sunweaver's NET

One of my Debian Edu customers has recently been on German television...

https://www.ndr.de/fernsehen/sendungen/schleswig-holstein_magazin/Kathar...

(URL is valid until 24th May 2020).

Have fun watching. (Access might not be possible world-wide).

Last week, Martin Wimpress (from Ubuntu MATE) and I did a 2.5-day packaging sprint and after that I bundle-uploaded all MATE 1.24 related components to Debian unstable. Thus, MATE 1.24 landed in Debian unstable only four days after the upstream release. I think this was the fastest version bump of MATE in Debian ever.

Packages should have been built by now for most of the 22 architectures supported by Debian. The current/latest build status can be viewed on the DDPO page of the Debian+Ubuntu MATE Packaging Team [1].

Please also refer to the MATE 1.24 upstream release notes for details on what's new and what's changed [2].

Credits

One big thanks goes to Martin Wimpress. Martin and I worked on all the related packages hand in hand. Only this team work made this very fast upload possible. Martin especially found the fix for a flaw in Python Caja that caused all Python3 based Caja extensions to fail in Caja 1.24 / Python Caja 1.24. Well done!

Another big thanks goes to the MATE upstream team. You again did an awesome job, folks. Much, much appreciated.

Last but not least, a big thanks goes to Svante Signell for providing Debian architecture specific patches for Debian's non-Linux distributions (GNU/Hurd, GNU/kFreeBSD). We will wait now until all MATE 1.24 packages have initially migrated to Debian testing and then follow-up upload his fixes. As in the past, MATE shall be available on as many Debian architectures as possible (ideally: all of them).

Before and during FOSDEM 2020, I agreed with the people (developers, supporters, managers) of the UBports Foundation to package the Unity8 Desktop Environment for Debian.

Why the hack???

Why Unity8? Because of its convergent desktop feature: Just one code base, usable on a phone, tablet and desktop. Unity8 currently is very well tested on the Ubuntu phone and on various tablet devices. The desktop implementation is lagging a bit behind, but that will be amended soonish, too.

Why Unity8 for Debian? Because there is no real good solution for tablets in Debian at the moment. If I see this wrong, please correct me.

Why Unity8 for Debian derivatives? Uploading software to Debian is always the best approach for bringing software into other distributions that are constantly derived from Debian (e.g. just like Ubuntu).

Making Progress

The progress documentation of the packaging work (something around 40 packages need to be touched / uploaded / adopted, at least, to get this task done) I will publish in +/- regular intervals on my blog (aggregated on https://planet.debian.org).

In January 2020, I have worked on the Debian LTS project for 20 hours (of 20 hours planned).

Due to a reduced need of developers in Freexian's ELTS project for Debian wheezy, I have moved my activity completely over to the LTS project (and also took the amount of assigned hours with me).

LTS Work

• LTS: Frontdesk: Follow-up on emails, send out DLAs on behalf of Utkarsh Gupta (due to keyring issues).
• LTS: CVE Bug Triaging for Debian jessie LTS: puppet, openjpeg2, suricata, hiredis, ksh, python-pysaml2, qemu, salt, wireshark, wordpress.
• Upload to jessie-security: openjpeg2 (DLA-2081-1 [1], 1 CVE).
• Upload to jessie-security: suricata (DLA-2087-1 [2], 1 CVE).
• Upload to jessie-security: libsolv (DLA-2088-1 [3], 1 CVE).
• Upload to jessie-security: openjpeg2 (DLA-2089-1 [4], 1 CVE).
• Upload to jessie-security: qtbase-opensource-src (DLA-2092-1 [5], 1 CVE).
• CVE Bug Triaging / Introspection spamassassin, prepare upstream backport for jessie LTS (not yet clear, if that is the way to go) [6].

Other security related work for Debian

• Prepare libsolv oldstable-pu and stable-pu uploads (1 CVE).
• Do an italc oldstable-pu upload (14 CVEs) [package prepared earlier].

