My Work on Debian LTS (May 2020)

In May 2020, I worked on the Debian LTS project for 14.5 hours (of 14.5 hours planned).

LTS Work

  • Frontdesk: CVE bug triaging for Debian jessie LTS: exim4, cups, log4net, apt, openconnect, libexif, json-c, tomcat8, and graphicsmagick.
  • review and sponsor upload to jessie-security: libexif (DLA-2214-1 [1], 5 CVEs)
  • review and sponsor upload to jessie-security: libexif (DLA-2222-1 [2], 4 CVEs)
  • upload to jessie-security: json-c (DLA-2228-1 [3] and DLA-2228-2 [4], 1 CVE)
  • upload to jessie-security: php-horde-gollem (DLA-2228-1 [5], 1 CVE)
  • upload to jessie-security: php-horde (DLA-2280-1 [6], 1 CVE)
  • start looking into the current FreeRDP (v1.1) and FreeRDP (v2) CVE hell...

Other security related work for Debian

  • review and sponsor uploads of libexif to stretch, buster and unstable (8 CVE fixes for stretch, 5 CVE fixes for buster) [7]
  • revisit long overdue uploads of ssvnc to stretch and buster (4 CVE fixes each) [8]
  • upload php-horde-gollem to stretch and buster (1 CVE fix each) [9]
  • upload php-horde to stretch and buster (1 CVE fix each) [10]


  • Many thanks to Hugh McMaster for handling all the libexif security upload preparations himself. This was really good work.

Q: Remote Support Framework for the GNU/Linux Desktop?

TL;DR; For those (admins) of you who run GNU/Linux on staff computers: How do you organize your graphical remote support in your company? Get in touch, share your expertise and experiences.

Researching on FLOSS based Linux Desktops

When bringing GNU/Linux desktops to a broad base of productive office users on a large scale, graphical remote support is a key feature for organizing helpdesk support teams' workflows.

In a research project that I am currently involved in, we investigate the different available remote support technologies (VNC screen mirroring, ScreenCasts, etc.) and the available frameworks that allow one to provide a remote support infrastructure 100% on-premise.

In this research project we intend to find FLOSS solutions for everything required for providing a large scale GNU/Linux desktop to end users, but we likely will have to recommend non-free solutions, if a FLOSS approach is not available for certain demands. Depending on the resulting costs, bringing forth a new software solution instead of dumping big money in subscription contracts for non-free software is seen as a possible alternative.

As a member of the X2Go upstream team and maintainer of several remote desktop related tools and frameworks in Debian, I'd consider myself as sort of in-the-topic. The available (as FLOSS) underlying technologies for plumbing a remote support framework are pretty much clear (x11vnc, recent pipewire-related approaches in Wayland compositors, browser-based screencasting).

My Work on Debian LTS (April 2020)

Due to sickness I was not able to complete my 8 hours of work on Debian LTS as planned. I only worked 1.5 hours this month, moving the remaining 6.5 hours over to May.


  • Triage sqlite3, nginx, libsixel.
  • Drop EOL'ed libperlspeak-perl from dla-needed.txt.
  • Update security tracker's metadata (patch URLs) for ansible

Other security related work for Debian

  • Upload to buster: gosa 2.7.4+reloaded3-8+deb10u2 (1 CVE)
  • Upload to stretch: gosa 2.7.4+reloaded2-13+deb9u2 (1 CVE plus many bug fixes)
  • Upload to stretch: gosa 2.7.4+reloaded2-13+deb9u3 (1 more CVE)

Q: RoamingProfiles under GNU/Linux? What's your Best Practice?

This post is an open question to the wide range of GNU/Linux site admins out there. Possibly some of you have the joy of maintaining GNU/Linux also on user endpoint devices (i.e. user workstations, user notebooks, etc.), not only on corporate servers.

TL;DR; In the context of a customer project, I am researching ways of mimicking (or inventing anew) a feature well known (and sometimes also well hated) from the MS Windows world: Roaming User Profiles. If anyone does have any input on that, please contact me (OFTC/Freenode IRC, Telegram, email). I am curious what your solution may be.

The Use Case Scenario

In my use case, all user machines shall be mobile (notebooks, convertibles, etc.). The machines may be on-site most of the time, but they need offline capabilities so that the users can transparently move off-site and continue their work. At the same time, a copy of the home directory (or the home directory itself) shall be stored on some backend fileservers (for central backups as well as for giving the user the possibility to log in to another machine and be up-and-running +/- out-of-the-box).

The Vision

Initial Login

Ideally, I'd like to have a low level file system feature for this that handles it all.

