Language Selection

English French German Italian Portuguese Spanish


Syndicate content
Planet Debian -
Updated: 2 hours 30 min ago

Thorsten Alteholz: My Debian Activities in June 2019

Friday 5th of July 2019 07:08:03 PM

FTP master

As you might have noticed as well, this month has been a month with the highest average temperature of all June so far. So I spent more time in the lake than in NEW. I only accepted 12 packages and rejected 1 upload. The rest of the team probably did the same because the overall number of packages that got accepted was only 22. Let’s see whether July will be the same …

Debian LTS

This was my sixtieth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 17h. During that time I did LTS uploads or prepared security uploads of:

  • [DLA 1830-1] znc security update for one CVE
  • [DLA 1833-1] bzip2 security update for two CVEs
  • [DLA 1841-1] gpac security update for three CVEs

I also prepared bzip2 debdiffs for Buster and Stretch and sent them to the maintainer and security team.
Further I created new packages for testing the patches of bind9 and wpa. I would be more confident to upload those if more people could give it a try. Especially after the python issue, I would really like to have some more people to do smoke tests …

Last but not least I did some days of frontdesk duties.

Debian ELTS

This month was the thirteenth ELTS month.

During my allocated time I uploaded:

  • ELA-132-1 of bzip2 for two CVEs
  • ELA-138-1 of ntfs-3g for one CVE

As like LTS, I am a bit hesitant to upload bind9

I also did some days of frontdesk duties.

Other stuff

As already written above, I did not do much work in front of a computer, so there is nothing to report here.
Ok, maybe I can mention this email here instead of the LTS section above. This is a script to obtain the correct build order of Go packages in case of security patches. As well as mentioned in the other paragraphs I would like more people to have a look at it, but please be kind :-).

Reproducible Builds: Reproducible Builds in June 2019

Friday 5th of July 2019 01:58:08 PM

Welcome to the June 2019 report from the Reproducible Builds project! In our reports we outline the most important things that we have been up to over the past month.

In order that everyone knows what this is about, whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed to end users as pre-compiled binaries. The motivation behind the reproducible builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

In June’s report, we will cover:

  • Media coverageLego bricks, pizza and… Reproducible Builds‽
  • Upstream newsIs Trusting Trust close to a ‘rebuttal’?
  • EventsWhat happened at MiniDebConf Hamburg, the OpenWrt Summit, etc.
  • Software developmentPatches patches patches, etc.
  • Misc newsFrom our mailing list…
  • Getting in touchand how to contribute.
Media coverage
  • The Prototype Fund, an initiative to “aid software developers, hackers and creatives in furthering their ideas from concept to demo” produced a video featuring Holger Levsen explaining Reproducible Builds… using Lego bricks and pizza!

One key motivation for reproducible builds is to enable peak efficiency for the build caches used in modern build systems.

Upstream news


There were a number of events that included or incorporated members of the Reproducible Builds community this month. If you know of any others, please do get in touch. In addition, a number of members of the Reproducible Builds project will be at DebConf 2019 in Curitiba, Brazil and will present on the status of their work.

MiniDebConf Hamburg 2019

Holger Levsen, Jelle van der Waa, kpcyrd and Alexander Couzens attended MiniDebConf Hamburg 2019 and worked on Reproducible Builds. As part of this, Holger gave a status update on the Project with a talk entitled Reproducible Builds aiming for bullseye, referring to the next Debian release name:

Jelle van der Waa kindly gifted Holger with a Reproducible Builds display:

In addition, Lukas Puehringer gave a talk titled Building reproducible builds into apt with in-toto:

As part of various hacking sessions:

  • Jelle van der Waa:

    • Improved the script to generate distribution-specific JSON, leading to the availability of an ArchLinux JSON file.
    • Investigated why the Arch Linux kernel package is not reproducible, finding out that KBUILD_BUILD_HOST and KGBUILD_BUILD_TIMESTAMP should be set. The enabling of CONFIG_MODULE_SIG_ALL causes the kernel modules to be signed with a (non-deterministic) build-time key if none is provided, leading to unreproducibility.
    • keyutils was fixed with respect to it embedding the build date in its binary. []
    • nspr was made reproducible in Arch Linux. []
  • kpcyrd:
    • Created various Jenkins jobs to generate Alpine build chroots, schedule new packages and to ultimately build them. [][][]
    • Created an Alpine reproducible testing overview page.
    • Provided a proof of concept SOURCE_DATE_EPOCH patch for abuild to fix timestamp issues in Alpine packages. []
  • Alexander Couzens:
    • Rewrote the database interaction routines for OpenWrt.
    • Migrated the OpenWrt package parser to use Python 3.x as Python 2.x will be reaching end-of-life at the end of this year.
    • Setup a test environment using a new README.development file.

Holger Levsen was on-hand to review and merge all the above commits, providing support and insight into the codebase. He additionally split out a README.development from the regular, more-generic README file.

OpenWrt summit

The OpenWrt project is a Linux operating system targeting embedded devices, particularly wireless network routers. In June, they hosted a summit that took place from 10th to 12th of the month.

