ZARZA We are Zarza, the prestigious firm behind major projects in information technology.
Listen "Colin Watson: Free software activity in October 2025"
Episode Synopsis
About 95% of my Debian contributions this month were
sponsored by Freexian.
You can also support my work directly via
Liberapay or GitHub
Sponsors.
OpenSSH
OpenSSH upstream released
10.1p1 this month, so I
upgraded to that. In the process, I reverted a Debian patch that changed IP
quality-of-service defaults, which made sense at the
time but has since been reworked upstream
anyway, so it makes sense to find out whether we still have similar
problems. So far I haven’t heard anything bad in this area.
10.1p1 caused a regression in the ssh-agent-filter package’s tests, which I
bisected and chased up with
upstream.
10.1p1 also had a few other user-visible regressions
(#1117574,
#1117594,
#1117638,
#1117720); I upgraded to
10.2p1 which fixed some of
these, and contributed some upstream debugging
help to clear up the
rest. While I was there, I also fixed ssh-session-cleanup: fails due to
wrong $ssh_session_pattern in our packaging.
Finally, I got all this into trixie-backports, which I intend to keep up to
date throughout the forky development cycle.
Python packaging
For some time, ansible-core has had occasional autopkgtest failures that
usually go away before anyone has a chance to look into them properly. I
ran into these via openssh recently and decided to track them down. It
turns out that they only happened when the libpython3.13-stdlib package
had different versions in testing and unstable, because an integration test
setup script made a change that would be reverted if that package was ever
upgraded in the testbed, and one of the integration tests accidentally
failed to disable system apt sources comprehensively enough while testing
the behaviour of the ansible.builtin.apt module. I fixed this in
Debian
and contributed the relevant part
upstream.
We’ve started working on enabling Python 3.14 as a supported version in
Debian. I fixed or helped to fix a number of packages for this:
cxxopt
cython
m2crypto
pymongo (already fixed by Alexandre
Detiste, but after checking this I took the opportunity to simplify its
arrangements for disabling broken tests and to switch to autopkgtest-pkg-pybuild)
python-cytoolz
python-lz4
python-msgspec
I upgraded these packages to new upstream versions:
aiomysql (fixing CVE-2025-62611)
audioread
bitstruct
black (fixing a build failure)
blake3-py
buildbot (fixing a regression)
cxxopt
django-cte
django-pipeline
django-q
isort
khard
lazy-object-proxy (fixing a build
failure)
psycopg3 (fixing a build failure)
pydantic
pydantic-core
pydantic-extra-types
pytest-mock
pytest-rerunfailures
python-bcrypt
python-bitarray
python-confluent-kafka (#1089748)
python-crispy-bootstrap4
python-crispy-bootstrap5
python-django-mptt
python-ewoksppf (fixing a build
failure)
python-greenlet (fixing a build failure on
powerpc and a Python 3.14 build
failure)
python-gssapi
python-holidays
python-persistent
python-pyluach
python-pytest-asyncio
python-pytest-run-parallel
python-pytokens (contributed supporting fix
upstream)
python-semantic-release
python-stdlib-list
python-tblib
python-telethon
python-treq
python-typing-inspection
python-watchfiles
pyupgrade
rpds-py (fixing a build failure)
zope.hookable
zope.schema
zope.testrunner (removing run-time dependency on
setuptools)
I packaged python-blockbuster and
python-pytokens, needed as new
dependencies of various other packages.
Santiago Vila filed a batch of
bugs
about packages that fail to build when using the nocheck build
profile, and I fixed several of
these (generally just a matter of adjusting build-dependencies):
pastedeploy (#1116833)
python-ewokscore (#1116858)
python-ewoksdask (#1116859)
python-ewoksorange (#1116862)
python-odmantic (#1116866)
python-processview (#1116871)
python-semantic-release (#1116881)
sqlfluff (#1116916)
I helped out with the scikit-learn 1.7
transition:
python-gplearn (contributed
upstream)
scikit-optimize (contributed
upstream)
sklearn-pandas
I fixed or helped to fix several other build/test failures:
beangulp (contributed
upstream)
beanquery
buildbot (contributed
upstream)
celery (contributed
upstream)
cython (only on i386; involved a rather
slow bisection process first)
django-measurement
django-select2
ocrmypdf (partial investigation, still open)
poetry-plugin-export
pytest-aiohttp
python-aiohttp-session
python-cups (cross-building)
python-django-postgres-extra (actually
needed a fix in python-django)
python-fabio
python-jellyfish (contributed
upstream)
python-maturin (thanks to a patch from
Peter Michael Green in #1115459)
python-requests-oauthlib
python-telethon
python-webargs
silx
sphinx-inline-tabs
I fixed some other bugs:
cython: The man page is /usr/bin/env: 'python': No such file or
directory
depthcharge-tools: SyntaxWarnings with Python 3.12 about invalid escape
sequences (contributed
upstream a while ago)
django-auditlog: Please drop dependencies on python3-pytzdata
pysmi: Might trigger: AttributeError: module ‘importlib’ has no attribute
‘machinery’ (attempted to contribute
upstream, although that
repository is dead)
python-msgspec: Please use pseudo-packages for architecture whitelisting
python-tomlkit: Binary package rejected
I investigated a python-py build failure,
which turned out to have been fixed in Python 3.13.9.
