chiark / gitweb /
~cjwatson / blog.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ffc994c)
Free software activity in August 2024
authorColin Watson <cjwatson@debian.org>
Sun, 1 Sep 2024 13:29:55 +0000 (14:29 +0100)
committerColin Watson <cjwatson@debian.org>
Sun, 1 Sep 2024 13:29:55 +0000 (14:29 +0100)
content/activity-2024-08.md [new file with mode: 0644] patch | blob

diff --git a/content/activity-2024-08.md b/content/activity-2024-08.md
new file mode 100644 (file)
index 0000000..53c54da
--- /dev/null
+++ b/content/activity-2024-08.md
@@ -0,0 +1,170 @@
+Title: Free software activity in August 2024
+Slug: activity-2024-08
+Date: 2024-09-01 14:29:32 +01:00
+Category: columbiform
+Tags: activity, columbiform, freexian, planet-debian, planet-ubuntu
+
+All but about four hours of my Debian contributions this month were
+[sponsored](https://www.freexian.com/about/debian-contributions/) by
+Freexian.  (I ended up going a bit over my 20% billing limit this month.)
+
+You can also support my work directly via
+[Liberapay](https://liberapay.com/cjwatson).
+
+## man-db and friends
+
+I released [libpipeline
+1.5.8](https://gitlab.com/libpipeline/libpipeline/-/releases/1.5.8) and
+[man-db 2.13.0](https://gitlab.com/man-db/man-db/-/releases/2.13.0).
+
+Since autopkgtests are great for making sure we spot regressions caused by
+changes in dependencies, I added one to man-db that runs the upstream tests
+against the installed package.  This required some preparatory work
+upstream, but otherwise was surprisingly easy to do.
+
+## OpenSSH
+
+I fixed the various 9.8 regressions I mentioned [last
+month]({filename}/activity-2024-07.md): socket activation, libssh2, and
+Twisted.  There were a few other regressions reported too: [TCP wrappers
+support](https://bugs.debian.org/1077799),
+[openssh-server-udeb](https://salsa.debian.org/ssh-team/openssh/-/merge_requests/28),
+and [xinetd](https://bugs.debian.org/1078429) were all broken by changes
+related to the listener/per-session binary split, and I fixed all of those.
+
+Once all that had made it through to testing, I finally uploaded the first
+stage of my [plan to split out GSS-API
+support](https://lists.debian.org/debian-devel/2024/04/msg00044.html): there
+are now `openssh-client-gssapi` and `openssh-server-gssapi` packages in
+unstable, and if you use either GSS-API authentication or key exchange then
+you should install the corresponding package in order for upgrades to
+trixie+1 to work correctly.  I'll write a release note once this has reached
+testing.
+
+## Multiple identical results from getaddrinfo
+
+I expect this is really a bug in a chroot creation script somewhere, but I
+haven't been able to track down what's causing it yet.  My sbuild chroots,
+and apparently Lucas Nussbaum's as well, have an `/etc/hosts` that looks
+like this:
+
+    :::console
+    $ cat /var/lib/schroot/chroots/sid-amd64/etc/hosts
+    127.0.0.1       localhost
+    127.0.1.1       [...]
+    127.0.0.1       localhost ip6-localhost ip6-loopback
+
+The last line clearly ought to be `::1` rather than `127.0.0.1`; but things
+mostly work anyway, since most code doesn't really care which protocol it
+uses to talk to localhost.  However, a few things try to set up test
+listeners by calling `getaddrinfo("localhost", ...)` and binding a socket
+for each result.  This goes wrong if there are duplicates in the resulting
+list, and the test output is typically very confusing: it looks just like
+what you'd see if a test isn't tearing down its resources correctly, which
+is a much more common thing for a test suite to get wrong, so it took me a
+while to spot the problem.
+
+I ran into this in both python-asyncssh
+([#1052788](https://bugs.debian.org/1052788), [upstream
+PR](https://github.com/ronf/asyncssh/pull/679)) and Ruby
+([ruby3.1/#1069399](https://bugs.debian.org/1069399),
+[ruby3.2/#1064685](https://bugs.debian.org/1064685),
+[ruby3.3/#1077462](https://bugs.debian.org/1077462), [upstream
+PR](https://github.com/ruby/ruby/pull/11456)).  The latter took a while
+since Ruby isn't one of my languages, but hey, I've tackled [much harder
+side quests]({filename}/porting-ghc-a-tale-of-two-architectures.md).  I
+NMUed ruby3.1 for this since it was showing up as a blocker for openssl
+testing migration, but haven't done the other active versions (yet, anyway).
+
+## openssl vs. cryptography
+
+I tend to care about openssl migrating to testing promptly, since openssh
+uploads have a habit of getting stuck on it otherwise.
