### My Free Software Activities in April 2019

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

## Debian Games

• This was a very quiet month compared to pre-freeze time. I reported three security vulnerabilities for Teeworlds (#927152) which were later fixed by Dylan Aïssi. Thank you.
• I also reviewed and sponsored a new revision of OpenMW for Bret Curtis. I’m not sure why he didn’t ask the release team for an unblock but there may be a reason.

## Debian Java

• I fixed a security vulnerability in robocode (#926088) and asked for an unblock.
• I corrected a mistake in solr-tomcat and learned, if you want to override a service file of another package (tomcat9) the conf file has to be installed into
/etc/systemd/system/tomcat9.service.d/

## Misc

• Last month I wrote about the challenges of the ublock-origin addon (#926586). We came to the conclusion that we can no longer provide one version for Firefox and Chromium but that we don’t have to create two binary packages either. Now we use symlinks  and two different directories and hopefully this will solve all the troubles we had before. It is not a great solution but hopefully we can maintain the addon without relying on patches.  Thanks to Michael Meskes who implemented the changes. I will probably upload a new version to experimental in May, so that people can try it out and report back.

## Debian LTS

This was my thirty-eight month as a paid contributor and I have been paid to work 17,25 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

• From 29.04.2019 until 05.05.2019 I was in charge of our LTS frontdesk. I investigated and triaged CVE in rebar, filezilla, lucene-solr, librecad, apparmor, phpbb3, jakarta-jmeter, jetty8, jetty, php-imagick and node-tar.
• DLA-1753-2. Issued a regression update for proftpd-dfsg because it became clear that neither version 1.3.5.e nor 1.3.6 was a way forward to address the memory leaks because those versions also introduced new bugs that affected sftp setups negatively (#926719). I resolved these problems by backporting the patches for the memory leaks and by reverting to version 1.3.5 again.
• DLA-1773-1. Issued a security update for signing-party fixing 1 CVE.
• DLA-1774-1. Issued a security update for otrs2 fixing 1 CVE.
• DLA-1775-1. Issued a security update for phpbb3 fixing 1 CVE.
• DLA-1776-1. Issued a security update for librecad fixing 1 CVE.
• DLA-1785-1. Issued a security update for imagemagick together with Hugo Lefeuvre (3 CVE) fixing 50 CVE in total.

## ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 „Wheezy“. This was my eleventh month and I have been paid to work 14,5 hours on ELTS.

• I was in charge of our ELTS frontdesk from 15.04.2019 until 21.04.2019 and I triaged CVE in openjdk7, php5 and libvirt.
• ELA-72-2. Issued a regression update for jasper which corrected the patch for CVE-2018-19542.
• ELA-109-1. Issued a security update for jquery fixing 1 CVE.
• ELA-111-1. Issued a security update for linux and linux-latest fixing 24 CVE.
• ELA-117-1. Issued a security update for apache2 fixing 2 CVE and investigated four more CVE which I triaged as not-affected.

Thanks for reading and see you next time.

### My Free Software Activities in March 2019

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. ( a bit later than usual) If you’re interested in Java, Games and LTS topics, this might be interesting for you.

## Debian Games

• Lars Kruse reported a bug in the gui-sdl2 theme of Freeciv, the famous strategy game, which I could quickly fix.  (#923563)
• I fixed RC bug #922947 in retroarch-assets because of a change in fonts-roboto that broke symlinks to font files.
• Pedro Pena and Carlos Donizete Froes packaged two new games for Debian, Infinitetux (Pedro) and Pekka Kana 2 (Carlos). I reviewed and sponsored both games and they are currently waiting in the NEW queue. Infinitetux is a Super Mario like game written in Java. The original author of the game is no one else than Markus Persson, the developer of Minecraft. This game is one of his previous works that used the original game content from Nintendo. However Pedro completely replaced the artwork with freely available images and sounds. Quite interesting for Java developers: The game requires no third-party libraries and uses only classes from the JDK. Pekka Kana 2 is another jump-and-run game from Finnish creator Janne Kivilahti. He kindly released his game under a permissive BSD-2-clause license.

