FOSS Activities in June 2020
Here’s my (ninth) monthly update about the activities I’ve done in the F/L/OSS world.
Debian
This was my 16th month of contributing to Debian. I became a DM in late March last year and a DD last Christmas! \o/
This month was a little intense. I did a lot of different kinds of things in Debian this month. Whilst most of my time went on doing security stuff, I also sponsored a bunch of packages.
Here are the following things I did this month:
Uploads and bug fixes:
- rails (2:5.2.4.3+dfsg-1) - fix a bunch of CVEs in Sid and Bullseye.
- ruby-json (2.1.0+dfsg-2+deb10u1) - backport CVE-2020-10663 fix to Buster.
- ruby-json (2.0.1+dfsg-3+deb9u1) - backport CVE-2020-10663 fix to Stretch.
- ruby-kaminari (1.0.1-6) - add patch to fix CVE-2020-11082.
- ruby2.3 (2.3.3-1+deb9u8) - backport CVE-2020-10663 fix to Stretch.
- python-libusb1 (1.8-1.1) - NMU for a source-only upload.
- pry (0.13.1-1) - Fix failing tests & new upstream version.
- ruby-rubocop-packaging (0.1.0-1) - NEW (#963016).
- batalert (0.4.0-1) - fixes against RuboCop.
- json-schema-test-suite (2.0.0-1.1) - NMU for a source-only upload on request.
- ruby-ahoy-email (1.1.0-1) - Disable tests temporarily (#959060).
- micro (2.0.6-1) - fix crashing at startup (#961853).
- golang-github-zyedidia-tcell (1.4.8-1) - new upstream version.
- micro (2.0.6-1~bpo10+1) - backport the fix for (#961853).
- micro (2.0.6-2) - fix the reintroduced versioning issue (#953400).
- ruby-whitequark-parser (2.7.1.4-1) - new upstream version.
Other $things:
- Hosted Ruby team meeting. Logs here.
- Mentoring for newcomers.
- FTP Trainee reviewing.
- Moderation of -project mailing list.
- Sponsored `ruby-ast` for Abraham, `libexif` for Hugh, `djangorestframework-gis` and `karlseguin-ccache` for Nilesh, and `twig-extensions`, `twig-i18n-extension`, and `mariadb-mysql-kbs` for William.
GSoC Phase 1, Part 2!
Last month, I got selected as a Google Summer of Code student for Debian again! \o/
I am working on the Upstream-Downstream Cooperation in Ruby project.
The first half of the first month is blogged here, titled, GSoC Phase 1.
Also, I log daily updates at gsocwithutkarsh2102.tk.
Whilst the daily updates are available at the above site^, I’ll break down the important parts of the latter half of the first month here:
- Documented the first cop, `GemspecGit` via PR #2.
- Made an initial release, v0.1.0! 💖
- Spread the word/usage about this tool/library via adding them in the official RuboCop docs.
- We had our third weekly meeting where we discussed the next steps and the things that are supposed to be done for the next set of cops.
- Wrote more tests so as to cover different aspects of the `GemspecGit` cop.
- Opened PR #4 for the next Cop, `RequireRelativeToLib`.
- Introduced rubocop-packaging to the outer world and requested other upstream projects to use it! It is being used by 6 other projects already 😭💖
- Had our fourth weekly meeting where we pair-programmed (and I sucked :P) and figured out a way to make the second cop work.
- Found a bug, reported at issue #5 and raised PR #6 to fix it.
- And finally, people loved the library/tool (and its outcome):
(for those who don’t know, @bbatsov is the author of RuboCop, @lienvdsteen is an amazing fullstack engineer at GitLab, and @pboling is the author of some awesome Ruby tools and libraries!)
Continuation of GSoC for other Ruby related stuff!
Whilst I have already mentioned it multiple times, it’s still not enough to stress how amazing Antonio Terceiro and David Rodríguez are! 💖
They’re more than just mentors to me!
Well, only they know how much I trouble them with different things, which are not only related to my GSoC project but also extend to the projects they maintain! :P
David maintains rubygems and bundler and Antonio maintains debci.
So on days when I decide to hack on `rubygems` or `debci`, only I know how kind and nice David and Antonio are to me!
They very patiently walk me through with whatever I am stuck on, no matter what and no matter when.
Thus, with them around, I contributed to these two projects and more, with regards to working on `rubocop-packaging`.
Following are a few things that I raised:
- PR #3731 for rubygems/bundler to ship default `.rubocop.yml` file.
- PR #2140 for pry to fix `bundler_spec` test.
- PR #3740 for rubygems/bundler to fix all RuboCop offenses.
- MR #114 for debci to show package details on the retry page.
- Issue #356 against rake to request to support all `gitignore` rule patterns in `rake/file_list`.
- PR #9 for fast_ignore to use `fast_ignore` instead of `git ls-files`.
- PR #3748 for rubygems/bundler to add actions to automatically bump man page month.
