FOSS Activites in September 2020

Here’s my (twelfth) monthly update about the activities I’ve done in the F/L/OSS world.

Debian

This was my 21st month of contributing to Debian. I became a DM in late March last year and a DD last Christmas! \o/

I’ve been busy with my undergraduation stuff but I still squeezed out some time for the regular Debian work. Here are the following things I did in Debian this month:

Uploads and bug fixes:

• rails (2:6.0.3.3+dfsg-1) - Fixing CVE-2020-15169/bug #970040.
• ruby-openid-connect (1.1.8-1) - New upstream version, v1.1.8.
• ruby-mini-magick (4.10.1-1) - Fixing FTBFS, bug #966936.
• ruby-open-graph-reader (0.7.0+dfsg-1) - New upstream version, v0.7.0.
• ruby-string-direction (1.2.2-1) - New upstream version, v1.2.2.
• ruby-jquery-rails (4.3.5-1) - New upstream version, v4.3.5.
• ruby-leaflet-rails (1.6.0+dfsg-1) - New upstream version, v1.6.0.
• ruby-jquery-rails (4.3.5-2) - Fixing FTBFS, bug #956604.
• ruby-rubocop-packaging (0.5.0-1) - Add support for auto-correct.

Other $things:

• Attended the Debian Ruby team meeting. Logs here.
• Mentoring for newcomers.
• FTP Trainee reviewing.
• Moderation of -project mailing list.
• Sponsored trace-cmd for Sudip, ruby-asset-sync for Nilesh, and mariadb-mysql-kbs for William.

RuboCop::Packaging - Helping the Debian Ruby team! \o/

This Google Summer of Code, I worked on writing a linter that could flag offenses for lines of code that are very troublesome for Debian maintainers while trying to package and maintain Ruby libraries and applications!

Whilst the GSoC period is over, I’ve been working on improving that tool and have extended that linter to now “auto-correct” these offenses by itself! \o/
You can now just use the -A flag and you’re done! Boom! The ultimate game-changer!

Here’s a quick demo for this feature:

A few quick updates on RuboCop::Packaging:

• Has 4 cops, solving 4 different issues.
• 3 of them support auto-correction. Just use the -A flag.
• 5 releases so far, latest being v0.5.0.
• GitHub Repository: https://github.com/utkarsh2102/rubocop-packaging/
• Release notes: https://github.com/utkarsh2102/rubocop-packaging/releases/
• Documentation: https://docs.rubocop.org/rubocop-packaging/
• Style guide: https://packaging.rubystyle.guide/
• Being used by over 55 projects! \o/

I’ve also spent a considerable amount of time in raising awareness about this and in more general sense, about downstream maintenance.
As a result, I raised a bunch of PRs which got really good response. I got all of the 20 PRs merged upstream, fixing these issues.

Debian (E)LTS

Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.

And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).

This was my twelfth month as a Debian LTS and third month as a Debian ELTS paid contributor.
I was assigned 19.75 hours for LTS and 15.00 hours for ELTS and worked on the following things:
(for LTS, I over-worked for 11 hours last month on the survey so only had 8.75 hours this month!)

LTS CVE Fixes and Announcements:

• Issued DLA 2362-1, fixing CVE-2020-11984, for uwsgi.
  For Debian 9 Stretch, these problems have been fixed in version 2.0.14+20161117-3+deb9u3.
• Issued DLA 2363-1, fixing CVE-2020-17446, for asyncpg.
  For Debian 9 Stretch, these problems have been fixed in version 0.8.4-1+deb9u1.
• Started working on ruby-kaminari, ruby-rack-cors, and ruby-json-jwt.

ELTS CVE Fixes and Announcements:

• Issued ELA 274-1, fixing CVE-2020-11984, for uwsgi.
  For Debian 8 Jessie, these problems have been fixed in version 2.0.7-1+deb8u3.
• Issued ELA 275-1, fixing CVE-2020-14363, for libx11.
  For Debian 8 Jessie, these problems have been fixed in version 2:1.6.2-3+deb8u4.
• Issued ELA 278-1, fixing CVE-2020-8184, for ruby-rack.
  For Debian 8 Jessie, these problems have been fixed in version 1.5.2-3+deb8u4.
• Also worked on updating the version of clamAV from v0.101.5 to v0.102.4.
  This was a bit tricky package to work on since it involved an ABI/API change and was more or less a transition. Super thanks to Emilio for his invaluable help and him taking over the package, finishing, and uploading it in the end.

Other (E)LTS Work:

• Front-desk duty from 31-08 to 06-09 and from 28-09 onward for both LTS and ELTS.
• Triaged apache2, cryptsetup, nasm, node-bl, plinth, qemu, rsync, ruby-doorkeeper, and uwsgi.
• Marked CVE-2020-15094/symfony as not-affected for Stretch.
• Marked CVE-2020-{9490,11993}/apache2 as ignored for Stretch.
• Marked CVE-2020-8244/node-bl as no-dsa for Stretch.
• Marked CVE-2020-24978/nasm as no-dsa for Stretch.
• Marked CVE-2020-25073/plinth as no-dsa for Stretch.
• Marked CVE-2020-15094/symfony as not-affected for Jessie.
• Marked CVE-2020-14382/cryptsetup as not-affected for Jessie.
• Marked CVE-2020-14387/rsync as not-affected for Jessie.
• Auto EOL’ed ark, collabtive, linux, nasm, node-bl, and thunderbird for Jessie.
• Use mktemp instead of tempfile in bin/auto-add-end-of-life.sh.
• Attended the fifth LTS meeting. Logs here.
• General discussion on LTS private and public mailing list.

Until next time.
:wq for today.