{"id":9782,"date":"2016-05-06T16:12:04","date_gmt":"2016-05-06T14:12:04","guid":{"rendered":"https:\/\/www.gambaru.de\/blog\/?p=9782"},"modified":"2016-05-06T16:12:04","modified_gmt":"2016-05-06T14:12:04","slug":"my-free-software-activities-in-april-2016","status":"publish","type":"post","link":"https:\/\/gambaru.de\/blog\/2016\/05\/06\/my-free-software-activities-in-april-2016\/","title":{"rendered":"My Free Software Activities in April 2016"},"content":{"rendered":"<p>My monthly report covers what I have been doing for Debian. I write it for Debian's Long Term Support sponsors but also for the wider free software community in the hope that it might inspire people to get more involved with Debian or free software in general.<\/p>\n<h3>Debian LTS<\/h3>\n<p>This was my third month as a paid contributor and I have been paid to work 16 hours on <a href=\"https:\/\/wiki.debian.org\/LTS\/\">Debian LTS<\/a>. During this month I worked on the following things:<\/p>\n<ul>\n<li><a href=\"https:\/\/lists.debian.org\/debian-security-announce\/2016\/msg00128.html\">DSA-3552-1<\/a>: I finished my work on <a href=\"https:\/\/tracker.debian.org\/pkg\/tomcat7\">Tomcat 7<\/a> which I started back in March. Debian's Security Team eventually reviewed the package and issued DSA-3552-1. This update fixed 9 CVEs in Wheezy and 7 CVEs in Jessie.<\/li>\n<li><a href=\"https:\/\/lists.debian.org\/debian-security-announce\/2016\/msg00115.html\">DSA-3541-1<\/a>: My security update for <a href=\"https:\/\/tracker.debian.org\/pkg\/roundcube\">roundcube<\/a> (Wheezy) fixing 1 CVE was issued by the Security Team.<\/li>\n<li><a href=\"https:\/\/lists.debian.org\/debian-lts-announce\/2016\/04\/msg00003.html\">DLA-449-1<\/a>. I worked on <a href=\"https:\/\/tracker.debian.org\/pkg\/botan1.10\">botan1.10<\/a>, a C++ library which provides support for many common cryptographic operations and fixed 7 CVEs in Wheezy. 
I also sent an updated package for Jessie to the Security Team and they issued <a href=\"https:\/\/lists.debian.org\/debian-security-announce\/2016\/msg00141.html\">DSA-3565-1<\/a> for it. For Jessie, 6 CVEs could be closed. I am currently investigating a possible regression (<a href=\"https:\/\/bugs.debian.org\/cgi-bin\/bugreport.cgi?bug=823297\">#823297<\/a>) that might require a rebuild of monotone.<\/li>\n<li><a href=\"https:\/\/lists.debian.org\/debian-lts-announce\/2016\/04\/msg00004.html\">DLA-450-1<\/a>. I prepared an update for <a href=\"https:\/\/tracker.debian.org\/pkg\/gdk-pixbuf\">gdk-pixbuf<\/a> fixing 1 CVE. While I was working on this issue I discovered that Debian's fix for CVE-2015-7674 was incomplete and thus I added another patch to prevent possible heap-based overflows in pixops\/pixops.c. Thanks to SUSE's Security Team for their initial work on this issue.<\/li>\n<li><a href=\"https:\/\/lists.debian.org\/debian-lts-announce\/2016\/05\/msg00001.html\">DLA-451-1<\/a>. I backported and tested a security update for <a href=\"https:\/\/tracker.debian.org\/pkg\/openjdk-7\">OpenJDK-7<\/a> fixing 7 CVEs. Thanks to Matthias Klose and Tiago St\u00fcrmer Daitx for their initial work.<\/li>\n<li><a href=\"https:\/\/lists.debian.org\/debian-lts-announce\/2016\/05\/msg00002.html\">DLA-452-1<\/a>. I fixed a bug in smarty3 (Wheezy), a template engine for PHP, that allowed remote attackers to bypass the secure mode restrictions and to execute arbitrary PHP code.<\/li>\n<li>I triaged CVE-2015-7496 in GDM3 and marked this issue as &lt;not affected&gt; in Wheezy because the vulnerable code was not present and the issue was not reproducible.<\/li>\n<li>I triaged two more CVEs in Swift, <a href=\"https:\/\/security-tracker.debian.org\/tracker\/CVE-2016-0738\">CVE-2016-0738<\/a> and <a href=\"https:\/\/security-tracker.debian.org\/tracker\/CVE-2016-0737\">CVE-2016-0737<\/a>, and marked both CVEs as fixed in Wheezy because the vulnerable code was not present. 