Here, Holger participated in the discussions regarding .buildinfo build-attestation documents. As a result of this, Paul Spooren (aparcar) made a pull request to introduce/create a feeds.buildinfo (etc) for reproducibility in OpenWrt.

Software development

Chris Lamb spent significant time working on, his experiment into how to process, store and distribute .buildinfo files after the Debian archive software has processed them. This included:

  • Started making the move to Python 3.x (and Django 2.x) [][][][][][][] additionally performing a large number of adjacent cleanups including dropping the authentication framework [], fixing a number of flake8 warnings [], adding a setup.cfg to silence some warnings [], moving to __str__ and str.format(...) over %-style interpolation and u"Unicode" strings [], etc.

  • Added a number of (as-yet unreleased…) features, including caching the expensive landing page queries. []

  • Took the opportunity to start migrating the hosting from its current GitHub home to a more-centralised repository on, moving from the Travis to the GitLab continuous integration platform, updating the URL to the source in the footer [] and many other related changes [].

  • Applied the Black “uncompromising code formatter” to the codebase. []

Project website

There was a significant amount of effort on our website this month.

  • Chris Lamb:

    • Moved the remaining site to the newer website design. This was a long-outstanding task (#2) and required a huge number of changes, including moving all the event and documentation pages to the new design [] and migrating/merging the old _layouts/page.html into the new design [] too. This could then allow for many cleanups including moving/deleting files into cleaner directories, dropping a bunch of example layouts [] and dropping the old “home” layout. []

    • Added reports to the homepage. (#16)

    • Re-ordered and merged various top-level sections of the site to make the page easier to parse/navigate [][] and updated the documentation for SOURCE_DATE_EPOCH to clarify that the alternative -r call to date(1) is for compatibility with BSD variants of UNIX [].

    • Made a large number of visual fixups, particularly to accommodate the principles of responsive web design. [][][][][]

    • Updated the lint functionality of the build system to check for URIs that are not using /foo/-style relative URLs. []

  • Jelle van der Waa updated the Events page to correct invalid Markdown [] and fixed a typo of “distribution” on a previous event page [].

  • Thomas Vincent added a huge number of videos and slides to the Resources page [][][][][][] etc. as well as added a button to link to subtitles [] and fixing a bug when displaying metadata links [].

In addition, Atharva Lele added the Buildroot embedded Linux project to the “Who’s involved” page. []

Test framework

We operate a comprehensive Jenkins-based testing framework that powers The following changes were done in the last month:

  • Alexander Couzens (OpenWrt):
  • Holger Levsen:
    • Show Alpine-related jobs on the job health page. []
    • Alpine needs the jq command-line JSON processor for the new scheduler. []
    • Start a dedicated README.development file. []
    • Add support for some nodes running Debian buster already. []
  • Jelle van der Waa:
    • Change Arch Linux and Alpine BLACKLIST status to blacklist [] and GOOD to reproducible [] respectfully.
    • Add a Jenkins job to generate Arch Linux HTML pages. []
    • Fix the Arch Linux suites in the reproducible.ini file. []
    • Add an Arch JSON export Jenkins job. []
    • Create per-distribution reproducible JSON files. []
  • kpcyrd (Alpine):

    • Start adding an Alpine theme. []
    • Add an Alpine website. [][][][]
    • Add #alpine-reproducible to the KGB chat bot. []
    • Use the apk version instead of vercmp. []
    • Install/configure various parts of the chroot including passing in Git options [], adding the abuild group onto more servers [][], installing GnuPG []
    • Build packages using its own scheduler. [] [][]
    • Misc maintenance and fixups. [][]
  • Mattia Rizzolo:
    • Adjust the setup_pbuilder script to use [check-valid-until=no] instead of Acquire::Check-Valid-Until (re. (#926242)). []
Upstream patches

The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:

Distribution work

In Debian, 39 reviews of packages were added, 3 were updated and 8 were removed this month, adding to our knowledge about identified issues.

Chris Lamb also did more work testing of the reproducibility status of Debian Installer images. In particular, he was working around and patching an issue stemming from us testing builds far into the “future”. (#926242)

In addition, following discussions at MiniDebConf Hamburg, Ivo De Decker reviewed the situation around Debian bug #869184 again (“dpkg: source uploads including _amd64.buildinfo cause problems”) and updated the bug with some recommendations for the next Debian release cycle.

Bernhard M. Wiedemann posted his monthly Reproducible Builds status update for the openSUSE distribution.

Other tools

In diffoscope (our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues) Chris Lamb documented that run_diffoscope should not be considered a stable API [] and adjusted the configuration to build our Docker image from the current Git checkout, not the Debian archive []

Lastly, Chris Lamb added support for the clamping of tIME chunks in .png files [] to strip-nondeterminism, our tool to remove specific non-deterministic results from a completed build.

Misc news

On our mailing list this month Lars Wirzenius continued conversation regarding various questions about reproducible builds and their bearing on building a distributed continuous integration system which received many replies (thread index for May & June). In addition, Sebastian Huber asked whether anyone has attempted a reproducible build of a GCC compiler itself.

