This blog aggregator contains both the current posts from our official blog and my personal blog with technical articles about Open Source and Free Software.

Debian LTS

April marked the 24th month I contributed to Debian LTS under the Freexian umbrella. I had 8 hours allocated plus 4 hours left from March which I used by:

  • releasing DLA-881-1 for ejabberd. The actual package was prepared by Philipp Huebner fixing two CVEs
  • preparing and releasing DLA-896-1 for icedove. This update involved the debranding of Icedove back to Thunderbird fixing 17 CVEs
  • preparing and releasing DLA-895-1 of openoffice.org-dictionaries so the provided dictionaries stay installable with the new thunderbird package
  • preparing and releasing DLA-903-1 of hunspell-en-us so the provided dictionary stays installable with the new thunderbird package
  • preparing and releasing DLA-904-1 of uzbek-wordlist so the provided dictionaries stay installable with the new thunderbird package
  • handling the communication with credativ regarding XSA-212
  • triaging of several QEMU/KVM CVEs
  • backporting large amounts of the cirrus_vga driver to Wheezy's qemu-kvm to fix 3 cirrus_vga related CVEs. The DLA is not released yet since I'm awaiting some more feedback about the test packages. Give them a try!
  • Looking into the 9pfs related CVEs in qemu-kvm. Work will be resumed in May.

Other Debian stuff

  • organized the 10th installment of the Debian Groupware Meeting. A more detailed report on this is pending.
  • uploaded osinfo-db 0.20170225-2 to unstable which builds now reproducibly (thanks Chris Lamb) and has support added for the Stretch RC3 installer
  • uploaded libvirt 1.2.9-9+deb8u4 to jessie which now works with newer QEMU (thanks Hilko Bengen)
  • uploaded libvirt 3.0.0-4 to unstable unbreaking it for architectures that don't support probing CPU definitions in QEMU (like mips) and unbreaking the use of qemu-bridge-helper with apparmor so gnome-boxes works apparmored now too
  • uploaded python-vobject to experimental. The package was prepared by Jelmer Vernooij. I made some minor cleanups and added an autopkgtest.
  • uploaded hunspell-en-us, uzbek-wordlist, openoffice.org-dictionaries to jessie-security to not conflict with the new thunderbird package (see above)
  • sponsored the upload of icedove 1:45.8.0-3~deb8u1 to jessie-security.
  • sponsored the upload of python-selenium 2.53.2+dfsg1-2 to experimental


Released versions 0.8.14 and 0.8.15. Notable changes besides bug fixes:

  • gbp buildpackage will now default to --merge-mode=replace for 3.0 (quilt) packages to avoid merges where no merge is necessary.
  • gbp buildpackage --git-export=WC now implies --git-ignore-new --git-ignore-branch to make it simpler to use
  • gbp buildpackage now has a "sloppy" mode to create an upstream tarball that uses the debian branch as base. This can help to test build from a patched tree. The main reason was to give people a way to not care about 3.0 (quilt) intrinsics when getting started with packaging.
  • gbp clone now supports vcsgit: and github: pseudo URLs:

    $ gbp clone vcsgit:libvirt
    gbp:info: Cloning from 'https://anonscm.debian.org/git/pkg-libvirt/libvirt.git'
    $ gbp clone github:agx/libvirt-debian
    gbp:info: Cloning from 'https://github.com/agx/libvirt-debian.git'

The versions are also available on pypi.

Posted Thu 04 May 2017 03:42:29 PM CEST

Debian LTS

February marked the 22nd month I contributed to Debian LTS under the Freexian umbrella. I had 8 hours allocated which I used by:

  • the 2nd half of a LTS frontdesk week
  • an update to lts-cve-triage.py so we don't ignore undetermined issues anymore
  • testing the bind9 update prepared by Thorsten Alteholz
  • testing of apache2 packages prepared by Jonas Meurer and Antoine Beaupré
  • triaging of QEMU CVEs and fixing most of them resulting in DLA-842-1

Other Debian stuff

  • libvirt and gtk-vnc uploads to fix CVEs in unstable and stretch
  • A git-buildpackage upload to unstable to unbreak importing large histories with import-dsc
  • Some CSS improvements for git-buildpackage to (hopefully) make the manual easier to read.

Some other Free Software activities

Nothing exciting, just some minor fixes at several places:

Posted Thu 02 Mar 2017 11:15:22 AM CET

Debian LTS

November marked the 21st month I contributed to Debian LTS under the Freexian umbrella. I had 8 hours allocated which I used for:

  • the first half of a LTS front desk week
  • updating icedove 45.6.0 resulting in DLA-782-1 fixing 8 CVEs
  • releasing DLA-783-1 for XEN, the actual update was provided by credativ
  • testing the bind9 update prepared by Thorsten Alteholz
  • fixing 8 CVEs in imagemagick resulting in DLA-807-1.
  • work on recent qemu CVEs

Other Debian stuff

  • Usual bunch of libvirt and related uploads
  • Uploaded git-buildpackage 0.8.10 to experimental and unstable fixing (among other things) a long standing bug when using multiple tarballs with filters and pristine-tar as well as making generated orig tarballs reproducible so one gets identical tarballs even without pristine-tar.
  • Ran a gbp import-dsc of unstable and filed bugs for cases where pristine-tar would not import the package. Started to look into git-apply errors.

Some other Free Software activities

  • libplanfahr: switched the example to python3 and made it parse arguments without date as "today":

    $ ./run python examples/trip-query.py --when=21:00 Essen Gelsenkirchen
    Loaded provider de_db
    Start: Essen Hbf
    End: Gelsenkirchen Hbf
    Trip #1
           Start:     Essen Hbf
           Departure: 2017-02-02 21:18
           Delay:     0
           End:       Gelsenkirchen Hbf
           Arrival:   2017-02-02 21:26
           Delay:     0
           Switches:  0
    Trip #2
           Start:     Essen Hbf
           Departure: 2017-02-02 21:22
           Delay:     0
           End:       Gelsenkirchen Hbf
           Arrival:   2017-02-02 21:33
           Delay:     0
           Switches:  0
    Trip #3
           Start:     Essen Hbf
           Departure: 2017-02-02 21:44
           Delay:     0
           End:       Gelsenkirchen Hbf
           Arrival:   2017-02-02 21:52
           Delay:     0
           Switches:  0
  • Proposed a workaround to rbvmomi to massively speedup cloning under certain conditions when using CachedOVFDeployer

  • Proposed a fix to unbreak ansible's zypper module on first installations
  • Made ausroller use git-buildpackage from pypi on non Debian based distros
  • Made further progress on the Merkur board clones

Posted Thu 02 Feb 2017 05:48:57 PM CET

Debian LTS

November marked the 20th month I contributed to Debian LTS under the Freexian umbrella. I had 8 hours allocated which I used by:

  • some rather quiet frontdesk days
  • updating icedove to 45.5.1 resulting in DLA-752-1 fixing 7 CVEs
  • looking whether Wheezy is affected by xsa-202, xsa-203, xsa-204 and handling the communication with credativ for these (update not yet released)
  • Assessing cURL/libcURL CVE-2016-9586
  • Assessing whether Wheezy's QEMU is affected by security issues in 9pfs "proxy" and "handle" code
  • Releasing DLA-776-1 for samba fixing CVE-2016-2125

Other Debian stuff

Some other Free Software activities

Posted Mon 09 Jan 2017 09:24:01 AM CET

Debian LTS

November marked the nineteenth month I contributed to Debian LTS under the Freexian umbrella. I had 7 hours allocated which I used completely by:

  • Being at LTS frontdesk twice (at the beginning and end of November) triaging about ~30 CVEs.
  • Preparing and releasing DLA-698-1 for QEMU fixing 9 CVEs
  • Putting out DLA-699-1 for xen, the actual xen update was prepared by Bastian Blank

Other Debian stuff

  • Usual bunch of libvirt and related uploads (osinfo-db-tools, libvirt-python, libosinfo)
  • Sponsored svn2git upload
  • Uploaded git-buildpackage 0.8.7 to unstable (list of changes)

Some other Free Software activities

Posted Fri 09 Dec 2016 03:18:59 PM CET

Debian LTS

October marked the eighteenth month I contributed to Debian LTS under the Freexian umbrella. I spent 10 hours (out of allocated 9)

  • updating Icedove to 45.4 resulting in DLA-658-1
  • looking into current xen issues and handling the communication with credativ
  • investigating QEMU CVE-2016-7466 in Wheezy and Jessie
  • backporting patches for qemu-kvm to fix 9 CVEs resulting in DLA-689-1
  • starting with lts frontdesk (more on that next month)

Other Debian stuff

  • Carsten and myself had the chance to talk at the Kopano conference about Debian and the state of Kopano in Debian (slides)
  • Uploaded kopanocore to unstable, currently waiting in new
  • Several Libvirt and Libvirt (2.3.0, 2.4.0~rc*) related uploads (libvirt 2.3.0, libvirt-python, ruby-libvirt 0.7.0)
  • Uploaded libosinfo 1.0.0 to experimental. This version has the osinfo database split out into its own source package (osinfo-db, waiting in new) so the operating system and hypervisor information is updateable during a stable release without having to update the library itself

Some other Free Software activities

Posted Thu 03 Nov 2016 07:09:03 PM CET

Debian LTS

September marked the seventeenth month I contributed to Debian LTS under the Freexian umbrella. I spent 6 hours (out of 7) working on

  • updating Icedove to 45.3 resulting in DLA-640-1
  • finishing my work on bringing rails into shape security wise resulting in DLA-641-1 for ruby-activesupport-3.2 and DLA-642-1 for ruby-activerecord-3.2.
  • enhancing the autopkgtests for qemu a bit

Other Debian stuff

  • Uploaded libvirt 2.3.0~rc1 to experimental
  • Uploaded whatmaps to 0.0.12 in unstable.
  • Uploaded git-buildpackage 0.8.4 to unstable.

Other Free Software activities

  • Ansible: got the foreman callback plugin needed for foreman_ansible merged upstream.
  • Made several improvements to foreman_ansible_inventory (an ansible dynamic inventory querying Foreman): Fixing an endless loop when Foreman would miscalculate the number of hosts to process, flake8 cleanliness and some work on python3 support
  • ansible-module-foreman:
    • unbreak defining subnets by setting the default boot mode.
    • add support for configuring realms
  • Foreman: add some robustness to the nice rebuild host feature when DNS entries are already there
  • Released whatmaps 0.0.12.
    • Errors related to a single package don't abort the whole program but rather skip over it now.
    • Systemd user sessions are filtered out
    • The codebase is now checked with flake8.

Posted Sun 09 Oct 2016 04:59:37 PM CEST

Debian LTS

August marked the sixteenth month I contributed to Debian LTS under the Freexian umbrella. I spent 9 hours (of allocated 8) mostly on Rails related CVEs which resulted in DLA-603-1 and DLA-604-1 fixing 6 CVEs and marking others as not affecting the packages. The hardest part was proper testing since the split packages in Wheezy don't allow to run the upstream test suite as is. There's still CVE-2016-0753 which I need to check if it affects activerecord or activesupport.

Additionally I had one relatively quiet week of LTS frontdesk work triaging 10 CVEs.

Other Debian stuff

  • I uploaded git-buildpackage 0.8.2 to experimental and 0.8.3 to unstable. The latter bringing all the enhancements and bugfixes since Debconf 16 to sid and testing.
  • The usual bunch of libvirt related uploads

Posted Tue 06 Sep 2016 08:08:51 PM CEST

Gathering from some recent discussions it seems to be not that well known that Foreman (a lifecycle tool for your virtual machines) does not only integrate well with Puppet but also with ansible. This is a list of tools I find useful in this regard:

  • The ansible-module-foreman ansible module allows you to set up all kinds of resources like images, compute resources, hostgroups, subnets, domains within Foreman itself via ansible using Foreman's REST API. E.g. creating a hostgroup looks like:

    - foreman_hostgroup:
        name: AHostGroup
        architecture: x86_64
        domain: a.domain.example.com
        foreman_host: "{{ foreman_host }}"
        foreman_user: "{{ foreman_user }}"
        foreman_pass: "{{ foreman_pw }}"
  • The foreman_ansible plugin for Foreman allows you to collect reports and facts from ansible provisioned hosts. This requires an additional hook in your ansible config like:

    callback_plugins = path/to/foreman_ansible/extras/

    The hook will report back to Foreman after a playbook has finished.

  • There are several options for creating hosts in Foreman via the ansible API. I'm currently using ansible_foreman_module tailored for image based installs. This looks in a playbook like:

    - name: Build 10 hosts
        name: "{{ item }}"
        hostgroup: "a/host/group"
        compute_resource: "hopefully_not_esx"
        subnet: "webservernet"
        environment: "{{ env|default(omit) }}"
        ipv4addr: "{{ from_ipam|default(omit) }}"
        # Additional params to tag on the host
            app: varnish
            tier: web
            color: green
        api_user: "{{ foreman_user }}"
        api_password: "{{ foreman_pw }}"
        api_url: "{{ foreman_url }}"
      with_sequence:  start=1 end=10 format="newhost%02d"
  • The foreman_ansible_inventory is a dynamic inventory script for ansible that fetches all your hosts and groups via the Foreman REST APIs. It automatically groups hosts in ansible from Foreman's hostgroups, environments, organizations and locations and allows you to build additional groups based on any available host parameter (and combinations thereof). So using the above example and this configuration:

    group_patterns = ["{app}-{tier}", "{color}"]

    it would build the additional ansible groups varnish-web, green and put the above hosts into them. This way you can easily select the hosts for e.g. blue green deployments. You don't have to pass the parameters during host creation, if you have parameters on e.g. domains or hostgroups these are available too for grouping via group_patterns.

  • If you're grouping your hosts via the above inventory script and you use lots of parameters, then having these displayed in the detail page can be useful. You can use the foreman_params_tab plugin for that.

There's also support for triggering ansible runs from within Foreman itself but I've not used that so far.
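
How pattern-based grouping of this kind can work, as an added example that is not part of the original post and not the inventory script's own code. The function names, the sanitising rule in `to_safe`, the `{color}` pattern and the sample hosts are assumptions made for illustration; a pattern is skipped for any host that lacks one of the parameters it references.

```python
import re


def to_safe(name):
    """Replace characters outside [A-Za-z0-9-] with '_' (assumed sanitising rule)."""
    return re.sub(r"[^A-Za-z0-9\-]", "_", name)


def build_groups(hosts, group_patterns):
    """Expand every pattern against every host's parameters.

    hosts: {hostname: {param: value}}
    Returns {group_name: sorted list of hostnames}.
    """
    groups = {}
    for hostname, params in hosts.items():
        for pattern in group_patterns:
            try:
                group = to_safe(pattern.format(**params))
            except KeyError:
                # Host lacks a parameter the pattern needs: no group for it.
                continue
            groups.setdefault(group, []).append(hostname)
    return {group: sorted(members) for group, members in groups.items()}


# Constructed sample data: two hosts tagged like the playbook above,
# plus one host that only carries an "app" parameter.
HOSTS = {
    "newhost01": {"app": "varnish", "tier": "web", "color": "green"},
    "newhost02": {"app": "varnish", "tier": "web", "color": "blue"},
    "dbhost01": {"app": "postgres"},
}

# Patterns assumed to match the groups named in the text.
GROUP_PATTERNS = ["{app}-{tier}", "{color}"]

if __name__ == "__main__":
    for group, members in sorted(build_groups(HOSTS, GROUP_PATTERNS).items()):
        print(group, members)
```

Because parameter values end up in group names that playbooks later target, it is worth checking who is allowed to set host parameters in Foreman before relying on these groups for deployments.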

Posted Fri 19 Aug 2016 11:16:03 AM CEST

Debian LTS

July marked the fifteenth month I contributed to Debian LTS under the Freexian umbrella. As usual I spent the 8 hours working on these LTS things:

  • Updated QEMU and QEMU-KVM packages to fix CVE-2016-5403, CVE-2016-4439, CVE-2016-4020, CVE-2016-2857 and CVE-2015-5239 resulting in DLA-573-1 and DLA-574-1
  • Updated icedove to 45.2.0 fixing CVE-2016-2818 resulting in DLA-574-1
  • Reviewed and uploaded xen 4.1.6.lts1-1. The update itself was prepared by Bastian Blank.
  • The little bit of remaining time I spent on further work the ruby-active{model,record}-3.2 and ruby-actionpack-3.2 (aka rails) CVEs. Although I have fixes for most of the CVEs already there are still some left where I'm not yet clear if the packages are affected.
  • Added some trivial autopkgtest for qemu-img (#832982) (on non LTS time)

Other Debian stuff

  • Fixed CVE-2016-5008 by uploading libvirt 2.0.0 to sid and 1.2.9-9+deb8u3 to stable-p-u
  • Uploaded libvirt 2.1.0~rc1 to experimental
  • Uploaded libvirt-python 2.0.0 to sid
  • Uploaded libosinfo 0.3.1 to sid preparing for the upcoming upstream package split
  • Uploaded virt-manager 1.4.0 to sid
  • Uploaded network-manager-iodine 1.2.0 to sid
  • Uploaded cups-pk-helper 0.2.6 to sid
  • Triaged apparmor related bugs in libvirt most notably the one affecting hotplugging of disks (#805002) which turned out to be rooted in the kernel not reloading profiles properly.
  • Uploaded git-buildpackage 0.8.0, 0.8.1 to experimental adding additional tarball support to gbp import-orig among other things

Posted Wed 03 Aug 2016 09:02:49 AM CEST