Category: Open Source

Esha Patel, 19, was out for a fishing trip with her dad when they saw three of the animals.

The Cardiff University student from Cheltenham., Glos, said two were brown and one “dazzling white”.

Esha described the experience as “breathtaking”.

She said: “The white one came so close – only three metres away! It was beautiful and so cute.

“I think it liked me because I threw it some bread – I loved it.”

If someone said “There’s no easy recipe for a perfect website,” we’d have to argue with that statement. Even more so now that Drupal is bringing a new, exciting concept of Recipes on stage. Recipes are currently in the making, but they have already become the talk of the town as one of the most powerful additions to the CMS on the way from Drupal 10 to Drupal 11.

Free software enables more efficient ways to run large scale software.
F-Droid can serve so many people with minimal resources because of this
super power. Instead of each project handling development and maintenance
of the whole thing, free software enables sharing development and
maintenance. This is why F-Droid is built on
Debian. That only works when projects that use
free software also contribute back. F-Droid works to ensure that as much of
our work as possible goes back upstream to the original projects. For
production code, we use the Debian packages. When we need to use a new
library, we make sure it is added to Debian and maintained there. We use
Debian Backports when we need some new
dependencies in the stable release.

To illustrate this in action, let’s take a look at some recent security
issues in one of our dependencies:
GitPython.
CVE-2022-24439,
CVE-2023-40267
and
CVE-2023-41040
are three vulnerabilities that affect mostly projects that feed untrusted
input in and process it with GitPython. GitPython usages that operate on
known inputs are not really affected. Since our build process accepts Git
repositories from thousands of developers, our code processes inputs from
thousands of people. There are layers of validation those inputs that
provide protection, but no validation is perfect. So we need to ensure that
each step is safe. So we patched the Debian packages that we use in
production. We built on Ubuntu LTS’s patched
package which was in
turn built from the patched
package made for
Debian LTS, as funded by Freexian. It is a
classic example of how free software makes fixing security issues much
easier.

We are of course not alone in this, many other projects are also built on
Debian. Recently, Tor
Project
outlined many key benefits of building off of Debian. What is clear is that
the effort that we put into Debian maintenance more than pays for itself by
reducing work and stress on our core contributors, especially those who are
running servers. Software supply-chain
attacks have become
common across a range of packaging systems. A well configured Debian server
has the strongest protection that exists for any server software
distribution system.

There is a similar trend in software that ships all its own dependencies,
like Android apps. There are a wide variety of bots that check that
projects are including the latest versions of libraries. This is common in
Android apps, since they have to include all of their own dependencies.
Android provides only the core libraries. When we base our systems on
Debian, then we only need to update the dependencies in Debian, and all the
of the projects automatically receive those updates. When combined with
Debian’s
unattended-upgrades, this
approach provides a very low effort way to keep software updated. Normally,
automatic updates without human review are a dangerous thing to do in
software. Silently installing new software provides a channel that can be
exploited by malicious actors. Debian’s free software requirement, stable
releases, reproducible builds, and strong package distribution channels make
it possible to enable unattended upgrades in a trustworthy way.