You are here

Agreguesi i feed

How I Got Paid $0 From the Uber Security Bug Bounty

LinuxSecurity.com - Hën, 05/02/2018 - 11:46pd
LinuxSecurity.com: So Uber partners with HackerOne to offer a public bug bounty program, advertising a $500 minimum guaranteed payout if a security vulnerability is found within an Uber app or information asset. Fair enough,

Why cops won't need a warrant to pull the data off your autonomous car

LinuxSecurity.com - Hën, 05/02/2018 - 11:23pd
LinuxSecurity.com: Lt. Saul Jaeger, who commands the traffic unit at the Mountain View Police Department, remembers the first time a few years ago when he was given a demo of Waymo's self-driving cars.

Open source turns 20 years old, looks to attract normal people

LinuxSecurity.com - Hën, 05/02/2018 - 11:21pd
LinuxSecurity.com: Twenty years ago, the Open Source Definition (OSD) was published, providing a framework for the most significant trend in software development since then, and building upon Richard Stallman's prior advocacy for "free software."

David Tomaschik: Security Is Not an Absolute

Planet Ubuntu - Hën, 05/02/2018 - 9:00pd

If there’s one thing I wish people from outside the security industry knew when dealing with information security, it’s that Security is not an absolute. Most of the time, it’s not even quantifiable. Even in the case of particular threat models, it’s often impossible to make statements about the security of a system with certainty.

Read more...

Jono Bacon: Open Collaboration Conference CFP Now Open

Planet Ubuntu - Hën, 05/02/2018 - 8:27pd

Earlier last year I announced last year that I was partnering up with the Linux Foundation to create the Open Community Conference as part of their Open Source Summit events in North America and Europe.

Well, the events happened, and it was (in my humble opinion) an enormous success. We had 120+ papers submitted to the North American event and 85+ papers submitted to the European event. From there I whittled it down to around 40 sessions for each event which resulted in some fantastic content and incredible discussions/networking.

Not only was I delighted with the eagerness of people to speak, but we also had a tremendously diverse range of people submitting from a range of genders, backgrounds, cultures, experience levels, and beyond. I was proud to see this, and I am similarly proud to see the fantastically diverse attendees we have at the Community Leadership Summit each year (note: CFP is open there too). So, thanks to everyone who submitted, and sorry we couldn’t squeeze you all in to speak.

A Name Change: Open Collaboration Conference

I am delighted to announce we are doing it all again, with one small change: the name.

As the event has evolved, I have wanted it to incorporate as many elements focused on people collaborating together. While one component of this is certainly people building communities, other elements such as governance, remote working, innersource, cultural development, and more fit under the banner of “collaboration”, but don’t necessarily fit under the traditional banner of “community”.

As such, we decided to change the name of the conference to the Open Collaboration Conference. I am confident this will then provide both a home to the community strategy and tactics content, as well as these other related areas. This way the entire event services as a comprehensive capsule for collaboration in technology.

Call For Papers

So, I wanted to let you all know the key details right now of how to get involved in the events. Firstly, when the events are (as part of the Open Source Summit):

As usual, there is a deadline for the call for papers and they are:

  • North America – 29th April 2018
  • Europe – 1st July 2018

In terms of topics, I encourage you all submit papers that relate to:

  • Open Source Metrics
  • Incentivization and Engagement
  • Software Development Methodologies and Platforms
  • Building Internal Innersource Communities
  • Remote Team Management and Methods
  • Bug/Issue Management and Triage
  • Communication Platforms and Methods
  • Open Source Governance and Models
  • Mentoring and Training
  • Event Strategy
  • Content Management and Social Media
  • DevOps Culture
  • Community Management
  • Advocacy and Evangelism
  • Government and Compliance

I look forward to seeing you submissions and seeing you there!

The post Open Collaboration Conference CFP Now Open appeared first on Jono Bacon.

Costales: Ubucon Europe 2018: Last call for papers & current status event

Planet Ubuntu - Dje, 04/02/2018 - 1:36md
You're on time for submit a conference, workshop, stand or podcast for the next Ubucon!!


Main room. With no edits ;) Just checking things in situ for April
We're working hard for the next Ubucon Europe 2018 and we would like to tell you the current status:

  • Official webpage updated. 
  • You have especial discounts for your travel in bus, train and hotel. More info here.
  • The conferences will be for free. 
  • Social event of Saturday: It will be a traditional espicha. If you are coming, you need to pay that dinner in advance as soon as possible, because there are limited places! More info here.
  • You can follow the last news here: Telegram, Twitter, Google + & Facebook.
  • We'll publish the complete schedule soon.