- PR #8160 for rubocop to add `rubocop-packaging` as a known extension.
- PR #3754 for rubygems/bundler to constrain the shipped RuboCop’s version.
- Issue #8 against fast_ignore to clarify the strange behavior of `include_files`.
- PR #3765 for rubygems/bundler to fix remaining RuboCop issues and add tests.
Debian LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
This was my ninth month as a Debian LTS paid contributor. I was assigned 30.00 hours and worked on the following things:
CVE Fixes and Announcements:
Issued DLA 2215-1, fixing CVE-2020-3327 and CVE-2020-3341, for clamav.
For Debian 8 “Jessie”, these problems have been fixed in version 0.101.5+dfsg-0+deb8u2.
Issued DLA 2216-1, fixing CVE-2020-8161, for ruby-rack.
For Debian 8 “Jessie”, this problem has been fixed in version 1.5.2-3+deb8u3.
Issued DLA 2234-1, fixing CVE-2005-1513, CVE-2005-1514, CVE-2005-1515, CVE-2020-3811, and CVE-2020-3812, for netqmail.
For Debian 8 “Jessie”, these problems have been fixed in version 1.06-6.2~deb8u1.
Uploaded a fix for CVE-2020-8162, CVE-2020-8164, CVE-2020-8165, CVE-2020-8166, and CVE-2020-8167, for rails. This upload was for Sid and Bullseye and these CVE(s) were fixed in version 2:5.2.4.3+dfsg-1.
Uploaded a fix for CVE-2020-11082, for ruby-kaminari. This upload was for Sid and Bullseye and this CVE was fixed in version 1.0.1-6.
Uploaded a fix for CVE-2020-10663, for ruby-json, ruby2.1, and ruby2.5. These uploads were for Stretch and Buster and were fixed in the version 2.3.3-1+deb9u8, 2.1.0+dfsg-2+deb10u1, 2.3.3-1+deb9u8, and 2.5.5-3+deb10u2.
Issued DLA 2237-1, fixing CVE-2019-8842 and CVE-2020-3898, for cups.
For Debian 8 “Jessie”, these problems have been fixed in version 1.7.5-11+deb8u8.
Issued DLA 2246-1, fixing CVE-2020-13696, for xawtv.
For Debian 8 “Jessie”, this problem has been fixed in version 3.103-3+deb8u1.
Issued DLA 2248-1, fixing CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, for intel-microcode.
For Debian 8 “Jessie”, these problems have been fixed in version 3.20200609.2~deb8u1.
Issued DLA 2249-1, fixing CVE-2020-0182 and CVE-2020-0198, for libexif.
For Debian 8 “Jessie”, these problems have been fixed in version 0.6.21-2+deb8u4.
Other LTS Work:
- Triaged sympa, apache2, qemu, and coturn.
- Add fix for CVE-2020-0198/libexif.
- Requested CVE for bug#60251 against apache2 and prodded further.
- Raised issue #947 against `sympa` reporting an incomplete patch for CVE-2020-10936. More discussions internally.
- Created the LTS Survey on the self-hosted LimeSurvey instance.
- Attended the third LTS meeting. Logs here.
- General discussion on LTS private and public mailing list.
Other(s)
Sometimes it gets hard to categorize work/things into a particular category.
That’s why I am writing all of those things inside this category.
This includes two sub-categories and they are as follows.
Personal:
This month I did the following things:
- Wrote and published v0.1.0 of `rubocop-packaging` on RubyGems! 💯
  It’s open-sourced and the repository is here.
  Bug reports and pull requests are welcomed! 😉
- Integrated a tiny (yet a powerful) hack to align images in markdown for my blog.
  Commit here. 🚀
- Released v0.4.0 of `batalert` on RubyGems! 🤗
Open Source:
Again, this contains all the things that I couldn’t categorize earlier.
Opened several issues and PRs:
- Issue #9 against 100daysof, reporting some broken CSS.
- PR #10 for 100daysof, fixing the above issue^.
- Issue #133 against djangorestframework-api-key, asking to fix copyright years.
- PR #5 for rspec-stubbed_env, dropping `git ls-files` in gemspec.
- PR #70 for rspec-pending_for, dropping `git ls-files` in gemspec.
- Issue #74, issue #143, issue #164, and issue #767 against multiple projects, asking them to use RuboCop.
- PR #212 for arbre, dropping `git ls-files` in gemspec.
- Issue #1749 and issue #1750 against micro, asking for help as the Debian package fails to build in `buster-backports`.
- PR #1751 for micro, fixing the above issue^.
- Issue #348 against hugo-coder, clarifying the weird timing issue in the blog posts.
- Issue #356 against hugo-coder, reporting the weird display of images and missing twitter cards.
- MR #12 for linter, dropping `git ls-files` in gemspec.
- MR #13 for linter, doing some minor refactoring.
Thank you for sticking along for so long :)
Until next time.
`:wq` for today.