## Debian Java

• I tackled several RC bugs in Java packages this month.
• libjogl2-java (#887140): The package failed to build on several non-supported architectures. Since we are already glad that it works on amd64 I had to limit the support in debian/control to those architectures where the package may be useful.
• lucene-solr (#919638): Solr refused to start with Tomcat 9 because of more strict permissions in Tomcat’s systemd service file. I initially tried to fix this in Tomcat but had to add a new systemd conf file to lucene-solr that overrides the permissions now.
• javahelper (#923756): I implemented a workaround for Javadoc build failures that started to occur only two months ago after the OpenJDK 11 package was upgraded.
• owasp-java-html-sanitizer (#923654): I removed the now non-existent build-dependency on libjsr305-java-doc.
• sweethome3d (#924594): I had to replace the virtual dependency on icedtea-netx-common with icedtea-netx.
• I triaged a RC bug in libitext-java (#923364). Unfortunately the bug submitter did not provide further information.
• It is a bit sad that Netbeans is currently affected by a severe bug which makes it impossible to create new Java projects. (#925509) I tried to fix it but I am stuck now. Help is appreciated.
• I provided a patch to fix RC bug #923759 in netlib-java.

## Misc

• The  ublock-origin addon does not work anymore with Firefox 66 in unstable (#925337) which is caused by a value in its manifest file, incognito:split, that is not supported by Firefox. Previous versions of Firefox just emitted a warning, now it is fatal. The same value works fine with Chromium. At the moment we provide one webextension package for both browsers in Debian but it looks like we have to consider to provide two different packages of ublock-origin again, to avoid such pitfalls in the future. I have filed #926586 to get more feedback.

## Debian LTS

This was my thirty-seventh month as a paid contributor and I have been paid to work 29,5 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

• From 25.03.2019 until 31.03.2019 I was in charge of our LTS frontdesk. I investigated and triaged CVE in twig, ruby2.1, znc, wpa, cloud-init, dovecot, edk2, activemq, bwa, tomcat8, mosquitto, gpsd, nuget, rails, robocode, libav and clamav.
• DLA-1708-1. Issued a security update for zabbix fixing 2 CVE.
• DLA-1711-1. Issued a security update for systemd fixing 1 CVE.
• DLA-1733-1. Issued a security update for wpa fixing 1 CVE.
• DLA-1736-1. Issued a security update for dovecot fixing 1 CVE.
• DLA-1738-1. Issued a security update for gpsd fixing 1 CVE.
• DLA-1739-1. Issued a security update for rails fixing 2 CVE.
• DLA-1753-1. Issued a security update for proftpd-dfsg to fix several memory leaks. However it turned out that under certain conditions #926719 the daemon now closes sftp connections. This appears to be an upstream bug that was fixed in version 1.3.6. I will investigate if we have to revert to the previous version or if we can move forward.
• DLA-1755-1. Issued a security update for graphicsmagick fixing 6 CVE.
• While I was working on DLA-1755-1 I discovered a regression in jasper which I addressed with DLA-1628-2.

## ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 „Wheezy“. This was my tenth month and I have been paid to work 15 hours on ELTS.

• I was in charge of our ELTS frontdesk from 11.03.2019 until 17.03.2019 and I triaged CVE in cron, ntp, gdk-pixbuf, glib2.0 and libssh2.
• ELA-92-1. Issued a security update for xmltooling fixing 1 CVE.
• ELA-94-1. Issued a security update for openssh fixing 3 CVE.
• ELA-105-1. Issued a security update for sqlalchemy fixing 2 CVE.
• I started to work on src:linux and will provide a new package next week.

Thanks for reading and see you next time.

### My Free Software Activities in February 2019

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

## Debian Games

• February was the last month to package new upstream releases before the full freeze, if the changes were not too invasive of course :-). Atomix, gamine, simutrans, simutrans-pak64, simutrans-pak128.britain and hitori qualified.
• I sponsored a new version of mgba, a Game Boy Advance emulator, for Reiner Herrmann and worked together with Bret Curtis on wildmidi and openmw. The latest upstream version resolved a long-standing bug and made it possible that the game engine, a reimplementation of The Elder Scrolls III: Morrowind, will be part of a Debian stable release for the first time.
• Johann Suhter reported a bug in one of brainparty’s minigames and also provided the patch. All I had to do was uploading it. Thanks. (#922485)
• I corrected a minor cross-build FTBFS in openssn. Patch by Helmut Grohne. (#914724)
• I released a new version of debian-games and updated the dependency list of our games metapackages. This is almost the final version but expect another release in one or two months.