Colin King: stress-ng V0.09.15

Planet Ubuntu - Sht, 03/02/2018 - 6:28md
It has been a while since my last post about stress-ng so I thought it would be useful to provide an update on the changes since V0.08.09.

I have been focusing on making stress-ng more portable so it can build with various versions of clang and gcc as well as run against a wide range of kernels.   The portability shims and config detection added to stress-ng allow it to build and run on a wide range of Linux systems, as well as GNU/HURD, Minix, Debian kFreeBSD, various BSD systems, OpenIndiana and OS X.

Enabling stress-ng to work on a wide range of architectures and kernels with a range of compiler versions has helped me to find and fix various corner case bugs.  Also, static analysis with a various set of tools has helped to drive up the code quality. As ever, I thoroughly recommend using static analysis tools on any project to find bugs.

Since V0.08.09 I've added the following stressors:
  • inode-flags  - (using the FS_IOC_GETFLAGS/FS_IOC_SETFLAGS ioctl, see ioctl_iflags(2) for more details.
  • sockdiag - exercise the Linux sock_diag netlink socket diagnostics
  • branch - exercise branch prediction
  • swap - exercise adding and removing variously sized swap partitions
  • ioport - exercise I/O port read/writes to try and cause CPU I/O bus delays
  • hrtimers - high resolution timer stressor
  • physpage - exercise the lookup of a physical page address and page count of a virtual page
  • mmapaddr - mmap pages to randomly unused VM addresses and exercise mincore and segfault handling
  • funccall - exercise function calling with a range of function arguments types and sizes, for benchmarking stack/CPU/cache and compiler.
  • tree - BSD tree (red/black and splay) stressor, good for exercising memory/cache
  • rawdev - exercise raw block device I/O reads
  • revio - reverse file offset random writes, causes lots of fragmentation and hence many file extents
  • mmap-fixed - stress fixed address mmaps, with a wide range of VM addresses
  • enosys - exercise a wide range of random system call numbers that are not wired up, hence generating ENOSYS errors
  • sigpipe - stress SIGPIPE signal generation and handling
  • vm-addr - exercise a wide range of VM addresses for fixed address mmaps with thorough address bit patterns stressing
Stress-ng has nearly 200 stressors and many of these have various stress methods than can be selected to perform specific stress testing.  These are all documented in the manual.  I've also updated the stress-ng project page with various links to academic papers and presentations that have used stress-ng in various ways to stress computer systems.  It is useful to find out how stress-ng is being used so that I can shape this tool in the future.

As ever, patches for fixes and improvements are always appreciated.  Keep on stressing!

Carla Sella

Planet Ubuntu - Sht, 03/02/2018 - 2:50md

Ubuntu Insights: Snapcraft Summit summary – day 5

Planet Ubuntu - Sht, 03/02/2018 - 6:54pd

This Snapcraft Summit is coming to an end. We had five days full of hard and fun work, together with many friends from many other projects that are part of our ecosystem.

It was amazing to see the kind of collaboration that snapcraft brings to the Linux world. The engineering, advocacy, desktop and design teams of snapcraft spent every day working next to developers from Microsoft, Skype, Slack, Electron, CircleCI, Plex and ROSHub on improving the experience to deliver their applications continuously, in a way that fits perfectly into their release process and that will make their users feel secure and confident. It was great to see the mix of languages, cultures and operating systems, all working together to solve this common delivery problem, now with a tool that is very open and welcoming, and that evolves quickly as new applications bring new requirements.

We are making packaging a problem of the past, so developers can just focus on the exciting part of the job: writing features. This week ended with a lot of improvements to get us there. Sergio was supposed to summarize what happened on Thursday, but has instead been hard at work preparing those improvements to be released in snapcraft 2.39, coming to an automatic update near you early next week. So we’ll excuse him, and I’ll summarize the things that happened on these last two days.

Kyle is in the middle of a deployment provider for Travis, that will make it super simple to release applications to the Snap Store for projects already using Travis for their CI. He also vastly improved the way we generate the snapcraft docker images. He also worked on a super-secret, soon-to-be released snap, more good news coming soon!

Leo started experimenting with a new language: typescript, with a new snap that was a nice proof of concept: tslint. He met with members of other teams at Canonical to make a big improvement on the testing infrastructure for snapcraft itself, focusing on tests that will run on Mac and Windows. Finally, he started a call for testing to get more people from the community exploring the features of 2.39 before the stable release.

