My Free Software Activities in August 2017

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in  Java, Games and LTS topics, this might be interesting for you.

DebConf 17 in Montreal

I traveled to DebConf 17 in Montreal/Canada. I arrived on 04. August and met a lot of different people which I only knew by name so far. I think this is definitely one of the best aspects of real life meetings, putting names to faces and getting to know someone better. I totally enjoyed my stay and I would like to thank all the people who were involved in organizing this event. You rock! I also gave a talk about the "The past, present and future of Debian Games",  listened to numerous other talks and got a nice sunburn which luckily turned into a more brownish color when I returned home on 12. August. The only negative experience I made was with my airline which was supposed to fly me home to Frankfurt again. They decided to cancel the flight one hour before check-in for unknown reasons and just gave me a telephone number to sort things out.  No support whatsoever. Fortunately (probably not for him) another DebConf attendee suffered the same fate and together we could find another flight with Royal Air Maroc the same day. And so we made a short trip to Casablanca/Morocco and eventually arrived at our final destination in Frankfurt a few hours later. So which airline should you avoid at all costs (they still haven't responded to my refund claims) ? It's WoW-Air from Iceland. (just wow)

Debian Games

Debian Java

Debian LTS

This was my eighteenth month as a paid contributor and I have been paid to work 20,25 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 31. July until 06. August I was in charge of our LTS frontdesk. I triaged bugs in tinyproxy, mantis, sox, timidity, ioquake3, varnish, libao, clamav, binutils, smplayer, libid3tag, mpg123 and shadow.
  • DLA-1064-1. Issued a security update for freeradius fixing 6 CVE.
  • DLA-1068-1. Issued a security update for git fixing 1 CVE.
  • DLA-1077-1. Issued a security update for faad2 fixing 11 CVE.
  • DLA-1083-1. Issued a security update for openexr fixing 3 CVE.
  • DLA-1095-1. Issued a security update for freerdp fixing 5 CVE.

Non-maintainer upload

  • I uploaded a security fix for openexr (#864078) to fix CVE-2017-9110, CVE-2017-9112 and CVE-2017-9116.

Thanks for reading and see you next time.

My Free Software Activities in July 2017

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in  Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • I backported freeciv, freeorion and minetest to stretch-backports.
  • The bug fix (#866378) for 3dchess also landed in Stretch and Jessie.
  • I sponsored Lugaru for Vincent Prat and Martin Erik Werner, a really cool 3D fighting game featuring a rabbit. The game is dfsg-free now and will replace openlugaru.
  • I uploaded fifechan to unstable and packaged new upstream versions of fife, unknown-horizons, adonthell-data and hyperrogue.
  • I fixed bugs in bloboats (#864534), lordsawar (RC #866988), kraptor (#826423), pathogen (#845991), fretsonfire (#866426), blockout2 (#826416), boswars (#827112), kanatest (RC #868315, fix also backported to Stretch), overgod (#827114), morris (#829948, #721834, #862224), mousetrap (#726842), alsoft-conf (#784052, #562898) and nikwi (#835625)
  • I uploaded a new revision of clanlib and teg fixing Perl transition bugs. The patches were provided by gregor herrmann. I added myself to Uploaders in case of teg because the package was missing a human maintainer.
  • I adopted trackballs after I discovered #868983 where Henrique de Moraes Holschuh called attention to a new fork of Trackballs. The current version was broken and unplayable and it was only a matter of time before the game was removed from Debian. I could fix a couple of bugs, forwarded some issues upstream and I believe a nice game was saved.
  • I uploaded Bullet 2.86.1 to unstable and completed another Bullet transition.