## Debian LTS

This was my thirty-sixth month as a paid contributor and I have been paid to work 19,5 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

• From 25.02.2019 until 03.03.2019 I was in charge of our LTS frontdesk. I investigated and triaged CVE in sox, collabtive, libkohana2-php, ldb, libpodofo, libvirt, openssl, wordpress, twitter-bootstrap, ceph, ikiwiki, edk2, advancecomp, glibc, spice-xpi and zabbix.
• DLA-1675-1. Issued a security update for python-gnupg fixing 1 CVE.
• DLA-1676-1. Issued a security update for unbound fixing 1 CVE.
• DLA-1696-1. Issued a security update for ceph fixing 2 CVE.
• DLA-1701-1. Issued a security update for openssl fixing 1 CVE.
• DLA-1702-1. Issued a security update for advancecomp fixing 2 CVE.
• DLA-1703-1. Issued a security update for jackson-databind fixing 10 CVE.
• DLA-1706-1. Issued a security update for poppler fixing 5 CVE.

## ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 „Wheezy“. This was my ninth month and I have been paid to work 15 hours on ELTS.

• I was in charge of our ELTS frontdesk from 25.02.2019 until 03.03.2019 and I triaged CVE in file, gnutls26, nettle, libvirt, busybox and eglibc.
• ELA-84-1. Issued a security update for gnutls26 fixing 4 CVE. I also investigated CVE-2018-16869 in nettle and also CVE-2018-16868 in gnutls26. After some consideration I decided to mark these issues as ignored because the changes were invasive and would have required intensive testing. The benefits appeared small in comparison.
• ELA-88-1. Issued a security update for openssl fixing 1 CVE.
• ELA-90-1. Issued a security update for libsdl1.2 fixing 11 CVE.
• I started to work on sqlalchemy which requires a complex backport to fix a possible SQL injection vulnerability.

Thanks for reading and see you next time.

### My Free Software Activities in January 2019

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

## Debian Games

• Time’s almost up and the soft freeze is near. In January I packaged a couple of new upstream versions for Teeworlds (0.7.2), Neverball (this one was a Git snapshot because they apparently don’t like regular releases), cube2-data (easy, because I am upstream myself), adonthell and adonthell-data, fifechan, fife and unknown-horizons.
• After I uploaded the latest Teeworlds release to stretch-backports too, I sponsored pegsolitaire for Juhani Numminen and a shiny new Supertux release for Reiner Herrmann.
• I updated KXL, the Kacchan X Windows System Library. You have never heard of it? Well, never mind. However it powers three Debian games.
• Last but not least I updated btanks,  your fast 2D tank arcade game.

## Debian LTS

This was my thirty-fifth month as a paid contributor and I have been paid to work 20,5 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

• From 28.01.2019 until 03.02.2019 I was in charge of our LTS frontdesk. I investigated and triaged CVE in mupdf, coturn, php5, netkit-rsh, guacamole-client, openjdk-7, python-numpy, python-gnupg, muble, mysql-connector-python, enigmail, python-colander, slurml-llnl, sox, uriparser, and drupal7.
• DLA-1631-1. Issued a security update for libcaca fixing 4 CVE.
• DLA-1633-1. Issued a security update for sqlite3 fixing 5 CVE.
• DLA-1650-1. Issued a security update for rssh fixing 1 CVE.
• DLA-1656-1. Issued a security update for agg fixing 1 CVE. This one required a sourceful upload of desmume and exactimage as well because agg provides only a static library.
• DLA-1662-1. Issued a security update for libthrift-java fixing 1 CVE.
• DLA-1673-1. Issued a security update for wordpress fixing 7 CVE.

## ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 „Wheezy“. This was my eight month and I have been paid to work 15 hours on ELTS.

• I was in charge of our ELTS frontdesk from 28.01.2019 until 03.02.2019 and I triaged CVE in php5 and systemd.
• ELA-81-1. Issued a security update for systemd fixing 2 CVE. I investigated CVE-2018-16865 and found that systemd was not exploitable. I marked CVE-2018-16864, CVE-2018-16866 and CVE-2018-15688 as <not-affected> because the vulnerable code was introduced later.
• ELA-83-1. Issued a security update for php5  fixing 7 upstream bugs. No CVE have been assigned yet but upstream intends to do so shortly.