Martin and Alan have been non-stop working with all the special guests of this summit, testing the early builds, offering advice on ways to improve the packaging, integrating the release of the snap into their pipelines, and removing unnecessary parts of the snaps to make them smaller. They were also constantly seen using an audio chat to talk to each other, despite being at the same table. Expect a new and shiny release to the mumble snap!

James has been working on the much expected feature to let users give access to individual files/directories, instead of granting the applications full access to your home. He’s also doing an amazing job at reducing the amount of time that it will take snapcraft to generate a fully self-contained application. That is work in progress, so something to look forward for the 2.40 release, later in the month.

Sergio, as mentioned before, worked on the 2.39 release. Get it on Linux with sudo snap install snapcraft –candidate, or on Mac with brew install snapcraft.

And now is time for us to celebrate. Cheers for a bright year full of snaps!

Simos Xenitellis: Installing the Go programming language in Ubuntu

Planet Ubuntu - Pre, 02/02/2018 - 10:34md
Go is a programming language and is available in most Linux distributions. Sometime Go is preinstalled, other times we need to install ourselves, or we need to update the existing version to a newer version. Go in Ubuntu 16.04 Ubuntu 16.04 comes with Go version 1.6. The package name is golang (same as their website …

Continue reading

Simos Xenitellis: How to use lxc remote with the LXD snap

Planet Ubuntu - Enj, 01/02/2018 - 9:01md
Background: LXD is a hypervisor that manages machine containers on Linux distributions. You install LXD on your Linux distribution and then you can launch machine containers into your distribution running all sort of (other) Linux distributions. You have installed the LXD snap and you are happy using it. However, you are developing LXD and you …

Continue reading

Raphaël Hertzog: My Free Software Activities in January 2018

Planet Ubuntu - Enj, 01/02/2018 - 4:08md

My monthly report covers a large part of what I have been doing in the free software world. I write it for my donors (thanks to them!) but also for the wider Debian community because it can give ideas to newcomers and it’s one of the best ways to find volunteers to work with me on projects that matter to me.

Debian LTS

While I continue to manage the administrative side of Debian LTS, I’m taking a break of the technical work (i.e. preparing and releasing security updates). The hope is that it will help me focus more on my book which (still) needs to be updated for stretch. In truth, this did not happen in January but I hope to do better in the upcoming months.

Salsa and related

The switch to salsa.debian.org is a major event in our community. Last month I started with the QA team and the distro-tracker repository as an experiment. This month I took this opportunity to bring to fruition a merge between the pkg-security team and the forensics team that I already proposed in the past and that we postponed because it was deemed busy work for no gains. Now that both teams had to migrate anyway, it was easier to migrate everything at once under a single project.

All our repositories are now managed under the same team in salsa: https://salsa.debian.org/pkg-security-team/ But for the mailing list we are still waiting for the new list to be created on lists.debian.org (#888136).

As part of this work, I contributed some fixes to the scripts maintained by Mehdi Dogguy. I also filed a wishlist request for a new script to make it easy to share repositories with the Debian group.

With the expected demise of alioth mailing lists, there’s some interest in getting the Debian package tracker to host the official maintainer email. As the central hub for most emails related to packages, it seems natural indeed. We made some progress lately on making it possible to use @packages.debian.org emails (with the downside of receiving duplicate emails currently) but that’s not an really an option when you maintain many packages and want to see them grouped under the same maintainer email. Furthermore it doesn’t allow for automatic association of a package to its maintainer team. So I implemented a team+slug@tracker.debian.org email that works for each team registered on the package tracker and that will automatically associate the package to its team. The email is just a black hole for now (not really a problem as most automatic emails are already received through another email) but I expect to forward non-automatic mails to team members to make it useful as a way to discuss between team members.

The package tracker also learned to recognize commit mails generated by GitLab and it will now forward them to the source package whose name is matching the name of the GitLab project that generated them (see #886114).

Misc Debian stuff

Distro Tracker. I got my two first merge requests which I reviewed and merged. One adds native HTML support to toggle action items (i.e. without javascript on recent browsers) and the other improves some of the messages shown by the vcswatch integration. In #886450, we discussed how to better filter build failure mails sent by the build daemons. New headers have been added.