If you are interested in contributing the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

This month’s report was written by Alexander Borkowski, Arnout Engelen, Bernhard M. Wiedemann, Chris Lamb, heinrich5991, Holger Levsen, Jelle van der Waa, kpcyrd & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Patrick Matthäi: Maintainance of GeoIP legacy databases

Friday 5th of July 2019 01:19:39 PM

Since 9 months now Maxmind is not providing the CSV sources for their legacy database format, but only for their new GeoLite2 database. That is legitimate in my opinion, because the API is quite old and software projects should move to the new format, but mostly all (IMHO) important software projects still only support the old API.. :-(

So I have decided to spend again some more work in my geoip and geoip-database packages and I can say, that I will upload after the Buster release a new geoip source package, which also provides the converter I took from here:

Using this converter (and some more magic etc) I am now able to build the country v4+v6 legacy edition by using the GeoLite2 CSV database source :-)

So testing will be welcome and if everything is fine buster and stretch will get backports from this work in the future.

But I had to drop now the geoip-database-extra package, which includes also the AS and City (v4) database. I didn’t find a way to convert the sources and IMO they are not so important.

Bits from Debian: Upcoming Debian 10 "buster"!

Friday 5th of July 2019 06:00:00 AM

The Debian Release Team in coordination with several other teams are preparing the last bits needed for releasing Debian 10 "buster" on Saturday 6 July 2019. Please, be patient! Lots of steps are involved and some of them take some time, such as building the images, propagating the release through the mirror network, and rebuilding the Debian website so that "stable" points to Debian 10.

If you are considering create some artwork on the occasion of buster release, feel free to send us links to your creations to the (publicly archived) debian-publicity mailing list, so that we can disseminate them throughout our community.

Follow the live coverage of the release on or the @debian profile in your favorite social network! We'll spread the word about what's new in this version of Debian 10, how the release process is progressing during the weekend and facts about Debian and the wide community of volunteer contributors that make it possible.

If you want to celebrate the release of Debian 10 buster, join one of the many release parties or consider organizing one in your city! Celebration will also happen online on the Debian Party Line.

Petter Reinholdtsen: Teach kids to protect their privacy - the EDRi way

Thursday 4th of July 2019 05:10:00 PM

Childs need to learn how to guard their privacy too. To help them, European Digital Rights (EDRi) created a colorful booklet providing information on several privacy related topics, and tips on how to protect ones privacy in the digital age.

The 24 page booklet titled Digital Defenders is available in several languages. Thanks to the valuable contributions from members of the Electronic Foundation Norway (EFN) and others, it is also available in Norwegian Bokmål. If you would like to have it available in your language too, contribute via Weblate and get in touch.

But a funny, well written and good looking PDF do not have much impact, unless it is read by the right audience. To increase the chance of kids reading it, I am currently assisting EFN in getting copies printed on paper to distribute on the street and in class rooms. Print the booklet was made possible thanks to a small et of great sponsors. Thank you very much to each and every one of them! I hope to have the printed booklet ready to hand out on Tuesday, when the Norwegian Unix Users Group is organizing its yearly barbecue for geeks and free software zealots in the Oslo area. If you are nearby, feel free to come by and check out the party and the booklet.

If the booklet prove to be a success, it would be great to get more sponsoring and distribute it to every kid in the country. :)

As usual, if you use Bitcoin and want to show your support of my activities, please send Bitcoin donations to my address 15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b.

Dirk Eddelbuettel: digest 0.6.20

Thursday 4th of July 2019 04:42:00 PM

This morning, digest version 0.6.20 went to CRAN, and I will send a package to Debian shortly as well.

digest creates hash digests of arbitrary R objects (using the md5, sha-1, sha-256, sha-512, crc32, xxhash32, xxhash64, murmur32, and spookyhash algorithms) permitting easy comparison of R language objects.

This version contains only internal changes with a switch to the (excellent) tinytest package. This now allows you, dear user of the package, to run tinytest::test_package("digest") at any point post-installation to reassure yourself that all standard assertions and tests are still met in your installation. No other changes were made.

CRANberries provides the usual summary of changes to the previous version.

For questions or comments use the issue tracker off the GitHub repo.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Charles Plessy: Inbox zero

Thursday 4th of July 2019 12:52:28 PM

I accidentally erased all the emails in my inbox. This is very easy with mutt. I have some experience in recovering files, but last time I did, it was not so useful in the end. So please send me a reminder if you were expecting some answer from me!

Eddy Petrișor: HOWTO: Rustup: Overriding the rustc compiler version just for some directory

Thursday 4th of July 2019 10:02:47 AM
If you need to use a specific version of the rustc compiler instead of the default, the rustup documentation tells you how to do that.