References

• [1] https://lists.debian.org/debian-lts-announce/2020/01/msg00025.html
• [2] https://lists.debian.org/debian-lts-announce/2020/01/msg00032.html
• [3] https://lists.debian.org/debian-lts-announce/2020/01/msg00034.html
• [4] https://lists.debian.org/debian-lts-announce/2020/01/msg00035.html
• [5] https://lists.debian.org/debian-lt

In December 2019, I have worked on the Debian LTS project for 15 hours (of 15 hours planned) and on the Debian ELTS project for 5 hours (of 5 hours planned) as a paid contributor.

LTS Work

• Triage 14 packages during my frontdesk week (tomcat7, tomcat8, lout, apache-log4j1.2, x2goclient (libssh regression), nethack, nethack, cyrus-sasl2, php5, libjpeg-turbo, transfig, ruby-rack, ruby-excon)
• Upload to jessie-security: cyrus-sasl2 (DLA-2044-1 [1]), 1 CVE
• Deeply dive into tightvnc CVE issue hunting and help matching various CVEs between src:libvncserver and src:tightvnc, digging out patches, etc.
• Upload to jessie-security: tightvnc (DLA-2045-1 [2]), 9 CVEs
• Upload to jessie-security: x2goclient (DLA-2038-2 [7]) (fixing a regression caused by a recent libssh security upload; see DLA_2038-1 / CVE-2019-14889) [3]
• Ping DLange and ggings about getting the libssh regression regarding x2goclient fixed in Ubuntu (LTS) [4]
• Ping the release team on security update status regarding CVE-2019-14889/libssh (bundled with an X2Go Client update) for stretch + buster.
• NMU-upload (to DELAYED/10) tightvnc targetting Debian unstable [5]. Waiting for the former maintainer to ACK the NMU or re-do it himself.

In November 2019, I have worked on the Debian LTS project for 15 hours (of 15 hours planned) and on the Debian ELTS project for 5 hours (of 5 hours planned) as a paid contributor.

For LTS, I, in fact, pulled over 1.7 hours from October, so I realy only did 13.3 hours for LTS in November.

(This is only half-true, I worked a considerable amount of hours on this libvncserver code bundle audit, but I am just not invoicing all of it).

LTS Work

• Triage jhead, libapache2-mod-auth-openidc, mailutils, python-psutil, ruby-rack-cors during (actually one day after, in coordination with Thorsten Alteholz) my first LTS frontdesk week this month.
• Triage asterisk, gnome-font-viewer, gnome-sushi, libjackson-json-java, proftpd-dfsg during my second week at LTS frontdesk this month.

In October 2019, I have worked on the Debian LTS project for 11.75 hours (of 11.75 hours planned) and on the Debian ELTS project for 0 hours (of 5 hours planned) as a paid contributor. I have given back those 5 ELTS hours to the pool.

LTS Work

• Work on a pre-OpenSSL-1.0.2 patch, adding hostname validation support to imapfilter as found in Debian jessie (built against OpenSSL 1.0.1t) [1]
• File a Github PR against imapfilter upstream that got OpenSSL versioned #ifdef'ed code sections straight [2]
• upload imapfilter 2.5.2-2+deb8u1 to jessie-security (DLA-1976-1 [3], 1 CVE)
• upload libvncserver 0.9.9+dfsg2+deb8u6 to jessie-security (DLA-1977-1 [4], 1 CVE)
• do a security audit of libvncserver-derived packages in Debian [5]
• upload italc 1:2.0.2+dfsg1-2+deb8u1 to jessie-security (DLA-1979-1 [6], 21 CVEs)

In fact, preparing the italc security upload needed more time (an extra of 1.7h) than available for my LTS work in October. In my mind, I will move over these 1.7h to November and invoice them then.

In November, I plan to follow-up on the VNC security audit and prepare several VNC related package uploads to Debian jessie LTS.