I adopted zope.hookable and
zope.location for the Python team.
Following an IRC question, I ported linux-gpib-user to
pybuild-plugin-pyproject,
and added tests to make sure the resulting binary package layout is correct.
Rust packaging
Another Pydantic upgrade meant I had to upgrade a corresponding stack of
Rust packages to new upstream versions:
rust-idna
rust-jiter
rust-pyo3
rust-regex
rust-regex-automata
rust-speedate
rust-uuid
I also upgraded rust-archery and rust-rpds.
Other bits and pieces
I fixed a few bugs in other packages I maintain:
halibut: FTCBFS: passes host flags to the build compiler
iprutils: No package available for other architectures
I investigated a malware report against
tini, which I think we can prove to be a
false positive (at least under the reasonable assumption that there isn’t
malware hiding in libgcc or glibc). Yay for reproducible builds!
I noticed and fixed a small UI deficiency in
debbugs,
making the checkboxes under “Misc options” on package pages easier to hit.
This is merged but we haven’t yet deployed it.
I notced and fixed a
typo
in the Being kind to
porters
section of the Debian Developer’s Reference.
Code reviews
base-passwd: Add clock
group (rejected)
debbugs: Fix dep8 autopkgtests, make Salsa CI fully
green
(reviewed, awaiting revisions)
python-gmpy2: FTBFS (sponsored fix for
Martin Kelly)
sponsored by Freexian.
You can also support my work directly via
Liberapay or GitHub
Sponsors.
OpenSSH
OpenSSH upstream released
10.1p1 this month, so I
upgraded to that. In the process, I reverted a Debian patch that changed IP
quality-of-service defaults, which made sense at the
time but has since been reworked upstream
anyway, so it makes sense to find out whether we still have similar
problems. So far I haven’t heard anything bad in this area.
10.1p1 caused a regression in the ssh-agent-filter package’s tests, which I
bisected and chased up with
upstream.
10.1p1 also had a few other user-visible regressions
(#1117574,
#1117594,
#1117638,
#1117720); I upgraded to
10.2p1 which fixed some of
these, and contributed some upstream debugging
help to clear up the
rest. While I was there, I also fixed ssh-session-cleanup: fails due to
wrong $ssh_session_pattern in our packaging.
Finally, I got all this into trixie-backports, which I intend to keep up to
date throughout the forky development cycle.
Python packaging
For some time, ansible-core has had occasional autopkgtest failures that
usually go away before anyone has a chance to look into them properly. I
ran into these via openssh recently and decided to track them down. It
turns out that they only happened when the libpython3.13-stdlib package
had different versions in testing and unstable, because an integration test
setup script made a change that would be reverted if that package was ever
upgraded in the testbed, and one of the integration tests accidentally
failed to disable system apt sources comprehensively enough while testing
the behaviour of the ansible.builtin.apt module. I fixed this in
Debian
and contributed the relevant part
upstream.