Thanks for reading and see you next time.

### My Free Software Activities in December 2018

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

## Debian Games

• I used this month to polish some of my team-maintained packages and to slightly improve the debian packaging in openyahtzee, monopd, opencity, pangzero, powermanga, ri-li, tecnoballz, whichwayisup, atanks, ufoai and dreamchess.
• I fixed RC bug #915453 in supertuxkart.
• I released a new version of debian-games,  a collection of metapackages to ease the installation of games in Debian. I plan to do another update in January. This one will then almost be the final state for Buster but there is usually another last minor update during deep freeze to include even the latest changes.
• I also packaged a new upstream version of enemylines3, which was merely a bug fix release though. Nevertheless I could drop two Debian patches. Yeah.

## Misc

• I updated osmo, tofrodos and iftop and applied a patch by Andreas Henriksson for wbar to  fix a reproducibility issue on merged-usr systems.
• The browser extension privacybadger was updated to version 2018.12.17.
• I prepared a security update of libarchive for Stretch released as DSA-4360-1.
• I reported a FTBFS that got recently fixed in moria. (#916030)

## Debian LTS

This was my thirty-fourth month as a paid contributor and I have been paid to work 30 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

• From 17.12.2018 until 06.01.2019 I was in charge of our LTS frontdesk. I investigated and triaged CVE in graphiscmagick, sqlite3, libvncserver, pspp, yara, terminology, sssd, libarchive, freecol, rabbitmq-server, hoteldruid, libraw, nagios3, gnupg2, igraph, python3.4, radare2, imagemagick, tar, poppler, tcpreplay,  libcaca, binutils, liblas, mxml, jasper, aria2, systemd, libpff, libsixel, libspring-security-2.0-java, nasm, yaml-cpp and yaml-cpp0.3.
• DLA-1630-1. I triaged and investigated 39 CVE in libav. Later I issued a security update for libav fixing 14 of them.
• DLA-1612-1. Issued a security update for libarchive fixing 2 CVE.
• DLA-1615-1. Issued a security update for nagios3 fixing 5 CVE.
• DLA-1616-1. Issued a security update for libextractor fixing 2 CVE.
• DLA-1628-1. Issued a security update for jasper fixing 8 CVE (announced 9). It turned out that CVE-2018-19139 has not been fixed yet.

## ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 „Wheezy“. This was my seventh month and I have been paid to work 15 hours on ELTS.

• I was in charge of our ELTS frontdesk from 17.12.2018 until 06.01.2019 and I triaged CVE in libarchive, gnutls26, rabbitmq-server, binutils, wget, tar, krb5, jasper and systemd.
• ELA-72-1. Issued a security update for jasper fixing 5 CVE. I analyzed the remaining open issues, prepared patches myself and forwarded them upstream.
• ELA-73-1. Issued a security update for libcaca fixing 4 CVE.
• ELA-74-1. Issued a security update for sqlite3 fixing 3 CVE.

Thanks for reading and see you next time.

### My Free Software Activities in November 2018

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

## Debian Games

• This month I packaged a new upstream Git snapshot of performous, a karaoke game, because this seemed to be the quickest route to fix a build failure and RC bug (#914061) with Debian’s latest Boost version. We had to overcome some portability issues later (#914667, #914688) and now the only blocker for a migration to testing is GCC-8 itself.
• I uploaded a new revision of widelands to fix a FTBFS with ICU 63.1 (#913513). The patch was provided by László Böszörményi.
• I updated the packaging of the following games without making bigger changes, just the normal „grooming“: box2d, brainparty, dangen, flatzebra, jester and etw.
• The latest upstream release 7.1.3 of renpy, a framework for developing visual-novel type games, is available now.
• Last but not least I backported teeworlds version 0.7.0, a fun action packed 2D shooter, and its special build system bam to Stretch because the current version 0.6.0 is unable to connect to 0.7.0 servers. Now players should be able to choose between their favorite Teeworld versions.

## Misc

• I sponsored another update of android-platform-system-core for Kai-Chung Yan. From now on that should be no longer necessary because he is a Debian Developer now. Congratulations!
• I packaged a new upstream release of https-everywhere, a very useful Firefox/Chromium addon.