I also had a closer look at Xymon. This package appears to be partly affected by the open security issues and needs further investigation.<\/li>\n<li>The security support for Wheezy was handed over to the LTS team on 26 April 2016. I drafted an official announcement which <a href=\"https:\/\/www.debian.org\/News\/2016\/20160425\">was published on debian.org<\/a> and <a href=\"https:\/\/lists.debian.org\/debian-lts-announce\/2016\/04\/msg00000.html\">debian-lts-announce<\/a>. Before that, I started a <a href=\"https:\/\/lists.debian.org\/debian-lts\/2016\/04\/msg00054.html\">call for review<\/a> on debian-lts. Thanks for all the feedback and especially for the reviews from the English language team.<\/li>\n<li><strong>Making OpenJDK 7 the default-java implementation in Wheezy-LTS<\/strong>. I <a href=\"https:\/\/lists.debian.org\/debian-lts-announce\/2016\/05\/msg00007.html\">uploaded a new revision of java-common<\/a> with the sole intention of increasing user awareness of our intended switch to OpenJDK 7 as the default Java implementation. Moreover, I updated 14 Java packages in Wheezy that strictly depended on openjdk-6-jre or openjdk-6-jdk. The requirements were relaxed so that users will be able to install OpenJDK 7 now without the need to install the unsupported OpenJDK 6 too. Three Java packages are still pending due to a bug in Debian's archive software that will hopefully be resolved soon. I think we could have uploaded those packages sooner but the Release Team did not deem these issues to be important enough. (<a href=\"https:\/\/bugs.debian.org\/cgi-bin\/bugreport.cgi?bug=819247\">#819247<\/a>)<\/li>\n<\/ul>\n<h3>Debian Android<\/h3>\n<ul>\n<li><strong>apktool and libsmali-java.<\/strong> I packaged the latest upstream release of <a href=\"https:\/\/tracker.debian.org\/pkg\/apktool\">Apktool<\/a>, 2.1.0. Smali is now a dependency of Apktool and no longer included in the official tarballs. 
That's the reason why I decided to package <a href=\"https:\/\/tracker.debian.org\/pkg\/libsmali-java\">libsmali-java<\/a>.<\/li>\n<li>I will be a Mentor for Google Summer of Code again together with Hans-Christoph Steiner. I presume this year will be quite exciting and we will try to package more Android software for Debian.<\/li>\n<\/ul>\n<h3>Debian Java<\/h3>\n<ul>\n<li>Emmanuel Bourg set up <a href=\"http:\/\/java.debian.net\/blog\/\">a blog<\/a> about Debian Java. We intend to do regular updates from now on to increase the visibility of the Java ecosystem in Debian. I assisted with the first blog post. I will post something about the switch to OpenJDK 7 in Wheezy shortly. My next goal is to improve our documentation about packaging Java software for Debian and I intend to write a series of blog posts in the near future.<\/li>\n<li>We finally started the <a href=\"https:\/\/tracker.debian.org\/pkg\/insubstantial\">insubstantial<\/a> transition and <a href=\"https:\/\/bugs.debian.org\/cgi-bin\/bugreport.cgi?bug=822298\">removed libasm2-java<\/a>. Thanks to Felix Natter, who packaged insubstantial, I could request the removal of the old source packages that depended on ASM2. 
