FOSS Activites in May 2020

Here’s my (eighth) monthly update about the activities I’ve done in the F/L/OSS world.

Debian

This month marks my 15 months of contributing to Debian. And 6th month as a DD! \o/

Whilst I love doing Debian stuff, I have started spending more time on the programming side now. And I hope to keep it this for some time now.
Of course, I’ll keep doing the Debian stuff, but just lesser in amount.

Anyway, the following are the things I did in May.

Uploads:

• ruby-aggregate (0.2.3-1) - got patches merged upstream.
• ruby-whenever (1.0.0-1) - new upstream version + take over maintenance.
• polybar (3.4.3-1) - fix GCC 10 compilation.
• ruby-dbus (0.16.0-1) - new upstream version + fix FTBFS (temporarily).
• ruby-rack (2.1.1-5) - use Dir.entries instead of Dir[glob]. Fixes CVE-2020-8161.
• ruby-espeak (1.0.4-2) - fix FTBFS (#952587).
• ruby-libnotify (0.9.4-1) - NEW (#961577). Needed by batalert.
• batalert (0.3.0-1) - NEW (#961580).
• golang-github-zyedidia-tcell (1.4.5-1) - fix tcell ID for micro.
• micro (2.0.4-1) - new release features + change in build path.

Other $things:

• Hosted Ruby team meeting. Logs here.
• Attended Debian Perl Sprints. Report here.
• Sponsored git-repo-updater and mplcursors for Sudip.
• Mentoring for newcomers.
• FTP Trainee reviewing.
• Moderation of -project mailing list.
• Got selected for GSoC’20 for Debian!

Experimenting and improving Ruby libraries FTW!

I have been very heavily involved with the Debian Ruby team for over an year now.
Thanks to Antonio Terceiro (and GSoC), I’ve started experimenting and taking more interest in upstream development and improvement of these libraries.

This has the sole purpose of learning. It has gotten fun since I’ve started doing Ruby.
And I hope it stays this way.

This month, I opened some issues and proposed a few pull requests. They are:

• Issue #802 against whenever for Ruby2.7 test failures.
• Issue #8 against aggregate asking upstream for a release on rubygems.
• Issue #104 against irb for asking more about Array.join("\n").
• Issue #1391 against mail asking upstream to cut a new release.
• Issue #1655 against rack reporting test failures in the CVE fix.
• Issue #84 against ruby-dbus for help with Debian bug #836296.
• Issue #85 against ruby-dbus asking if they still use rDoc for doc generation.
• PR #9 against aggregate for dropping git from gemspec.
• PR #804 against whenever for dropping git from gemspec.
• Packaged ruby-cmath as it was split from Ruby2.7; cf: (#961213).

Debian LTS

Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.

This was my eighth month as a Debian LTS paid contributor. I was assigned 17.25 hours and worked on the following things:

CVE Fixes and Announcements:

• Issued DLA 2191-1, fixing CVE-2020-10683, for dom4j.
  For Debian 8 “Jessie”, this problem has been fixed in version 1.6.1+dfsg.3-2+deb8u2.

• Issued DLA 2192-1, fixing CVE-2020-10663, for ruby2.1.
  For Debian 8 “Jessie”, this problem has been fixed in version 2.1.5-2+deb8u10.

• Issued DLA 2208-1, fixing CVE-2020-11026, CVE-2020-11027, CVE-2020-11028, and CVE-2020-11029, for wordpress.
  For Debian 8 “Jessie”, these problems have been fixed in version 4.1.30+dfsg-0+deb8u1.

• Issued DLA 2210-1, fixing CVE-2020-3810, for apt.
  This update was prepared by the maintainer, Julian. I just took care of the paperwork.
  For Debian 8 “Jessie”, this problem has been fixed in version 1.0.9.8.6.

Other LTS Work:

• Triaged tika, freerdp, and apache2.
• Mark CVE-2020-12105/openconnect as no-dsa not-affected for Jessie.
• Mark CVE-2020-9489/tika as no-dsa ignored for Jessie.
• Mark CVE-2020-11025/wordpres as not-affected for Jessie.
• Add fix for Add fix for CVE-2019-18823/condor.
• Requested CVE for bug#60251 against apache2.
• Raised issue #947 against sympa reporting an incomplete patch for CVE-2020-10936.
• Created the LTS Survey on the self-hosted LimeSurvey instance.
• Attended the second LTS meeting. Logs here.
• General discussion on LTS private and public mailing list.

Other(s)

Sometimes it gets hard to categorize work/things into a particular category.
That’s why I am writing all of those things inside this category.
This includes two sub-categories and they are as follows.

Personal:

This month I could get the following things done:

• Wrote and published my first Ruby gem/library/tool on RubyGems! 💯
  It’s open-sourced and the repository is here.
  Bug reports and pull requests are welcomed! 😉
• Wrote a small Ruby script (available here) to install Ruby gems from Gemfile(.lock).
  Needed this when I hit a bug while using ruby-standalone, which Antonio fixed pretty quickly! 🚀
• Had a coffee chat with John Coghlan! 🤗
  Tweet here.

Open Source:

Again, this contains all the things that I couldn’t categorize earlier.
Opened several issues and did a PR review:

• Issue #15434 against phantomjs, asking to look into CVE-2019-17221. Still no action :/
• Issue #947 against sympa, reporting an incomplete patch for CVE-2020-10936.
• Issue #2102 against polybar, mentioning that the build is not reproducible.
• Issue #5521 against libgit2, mentioning that the build is not reproducible.
• Reviewed PR #5523 for polybar, which was a fix for the above issue.

Until next time.
:wq for today.