My Work on Debian LTS (March 2020)

In March 2020, I worked on the Debian LTS project for 10.25 hours (of 10.25 hours planned).

LTS Work

  • Frontdesk: CVE Bug Triaging for Debian jessie LTS: libpam-krb5, symfony, edk2 (EOL), icu, twisted, yubikey-val, netkit-telnet(-ssl), libperlspeak-perl (new EOL), and glibc.
  • Upload to jessie-security: tinyproxy (DLA-2163-1 [1], 1 CVE, 1 severe bug [2]).
  • Revisit CVE-2015-9541 in jessie's qtbase-opensource-src and agree with Dmitry Shachnev from Debian's KDE/Qt Team about tagging this CVE '<ignored>' in Debian's security tracker. The proposed upstream patch uses an API not available in jessie's Qt5 version (QStringView API) and the series of patches to be applied would be quite invasive.
  • Prepare upload of libpam-krb5 4.6-3+deb8u1 (1 CVE) (will be uploaded during the day).
  • Look closer into CVE-2019-17177 for FreeRDP v1.1 (and decide to ignore it, as patchwork would have to be applied all over the code).

UBports: Packaging of Lomiri Operating Environment for Debian (part 02)

Before and during FOSDEM 2020, I agreed with the people (developers, supporters, managers) of the UBports Foundation to package the Unity8 Operating Environment for Debian. Since 27th Feb 2020, Unity8 has now become Lomiri.

Recent Uploads to Debian related to Lomiri

Over the past 7-8 weeks the packaging progress has been slowed down due to other projects I am working on in parallel.

Mailman3 - Call for Translations (@Weblate)

TL;DR; please help localizing Mailman3 [1]. You can find it on hosted Weblate [2]. The next component releases are planned in 1-2 weeks from now. Thanks for your contribution! If you can't make it now, please consider working on Mailman3 translations at some later point in time. Thanks!

Time has come for Mailman3

Over the last months I have found an interest in Mailman3. Given the EOL of Python2 in January 2020 and also being a heavy Mailman2 provider for various of my projects and also for customers, I felt it was time to look at Mailman2's successor: Mailman3 [1].

One great novelty in Mailman3 is the strict split between the backend (Mailman Core) and the frontend components (django-mailman3, Postorius, Hyperkitty). All three are Django applications. Postorius is the list management web frontend whereas Hyperkitty is an archive viewer. Unlike in Mailman2, you can also drop list posts into Hyperkitty directly (instead of sending a mail to the list). This makes Hyperkitty also some sort of forum software with a mailing list core in the back. The django-mailman3 module knits the previous two together (and handles account management, login dialog, profile settings, etc.).

Looking into Mailman3 Upstream Code

Some time back in mid-2019 I decided to deploy Mailman3 at a customer's site and also for my own business (which still is the test installation). Living and working in Germany, my customers' demand often is a fully localized WebUI. And at that time, Mailman3 could not provide this.


Today's address to the public by the German chancellor. I am totally chiming in with her here. Please all across the world, help to #FlattenTheCurve:

light+love & stay healthy!

Time for home office! Time for X2Go?

Most of us IT people should be in home office by now. If not, make sure you'll arrange that with your employers, cooperation partners, contractors, etc. Please help flatten the curve.

X2Go as your Home Office solution

If your computer at work runs a GNU/Linux desktop and you can SSH into it, then it might be time for you to try out X2Go [1]. Remote desktop access under GNU/Linux.

Free Support for simple Client-Server Setups

If your daily work is related to health care, municipal work, medical research, etc. (all those fields that are currently working under very high demands), please join the #x2go IRC channel on Freenode [2] and I'll do my very best to help you with setting up X2Go.

Professional Support for Large Scale Setups

If you run a business and need X2Go support site-wide, brokerage support, etc. please consider asking for professional support [3].


My Work on Debian LTS (February 2020)

In February 2020, I worked on the Debian LTS project for only 5.75 hours (of 20 hours planned). I gave back 12 hours to the pool and reduced my availability to 8 hours per month.

Unfortunately, last month I got too distracted by other interesting and challenging projects, and also by some intense personal topics.

I herewith send my apology to all LTS team members and all Debian LTS users for not having completed my planned LTS workload.

LTS Work

  • Take a deeper look at cacti and mark cacti Debian jessie LTS as not affected by CVE-2020-8813
  • Study open vulnerability reports in ansible (no fixes available, yet, as of end of February 2020)
  • Work on fixing CVE-2015-9541 in qtbase-opensource-src (still work in progress)