Debian Java

Debian LTS

This was my seventeenth month as a paid contributor and I have been paid to work 23,5 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 24. July until 31. July I was in charge of our LTS frontdesk. I triaged bugs in tinyproxy, varnish, freerdp, ghostscript, gcc-4.6, gcc-4.7, fontforge, teamspeak-server, teamspeak-client, qpdf, nvidia-graphics-drivers and sipcrack. I also pinged Diego Biurrun for more information about the next libav update and replied to questions on the debian-lts mailing list and LTS IRC channel.
  • DLA 1034-1. Issued a security update for php5 fixing 5 CVE. I discussed CVE-2017-11362 with the security team. We came to the conclusion that it was no security issue but just a normal bug.
  • DLA 1036-1. Issued a security update for gsoap fixing 1 CVE.
  • DLA 1037-1. Issued a security update for catdoc fixing 1 CVE.
  • DLA 613-2. Issued a regression update for roundcube.
  • DLA 1045-1. Issued a security update for graphicsmagick fixing 10 CVE.
  • DLA 1047-1. Issued a security update for supervisor fixing 1 CVE.
  • DLA-1048-1.  Issued a security update for ghostscript fixing 8 CVE.

Non-maintainer upload

  • I uploaded the security fix for spice to unstable which was already fixed in Stretch and earlier versions.

Thanks for reading and see you next time.

My Free Software Activities in June 2017

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in  Java, Games and LTS topics, this might be interesting for you.

Debian Games

Debian Java + Android

Debian LTS

This was my sixteenth month as a paid contributor and I have been paid to work 16 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • I triaged mp3splt and putty and marked CVE-2017-5666 and CVE-2017-6542 as no-dsa because the impact was very low.
  • DLA-975-1. I uploaded the security update for wordpress which I prepared last month fixing 6 CVE.
  • DLA-986-1. Issued a security update for zookeeper fixing 1 CVE.
  • DLA-989-1. Issued a security update for jython fixing 1 CVE.
  • DLA-996-1. Issued a security update for tomcat7 fixing 1 CVE.
  • DLA-1002-1. Issued a security update for smb4k fixing 1 CVE.
  • DLA-1013-1. Issued a security update for graphite2 fixing 8 CVE.
  • DLA-1020-1. Issued a security update for jetty fixing 1 CVE.
  • DLA-1021-1. Issued a security update for jetty8 fixing 1 CVE.

Misc

  • I updated wbar, fixed #829981 and uploaded mediathekview and osmo to unstable. For the Buster release cycle I decided to package the fork of xarchiver's master branch which receives regular updates and bug fixes. Besides being an GTK-3 application now, a lot of older bugs could be fixed.

Thanks for reading and see you next time.

My Free Software Activities in May 2017

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in  Java, Games and LTS topics, this might be interesting for you.

Debian Games

Bug fixes

  • ufoai (RC #861979) : Robert Hackbauer discovered that ufoai crashed as soon as one player joined a game. I had never seen this crash before and the bug probably surfaced due to the recompilation last month but fortunately I could get a meaningful backtrace and upstream was able to provide a patch within 24 hours.
  • pixbros (RC #861612): The RC bug in pixbros was a rather sad story as it was claimed that the level design (the design, not the artwork) was non-free. The bug submitter argued that there was a high degree of resemblance with one of the original games (pixbros is an amalgamation of several games) thus making pixbros unsuitable for Debian and non-free. This was the kind of bug report which you will probably only see in the games section. We have many games in the archive that try to be a clone and free software alternative of a more popular commercial and non-free game. Not only are they sometimes developed in a completely different programming language, their new artwork, even the gameplay can differ heavily. In this case the level design was just two-dimensional horizontal and vertical bars on which the protagonists perform their actions and in my opinion this is not what we call non-free in Debian. The sad part was, because it happens rather frequently, that random people think they are copyright and trademark experts although they are neither lawyers nor the original copyright holder and, to underline the layman status, often end their sentences with the ominous IANAL. I would like to see that people focus more on improving the games section by packaging new games and maintaining existing ones instead of playing hobby lawyer and creating issues where issues don't exist.
  • doomsday (RC #847651, #863536): Doomsday failed to start but Bernhard Übelacker provided a patch to fix #847651. If nobody beats me to it, I will also upload the fix for #863536 very soon.