## Debian LTS

This was my thirty-third month as a paid contributor and I have been paid to work 30 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

• From 19.11.2018 until 25.11.2018  I was in charge of our LTS frontdesk. I investigated and triaged CVE in jasper, gnome-keyring, keepalived, otrs2, gnuplot, gnuplot5, ncurses, sysstat, php5, uw-imap, eclipse and apktool.
• DLA-1568-1. Issued a security update for curl fixing 5 CVE.
• DLA-1583-1. Issued a security update for jasper fixing 5 CVE.
• DLA-1592-1. Issued a security update for otrs2 fixing 2 CVE.
• DLA-1593-1. Issued a security update for phpbb3 fixing 1 CVE.
• DLA-1598-1. Issued a security update for ghostscript fixing 4 CVE.
• DLA-1600-1. Issued a security update for libarchive fixing 12 CVE.
• DLA-1603-1. Issued a security update for suricata fixing 4 CVE.
• I reviewed the openssl update which was later released as DLA 1586-1.
• I also reviewed and sponsored squid3, icecast2 and keepalived for Abhijith PA.

## ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 „Wheezy“. This was my sixth month and I have been paid to work 15  hours on ELTS.

• I was in charge of our ELTS frontdesk from 19.11.2018 until 25.11.2018 and I triaged CVE in git, sysstat, suricata, libarchive and jasper.
• ELA-62-1.  Issued a security update for libarchive fixing 3 CVE.
• ELA-64-1.  Issued a security update for suricata fixing 4 CVE.
• ELA-65-1.  Issued a security update for jasper fixing 9 CVE.
• Since upstream development of jasper has slowed down and many bugs remain without a response, I wrote the patches for CVE-2018-18873, CVE-2018-19539 and CVE-2018-19542 myself. I will look into the remaining issues in December.

Thanks for reading and see you next time.

### My Free Software Activities in October 2018

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

## Debian Games

• Again Yavor Doganov saved the day by porting monster-masher away from obsolete libraries like esound and gconfmm (RC, #848052, #856086, #885037). I reviewed and sponsored the package for him again.
• Gürkan Myczko prepared a new upstream version of greed, a classic text-console game. I provided a desktop icon and sponsored the upload.
• Several games failed to build from source because freetype-config is gone and pkg-config must be used from now on. That required RC bug fixes in asc (#887600),  brutalchess (#892337, patch by Reiner Herrmann), cube2font (#892330, patch by Reiner Herrmann with additional updates by Martin Erik Werner) and scorched3d (#892434, patch by Adrian Bunk)
• I packaged new upstream versions of pcsx2, a Playstation 2 emulator, to fix RC bug #907411, also pygame-sdl2, renpy and bzflag.
• I refreshed the packaging of abe, asc-music, amoebax, angrydd, airstrike, burgerspace, berusky2 and berusky-data.
• Dima Kogan approached me about improving the current Bullet packaging and provided patches to build the double-precision library versions too.  Bullet is a state-of-the-art C++ library for 3D collision detection, soft body and rigid body dynamics. I once introduced it to Debian because it was a required build-dependency of freeorion. Nowadays it powers several scientific applications. I still maintain it because I think it is a very useful library, e.g. used among others by openrobotics.
•  I spent most of the time this month on updating Teeworlds. Since I run a Teeworlds server myself I discovered a remote denial-of-service vulnerability first hand. Of course my server was not the only target and the upstream developers  had already released a fix. But I only got aware of it by chance. So I requested CVE-2018-18541, packaged the latest upstream release 0.7.0 and also prepared a security update for Stretch, released as DSA-4329-1.
• Last but not least I sponsored a new game created and prepared by Gerardo Ballabio called galois. It is a tetris-like game with special features like 3D and different brick shapes. It is currently waiting in the NEW queue.

## Misc

• I sponsored android-platform-system-core for Kai-Chung Yan and did a non-maintainer upload for eboard, a chess client to fix RC bug #893167. I forwarded some patches and I hope we will see another upstream release in the near future that addresses some issues.
• I packaged a new upstream release of ublock-origin.