First install the desired version, e.g. nightly-2018-01-09

$ rustup install nightly-2018-01-09
info: syncing channel updates for 'nightly-2018-01-09-x86_64-pc-windows-msvc'
info: latest update on 2018-01-09, rust version 1.25.0-nightly (b5392f545 2018-01-08)
info: downloading component 'rustc'
info: downloading component 'rust-std'
info: downloading component 'cargo'
info: downloading component 'rust-docs'
info: installing component 'rustc'
info: installing component 'rust-std'
info: installing component 'cargo'
info: installing component 'rust-docs'

  nightly-2018-01-09-x86_64-pc-windows-msvc installed - rustc 1.25.0-nightly (b5392f545 2018-01-08)

info: checking for self-updates
Then override the default compiler with the desired one in the top directory of your choice:

$ rustup override set nightly-2018-01-09
info: using existing install for 'nightly-2018-01-09-x86_64-pc-windows-msvc'
info: override toolchain for 'C:\usr\src\rust\sbenitez-cs140e' set to 'nightly-2018-01-09-x86_64-pc-windows-msvc'

  nightly-2018-01-09-x86_64-pc-windows-msvc unchanged - rustc 1.25.0-nightly (b5392f545 2018-01-08)That's it.

Daniel Kahn Gillmor: WKD for

Thursday 4th of July 2019 04:00:00 AM
WKD for

You can now fetch the OpenPGP certificate for any Debian developer who uses an e-mail address using Web Key Directory (WKD).


With modern GnuPG, if you're interested in the OpenPGP certificate for dkg just do:

gpg --locate-keys

By default, this will show you any matching certificate that you already have in your GnuPG local keyring. But if you don't have a matching certificate already, it will fall back to using WKD.

These certificates are extracted from the debian keyring and published at, as defined in the WKD spec. We intend to keep them up-to-date when ever the keyring-maint team publishes a new batch of certificates. Our tooling uses some repeated invocations of gpg to extract and build the published tree of files.

Debian is current not implementing the Web Key Directory Update Protocol (and we have no plans to do so). If you are a Debian developer and you want your OpenPGP certificate updated in WKD, please follow the normal procedures for Debian keyring maintenance like you always have.

What about other domains?

Our update here works great for e-mail addresses in the domain, but it has no direct effect for other e-mail addresses.

However, if you have an e-mail address in a domain you control, you can publish your own WKD. If you would rather use an e-mail service in a domain managed by other people, you might also be interested in GnuPG's list of e-mail service providers that offer WKD.


The SKS keyserver network has been vulnerable to abuse for years. The recent certificate flooding attacks make fetching an OpenPGP certificate from that pool a risky operation: potentially causing a denial of service against GnuPG. In particular, anyone can flood any certificate in SKS (or other common keyservers that are not resistant to abuse).

WKD avoids the problem of certificate flooding by arbitrary third parties. It's not a guaranteed defense against flooding though: the domain controller (and whoever they authorize to update the WKD) is still capable of offering a flooded certificate via WKD. On the plus side, at least some WKD clients do aggressive filtering on certificates found via WKD, which should limit the ability of an adversary to flood a certificate in your local keyring.


Setting this up would not have been possible without help from weasel and jcristau from the Debian System Administration team, and Noodles from the keyring-maint team.

WKD was designed and implemented by Werner Koch and the GnuPG team, in anticipation of this specific need.

Thanks to all of these people for making it possible.

What next?

There's some talk about publishing similar OpenPGP certificates in the DNS as well, using RFC 7929 (OPENPGPKEY) records, but we haven't set that up yet.

Junichi Uekawa: I practice French more recently.

Wednesday 3rd of July 2019 12:02:12 PM
I practice French more recently. I don't usually carry a laptop when I travel, which seems to be a change. I thought that would give me better focus but maybe that's not really happening.

Enrico Zini: live-wrapper fork

Wednesday 3rd of July 2019 10:26:59 AM

I might have accidentally forked live-wrapper.

I sometimes need to build Debian live iso images for work, and some time ago got into an inconvenient situation in which live-wrapper required software not available in Debian anymore, and there was no obvious replacement for it, so I forked it and tried to forward-port things and fill the gaps.

Over time this kind of grew: I ported it to python3, removed difficult dependencies, added several new features that I needed, and removed several that I didn't need.

I recently had a chance to document the result, which makes it good enough to be announced, so here it is. The README has an introduction and links to documentation, recipes and examples.

I'm not actively maintaining this except when work requires, so if there's anything extra you need for it, the best way to get it is via a merge request.

I'm not sure how much of live-wrapper is still left in the fork. If anyone starts using it, we should probably look into a new name.

Joey Hess: custom type checker errors for propellor

Tuesday 2nd of July 2019 08:53:16 PM

Since propellor is configured by writing Haskell, type errors are an important part of its interface. As more type level machinery has been added to propellor, it's become more common for type errors to refer to hard to understand constraints. And sometimes simple mistakes in a propellor config result in the type checker getting confused and spewing an error that is thousands of lines of gobbledygook.

Yesterday's release of the new type-errors library got me excited to improve propellor's type errors.

Most of the early wins came from using ghc's TypeError class, not the new library. I wanted custom type errors that were able to talk about problems with Property targets, like these:

• ensureProperty inner Property is missing support for: FreeBSD • This use of tightenTargets would widen, not narrow, adding: ArchLinux + FreeBSD • Cannot combine properties: Property FreeBSD Property HasInfo + Debian + Buntish + ArchLinux

So I wrote a type-level pretty-printer for propellor's MetaType lists. One interesting thing about it is that it rewrites types such as Targeting OSDebian back to the Debian type alias that the user expects to see.