+
+Debian's OpenSSL packaging recently split out some legacy code (cryptography
+that's no longer considered a good idea to use, but that's sometimes needed
+for compatibility) to an `openssl-legacy-provider` package, and added a
+Recommends on it.  Most users install Recommends, but package build
+processes don't; and the Python `cryptography` package requires this code
+unless you set the `CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1` environment variable,
+which caused a bunch of packages that build-depend on it to fail to build.
+
+After playing whack-a-mole setting that environment variable in a few
+packages' build process, I decided I didn't want to be caught in the middle
+here and filed an [upstream
+issue](https://github.com/pyca/cryptography/issues/11450) to see if I could
+get Debian's OpenSSL team and cryptography's upstream talking to each other
+directly.  There was some moderately spirited discussion and the issue
+remains open, but for the time being the OpenSSL team has [effectively
+reverted the
+change](https://tracker.debian.org/news/1557087/accepted-openssl-331-7-source-into-unstable/)
+so it's no longer a pressing problem.
+
+## GCC 14 regressions
+
+Continuing from [last month]({filename}/activity-2024-07.md), I fixed build
+failures in [pccts](https://bugs.debian.org/1075363) (NMU) and
+[trn4](https://bugs.debian.org/1078145).
+
+## Python team
+
+I upgraded alembic, automat, gunicorn, incremental, referencing, pympler
+(fixing [compatibility with Python >=
+3.10](https://bugs.debian.org/1002173)), python-aiohttp, python-asyncssh
+(fixing [CVE-2023-46445](https://bugs.debian.org/1056000),
+[CVE-2023-46446](https://bugs.debian.org/1055999), and
+[CVE-2023-48795](https://bugs.debian.org/1059007)), python-avro,
+python-multidict (fixing a [build failure with GCC
+14](https://bugs.debian.org/1075418)), python-tokenize-rt, python-zipp,
+pyupgrade, twisted (fixing [CVE-2024-41671](https://bugs.debian.org/1077679)
+and [CVE-2024-41810](https://bugs.debian.org/1077680)), zope.exceptions,
+zope.interface, zope.proxy, zope.security, zope.testrunner.  In the process,
+I added myself to `Uploaders` for zope.interface; I'm reasonably comfortable
+with the Zope Toolkit and I seem to be gradually picking up much of its
+maintenance in Debian.
+
+A few of these required their own bits of yak-shaving:
+
+ * python-aiohttp 3.10.0 needed fixes in blinkpy
+   ([#1077981](https://bugs.debian.org/1077981), [upstream
+   PR](https://github.com/fronzbot/blinkpy/pull/974)) and python-yalexs
+   ([#1077985](https://bugs.debian.org/1077985), [upstream
+   PR](https://github.com/bdraco/yalexs/pull/134)).
+ * twisted 24.7.0 needed fixes in pytest-twisted (cherry-picked existing
+   [upstream
+   commit](https://github.com/pytest-dev/pytest-twisted/commit/ee97014a5b70977cc93d0a5c93e99b770c91ab7f)),
+   python-daphne (cherry-picked existing [upstream
+   PR](https://github.com/django/daphne/pull/526)), and python-tornado
+   ([#1078411](https://bugs.debian.org/1078411), [upstream
+   PR](https://github.com/tornadoweb/tornado/pull/3417)).
+
+I improved some `Multi-Arch: foreign` tagging
+([python-importlib-metadata](https://bugs.debian.org/1078041),
+[python-typing-extensions](https://bugs.debian.org/1078035),
+[python-zipp](https://bugs.debian.org/1078038)).
+
+I fixed build failures in [pipenv](https://bugs.debian.org/1076903),
+[python-stdlib-list](https://bugs.debian.org/1067325),
+[psycopg3](https://bugs.debian.org/1077918), and
+[sen](https://bugs.debian.org/1067287), and fixed autopkgtest failures in
+[autoimport](https://salsa.debian.org/python-team/packages/autoimport/-/commit/2669881195b78c66d6232d0518f61b69734ca8f4)
+([upstream PR](https://github.com/lyz-code/autoimport/pull/259)),
+[python-semantic-release](https://salsa.debian.org/python-team/packages/python-semantic-release/-/commit/bafa7e7e51f79ec8268cc8bc24368e03c06d1eb4)
+and [rstcheck](https://bugs.debian.org/1061841).
+
+Upstream for zope.file (not in Debian) filed an issue about a [test failure
+with Python 3.12](https://github.com/zopefoundation/zope.file/issues/13),
+which I tracked down to a [Python 3.12 compatibility
+PR](https://github.com/zopefoundation/zope.security/pull/112) in
+zope.security.
+
+I made python-nacl build reproducibly ([upstream
+PR](https://github.com/pyca/pynacl/pull/836)).
+
+I moved aliased files from `/` to `/usr` in timekpr-next
+([#1073722](https://bugs.debian.org/1073722)).
+
+## Installer team
+
+I applied a patch from Ubuntu to make os-prober support building with the
+`noudeb` profile ([#983325](https://bugs.debian.org/983325)).
Colin Watson's blog