Free software activity in March 2026
My Debian contributions this month were all sponsored by Freexian.
You can also support my work directly via Liberapay or GitHub Sponsors.
OpenSSH
I fixed CVE-2026-3497 in unstable, thanks to a fix in Ubuntu by Marc Deslauriers. Relatedly, I applied an Ubuntu patch by Athos Ribeiro to not default to weak GSS-API exchange algorithms.
I’m looking forward to being able to split out GSS-API key exchange support in OpenSSH once Ubuntu 26.04 LTS has been released! This stuff will still be my problem, but at least it won’t be in packages that nearly everyone has installed.
Python packaging
New upstream versions:
- dill
- django-modeltranslation
- isort
- langtable
- pathos
- pendulum
- pox
- ppft
- pydantic-extra-types
- pytango
- python-asyncssh
- python-datamodel-code-generator
- python-evalidate
- python-packaging (including fixes for python-hatch-requirements-txt and python-pyproject-examples)
- python-zxcvbn-rs-py
- rpds-py
- smart-open
- trove-classifiers
I packaged pybind11-stubgen, needed for new upstream versions of pytango. Tests of reproducible builds revealed that it didn’t generate imports in a stable order; I contributed a fix for that upstream.
I worked with the security team to release DSA-6161-1 in multipart, fixing CVE-2026-28356 (upstream discussion). (Most of the work for this was in February, but the vulnerability was still embargoed when I published my last monthly update.)
In trixie-backports, I updated pytest-django to 4.12.0.
I fixed a number of packages to support building with pyo3 0.28:
- pendulum
- pydantic-core
- python-jellyfish
- python-zxcvbn-rs-py
- rpds-py
Other build/test failures:
- python-bcrypt: Upcoming rust-getrandom update
- python-cotengrust: FTBFS: error[E0432]: unresolved import rand::rngs::OsRng
- austin: FTBFS: E ModuleNotFoundError: No module named 'pycparser.plyparser' (contributed upstream)
- taurus: FTBFS: dh_auto_build: error: pybuild --build -i python{version} -p "3.14 3.13" returned exit code 13
- python-datamodel-code-generator: Depends: python3-isort (< 8) but 8.0.0-1 is to be installed (contributed upstream)
Rust packaging
New upstream versions:
- rust-rpds
Other bits and pieces
I upgraded tango to 10.1.2, and yubihsm-shell to 2.7.2.
Code reviews
- python-backports.zstd: Obsolete with Python 3.14 (sponsored partial fix from YOKOTA Hiroshi)