My LTS work in October

In October 2018 sadly I just managed to spend 1h working on jessie LTS on:

Today while writing this I also noticed that https://lists.debian.org/debian-lts-announce/2018/10/threads.html currently misses DLAs 1532 until DLA 1541, which I have just reported to the #debian-lists IRC channel and as #913426. Update: as that bug was closed quickly, I guess instead we need to focus on #859123 and #859122, so that DLAs are accessable to everyone in future.

Posted Sat Nov 10 21:47:10 2018

My LTS work in September

In September I only managed to spend 2.5h working on jessie LTS on:

  • finishing work on patches for samba, but then failed to release the DLA for it until now. Expect an upload soon. Sorry for the delay, various RL issues took their toll.
Posted Tue Oct 9 17:49:59 2018

Reproducible Builds 2018 Paris meeting

Many lovely people interested in reproducible builds will meet again at a three-day event in Paris we will welcome both previous attendees and new projects alike! We hope to discuss, connect and exchange ideas in order to grow the reproducible builds effort and we would be delighted if you'd join! And this is the space we'll bring into life:

And whilst the exact content of the meeting will be shaped by the participants when we do it, the main goals will include:

  • Updating & exchanging the status of reproducible builds in various projects.
  • Improving collaboration both between and inside projects.
  • Expanding the scope and reach of reproducible builds to more projects.
  • Working and hacking together on solutions.
  • Brainstorming designs for tools enabling end-users to get the most benefits from reproducible builds.
  • Discussing how reproducible builds will be usable and meaningful to users and developers alike.

Please reach out if you'd like to participate in hopefully interesting, inspiring and intense technical sessions about reproducible builds and beyond!

Posted Thu Sep 13 23:54:54 2018

My LTS work in August 2018

In August I spend 10h working on jessie LTS on:

  • review and sponsor the regresstion update for slurm-llnl and writing DLA-1437-2, and then learning the hard way that jessie-security is not configured to build arch:all packages and that one needs to use '--debbuildopts "-g"' with pbuilder.
  • update https://wiki.debian.org/LTS/Development#Prepare_regression_updates_for_Jessie_LTS
  • claimed a DLA for wpa but Andrew Shadura (one of the maintainers) just went ahead and uploaded it, as I didn't claim it via dla-needed. Following processes is important... (and I didn't)
  • work on sam2p, merge upstream commits fixing CVE-2018-12601 and CVE-2018-12571 into usable patches for the jessie package. Write DLA-1463-1 and release it. I also updated #891527, which is a meta bug asking for several upstream issues to be fixed.
  • drop src:tiff3 from dla-needed.txt as it's only present in wheezy, which is gone / in eLTS.
  • work on patches for samba, which then caused the test suite to fail. Need to follow up on this in September.
  • work on confuse to fix CVE-2018-14447 and upload it and write and release DLA-1470-1, uploaded needed -g -sa, narf.
  • review upload for dropbear by Guilhem Moulin and notice CVE-2018-15599 isn't fixed in sid yet, thus held back sponsoring the upload at first, then uploaded, wrote and released DLA-1476-1.
  • building fixed mariadb-10.0 packages (to address CVE-2018-3058, CVE-2018-3063, CVE-2018-3064 and CVE-2018-3066) which thankfully were prepared by Otto Kekäläinen was more tedious then expected: first I had to fiddle with sbuild and git-buildpackage, which I dont use normally, to get the orig.tar.gz from git, then I ran into diskspace issues with sbuild, then I switched to build with pbuilder, then learned that 7gb diskspace are not enough but 12gb are. Then the testsuite still failed (after hours) because my system was too slow. To address this Otto helpfully recommended to build with DEB_BUILD_OPTIONS="nocheck parallel=4"... and that was all, testing and writing DLA-1488-1 was rather easy and joyfull ;)
  • writing this blog post.
Posted Tue Sep 4 17:39:29 2018

Rise of the machines

Last week I was in a crowd of 256 people watching and cheering Compressorhead, some were stage-diving, many pogo dancing. Truely awesome.

Posted Fri Jul 6 14:12:14 2018

My LTS work in May 2018

Organizing the MiniDebConf 2018 in Hamburg definitly took more time than planned, and then some things didnt work out as I had imagined so I could only start working on LTS at the end of May, and then there was this Alioth2Salsa migration too… But at least I managed to get started working on LTS gain \o/

I managed to spend 6.5h working on:

  • reviewing the list of open CVEs against tiff and tiff3 in wheezy
  • prepare tiff 4.0.2-6+debu21, test and upload to wheezy-security, fixing CVE-2017-11613 and CVE-2018-5784.

  • review procps 1:3.3.3-3+deb7u1 by Abhijith PA, spot an error, re-review, quick test and upload to wheeze-security, then re-upload after building with -sa :) This upload fixes CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 and CVE-2018-1126.

  • write and release DLA-1390-1 and DLA-1301 for those two uploads.

I still need to mark CVE-2017-9815 as fixed in wheezy, as the fix for CVE-2017-9403 also fixes this issue.

