Colin Watson: Free software activity in February 2026

My Debian contributions this month were all sponsored by Freexian.

You can also support my work directly via Liberapay or GitHub Sponsors.

OpenSSH

• openssh: Please remove/replace usage of dh_movetousr

I released bookworm and trixie fixes for CVE-2025-61984 and CVE-2025-61985, both allowing code execution via ProxyCommand in some cases. The trixie update also included a fix for openssh-server: refuses further connections after having handled PerSourceMaxStartups connections.

bugs.debian.org administration

Gioele Barabucci reported that some messages to the bug tracking system generated by the bts command were being discarded. While the regression here was on the client side, I found and fixed a typo in our SpamAssassin configuration that was failing to apply a bonus specifically to forwarded commands, mitigating the problem.

Python packaging

New upstream versions:

• aiosmtplib
• bitstruct
• diff-cover
• django-q
• isort
• multipart
• poetry (adding support for Dulwich >= 0.25)
• poetry-core
• pydantic-settings
• python-build
• python-certifi
• python-datamodel-code-generator
• python-flatdict
• python-holidays
• python-maggma
• python-pytokens
• python-scruffy
• python-urllib3 (fixing CVE-2025-66471 and a chunked decoding bug)
• responses
• yarsync
• zope.component
• zope.deferredimport

Porting away from the deprecated (and now removed from upstream setuptools) pkg_resources:

• genshi (contributed upstream)
• germinate
• mopidy
• nose2
• pokrok (contributed upstream)
• pylama
• python-flask-seeder
• python-maggma (contributed upstream)
• python-pybadges
• python-scruffy (contributed upstream)
• thumbor (contributed upstream)
• zope.deprecation (contributed upstream a while ago, but there hasn’t been an upstream release yet)

Other build/test failures:

• flask-dance: FTBFS: No module named ‘pkg_resources’ (actually fixed by adding a missing dependency to python3-sphinxcontrib.seqdiag)
• paramiko: autopkgtest regression on i386 (contributed upstream)
• poetry: autopkgtest regression on i386
• python-argh
• python-django-celery-beat: FTBFS: FAILED t/unit/test_models.py::HumanReadableTestCase::test_long_name
• python-maturin: rust-itertools update
• python-msrest: FTBFS: FAILED tests/asynctests/test_async_client.py::TestServiceClient::test_client_send (contributed upstream, though not very successfully)
• python-typing-inspect

Other bugs:

• python-datamodel-code-generator: Depends: python3-isort (< 8) but 8.0.0-1 is to be installed (contributed upstream)
• python-typeguard: Mark python3-typeguard Multi-Arch: foreign
• wheel: Mark python3-wheel Multi-Arch: foreign
• zope.deferredimport: Please make the build reproducible (contributed upstream, with a follow-up fix)

I added a manual page symlink to make the documentation for Testsuite: autopkgtest-pkg-pybuild easier to find.

I backported python-pytest-unmagic and a more recent version of pytest-django to trixie.

Rust packaging

• librust-pyo3-ffi-dev: Cannot be installed for foreign architectures

I also packaged rust-garde and rust-garde-derive, which are part of the pile of work needed to get the ruff packaging back in shape (which is a project I haven’t decided if I’m going to take on for real, but I thought I’d at least chip away at a bit of it).

Other bits and pieces

• arch-test: Remove build dependency on binutils-mips64el-linux-gnuabi64 (NMU)

Code reviews

• debconf: Add BMP version of debian-logo (merged and uploaded)
• openssh: Reorder pam_selinux(7) usage (merged and uploaded)
• openssh-client: use sysusers.d, drop superflous dependencies (merged and uploaded)
• openssh: Stop deleting system user on remove/purge (merged and uploaded)
• openssh: Do not link against libcrypt on GNU/Hurd (merged and uploaded)
• partman-prep: Align PReP descriptions with other partition types (merged)
• python-better-exceptions (sponsored upload for Seyed Mohamad Amin Modaresi)