We’ve started working on enabling Python 3.14 as a supported version in
Debian. I fixed or helped to fix a number of packages for this:
cxxopt
cython
m2crypto
pymongo (already fixed by Alexandre
Detiste, but after checking this I took the opportunity to simplify its
arrangements for disabling broken tests and to switch to autopkgtest-pkg-pybuild)
python-cytoolz
python-lz4
python-msgspec
I upgraded these packages to new upstream versions:
aiomysql (fixing CVE-2025-62611)
audioread
bitstruct
black (fixing a build failure)
blake3-py
buildbot (fixing a regression)
cxxopt
django-cte
django-pipeline
django-q
isort
khard
lazy-object-proxy (fixing a build
failure)
psycopg3 (fixing a build failure)
pydantic
pydantic-core
pydantic-extra-types
pytest-mock
pytest-rerunfailures
python-bcrypt
python-bitarray
python-confluent-kafka (#1089748)
python-crispy-bootstrap4
python-crispy-bootstrap5
python-django-mptt
python-ewoksppf (fixing a build
failure)
python-greenlet (fixing a build failure on
powerpc and a Python 3.14 build
failure)
python-gssapi
python-holidays
python-persistent
python-pyluach
python-pytest-asyncio
python-pytest-run-parallel
python-pytokens (contributed supporting fix
upstream)
python-semantic-release
python-stdlib-list
python-tblib
python-telethon
python-treq
python-typing-inspection
python-watchfiles
pyupgrade
rpds-py (fixing a build failure)
zope.hookable
zope.schema
zope.testrunner (removing run-time dependency on
setuptools)
I packaged python-blockbuster and
python-pytokens, needed as new
dependencies of various other packages.
Santiago Vila filed a batch of
bugs
about packages that fail to build when using the nocheck build
profile, and I fixed several of
these (generally just a matter of adjusting build-dependencies):
pastedeploy (#1116833)
python-ewokscore (#1116858)
python-ewoksdask (#1116859)
python-ewoksorange (#1116862)
python-odmantic (#1116866)
python-processview (#1116871)
python-semantic-release (#1116881)
sqlfluff (#1116916)
I helped out with the scikit-learn 1.7
transition:
python-gplearn (contributed
upstream)
scikit-optimize (contributed
upstream)
sklearn-pandas
I fixed or helped to fix several other build/test failures:
beangulp (contributed
upstream)
beanquery
buildbot (contributed
upstream)
celery (contributed
upstream)
cython (only on i386; involved a rather
slow bisection process first)
django-measurement
django-select2
ocrmypdf (partial investigation, still open)
poetry-plugin-export
pytest-aiohttp
python-aiohttp-session
python-cups (cross-building)
python-django-postgres-extra (actually
needed a fix in python-django)
python-fabio
python-jellyfish (contributed
upstream)
python-maturin (thanks to a patch from
Peter Michael Green in #1115459)
python-requests-oauthlib
python-telethon
python-webargs
silx
sphinx-inline-tabs
I fixed some other bugs:
cython: The man page is /usr/bin/env: 'python': No such file or
directory
depthcharge-tools: SyntaxWarnings with Python 3.12 about invalid escape
sequences (contributed
upstream a while ago)
django-auditlog: Please drop dependencies on python3-pytzdata
pysmi: Might trigger: AttributeError: module ‘importlib’ has no attribute
‘machinery’ (attempted to contribute
upstream, although that
repository is dead)
python-msgspec: Please use pseudo-packages for architecture whitelisting
python-tomlkit: Binary package rejected
I investigated a python-py build failure,
which turned out to have been fixed in Python 3.13.9.
I adopted zope.hookable and
zope.location for the Python team.
Following an IRC question, I ported linux-gpib-user to
pybuild-plugin-pyproject,
and added tests to make sure the resulting binary package layout is correct.
Rust packaging
Another Pydantic upgrade meant I had to upgrade a corresponding stack of
Rust packages to new upstream versions:
rust-idna
rust-jiter
rust-pyo3
rust-regex
rust-regex-automata
rust-speedate
rust-uuid
I also upgraded rust-archery and rust-rpds.
Other bits and pieces
I fixed a few bugs in other packages I maintain:
halibut: FTCBFS: passes host flags to the build compiler
iprutils: No package available for other architectures
I investigated a malware report against
tini, which I think we can prove to be a
false positive (at least under the reasonable assumption that there isn’t
malware hiding in libgcc or glibc). Yay for reproducible builds!
I noticed and fixed a small UI deficiency in
debbugs,
making the checkboxes under “Misc options” on package pages easier to hit.
This is merged but we haven’t yet deployed it.
I notced and fixed a
typo
in the Being kind to
porters
section of the Debian Developer’s Reference.
Code reviews
base-passwd: Add clock
group (rejected)
debbugs: Fix dep8 autopkgtests, make Salsa CI fully
green
(reviewed, awaiting revisions)
python-gmpy2: FTBFS (sponsored fix for
Martin Kelly)
In God we trust