildpackage -A (#806093). I also discovered that /var/games/pinball is correctly removed on purge nowadays and closed #443493.
  • jcc. I NMUed jcc and fixed two RC bugs because it was one of the packages that blocked the removal of OpenJDK 7 from Debian.

QA uploads

  • piespy. I did a QA upload for piespy because it was one of the packages that blocked the removal of OpenJDK 7 from Debian.

Misc

  • yics. I requested the removal of yics because this chess client was defunct without the Yahoo chess servers which closed down in 2014. (#814360)
  • smc. I tried to fix #812096, a FTBFS, and updated outdated CEGUI includes but I soon realized that more porting work had to be done and it would be best to package the latest upstream release instead.

My Free Software Activities in February 2016

My monthly report covers what I have been doing for Debian. I write it for Debian's Long Term Support sponsors but also for the wider free software community in the hope that it might inspire people to get more involved with Debian or free software in general.

Debian LTS

This was my first month as a paid contributor and I have been paid to work 11.25 hours on Debian LTS. During this month I worked on the following things:

  • Released DLA-410-1 for OpenJDK 6 fixing eight CVEs.
  • Released DLA-418-1 for WordPress fixing two CVEs.
  • Released DLA-422-1 for python-imaging fixing one CVE and a second buffer overflow in PcdDecode.c. I also helped to fix these issues in Wheezy and Jessie and sent the patches to Debian's Security Team. This resulted in the release of DSA-3499-1.
  • Released DLA-435-1 for Tomcat 6 fixing six CVEs.
  • Released DLA-441-1 for pcre3 fixing one security vulnerability. A CVE had not been assigned but this issue is also known as ZDI-CAN-3452.
  • Released DLA-443-1 for bsh fixing one CVE. I fixed this issue for all versions of bsh. A DSA is still pending.
  • Since February was also the last month of support for Debian 6 "Squeeze" I looked for packages that had been fixed in Squeeze but not in Wheezy. I discovered that Lighttpd was still affected by CVE-2014-3566 aka the "POODLE" attack. Although SSLv3 could be disabled it was still enabled by default. After consulting the Debian Security Team we disabled SSLv3 by default and released DSA-3489-1.
  • Backported versions 6.0.41 and 6.0.45 of Tomcat 6 to fix all open security vulnerabilities in Wheezy. At the moment I am waiting for the green light from the Security Team.

Debian Android

I have been paid by the Guardian Project to package apktool and android-platform-tools-base. Apktool is a tool for reverse engineering Android apk files while android-platform-tools-base includes the Android Gradle Plugin and several tools and libraries for developing Android software. Unfortunately I discovered that LEDataInputStream.java in apktool was covered by a non-free license. I had to remove this class and thus the tool is currently broken. I am aware of this and I reported this issue to upstream as #1166. I hope I can resolve this problem together with them this month. In order to package the software above I also had to package the following build-dependencies: gradle-jflex-plugin, intellij-annotations and lombok-patcher. I am still working on getting lombok-ast into Debian for which the lombok-* packages were a precondition. These packages were non-trivial because ivyplusplus, lombok and lombok-patcher depend on each other. In addition they failed to build with OpenJDK 8 due to the use of older classes from OpenJDK's tools.jar. I fixed ivyplusplus and lombok which were both broken and updated proguard, trove3 and jflex to simplify the packaging of android-platform-tools-base and apktool by providing Maven artifacts.

Debian Java

  • libjide-oss-java. Packaged new upstream release 3.6.13+dfsg-1.
  • Netbeans. Packaged Netbeans 8.1+dfsg2-1. I could finally fix the HTML 5 parser runtime error (#809256) because libhtml5parser-java, which I had packaged last month, got accepted into Debian. I also fixed a FTBFS due to a change in svnclientadapter.
  • jgit. I disabled the tests as a workaround to fix a FTBFS. (#812643) I intend to package the latest upstream release in the near future. I hope it does not break as many reverse-dependencies as usual.
  • libslf4j-java. Updated the package to fix a Netbeans runtime error.
  • tomcat6. Packaged new upstream release 6.0.45+dfsg-1.

Debian Games

  • simutrans, simutrans-pak64, simutrans-pak128.britain. I sponsored new upstream releases of simutrans which were prepared by Jörg Frings-Fürst.
  • extremetuxracer. I packaged the latest upstream release 0.7.1. Eventually I decided to upload this version to unstable and to replace the 0.4 series because upstream ships the extra courses too now. They were once part of tuxracer-extras and had to be converted to a new data format. Since tuxracer-extras was obsolete, I requested its removal from Debian. (#814604)
  • freeciv. Packaged version 2.5.3 that fixed two bugs in FreeCiv's Qt client. (#813107, #813218) I also backported this version to Debian Jessie.
  • debian-games. I released the latest version of the Debian Games Blend. I recommended four new games: edgar, a 2D platformer, ufoai, a squad-based tactical strategy game, zoom-player, a player for Z-Code stories or games and endless-sky, a space exploration and combat game. The Free Software Foundation recently interviewed Michael Zahniser, the developer of endless-sky, because he uses the GPL for his work.
  • corsix-th. I sponsored corsix-th, an open source clone of Theme Hospital. This package was prepared by Alexandre Detiste. You still need the original game data from Theme Hospital to play the game. That is the reason why I had to upload it to contrib. If you own a copy of the game yourself, you can use game-data-packager to create a Debian package for the data.

Misc

  • osmo. Osmo's internal backup feature was broken on i386 systems. In fact it always produced the same empty file with a size of 50 bytes. I reported this issue upstream and Maxim Gordienko provided a patch. This issue (#813414) was fixed in version 0.2.14-4. I also uploaded a fixed version for Jessie after I got the permission from the Debian Release Team. (#815469)