FOSS Activites in June 2021

Here’s my (twenty-first) monthly but brief update about the activities I’ve done in the F/L/OSS world.

Debian

This was my 30th month of actively contributing to Debian. I became a DM in late March 2019 and a DD on Christmas ‘19! \o/

However, this wasn’t really a good month for mental health. And so apparently lesser work but still more than nothing, heh. :D

As a side note, this month, I spent a lot of time on Clubhouse, the new social audio app, at least in India. (I am sure you’d have heard?) Anyway, I made some friends there; more on that later, maybe? (ik, I say that a lot, but ugh, I’ll get to it!)

Anyway, I did the following stuff in Debian:

Uploads and bug fixes:

• rails (2:5.2.2.1+dfsg-1+deb10u3) - Fix for CVE-2021-22885/#988214, CVE-2021-22904/#988214, and CVE-2021-22880.
• eterm (0.9.6-6.1) - Fix CVE-2021-33477/#989041 for Debian unstable, a.k.a. sid.
• eterm (0.9.6-5+deb10u1) - Fix CVE-2021-33477/#989041 for Debian 10, buster.
• micro (2.0.9-1) - New upstream version, v2.0.9.
• ruby-httpclient (2.8.3-3) - Disable tests related to HTTP_PROXY as Launchpad builders don’t like them.

Other $things:

• Mentoring for newcomers.
• Moderation of -project mailing list.

Ubuntu

This was my 5th month of actively contributing to Ubuntu. Now that I’ve joined Canonical to work on Ubuntu full-time, there’s a bunch of things I do! \o/

This month, again, was dedicated to PHP 8.0, transitioning from PHP 7.4 to 8.0. And finally, I and Bryce were able to complete the transition! \o/

This month, I also became an Ubuntu Core Developer. :D I’ll write about it in sometime; lol, yet another promise. Heh.

That said, the things that I mostly worked on are:

Uploads & Syncs:

• [2021-06-01] No-change rebuild for php-email-validator/3.1.1-2build1.
• [2021-06-01] php-cache-integration-tests/0.17.0-1ubuntu1 (fix build w/ symfony & php-twig.
• [2021-06-02] php-league-mime-type-detection/1.5.1+ds-2ubuntu1 (fix tests w/ PHP 8.0).
• [2021-06-02] php-sabredav/1.8.12-9ubuntu1 (fix autopkgtest w/ PHP 8.0).
• [2021-06-03] sync-request/php-doctrine-annotations (1.12.1-1) (from experimental) - LP: #1929738.
• [2021-06-03] php-twig/3.3.2-1ubuntu2 (make it build; circular-dependency breakthrough! \o/).
• [2021-06-03] symfony/5.2.6+dfsg-1ubuntu1 (make it build; circular-dependency breakthrough! \o/).
• [2021-06-04] php-cache-tag-interop/1.0.1-1ubuntu1 (fix FTBFS w/ Psr/Cache).
• [2021-06-04] php-doctrine-bundle/2.2.3-1ubuntu1 (make it build; circular-test-dependency breakthrough! \o/).
• [2021-06-07] symfony/5.2.6+dfsg-1ubuntu2 (fix FTBFS & tests w/ PHP 8 & Psr/Cache).
• [2021-06-09] No-change rebuild for phpmyadmin/4:5.0.4+dfsg2-2ubuntu3.
• [2021-06-09] php-twig/3.3.2-1ubuntu3 (re-enable tests & re-add symfony-based extensions).
• [2021-06-11] No-change rebuild for zeroc-ice/3.7.5-2build1.
• [2021-06-11] No-change rebuild for php-uopz/6.1.2-4build2.
• [2021-06-17] php-text-captcha/1.0.2-8ubuntu1 (fix FTBFS w/ PHP 8).
• [2021-06-17] php-imagick/3.4.4+php8.0+3.4.4-2+deb11u2ubuntu1 (fix FTBFS w/ PHP 8).
• [2021-06-18] sync’d/doctrine (2.8.4+dfsg-1) (from experimental).
• [2021-06-18] php-symfony-security-acl/3.1.1-1ubuntu1 (fix FTBFS w/ PHP 8).
• [2021-06-19] phpmyadmin/4:5.0.4+dfsg2-2ubuntu5 (fix uninstallability issues for php-defaults).
• [2021-06-19] php-zend-stdlib/3.3.1-3ubuntu1 (fix tests w/ PHP 8).
• [2021-06-21] phpseclib/1.0.19-3ubuntu2 (fix build & tests w/ PHP 8).
• [2021-06-22] filed hints w/ Iain (laney) to make php-defaults migrate - MP #404519.
• [2021-06-23] announced the end of PHP 8.0’s successful tranisition on ubuntu-devel@. Thread here! \o/

+1 Maintenance:

• Shadowed Christian Ehrhardt on his +1. My report here.
  • Added hints for schleuder; MP #404025.
  • Fixed ruby-httpclient via 2.8.3-3 in Debian.
  • Requested removal of ruby-gitlab-pg-query from Impish (-proposed) - LP: #1931257.
  • Re-triggered python-django-debug-toolbar/1:3.2.1-1 for amd64 and it passed & migrated.
  • Fixed ruby-rails-html-sanitizer via 1.3.0-2 in Debian to make it work with newer API of ruby-loofah.
  • Re-triggered ruby-stackprof with glibc as triggers on amd64; it passed & unblocked glibc.
  • Re-triggered ruby-ferret with glibc as triggers on amd64; it passed & unblocked glibc.
  • Re-triggered ruby-hiredis with glibc as triggers on armhf; it passed & unblocked glibc.
  • Added hints for ruby-excon on s390x; MP #404113.

