From 362079beb2f7f3362eec103dafb20356bf3838e6 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 1 Sep 2024 14:29:55 +0100 Subject: [PATCH] Free software activity in August 2024 --- content/activity-2024-08.md | 170 ++++++++++++++++++++++++++++++++++++ 1 file changed, 170 insertions(+) create mode 100644 content/activity-2024-08.md diff --git a/content/activity-2024-08.md b/content/activity-2024-08.md new file mode 100644 index 00000000..53c54da5 --- /dev/null +++ b/content/activity-2024-08.md 
@@ -0,0 +1,170 @@ +Title: Free software activity in August 2024 +Slug: activity-2024-08 +Date: 2024-09-01 14:29:32 +01:00 +Category: columbiform +Tags: activity, columbiform, freexian, planet-debian, planet-ubuntu + +All but about four hours of my Debian contributions this month were +[sponsored](https://www.freexian.com/about/debian-contributions/) by +Freexian. (I ended up going a bit over my 20% billing limit this month.) + +You can also support my work directly via +[Liberapay](https://liberapay.com/cjwatson). + +## man-db and friends + +I released [libpipeline +1.5.8](https://gitlab.com/libpipeline/libpipeline/-/releases/1.5.8) and +[man-db 2.13.0](https://gitlab.com/man-db/man-db/-/releases/2.13.0). + +Since autopkgtests are great for making sure we spot regressions caused by +changes in dependencies, I added one to man-db that runs the upstream tests +against the installed package. This required some preparatory work +upstream, but otherwise was surprisingly easy to do. + +## OpenSSH + +I fixed the various 9.8 regressions I mentioned [last +month]({filename}/activity-2024-07.md): socket activation, libssh2, and +Twisted. There were a few other regressions reported too: [TCP wrappers +support](https://bugs.debian.org/1077799), +[openssh-server-udeb](https://salsa.debian.org/ssh-team/openssh/-/merge_requests/28), +and [xinetd](https://bugs.debian.org/1078429) were all broken by changes +related to the listener/per-session binary split, and I fixed all of those. + +Once all that had made it through to testing, I finally uploaded the first +stage of my [plan to split out GSS-API +support](https://lists.debian.org/debian-devel/2024/04/msg00044.html): there +are now `openssh-client-gssapi` and `openssh-server-gssapi` packages in +unstable, and if you use either GSS-API authentication or key exchange then +you should install the corresponding package in order for upgrades to +trixie+1 to work correctly. I'll write a release note once this has reached +testing. 
+ +## Multiple identical results from getaddrinfo + +I expect this is really a bug in a chroot creation script somewhere, but I +haven't been able to track down what's causing it yet. My sbuild chroots, +and apparently Lucas Nussbaum's as well, have an `/etc/hosts` that looks +like this: + + :::console + $ cat /var/lib/schroot/chroots/sid-amd64/etc/hosts + 127.0.0.1 localhost + 127.0.1.1 [...] + 127.0.0.1 localhost ip6-localhost ip6-loopback + +The last line clearly ought to be `::1` rather than `127.0.0.1`; but things +mostly work anyway, since most code doesn't really care which protocol it +uses to talk to localhost. However, a few things try to set up test +listeners by calling `getaddrinfo("localhost", ...)` and binding a socket +for each result. This goes wrong if there are duplicates in the resulting +list, and the test output is typically very confusing: it looks just like +what you'd see if a test isn't tearing down its resources correctly, which +is a much more common thing for a test suite to get wrong, so it took me a +while to spot the problem. + +I ran into this in both python-asyncssh +([#1052788](https://bugs.debian.org/1052788), [upstream +PR](https://github.com/ronf/asyncssh/pull/679)) and Ruby +([ruby3.1/#1069399](https://bugs.debian.org/1069399), +[ruby3.2/#1064685](https://bugs.debian.org/1064685), +[ruby3.3/#1077462](https://bugs.debian.org/1077462), [upstream +PR](https://github.com/ruby/ruby/pull/11456)). The latter took a while +since Ruby isn't one of my languages, but hey, I've tackled [much harder +side quests]({filename}/porting-ghc-a-tale-of-two-architectures.md). I +NMUed ruby3.1 for this since it was showing up as a blocker for openssl +testing migration, but haven't done the other active versions (yet, anyway). + +## openssl vs. cryptography + +I tend to care about openssl migrating to testing promptly, since openssh +uploads have a habit of getting stuck on it otherwise. 
+ +Debian's OpenSSL packaging recently split out some legacy code (cryptography +that's no longer considered a good idea to use, but that's sometimes needed +for compatibility) to an `openssl-legacy-provider` package, and added a +Recommends on it. Most users install Recommends, but package build +processes don't; and the Python `cryptography` package requires this code +unless you set the `CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1` environment variable, +which caused a bunch of packages that build-depend on it to fail to build. + +After playing whack-a-mole setting that environment variable in a few +packages' build process, I decided I didn't want to be caught in the middle +here and filed an [upstream +issue](https://github.com/pyca/cryptography/issues/11450) to see if I could +get Debian's OpenSSL team and cryptography's upstream talking to each other +directly. There was some moderately spirited discussion and the issue +remains open, but for the time being the OpenSSL team has [effectively +reverted the +change](https://tracker.debian.org/news/1557087/accepted-openssl-331-7-source-into-unstable/) +so it's no longer a pressing problem. + +## GCC 14 regressions + +Continuing from [last month]({filename}/activity-2024-07.md), I fixed build +failures in [pccts](https://bugs.debian.org/1075363) (NMU) and +[trn4](https://bugs.debian.org/1078145). 
+ +## Python team + +I upgraded alembic, automat, gunicorn, incremental, referencing, pympler +(fixing [compatibility with Python >= +3.10](https://bugs.debian.org/1002173)), python-aiohttp, python-asyncssh +(fixing [CVE-2023-46445](https://bugs.debian.org/1056000), +[CVE-2023-46446](https://bugs.debian.org/1055999), and +[CVE-2023-48795](https://bugs.debian.org/1059007)), python-avro, +python-multidict (fixing a [build failure with GCC +14](https://bugs.debian.org/1075418)), python-tokenize-rt, python-zipp, +pyupgrade, twisted (fixing [CVE-2024-41671](https://bugs.debian.org/1077679) +and [CVE-2024-41810](https://bugs.debian.org/1077680)), zope.exceptions, +zope.interface, zope.proxy, zope.security, zope.testrunner. In the process, +I added myself to `Uploaders` for zope.interface; I'm reasonably comfortable +with the Zope Toolkit and I seem to be gradually picking up much of its +maintenance in Debian. + +A few of these required their own bits of yak-shaving: + + * python-aiohttp 3.10.0 needed fixes in blinkpy + ([#1077981](https://bugs.debian.org/1077981), [upstream + PR](https://github.com/fronzbot/blinkpy/pull/974)) and python-yalexs + ([#1077985](https://bugs.debian.org/1077985), [upstream + PR](https://github.com/bdraco/yalexs/pull/134)). + * twisted 24.7.0 needed fixes in pytest-twisted (cherry-picked existing + [upstream + commit](https://github.com/pytest-dev/pytest-twisted/commit/ee97014a5b70977cc93d0a5c93e99b770c91ab7f)), + python-daphne (cherry-picked existing [upstream + PR](https://github.com/django/daphne/pull/526)), and python-tornado + ([#1078411](https://bugs.debian.org/1078411), [upstream + PR](https://github.com/tornadoweb/tornado/pull/3417)). + +I improved some `Multi-Arch: foreign` tagging +([python-importlib-metadata](https://bugs.debian.org/1078041), +[python-typing-extensions](https://bugs.debian.org/1078035), +[python-zipp](https://bugs.debian.org/1078038)). 
+ +I fixed build failures in [pipenv](https://bugs.debian.org/1076903), +[python-stdlib-list](https://bugs.debian.org/1067325), +[psycopg3](https://bugs.debian.org/1077918), and +[sen](https://bugs.debian.org/1067287), and fixed autopkgtest failures in +[autoimport](https://salsa.debian.org/python-team/packages/autoimport/-/commit/2669881195b78c66d6232d0518f61b69734ca8f4) +([upstream PR](https://github.com/lyz-code/autoimport/pull/259)), +[python-semantic-release](https://salsa.debian.org/python-team/packages/python-semantic-release/-/commit/bafa7e7e51f79ec8268cc8bc24368e03c06d1eb4) +and [rstcheck](https://bugs.debian.org/1061841). + +Upstream for zope.file (not in Debian) filed an issue about a [test failure +with Python 3.12](https://github.com/zopefoundation/zope.file/issues/13), +which I tracked down to a [Python 3.12 compatibility +PR](https://github.com/zopefoundation/zope.security/pull/112) in +zope.security. + +I made python-nacl build reproducibly ([upstream +PR](https://github.com/pyca/pynacl/pull/836)). + +I moved aliased files from `/` to `/usr` in timekpr-next +([#1073722](https://bugs.debian.org/1073722)). + +## Installer team + +I applied a patch from Ubuntu to make os-prober support building with the +`noudeb` profile ([#983325](https://bugs.debian.org/983325)). -- 2.30.2
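Review bot: In the "Python team" section, the five security fixes are hard to find: CVE-2023-46445, CVE-2023-46446 and CVE-2023-48795 for python-asyncssh, and CVE-2024-41671 and CVE-2024-41810 for twisted, all sit in parentheses in the middle of one long comma-separated list of routine upgrades. A reader scanning for security-relevant uploads will miss them. Consider pulling them into their own sentence or a short bullet list, in the same style as the "yak-shaving" bullets that follow, with one item per package naming the CVEs it closes. A smaller point in the "Multiple identical results from getaddrinfo" section: the text explains why duplicate results break tests that bind one socket per result, but it does not say what the linked python-asyncssh and Ruby upstream PRs change. One sentence summarising the fix would save readers from opening the PRs to find out.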