My Free Software Activities in May 2020

Welcome to gambaru.de. Here is my monthly report (+ the first week in June) that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • I decided to upgrade Nethack to version 3.6.6, which fixed several security vulnerabilities and a GCC 10 FTBFS bug. Unfortunately, the Debian-specific Lisp fork of Nethack is no longer compatible with the most recent changes. I could fix some errors but really didn’t want to maintain something that should better be upstreamed. I filed Debian bug #961932 because nethack-lisp is unusable now. In my opinion the Lisp fork prevents more regular updates and it really needs a maintainer who likes to care for the code. But the best solution would be to merge the code upstream. Anyone interested in a challenge?
  • This month I could update a couple of games that haven’t seen much love in the past years, but to be fair, all of them still just worked fine. They just needed some modifications due to the switch to debhelper-compat = 13, or they could not be reproducibly built or cross-built from source. And then there were also some GCC 10 bugs that are currently severity normal but will become release-critical soon. So there was briquolo (#960386, reproducible-build patch by Chris Lamb), a 3D breakout game, empire (#957172, GCC-10), asc (#957013, GCC-10), asc-music, ace-of-penguins (#956976, GCC-10), foobillardplus (#914622, cross-build, patch by Helmut Grohne), vodovod (cross-build, patch by Helmut Grohne), holotz-castle (cross-build, patch by Helmut Grohne), kball (cross-build, patch by Helmut Grohne), zaz, an action puzzle game, xgalaga (cross-build, patch by Helmut Grohne), xmahjongg and plee-the-bear (Boost FTBFS, patch by Giovanni Mascellani, and a cross-build issue, patch by Helmut Grohne).
  • I was contacted by Martin Gerhardy, upstream maintainer of caveexpress and former lead developer of ufoai. He is currently working on a new free software voxel game engine and its tools. He asked me to take a look at the Debian packaging but I couldn’t promise to package it yet, although this is certainly something that interests me. I will provide some feedback for the preliminary Debian packaging though, which he has prepared already. In the meantime he released a new version of caveexpress and I hope that we can find a solution for a ufoai RC bug quite soon, but at least before Debian freezes.
  • I sponsored bzflag and supertux for Reiner Herrmann. Greatly appreciated!
  • Ryan Tandy contributed an overhauled mgba package, a Game Boy Advance emulator. Thanks a lot!
  • I also packaged new versions of hexalate, hitori and peg-e.

Debian Java

  • New upstream versions this month: undertow, jboss-xnio and libapache-mod-jk. The latter package contained a wrongly named file that prevented the Apache tools a2enmod and a2dismod from symlinking that file. I corrected the error and prepared a stable point-update as well.

Misc

  • I packaged new versions of wabt, privacybadger and https-everywhere. I would like to update ublock-origin as well but the package is still stuck in the NEW queue. I don’t know why.
  • I packaged a new upstream version of xarchiver and applied a patch to address Debian bug #959914. There is still a problem with multi-part encrypted 7zip files but since it is already known upstream, I am confident there will be a fix eventually.

Debian LTS

This was my 51st month as a paid contributor and I have been paid to work 25 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • DLA-2209-1. Issued a security update for tomcat8 fixing 4 CVE. The update was delayed due to an error that was not discovered by the test suite, and due to a new CVE, CVE-2020-9484.
  • squid3: I have almost completed the update and prepared patches for 16 different security vulnerabilities in Stretch and Jessie. Due to the partly invasive changes I will publish a request for testing on the debian-lts mailing list first. If there are no negative reports, the update should happen next week.
  • imagemagick: I am currently working on a complete update of the popular image manipulation program. I have already completed 10 patches and I intend to release a full update by the end of the month.

ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 „Wheezy“. This was my 24th month and I have been paid to work 9.25 hours on ELTS.

  • ELA-232-1. Issued a security update for nss fixing 1 CVE.
  • ELA-233-1. Issued a security update for openjdk-7 fixing 1 CVE.
  • Prepared the last security update of linux for Wheezy. The new kernel will be available on Saturday, 13.06.2020, after it passes the usual tests.

Thanks for reading and see you next time.

My Free Software Activities in April 2020

Welcome to gambaru.de. Here is my monthly report (+ the first week in May) that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • Scott Talbert did a fantastic job porting playonlinux, a user-friendly frontend for Wine, to Python 3 (#937302). I tested his patch and uploaded the package today. More testing and feedback is welcome. Scott’s work basically prevented the removal of one of the most popular packages in the games section. I believe this will also give interested people more time to package the Java successor of playonlinux called Phoenicis.
  • Reiner Herrmann ported ardentryst, an action role playing game, to Python 3 to fix a release critical Py2 removal bug (#936148). He also packaged the latest release of xaos, a real-time interactive fractal zoomer, and improved various packaging details. I reviewed both of them and sponsored the upload for him.
  • I packaged new upstream releases of minetest, lordsawar, gtkatlantic and cutemaze.
  • I also sponsored a new simutrans update for Jörg Frings-Fürst.

Debian Java

Misc

  • I packaged new versions of wabt and binaryen, required to build WebAssembly code from source.

Debian LTS

This was my 50th month as a paid contributor and I have been paid to work 11.5 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • I completed the security update of Tomcat 8 in Stretch released as DSA-4673-1 and Tomcat 8 in Jessie soon to be released as DLA-2209-1.
  • I am currently assigned more hours and my plan is to invest the time in a project to improve our knowledge about embedded code copies and their current security impact which I want to discuss with the security team. The rest will be spent on Stretch security updates which will become the new LTS release soon.

ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 „Wheezy“. This was my 23rd month and I have been paid to work 2 hours on ELTS.

  • I prepared the fix for CVE-2019-18218 in php5 released as ELA-227-1.
  • I checked jetty for unfixed vulnerabilities and discovered that the version in Wheezy was not affected by CVE-2019-17632. No further action was required.
  • It turned out that the apache2 package in Wheezy was not affected by vulnerable embedded expat code because it depends on already fixed system packages.

Thanks for reading and see you next time.

My Free Software Activities in March 2020

Welcome to gambaru.de. Here is my monthly report (+ the first week in April) that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

I am sure I am not the only one who will remember March 2020 in the future as a month nobody was really fond of. I was mostly occupied with non-Debian work and managed to get ill in the same week I wanted to celebrate my birthday but it didn’t matter anyway because of ehm quarantine and social distancing. Maybe next year March will be great again.

Debian Games

  • I was notified by Minetest upstream that Debian did not build the game with CMAKE_BUILD_TYPE=Release, or rather that we simply missed the -DNDEBUG compiler flag, which in turn could cause some unexpected runtime errors. I quickly fixed the problem and backported the change to buster-backports. There is another pending merge request about build-depending on libspatialindex-dev. I was told it will speed up some processes on the server side, so I wanted to give it a try.
  • I fixed RC bug #954722 in spring, the RTS game engine. A change in GCC caused yet another FTBFS but was rather easy to fix.
  • I sponsored jag and runescape for Carlos Donizete Froes. Despite being such a trivial helper script for downloading the runescape launcher, the latter caused some controversy. Now it looks like all problems can be resolved and I expect another upload with bug fixes in April.
  • Last but not least I packaged a new upstream release of extremetuxracer, the racing game with Tux for all the family.

Debian Java

  • I worked on new releases of wildfly-common, undertow, jboss-threads, jboss-xnio, libsmali-java and apktool.
  • I uploaded a security update of checkstyle to Stretch and Buster and prepared another point update for Buster to fix a bug in el-api, websocket-api and jsp-api when libservlet3.1-java was upgraded from Stretch to Buster.
  • A missing jar file on the CLASSPATH in commons-configuration2 made mediathekview and other packages FTBFS (#955755) but it also motivated me to remove the unnecessary update check in MediathekView on every startup because it may take a while until I can upgrade this program again.
  • I also applied a patch by Bas Couwenberg for OpenJFX to fix a FTBFS bug due to the -Werror=deprecated-declarations flag.

Misc

  • While I am still waiting for ublock-origin to be processed in the NEW queue, I packaged the latest version of another browser addon, https-everywhere.

Debian LTS

This was my 49th month as a paid contributor and I have been paid to work 10 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • I worked on Tomcat 8 in Jessie and prepared patches for CVE-2020-1938, CVE-2020-1935 and CVE-2019-17563. I am working together with Abhijith PA who is currently reviewing them. Especially CVE-2020-1938 requires careful attention because of the new options to secure the AJP port and protocol. In contrast to Wheezy, Tomcat in Jessie will be supported for at least another year, so it makes sense to apply the upstream changes for hardening the setup.
  • I prepared another Tomcat 8 update for Stretch which will be released this month.
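The AJP hardening options referred to above, shown side by side as an added illustration (this is not configuration taken from the post, from Debian's tomcat packages or from the LTS patches). Upstream's fix for CVE-2020-1938 (Ghostcat) changed the AJP connector so that a shared secret is required by default (secretRequired) and arbitrary request attributes sent by the proxy are rejected unless they match allowedRequestAttributesPattern; binding the listener to loopback was already possible via address. The first connector is how an exposed AJP port typically looks in server.xml; the second is the hardened form. The port, redirect port, IP address and the secret value are placeholders, and whether a given Debian version carries these attributes must be checked against its changelog.

```xml
<!-- Before: AJP listens on every interface and accepts any client that can
     reach port 8009. With the pre-fix code such a client can set arbitrary
     request attributes, which is what CVE-2020-1938 abuses. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- After: listen on loopback only, require the shared secret that the
     reverse proxy must send with every request, and keep the default of
     rejecting unknown request attributes (no allowedRequestAttributesPattern
     set means none are accepted). -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           secretRequired="true"
           secret="CHANGE-ME-to-a-long-random-value" />
```

The proxy side has to be configured with the same value: for mod_jk that is the worker's `secret` property in workers.properties. If no reverse proxy speaks AJP to this Tomcat at all, the right setting is to leave the AJP connector commented out entirely, which is the Debian default.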

ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 „Wheezy“. This was my 22nd month and I have been paid to work 9 hours on ELTS.

  • I investigated all identified source packages from last month. They are supported but embed external software, sometimes affected by unfixed security vulnerabilities. After a closer inspection I discovered that most packages were either affected only by minor issues, which did not warrant an extra update, or they were not affected at all because they linked against system libraries. However zlib, apache2 and php5 contained embedded and unfixed code copies of expat and file, and zlib’s miniunzip program was still prone to a directory traversal attack. I fixed the latter in ELA-222-1. The apache2 update will follow shortly and there is ongoing work for PHP5 anyway, which allows us to fix the latest reported vulnerabilities and address the embedded code copy issues together in one update.

Thanks for reading and see you next time.

My Free Software Activities in February 2020

Welcome to gambaru.de. Here is my monthly report (+ the first week in March) that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • The games team received a lot of FTBFS bug reports due to a recent change in SDL2 (#951087). Many games that relied on the FindSDL2.cmake macro suddenly stopped building from source. Simon McVittie, who analyzed the situation, provided some helpful fixes for the problem. Ideally all affected packages and SDL2 should be fixed. I applied his patch for blockattack (#951943) and came up with similar patches for megaglest (#951959) and spring (#951974); pekka-kana-2 (#952049) was fixed by Simon and Carlos again.
  • I updated clanlib, an older SDK for game development, fixed a Perl build failure and applied patches to make cross-builds and reproducible builds possible.
  • I backported the latest version of Minetest, 5.1.1, to buster-backports.
  • Morris was ported to GSettings by Yavor Doganov and Reiner Herrmann ported it to the Boost signals2 library (well done folks!) while I was tying all things together.
  • Freecol, a remake of the old Colonization received some love too. I could fix a build failure, create a valid appdata file and apply upstream’s patch to address CVE-2018-1000825.
  • I packaged new upstream releases of freeciv, freeorion and armagetronad.
  • ufoai: I fixed a build failure caused by an upgrade to the mxml 3.x library. There is another issue with the old and soon to be removed gtksourceview2 library which the map editor relies on for some specific functions. I suppose the only way is to disable the functionality or to disable the editor altogether. The game itself is not affected.
  • I sponsored an improved version of mupen64plus-qt for Dan Hastings, an RC fix for widelands by Juhani Numminen and
  • reviewed opensurge and surgescript for Carlos Donizete Froes. The former retro platformer opensurge is still missing from Debian and would be a nice addition to the games section. There is still some kind of runtime problem / shared library error and more work is required to make progress here.

Debian Java

Misc

  • After we received new bug reports for ublock-origin, this time because of sandboxing limitations in Chromium, I decided to revert back to two different binary packages, one for Firefox and one for Chromium. This will avoid any sandboxing problems due to the previous use of symlinks. The new version 1.25.0 is currently waiting in NEW.
  • In contrast, the update of privacybadger to version 2020.2.19 and of binaryen was much more straightforward.

Debian LTS

This was my 48th month as a paid contributor and I have been paid to work 10 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • DLA-2133-1. Issued a security update for tomcat7 fixing 3 CVE.
  • DLA-2138-1. Issued a security update for wpa fixing 1 CVE.
  • Worked on a security update for squid3 that is not finished yet.

ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 „Wheezy“. This was my 21st month and I have been paid to work 8 hours on ELTS.

  • ELA-217-1. Issued a security update for tomcat7 fixing 1 CVE. I investigated CVE-2019-17569 and found that it did not affect the version in Wheezy because the refactoring and thus the regression happened in a later version. I worked on CVE-2020-1938, a possible remote code execution vulnerability regarding the AJP protocol. After I had backported the initial upstream patch, I discovered that more and more changes to the code were required which I found to be too intrusive eventually. Since the AJP port is disabled by default in Debian and the scenario of an untrusted user/service like mod_jk and Apache 2 seems unlikely, I opted for not making those changes.
  • Created a script to display which supported source packages are embedded into other supported packages and to show the embedded code copies in supported packages. There will be another script for LTS that behaves slightly differently but it will also help to highlight CVE in embedded code copies in LTS and Debian packages in general.
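An added example of the kind of cross-check described above, and of the triage it fed in the March 2020 ELTS notes (a supported package such as apache2 or php5 carrying an unfixed copy of a supported library such as expat or file). This is not the author's script. It assumes the input looks like the security tracker's data/embedded-code-copies file: an unindented line names the embedded library, and indented "- package status (comment)" lines name the packages embedding it, with the status either a fixed version or a marker such as <unfixed>. The sample data and the set of supported packages are constructed for the example.

```python
# Added example: cross-reference an embedded-code-copies list against the set
# of source packages an (E)LTS team supports.  Not the script from the post.
import re
from collections import defaultdict

# Constructed sample in the assumed style of data/embedded-code-copies:
# an unindented header names the embedded library, indented entries name the
# packages that ship a copy of it, with a fixed version or a status marker.
SAMPLE_EMBEDDED = """\
# a comment line
expat
    - apache2 <unfixed> (embed; srclib/apr-util/xml/expat)
    - php5 <unfixed> (embed; ext/xml/expat)
    - xmlrpc-c 1.16.33-3 (fork)
file
    - php5 <unfixed> (embed; ext/fileinfo/libmagic)
    - kfreebsd-9 <unfixed> (embed)
zlib
    - rsync 3.0.2-1 (embed; unused)
    - libpng <not-affected> (links system zlib)
"""

# Constructed: source packages supported in the hypothetical release.
SUPPORTED = {"apache2", "php5", "zlib", "expat", "file", "nss", "rsync"}

# "- <pkg> <status> (<comment>)"; the parenthesised comment is optional.
ENTRY_RE = re.compile(r"^\s*-\s+(\S+)\s+(\S+)(?:\s+\((.*)\))?\s*$")


def parse_embedded(text):
    """Return {embedded_lib: [(embedding_pkg, status, comment), ...]}."""
    result = defaultdict(list)
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():          # unindented: new library header
            current = raw.strip()
            continue
        m = ENTRY_RE.match(raw)
        if m is None or current is None:
            continue                      # malformed entry: skip, don't guess
        pkg, status, comment = m.group(1), m.group(2), m.group(3) or ""
        result[current].append((pkg, status, comment))
    return dict(result)


def copies_in_supported(embedded, supported):
    """Every code copy carried by a supported package: {pkg: [(lib, status)]}.
    The library itself need not be supported; what matters is who ships it."""
    by_pkg = defaultdict(list)
    for lib, entries in embedded.items():
        for pkg, status, _comment in entries:
            if pkg in supported:
                by_pkg[pkg].append((lib, status))
    return {pkg: sorted(libs) for pkg, libs in by_pkg.items()}


def unfixed_supported_in_supported(embedded, supported):
    """Supported packages embedding an unfixed copy of a *supported* library.
    These are the cases where a CVE already fixed in the library's own package
    may still be open inside the embedding package."""
    hits = []
    for lib, entries in embedded.items():
        if lib not in supported:
            continue
        for pkg, status, comment in entries:
            if pkg in supported and pkg != lib and status == "<unfixed>":
                hits.append((pkg, lib, comment))
    return sorted(hits)


if __name__ == "__main__":
    data = parse_embedded(SAMPLE_EMBEDDED)
    for pkg, lib, comment in unfixed_supported_in_supported(data, SUPPORTED):
        print(f"{pkg}: embeds {lib} <unfixed> ({comment})")
```

Run against the real tracker file and the real list of supported packages, the first function answers "which embedded copies do we ship at all" (useful to decide whether a package links against the system library or not), while the second narrows it to the cases where a fix in the library's own package silently leaves the embedding package vulnerable.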

Thanks for reading and see you next time.

My Free Software Activities in January 2020

Welcome to gambaru.de. Here is my monthly report (+ the first week in February) that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • Again Reiner Herrmann did a very good job with updating some of the most famous FOSS games in Debian. I reviewed and sponsored supertux 0.6.1.1, supertuxkart 1.1 and love 11.3, as well as several updates to fix build failures with the latest version of scons in Debian. Reiner Herrmann, Moritz Mühlenhoff and Phil Wyett contributed patches to fix release critical bugs in netpanzer, boswars, btanks, and xboxdrv.
  • I packaged new upstream versions of minetest 5.1.1, empire 1.15 and bullet 2.89.
  • I backported freeciv 2.6.1 to buster-backports and
  • applied a patch by Asher Gordon to fix a teleporter bug in berusky2. He also submitted another patch to address even more bugs and I hope to review and upload a new revision soon.

Debian Java

Misc

  • As the maintainer I requested the removal of pyblosxom, a web blog engine written in Python 2. Unfortunately pyblosxom is no longer actively maintained and the port to Python 3 has never been finished. I thought it would be better to remove the package now since we have a couple of good alternatives like Hugo or Jekyll.
  • I packaged new upstream versions of wabt and privacybadger.

Debian LTS

This was my 47th month as a paid contributor and I have been paid to work 15 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • DLA-2065-1. Issued a security update for apache-log4j1.2 fixing 1 CVE.
  • DLA-2077-1. Issued a security update for tomcat7 fixing 2 CVE.
  • DLA-2078-1. Issued a security update for libxmlrpc3-java fixing 1 CVE.
  • DLA-2097-1. Issued a security update for ppp fixing 1 CVE.
  • DLA-2098-1. Issued a security update for ipmitool fixing 1 CVE.
  • DLA-2099-1. Issued a security update for checkstyle fixing 1 CVE.

ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 „Wheezy“. This was my twentieth month and I have been paid to work 10 hours on ELTS.

  • ELA-208-1. Issued a security update for tomcat7 fixing 2 CVE.
  • ELA-209-1. Issued a security update for linux fixing 41 CVE.
  • Investigated CVE-2019-17023 in nss which is needed to build and run OpenJDK 7. I found that the vulnerability did not affect this version of nss because of the incomplete and experimental support for TLS 1.3.

Thanks for reading and see you next time.

My Free Software Activities in December 2019

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • I started the month by backporting the latest version of minetest to buster-backports.
  • New versions of Springlobby, the single and multiplayer lobby for the Spring RTS engine, and Freeciv (now at 2.6.1) were packaged.
  • I had to remove python-pygccxml as a build-dependency from spring because of the Python 2 removal and there was also another unrelated build failure that got fixed as well.
  • I also released a new version of the debian-games metapackages. A considerable number of games were removed from Debian in the past months, in parts due to the ongoing Python 2 removal but also because of inactive maintainers or upstreams. There were also some new games though. Check out the 3.1 changelog for more information. As a consequence of our Python 2 goal, the development metapackage for Python 2 is gone now.

Debian Java

Misc

  • The imlib2 image library was updated to version 1.6.1 and now supports the webp image format.
  • I backported the Thunderbird addon dispmua to Buster and Stretch because the new Thunderbird ESR version had made it unusable.
  • I also updated binaryen, a compiler and library for WebAssembly and asked upstream if they could relax the build-dependency on Git which they did.

Debian LTS

This was my 46th month as a paid contributor and I have been paid to work 16.5 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

From 23.12.2019 until 05.01.2020 I was in charge of our LTS frontdesk. I investigated and triaged CVE in sudo, shiro, waitress, sa-exim, imagemagick, nss, apache-log4j1.2, sqlite3, lemonldap-ng, libsixel, graphicsmagick, debian-lan-config, xerces-c, libpodofo, vim, pure-ftpd, gthumb, opencv, jackson-databind, pillow, fontforge, collabtive, libhibernate-validator-java, lucene-solr and gpac.

  • DLA-2051-1. Issued a security update for intel-microcode fixing 2 CVE.
  • DLA-2058-1. Issued a security update for nss fixing 1 CVE.
  • DLA-2062-1. Issued a security update for sa-exim fixing 1 CVE.
  • I prepared a security update for tomcat7 by updating to the latest upstream release in the 7.x series. It is pending review by Mike Gabriel at the moment.

ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 „Wheezy“. This was my nineteenth month and I have been assigned to work 15 hours on ELTS.

  • I was in charge of our ELTS frontdesk from 23.12.2019 until 05.01.2020 and I triaged CVE in sqlite3, libxml2 and nss.
  • ELA-200-2. Issued a security update for intel-microcode.
  • Worked on tomcat7, CVE-2019-12418 and CVE-2019-17563, and finished the patches prepared by Mike Gabriel. We have discovered some unrelated test failures and are currently investigating the root cause of them.
  • Worked on nss, which is required to build OpenJDK 7 and also needed at runtime for the SunEC security provider. I am currently investigating CVE-2019-17023 which has been assigned only a few days ago.
  • ELA-206-1. Issued a security update for apache-log4j1.2 fixing 1 CVE.

Thanks for reading and see you next time.

My Free Software Activities in November 2019

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • Simon Schmeisser prepared a new upstream version of Ogre 1.12, a 3D object-oriented graphics rendering engine. I reviewed his work and gave some advice but he hasn’t had the time to work on the package again.
  • Auralquiz failed to build from source related to phonon4qt5. (#943870)
  • I packaged a new upstream Git snapshot of Berusky2, a 3D logic game with bugs (lalala). Asher Gordon and Bernhard Übelacker prepared patches to fix crashes which partially surfaced because of the switch to GCC 9.
  • Drascula, the evil vampire adventure game, didn’t want to start anymore and needed an update because of an engine change in ScummVM 2.10.
  • After I had updated armagetronad, the tron-like lightcycle game, a relocation error appeared due to changes in GCC 9 and prevented the game from starting. Thanks to boffi and Bernhard Übelacker we could identify the correct patch to address the problem.
  • After more than six years upstream released a new version of burgerspace again, a neat clone of burgertime, and its corresponding flatzebra library.
  • I packaged Minetest 5.1.0 and intend to backport this version to stable-backports soon.
  • Last but not least I decided to package the latest released version of caveexpress, which has a rather odd version number and contains only minor changes but I had to do it. 🙂

Debian Java

  • This month I packaged new releases of jboss-modules, intellij-annotations, easymock, undertow, activemq and jboss-xnio.
  • In order to let easymock migrate to testing I had to rebuild junit5, apiguardian, opentest4j and univocity-parsers and do source-only uploads. Currently all newly introduced packages to Debian have to be uploaded with all binaries included. Once the package has been approved, it is stuck in unstable and can’t migrate to testing and needs another source-only rebuild. I believe we should find a better way to reduce this kind of make-work when there is actually nothing to improve from the initial upload.
  • I have been working on a security update for Tomcat 8 in Stretch and hope to finish it soon.

Misc

  • As usual I updated some Firefox addons and packaged new upstream releases for privacybadger, https-everywhere and dispmua. The latter is actually a Thunderbird addon and displays what kind of email software (MUA) your correspondent uses (which can tell you a lot about someone’s personality 😉 ) I intend to prepare a stretch/buster-pu for it too.

Debian LTS

This was my 45th month as a paid contributor and I have been paid to work 24.5 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • DLA-1996-1. Issued a security update for libapache2-mod-auth-openidc fixing 1 CVE.
  • DLA-2023-1. Issued a security update for openjdk-7 fixing 16 CVE.
  • DLA-2027-1. Issued a security update for jruby fixing 4 CVE.
  • DLA-2028-1. Issued a security update for squid3 fixing 4 CVE.
  • DLA-2030-1. Issued a security update for jackson-databind fixing 2 CVE.

ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 „Wheezy“. This was my eighteenth month and I have been assigned to work 15 hours on ELTS.

  • I was in charge of our ELTS frontdesk from 25.11.2019 until 01.12.2019 and I triaged CVE in jetty, gnupg, rabbitmq-server, netkit-telnet and nss.
  • ELA-190-1. Issued a security update for linux fixing 2 CVE.
  • ELA-199-1. Issued a security update for intel-microcode fixing 2 CVE.
  • ELA-200-1. Issued a security update for openjdk-7 fixing 16 CVE. In order to improve the test coverage, I investigated together with Roberto Sanchez how to backport and use autopkgtests for OpenJDK 7. The idea is to catch changes in OpenJDK that are actually a regression in Debian but may not be an actual test failure. The previous release suddenly required to build the SunEC security provider in order to provide the same cryptographic classes to users as before and hopefully an autopkgtest is able to find such a regression earlier. The tests are currently not integrated in the package and only available locally but the intention is to make them available with the next security update.

Thanks for reading and see you next time.

My Free Software Activities in October 2019

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • Python 3 ports: I reviewed and sponsored krank and solarwolf for Reiner Herrmann. Thanks to his diligent work two more Python games were ported to Python 3. He also packaged a new upstream release of hyperrogue and improved the build system. Less memory is required to build hyperrogue now and some buildd are thankful for that.
  • The bullet transition got finally approved and completed successfully.
  • I uploaded a new version of pygame-sdl2 to experimental which supports Python 3 now. However the library is still exclusively needed for renpy but upstream hasn’t finished the porting work to Python 3 yet. Hopefully this will be done next year. That means the new version of renpy which I also packaged this month still depends on Python 2.
  • I fixed two bugs in Freeciv, the famous strategy game, by replacing fonts-noto-cjk with fonts-unfonts-core (#934588). The latter font apparently looks better on ordinary screens. The second one was simple to fix, I just had to remove an unneeded Python 2 build-dependency (#936553).
  • The strategy game asc, a neat clone of Battle Isle 2, also needed some attention this month. I had to replace libwxgtk3.0-dev with libwxgtk3.0-gtk3-dev. (#943439)
  • I did a QA upload of open-invaders because the maintainer email address was bouncing. The game needs a new maintainer.

Debian Java

Misc

  • I packaged a new version of privacybadger, and backported ublock-origin to Stretch and Buster because the addon was incompatible with the latest Firefox ESR release.

Debian LTS

This was my 44th month as a paid contributor and I have been paid to work 22.75 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 14.10.2019 until 20.10.2019 and from 28.10.2019 until 03.11.2019 I was in charge of our LTS frontdesk. I investigated and triaged CVE in wordpress, ncurses, opencv, pillow, poppler, golang, gdal, lz4, python-reportlab, ruby-haml, vips, rdesktop, modsecurity-crs, zabbix, polarssl and tika.
  • DLA-1960-1. Issued a security update for wordpress fixing 7 CVE.
  • DLA-1966-1. Issued a security update for aspell fixing 1 CVE.
  • DLA-1973-1. Issued a security update for libxslt fixing 1 CVE.
  • DLA-1978-1. Issued a security update for python-ecdsa fixing 2 CVE.
  • DLA-1982-1. Issued a security update for openafs fixing 2 CVE.
  • I triaged 17 CVE in libgig and forwarded the result upstream. After the investigation I decided to mark these issues as no-dsa because all in all the security risk was low. (#931309)

ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 „Wheezy“. This was my seventeenth month and I have been assigned to work 15 hours on ELTS plus five hours from September. I used 8 of them for the following:

  • ELA-185-1. Issued a security update for libxslt fixing 1 CVE.
  • ELA-186-1. Issued a security update for libssh2 fixing 1 CVE.
  • ELA-187-1. Issued a security update for cpio fixing 1 CVE. The update was prepared by Ola Lundqvist.
  • ELA-188-1. Issued a security update for djvulibre fixing 1 CVE.
  • I worked on OpenJDK 7. I contacted upstream and asked for a new IcedTea release on which we rely for packaging new upstream releases of OpenJDK. The release is still delayed.

My Free Software Activities in September 2019

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • Reiner Herrmann investigated a build failure of supertuxkart on several architectures and prepared an update to link against libatomic. I reviewed and sponsored the new revision which allowed supertuxkart 1.0 to migrate to testing.
  • Python 3 ports: Reiner also ported bouncy, a game for small kids, to Python3 which I reviewed and uploaded to unstable.
  • I myself upgraded atomix to version 3.34.0 as requested, although it is unlikely that you will find a major difference to the previous version.

Debian Java

Misc

  • I packaged new upstream releases of ublock-origin and privacybadger, two popular Firefox/Chromium addons and
  • packaged a new upstream release of wabt, the WebAssembly Binary Toolkit.

Debian LTS

This was my 43rd month as a paid contributor and I have been paid to work 23.75 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 11.09.2019 until 15.09.2019 I was in charge of our LTS frontdesk. I investigated and triaged CVE in libonig, bird, curl, openssl, wpa, httpie, asterisk, wireshark and libsixel.
  • DLA-1922-1. Issued a security update for wpa fixing 1 CVE.
  • DLA-1932-1. Issued a security update for openssl fixing 2 CVE.
  • DLA-1900-2. Issued a regression update for apache fixing 1 CVE.
  • DLA-1943-1. Issued a security update for jackson-databind fixing 4 CVE.
  • DLA-1954-1. Issued a security update for lucene-solr fixing 1 CVE. I triaged CVE-2019-12401 and marked Jessie as not-affected because we use the system libraries of woodstox in Debian.
  • DLA-1955-1. Issued a security update for tcpdump fixing 24 CVE by backporting the latest upstream release to Jessie. I discovered several test failures but after more investigation I came to the conclusion that the test cases were simply created with a newer version of libpcap which causes the test failures with Jessie’s older version.

ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 „Wheezy“. This was my sixteenth month and I have been assigned to work 15 hours on ELTS plus five hours from August. I used 15 of them for the following:

  • I was in charge of our ELTS frontdesk from 30.09.2019 until 06.10.2019 and I triaged CVE in tcpdump. There were no reports of other security vulnerabilities for supported packages in this week.
  • ELA-163-1. Issued a security update for curl fixing 1 CVE.
  • ELA-171-1. Issued a security update for openssl fixing 2 CVE.
  • ELA-172-1. Issued a security update for linux fixing 23 CVE.
  • ELA-174-1. Issued a security update for tcpdump fixing 24 CVE.

Lowendspirit: VPS servers from 3 euros per year

Six years ago I wrote about the five-cents-a-day server, an entry into the world of virtual servers that was already remarkably cheap back then. Recently I came across lowendspirit.com, where you can rent a server from three euros per … year. The question now is: is it any good, and what do you need it for? Here is a short report.
Lowendspirit is a project of several providers who make their living from renting out web space and servers and who have locations all over the world. The basic idea is: how much may a virtual server still cost, and which features must it have, so that it can be run economically on the one hand and still be useful to the buyer on the other. The three hosters on that site provide the answer.
The offers range from 64 MB RAM and 1 GB of disk in Hong Kong, via 128 MB RAM and 3 GB of disk (partly SSD), up to 256 MB RAM at Mr. VM. At the more “exotic” locations Hong Kong, Johannesburg or Tokyo the traffic allowance is rather limited (between 50 GB and 150 GB per month); otherwise it hovers around 300-500 GB per month in Europe and North America, which is usually enough to run smaller projects.

MiniVPS128 – UK

For testing I looked at the offer from Inception Hosting. I chose the Enfield location in London with 128 MB RAM, 3 GB SSD and 350 GB of traffic per month included.

Ordering was straightforward. You only have to provide the server name and the root password, both of which can be changed later. Payment is possible with PayPal or credit card, sometimes also with cryptocurrencies. SolusVM is used as the administration tool. You have to confirm explicitly that you know what you are buying here. The vServer comes primarily with IPv6 support; a NAT IPv4 address is to be seen as a bonus at most. In plain terms: the server only has a private IPv4 address and cannot be reached directly over the old protocol without further configuration. For most customers in Germany this should not be a problem, since IPv6 is now available practically everywhere or is even a given on DS-Lite connections. Small helpers like 6tunnel or OpenVPN also help to work around IPv4/IPv6 address problems. The most important place for questions is the English-language forum. There is no direct support, and at that price you cannot really expect any.

Hit or miss?

The welcome mail contains the login credentials and instructions on how to connect via IPv4. The IPv6 address can also be read directly in the SolusVM configurator. After that you connect via SSH as usual. The vServer uses OpenVZ as the virtualization solution, and Debian Wheezy was the preinstalled operating system in my case. Since Wheezy is no longer officially supported by Debian, you can either look at the new extended long term support (ELTS) or simply upgrade to Jessie, which worked without problems for me.
The performance feels good, which I could not always say of every OpenVZ offer so far. The server has been running without interruption for more than a month, and the services I consider sensible for such a server (more on that in a moment) work without problems. Disk throughput and access times are, as expected, not impressive. Here is a snapshot with ioping.

Inception Hosting – MiniVPS128 – UK
75 requests completed in 1.32 min, 17 iops, 71.0 KiB/s
min/avg/max/mdev = 184 us / 56.3 ms / 536.5 ms / 123.9 ms
With more powerful offers the average access times are normally in the microsecond rather than the millisecond range.

Recommended services / ideas

128 MB RAM sounds like little, but there are some services for which that is entirely sufficient. A Lowendspirit server is ideal as a SOCKS proxy. Since OpenSSH is preinstalled anyway, you can, for example, connect from your own machine with
ssh -D 9999 -C -q -N <lowend-server-ip-address>
and then, in Firefox, under Settings->Advanced->Network->Connection, set the values as in the following image, and you are browsing with an English IP address. Tick “Proxy DNS when using SOCKS v5” as well, otherwise the name lookups still go to your local resolver rather than through the tunnel.
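The following script is an added example, not code from the original post, from OpenSSH or from Lowendspirit. It performs the SOCKS5 CONNECT handshake (RFC 1928) that Firefox or curl performs against the ssh -D listener, and shows the difference between sending the destination hostname to the proxy (address type 0x03, what the Firefox “Proxy DNS” setting and curl --socks5-hostname do) and resolving it locally first (address type 0x01), which leaks the DNS query outside the tunnel. To run offline it uses a small constructed recording server in place of the real ssh listener; the port 9999 and the hostnames are assumptions for the demo.

```python
"""SOCKS5 CONNECT through an ssh -D style proxy, with and without remote DNS."""
import socket
import struct
import threading

SOCKS_VERSION = 5
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def _recv_exact(sock, n):
    """Read exactly n bytes; recv() may legitimately return short reads."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf


def socks5_connect(proxy, dest_host, dest_port, remote_dns=True):
    """Return a TCP socket to dest_host:dest_port tunnelled through the SOCKS5 proxy.

    remote_dns=True sends the hostname itself (ATYP 0x03), so the proxy end,
    i.e. the ssh server, resolves it.  remote_dns=False resolves locally and
    sends the IPv4 address (ATYP 0x01): the DNS lookup then leaves your machine
    outside the tunnel, which defeats the point of proxying for privacy.
    """
    s = socket.create_connection(proxy, timeout=5)
    try:
        s.sendall(bytes([SOCKS_VERSION, 1, 0x00]))  # offer "no authentication" only
        ver, method = _recv_exact(s, 2)
        if ver != SOCKS_VERSION or method != 0x00:
            raise ConnectionError("proxy refused the no-auth method")
        if remote_dns:
            name = dest_host.encode("idna")
            addr = bytes([ATYP_DOMAIN, len(name)]) + name
        else:
            addr = bytes([ATYP_IPV4]) + socket.inet_aton(socket.gethostbyname(dest_host))
        s.sendall(bytes([SOCKS_VERSION, 0x01, 0x00]) + addr + struct.pack("!H", dest_port))
        ver, rep, _rsv, atyp = _recv_exact(s, 4)
        if ver != SOCKS_VERSION or rep != 0x00:
            raise ConnectionError(f"SOCKS5 CONNECT failed, reply code {rep:#04x}")
        # drain BND.ADDR and BND.PORT that the proxy reports back
        if atyp == ATYP_IPV4:
            _recv_exact(s, 4)
        elif atyp == ATYP_DOMAIN:
            _recv_exact(s, _recv_exact(s, 1)[0])
        else:
            _recv_exact(s, 16)
        _recv_exact(s, 2)
        return s
    except Exception:
        s.close()
        raise


class RecordingSocksServer:
    """Constructed stand-in for the ssh -D listener (demo only): it accepts
    CONNECT requests, records the address type the client used and answers
    success without opening any real connection."""

    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))  # ephemeral port on loopback only
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.requests = []  # (atyp, target, port) per CONNECT
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, _ = self.sock.accept()
            with conn:
                _ver, nmethods = _recv_exact(conn, 2)
                _recv_exact(conn, nmethods)
                conn.sendall(bytes([SOCKS_VERSION, 0x00]))
                _ver, _cmd, _rsv, atyp = _recv_exact(conn, 4)
                if atyp == ATYP_IPV4:
                    target = socket.inet_ntoa(_recv_exact(conn, 4))
                elif atyp == ATYP_DOMAIN:
                    target = _recv_exact(conn, _recv_exact(conn, 1)[0]).decode("idna")
                else:
                    target = socket.inet_ntop(socket.AF_INET6, _recv_exact(conn, 16))
                port = struct.unpack("!H", _recv_exact(conn, 2))[0]
                self.requests.append((atyp, target, port))
                conn.sendall(bytes([SOCKS_VERSION, 0x00, 0x00, ATYP_IPV4]) + bytes(6))


def address_type_used(server, dest_host, remote_dns):
    """Connect through the recording server and return the ATYP the client sent."""
    socks5_connect(("127.0.0.1", server.port), dest_host, 443, remote_dns=remote_dns).close()
    return server.requests[-1][0]


if __name__ == "__main__":
    srv = RecordingSocksServer()  # in real use: the ssh -D 9999 listener on 127.0.0.1:9999
    for host, remote in (("example.org", True), ("127.0.0.1", False)):
        print(f"{host!r:14} remote_dns={remote!s:5} -> ATYP {address_type_used(srv, host, remote):#04x}")
```

Against a real tunnel, pass `("127.0.0.1", 9999)` as the proxy instead of the recording server; ssh binds the -D port to loopback by default, so nobody else on your LAN can use the tunnel.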


Debian's OpenVPN package can also be run without problems. And then there is the option of setting up a web server with Lighttpd or Nginx. I wrote something about Lighty a few years ago, and there is not much left to say about Nginx these days.

Better leave it

Intensive database applications and anything that likes to devour huge amounts of RAM (hello Java!). With some optimization, forum software or WordPress blogs can be installed, but for that I would rather go for a 256 MB RAM server. It is not impossible with 128 MB RAM either; maybe that is where the fun and the challenge lie.

Conclusion

Lowendspirit.com is a project that makes no profit but is nevertheless a reasonable offer. For 3.50 euros per year you take no financial risk. The servers are not suitable for beginners. But if you are willing to learn something new, there is hardly a cheaper entry into the world of virtual servers. The servers come without backups, but with tools like rsync or the Dirvish backup solution that problem should be solvable too. Definitely interesting for everyone who always wanted to have a server in different countries of the world. By the way, there are sometimes bundle offers: five servers for 10 euros per year. Nothing stands in the way of your own cluster now. 😉