(<a href=\"https:\/\/bugs.debian.org\/cgi-bin\/bugreport.cgi?bug=821163\">flamingo<\/a>, <a href=\"https:\/\/bugs.debian.org\/cgi-bin\/bugreport.cgi?bug=821165\">liblaf-plugin-java<\/a>, <a href=\"https:\/\/bugs.debian.org\/cgi-bin\/bugreport.cgi?bug=821167\">liblaf-widget-java<\/a>, <a href=\"https:\/\/bugs.debian.org\/cgi-bin\/bugreport.cgi?bug=821168\">trident<\/a> and <a href=\"https:\/\/bugs.debian.org\/cgi-bin\/bugreport.cgi?bug=821169\">substance<\/a>.)<\/li>\n<li>I requested the removal of <a href=\"https:\/\/bugs.debian.org\/cgi-bin\/bugreport.cgi?bug=822417\">libcommons-net2-java<\/a> after fixing <a href=\"https:\/\/tracker.debian.org\/pkg\/pixelmed\">Pixelmed, <\/a>the last reverse-dependency.<\/li>\n<li>I packaged new upstream releases of <a href=\"https:\/\/tracker.debian.org\/pkg\/jboss-xnio\">jboss-xnio<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/jboss-jdeparser2\">jboss-jdeparser2<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/libjide-oss-java\">libjide-oss-java<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/mediathekview\">MediathekView<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/undertow\">undertow<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/commons-javaflow\">commons-javaflow<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/libjgoodies-animation-java\">libjgoodies-animation-java<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/libjgoodies-binding-java\">libjgoodies-binding-java<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/lombok\">lombok<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/svnkit\">svnkit<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/triplea\">triplea<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/stapler\">stapler<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/jftp\">jftp<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/hawtjni\">hawtjni<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/felix-bundlerepository\">felix-bundlerepository<\/a>, <a 
href=\"https:\/\/tracker.debian.org\/pkg\/jackrabbit\">jackrabbit<\/a> and <a href=\"https:\/\/tracker.debian.org\/pkg\/lwjgl\">lwjgl<\/a>.<\/li>\n<li>I updated and triaged several Java packages and fixed open bugs in: <a href=\"https:\/\/tracker.debian.org\/pkg\/wsdl4j\">wsdl4j<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/jcifs\">jcifs<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/jasperreports\">jasperreports<\/a> and <a href=\"https:\/\/tracker.debian.org\/pkg\/entagged\">entagged<\/a>.<\/li>\n<li>I filed an RC bug against <a href=\"https:\/\/bugs.debian.org\/cgi-bin\/bugreport.cgi?bug=822091\">libxmlbeans-java<\/a> because the package embeds classes without source.<\/li>\n<\/ul>\n<h3>Debian Games<\/h3>\n<ul>\n<li>This month I was also quite busy with updating some of our games. I packaged new upstream releases of <a href=\"https:\/\/tracker.debian.org\/pkg\/gamine\">gamine<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/extremetuxracer\">extremetuxracer<\/a> and <a href=\"https:\/\/tracker.debian.org\/pkg\/springlobby\">springlobby<\/a>, updated several packages and triaged and fixed open bugs including: <a href=\"https:\/\/tracker.debian.org\/pkg\/airstrike\">airstrike<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/amoebax\">amoebax<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/jester\">jester<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/adonthell\">adonthell<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/adonthell-data\">adonthell-data<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/antigrav\">antigrav<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/btanks\">btanks<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/enemylines3\">enemylines3<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/kobodeluxe\">kobodeluxe<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/late\">late<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/pong2\">pong2<\/a>, <a href=\"https:\/\/tracker.debian.org\/pkg\/raincat\">raincat<\/a>, <a 
href=\"https:\/\/tracker.debian.org\/pkg\/ketm\">ketm<\/a> and <a href=\"https:\/\/tracker.debian.org\/pkg\/xmahjongg\">xmahjongg<\/a>.<\/li>\n<\/ul>\n<h3>Misc<\/h3>\n<ul>\n<li><strong>gimp-dimage-color.<\/strong> I asked the ftp team to remove <a href=\"https:\/\/bugs.debian.org\/cgi-bin\/bugreport.cgi?bug=527579\">gimp-dimage-color<\/a> because it has not been updated in the past seven years and it is also not part of Debian stable.<\/li>\n<li>I reviewed and sponsored <a href=\"https:\/\/tracker.debian.org\/pkg\/python-adventure\">python-adventure<\/a> for Ben Finney.<\/li>\n<li>I also reviewed <a href=\"https:\/\/tracker.debian.org\/pkg\/freecell-solver\">freecell-solver<\/a> for Shlomi Fish on debian-mentors but the package was eventually uploaded by the actual package maintainer.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>My monthly report covers what I have been doing for Debian. I write it for Debian&#8217;s Long Term Support sponsors but also for the wider free software community in the hope that it might inspire people to get more involved with Debian or free software in general. 
Debian LTS This was my third month as &hellip; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[4],"tags":[53,68],"_links":{"self":[{"href":"https:\/\/gambaru.de\/blog\/wp-json\/wp\/v2\/posts\/9782"}],"collection":[{"href":"https:\/\/gambaru.de\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gambaru.de\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gambaru.de\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/gambaru.de\/blog\/wp-json\/wp\/v2\/comments?post=9782"}],"version-history":[{"count":0,"href":"https:\/\/gambaru.de\/blog\/wp-json\/wp\/v2\/posts\/9782\/revisions"}],"wp:attachment":[{"href":"https:\/\/gambaru.de\/blog\/wp-json\/wp\/v2\/media?parent=9782"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gambaru.de\/blog\/wp-json\/wp\/v2\/categories?post=9782"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gambaru.de\/blog\/wp-json\/wp\/v2\/tags?post=9782"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}