New upstream release

  • I mentioned torcs in my last report which I adopted earlier. It turned out that some car models were non-free (not like pixbros but this time for real) because the license didn't allow modification. I repacked the tarball and released version 1.3.3+dfsg2-1 for Stretch (#861959) and pushed the latest upstream release to experimental. I also discovered that torcs would FTBFS due to a bug in debhelper and reported it. (#861852)
  • I packaged new upstream versions of freeorion, springlobby, freeciv and bzflag.

Debian Java

  • Elana Hashman is working on the clojure eco-system in Debian. I reviewed and sponsored libbultitude-clojure for her.
  • I fixed a follow-up bug in pdfsam (#855324) and documented in a NEWS file that the config file in $HOME must be updated by hand when a user upgrades from Jessie to Stretch.
  • I uploaded a new upstream release of activemq to experimental and fixed a minor changelog typo bug.

Debian LTS

This was my fifteenth month as a paid contributor and I have been paid to work 27,25 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 1. May until 7. May I was in charge of our LTS frontdesk. I triaged security issues in rxvt, imagemagick, libtirpc, rpcbind, binutils, wordpress, eglibc and tiff3.
  • I prepared a security update for wordpress fixing 6 CVE. I contacted the maintainer, Craig Small, for feedback and intend to release the update soon.
  • I have been working on smb4k which is currently affected by a root privilege vulnerability. Backporting the fix is non-trivial and requires more testing.
  • I triaged libarchive and fixed CVE-2016-10349 and CVE-2016-10350 but decided to postpone the release until more important issues are discovered.
  • DLA-933-1. Issued a security update for roundcube fixing 1 CVE.
  • DLA-936-1. Issued a security update for libtirpc fixing 1 CVE.
  • DLA-937-1. Issued a security update for rpcbind fixing 1 CVE.
  • DLA-938-1. Issued a security update for git fixing 1 CVE.
  • DLA-924-1. Issued a regression update for tomcat7 and fixed bug #861872.
  • DLA-941-1. Issued a security update for squirrelmail fixing 1 CVE.
  • DLA-945-1. Issued a security update for mysql-connector-java fixing 3 CVE.
  • DLA-953-1. Issued a security update for graphicsmagick fixing 1 CVE.
  • DLA-968-1. Issued a security update for libpodofo fixing 10 CVE.
  • DLA-969-1. Issued a security update for tiff fixing 2 CVE.

Misc

  • Nikolaus Rath discovered that adding files to a tar archive with xarchiver would actually delete the existing archive (#862593). The issue occured when the archive name contained shell meta characters which were improperly escaped. While I was trying to find the root cause for this issue Chris Lamb provided an alternative solution to fix this problem.

Thanks for reading and see you next time.

My Free Software Activities in April 2017

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in  Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • I released the final version 2 of debian-games for Stretch, a collection of metapackages that make it easier to install one's favorite games. No surprises here, but two games were removed from Debian and some others didn't make it into Stretch, so an update of the debian/control file was necessary.
  • I could close three RC bugs in ufoai (#860680) and slashem (#860393), thanks to the analysis and help from Bernhard Übelacker, and one in tecnoballz. (#861268)
  • I reviewed and sponsored gnome-games-app and retro-gtk for Jeremy Bicha. The Gnome application is basically a game browser and a unified interface to access various games, engines and emulators.
  • I adopted torcs, a racing car simulator, updated the package to the latest upstream release and completely overhauled the packaging. This is still work in progress but I think I can upload the new version in May.

Debian Java

  • I prepared security updates for bouncycastle, logback, activemq, tomcat 7 and tomcat 8 which were later accepted for Stretch and Jessie.
  • New upstream releases this month: hsqldb and robocode.
  • We had to deal with a weird bug in libnb-platform18-java respectively libjna-jni (#858876). We are still not sure why the JNA system library was not found by Netbeans but we could find a way to resolve it. I took the opportunity to fix another annoying bug in Netbeans and added the missing dependencies for some symlinked system JAR files.
  • Last but not least I made the test results in jnr-posix non-fatal (#860691) until we receive more information from upstream why two tests fail on i386. Since the package is arch:all and completes all tests on amd64 successfully, the RC bug was later marked as "stretch ignore" by the release team.

