My free software activities, November and December 2016
Debian Long Term Support (LTS)

Those were my 8th and 9th months working on Debian LTS, started by Raphael Hertzog at Freexian. I had trouble resuming work in November as I had taken a long break during the month and started looking at issues only during the last week of November.
ImageMagick, again

I have, again, spent a significant amount of time fighting the ImageMagick (IM) codebase. About 15 more vulnerabilities were found since the last upload, which resulted in DLA-756-1, where I unfortunately forgot to mention CVE-2016-8677 and CVE-2016-9559, something that was noticed by my colleague Roberto after the upload... More details about the upload are available in the announcement.

When you consider that I worked on IM back in October, which led to an upload near the end of November covering around 80 more vulnerabilities, it doesn't look good for the project at all. Of the 15 vulnerabilities I worked on, only 6 had CVEs assigned and I had to request CVEs for the other 9 vulnerabilities plus 11 more that were still unassigned. This led to the assignment of 25 distinct CVE identifiers, as a lot of issues were found to be distinct enough to warrant their own CVEs.

One could also question how many of those issues affect the fork, GraphicsMagick. A lot of the vulnerabilities were found through fuzzing searches and the lack of a complete and public corpus for those issues makes me wonder if anyone actually tests those thoroughly. It's already hard enough to track issues within IM itself; I can't imagine what it would be for the fork to keep track of those issues, especially since upstream doesn't systematically request CVEs for issues that they find, a questionable practice considering the number of issues we all need to keep track of.
I have also worked on the Nagios package and produced DLA 751-1, which fixed two fairly major issues (CVE-2016-9565 and CVE-2016-9566) that could allow remote root access under certain conditions. Fortunately, the restricted permissions set up by default in the Debian package made both exploits limited to information disclosure and privilege escalation if the debug log is enabled.
This says a lot about how Debian packaging can help in limiting the attack surface of certain vulnerabilities. It was also "interesting" to have to re-learn dpatch to add patches to the package: I regret not converting it to quilt, as the operation is simple and quilt is so much easier to use. This reminded me that the number of patching systems historically used in Debian is just staggering...
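The dpatch-to-quilt conversion mentioned above, written out as an added example: this is not code from the post, from the nagios package or from the dpatch/quilt tools themselves, and it assumes the usual dpatch layout (patches named *.dpatch under debian/patches, a shell header ending at a `@DPATCH@` marker line, ordering taken from debian/patches/00list, and patches applied with -p1 as quilt does by default). The sample package tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post or any Debian package):
# turn a dpatch-style debian/patches/ directory into a quilt series.
# Assumptions: patches are DIR/debian/patches/NAME.dpatch, each has a
# shell header terminated by a line reading "@DPATCH@", and 00list gives
# the apply order (one name per line, "#" comments, ".dpatch" optional).
set -eu

# dpatch_to_quilt DIR: rewrite DIR/debian/patches in quilt form and
# switch the source format to "3.0 (quilt)". Returns 1 on a malformed tree.
dpatch_to_quilt() {
    pkg="$1"
    pdir="$pkg/debian/patches"
    [ -f "$pdir/00list" ] || { echo "no 00list in $pdir" >&2; return 1; }
    : > "$pdir/series.new"
    grep -v '^[[:space:]]*#' "$pdir/00list" | while read -r name; do
        [ -n "$name" ] || continue
        name="${name%.dpatch}"
        src="$pdir/$name.dpatch"
        dst="$pdir/$name.patch"
        # Refuse to guess: without the marker we would delete the whole file.
        grep -q '^@DPATCH@' "$src" || { echo "$src: no @DPATCH@ marker" >&2; exit 1; }
        # Drop the shell header up to and including @DPATCH@; what remains
        # is a plain unified diff that quilt can apply.
        sed '1,/^@DPATCH@/d' "$src" > "$dst"
        rm "$src"
        echo "$name.patch" >> "$pdir/series.new"
    done
    mv "$pdir/series.new" "$pdir/series"
    rm "$pdir/00list"
    mkdir -p "$pkg/debian/source"
    echo "3.0 (quilt)" > "$pkg/debian/source/format"
}

# make_sample DIR: constructed sample tree (not a real package) with one
# active dpatch and one commented-out entry in 00list.
make_sample() {
    d="$1"
    mkdir -p "$d/debian/patches"
    printf '01_fix-overflow\n# 02_disabled\n' > "$d/debian/patches/00list"
    cat > "$d/debian/patches/01_fix-overflow.dpatch" <<'EOF'
#! /bin/sh /usr/share/dpatch/dpatch-run
## 01_fix-overflow.dpatch by example
##
## DP: constructed sample: bounds check before strcpy
@DPATCH@
--- a/src/foo.c
+++ b/src/foo.c
@@ -1,2 +1,3 @@
+if (n > sizeof buf) return -1;
 strcpy(buf, in);
EOF
}

# Stand-alone demonstration on a throwaway directory.
demo() {
    tmp=$(mktemp -d)
    make_sample "$tmp"
    dpatch_to_quilt "$tmp"
    echo "series:"; cat "$tmp/debian/patches/series"
    echo "first patch line:"; head -n1 "$tmp/debian/patches/01_fix-overflow.patch"
    rm -rf "$tmp"
}
```

Two things remain manual after the script runs: removing the `include /usr/share/dpatch/dpatch.mk` line (and the patch/unpatch targets) from debian/rules, and dropping dpatch from Build-Depends; with the source format set to "3.0 (quilt)", dpkg-source applies debian/patches/series itself, so no quilt hooks are needed in debian/rules at all.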
I had already worked on the package in November and continued the work in December, thanks to Raphael, who fixed a lot of issues with the test suite. I tried to wrap this up by fixing the build on armel and the test suite. Unfortunately, I had to stop again because I ran out of hours and the fips test suite was still failing, but fortunately Raphael was able to complete the work with DLA-759-1.
As things stand now, the package is in better shape than in other suites as the test suite ( Debian bug #806639 ) and autopkgtest ( Debian bug #806207 ) are still not shipped in the sid or stable releases.
Other work

For the second time, I forgot to formally assign myself a package before working on it, which meant that I wasted part of my hours working on the monit package. Those hours, of course, were not billed to the project. I still spent some time reviewing mejo's patch to ensure it was done properly and it turned out we both made similar patches working independently, always a good sign.
As I reported in my preliminary November report , I have also triaged issues in libxml2, ntp, openssl and tiff.
Finally, I should mention my short review of the phpMyAdmin upload .
Other free software work

One reason why I had so much trouble getting paid work done in November is that I was busy with unpaid work...

manpages.debian.org

A major time hole for me was trying to tackle the manpages.debian.org service, which had been offline since August when I started looking at the project in November. After a thorough evaluation of the available codebases, I figured the problem space wasn't so hard and it was worth trying to do a cleanroom implementation. The result is a tool called debmans.

It took, obviously, way longer than I expected, as I experimented with Python libraries I had been keeping an eye on for a while. For the command-line interface, I used the click library, which is really a breeze to use, but a bit heavy for smaller scripts. For a web search service prototype, I looked at flask, which was also very interesting, as it is light and simple enough to use that I could get started quickly. It also, surprisingly, fares pretty well in the global TechEmpower benchmarking tests.

Debmans is the first project for which I have tried the CII Best Practices Badge program, an interesting questionnaire to review best practices in software engineering. It is an excellent checklist for new and old projects that I recommend everyone get familiar with.
I still need to complete my work on Debmans: as I write this, I couldn't get access to the new server the DSA team setup for this purpose. It was a bit of a frustrating experience to wait for all the bits to get into place while I had a product ready to test. In the end, the existing manpages maintainer decided to deploy the existing codebase on the new server while the necessary dependencies are installed and accesses are granted. There's obviously still a bunch of work to be done for this to be running in production so I have postponed all this work to January.
My hope is that this tool can be reused by other distributions, but after talking with Ubuntu folks, I am not holding my breath: it seems everyone has something that is "good enough" and that they don't want to break it...
Monkeysign

I spent a good chunk of time giving a kick in the Monkeysign project, with the 2.2.2 release, which features contributions from two other developers, which may be a record.
I am especially happy to have adopted a new code of conduct - it has been an interesting process to adapt the code of conduct for such a relatively small project. Monkeysign is becoming a bit of a template on how to do things properly for my Python projects: documentation on readthedocs.org including a code of conduct, support and contribution information, and so on.
LWN publishing

As you may have noticed if you follow this blog at all, I have started publishing articles for the LWN magazine, filed here under the lwn tag. It is a way for me to actually get paid for some of my blogging work that used to be done for free. Those reports, for example, take up a significant amount of my time and are done without being paid. Converting parts of this work into paid work is part of my recent effort to reduce the amount of time I spend on the computer.

A funny note: I always found the layout of the site to be a bit odd, until I looked at my articles posted there in a different web browser, which didn't have my normal ad blocker configuration. It turns out LWN uses ads, and Google ones at that, which surprised me. I definitely didn't want to publish my work under Google ads, and will never do so on this blog. But it seems fair that, since I get paid for this work, there is some sort of revenue stream associated with it. If you prefer to see my work without ads, you can wait for it to be published here or become a subscriber, which allows you to get rid of the ads.
Debian packaging

I have added a few packages to the Debian archive:

- magic-wormhole: easy file-transfer tool, co-maintained with Jamie Rollins
- slop: screenshot tool
- xininfo: utility used by teiler
- teiler (currently in NEW): GUI for screenshot and screencast tools

I have also updated sopel and atheme-services.

Other work

Against my better judgment, I worked again on the borg project, this time to try and improve the documentation. I generated a surprising 18 commits of documentation during that time, mainly to fix display issues and streamline the documentation. My final attempt at refactoring the docs eventually failed, unfortunately, again reminding me of the difficulty I have in collaborating on that project.
GitHub also tells me that I have opened 19 issues in 14 different repositories in November, a mind-boggling number of projects if you ask me. I would like to particularly bring your attention to the linkchecker project, which seems to be dead upstream and for which I am looking for collaborators in order to create a healthy fork.
Finally, I started working on reviving the stressant project and changing all my passwords, stay tuned for more!