Bug reports and patches. I forwarded and/or got moving a couple of bugs that we encountered in Kali (glibc: new data brought to #820826, raspi3-firmware: #887062, glibc: tracking down #886506 to a glibc regression affecting busybox, gr-fcdproplus: #888853 new watch file, gjs: upstream bug #33). I also needed a new feature in live-build so I filed #888507 which I implemented almost immediately (but released only in Kali because it’s not documented yet and can possibly be improved a bit further).

While doing my yearly accounting, I opened an issue on tryton and pushed a fix after approval. While running unit tests on distro-tracker, I got an unexpected warning that seems to be caused by virtualenv (see upstream issue #1120).

Debian Packaging. I uploaded zim 0.68~rc1-1 to experimental.

Thanks

See you next month for a new summary of my activities.

No comment | Liked this article? Click here. | My blog is Flattr-enabled.

Our future relationship with FSFE

Planet Debian - Enj, 01/02/2018 - 2:19md

Below is an email that has been distributed to the FSFE community today. FSFE aims to be an open organization and people are welcome to discuss it through the main discussion group (join, thread and reply) whether you are a member or not.

For more information about joining FSFE, local groups, campaigns and other activities please visit the FSFE web site. The "No Cloud" stickers and the Public Money Public Code campaign are examples of initiatives started by FSFE - you can request free stickers and posters by filling in this form.

Dear FSFE Community,

I'm writing to you today as one of your elected fellowship representatives rather than to convey my own views, which you may have already encountered in my blog or mailing list discussions.

The recent meeting of the General Assembly (GA) decided that the annual elections will be abolished but this change has not yet been ratified in the constitution.

Personally, I support an overhaul of FSFE's democratic processes and the bulk of the reasons for this change are quite valid. One of the reasons proposed for the change, the suggestion that the election was a popularity contest, is an argument I don't agree with: the same argument could be used to abolish elections anywhere.

One point that came up in discussions about the elections is that people don't need to wait for the elections to be considered for GA membership. Matthias Kirschner, our president, has emphasized this to me personally as well, he looks at each new request with an open mind and forwards it to all of the GA for discussion. According to our constitution, anybody can write to the president at any time and request to join the GA. In practice, the president and the existing GA members will probably need to have seen some of your activities in one of the FSFE teams or local groups before accepting you as a member. I want to encourage people to become familiar with the GA membership process and discuss it within their teams and local groups and think about whether you or anybody you know may be a good candidate.

According to the minutes of the last GA meeting, several new members were already accepted this way in the last year. It is particularly important for the organization to increase diversity in the GA at this time.

The response rate for the last fellowship election was lower than in previous years and there is also concern that emails don't reach everybody thanks to spam filters or the Google Promotions tab (if you use gmail). If you had problems receiving emails about the last election, please consider sharing that feedback on the discussion list.

Understanding where the organization will go beyond the extinction of the fellowship representative is critical. The Identity review process, championed by Jonas Oberg and Kristi Progri, is actively looking at these questions. Please contact Kristi if you wish to participate and look out for updates about this process in emails and Planet FSFE. Kristi will be at FOSDEM this weekend if you want to speak to her personally.

I'll be at FOSDEM this weekend and would welcome the opportunity to meet with you personally. I will be visiting many different parts of FOSDEM at different times, including the FSFE booth, the Debian booth, the real-time lounge (K-building) and the Real-Time Communications (RTC) dev-room on Sunday, where I'm giving a talk. Many other members of the FSFE community will also be present, if you don't know where to start, simply come to the FSFE booth. The next European event I visit after FOSDEM will potentially be OSCAL in Tirana, it is in May and I would highly recommend this event for anybody who doesn't regularly travel to events outside their own region.

Changing the world begins with the change we make ourselves. If you only do one thing for free software this year and you are not sure what it is going to be, then I would recommend this: visit an event that you never visited before, in a city or country you never visited before. It doesn't necessarily have to be a free software or IT event. In 2017 I attended OSCAL in Tirana and the Digital-Born Media Carnival in Kotor for the first time. You can ask FSFE to send you some free stickers and posters (online request with optional donation) to give to the new friends you meet on your travels. Change starts with each of us doing something new or different and I hope our paths may cross in one of these places.

For more information about joining FSFE, local groups, campaigns and other activities please visit the FSFE web site.

Please feel free to discuss this through the FSFE discussion group (join, thread and reply)

Daniel.Pocock https://danielpocock.com/tags/debian DanielPocock.com - debian

Daniel Pocock: Our future relationship with FSFE

Planet Ubuntu - Enj, 01/02/2018 - 2:19md

Below is an email that has been distributed to the FSFE community today. FSFE aims to be an open organization and people are welcome to discuss it through the main discussion group (join, thread and reply) whether you are a member or not.