Debian LTS

This was my fourteenth month as a paid contributor and I have been paid to work 23,75 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 10. April until 16. April I was in charge of our LTS frontdesk. I triaged security issues in wavpack, binutils, tiff, tiff3, imagemagick, wireshark, elfutils, libosip2, feh, freetype, web2py and libplist.
  • DLA-888-1. Issued a security update for logback fixing 1 CVE.
  • DLA-893-1. Issued a security update for bouncycastle fixing 1 CVE.
  • DLA-924-1. Issued a security update for tomcat7 fixing 2 CVE.
  • DLA-900-1. Issued a security update for freetype. Later it was determined that freetype in Wheezy was not affected and the change was reverted.
  • DLA-899-1. Issued a security update for feh fixing 1 CVE.
  • DLA-902-1. Issued a security update for imagemagick fixing 2 CVE.
  • DLA-911-1. Issued a security update for tiff fixing 11 CVE.
  • DLA-912-1. Issued a security update for tiff3 fixing 8 CVE.
  • DLA-913-1. Issued a security update for activemq fixing 1 CVE.
  • DLA-929-1. Issued a security update for libpodofo fixing 7 CVE.

Misc

  • I packaged a new major version of Osmo, a personal organizer and calendar application. It has been completely converted to GTK3 and WebKitGtk2 now.

Thanks for reading and see you next time.

My Free Software Activities in March 2017

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in Android, Java, Games and LTS topics, this might be interesting for you.

Debian Android

  • A new upstream release of apktool was uploaded to experimental.

Debian Games

  • I packaged new upstream releases of megaglest and megaglest-data.
  • I fixed a bug in pangzero (#857474) that crashed the game when someone pressed the pause key. The updated package will be part of Stretch.
  • The severity was inflated and the issue debatable but since it took less time to "fix" bug #857801 in dopewars than writing this sentence, I did it anyway.
  • I fixed bug #857236 and #857845 in holotz-castle. Background: There are various packages in Debian that ship a considerable amount of documentation which is usually a good thing. We always strive to optimize packages and reducing the package size is one option. In the past people thought that symlinking the doc directory of an arch:all (architecture-independent) package to an an arch:any (architecture-dependent) package saves disk space because it is not necessary to duplicate the same content on every architecture. Unfortunately this feature, dh-installdocs --link-doc, is broken by design (#766711) and in its current state not usable for this use case. As a consequence I filed a bug report against tracker.debian.org #857851, asked for an improvement of piuparts' status reports and also filed #857852 against dpkg which was later cloned into #858036 for debhelper. In a nutshell I would like to see better documentation how to use dh-maintscript-helper and *.maintscript files. I also believe it would be nice to simplify the latter by using only one file.

Debian Java

  • I packaged version 5.4 of sweethome3d and added myself to Uploaders and closed two bugs (#854030),(#856769)
  • I fixed an RC bug (#856626) in lucene-solr, more precisely in one of the configuration files of solr-tomcat, a search engine with Tomcat integration, that prevented the server from starting.
  • I am still investigating an RC issue (#857343) in logback. This is a potential security vulnerability that allows remote attackers to execute arbitrary code. My first patch was incomplete and more backported code from the latest upstream release is required. Unfortunately upstream was not very helpful in tracking down the necessary code changes. My question still remains unanswered.
  • Netbeans (#837081): Netbeans has been crashing from time to time. It is not easy to trigger the issue but it is related to libatk-wrapper-java-jni and the Accessibility ToolKit (ATK). I have cloned bug number #837081 as #858700 for now because I don't think it can be fixed in Netbeans.