## Debian LTS

This was my thirty-second month as a paid contributor and I have been paid to work 30 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

• From 08.10.2018 until 14.10.2018 and 29.10.2018 until 4.11.2018 I was in charge of our LTS frontdesk. I investigated and triaged CVE in gnulib, otrs2, tcpreplay, net-snmp, ghostscript, paramiko, pyopenssl, qpdf, requests, glassfish, imagemagick, tomcat8, tomcat7, moin, glusterfs, mono, tiff, systemd, network-manager, shellinabox, openssl, curl, squid3, icecast2, sdl-image1.2, libsdl2-image, mkvtoolnix, libapache-mod-jk, mariadb-10.0, mysql-connector-java and jasper.
• There was a problem with our list manager and some announcements could not be preserved.
• DLA-1535-1. Issued a security update for php-horde fixing 1 CVE.
• DLA-1536-1. Issued a security update for php-horde-core fixing 1 CVE.
• DLA-1537-1. Issued a security update for php-horde-kronolith fixing 1 CVE.
• DLA-1540-1. Issued a security update for net-snmp fixing 1 CVE.
• DLA-1543-1. Issued a security update for gnulib fixing 1 CVE.
• DLA-1544-1. Issued a security update for tomcat7 fixing 1 CVE.
• DLA-1545-1. Issued a security update for tomcat8 fixing 1 CVE.
• DLA-1546-1. Issued a security update for moin fixing 1 CVE.
• DLA-1552-1. Issued a security update for ghostscript fixing 3 CVE.
• DLA-1564-1. Issued a security update for mono fixing 1 CVE.
• DLA-1565-1. Issued a security update for glusterfs fixing 5 CVE.

## ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 „Wheezy“. This was my fifth month and I have been paid to work 15  hours on ELTS.

• I was in charge of our ELTS frontdesk from 15.10.2018 until 21.10.2018 and I triaged CVE in chromium-browser, ghostscript, openexr, unzip, virtualbox, elfutils, liblivemedia, exiv2, movabletype-opensource, quemu, quemu-kvm, tiff and tcpreplay.
• ELA-50-1. Issued a security update for linux fixing 34 CVE.
• ELA-51-1. Issued a security update for tomcat7 fixing 1 CVE.
• ELA-54-1. Issued a security update for curl fixing 1 CVE.
• ELA-55-1. Issued a security update for firmware-nonfree fixing 8 CVE.

Thanks for reading and see you next time.

### My Free Software Activities in September 2018

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

## Debian Games

• Yavor Doganov continued his heroics in September and completed the port to GTK 3 of teg, a risk-like game. (#907834) Then he went on to fix gnome-breakout.
• I packaged a new upstream release of freesweep, a minesweeper game, which fixed some minor bugs but unfortunately not #907750.
• I spent most of the time this month on packaging a newer upstream version of unknown-horizons, a strategy game similar to the old Anno games. After also upgrading the fife engine, fifechan and NMUing python-enet, the game is up-to-date again.
• More new upstream versions this month: atomix, springlobby, pygame-sdl2, and renpy.
• I updated widelands to fix an incomplete appdata file (#857644) and to make the desktop icon visible again.
• I enabled gconf support in morris (#908611) again because gconf will be supported in Buster.
• Drascula, a classic adventure game, refused to start because of changes to the ScummVM engine. It is working now. (#908864)
• In other news I backported freeorion to Stretch and sponsored a new version of the runescape wrapper for Carlos Donizete Froes.

## Debian Java

• Only late in September I found the time to work on JavaFX but by then Emmanuel Bourg had already done most of the work and upgraded OpenJFX to version 11. We now have a couple of broken packages (again) because JavaFX is no longer tied to the JRE but is designed more like a library. Since most projects still cling to JavaFX 8 we have to fix several build systems by accommodating those new circumstances.  Surely there will be more to report next month.
• A Ubuntu user reported that importing furniture libraries was no longer possible in sweethome3d (LP: #1773532) when it is run with OpenJDK 10. Although upstream is more interested in supporting Java 6, another user found a fix which I could apply too.
• New upstream versions this month: jboss-modules, libtwelvemonkeys-java, robocode, apktool, activemq (RC #907688), cup and jflex. The cup/jflex update required a careful order of uploads because both packages depend on each other. After I confirmed that all reverse-dependencies worked as expected, both parsers are up-to-date again.
• I submitted two point updates for dom4j and tomcat-native to fix several security issues in Stretch.

## Misc

• Firefox 60 landed in Stretch which broke all xul-* based browser plugins. I thought it made sense to backport at least two popular addons, ublock-origin and https-everywhere, to Stretch.
• I also prepared another security update for discount (DSA-4293-1) and uploaded  libx11 to Stretch to fix three open CVE.