To generate the first error message above, I used the pretty-printer like this:

(TypeError ('Text "ensureProperty inner Property is missing support for: " ':$$: PrettyPrintMetaTypes (Difference (Targets outer) (Targets inner)) ) )

Often a property constructor in propellor gets a new argument added to it. A propellor config that has not been updated to include the new argument used to result in this kind of enormous and useless error message:

• Couldn't match type ‘Propellor.Types.MetaTypes.CheckCombinable (Propellor.Types.MetaTypes.Concat (Propellor.Types.MetaTypes.NonTargets y0) (Data.Type.Bool.If (Propellor.Types.MetaTypes.Elem ('Propellor.Types.MetaTypes.Targeting 'OSDebian) (Propellor.Types.MetaTypes.Targets y0)) ('Propellor.Types.MetaTypes.Targeting 'OSDebian : Data.Type.Bool.If (Propellor.Types.MetaTypes.Elem ('Propellor.Types.MetaTypes.Targeting 'OSBuntish) -- many, many lines elided • In the first argument of ‘(&)’, namely ‘props & osDebian Unstable’

The type-errors library was a big help. It's able to detect when the type checker gets "stuck" reducing a type function, and is going to dump it all out to the user. And you can replace that with a custom type error, like this one:

• Cannot combine properties: Property <unknown> Property HasInfo + Debian + Buntish + ArchLinux + FreeBSD (Property <unknown> is often caused by applying a Property constructor to the wrong number of arguments.) • In the first argument of ‘(&)’, namely ‘props & osDebian Unstable’

Detecting when the type checker is "stuck" also let me add some custom type errors to handle cases where type inference has failed:

• ensureProperty outer Property type is not able to be inferred here. Consider adding a type annotation. • When checking the inferred type writeConfig :: forall (outer :: [Propellor.Types.MetaTypes.MetaType]) t. • Unable to infer desired Property type in this use of tightenTargets. Consider adding a type annotation.

Unfortunately, the use of TypeError caused one problem. When too many arguments are passed to a property constructor that's being combined with other properties, ghc used to give its usual error message about too many arguments, but now it gives the custom "Cannot combine properties" type error, which is not as useful.

Seems likely that's a ghc bug but I need a better test case to make progress on that front. Anyway, I decided I can live with this problem for now, to get all the other nice custom type errors.

The only other known problem with propellor's type errors is that, when there is a long list of properties being combined together, a single problem can result in a cascade of many errors. Sometimes that also causes ghc to use a lot of memory. While custom error messages don't help with this, at least the error cascade is nicer and individual messages are not as long.

Propellor 5.9.0 has all the custom type error messages discussed here. If you see a hard to understand error message when using it, get in touch and let's see if we can make it better.

This was sponsored by Jake Vosloo and Trenton Cronholm on Patreon.

Thomas Lange: Xterm fonts problems after Buster installation

Tuesday 2nd of July 2019 03:33:10 PM

I've installed a desktop with buster to see if my FAI configuration was working. When I opened a xterm window I say that the font I use looks different than on stretch. It looks not that clean and a little more bold.

I've checked if the correct fonts were used using "xterm -report-fonts" which correctly showed


I'm setting this in my ~/.Xdefaults

Xft.hintstyle: hintfull

but on Buster the hintstyle (reported by xterm -report-fonts) was now 1 instead of 3. I found out that the package fontconfig-config has a now a new debconf question:

fontconfig-config fontconfig/hinting_style

I've set this to hintfull, but still no change. Then I found a very detailed description on FreeType Subpixel Hinting and Debian bug #867657.

The solution was to also set the variable

export FREETYPE_PROPERTIES=truetype:interpreter-version=35


Bits from Debian: DebConf19 Cheese and Wine Party

Tuesday 2nd of July 2019 12:30:00 PM

In less than one month we will be in Curitiba to start DebCamp and DebConf19 \o/

This C&W is the 15th official DebConf Cheese and Wine party. The first C&W was improvised in Helsinki during DebConf 5, in the so-called "French" room. Cheese and Wine parties are now a tradition for DebConf.

The event is very simple: bring good edible stuff from your country. We like cheese and wine, but we love the surprising stuff that people bring from all around the world or regions of Brazil. So, you can bring non-alcoholic drinks or a typical food that you would like to share as well. Even if you don't bring anything, feel free to participate: our priorities are our attendants and free cheese.

We have to organize for a great party. An important part is planning - We want to know what you are bringing, in order to prepare the labels and organizing other things.

So, please go to our wiki page and add what you will bring!

If you don't have time to buy before travel, we list some places where you can buy cheese and wine in Curitiba. There are more information about C&W, what you can bring, vegan cheese, Brazil customs regulations and non-alcoholic drinks at our site.

C&W will happen on July 22nd, 2019 (Monday) after 19h30min.

We are looking forward to seeing you all here!