Debian LTS

This was my thirteenth month as a paid contributor and I have been paid to work 14,75 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 06. March until 13. March I was in charge of our LTS frontdesk. I triaged security issues in qbittorrent, imagemagick, freetype, glibc, vim, suricada, texlive-base, web2py, lxc, r-base, mysql-5.5, partclone, irrsi, wordpress, mupdf and php5.
  • DLA-846-1. Issued a security update for libzip-ruby fixing 1 CVE.
  • DLA-853-1. Issued a security update for pidgin fixing 1 CVE.
  • DLA-855-1. Issued a security update for roundcube fixing 1 CVE.
  • DLA-860-1. Issued a security update for wordpress fixing 3 CVE.
  • DLA-870-1. Issued a security update for libplist fixing 3 CVE.
  • DLA-872-1. Issued a security update for xrdp fixing 1 CVE.
  • DLA-875-1. Issued a security update for php5 fixing 3 CVE.

Misc

  • March 2017 also saw a new version of MediathekView (now in experimental).

Thanks for reading and see you next time.

My Free Software Activities in February 2017

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in Java, Games and LTS topics, this might be interesting for you.
We have reached the end of Stretch's development cycle, a phase called full freeze. That means packages may only migrate to Testing aka Stretch after approval by the release team. Changes must be minimal and only address important or release critical bugs. This is usually the time when I stop uploading new upstream releases to unstable to avoid any disruptions. Of course there are exceptions but if you are unsure best practice is to use experimental instead. A lot of RC bugs are still open and affect the next release. In February I could close five one and triage two more.

Debian Games

  • I packaged new upstream releases of Bullet (2.86 and 2.86.1), a 3D physics engine, after I was informed by Debian's OpenMW maintainer (who is also one of the upstream developers) that this would fix a couple of issues for them.
  • Debian Bug #848063 - ri-li: FTBFS randomly (Impossible d'initialiser SDL:Couldn't open X11 display): I usually note bug fixes very briefly but this one deserves some extra information. Apparently ri-li randomly failed to build from source on the bug reporter's build system. The error message indicated that an X11 display could not be opened. For those who wonder why an X11 display is required to build a package from source; ri-li is a game and comes with a small development program, MakeDat, to build the data files from source. The program is only needed at build time but it requires some SDL functions to work properly. During the compilation step MakeDat tries to initialize SDL and it requires an X11 display for doing that. Ri-Li uses the xvfb-run wrapper to create a virtual X server environment and then executes MakeDat. I didn't need to touch the package for more than two years and needless to say ri-li has always worked so far.  I agreed that this was probably a regression in one of ri-li's dependencies. I immediately suspected xvfb and the xvfb-run script being the most likely cause for the build failures and after some investigation on the Internet I uploaded a new revision using the "-a" switch for xvfb-run. Unfortunately that didn't work as expected. On the other hand I noticed that the package built fine on the official buildd network for all release architectures, not to mention on my own system. I decided that severity important would be the appropriate severity level for this issue because the majority of users was unaffected and the claim the package failed to build 99 % of the time was just wrong.

    So much for the prologue. The bug reporter disagreed with the bug severity and insisted to make #848063 release critical again. Since nobody of the Games Team wanted to do that and there were more people in a similar situation who disagreed with such a move, a thread was started on the debian-devel mailing list. I stayed away from it mainly because I already participated in the same discussions before where I got the impression that concerns were simply ignored. Also other people made a good response and expressed my views, for instance here , here and here.

    In my opinion Debian is more than just an operating system and "not an academic exercise". I really do think that a package which fails to build from source is a bug and should be fixed but not every FTBFS is release critical, that's why we have for example release architectures and ports. We already make distinctions and we don't support every possible hardware configuration.  If a package FTBFS on my laptops because 64 MB RAM or a 6 GB hard disk don't cut it anymore I'm not going to file RC bugs against the package in question, I'll try with a slightly more powerful machine again. RC bugs are a big hammer and we should be really considerate when we file them because as a consequence, if we can't fix them in time the package will not be part of the next stable release or even removed from Debian. We certainly don't have a shortage of bugs and if there is disagreement we should make case-by-case decisions and not blindly act "by the book". Threatening people to escalate bugs to Debian's Technical Committee isn't helpful either. I am not saying that random build failures should be ignored. There are tests which are designed to fail 50 % of the time. Obviously they are not very useful for Debian. But we have also many tests that check for real life situations, which require a specific amount of memory and disk space. I think it is a shame that we have to disable those tests or even the whole test suite if they work locally and on the official buildd network but not in a custom build environment.  I fear we don't make Debian better but instead we "verschlimmbessern" (to improve sth. for the worse) it. Last but not least bug #848063 was never about a single vs. multi-core CPU issue, even the bug reporter agreed with this statement but apparently a lot of people who commented on debian-devel never fully read the bug report or followed closely enough.