Seed Operations:

• [2021-06-01] MP #403562/prips for Impish - MP: #403562.
  • [2021-06-02] MP #403602/prips for Hirsute - MP: #403602.
  • [2021-06-02] MP #403603/prips for Groovy - MP: #403603.
  • [2021-06-02] MP #403604/prips for Focal - MP: #403604.
  • [2021-06-02] MP #403605/prips for Bionic - MP: #403605.
• [2021-06-17] MP #404326/python-aws-requests-auth for Impish - MP #404326.
  • [2021-06-22] MP #404489/python-aws-requests-auth for Hirsute - MP #404489.
  • [2021-06-22] MP #404490/python-aws-requests-auth for Groovy - MP #404490.
  • [2021-06-22] MP #404491/python-aws-requests-auth for Focal - MP #404491.
  • [2021-06-22] MP #404492/python-aws-requests-auth for Bionic - MP #404492.

Bug Triages:

• [2021-06-04] Friday bug triage.
• [2021-06-14] Friday bug triage.
• [2021-06-18] Friday bug triage.

Debian (E)LTS

Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.

And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).

This was my twenty-first month as a Debian LTS and eleventh month as a Debian ELTS paid contributor.
I was assigned 40.00 hours for LTS and 40.00 hours for ELTS and worked on the following things:

LTS CVE Fixes and Announcements:

• Issued DLA 2670-1, fixing CVE-2021-23017, for nginx.
  For Debian 9 stretch, these problems have been fixed in version 1.10.3-1+deb9u6.
• Issued DLA 2671-1, fixing CVE-2021-33477, for rxvt-unicode.
  For Debian 9 stretch, these problems have been fixed in version 9.22-1+deb9u1.
• Issued DLA 2681-1, fixing CVE-2021-33477, for eterm.
  For Debian 9 stretch, these problems have been fixed in version 0.9.6-5+deb9u1.
• Prepped and uploaded a fix for CVE-2021-33477 to Debian unstable. News here.
  For Debian unstable, these problems have been fixed in version 0.9.6-6.1.
• Prepped and uploaded a fix for CVE-2021-33477 to Debian buster-pu. News here.
  For Debian 10 buster, these problems have been fixed in version 0.9.6-5+deb10u1.
• Issued DLA 2682-1, fixing CVE-2021-33477, for mrxvt.
  For Debian 9 stretch, these problems have been fixed in version 0.5.4-2+deb9u1.
• Issued DLA 2683-1, fixing CVE-2017-7483 and CVE-2021-33477, for rxvt.
  For Debian 9 stretch, these problems have been fixed in version 1:2.7.10-7+deb9u2.
• Issued DLA 2700-1, fixing CVE-2019-19630, CVE-2021-20308, CVE-2021-23158, CVE-2021-23165, CVE-2021-23180, CVE-2021-23191, CVE-2021-23206, CVE-2021-26252, CVE-2021-26259, and CVE-2021-26948, for htmldoc.
  For Debian 9 stretch, these problems have been fixed in version 1.8.27-8+deb9u1.

ELTS CVE Fixes and Announcements:

• Issued ELA 437-1, fixing CVE-2021-23017, for nginx.
  For Debian 8 jessie, these problems have been fixed in version 1.6.2-5+deb8u8.
• Issued ELA 448-1, fixing CVE-2021-3429, for cloud-int.
  For Debian 8 jessie, these problems have been fixed in version 0.7.6~bzr976-2+deb8u3.
• Issued ELA 451-1, fixing CVE-2021-20308, CVE-2021-23158, CVE-2021-23165, CVE-2021-23180, CVE-2021-23191, CVE-2021-23206, CVE-2021-26252, CVE-2021-26259, and CVE-2021-26948, for htmldoc.
  For Debian 8 jessie, these problems have been fixed in version 1.8.27-8+deb8u2.
• Issued ELA 452-1, fixing CVE-2021-3572, for python-pip.
  For Debian 8 jessie, these problems have been fixed in version 1.5.6-5+deb8u2.
• Issued ELA 454-1, fixing CVE-2021-3630, for djvulibre.
  For Debian 8 jessie, these problems have been fixed in version 3.5.25.4-4+deb8u4.
• Started working on intel-microcode fixes; have been waiting to see if there are any regressions noticed on sid, bullseye, and buster. Except for 0x906ea processors, everything seems fine so far, at least.

Other (E)LTS Work:

• Front-desk duty from 28-06 until 04-07 for both LTS and ELTS.
• Triaged rails, nginx, eterm, mrxvt, rxvt, ieee-data, cloud-init, intel-microcode, htmldoc, djvulibre, composter, and curl.
• Mark CVE-2021-30535/icu as not-affected for stretch.
• Mark CVE-2017-7483 as fixed via +deb9u2 upload.
• Auto EOL’ed unrar-nonfree, darktable, mruby, htslib, ndpi, dcraw, libspring-security-2.0-java, rabbitmq-server, and linux for jessie.
• [LTS] Discussed ieee-data’s fix for LTS. Thread here.
• [ELTS] Discussed cloud-init’s logs w/ Raphael and ask for a rebuild.
• [(E)LTS] Discussed intel-microcode’s status w/ the maintainer and track regressions, et al.
• [(E)LTS] Discussed htmldoc’s situation; about upgrade problems and prep a fix for that.
• Attended monthly Debian LTS meeting.
• Answered questions (& discussions) on IRC (#debian-lts and #debian-elts).
• General and other discussions on LTS private and public mailing list.

Until next time.
:wq for today.