For more information about joining FSFE, local groups, campaigns and other activities please visit the FSFE web site. The "No Cloud" stickers and the Public Money Public Code campaign are examples of initiatives started by FSFE - you can request free stickers and posters by filling in this form.

Dear FSFE Community,

I'm writing to you today as one of your elected fellowship representatives rather than to convey my own views, which you may have already encountered in my blog or mailing list discussions.

The recent meeting of the General Assembly (GA) decided that the annual elections will be abolished but this change has not yet been ratified in the constitution.

Personally, I support an overhaul of FSFE's democratic processes and the bulk of the reasons for this change are quite valid. One of the reasons proposed for the change, the suggestion that the election was a popularity contest, is an argument I don't agree with: the same argument could be used to abolish elections anywhere.

One point that came up in discussions about the elections is that people don't need to wait for the elections to be considered for GA membership. Matthias Kirschner, our president, has emphasized this to me personally as well, he looks at each new request with an open mind and forwards it to all of the GA for discussion. According to our constitution, anybody can write to the president at any time and request to join the GA. In practice, the president and the existing GA members will probably need to have seen some of your activities in one of the FSFE teams or local groups before accepting you as a member. I want to encourage people to become familiar with the GA membership process and discuss it within their teams and local groups and think about whether you or anybody you know may be a good candidate.

According to the minutes of the last GA meeting, several new members were already accepted this way in the last year. It is particularly important for the organization to increase diversity in the GA at this time.

The response rate for the last fellowship election was lower than in previous years and there is also concern that emails don't reach everybody thanks to spam filters or the Google Promotions tab (if you use gmail). If you had problems receiving emails about the last election, please consider sharing that feedback on the discussion list.

Understanding where the organization will go beyond the extinction of the fellowship representative is critical. The Identity review process, championed by Jonas Oberg and Kristi Progri, is actively looking at these questions. Please contact Kristi if you wish to participate and look out for updates about this process in emails and Planet FSFE. Kristi will be at FOSDEM this weekend if you want to speak to her personally.

I'll be at FOSDEM this weekend and would welcome the opportunity to meet with you personally. I will be visiting many different parts of FOSDEM at different times, including the FSFE booth, the Debian booth, the real-time lounge (K-building) and the Real-Time Communications (RTC) dev-room on Sunday, where I'm giving a talk. Many other members of the FSFE community will also be present, if you don't know where to start, simply come to the FSFE booth. The next European event I visit after FOSDEM will potentially be OSCAL in Tirana, it is in May and I would highly recommend this event for anybody who doesn't regularly travel to events outside their own region.

Changing the world begins with the change we make ourselves. If you only do one thing for free software this year and you are not sure what it is going to be, then I would recommend this: visit an event that you never visited before, in a city or country you never visited before. It doesn't necessarily have to be a free software or IT event. In 2017 I attended OSCAL in Tirana and the Digital-Born Media Carnival in Kotor for the first time. You can ask FSFE to send you some free stickers and posters (online request with optional donation) to give to the new friends you meet on your travels. Change starts with each of us doing something new or different and I hope our paths may cross in one of these places.

For more information about joining FSFE, local groups, campaigns and other activities please visit the FSFE web site.

Please feel free to discuss this through the FSFE discussion group (join, thread and reply)

Richard Hughes: Firmware Telemetry for Vendors

Planet GNOME - Enj, 01/02/2018 - 1:20md

We’ve shipped nearly 1.2 MILLION firmware updates out to Linux users since we started the LVFS project.

I found out this nugget of information using a new LVFS vendor feature, soon to be deployed: Telemetry. This builds on the previously discussed success/failure reporting and adds a single page for the vendor to get statistics about each bit of hardware. Until more people are running the latest fwupd and volunteering to share their update history it’s less useful, but still interesting until then.

Richard Hughes: No new batches of ColorHug2

Planet GNOME - Enj, 01/02/2018 - 10:51pd

I was informed by AMS (the manufacturer that makes the XYZ sensor that’s the core of the CH2 device) that the AS73210 (aka MTCSiCF) and the MTI08D are end of life products. The replacement for the sensor the vendor offers is the AS73211, which of course is more expensive and electrically incompatible with the AS73210.

