Hi all,

Here's my early LTS report. The TL;DR is:
* website work
* python-gpg
* golang
* libarchive
* netmask
* libreoffice
* enigmail

# Website work

I again worked on the website this month, doing one more mass import ([MR 53][]) which was finally merged by Holger Levsen, after I [fixed an issue with PGP signatures][] showing up on the website.

[fixed an issue with PGP signatures]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/51

I also polished the misnamed "audit" script that checks for missing announcements on the website and published it as [MR 1][] on the "cron" project of the webmaster team. It's still a "work in progress" because it is still too noisy: there are a few DLAs missing already and we haven't published the latest DLAs on the website.

[MR 1]: https://salsa.debian.org/webmaster-team/cron/merge_requests/1
[MR 53]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/53

The remaining work here is to automate the import of new announcements on the website ([bug #859123][]). I've done what is hopefully the [last mass import][] and updated the workflow in the wiki. Finally, I have also done a bit of [cleanup][] on the website that was necessary after the mass import which also required [rewrite rules][] at the server level. Hopefully, I will have this fairly well wrapped up for whoever picks this up next.

[rewrite rules]: https://salsa.debian.org/anarcat/dsa-puppet/merge_requests/1
[cleanup]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/55
[last mass import]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/58
[bug #859123]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859123

# Python GPG concerns

Following a new vulnerability (CVE-2019-6690) disclosed in the python-gnupg library, I have [expressed concerns][] at the security reliability of the project in future updates, referring to wider issues identified by Isis Lovecroft in [this post][].
I suggested we should simply drop security support for the project, citing it didn't have many reverse dependencies. But it seems that wasn't practical and the [response][] was that it was actually possible to keep on maintaining it and such an update was issued for jessie.

[response]: https://lists.debian.org/20190209103913.e45eqo3gax5g3...@manillaroad.local.home.trueelena.org
[this post]: https://blog.patternsinthevoid.net/pretty-bad-protocolpeople.html
[expressed concerns]: https://lists.debian.org/87r2cj4kg2....@curie.anarc.at

# Golang concerns

Similarly, I have [expressed more concerns][] about the maintenance of Golang packages following the disclosure of a vulnerability (CVE-2019-6486) regarding elliptic curve implementations in the core Golang libraries. An update (DLA-1664-1) was issued for the core, but because Golang is statically compiled, I was worried the update wasn't sufficient: we also needed to upload updates for any build dependency using the affected code as well.

[expressed more concerns]: https://lists.debian.org/87sgx0czxg....@curie.anarc.at

Holger asked the golang team for help and I also asked on IRC. Apparently, all the non-dev packages (with some exceptions) were binNMU'd in stretch but the process needs to be clarified.

I also wondered if this maintenance problem could be resolved in the long term by switching to dynamic linking. Ubuntu tried to switch to dynamic linking but abandoned the effort, so it seems Golang will be quite difficult to maintain for security updates in the foreseeable future.

# Libarchive updates

I have reproduced the problem described in CVE-2019-1000020 and CVE-2019-1000019 in jessie. I published a fix as [DLA-1668-1][]. I had to build the update without sbuild's overlay system (in a tar chroot) otherwise the cpio tests fail.
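As an added illustration of the static-linking problem raised in the Golang section above (example code written for this page, not part of the original report or of any Debian tooling): a small scanner that lists ELF binaries embedding a Go runtime version older than the one carrying a fix, which is the set of packages a rebuild would need to cover. The `.gopclntab` and `go1.x.y` string matching is a heuristic I am assuming here, and the `FIXED` value is a constructed placeholder, not a version taken from DLA-1664-1.

```python
"""Flag ELF binaries that embed a Go runtime older than a fixed version.

Heuristic: Go binaries keep a .gopclntab section and embed the string
runtime.buildVersion ("go1.7.4"). Both checks are plain string matching,
so treat a hit as a rebuild candidate, not as proof. The FIXED value is a
constructed placeholder, not taken from any DLA."""
import os
import re
import sys

ELF_MAGIC = b"\x7fELF"
GO_VERSION_RE = re.compile(rb"go(\d+)\.(\d+)(?:\.(\d+))?")


def parse_go_version(blob):
    """Return (major, minor, patch) of the embedded Go runtime, or None."""
    if not blob.startswith(ELF_MAGIC) or b".gopclntab" not in blob:
        return None  # not an ELF file, or no Go runtime tables inside
    m = GO_VERSION_RE.search(blob)
    if m is None:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def needs_rebuild(version, fixed):
    """True if the binary's runtime predates the release carrying the fix."""
    return version is not None and version < fixed


def scan(roots, fixed):
    """Yield (path, version) for Go binaries under roots built before fixed."""
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        version = parse_go_version(fh.read())
                except OSError:  # unreadable or special file, skip it
                    continue
                if needs_rebuild(version, fixed):
                    yield path, version


if __name__ == "__main__":
    FIXED = (1, 7, 4)  # constructed placeholder; use the fixed release's version
    for path, (major, minor, patch) in scan(sys.argv[1:] or ["/usr/bin"], FIXED):
        print(f"{path}: built with go{major}.{minor}.{patch}, predates fix")
```

Run it against `/usr/bin` (or any directories given as arguments) on a system where the updated runtime is installed; every path it prints still carries the old statically linked library and belongs on the binNMU list.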
[DLA-1668-1]: https://lists.debian.org/20190207192754.ga14...@curie.anarc.at

# Netmask updates

This one was minimal: a patch was [sent by the maintainer][] so I only wrote and sent [DLA 1665-1][]. Interestingly, I didn't have access to the `.changes` file which made writing the DLA a little harder, as my workflow normally involves calling `gen-DLA --save` with the `.changes` file which autopopulates a template. I learned that `.changes` files are normally archived on `coccia.debian.org` (specifically in `/srv/ftp-master.debian.org/queue/done/`), but not in the case of security uploads.

[DLA 1665-1]: https://lists.debian.org/20190206222753.ga28...@curie.anarc.at
[sent by the maintainer]: https://lists.debian.org/20190206005958.ga7...@debian.org

# Libreoffice

I once again tried to tackle an issue (CVE-2018-16858) with Libreoffice. The [last time][] I tried to work on LibreOffice, the test suite was failing and the linker was *crashing* after hours of compilation and I never got anywhere. But that was wheezy, so I figured jessie might be in better shape.

[last time]: https://anarc.at/blog/2017-11-30-free-software-activities-november-2017

I quickly got into trouble with sbuild: I ran out of space on *both* `/` and `/home` so I moved all my photos to an external drive (!).

The patch ended up being trivial. I could reproduce with a simple proof of concept, but could not quite get code execution going. It might just be I haven't found the right Python module to load, so I assumed the code was vulnerable and, given the patch was simple, it was worth doing an update.

The build ended up taking close to nine hours and 35GiB of disk space. I published [DLA-1669-1][] as a result.

I also opened a [bug report against dput-ng][] because it still doesn't warn users about uploads to security-master the same way dput does.
[bug report against dput-ng]: https://bugs.debian.org/921750
[DLA-1669-1]: https://lists.debian.org/20190208212911.ga10...@curie.anarc.at

# Enigmail

Finally, Enigmail was taken off the official support list in jessie when the debian-security-support proposed update was [approved][].

[approved]: https://lists.debian.org/81f630a358a5c6da6b3a02c3a2c18...@mail.adam-barratt.org.uk

-- 
It is capitalism and government which stand for disorder and violence. Anarchism is the very reverse of it; it means order without government and peace without violence.
- Alexander Berkman