Keith Packard: Joining-SiFive

Monday 1st of July 2019 10:12:18 PM
Joining SiFive

I've accepted and offer for a full-time position with SiFive. I'll be starting on July 15th, 2019 and will be working on free software for RISC-V-based processors, among other tasks.

I really enjoyed my time at Hewlett Packard Labs and wish all the best for my colleagues there.

Alessio Treglia: Cosmos Hub and Reproducible Builds

Monday 1st of July 2019 04:11:26 PM

Open source software allows us to build trust in a distributed, collaborative software development process, to know that the software behaves as expected and is reasonably secure. But the benefits of open source are strongest for those who directly interact with the source code. These people can use a computer which they trust to compile the source code into an operational version for themselves. Distributing binaries of open source software breaks this trust model, and reproducible builds restores it.

Tendermint Inc is taking the first steps towards a trustworthy binary distribution process. Our investment in reproducible builds makes doing binary distributions of the gaia software a possibility. We envision that the Cosmos Hub community will be our partners in building trust in this process. The governance features of the Cosmos Hub will enable a novel collaboration between Tendermint and that validator community to release only binaries that can be trusted by anyone.

Here is our game plan.

The release of the cosmoshub-3 will support our new reproducible build process. Tendermint developers will make a governance proposal with the hashes of all supported binaries. We will ask ATOM holders to reproduce the builds on computers they control and vote YES if the hashes match.

If the proposal passes, we will make the binaries available here via Github.

The benefits of reproducible builds

Gaia reproducible binaries then bring many significant advantages to developers and end users:

  • Build sanity — the guarantee that the gaia suite can always be built from sources.
  • Enable third-parties to independently verify executables to ensure that no vulnerabilities were introduced at build time.
  • Large body of independent builders can eventually come to consensus on the correct reproducible binary output and protect themselves from targeted attacks.
How to verify that gaia binaries correspond to a repository snapshot

The gaia repository comes with the required tooling to build both server and client applications deterministically. First you need to clone and checkout the release branch or the commit you want to produce the binaries from. For instance, if you intend to build and sign reproducible binaries for all supported platforms of gaia’s master branch, you may want to do the following:

git clone && cd gaia chmod +x contrib/ ./contrib/ -s all

Append the -c flag to the above command if you want to upload your signature to the repository as well.

If you want to build the binaries only without signing the build result, just type:

./contrib/ all

Further information can be found here:…/docs/

References Credits

Co-authored with Zaki Manian

John Goerzen: Treasuring Moments

Monday 1st of July 2019 02:35:36 PM

“Treasure the moments you have. Savor them for as long as you can, for they will never come back again.”

– J. Michael Straczynski

This quote sits on a post-it note on my desk. Here are some moments of our fast-changing little girl that I’m remembering today — she’s almost 2!

Brothers & Sister

Martha loves to play with her siblings. She has names for them — Jacob is “beedoh” and Oliver is “ah-wah”. When she sees them come home, she gets a huge smile and will screech with excitement. Then she will ask them to play with her.

She loves to go down the slide with Jacob. “Beedoh sigh?” (Jacob slide) — that’s her request. He helps her up, then they go down together. She likes to swing side-by-side with Oliver. “Ahwah sing” (Oliver swing) when she wants him to get on the swing next to her. The boys enjoy teaching her new words and games.

[Video: Martha and Jacob on the slide]


Martha loves music! To her, “sing” is a generic word for music. If we’re near a blue speaker, she’ll say “boo sing” (blue sing) and ask for it to play music.

But her favorite request is “daddy sing.” It doesn’t mean she wants me to sing. No, she wants me to play my xaphoon (a sax-like instrument). She’ll start jumping, clapping, and bopping her head to the music. Her favorite spot to do this is a set of soft climbing steps by the piano.

But that’s not enough — next she pulls out our hymnbooks and music books and pretends to sing along. “Wawawawawawa the end!”

If I decide to stop playing, that is most definitely not allowed. “Daddy sing!” And if I don’t comply, she gets louder and more insistent: “DADDY SING.”

[Videos: Martha singing and reading from hymn books, singing her ABCs]


Martha loves airplanes. She started to be able to say “airplane” — first “peen”, then “airpeen”, and now “airpane!” When we’re outside and she hears any kind of buzzing that might possibly be a plane, I’m supposed to instantly pick her up and carry her past our trees so we can look for it. “AIRPANE! AIRPANE! Ho me?” (hold me) Then when we actually see a plane, it’s “Airpane! Hi airpane!” And as it flies off, “Bye-bye airpane. Bye-bye. [sadly] Airpane all done.”

One day, Martha was trying to see airplanes, but it was cloudy. I bundled her up and we went to our local GA airport and stood in the grass watching planes. Now that was a hit! Now anytime Martha sees warehouse-type buildings, she thinks they are hangars, and begs to go to the airport. She loves to touch the airplane, climb inside it, and look at the airport beacon — even if we won’t be flying that day.

[Video: Hi big plane!]

Martha getting ready for a flight

This year, for Mother’s Day, we were going to fly to a nearby airport with a restaurant on the field. I took a photo of our family by the plane before we left. All were excited!