Over the past month I worked on re-scripting the installation process of a Debian Edu system (minimal installation profile and workstation installation profile for now) by utilizing FAI [1].

My goal on this is to get the Debian Edu FAI config space into Debian bullseye (as package: debian-edu-fai) and provide an easy setup method for the FAI installation server on an existing Debian Edu site.

Note: I do not intend to bootstrap a complete Debian Edu site via FAI. The use case is: get your Debian Edu main server up and running, add host faiserver.intern and install all your site's client systems via this FAI installation server.

Debian Edu Installation Methods (until today)

Currently, we only have a D-I based installation method (over PXE or ISO image) at hand with several disadvantages:

• requires interaction
• not really customizable
• comparingly slow (now that I have seen FAI do these things)

All of the above problems can be solved by installing Debian Edu via a FAI configuration.

Debian Edu Installation via FAI ( This rocks so much!!! )

As you may guess, but I need to repeat the above (because I am so excited about it), here are the advantages of installing Debian Edu via FAI:

• Debian Edu installation via FAI is incredibly fast
• Customization: drop in some more files into the FAI config space and you have a customized setup.

In September 2019, I have worked on the Debian LTS project for 11 hours (of 12 hours planned) and on the Debian ELTS project for another 2 hours (of 12 hours planned) as a paid contributor. I have given back the 10 ELTS hours, but will keep the 1 LTS hour and move it over to October. As I will be gone on family vacation during two weeks of Octobre I have reduced my workload for the coming months accordingly (10 hours LTS, 5 hours ELTS).

LTS Work

• Patch review on qemu (regarding DLA-1927-1)
• Perform regression tests on previous LTS uploads of 389-ds-base (see [1,2] for results/statements)
• Upload netty 3.2.6.Final-2+deb8u1 to jessie-security (DLA-1941-1 [3]), fixing 1 CVE
• Triage nghttp2, probably not affected by CVE-2019-9511 and CVE-2019-9513. The code base is really different around the passages where the fixing patches have been applied by upstream. I left a comment in dla-needed.txt plus asked for a second opinion. [4]
• Go over all 2019 LTS announcements in the webwml.git repository and ping LTS team members (including myself) on missing webwml DLAs.
• Upload phpbb3 3.0.12-5+deb8u4 to jessie-security (DLA-1942-1 [5]), fixing 1 (or 2) CVE(s). Regarding the phpbb3 upload, Sylvain Beucler and I are currently discussing [6] whether CVE-2019-13376 got actually fixed with this upload or not.

From one of my customers, I received the request to figure out an installation pathway for ActivInspire, the Promethean smart board software suite. ActivInspire is offered as DEB builds for Ubuntu 18.04. On a Debian 10 (aka buster) system the installation requires some hack-around (utilizing packages from Debian jessie LTS).

Here is the quick-n-dirty recipe:

APT Key for "Promethean Ltd <support@prometheanworld.com>"

The APT key you need for downloading packages from Promethean's package archive can be obtained like this:

$ gpg --search-keys 0x300035F2484C6FED
$ gpg --export -a 0x300035F2484C6FED | sudo apt-key add -

Afterwards, you should find the key added to APT's GnuPG keyring. Verify that:

$ sudo apt-key adv --fingerprint D3CDA26CC37F568DD4A8DE68300035F2484C6FED
Executing: /tmp/user/0/apt-key-gpghome.HMo8gCMGUG/gpg.1.sh --fingerprint D3CDA26CC37F568DD4A8DE68300035F2484C6FED
pub   rsa4096 2017-03-02 [SC]
      D3CD A26C C37F 568D D4A8  DE68 3000 35F2 484C 6FED
uid        [ unbekannt ] PrometheanLtd <support@prometheanworld.com>
sub   rsa4096 2017-03-02 [E]

Tweak APT's Installation Sources

Next, add the below lines to a new file called /etc/apt/sources.list.d/promethean.list. The software will require to grab some packages (e.g.