Debian Java

Debian LTS

This was my twelfth month as a paid contributor and I have been paid to work 13 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 06. February until 13. February I was in charge of our LTS frontdesk. I triaged security issues in mp3splt, spice, gnome-keyring, irssi, gtk-vnc, php5, openpyxl, postfixadmin, sleekxmpp, mcabber, psi-plus, vim, mupdf, netpbm-free and libplist.
  • DLA-820-1. Issued a security update for viewvc fixing 1 CVE.
  • DLA-823-1. Issued a security update for tomcat7 fixing 1 CVE.
  • DLA-825-1. Issued a security update for spice fixing 2 CVE.
  • DLA-823-2. Issued a regression update for tomcat7.
  • DLA-834-1. Issued a security update for phpmyadmin fixing 1 CVE.
  • DLA-835-1. Issued a security update for cakephp fixing 1 CVE.
  • DLA-840-1. Issued a security update for libplist fixing 2 CVE.

Non-maintainer uploads

Thanks for reading and see you next time.

My Free Software Activities in January 2017

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • In January 2017 we had the last chance to get new upstream releases into the next stable release of Debian 9 aka Stretch. Hence I packaged new versions of pygame-sdl2, renpy, fife, unknown-horizons, redeclipse and redeclipse-data and also backported Red Eclipse to Jessie.
  • I uploaded fifechan to unstable and applied an upstream patch to fix a segmentation fault (#852247) in Unknown Horizons.
  • Package cleanups and improvements: freeorion (#843538), I enabled support for mips64el again; I tidied up gtkatlantic, powermanga, lincity-ng, opencity and tecnoballz; I applied a patch from Reiner Herrmann to make the build of netpanzer reproducible (#827150); In spring I changed the build-dependency of asciidoc to asciidoc-base (#850387) although it turned out later that this wasn't strictly needed. I also removed ConvertUTF8 related code from spring because it might be non-free. I don't think this is necessarily true but I didn't want to argue with Lintian in this case.
  • I sponsored a new upstream release of pentobi for Juhani Numminen.
  • I backported minetest 0.4.5 to jessie-backports and fixed #851114, which I think was not really an issue since we already provide the font sources in Debian and Minetest depends on the respective package.
  • I triaged RC bug #847812 in pysolfc, provided a patch and reassigned the issue to src:pillow. Apparently this affected a lot more 32 bit applications written in Python.

Debian Java

Debian LTS

This was my eleventh month as a paid contributor and I have been paid to work 12,75 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 16. January until 22. January I was in charge of our LTS frontdesk. I triaged security issues in imagemagick, wordpress, hesiod, opus, mysql-5.5, netbeans, groovy and zoneminder.
  • DLA-779-1. Issued a security update for Tomcat 7 fixing 1 CVE and a regression when running Tomcat with SecurityManager enabled.
  • DLA-761-2. Issued a regression update for python-bottle. (Debian bug #850176).
  • DLA-781-1 and DLA-781-2. Issued a security update for Asterisk fixing 2 CVE after I had prepared the package last month. Later Brad Barnett discovered a regression when using SIP communication and provided assistance with debugging the issue. I corrected this one in DLA-781-2.
  • DLA-792-1. Issued a security update for libphp-swiftmailer fixing 1 CVE.
  • DLA-793-1. Issued a security update for opus fixing 1 CVE.
  • DLA-794-1. Issued a security update for groovy fixing 1 CVE.
  • DLA-797-1. Issued a security update for mysql-5.5 fixing 10 CVE. The update was prepared by Lars Tangvald.
  • DLA-813-1. Issued a security update for wordpress fixing 9 CVE.