## Debian LTS

This was my thirty-first month as a paid contributor and I have been paid to work 29,25 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

• From 24.09.2018 until 30.09.2018 I was in charge of our LTS frontdesk. I investigated and triaged CVE in dom4j, otrs2, strongswan, python2.7, udisks2, asterisk, php-horde, php-horde-core, php-horde-kronolith, binutils, jasperreports, monitoring-plugins, percona-xtrabackup, poppler, jekyll and golang-go.net-dev.
• DLA-1499-1. Issued a security update for discount fixing 4 CVE.
• DLA-1504-1. Issued a security update for ghostscript fixing 14 CVE.
• DLA-1506-1. Announced a security update for intel-microcode.
• DLA-1507-1. Issued a security update for libapache2-mod-perl2 fixing 1 CVE.
• DLA-1510-1. Issued a security update for glusterfs fixing 11 CVE.
• DLA-1511-1. Issued an update for reportbug.
• DLA-1513-1. Issued a security update for openafs fixing 3 CVE.
• DLA-1517-1. Issued a security update for dom4j fixing 1 CVE.
• DLA-1523-1. Issued a security update for asterisk fixing 1 CVE.
• DLA-1527-1 and DLA-1527-2. Issued a security update for ghostscript fixing 2 CVE and corrected an incomplete fix for CVE-2018-16543 later.
• I reviewed and uploaded strongswan and otrs2 for Abhijith PA.

## ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 „Wheezy“. This was my fourth month and I have been paid to work 15  hours on ELTS.

• I was in charge of our ELTS frontdesk from 10.09.2018 until 16.09.2018 and I triaged CVE in samba, activemq, chromium-browser, curl, dom4j, ghostscript, firefox-esr, elfutils, gitolite, glib2.0, glusterfs, imagemagick, lcms2, lcms, jhead, libpodofo, libtasn1-3, mgetty, opensc, openafs, okular, php5, smarty3, radare, sympa, wireshark, zsh, zziplib and intel-microcode.
• ELA-35-1. Issued a security update for samba fixing 1 CVE.
• ELA-36-1. Issued a security update for curl fixing 1 CVE.
• ELA-37-2. Issued a regression update for openssh.
• ELA-39-1. Issued a security update for intel-microcode addressing 6 CVE.
• ELA-42-1. Issued a security update for libapache2-mod-perl2 fixing 1 CVE.
• ELA-45-1. Issued a security update for dom4j fixing 1 CVE.
• I started to work on a security update for the Linux kernel which will be released shortly.

Thanks for reading and see you next time.

### My Free Software Activities in August 2018

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

## Debian Games

• Really good news this month as Yavor Doganov provided patches for  gamazons (#885735), gnomekiss (#885740) and teg (#885751) which all depended on obsolete GNOME 2 libraries. He succeeded in porting them to GooCanvas and GNOME 3. We are currently aware of some issues in Teg (#907834) and would appreciate more feedback from game testers. In any case this was a non-trivial feat and many thanks go to Yavor who prevented the removal of three games from Debian.
• I applied a patch from Adrian Bunk which made FreeOrion (#906746) more portable and packaged the latest and greatest release 0.4.8 later.
• I fixed a broken start script in FreeCol due to OpenJDK 10 changes. (#907661)
• The Spring RTS engine was affected by a GCC-8 RC bug. (#906409)
• I backported FreeCiv 2.6.0 to Stretch.
• I updated some games to the latest standards in Debian, made some minor changes and applied patches to fix FTCBFS bugs or build failures due to a missing libm library. Those issues were solved in tenmado, supertransball2 (#902537), seahorse-adventures, empire (#900197), phlipple (#907207) and ace-of-penguins (#900200).
• I sponsored mupen64plus-qt for Dan Hastings.