Mother’s Day photo Mornings

We generally don’t let Martha watch TV, but make a few exceptions for watching a few videos and looking at family pictures. Awhile back, Martha made asked to play with me while I was getting ready for the day. “Martha, I have to get dressed first. Then I’ll play with you.” “OK,” she said.

She ran off into the closet, and came back with what she could reach of my clothing – a dirty shirt, and handed it up to me to wear. I now make sure to give her the chance to bring me socks, shirts, etc. And especially shoes. She really likes to bring me shoes.

Then we go downstairs. Sometimes she sits on my lap in the office and we watch Youtube videos of owls or fish. Or sometimes we go downstairs and start watching One Six Right, a wonderful aviation documentary. She and I jabber about what we see — she can identify the beacon (“bee”), big hangar door (“bih doh”), airplanes of different colors (“yellow one”), etc. She loves to see a little Piper Cub fly over some cows, and her favorite shot is a plane that flies behind the control tower at sunset. She’ll lean over and look for it as if it’s going around a corner.

Sometimes we look at family pictures and videos. Her favorite is a video of herself in a plane, jabbering and smiling. She’ll ask to watch it again and again.


Part of our bedtime routine is that I read a story to Martha. For a long time, I read her The Very Hungry Caterpillar by Eric Carle. She loved that book, and one night said “geecko” for pickle. She noticed I clapped for it, and so after that she always got excited for the geeckos and would clap for them.

Lately, though, she wants the “airpane book” – Clair Bear’s First Solo. We read through that book, she looks at the airplanes that fly, and always has an eye out for the “yellow one” and “boo one” (blue plane). At the end, she requests “more pane? More pane?”

After that, I wave goodnight to her. She used to wave back, but now she says “Goodnight, daddy!” and heads on up the stairs.

Jonas Meurer: debian lts report 2019.06

Monday 1st of July 2019 12:59:09 PM
Debian LTS report for June 2019

This month I was allocated 17 hours. I also had 1.75 hours left over from May, which makes a total of 18.75 hours. I spent 16.75h of them on the following issues, which means I again carry over 2h to the next month.


Julien Danjou: Handling multipart/form-data natively in Python

Monday 1st of July 2019 09:21:00 AM

RFC7578 (who obsoletes RFC2388) defines the multipart/form-data type that is usually transported over HTTP when users submit forms on your Web page. Nowadays, it tends to be replaced by JSON encoded payloads; nevertheless, it is still widely used.

While you could decode an HTTP body request made with JSON natively with Python — thanks to the json module — there is no such way to do that with multipart/form-data. That's something barely understandable considering how old the format is.

There is a wide variety of way available to encode and decode this format. Libraries such as requests support this natively without making you notice, and the same goes for the majority of Web server frameworks such as Django or Flask.

However, in certain circumstances, you might be on your own to encode or decode this format, and it might not be an option to pull (significant) dependencies.


The multipart/form-data format is quite simple to understand and can be summarised as an easy way to encode a list of keys and values, i.e., a portable way of serializing a dictionary.

There's nothing in Python to generate such an encoding. The format is quite simple and consists of the key and value surrounded by a random boundary delimiter. This delimiter must be passed as part of the Content-Type, so that the decoder can decode the form data.

There's a simple implementation in urllib3 that does the job. It's possible to summarize it in this simple implementation:

import binascii import os def encode_multipart_formdata(fields): boundary = binascii.hexlify(os.urandom(16)).decode('ascii') body = ( "".join("--%s\r\n" "Content-Disposition: form-data; name=\"%s\"\r\n" "\r\n" "%s\r\n" % (boundary, field, value) for field, value in fields.items()) + "--%s--\r\n" % boundary ) content_type = "multipart/form-data; boundary=%s" % boundary return body, content_type

You can use by passing a dictionary where keys and values are bytes. For example:

encode_multipart_formdata({"foo": "bar", "name": "jd"})

Which returns:

--00252461d3ab8ff5c25834e0bffd6f70 Content-Disposition: form-data; name="foo" bar --00252461d3ab8ff5c25834e0bffd6f70 Content-Disposition: form-data; name="name" jd --00252461d3ab8ff5c25834e0bffd6f70-- multipart/form-data; boundary=00252461d3ab8ff5c25834e0bffd6f70

You can use the returned content type in your HTTP reply header Content-Type. Note that this format is used for forms: it can also be used by emails.

Emails did you say?

Encoding with email

Right, emails are usually encoded using MIME, which is defined by yet another RFC, RFC2046. It turns out that multipart/form-data is just a particular MIME format, and that if you have code that implements MIME handling, it's easy to use it to implement this format.

Fortunately for us, Python standard library comes with a module that handles exactly that: email.mime. I told you it was heavily used by email — I guess that's why they put that code in the email subpackage.