Misc

  • In xarchiver (#850103) I added binutils to the list of suggested packages, in  iftop (#850040) I applied a patch from Brian Russell and I packaged a new upstream release of mediathekview, a Java application to watch and download broadcasts from German television stations. I had to make some major packaging changes because the build system switched from Ant to Gradle but there were fewer issues than expected.

My Free Software Activities in December 2016

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in Android, Java, Games and LTS topics, this might be interesting for you.

Debian Android

Debian Games

  • We have entered the final straight for Stretch, so I kept a close eye on new game releases and bug reports in packages which I think should be part of the next stable release. Bzflag is certainly one of them, a tank battling game that can be played in the first-person perspective and which has arrived in version 2.4.8. I also packaged new releases of trigger-rally, a racing game, Renpy, pygame-sdl2 and Minetest
  • Bálint Réczey introduced libopenhmd to Debian a while ago and asked me in #845657 to enable OpenHMD support for neverball. Neverball is now the first game in the archive, at least as far as I know, that is ready for virtual reality. I have never tried it though because I don't own the necessary gear from Oculus myself but it sounds like a cool feature.
  • A user of caveexpress reported a bug (#847147) in one level that prevented him from finishing it. I forwarded this one to upstream and he was able to quickly fix the issue and I could release 2.4+git20160609-3 later.
  • I triaged several RC bugs which were reported against our D language games and it turned out that the bug was in gdc (#845377).
  • I also made some small improvements to monopd's packaging and applied a patch from Laurent Bigonville to Freeciv that corrected a problem with AppData files (#848720).
  • I worked around another RC FTBFS bug in spring (#846921) which is apparently a regression in binutils (#847356) but its maintainer does not consider this to be release critical.
  • I tried to fix #848063 in ri-li but it seems to surface again under special circumstances. Since compilation works on all buildds for all release architectures and on my systems I downgraded the severity to important.
  • I uploaded Bullet 2.85.1 to experimental. It is currently waiting in the NEW queue due to the SONAME bump and because I decided to simplify the packaging. I don't think it is longer worth it to provide several standalone binary packages. All Bullet 2 and 3 core libraries can be found in libbullet2.85 now while all the extra stuff is part of libbullet-extras2.85.
  • Last but not least I released debian-games 1.7 and updated the list of games. Castle Combat was removed this month from Debian.

Debian Java

Debian LTS

This was my tenth month as a paid contributor and I have been paid to work 13,5 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 12. December until 18. December I was in charge of our LTS frontdesk. I triaged bugs in jasper, openjdk-6, bluez, game-music-emu, simplesamlphp, imagemagick, nagios3, most, rabbitmq-server, html5lib and dcmtk.
  • DLA-742-1. Issued a security update for chrony fixing 1 CVE. This update was prepared by Vincent Blut.
  • DLA-745-1. Issued a security update for most fixing 1 CVE.
  • DLA-746-1. Issued a security update for tomcat6 fixing 1 CVE and two regressions from previous updates which were reported to Debian's bug tracker.
  • DLA-747-1. Issued a security update for libupnp fixing 1 CVE.
  • DLA-748-1. Issued a security update for libupnp4 fixing 1 CVE.
  • DLA-746-2. Issued a regression update for tomcat6.
  • DLA-753-1. Issued a security update for tomcat7 fixing 1 CVE and three regressions that were similar in nature to the ones fixed in Tomcat 6.
  • DLA-761-1. Issued a security update for python-bottle fixing 1 CVE.
  • DLA-763-1. Issued a security update for squid3 fixing 1 CVE.
  • DLA-766-1. Issued a security update for libcrypto++ fixing 1 CVE.
  • I also worked on two CVEs for Asterisk, an Open Source PBX and telephony toolkit. The work is done and can currently be found at this location. I asked on the debian-lts mailing list for feedback and testing and already got some positive feedback. I will wait a few more days before I release the security update.

