Free software activity in February 2026
My Debian contributions this month were all sponsored by Freexian.
You can also support my work directly via Liberapay or GitHub Sponsors.
OpenSSH
I released bookworm and trixie fixes for CVE-2025-61984 and CVE-2025-61985, both allowing code execution via ProxyCommand in some cases. The trixie update also included a fix for openssh-server: refuses further connections after having handled PerSourceMaxStartups connections.
bugs.debian.org administration
Gioele Barabucci reported that some messages to the bug tracking system generated by the bts command were being discarded. While the regression here was on the client side, I found and fixed a typo in our SpamAssassin configuration that was failing to apply a bonus specifically to forwarded commands, mitigating the problem.
Python packaging
New upstream versions:
- aiosmtplib
- bitstruct
- diff-cover
- django-q
- isort
- multipart
- poetry (adding support for Dulwich >= 0.25)
- poetry-core
- pydantic-settings
- python-build
- python-certifi
- python-datamodel-code-generator
- python-flatdict
- python-holidays
- python-maggma
- python-pytokens
- python-scruffy
- python-urllib3 (fixing CVE-2025-66471 and a chunked decoding bug)
- responses
- yarsync
- zope.component
- zope.deferredimport
Porting away from the deprecated (and now removed from upstream setuptools) pkg_resources:
- genshi (contributed upstream)
- germinate
- mopidy
- nose2
- pokrok (contributed upstream)
- pylama
- python-flask-seeder
- python-maggma (contributed upstream)
- python-pybadges
- python-scruffy (contributed upstream)
- thumbor (contributed upstream)
- zope.deprecation (contributed upstream a while ago, but there hasn’t been an upstream release yet)
Other build/test failures:
- flask-dance: FTBFS: No module named ‘pkg_resources’ (actually fixed by adding a missing dependency to python3-sphinxcontrib.seqdiag)
- paramiko: autopkgtest regression on i386 (contributed upstream)
- poetry: autopkgtest regression on i386
- python-argh
- python-django-celery-beat: FTBFS: FAILED t/unit/test_models.py::HumanReadableTestCase::test_long_name
- python-maturin: rust-itertools update
- python-msrest: FTBFS: FAILED tests/asynctests/test_async_client.py::TestServiceClient::test_client_send (contributed upstream, though not very successfully)
- python-typing-inspect
Other bugs:
- python-datamodel-code-generator: Depends: python3-isort (< 8) but 8.0.0-1 is to be installed (contributed upstream)
- python-typeguard: Mark python3-typeguard Multi-Arch: foreign
- wheel: Mark python3-wheel Multi-Arch: foreign
- zope.deferredimport: Please make the build reproducible (contributed upstream, with a follow-up fix)
I added a manual page symlink to make the documentation for Testsuite: autopkgtest-pkg-pybuild easier to find.
I backported python-pytest-unmagic and a more recent version of pytest-django to trixie.
Rust packaging
I also packaged rust-garde and rust-garde-derive, which are part of the pile of work needed to get the ruff packaging back in shape (which is a project I haven’t decided if I’m going to take on for real, but I thought I’d at least chip away at a bit of it).
Other bits and pieces
Code reviews
- debconf: Add BMP version of debian-logo (merged and uploaded)
- openssh: Reorder pam_selinux(7) usage (merged and uploaded)
- openssh-client: use sysusers.d, drop superfluous dependencies (merged and uploaded)
- openssh: Stop deleting system user on remove/purge (merged and uploaded)
- openssh: Do not link against libcrypt on GNU/Hurd (merged and uploaded)
- partman-prep: Align PReP descriptions with other partition types (merged)
- python-better-exceptions (sponsored upload for Seyed Mohamad Amin Modaresi)