## Debian LTS

This was my thirtieth month as a paid contributor and I have been paid to work 23,75 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

• From 13.08.2018 until 19.08.2018 and from 27.08.2018 until 02.09.2018 I was in charge of our LTS frontdesk. I investigated and triaged CVE in intel-microcode, bind9, confuse, libykneomgr, mp4v2, gdm3, wesnoth-1.10, ruby-zip, otrs2, mathjax, mono, tcpflow, bluez, openssh, mariadb-10.0, tomcat-native, wordpress, thunderbird, spice, spice-gtk, libextractor, postgresql-9.1, libcgroup, zutils, soundtouch, squirrelmail, git-annex, ghostscript, libpgjava, elfutils, libpodofo, libtirpc, libxkbcommon, libtasn1-6, cinder, 389-ds-base, wireshark, php5, libzypp, imagemagick, kfreebsd-10, tiff, discount and polarssl.
• DLA-1467-1.  Issued a security update for ruby-zip fixing 1 CVE.
• I worked on gdm3 to fix CVE-2018-14424.  I backported the patch to Jessie but could still trigger a session restart with the POC. Since there is no crash and the session is completely restored, we believe now that this is the intended behavior.  I also tried to contact Chris Coulson, the original bug reporter, for further advice but have not received a reply yet. If we don’t discover another issue we will release a DLA for gdm3 in September.
• DLA-1472-1. Issued a security update for libcgroup fixing 1 CVE.
• DLA-1473-1. Issued a security update for otrs2 fixing 1 CVE.
• DLA-1482-1. Issued a security update for libx11 fixing 3 CVE.
• DLA-1475-1. Issued a security update for tomcat-native fixing 2 CVE.
• I am still working on a security update for ghostscript. I have already backported the majority of patches to Jessie to fix a serious sandboxing issue with the -dSAFER mode.  More patches are required to fix the problem and only yesterday more CVE were assigned to them.

## ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 „Wheezy“. This was my third month and I have been paid to work 12  hours on ELTS.

• I was in charge of our ELTS frontdesk from 13.08.2018 until 19.08.2018 and I triaged CVE in intel-microcode, azureus, gdm3, couchdb, lxc, squirrelmail, wordpress, wpa, xen, tomcat7, firmware-nonfree, postgresql-9.1, apache2, bluez, dojo, libcommons-compress-java, spice, spice-gtk, tomcat-native, libcgroup, libx11 and samba.
• ELA-21-1. Issued a security update for openssl fixing 1 CVE.
• ELA-27-1. Issued a security update for tomcat7 fixing 1 CVE.
• ELA-28-1. Issued a security update for tomcat-native fixing 2 CVE.
• ELA-20-2. Issued a regression update for busybox.
• ELA-29-1. Issued a security update for postgresql-9.1 fixing 1 CVE.
• ELA-30-1. Issued a security update for libx11 fixing 3 CVE.

Thanks for reading and see you next time.

### wiki.debian.org: The Java Packaging Guide

Good things come to those who wait. I always wanted to improve our Java Packaging documentation a little. When I started to contribute to Debian Java in 2012,  I often struggled to find the right information and examples that would explain how I could package my own libraries or applications for Debian. After six years of trial and error and helpful advice on the debian-java mailing list, I figured it would be time to document this journey.
At DebConf 2018 in Hsinchu I began to work on updating the wiki documentation. The current status of this work will always be visible at:

https://wiki.debian.org/Java/Packaging

My basic idea was to explain packaging by examples. I didn’t assume that everyone was already familiar with the Java basics and more often than not people end up packaging Java software because it is part of their job or an application supports more than one programming language. Otherwise it is a book of seven seals.

The first thing to know  is that Java compiles to bytecode, so that *.java source files become *.class files. Those files are usually packed together in a zip-based archive, et voila now we have *.jar files. To compile your source code into bytecode you need the Java Virtual Machine  provided by OpenJDK. Learn what the CLASSPATH and a MANIFEST file is and you are good to go. This is what the Java Packaging 101 is all about.

If you grok the basics you will easily understand the next section: NoBuildSystem
Despite the fact that some upstream projects come without a proper build system, they are often very simple to compile. Instead of one or two source files, you just have to compile dozens in one single directory. We have a Java helper tool called….Javahelper that does exactly that for you.  A good start is to read the docs at /usr/share/doc/javahelper/tutorial.txt.gz also replicated here.

Of course the Java world has invented the most powerful build systems in existence that are even able to bend light and can throw galaxies around.  Let’s welcome Ant, Maven and Gradle. Everything else is irrelevant but don’t trust me.
If you can choose we recommend to either use Ant or Maven. Gradle is packaged for Debian but is more difficult to tame because every upstream project looks different. On the contrary Maven follows conventions and every project looks very similar.
Last but not least there is also a Java Packaging FAQ.