Non-maintainer uploads

  • I did two NMUs this month. I sponsored an upload of libtorrent for Peter Pentchev fixing #828414 and I fixed a trivial bug in gnash myself (#845847).

My Free Software Activities in November 2016

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in Java, Games and LTS topics, this might be interesting for you.

Debian Android

  • Chris Lamb was so kind to send in a patch for apktool to make the build reproducible (#845475). Although this was not enough to fix the issue it set me on the right path to eventually resolve bug number 845475.

Debian Games

  • I packaged a couple of new upstream releases for extremetuxracer, fifechan, fife, unknown-horizons, freeciv, atanks and armagetronad. Most notably fifechan was accepted by the FTP team which allowed me to package new versions of fife and unknown-horizons which are both back in testing again. I expect that upstream will make their final release sometime in December. Atanks has been orphaned a while ago and since upstream is still active and I kinda like the game I decided to adopt it. I also uploaded a backport of Freeciv 2.5.6 to jessie-backports.
  • In November we received a bunch of RC bug reports again because, hey, it is almost time for the Freeze, let's break some packages. Thus I spent some time fixing freeorion (#843132), pokerth (#843078), simutrans (#828545), freeciv (#844198) and warzone2100 (#844870).
  • I also updated the debian-games blend, we are at version 1.6 now, and made some smaller adjustments. The most important change was adding a new binary package, games-all, that installs..well, all! I know this will make at least one person on this planet happy. Actually I was kind of forced into adding it because blends-dev automatically creates it as a requirement for choosing blends with the Debian Installer. But don't be afraid games-all only recommends games-finest, the rest is suggested.
  • Last but not least I worked on performous and could close a wishlist bug report (#425898). The submitter asked to suggest some free song packages for this karaoke game.

Debian Java

  • I sponsored uncommons-watchmaker for Kai-Chung and also reviewed libnative-platform-java and granted upload rights to him.
  • I packaged new upstream releases of lombok-patcher, electric, undertow, sweethome3d and sweethome3d-furniture-editor.
  • I spent quite some time on reviewing (especially the copyright review took most of the time) and improving the packaging for tycho (#816604) which is a precondition for packaging the latest upstream release of Eclipse, a popular Java IDE. Luca Vercelli has been working on it for the last couple of months and he did most of the initial packaging. Unfortunately I was only able to upload the package last week which means that the chances for updating Eclipse for Stretch are slim.
  • Due to time constraints I could not finish the Netbeans update in time which I had started back in October. This is on my priority list for December now.
  • Several security issues were reported against Tomcat{6,7,8}. I helped with reviewing some of the patches that Emmanuel prepared for Jessie and worked on fixing the same bugs in Wheezy.

Debian LTS

This was my ninth month as a paid contributor and I have been paid to work 11 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 14. November until 21. November I was in charge of our LTS frontdesk. I triaged bugs in teeworlds, libdbd-mysql-perl, bash, libxml2, tiff, firefox-esr, drupal7, moin, libgc, w3m and sniffit.
  • DLA-715-1. Issued a security update for drupal7 fixing 2 CVE.
  • DLA-717-1. Issued a security update for moin fixing 2 CVE.
  • DLA-728-1. Issued a security update for tomcat6 fixing 8 CVE. (Debian bug #845385 was assigned a CVE later).
  • DLA-729-1. Issued a security update for tomcat7 fixing 8 CVE. (Debian bug #845385 was assigned a CVE later).
  • Especially the patches and the subsequent testing for CVE-2016-0762 and CVE-2016-6816 required most of the time.

Non-maintainer uploads

  • I uploaded an NMU for angband to fix #837394. The patch was kindly prepared by Adrian Bunk.

It is already this time of the year again. See you next year for another report. 🙂