Here's a piece of code that handles multipart/form-data in a few lines of code:

from email import message from email.mime import multipart from email.mime import nonmultipart from email.mime import text class MIMEFormdata(nonmultipart.MIMENonMultipart): def __init__(self, keyname, *args, **kwargs): super(MIMEFormdata, self).__init__(*args, **kwargs) self.add_header( "Content-Disposition", "form-data; name=\"%s\"" % keyname) def encode_multipart_formdata(fields): m = multipart.MIMEMultipart("form-data") for field, value in fields.items(): data = MIMEFormdata(field, "text", "plain") data.set_payload(value) m.attach(data) return m

Using this piece of code returns the following:

Content-Type: multipart/form-data; boundary="===============1107021068307284864==" MIME-Version: 1.0 --===============1107021068307284864== Content-Type: text/plain MIME-Version: 1.0 Content-Disposition: form-data; name="foo" bar --===============1107021068307284864== Content-Type: text/plain MIME-Version: 1.0 Content-Disposition: form-data; name="name" jd --===============1107021068307284864==--

This method has several advantages over our first implementation:

  • It handles Content-Type for each of the added MIME parts. We could add other data types than just text/plain like it is implicitly done in the first version. We could also specify the charset (encoding) of the textual data.
  • It's very likely more robust by leveraging the wildly tested Python standard library.

The main downside, in that case, is that the Content-Type header is included with the content. In case of handling HTTP, it is problematic as this needs to be sent as part of the HTTP header and not as part of the payload.

It should be possible to build a particular generator from email.generator that does this. I'll leave that as an exercise to you, reader.


We must be able to use that same email package to decode our encoded data, right? It turns out that's the case, with a piece of code that looks like this:

import email.parser msg = email.parser.BytesParser().parsebytes(my_multipart_data) print({ part.get_param('name', header='content-disposition'): part.get_payload(decode=True) for part in msg.get_payload() })

With the example data above, this returns:

{'foo': b'bar', 'name': b'jd'}

Amazing, right?

The moral of this story is that you should never underestimate the power of the standard library. While it's easy to add a single line in your list of dependencies, it's not always required if you dig a bit into what Python provides for you!

Mike Hommey: Announcing git-cinnabar 0.5.2

Monday 1st of July 2019 05:17:21 AM

Git-cinnabar is a git remote helper to interact with mercurial repositories. It allows to clone, pull and push from/to mercurial remote repositories, using git.

Get it on github.

These release notes are also available on the git-cinnabar wiki.

What’s new since 0.5.1?
  • Updated git to 2.22.0 for the helper.
  • cinnabarclone support is now enabled by default. See details in and mercurial/
  • cinnabarclone now supports grafted repositories.
  • git cinnabar fsck now does incremental checks against last known good state.
  • Avoid git cinnabar sometimes thinking the helper is not up-to-date when it is.
  • Removing bookmarks on a Mercurial server is now working properly.

More in Tux Machines

Audiocasts/Shows: Jupiter (Linux Academy) and TLLTS

Android Leftovers

KMyMoney 5.0.6 released

The KMyMoney development team today announces the immediate availability of version 5.0.6 of its open source Personal Finance Manager. Another maintenance release is ready: KMyMoney 5.0.6 comes with some important bugfixes. As usual, problems have been reported by our users and the development team fixed some of them in the meantime. The result of this effort is the brand new KMyMoney 5.0.6 release. Despite even more testing we understand that some bugs may have slipped past our best efforts. If you find one of them, please forgive us, and be sure to report it, either to the mailing list or on Read more

Games: Don't Starve Together, Cthulhu Saves the World, EVERSPACE 2 and Stadia

  • Don't Starve Together has a big free update adding in boats and a strange island

    Klei Entertainment have given the gift of new features to their co-op survival game Don't Starve Together, with the Turn of Tides update now available. Taking a little inspiration from the Shipwrecked DLC available for the single-player version Don't Starve, this new free update enables you to build a boat to carry you and other survivors across the sea. Turn of Tides is the first part of a larger update chain they're calling Return of Them, so I'm excited to see what else is going to come to DST.

  • Cthulhu Saves the World has an unofficial Linux port available

    In response to an announcement to a sequel to Cthulhu Saves the World, Ethan Lee AKA flibitijibibo has made a unofficial port for the original and a few other previously Windows-only games. As a quick reminder FNA is a reimplementation of the proprietary XNA API created by Micrsosoft and quite a few games were made with that technology. We’ve gotten several ports thanks to FNA over the years though Ethan himself has mostly moved on to other projects like working on FAudio and Steam Play.

  • EVERSPACE 2 announced, with more of a focus on exploration and it will release for Linux

    EVERSPACE is probably one of my absolute favourite space shooters from the last few years, so I'm extremely excited to see EVERSPACE 2 be announced and confirmed for Linux. For the Linux confirmation, I reached out on Twitter where the developer replied with "#Linux support scheduled for full release in 2021!".

  • Google reveal more games with the latest Stadia Connect, including Cyberpunk 2077

    Today, Google went back to YouTube to show off an impressive list of games coming to their Stadia game streaming service, which we already know is powered by Debian Linux and Vulkan. As a reminder, Google said not to see Stadia as if it was the "Netflix of games", as it's clearly not. Stadia Base requires you to buy all your games as normal, with Stadia Pro ($9.99 monthly) giving you a trickle of free games to access on top of 4K and surround sound support.