The somewhat-related new AS7261 sensor does look interesting as it somewhat crosses the void between a colorimeter and something that can take non-emissive readings, but it’s a completely different sensor to the one on the ColorHug2, and mechanically to the now-abandoned ColorHug+. I’m also feeling twice burned buying specialist components from single-source suppliers.

Being a parents to a 16 week old baby doesn’t put Ania and I in a position where I can go through the various phases of testing, prototypes, test batch, production batch etc for a device refresh like we did with the ColorHug -> ColorHug2. I’m hoping I can get a chance to play with some more kinds of sensors from different vendors, although that’s not going to happen before I start getting my free time back. At the moment I have about 50 fully completed ColorHug2 devices in boxes ready to be sold.

In the true spirit of OpenHardware and free enterprise, if anyone does want to help with the design of a new ColorHug device I’m open for ideas. ColorHug was really just a hobby that got out of control, and I’d love for someone else to have the thrill and excitement of building a nano-company from scratch. Taking me out the equation completely, I’d be as equally happy referring on people who want to buy a ColorHug upgrade or replacement to a different project, if the new product met with my approval :)

So, 50 ColorHugs should last about 3 months before stock runs out, but I know a few people are using devices on production lines and other sorts of industrial control — if that sounds familiar, and you’d like to buy a spare device, now is the time to do so. Of course, I’ll continue supporting all the existing 3162 devices well into the future. I hope to be back building OpenHardware soon, and hopefully with a new and improved ColorHug3.

FLOSS Activities January 2018

Planet Debian - Enj, 01/02/2018 - 1:12pd
Changes Issues Review Administration
  • Debian: try to regain OOB access to a host, try to connect with a hoster, restart bacula after db restart, provide some details to a hoster, add debsnap to snapshot host, debug external email issue, redirect users to support channels
  • Debian mentors: redirect to sponsors, teach someone about dput .upload files, check why a package disappeared
  • Debian wiki: unblacklist IP address, whitelist email addresses, whitelist email domain, investigate DocBook output crash
Communication
  • Initiate discussion about ingestion of more security issue feeds
  • Invite LinuxCNC to the Debian derivatives census
Sponsors

I renewed my support of Software Freedom Conservancy.

The Discord related uploads (harmony, librecaptcha, purple-discord) and the Debian fakeupstream change were sponsored by my employer. All other work was done on a volunteer basis.

Paul Wise http://bonedaddy.net/pabs3/log/ Log

Joaquim Rocha: Attending FOSDEM 2018

Planet GNOME - Mër, 31/01/2018 - 11:53md

On Friday I will attend FOSDEM 2018 after having missing last year’s (but I had a good excuse).

It’s pretty sad that there’s no longer a Desktop devroom, but there is still plenty of other interesting topics to follow.

Thanks to my company Endless for making my attendance easier, and if you’re willing to know more about the problems we’re solving just reach out, as FOSDEM is the perfect place for that!

Free software activities in January 2018

Planet Debian - Mër, 31/01/2018 - 11:20md

Here is my monthly update covering what I have been doing in the free software world in January 2018 (previous month):

Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds effort is to allow verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

I have generously been awarded a grant from the Core Infrastructure Initiative to fund my work in this area.

This month I:



I also made the following changes to our tooling:

diffoscope

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.

  • New features:
    • Compare JSON files using the jsondiff module. (#888112)
    • Report differences in extended file attributes when comparing files. (#888401)
    • Show extended filesystem metadata when directly comparing two files not just when we specify two directories. (#888402)
    • Do some fuzzy parsing to detect JSON files not named .json. [...]
  • Bug fixes:
    • Return unknown if we can't parse the readelf version number for (eg.) FreeBSD. (#886963)
    • If the LLVM disassembler does not work, try the internal one. (#886736)
  • Misc:
    • Explicitly depend on e2fsprogs. (#887180)
    • Clarify Unidentified file log message as we did try and lookup via the comparators first. [...]

I also fixed an issue in the "trydiffoscope" command-line client that was preventing installation on non-Debian systems (#888882).


disorderfs

disorderfs is our FUSE-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues.

  • Correct "explicitly" typo in disorderfs.1.txt. [...]
  • Bump Standards-Version to 4.1.3. [...]
  • Drop trailing whitespace in debian/control. [...]


Debian

My activities as the current Debian Project Leader are covered in my "Bits from the DPL" email to the debian-devel-announce mailing list.

