My Free Software Activities in December 2016

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in Android, Java, Games and LTS topics, this might be interesting for you.

Debian Android

Debian Games

  • We have entered the final straight for Stretch, so I kept a close eye on new game releases and bug reports in packages which I think should be part of the next stable release. Bzflag is certainly one of them, a tank battling game that can be played in the first-person perspective and which has arrived in version 2.4.8. I also packaged new releases of trigger-rally, a racing game, Renpy, pygame-sdl2 and Minetest.
  • Bálint Réczey introduced libopenhmd to Debian a while ago and asked me in #845657 to enable OpenHMD support for neverball. Neverball is now the first game in the archive, at least as far as I know, that is ready for virtual reality. I have never tried it though because I don't own the necessary gear from Oculus myself, but it sounds like a cool feature.
  • A user of caveexpress reported a bug (#847147) in one level that prevented him from finishing it. I forwarded this one to upstream and he was able to quickly fix the issue and I could release 2.4+git20160609-3 later.
  • I triaged several RC bugs which were reported against our D language games and it turned out that the bug was in gdc (#845377).
  • I also made some small improvements to monopd's packaging and applied a patch from Laurent Bigonville to Freeciv that corrected a problem with AppData files (#848720).
  • I worked around another RC FTBFS bug in spring (#846921) which is apparently a regression in binutils (#847356) but its maintainer does not consider this to be release critical.
  • I tried to fix #848063 in ri-li but it seems to surface again under special circumstances. Since compilation works on all buildds for all release architectures and on my systems I downgraded the severity to important.
  • I uploaded Bullet 2.85.1 to experimental. It is currently waiting in the NEW queue due to the SONAME bump and because I decided to simplify the packaging. I don't think it is worth it any longer to provide several standalone binary packages. All Bullet 2 and 3 core libraries can be found in libbullet2.85 now while all the extra stuff is part of libbullet-extras2.85.
  • Last but not least I released debian-games 1.7 and updated the list of games. Castle Combat was removed this month from Debian.

Debian Java

Debian LTS

This was my tenth month as a paid contributor and I have been paid to work 13.5 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 12 December until 18 December I was in charge of our LTS frontdesk. I triaged bugs in jasper, openjdk-6, bluez, game-music-emu, simplesamlphp, imagemagick, nagios3, most, rabbitmq-server, html5lib and dcmtk.
  • DLA-742-1. Issued a security update for chrony fixing 1 CVE. This update was prepared by Vincent Blut.
  • DLA-745-1. Issued a security update for most fixing 1 CVE.
  • DLA-746-1. Issued a security update for tomcat6 fixing 1 CVE and two regressions from previous updates which were reported to Debian's bug tracker.
  • DLA-747-1. Issued a security update for libupnp fixing 1 CVE.
  • DLA-748-1. Issued a security update for libupnp4 fixing 1 CVE.
  • DLA-746-2. Issued a regression update for tomcat6.
  • DLA-753-1. Issued a security update for tomcat7 fixing 1 CVE and three regressions that were similar in nature to the ones fixed in Tomcat 6.
  • DLA-761-1. Issued a security update for python-bottle fixing 1 CVE.
  • DLA-763-1. Issued a security update for squid3 fixing 1 CVE.
  • DLA-766-1. Issued a security update for libcrypto++ fixing 1 CVE.
  • I also worked on two CVEs for Asterisk, an Open Source PBX and telephony toolkit. The work is done and can currently be found at this location. I asked on the debian-lts mailing list for feedback and testing and already got some positive feedback. I will wait a few more days before I release the security update.

Non-maintainer uploads

  • I did two NMUs this month. I sponsored an upload of libtorrent for Peter Pentchev fixing #828414 and I fixed a trivial bug in gnash myself (#845847).

My Free Software Activities in November 2016

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in Java, Games and LTS topics, this might be interesting for you.

Debian Android

  • Chris Lamb was so kind as to send in a patch for apktool to make the build reproducible (#845475). Although this was not enough to fix the issue, it set me on the right path to eventually resolve bug number 845475.

Debian Games

  • I packaged a couple of new upstream releases for extremetuxracer, fifechan, fife, unknown-horizons, freeciv, atanks and armagetronad. Most notably fifechan was accepted by the FTP team which allowed me to package new versions of fife and unknown-horizons which are both back in testing again. I expect that upstream will make their final release sometime in December. Atanks was orphaned a while ago and since upstream is still active and I kinda like the game I decided to adopt it. I also uploaded a backport of Freeciv 2.5.6 to jessie-backports.
  • In November we received a bunch of RC bug reports again because, hey, it is almost time for the Freeze, let's break some packages. Thus I spent some time fixing freeorion (#843132), pokerth (#843078), simutrans (#828545), freeciv (#844198) and warzone2100 (#844870).
  • I also updated the debian-games blend, we are at version 1.6 now, and made some smaller adjustments. The most important change was adding a new binary package, games-all, that installs... well, all! I know this will make at least one person on this planet happy. Actually I was kind of forced into adding it because blends-dev automatically creates it as a requirement for choosing blends with the Debian Installer. But don't be afraid, games-all only recommends games-finest; the rest is suggested.
  • Last but not least I worked on performous and could close a wishlist bug report (#425898). The submitter asked to suggest some free song packages for this karaoke game.

Debian Java

  • I sponsored uncommons-watchmaker for Kai-Chung and also reviewed libnative-platform-java and granted upload rights to him.
  • I packaged new upstream releases of lombok-patcher, electric, undertow, sweethome3d and sweethome3d-furniture-editor.
  • I spent quite some time on reviewing (especially the copyright review took most of the time) and improving the packaging for tycho (#816604) which is a precondition for packaging the latest upstream release of Eclipse, a popular Java IDE. Luca Vercelli has been working on it for the last couple of months and he did most of the initial packaging. Unfortunately I was only able to upload the package last week which means that the chances for updating Eclipse for Stretch are slim.
  • Due to time constraints I could not finish the Netbeans update in time which I had started back in October. This is on my priority list for December now.
  • Several security issues were reported against Tomcat{6,7,8}. I helped with reviewing some of the patches that Emmanuel prepared for Jessie and worked on fixing the same bugs in Wheezy.

Debian LTS

This was my ninth month as a paid contributor and I have been paid to work 11 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 14 November until 21 November I was in charge of our LTS frontdesk. I triaged bugs in teeworlds, libdbd-mysql-perl, bash, libxml2, tiff, firefox-esr, drupal7, moin, libgc, w3m and sniffit.
  • DLA-715-1. Issued a security update for drupal7 fixing 2 CVEs.
  • DLA-717-1. Issued a security update for moin fixing 2 CVEs.
  • DLA-728-1. Issued a security update for tomcat6 fixing 8 CVEs. (Debian bug #845385 was assigned a CVE later).
  • DLA-729-1. Issued a security update for tomcat7 fixing 8 CVEs. (Debian bug #845385 was assigned a CVE later).
  • Especially the patches and the subsequent testing for CVE-2016-0762 and CVE-2016-6816 required most of the time.

Non-maintainer uploads

  • I uploaded an NMU for angband to fix #837394. The patch was kindly prepared by Adrian Bunk.

It is already this time of the year again. See you next year for another report. 🙂

My Free Software Activities in October 2016

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in Android, Java, Games and LTS topics, this might be interesting for you.

Debian Android

Debian Games

  • I fixed RC bugs in lordsawar (#839323) and doomsday (#839338).
  • I packaged new upstream releases of atanks, lordsawar, blockattack and peg-e.
  • I completed the Bullet transition (#839243). Bullet 2.85 has also been released this month but it is now too late for Stretch because the transition freeze is already on the 5th of November. I expect more point releases à la 2.85.x during the coming weeks and I intend to provide an updated package in experimental soon.
  • I did some cleanups, package upgrades and bug fixes for box2d and redeclipse (apparently redeclipse-server requires the -data package to be present now).
  • I uploaded Redeclipse 1.5.6 to jessie-backports in the hope that more players will be able to connect to the multiplayer servers. Unfortunately network compatibility breaks rather frequently.
  • I applied a patch from Gianfranco Costamagna to address a Multiarch installation issue (#841824) in FreeOrion.

Debian Java

Debian LTS

This was my eighth month as a paid contributor and I have been paid to work 13 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 10 October until 17 October I was in charge of our LTS frontdesk. I triaged bugs in libgd2, graphicsmagick, libxrender, mupdf, libxfixes, guile-2.0, glance, inspircd, libxi, libxv, libxst, spip, libxml2, libarchive and jasper.
  • DLA-648-1. Issued a security update for c-ares fixing 1 CVE.
  • DLA-664-1. Issued a security update for libxrender fixing 2 CVEs.
  • DLA-666-1. Issued a security update for guile-2.0 fixing 2 CVEs.
  • DLA-667-1. Issued a security update for libxv fixing 1 CVE.
  • DLA-668-1. Issued a security update for libass fixing 2 CVEs. I triaged CVE-2016-7970 and marked the version in Wheezy as not affected.
  • DLA-673-1. Issued a security update for kdepimlibs fixing 1 CVE.

Non-maintainer uploads

  • I fixed various RC bugs in gnudoq and xsok which are not maintained by the Games Team. The following games are available in Stretch again: gnudoq (#817296, #817484), xsok (#817738) and I also worked on four more bug fixes to improve the game's desktop integration and internationalization support.
  • I fixed another RC bug in trackballs (#831119) but while I was working on the update I discovered that the game frequently segfaults which makes it kind of unplayable (#839788). I haven't found a solution yet but I suspect the switch to guile-2.0 and related patches introduced this behavior.

QA

  • I uploaded a new revision of criticalmass and applied a patch from Adrian Bunk to fix #811816, a FTBFS.
  • I triaged an RC bug for raptor2 (#824735) and the issue could be closed after the bug reporter confirmed that raptor2 built fine again.

My Free Software Activities in September 2016

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in Android, Java, Games and LTS topics, this might be interesting for you.

Debian Android

Debian Games

  • I packaged a new upstream release of hyperrogue, a rogue-like game set in a non-Euclidean world, fixing one RC bug (#811991). I uploaded two more revisions later that addressed build failures on arm64 and hppa.
  • I fixed more RC bugs (build failures with GCC-6) in torus-trooper (#835712) and fife (#811858).
  • I packaged new upstream releases of pygame-sdl2, renpy, freeorion, netrek-client-cow, redeclipse, redeclipse-data, hitori, atomix, adonthell and adonthell-data.
  • I updated gtkballs and fixed a documentation bug (#820588) but also a /usr/share/locale issue that prevented the actual use of the translations.
  • I raised the severity of #797998 to grave in unknown-horizons because the game cannot be started currently. In order to fix this issue I packaged a new build-dependency, fifechan, which is currently awaiting approval by the FTP team. As soon as fifechan is accepted I will upload new upstream releases of fife and unknown-horizons.
  • I released debian-games 1.5, a Debian blend and collection of games metapackages.
  • Hardening-wrapper has been deprecated for some time and this issue became release critical now. I updated cookietool, alex4 and netrek-client-cow to use dpkg-buildflags instead.
  • Together with Russell Coker I packaged a new upstream release of warzone2100. This package would benefit from a new regular uploader. If you are interested in it, please get involved. (Same story for hyperrogue, redeclipse, renpy and unknown-horizons and many other games.)
  • I started a new Bullet transition (#839243). The package is currently waiting in the NEW queue and I hope to complete this work in October.
  • I triaged #838199 and reassigned the issue to fonts-roboto. Initially I prepared an NMU but eventually the maintainer uploaded a new revision himself. It is now possible to install the hinted and unhinted versions of fonts-roboto together which also resolved former installation problems with kodi and freeorion.

Debian Java

  • I packaged new upstream releases of undertow, activemq and jackrabbit.
  • I fixed RC bugs in libphonenumber (#836768), wagon2 (#837022) and activemq (#839244).
  • I updated syncany in experimental and simplified the packaging a little. Unfortunately upstream has been on hiatus for the past year and we haven't seen new releases in the meantime. Nevertheless give it a try, even though it is still alpha software, it's a useful cloud-storage and synchronization tool.
  • I sponsored a new upstream release of freeplane for Felix Natter.
  • I prepared and uploaded security updates for jackrabbit and zookeeper in Jessie.

Debian LTS

This was my eighth month as a paid contributor and I have been paid to work 12.25 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 12 September until 19 September I was in charge of our LTS frontdesk. I triaged bugs in tiff3, mysql-5.5, curl, dropbear, mantis, icu, dwarfutils, jackrabbit, zendframework, zookeeper and graphicsmagick. For the latter I skimmed through all commits since the last version to identify the patches that fix the recent issues in graphicsmagick. I also answered questions on the mailing list and contacted Diego Biurrun again about his progress with libav. It is now anticipated that Hugo Lefeuvre and Diego will issue a new libav security release this month.
  • I reviewed and tested a patch by Raphaël Hertzog for roundcube.
  • DLA-629-1. Issued a security update for jackrabbit fixing 1 CVE.
  • DLA-630-1. Issued a security update for zookeeper fixing 1 CVE.
  • DLA-633-1. Issued a security update for wordpress fixing 7 CVEs. This one also required backports of certain functions from newer releases and a database upgrade that required careful testing.
  • I also issued DLA-622-1 and DLA-623-1, two security issues that I already mentioned last month. It was discovered that Debian's versions of Tomcat were vulnerable to a root privilege escalation issue. However it was also necessary that another exploit, for instance in a web application, could be used to gain write access as the tomcat user. Former security issues were already fixed and new ones are not known. Nevertheless since a zero-day exploit could not be ruled out, the issue was embargoed for a month to give other distributions time to fix this issue as well. You can read more about this topic at legalhackers.com.

Non-maintainer uploads

Misc

  • I packaged a new upstream release of MediathekView.
  • I uploaded a new revision of xarchiver and applied a patch from Helmut Grohne that made it possible to cross-build the package.

My Free Software Activities in August 2016

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in Android, Java, Games and LTS topics, this might be interesting for you.

Debian Android

Debian Games

  • I started the month with package updates for foobillardplus, tuxpuck, etw, cube2, cube2-data and neverball.
  • I released a new revision of triplane to fix a reproducible build issue.
  • I packaged a new upstream release of springlobby.
  • I fixed GCC-6 FTBFS bugs in stormbaancoureur and love and updated both packages to use modern Debian helpers (stormbaancoureur needed it badly).
  • I invested some time to package Liquidwar 6 (#680023) and attached my preliminary work to the bug report. Liquidwar 6 has been in the works for a long time now and is a complete rewrite of the original Liquidwar game. The graphics are much more polished and dozens of new levels are available. I didn't complete my work on Liquidwar 6 because, at least on my system, the game constantly consumes 100% CPU time. Network mode isn't finished yet and it still depends on SDL 1. Nowadays I'm only interested in SDL 2 (or similar) games though because I think the library is more future-proof and SDL 1 will probably become a burden for future maintainers.
  • In the second half of the month I fixed a couple of RC bugs again caused by the Boost 1.61 transition and, yes, still more GCC-6 bugs: libclaw (GCC-6 and Boost 1.61 issues, new upstream release), freeorion (Boost 1.61 FTBFS, #833773. This one was arguably a regression in Boost 1.61 and I filed #833794 because of it), pokerth (GCC-6 RC bugs. I also took the opportunity to implement systemd support for pokerth-server and I modified the package to run the server as the _pokerth system user out-of-the-box.), 0ad (missing build-dependency on python).
  • Even music packages can pile up bug reports, so I went ahead and updated fretsonfire-songs-muldjord and fretsonfire-songs-sectoid.
  • In the last days of August 2016 I packaged a new upstream release of redeclipse and redeclipse-data, a first-person shooter. The older version was network-incompatible and long unsupported.

Debian Java

Debian LTS

This was my seventh month as a paid contributor and I have been paid to work 14.75 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 01 August to 07 August I was in charge of our LTS frontdesk. I triaged CVEs in wordpress, mysql-5.5, libsys-syslog-perl, libspring-java, curl and squid and answered questions on the debian-lts mailing list.
  • DLA-586-1. Issued a security update for curl fixing 2 CVEs.
  • DLA-585-1. Announced the security update for firefox-esr which was prepared by Mike Hommey.
  • I was involved in an embargoed security issue that currently affects two source packages in Wheezy. The update will be released on 15 September 2016 and will be coordinated with Debian's Security Team and other distributions. I will add more information next month.
  • DLA-610-1. I spent most of the time this month on triaging and fixing security issues in tiff3, a library providing support for the Tagged Image File Format (TIFF). 99 source packages currently build-depend on this library in Wheezy. In total I triaged 35 CVEs and fixed 23 of them. I could confirm that CVE-2015-1547, CVE-2016-5322, CVE-2016-5314, CVE-2016-5315, CVE-2016-5316, CVE-2016-5317 and CVE-2016-5320 were duplicates of other CVEs fixed in this update. The update hardened the library and fixed possible denial-of-service (application crash) and arbitrary code execution issues. I tested whenever possible against the provided reproducers (malicious tiff images). The tiff3 package now includes all currently available patches. Most of the current open vulnerabilities do not directly affect end-users since no binary package has been provided for the tiff tools in Wheezy. However they can still pose a threat to people who build these tools from source manually, though the majority of users should not be affected. It is also unlikely that the remaining issues will be fixed by tiff's upstream developers since they decided to remove the affected applications from newer releases, but again most of them can't be exploited since the tools are not built by default in this version.

Non-maintainer uploads

  • I did an NMU for pacman fixing one GCC-6 RC bug.

QA

  • I packaged a new upstream release of pygccxml and worked around an RC bug that threatened to remove spring. For similar reasons I filed #835121 against castxml that got quickly fixed by Gert Wollny.

My Free Software Activities in July 2016

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian.

Debian Android

Debian Games

  • This month GCC-6 bugs became release critical. I fixed and triaged those kinds of bugs in games like supertransball2, berusky2, freeorion, bloboats, armagetronad and megaglest.
  • I packaged new upstream releases of scorched3d, bzflag, spring, springlobby, freeorion, freeciv and extremetuxracer.
  • Freeciv, one of the best strategy games ever by the way, also got a new binary package freeciv-client-gtk3. This package will eventually become the new default client to play the game in the future. You are welcome to test it.
  • I packaged a new upstream release of adonthell and adonthell-data. This game is built with Python 3 and SDL 2 now and also uses the latest version of swig to generate its sources. We will probably see only one other future upstream release of adonthell because the main developer has decided to move on after more than 15 years of development.
  • I fixed another RC bug in minetest, updated whichwayisup for this release cycle and moved the package to Git.

Debian Java

Debian LTS

This was my sixth month as a paid contributor and I have been paid to work 14.7 hours on Debian LTS. In that time I did the following:

  • DLA-554-1. I spent most of the time this month on completing my work on libarchive. I issued DLA-554-1 and fixed 18 CVEs plus another issue which was later assigned CVE-2016-6250.
  • DLA-555-1. Issued a security update for python-django fixing 1 CVE.
  • DLA-561-1. Issued a security update for uclibc fixing 3 CVEs.
  • DLA-562-1. Issued a security update for gosa fixing 1 CVE. I could triage another open CVE as not-affected after confirming that the issue had already been fixed two years ago.
  • DLA-568-1. Issued a security update for wordpress fixing 6 CVEs. I decided to go ahead with this update because I could not find any regressions. Unfortunately this wasn't true for my intended fix for CVE-2015-8834. The database upgrade did not succeed, hence I decided to postpone the fix for CVE-2015-8834 until we can narrow down the issue.
  • DLA-576-1. Issued a security update for libdbd-mysql-perl fixing 2 CVEs.
  • From 04 July to 10 July I was in charge of our LTS frontdesk. I triaged CVEs in librsvg, bind9, trn, pdns and drupal7 and answered questions on the debian-lts mailing list.

Misc and QA

  • I fixed another GCC-6 bug in wbar, a light and fast launch bar.
  • Childsplay and gvrng were orphaned last month. I updated both of them, fixed the RC-bug in childsplay (non-free font) and moved the packages to the Debian QA Group.

My Free Software Activities in June 2016

My monthly report covers what I have been doing for Debian. I write it for Debian's Long Term Support sponsors but also for the wider free software community in the hope that it might inspire people to get more involved with Debian or free software in general.

Debian Android

Debian Games

  • I packaged CaveExpress and CavePacker for Debian. CaveExpress is a remake of the old Amiga classic Ugh! In this game you control a pedal-powered flying machine and pick up packages from your clients. An interesting aspect of CaveExpress is its physics-based gameplay. The packages must be delivered to a collection point and their movement is quite realistic thanks to the excellent Box2d physics engine. The other game, CavePacker, which is based on the same engine as CaveExpress, is a Sokoban-like game. Both games feature dozens of levels and if you have nothing better to do, you should definitely check them out.
  • This month I also packaged a new upstream release of Netpanzer. Apparently there is new upstream activity.
  • Blockattack 2.0 was released and is now available in Debian.
  • I also updated the following packages: kball, pathogen, ceferino, slimevolley, pangzero and airstrike.
  • I adopted abe, berusky and berusky-data, updated the packages to use modern Debian helpers and also packaged version 1.7 of berusky, a great Sokoban-like game by the way.
  • June also saw a new release of debian-games, several metapackages that make it much easier to install a subset of games or even the finest.
  • I sponsored RC-bug fixes for parsec47, tumiki-fighters, mu-cade and tatan, all prepared by Peter De Wachter who keeps our D (yes, that's a language) games alive. But we will face more issues in the post-Stretch future. Apparently the D language people intend to remove parts of their API and of course all our D-based games are affected. Peter has announced more information about that. I think all these games are pretty unique and real gems. If you know a little D and want to help out, please get involved.

Debian Java

Debian LTS

This was my fifth month as a paid contributor and I have been paid to work 19.75 hours on Debian LTS. In that time I did the following:

  • DLA-501-1. Salvatore Bonaccorso from Debian's Security Team discovered that the original fix for CVE-2015-7552 (DLA-450-1) was incomplete. I prepared and uploaded a new revision of gdk-pixbuf and issued the DLA.
  • DLA-502-1. Issued a security update for graphicsmagick fixing 1 CVE.
  • DLA-504-1. Issued a security update for libxstream-java fixing 1 CVE which was prepared by Emmanuel Bourg.
  • DLA-505-1. Issued a security update for libpdfbox-java fixing 1 CVE.
  • DLA-508-1. Issued a security update for expat fixing 2 CVEs.
  • DLA-511-1. Issued a security update for libtorrent-rasterbar fixing 1 CVE.
  • DLA-526-1. Issued a security update for mysql-connector-java fixing 1 CVE. I also prepared the update for Jessie which is still pending to be reviewed by the Security Team.
  • DLA-528-1. Issued a security update for libcommons-fileupload-java fixing 1 CVE.
  • DLA-529-1. Issued a security update for tomcat7 fixing 1 CVE.
  • DLA-530-1. As previously announced I switched the default Java implementation from OpenJDK 6 to OpenJDK 7.
  • DLA-537-1. Issued a security update for roundcube fixing 1 CVE. I triaged CVE-2016-5103, CVE-2015-2180 and CVE-2015-2181 and marked them as "not-vulnerable".
  • I triaged 22 CVEs for libarchive and marked two of them as "not-vulnerable". You can find my preliminary work for libarchive on the wheezy branch in Debian's git repository. I expect a security update very soon.
  • From 13 June to 19 June I was responsible for Wheezy's LTS frontdesk. It was a rather calm week on the debian-lts mailing list and in our IRC channel. I triaged CVE-2016-4970 (netty), CVE-2016-3189 (bzip2), CVE-2016-1621 (libvpx) and CVE-2016-4493, CVE-2016-4492, CVE-2016-4491, CVE-2016-4490, CVE-2016-4489, CVE-2016-4488, CVE-2016-4487, CVE-2016-2226 which were all minor issues in developer tools or in the gcc toolchain.
  • I commented on Ola's question about open security issues in phpmyadmin.

QA uploads

  • I fixed pygccxml that threatened to remove spring.
  • I completely overhauled gl-117, fixed four bugs and closed two obsolete ones. gl-117 always reminds me a little of the Falcon series from the early '90s.

My Free Software Activities in May 2016

My monthly report covers what I have been doing for Debian. I write it for Debian's Long Term Support sponsors but also for the wider free software community in the hope that it might inspire people to get more involved with Debian or free software in general.

Debian LTS

This was my fourth month as a paid contributor and I have been paid to work 30 hours on Debian LTS. During this month I worked on the following things:

  • DLA-460-1. Issued a security update for file fixing 1 CVE.
  • DLA-461-1. Issued a security update for nagios3 fixing 1 CVE.
  • From 2 May until 8 May I managed the LTS frontdesk and triaged CVEs in ikiwiki, jansson, libuser, librsvg, roundcube, ocaml, wpa and sogo. I reviewed a security update of icu for Roberto C. Sánchez. I also reviewed the security update of ikiwiki prepared by Simon McVittie and took care of the announcement which resulted in DLA-463-1.
  • DLA-468-1. I fixed two serious issues in the libuser library that allowed a normal user to gain root privileges and to corrupt /etc/passwd.
  • DLA-449-2. I issued a regression update for botan1.10's reverse dependencies, monotone and softhsm. Both packages had to be rebuilt in Wheezy. I also prepared the no-change rebuilds for all reverse-dependencies in Jessie. (DSA-3565-2)
  • DLA-471-1. Issued a security update for jansson fixing 1 CVE.
  • DLA-473-1. Issued a security update for wpa fixing 2 CVEs.
  • DLA-475-1. Issued a security update for python-tornado fixing 1 CVE.
  • DLA-483-1. Issued a security update for expat fixing 1 CVE.
  • DLA-484-1. Issued a security update for graphicsmagick fixing 8 CVEs. Graphicsmagick is a fork of Imagemagick and also affected by vulnerabilities commonly known as ImageTragick. It is likely that we will see more CVEs in the near future.
  • DLA-488-1. Issued a security update for xymon fixing 4 CVEs. I marked CVE-2016-2057 as not-affected in Wheezy.
  • DLA-490-1. Issued a security update for bozohttpd fixing 2 CVEs.
  • Misc: I sent a short news update to bits.debian.org and debian-lts-announce which was released on 2 June and announced the now official support of armel and armhf for Wheezy LTS.
  • I sent a DLA announcement for Icedove. The security update was prepared by Christoph Goehre. (DLA-472-1)

Debian Android

  • I packaged a new version of apktool. This tool has several issues at the moment. The most important one is the missing basic framework resource files which are needed for decoding apk files. They are not part of the source tarball release so we need to find other ways to make them available in Debian. Chirayu Desai, one of the GSoC students 2016, already came up with a good proposal.
  • We had our first GSoC meetings.

Debian Java

  • I fixed an RC bug in gradle-jflex-plugin due to an incompatibility with Gradle >= 2.12.
  • I clarified licenses and updated debian/copyright for Netbeans. I also removed some files from the original tarball with possibly controversial licenses.
  • I packaged new upstream releases of hsqldb and objenesis and updated fontchooser.
  • I sponsored libmnemonicsetter-java for Felix Natter.
  • I prepared a security update for Tomcat 8 which still awaits approval by the Security Team.
  • I spent too much time trying to upgrade libnetlib-java. In the end I came to the conclusion that it is not worth the effort.

Debian Games

  • I fixed a long standing RC bug in warzone2100 and another bug in fretsonfire.
  • I packaged new upstream releases of springlobby, freeorion and freeciv. This fixed the lags in FreeOrion which were seemingly introduced by an X server update. I also uploaded the latest versions of FreeCiv and Minetest to jessie-backports.

Misc

  • Xarchiver crashed when someone attempted to cancel the extraction procedure with the Thunar plugin (#822115). I fixed the issue in Sid, Stretch and Jessie.

My Free Software Activities in April 2016

My monthly report covers what I have been doing for Debian. I write it for Debian's Long Term Support sponsors but also for the wider free software community in the hope that it might inspire people to get more involved with Debian or free software in general.

Debian LTS

This was my third month as a paid contributor and I have been paid to work 16 hours on Debian LTS. During this month I worked on the following things:

  • DSA-3552-1: I finished my work on Tomcat 7 which I started back in March. Debian's Security Team eventually reviewed the package and issued DSA-3552-1. This update fixed 9 CVEs in Wheezy and 7 CVEs in Jessie.
  • DSA-3541-1: My security update for roundcube (Wheezy) fixing 1 CVE was issued by the Security Team.
  • DLA-449-1. I worked on botan1.10, a C++ library which provides support for many common cryptographic operations and fixed 7 CVEs in Wheezy. I also sent an updated package for Jessie to the Security Team and they issued DSA-3565-1 for it. For Jessie 6 CVEs could be closed. I am currently investigating a possible regression (#823297) that might require a rebuild of monotone.
  • DLA-450-1. I prepared an update for gdk-pixbuf fixing 1 CVE. While I was working on this issue I discovered that Debian's fix for CVE-2015-7674 was incomplete and thus I added another patch to prevent possible heap-based overflows in pixops/pixops.c. Thanks to SUSE's Security Team for their initial work on this issue.
  • DLA-451-1. I backported and tested a security update for OpenJDK-7 fixing 7 CVEs. Thanks to Matthias Klose and Tiago Stürmer Daitx for their initial work.
  • DLA-452-1. I fixed a bug in smarty3 (Wheezy), a template engine for PHP, that allowed remote attackers to bypass the secure mode restrictions and to execute arbitrary PHP code.
  • I triaged CVE-2015-7496 in GDM3 and marked this issue as <not affected> in Wheezy because the vulnerable code was neither present nor was the issue reproducible.
  • I triaged two more CVEs in Swift, CVE-2016-0738 and CVE-2016-0737 and marked both CVEs as fixed in Wheezy because the vulnerable code was not present. I also had a closer look at Xymon. This package appears to be partly affected by the open security issues and needs further investigation.
  • The security support for Wheezy was handed over to the LTS team on 26 April 2016. I drafted an official announcement which was published on debian.org and debian-lts-announce. Beforehand I started a call for review on debian-lts. Thanks for all the feedback and especially for the reviews from the English language team.
  • Making OpenJDK 7 the default-java implementation in Wheezy-LTS. I uploaded a new revision of java-common with the sole intention to increase the user awareness for our intended switch to OpenJDK 7 as the default Java implementation. Moreover I updated 14 Java packages in Wheezy that strictly depended on openjdk-6-jre or openjdk-6-jdk. The requirements were relaxed so that users will be able to install OpenJDK 7 now without the need for installing the unsupported OpenJDK 6 too. Three Java packages are still pending due to a bug in Debian's archive software that will hopefully be resolved soon. I think we could have uploaded those packages sooner but the Release Team did not deem these issues to be important enough. (#819247)

Debian Android

  • apktool and libsmali-java. I packaged the latest upstream release of Apktool, 2.1.0. Smali is now a dependency of Apktool and no longer included in the official tarballs. That's the reason why I decided to package libsmali-java.
  • I will be a Mentor for Google Summer of Code again together with Hans-Christoph Steiner. I presume this year will be quite exciting and we will try to package more Android software for Debian.

Misc

  • gimp-dimage-color. I asked the ftp team to remove gimp-dimage-color because it has not been updated in the past seven years and it is also not part of Debian stable.
  • I reviewed and sponsored python-adventure for Ben Finney.
  • I also reviewed freecell-solver for Shlomi Fish on debian-mentors but the package was eventually uploaded by the actual package maintainer.

Syncany: a Dropbox alternative for backing up data in the cloud

I have just written about classic backups to external media, and of course there is also the option of keeping everything important, such as photos, certificates, medical records and insurance policies, neatly scanned and viewable by everyone, in the ominous cloud. Why not simply use both? But does all of this really make sense, and what alternatives are there?
At the beginning of the decade I used Dropbox for a while because it was an easy way for me to share files with other people. At the same time I had found free storage and another backup option. At some point I had my own vServer, so I no longer needed the service. A few days ago I received the notice that my Dropbox account would be closed in 90 days, so I simply did that myself right away, also as motivation for this article.
There are now numerous free-software alternatives to Dropbox, with OwnCloud, Seafile and SparkleShare certainly three of the best known. In this article I want to briefly introduce Syncany, which I packaged for Debian last year. The software is written in Java and, compared with Dropbox, this program stands out above all for two features:

  • Local encryption of the data before upload
  • Almost any choice of external storage thanks to a plugin system

The first point is personally the most important reason why I prefer applications like Syncany to Dropbox. It is free software, transparent, and you have full control before you upload your data anywhere. Dropbox does store files encrypted on its servers, but the company also holds the key to display the information in plaintext again, meaning sensitive data could be viewed without further ado. Syncany, on the other hand, encrypts the files on your own machine before the upload.
The program can be operated both with a GUI plugin and from the command line, and it also ships extensive online documentation, several man pages and examples. But before I present my personal setup, here is an explicit warning: Syncany is still alpha software. That means you should have critical data backed up in another way before you entrust it to Syncany.

Syncany and the SFTP plugin

Syncany can currently be installed from Debian experimental, where it will probably stay for a while, because development has slowed down noticeably since the end of last year and the main developer has asked not to have to support this version in a stable Debian/Ubuntu distribution. It can nevertheless be installed very easily with
apt install syncany -t experimental
With sy plugin list you get an overview of all available plugins. Once Syncany has been declared stable, I plan to package at least the GUI and SFTP plugins for Debian. Plugins are currently also available for: Azure, Dropbox, Flickr, FTP, Raid0, Amazon S3, Samba, OpenStack Swift and WebDAV.
The SFTP plugin is installed with sy plugin install sftp and can then be found in ~/.config/syncany/plugins/lib.
First upload your public SSH key to the SSH server, e.g. with ssh-copy-id. Then change into the directory that is to be synchronised with the SFTP server from now on and enter the following one after another:

  • sy init
  • sftp
  • host name or IP address
  • user name on the server
  • path to the private SSH key
  • password of the private key
  • path to the directory on the server
  • port of the SSH server

That's it. You can then upload new files with sy up.
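The wizard above asks for the path to a private SSH key and its password, and the first sy up will talk to a server whose host key you may never have seen. As an added example that is not part of the original post or of Syncany, here is a small preflight script to run before sy init: it checks that the key file is restricted to its owner, that the key is actually passphrase-protected, and that the SFTP host already has an entry in known_hosts. The function names, the preflight wrapper and the host sftp.example.org are placeholders for this illustration.

```shell
#!/bin/sh
# Added example (not part of the original post or of Syncany): preflight checks
# for the SSH key and host you are about to hand to `sy init` with the SFTP plugin.
# Function names and the `preflight` wrapper are assumptions for this illustration.

# 0 if the private key file exists and is readable only by its owner (mode 400 or 600).
# OpenSSH refuses keys with looser permissions, so sy init would fail the same way.
key_perms_ok() {
  key="$1"
  [ -f "$key" ] || return 1
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key" 2>/dev/null)
  case "$mode" in
    400|600) return 0 ;;
    *)       return 1 ;;
  esac
}

# 0 if the key is passphrase-protected. ssh-keygen -y derives the public key from
# the private one; with an empty passphrase (-P '') that only succeeds for an
# unencrypted key, which is exactly what we reject before its path lands in a sync config.
key_has_passphrase() {
  [ -f "$1" ] || return 1
  if ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# 0 if host $1 already has an entry in known_hosts ($2, default ~/.ssh/known_hosts),
# so the first sy up does not blindly accept an unknown server key. Hashed entries work too.
host_is_known() {
  ssh-keygen -F "$1" -f "${2:-$HOME/.ssh/known_hosts}" >/dev/null 2>&1
}

# Runs all checks for key path $1 and host $2, prints one line per check, returns 1 on any failure.
preflight() {
  key="$1"; host="$2"; rc=0
  if key_perms_ok "$key"; then echo "ok: $key is mode 400/600"
  else echo "FAIL: $key missing or too permissive (chmod 600 it)"; rc=1; fi
  if key_has_passphrase "$key"; then echo "ok: key is passphrase-protected"
  else echo "FAIL: key has no passphrase"; rc=1; fi
  if host_is_known "$host"; then echo "ok: $host found in known_hosts"
  else echo "FAIL: $host not in known_hosts; connect once with ssh and verify the fingerprint"; rc=1; fi
  return $rc
}

# Usage: ./preflight.sh ~/.ssh/id_ed25519 sftp.example.org   (host is a placeholder)
if [ $# -ge 2 ]; then preflight "$1" "$2"; fi
```

Run it from the directory you are about to hand to sy init; if every line reads ok, the key you type into the wizard is one that only you can read, cannot be used without its passphrase if the config directory leaks, and the server you sync to is one whose identity you have already verified.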
What else does Syncany offer? As with Dropbox, you can share links to your files with other people. Depending on the plugin, this feature is implemented differently. Automatic synchronisation is available with sy daemon.

Conclusion and outlook

Despite its alpha status, Syncany is a useful tool for me with great potential. The basic concept is absolutely sound: data is encrypted locally, and external storage can be chosen freely. That is extremely flexible and can be adapted to your own needs. A working web front end like OwnCloud's would of course be great. But I am already happy with the current plugins. The main problem at the moment is the low level of development activity, which is why Syncany will not appear in Ubuntu or a stable Debian release for the time being. Anyone who wants to change that should keep testing Syncany, report possible bugs, or even help develop it.