FOSS Activities in August 2020
Here’s my (eleventh) monthly update about the activities I’ve done in the F/L/OSS world.
Debian
This was my 20th month of contributing to Debian. I became a DM in late March last year and a DD last Christmas! \o/
Well, this month we had DebConf! \o/
(more about this later this week!)
Anyway, here are the following things I did in Debian this month:
Uploads and bug fixes:
- rubocop (0.89.1+dfsg-1) - New upstream version for RuboCop::Packaging.
- ruby-rubocop-ast (0.3.0+dfsg-1) - New upstream version for RuboCop's latest version.
- ruby-rubocop-packaging (0.3.0-1) - Shouldn't check lib/ and gemspec file.
- bidi-clojure (2.1.3-1) - New upstream version for Puppet6.
- Source-only uploads for ruby-anima, ruby-uniform-notifier, ruby-unparser, ruby-morpher, and ruby-path-expander.
Other $things:
- Mentoring for newcomers.
- FTP Trainee reviewing.
- Moderation of -project mailing list.
- Sponsored php-dasprid-enum and php-bacon-baconqrcode for William, and ruby-unparser, ruby-morpher, and ruby-path-expander for Cocoa.
Goodbye GSoC! \o/
In May, I got selected as a Google Summer of Code student for Debian again! \o/
I am working on the Upstream-Downstream Cooperation in Ruby project.
The other 5 blogs can be found here:
- GSoC Phase 1 (part 1).
- GSoC Phase 1 (part 2).
- GSoC Phase 2 (part 1).
- GSoC Phase 2 (part 2).
- GSoC Phase 3 (part 1).
- And this is GSoC Phase 3 (part 2).
Also, I log daily updates at gsocwithutkarsh2102.tk.
Since this is a wrap and whilst the daily updates are already available at the above site, I'll quickly mention the important points and links here.
- The git repository is hosted on GitHub: https://github.com/utkarsh2102/rubocop-packaging.
- It is a linter, an extension of RuboCop, focused on enforcing upstream best practices and coding conventions.
- There have been 5 releases in all, including 4 cops and other bug fixes (including false-positives and false-negatives).
- The entire source code is documented with a separate docs/ directory, which is hosted at https://docs.rubocop.org/rubocop-packaging.
- The packaging style guide is hosted at https://packaging.rubystyle.guide.
- At the time of writing this, it is being used by around 30 other projects ^.^
- Not only could you install this via gem install rubocop-packaging, but also via apt install ruby-rubocop-packaging.
- The total work consists of around 85 commits with 15 PRs, contributed by 4 amazing people (including me :P) in the last 3 months (June '20 to August '20).
- And finally, many thanks to two amazing people (the mentors for this project), Antonio Terceiro and David Rodríguez! 💖
Continuation of GSoC for other Ruby related stuff!
Whilst working on RuboCop::Packaging, I contributed to more Ruby projects, refactoring their library a little bit and mostly fixing RuboCop issues and fixing issues that the Packaging extension reports as "offensive".
Following are the PRs that I raised:
- PR #170 for autoprefixer-rails to drop git ls-files in gemspec.
- PR #479 for cucumber-rails to update RuboCop and RuboCop::Packaging.
- PR #1465 for cucumber-ruby for updating RuboCop to v0.89.
- PR #208 for cucumber-ruby-core to fix .rubocop.yml and add RuboCop::Packaging as a development dependency.
- PR #178 for webdrivers to update the RuboCop and RuboCop::RSpec version to the latest.
- PR #179 for webdrivers to drop git ls-files in gemspec.
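The "drop git ls-files in gemspec" PRs above target the same problem the packaging extension flags: a gemspec that shells out to git to build its file list only works inside a git checkout, so a downstream build from a release tarball (which is what a distribution package does) ends up with an empty or wrong spec.files. The following is an added example written for this post, not code from rubocop-packaging itself: a minimal stand-alone check for that pattern, together with a constructed before/after gemspec showing the usual Dir-based replacement. The regex, the helper names and the glob list in the suggested replacement are my own assumptions, and the real extension's cop is considerably more thorough.

```ruby
# Added example: a tiny check, in the spirit of RuboCop::Packaging, for
# gemspecs that run `git ls-files` (backtick or %x form) to fill spec.files.
# Not the project's own code; the pattern and helpers are assumptions.

# Matches `git ls-files ...` and %x(git ls-files ...) / %x[...] / %x{...}.
GIT_LS_FILES = /(`|%x[(\[{])\s*git\s+ls-files/

# Returns [[line_number, line], ...] for every line of the gemspec source
# that builds its file list by shelling out to git.
def gemspec_git_offenses(source)
  source.each_line.with_index(1)
        .select { |line, _| line.match?(GIT_LS_FILES) }
        .map { |line, no| [no, line.chomp] }
end

# A git-free replacement: enumerate the shipped files explicitly so the gem
# builds identically from a tarball and from a checkout. The glob list is
# an assumption; adjust it to the gem's real layout.
def suggested_replacement
  "spec.files = Dir['lib/**/*', 'bin/*', 'README*', 'LICENSE*', '*.gemspec']"
end

# Constructed sample gemspec that would be flagged.
BEFORE = <<~GEMSPEC
  Gem::Specification.new do |spec|
    spec.name    = "example"
    spec.version = "0.1.0"
    spec.files   = `git ls-files -z`.split("\\x0").reject { |f| f.match(%r{^(test|spec)/}) }
  end
GEMSPEC

# The same gemspec after applying the replacement.
AFTER = <<~GEMSPEC
  Gem::Specification.new do |spec|
    spec.name    = "example"
    spec.version = "0.1.0"
    #{suggested_replacement}
  end
GEMSPEC

if __FILE__ == $PROGRAM_NAME
  gemspec_git_offenses(BEFORE).each do |no, line|
    puts "line #{no}: shells out to git: #{line.strip}"
    puts "  suggestion: #{suggested_replacement}"
  end
  puts "after fix, offenses: #{gemspec_git_offenses(AFTER).size}"
end
```

Run it as a script to see the flagged line of the constructed gemspec and the zero-offense result after the rewrite; the same functions can be pointed at any gemspec read from disk.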
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my eleventh month as a Debian LTS and my second as a Debian ELTS paid contributor.
I was assigned 21.75 hours for LTS and 14.25 hours for ELTS and worked on
the following things:
LTS CVE Fixes and Announcements:
- Issued DLA 2304-1, fixing CVE-2015-9542, for libpam-radius-auth. For Debian 9 Stretch, these problems have been fixed in version 1.3.16-5+deb9u1.
- Issued DLA 2305-1, fixing CVE-2018-10756, for transmission. For Debian 9 Stretch, these problems have been fixed in version 2.92-2+deb9u2.
- Issued DLA 2307-1, fixing CVE-2018-1000544, for ruby-zip. For Debian 9 Stretch, these problems have been fixed in version 1.2.0-1.1+deb9u1.
- Issued DLA 2308-1, fixing CVE-2019-17113, for libopenmpt. For Debian 9 Stretch, these problems have been fixed in version 0.2.7386~beta20.3-3+deb9u4.
- Issued DLA 2317-1, fixing CVE-2020-10177, for pillow. For Debian 9 Stretch, these problems have been fixed in version 4.0.0-4+deb9u2.
- Issued DLA 2318-1, fixing CVE-2019-10064 and CVE-2020-12695, for wpa. For Debian 9 Stretch, these problems have been fixed in version 2:2.4-1+deb9u7.
- Started working on uwsgi update for CVE-2020-11984. It seems that src:apache2 wasn't affected by that, but src:uwsgi was.
ELTS CVE Fixes and Announcements:
- Issued ELA 255-1, fixing CVE-2020-14344, for libx11. For Debian 8 Jessie, these problems have been fixed in version 2:1.6.2-3+deb8u3.
- Issued ELA 259-1, fixing CVE-2020-10177, for pillow. For Debian 8 Jessie, these problems have been fixed in version 2.6.1-2+deb8u5.
- Issued ELA 269-1, fixing CVE-2020-11985, for apache2. For Debian 8 Jessie, these problems have been fixed in version 2.4.10-10+deb8u17.
- Started working on clamAV update; it's a major bump from v0.101.5 to v0.102.4. There were lots of moving parts. Contacted upstream maintainers to help reduce the risk of regression. Came up with a patch to loosen the libcurl version requirement. Hopefully, the update could be rolled out soon!
Other (E)LTS Work:
- I spent an additional 11.15 hours working on compiling the responses of the LTS survey and preparing a gist of it for its presentation during the Debian LTS BoF at DebConf20.
- Triaged qemu, pillow, gupnp, clamav, apache2, and uwsgi.
- Marked CVE-2020-11538/pillow as not-affected for Stretch.
- Marked CVE-2020-11984/apache2 as not-affected for Stretch.
- Marked CVE-2020-10378/pillow as not-affected for Jessie.
- Marked CVE-2020-11538/pillow as not-affected for Jessie.
- Marked CVE-2020-3481/clamav as not-affected for Jessie.
- Marked CVE-2020-11984/apache2 as not-affected for Jessie.
- Marked CVE-2020-{9490,11993}/apache2 as not-affected for Jessie.
- Hosted Debian LTS BoF at DebConf20. Recording here.
- General discussion on LTS private and public mailing list.
Until next time.
:wq for today.