In addition to this, I:

  • Published whydoesaptnotusehttps.com, an overview of why APT does not rely solely on SSL for validation of downloaded packages as I noticed it was being asked a lot on support forums.
  • Reported a number of issues for the mentors.debian.net review service.
Patches contributed
  • dput: Suggest --force if package has already been uploaded. (#886829)
  • linux: Add link to the Firmware page on the wiki to failed to load log messages. (#888405)
  • markdown: Make markdown exit with a non-zero exit code if cannot open input file. (#886032)
  • spectre-meltdown-checker: Return a sensible exit code. (#887077)
Debian LTS

This month I have been paid to work 18 hours on Debian Long Term Support (LTS). In that time I did the following:

  • Initial draft of a script to automatically detect when CVEs should be assigned to multiple source packages in the case of legacy renames, duplicates or embedded code copies.
  • Issued DLA 1228-1 for the poppler PDF library to fix an overflow vulnerability.
  • Issued DLA 1229-1 for imagemagick correcting two potential denial-of-service attacks.
  • Issued DLA 1233-1 for gifsicle — a command-line tool for manipulating GIF images — to fix a use-after-free vulnerability.
  • Issued DLA 1234-1 to fix multiple integer overflows in the GTK gdk-pixbuf graphics library.
  • Issued DLA 1247-1 for rsync, fixing a command-injection vulnerability.
  • Issued DLA 1248-1 for libgd2 to prevent a potential infinite loop caused by signedness confusion.
  • Issued DLA 1249-1 for smarty3 fixing an arbitrary code execution vulnerability.
  • "Frontdesk" duties, triaging CVEs, etc.
Uploads
  • adminer (4.5.0-1) — New upstream release.
  • bfs (1.2-1) — New upstream release.
  • dbus-cpp (5.0.0+18.04.20171031-1) — Initial upload to Debian.
  • installation-birthday (7) — Add e2fsprogfs to Depends so it can drop Essential: yes. (#887275
  • process-cpp:
    • 3.0.1-1 — Initial upload to Debian.
    • 3.0.1-2 — Fix FTBFS due to symbol versioning.
  • python-django (1:1.11.9-1 & 2:2.0.1-1) — New upstream releases.
  • python-gflags (1.5.1-4) — Always use SOURCE_DATE_EPOCH from the environment.
  • redis:
    • 5:4.0.6-3 — Use --clients argument to runtest to force single-threaded operation over using taskset.
    • 5:4.0.6-4 — Re-add procps to Build-Depends. (#887075)
    • 5:4.0.6-5 — Fix a dangling symlink (and thus a broken package). (#884321)
    • 5:4.0.7-1 — New upstream release.
  • redisearch (1.0.3-1, 1.0.4-1 & 1.0.5-1) — New upstream releases.
  • trydiffoscope (67.0.0) — New upstream release.

I also sponsored the following uploads:

Debian bugs filed
  • gdebi: Invalid gnome-mime-application-x-deb icon in AppStream metadata. (#887056)
  • git-buildpackage: Please make gbp clone not quieten the output by default. (#886992)
  • git-buildpackage: Please word-wrap generated changelog lines. (#887055)
  • isort: Don't install test_isort.py to global Python namespace. (#887816)
  • restrictedpython: Please add Homepage. (#888759)
  • xcal: Missing patches due to 00List != 00list. (#888542)

I also filed 4 bugs against packages missing patches due to incomplete quilt conversions against cernlib geant321, mclibs & paw.

RC bugs
  • gnome-shell-extension-tilix-shortcut: Invalid date in debian/changelog. (#886950)
  • python-qrencode: Missing PIL dependencies due to use of Python 2 substvars in Python 3 package. (#887811)


I also filed 7 FTBFS bugs against lintian, netsniff-ng, node-coveralls, node-macaddress, node-timed-out, python-pyocr & sleepyhead.

