FOSS Activities in April 2026

Here’s my monthly but brief update about the activities I’ve done in the FOSS world.

Debian

Whilst I didn’t get a chance to do much, here are still a few things that I worked on:

  • Leading the DebConf Bursary team along with PEB.
    • This took most of my Debian time this month and I think it’ll be the same next month, too.
  • Assisted a few folks in getting their patches submitted via Salsa.
  • Mentoring for newcomers.
  • Moderation of -project mailing list.

Ubuntu

I joined Canonical to work on Ubuntu full-time back in February 2021.

Whilst I can’t give a full, detailed list of things I did, here’s a quick TL;DR of what I did:

  • Successfully released 26.04 LTS!
    • It was a smooth release - thank you to everyone who helped get us here. \o/
  • Started working on 26.10 archive opening.
    • It’s codenamed Stonking Stingray!
  • Assisted a bunch of folks with my Archive Admin and Release team hats to:
    • Review and grant FFes.
    • Accepted bug fixes during the freezes.
    • Coordinating weekly syncs.
    • Promoting/demoting binaries to/from main.
    • Taking care of package removals and so on.
  • Was pretty occupied with the new release process architecture and design.
  • Preparing for the Madrid sprints.

Debian (E)LTS

This month I have worked 9 hours on Debian Long Term Support (LTS) and on its sister Extended LTS project and did the following things:

Work in Progress

  • php-phpseclib: Affected by CVE-2023-52892 and CVE-2026-32935, at the moment.

    • [LTS]: Prepared 2.0.30-2+deb11u3 with the two CVEs mentioned above.
    • There might be more CVEs coming. I’ll carry over the work to next month.
  • knot-resolver: Affected by CVE-2023-26249, CVE-2023-46317, and CVE-2022-40188, leading to Denial of Service.

  • node-lodash: Affected by CVE-2025-13465, prototype pollution in the baseUnset function.

    • [stable]: Xavier from the JS team ACK’d the patch. The trixie and bookworm uploads will follow.
    • [LTS]: The bullseye test and upload will follow once the stable uploads are in and ACK’d by the SRMs.
    • Carry-over’d from last month.

Other Activities

  • [E/LTS] Front Desk duties: Performed a large batch of CVE triage, marking numerous packages for bullseye, buster, and stretch as either postponed, end-of-life, not-affected, or added them to the Xla-needed.txt files.

    • Also replied to certain mails and IRC texts around FD related tasks.
  • [ELTS] Still looking at ruby-rack and its monstrosity. :)

  • [E/LTS] Monitored discussions on mailing lists, IRC, and all the documentation updates.


Until next time.
:wq for today.