This blog aggregator contains both the current posts from our official blog and my personal blog with technical articles about open source and free software.

Debian LTS

November marked the 21st month I contributed to Debian LTS under the Freexian umbrella. I had 8 hours allocated which I used for:

  • the first half of an LTS front desk week
  • updating icedove 45.6.0 resulting in DLA-782-1 fixing 8 CVEs
  • releasing DLA-783-1 for XEN, the actual update was provided by credativ
  • testing the bind9 update prepared by Thorsten Alteholz
  • fixing 8 CVEs in imagemagick resulting in DLA-807-1.
  • work on recent qemu CVEs

Other Debian stuff

  • Usual bunch of libvirt and related uploads
  • Uploaded git-buildpackage 0.8.10 to experimental and unstable fixing (among other things) a long-standing bug when using multiple tarballs with filters and pristine-tar as well as making generated orig tarballs reproducible so one gets identical tarballs even without pristine-tar.
  • Ran a gbp import-dsc of unstable and filed bugs for cases where pristine-tar would not import the package. Started to look into git-apply errors.

Some other Free Software activities

  • libplanfahr: switched the example to python3 and made it parse arguments without date as "today":

    $ ./run python examples/trip-query.py --when=21:00 Essen Gelsenkirchen
    Loaded provider de_db
    Start: Essen Hbf
    End: Gelsenkirchen Hbf
    Trip #1
           Start:     Essen Hbf
           Departure: 2017-02-02 21:18
           Delay:     0
           End:       Gelsenkirchen Hbf
           Arrival:   2017-02-02 21:26
           Delay:     0
           Switches:  0
    Trip #2
           Start:     Essen Hbf
           Departure: 2017-02-02 21:22
           Delay:     0
           End:       Gelsenkirchen Hbf
           Arrival:   2017-02-02 21:33
           Delay:     0
           Switches:  0
    Trip #3
           Start:     Essen Hbf
           Departure: 2017-02-02 21:44
           Delay:     0
           End:       Gelsenkirchen Hbf
           Arrival:   2017-02-02 21:52
           Delay:     0
           Switches:  0
  • Proposed a workaround to rbvmomi to massively speedup cloning under certain conditions when using CachedOVFDeployer

  • Proposed a fix to unbreak ansible's zypper module on first installations
  • Made ausroller use git-buildpackage from pypi on non Debian based distros
  • Made further progress on the Merkur board clones

Posted Thu 02 Feb 2017 17:48:57 CET

Debian LTS

November marked the 20th month I contributed to Debian LTS under the Freexian umbrella. I had 8 hours allocated which I used by:

  • some rather quiet frontdesk days
  • updating icedove to 45.5.1 resulting in DLA-752-1 fixing 7 CVEs
  • looking whether Wheezy is affected by xsa-202, xsa-203, xsa-204 and handling the communication with credativ for these (update not yet released)
  • Assessing cURL/libcURL CVE-2016-9586
  • Assessing whether Wheezy's QEMU is affected by security issues in 9pfs "proxy" and "handle" code
  • Releasing DLA-776-1 for samba fixing CVE-2016-2125

Other Debian stuff

Some other Free Software activities

Posted Mon 09 Jan 2017 09:24:01 CET

Debian LTS

November marked the nineteenth month I contributed to Debian LTS under the Freexian umbrella. I had 7 hours allocated which I used completely by:

  • Being at LTS frontdesk twice (at the beginning and end of November) triaging about ~30 CVEs.
  • Preparing and releasing DLA-698-1 for QEMU fixing 9 CVEs
  • Putting out DLA-699-1 for xen, the actual xen update was prepared by Bastian Blank

Other Debian stuff

  • Usual bunch of libvirt and related uploads (osinfo-db-tools, libvirt-python, libosinfo)
  • Sponsored svn2git upload
  • Uploaded git-buildpackage 0.8.7 to unstable (list of changes)

Some other Free Software activities

Posted Fri 09 Dec 2016 15:18:59 CET

Debian LTS

October marked the eighteenth month I contributed to Debian LTS under the Freexian umbrella. I spent 10 hours (out of allocated 9)

  • updating Icedove to 45.4 resulting in DLA-658-1
  • looking into current xen issues and handling the communication with credativ
  • investigating QEMU CVE-2016-7466 in Wheezy and Jessie
  • backporting patches for qemu-kvm to fix 9 CVEs resulting in DLA-689-1
  • starting with lts frontdesk (more on that next month)

Other Debian stuff

  • Carsten and myself had the chance to talk at the Kopano conference about Debian and the state of Kopano in Debian (slides)
  • Uploaded kopanocore to unstable, currently waiting in new
  • Several Libvirt and Libvirt (2.3.0, 2.4.0~rc*) related uploads (libvirt 2.3.0, libvirt-python, ruby-libvirt 0.7.0)
  • Uploaded libosinfo 1.0.0 to experimental. This version has the osinfo database split out into its own source package (osinfo-db, waiting in new) so the operating system and hypervisor information is updateable during a stable release without having to update the library itself

Some other Free Software activities

Posted Thu 03 Nov 2016 19:09:03 CET

Debian LTS

September marked the seventeenth month I contributed to Debian LTS under the Freexian umbrella. I spent 6 hours (out of 7) working on

  • updating Icedove to 45.3 resulting in DLA-640-1
  • finishing my work on bringing rails into shape security wise resulting in DLA-641-1 for ruby-activesupport-3.2 and DLA-642-1 for ruby-activerecord-3.2.
  • enhancing the autopkgtests for qemu a bit

Other Debian stuff

  • Uploaded libvirt 2.3.0~rc1 to experimental
  • Uploaded whatmaps to 0.0.12 in unstable.
  • Uploaded git-buildpackage 0.8.4 to unstable.

Other Free Software activities

  • Ansible: got the foreman callback plugin needed for foreman_ansible merged upstream.
  • Made several improvements to foreman_ansible_inventory (an ansible dynamic inventory querying Foreman): Fixing an endless loop when Foreman would miscalculate the number of hosts to process, flake8 cleanliness and some work on python3 support
  • ansible-module-foreman:
    • unbreak defining subnets by setting the default boot mode.
    • add support for configuring realms
  • Foreman: add some robustness to the nice rebuild host feature when DNS entries are already there
  • Released whatmaps 0.0.12.
    • Errors related to a single package don't abort the whole program but rather skip over it now.
    • Systemd user sessions are filtered out
    • The codebase is now checked with flake8.

Posted Sun 09 Oct 2016 16:59:37 CEST

Debian LTS

August marked the sixteenth month I contributed to Debian LTS under the Freexian umbrella. I spent 9 hours (of allocated 8) mostly on Rails related CVEs which resulted in DLA-603-1 and DLA-604-1 fixing 6 CVEs and marking others as not affecting the packages. The hardest part was proper testing since the split packages in Wheezy don't allow to run the upstream test suite as is. There's still CVE-2016-0753 which I need to check if it affects activerecord or activesupport.

Additionally I had one relatively quiet week of LTS frontdesk work triaging 10 CVEs.

Other Debian stuff

  • I uploaded git-buildpackage 0.8.2 to experimental and 0.8.3 to unstable. The latter bringing all the enhancements and bugfixes since Debconf 16 to sid and testing.
  • The usual bunch of libvirt related uploads

Posted Tue 06 Sep 2016 20:08:51 CEST

Gathering from some recent discussions it seems to be not that well known that Foreman (a lifecycle tool for your virtual machines) does not only integrate well with Puppet but also with ansible. This is a list of tools I find useful in this regard:

  • The ansible-module-foreman ansible module allows you to set up all kinds of resources like images, compute resources, hostgroups, subnets, domains within Foreman itself via ansible using Foreman's REST API. E.g. creating a hostgroup looks like:

    - foreman_hostgroup:
        name: AHostGroup
        architecture: x86_64
        domain: a.domain.example.com
        foreman_host: "{{ foreman_host }}"
        foreman_user: "{{ foreman_user }}"
        foreman_pass: "{{ foreman_pw }}"
  • The foreman_ansible plugin for Foreman allows you to collect reports and facts from ansible provisioned hosts. This requires an additional hook in your ansible config like:

    callback_plugins = path/to/foreman_ansible/extras/

    The hook will report back to Foreman after a playbook has finished.

  • There are several options for creating hosts in Foreman via the ansible API. I'm currently using ansible_foreman_module tailored for image based installs. In a playbook this looks like:

    - name: Build 10 hosts
      foremanhost:
        name: "{{ item }}"
        hostgroup: "a/host/group"
        compute_resource: "hopefully_not_esx"
        subnet: "webservernet"
        environment: "{{ env|default(omit) }}"
        ipv4addr: "{{ from_ipam|default(omit) }}"
        # Additional params to tag on the host
        params:
            app: varnish
            tier: web
            color: green
        api_user: "{{ foreman_user }}"
        api_password: "{{ foreman_pw }}"
        api_url: "{{ foreman_url }}"
      with_sequence:  start=1 end=10 format="newhost%02d"
  • The foreman_ansible_inventory is a dynamic inventory script for ansible that fetches all your hosts and groups via the Foreman REST APIs. It automatically groups hosts in ansible from Foreman's hostgroups, environments, organizations and locations and allows you to build additional groups based on any available host parameter (and combinations thereof). So using the above example and this configuration:

    group_patterns = ["{app}-{tier}", "{color}"]

    it would build the additional ansible groups varnish-web, green and put the above hosts into them. This way you can easily select the hosts for e.g. blue green deployments. You don't have to pass the parameters during host creation, if you have parameters on e.g. domains or hostgroups these are available too for grouping via group_patterns.

  • If you're grouping your hosts via the above inventory script and you use lots of parameters then having these displayed in the detail page can be useful. You can use the foreman_params_tab plugin for that.
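
How `group_patterns` turns parameters into ansible groups, as an added Python example that is not code from foreman_ansible_inventory. The host data, the domain-level parameter, the `to_safe` helper and the rule that a pattern is skipped for a host when one of its parameters is unset are assumptions made for illustration.

```python
import re

# Constructed sample data: parameters defined at domain and host level.
DOMAIN_PARAMS = {"a.domain.example.com": {"color": "blue"}}
HOSTS = [
    {"name": "newhost01", "domain": "a.domain.example.com",
     "params": {"app": "varnish", "tier": "web", "color": "green"}},
    {"name": "newhost02", "domain": "a.domain.example.com",
     "params": {"app": "varnish", "tier": "web"}},  # color comes from the domain
    {"name": "dbhost01", "domain": "a.domain.example.com",
     "params": {"app": "postgres"}},                # no tier set
]
GROUP_PATTERNS = ["{app}-{tier}", "{color}"]


def effective_params(host, domain_params):
    """Merge domain-level parameters with host-level ones (host wins)."""
    merged = dict(domain_params.get(host["domain"], {}))
    merged.update(host["params"])
    return merged


def to_safe(name):
    """Replace characters that are awkward in ansible group names (assumed rule)."""
    return re.sub(r"[^A-Za-z0-9_\-]", "_", name)


def build_groups(hosts, patterns, domain_params):
    """Return {group: [hostnames]} for every pattern a host can satisfy."""
    groups = {}
    for host in hosts:
        params = effective_params(host, domain_params)
        for pattern in patterns:
            try:
                group = to_safe(pattern.format(**params))
            except KeyError:
                # A parameter named in the pattern is unset for this host:
                # the host simply does not join a group for this pattern.
                continue
            groups.setdefault(group, []).append(host["name"])
    return groups


if __name__ == "__main__":
    result = build_groups(HOSTS, GROUP_PATTERNS, DOMAIN_PARAMS)
    for group, members in sorted(result.items()):
        print(group, members)
```
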

There's also support for triggering ansible runs from within Foreman itself but I've not used that so far.

Posted Fri 19 Aug 2016 11:16:03 CEST

Debian LTS

July marked the fifteenth month I contributed to Debian LTS under the Freexian umbrella. As usual I spent the 8 hours working on these LTS things:

  • Updated QEMU and QEMU-KVM packages to fix CVE-2016-5403, CVE-2016-4439, CVE-2016-4020, CVE-2016-2857 and CVE-2015-5239 resulting in DLA-573-1 and DLA-574-1
  • Updated icedove to 45.2.0 fixing CVE-2016-2818 resulting in DLA-574-1
  • Reviewed and uploaded xen 4.1.6.lts1-1. The update itself was prepared by Bastian Blank.
  • The little bit of remaining time I spent on further work on the ruby-active{model,record}-3.2 and ruby-actionpack-3.2 (aka rails) CVEs. Although I have fixes for most of the CVEs already there are still some left where I'm not yet clear if the packages are affected.
  • Added some trivial autopkgtest for qemu-img (#832982) (on non LTS time)

Other Debian stuff

  • Fixed CVE-2016-5008 by uploading libvirt 2.0.0 to sid and 1.2.9-9+deb8u3 to stable-p-u
  • Uploaded libvirt 2.1.0~rc1 to experimental
  • Uploaded libvirt-python 2.0.0 to sid
  • Uploaded libosinfo 0.3.1 to sid preparing for the upcoming upstream package split
  • Uploaded virt-manager 1.4.0 to sid
  • Uploaded network-manager-iodine 1.2.0 to sid
  • Uploaded cups-pk-helper 0.2.6 to sid
  • Triaged apparmor related bugs in libvirt most notably the one affecting hotplugging of disks (#805002) which turned out to be rooted in the kernel not reloading profiles properly.
  • Uploaded git-buildpackage 0.8.0, 0.8.1 to experimental adding additional tarball support to gbp import-orig among other things

Posted Wed 03 Aug 2016 09:02:49 CEST

Debian LTS

June marked the fourteenth month I contributed to Debian LTS under the Freexian umbrella. I spent the 8 hours working on these LTS things:

  • Reviewed and tested libxml2 2.8.0+dfsg1-7+wheezy6

  • Fixed #825508 in mozilla-devscripts to prepare for the Icedove update resulting in DLA-518-1.

  • Rebased the proposed Wheezy Icedove update against the Jessie version and uploaded resulting in DLA-519-1.

  • Sent out the DLA-521-1 for Iceweasel, the upload was all done by Mike Hommey.

  • Rebuilt enigmail with the fixed mozilla-devscripts so it can still be used in Wheezy, resulting in DLA-523-1.

  • continue to work on updates for CVE-2016-0753 for ruby-active{record,support}-3.2 - not yet finished.

  • Looked into open qemu-kvm and qemu CVEs marking CVE-2015-8666 as no-dsa and fixing CVE-2016-3710 and CVE-2016-3712 via DLA-540-1 and DLA-539-1.

Other Debian stuff

Besides the usual bunch of libvirt* uploads I addressed several bugs in git-buildpackage, upload pending.

Posted Sat 02 Jul 2016 21:23:44 CEST

Debian LTS

May marked the thirteenth month I contributed to Debian LTS under the Freexian umbrella. I spent the 17.25 hours working on these LTS things:

  • Fixed CVE-2014-7210 in pdns resulting in DLA-492-1
  • Fixed the build failure of Icedove on armhf resulting in DLA 472-2
  • Forward ported our nss, nspr enhancements to the current versions in testing to continue the discussion on the same nss and nspr versions in all suites including some ABI compliance research (thanks abi-compliance-tester!), resulting in 824872.
  • Backported Icedove 45 and Enigmail to wheezy to check if we can continue to support it - we can with minor tweaks. Upload will happen in June.
  • While at that added some autopkgtests for Icedove 45 resulting in 809723 (already applied).
  • Released DLA-498-1 for ruby-active-model-3.2 to address CVE-2016-0753.
  • Reviewed the Updates of ruby-active-record-3.2 for CVE-2015-7577 and eglibc.

Other Debian stuff

  • Uploaded libvirt 1.3.4 to sid, 1.3.5~rc1 to experimental
  • Uploaded libosinfo 0.3.0 to sid
  • Uploaded git-buildpackage 0.7.4 to sid including experimental multiple tarball support for gbp buildpackage

Posted Fri 10 Jun 2016 19:38:06 CEST