FTP Team

As a Debian FTP assistant I ACCEPTed 173 packages: appmenu-gtk-module, atlas-cpp, canid, check-manifest, cider, citation-style-language-locales, citation-style-language-styles, cloudkitty, coreapi, coreschema, cypari2, dablin, dconf, debian-dad, deepin-icon-theme, dh-dlang, django-js-reverse, flask-security, fpylll, gcc-8, gcc-8-cross, gdbm, gitlint, gnome-tweaks, gnupg-pkcs11-scd, gnustep-back, golang-github-juju-ansiterm, golang-github-juju-httprequest, golang-github-juju-schema, golang-github-juju-testing, golang-github-juju-webbrowser, golang-github-posener-complete, golang-gopkg-juju-environschema.v1, golang-gopkg-macaroon-bakery.v2, golang-gopkg-macaroon.v2, harmony, hellfire, hoel, iem-plugin-suite, ignore-me, itypes, json-tricks, jstimezonedetect.js, libcdio, libfuture-asyncawait-perl, libgig, libjs-cssrelpreload, liblxi, libmail-box-imap4-perl, libmail-box-pop3-perl, libmail-message-perl, libmatekbd, libmoosex-traitfor-meta-class-betteranonclassnames-perl, libmoosex-util-perl, libpath-iter-perl, libplacebo, librecaptcha, libsyntax-keyword-try-perl, libt3highlight, libt3key, libt3widget, libtree-r-perl, liburcu, linux, mali-midgard-driver, mate-panel, memleax, movit, mpfr4, mstch, multitime, mwclient, network-manager-fortisslvpn, node-babel-preset-airbnb, node-babel-preset-env, node-boxen, node-browserslist, node-caniuse-lite, node-cli-boxes, node-clone-deep, node-d3-axis, node-d3-brush, node-d3-dsv, node-d3-force, node-d3-hierarchy, node-d3-request, node-d3-scale, node-d3-transition, node-d3-zoom, node-fbjs, node-fetch, node-grunt-webpack, node-gulp-flatten, node-gulp-rename, node-handlebars, node-ip, node-is-npm, node-isomorphic-fetch, node-js-beautify, node-js-cookie, node-jschardet, node-json-buffer, node-json3, node-latest-version, node-npm-bundled, node-plugin-error, node-postcss, node-postcss-value-parser, node-preact, node-prop-types, node-qw, node-sellside-emitter, node-stream-to-observable, node-strict-uri-encode, node-vue-template-compiler, ntl, olivetti-mode, org-mode-doc, otb, othman, papirus-icon-theme, pgq-node, php7.2, piu-piu, prometheus-sql-exporter, py-radix, pyparted, pytest-salt, pytest-tempdir, python-backports.tempfile, python-backports.weakref, python-certbot, python-certbot-apache, python-certbot-nginx, python-cloudkittyclient, python-josepy, python-jsondiff, python-magic, python-nose-random, python-pygerrit2, python-static3, r-cran-broom, r-cran-cli, r-cran-dbplyr, r-cran-devtools, r-cran-dt, r-cran-ggvis, r-cran-git2r, r-cran-pillar, r-cran-plotly, r-cran-psych, r-cran-rhandsontable, r-cran-rlist, r-cran-shinydashboard, r-cran-utf8, r-cran-whisker, r-cran-wordcloud, recoll, restrictedpython, rkt, rtklib, ruby-handlebars-assets, sasmodels, spectre-meltdown-checker, sphinx-gallery, stepic, tilde, togl, ums2net, vala-panel, vprerex, wafw00f & wireguard.

I additionally filed 4 RC bugs against packages that had incomplete debian/copyright files against: fpylll, gnome-tweaks, org-mode-doc & py-radix.

Chris Lamb https://chris-lamb.co.uk/blog/category/planet-debian lamby: Items or syndication on Planet Debian.

Day three of the pre-FOSDEM Debconf Videoteam sprint

Planet Debian - Mër, 31/01/2018 - 7:46md

This should really have been the "day two" post, but I forgot to do that yesterday, and now it's the end of day three already, so let's just do the two together for now.

Kyle

Has been hacking on the opsis so we can get audio through it, but so far without much success. In addition, he's been working a bit more on documentation, as well as splitting up some data that's currently in our ansible repository into a separate one so that other people can use our ansible configuration more easily, without having to fork too much.

Tzafrir

Did some tests on the ansible setup, and did some documentation work, and worked on a kodi plugin for parsing the metadata that we've generated.

Stefano

Did some work on the DebConf website. This wasn't meant to be much, but yak shaving sucks. Additionally, he's been doing some work on the youtube uploader as well.

Nattie

Did more work reviewing our documentation, and has been working on rewording some of the more awkward bits.

Wouter

Spent much time on improving the SReview installation for FOSDEM. While at it, fixed a number of bugs in some of the newer code that were exposed by full tests of the FOSDEM installation. Additionally, added code to SReview to generate metadata files that can be handed to Stefano's youtube uploader.

Pollo

Although he had less time yesterday than he did on monday (and apparently no time today) to sprint remotely, Pollo still managed to add a basic CI infrastructure to lint our ansible playbooks.

Wouter Verhelst https://grep.be/blog//pd/ pd

Faqet

Subscribe to AlbLinux agreguesi