Posted Sat Jun 2 19:55:23 2018

So, the MiniDebConf Hamburg 2018 is about to end, it's sunny, no clouds are visible and people seem to be happy.

And, I have time to write this blog post! So, just as a teaser for now, I'll present to you the content of some slides of our "Reproducible Buster" talk today. Watch the video!

Debian is wrong

93% is a lie. We need infrastructure, processes and policies. (And testing. Currently we only have testing and a vague goal.)

With the upcoming list of bugs (skipped here) we don't want to fingerpoint at individual teams, instead I think we can only solve this if we as Debian decide we want to solve it for buster.

I think this is not happening because people believe things have been sorted out and we take care of them. But we are not, we can't do this alone.

Debian stretch

the 'reproducibly in theory but not in practice' release

Debian buster

the 'we should be reproducible but we are not' release?

Debian bullseye

the 'we are almost there but still haven't sorted out...' release???


I rather hope for:

Debian buster

the release is still far away and we haven't frozen yet! ;-)

Posted Sun May 20 18:00:36 2018

Trouble in techno hippie paradise

So I'm in some 'jungle' in Brasil, enjoying a good time with some friends which another friend jokingly labeled as cryptohippies, enjoying the silence, nature, good food, some cats & dogs and 3g internet. Life is good here.

And then we decided to watch "Stare into the lights my pretties" and while it is a very good and insightful movie, it's also disturbing to see just how much we, as human societies, have changed ourselves mindlessly (or rather, out of our own minds) in very recent history.

Even though not a smartphone user myself and while seemingly aware and critical of many changes happening in the last two decades, the movie was still eyeopening to me. Now if there only werent 100 distractions per day I would maybe be able to build up on this. Or maybe I need to watch it every week, though this wouldn't work neither, as the movie explains so well...

The movie also reminded me why I dislike being cc:ed on email so much (unless urgent and when I'm subscribed to the list being posted to). Because usually during the day I (try to) ignore list mails, but I do check my personal inboxes. And if someone cc:s me, this breaks my lines of thoughts. So it seems I still need to get better at ignoring stuff, even if something is pushed to me. Maybe especially then. (And hints for good .procmail rules for this much appreciated.)

Another interesting point: while the number of people addicted to nicotine has been going down globally lately, the number of network addicts has outnumbered those by far now. And yet the long term effects of being online almost 24/365 have not yet been researched at all. The cigarette companies claimed that most doctors smoke. The IT industry claims it's normal to be online. What's your wakeup2smartphone time? Do you check email every day?

This movie also made me wonder what Debian's role will, can and should be in this future. (And where of course I don't only mean Debian, but free software, free societies, in general.)

So, this movie brings up many questions. (And nicely explains why people rather don't like that.) So go watch this movie! You will be touched, think and check your email/smartphone afterwards.

(Least, of course it's ironic that the movie is on youtube. I learned that to download subtitles you need to tell youtube-dl to do so, and it's easiest by using --all-subs. And btw, youtube-dl-gui needs help with running with python3 and thus with getting into Debian.)

Update: it's on archive.org as well.

Posted Tue Apr 24 02:25:06 2018

My LTS work in March

So in March I resumed contributing to LTS again, after 2 years of taking a break, due to being overwhelmed with work on Reproducible Builds... Reproducible Builds is still eating a lot of my time, but as we currently are unfunded I had to pick up some other sources of funding.

And then, due to Reproducible Builds still requiring a lot of my attention (both actual work as well as work on getting funded again) and other stuff happening in my life, I was also mostly unable to find time to really dive into LTS again, so while I managed to renew my knowledge of the procedures etc, I only managed to find 1.5h work to be done :/ Which in turn made me feel quite bad, so that I also postponed writing about this until now.

So, in March I only managed to mark libcdio as no-DSA and upload samba to fix CVE-2018-1050.

On the plus side and despite the above, I'm very happy to be able to work on LTS again, because a.) I consider it interesting (to fix bugs in old packages, yes!) and b.) because I use LTS myself and c.) because the LTS crowd is actually a nice and helpful one.

And now let's see how much LTS work I'll manage in April...!

Posted Mon Apr 16 15:01:05 2018

Some problems with Code of Conducts

shiromarieke took her time and wrote an IMHO very good text about problems with Code of Conducts, which I wholeheartly recommend to read.

I'll just quote two sentences which I think are essential:

Quote 1: "This is not a rant - it is a call for action: Let's gather, let's build the structures we need to make all people feel safe and respected in our communities." - in that sense, if you have feedback, please share it with shiromarieke as suggested by her. I'm very thankful she is taking the time to discuss her critism and work on possible improvements! (I'll likely not discuss this online though I'll be happy to discuss offline.) I just wanted to share this link with the Debian communities, as I agree with many of shiromarieke's points and because I want to support effords to improve this, as I believe those efforts will benefit everyone (as diversity and a welcoming athmospehre benefits everyone).

Quote 2: "Although I don't believe CoC are a good solution to help fix problems I have and will always do my best to respect existing CoC of workplaces, events or other groups I am involved with and I am thankful for your attempt to make our places and communities safer." - me too.

Posted Tue Mar 20 13:26:27 2018