FOSS Activites in August 2022

Here’s my (thirty-fifth) monthly but brief update about the activities I’ve done in the F/L/OSS world.

Debian

This was my 44th month of actively contributing to Debian. I became a DM in late March 2019 and a DD on Christmas ‘19! \o/

There’s a bunch of things I do, both, technical and non-technical. Here are the things I did this month:

Debian Uploads

• rails (2:6.1.6.1+dfsg-1) - New upstream version, v6.1.6.1+dfsg to fix CVE-2022-22577, CVE-2022-27777, and CVE-2022-32224 and thereby, bug #1011941, #1016982, and #1016140.
• python-pbcommand (2.1.1+git20220616.3f2e6c2-2) - Add python3-avro to Depends to fix autopkgtest.

Other $things:

• Being an AM for Arun Kumar, process #1024.
• Sponsoring stuff for non-DDs.
• Mentoring for newcomers.
• Moderation of -project mailing list.

Ubuntu

This was my 19th month of actively contributing to Ubuntu. Now that I joined Canonical to work on Ubuntu full-time, there’s a bunch of things I do! \o/

I mostly worked on different things, I guess.

I was too lazy to maintain a list of things I worked on so there’s no concrete list atm. Maybe I’ll get back to this section later or will start to list stuff from the fall, as I was doing before. :D

Debian (E)LTS

Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.

And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).

This was my thirty-fifth month as a Debian LTS and twenty-sixth month as a Debian ELTS paid contributor.
I worked for 14.00 hours for LTS and 19.00 hours for ELTS.

LTS CVE Fixes and Announcements:

• Issued DLA 3094-1, fixing CVE-2021-0561, for flac.
  For Debian 10 buster, these problems have been fixed in version 1.3.2-3+deb10u2.
• Issued DLA 3095-1, fixing CVE-2022-30122 and CVE-2022-30123, for ruby-rack.
  For Debian 10 buster, these problems have been fixed in version 2.0.6-3+deb10u1.
• Uploaded rails/2:6.1.6.1+dfsg-1 to unstable for fixing CVE-2022-22577, CVE-2022-27777, and CVE-2022-32224 and thereby, bug #1011941, #1016982, and #1016140.
• Also looked at src:samba and how Ubuntu is looking at it. It’s a mess, really. And it’s different for both, LTS and ELTS. Worse for LTS with 36 opened issues. :)

ELTS CVE Fixes and Announcements:

• Issued ELA 671-1, fixing CVE-2022-31163, for ruby-tzinfo.
  For Debian 9 stretch, these problems have been fixed in version 1.2.2-2+deb9u1.
• Issued ELA 672-1, fixing CVE-2022-0436, for grunt.
  For Debian 9 stretch, these problems have been fixed in version 1.0.1-5+deb9u2.
• Started to look at src:tiff again. There are a lot of open CVEs piled up now. Drafted some fixes but halted the process to look at src:tiff in buster first - which I’ll do next month.
  I might do the update in two cycles. But more on that later.
• Also looked at src:samba and how Ubuntu is looking at it. It’s a mess, really. Probably should write to the list. :/

Other (E)LTS Work:

• Triaged grunt, flac, ruby-rack, ruby-tzinfo, and mbedtls.
• Helped and assisted new (and fellow) contributors joining Freexian (LTS/ELTS).
• Answered questions (& discussions) on IRC (#debian-lts and #debian-elts) and Matrix.
• General and other discussions on LTS private and public mailing list.

Until next time.
:wq for today.