Debian Contributions: 2025-12

Contributing to Debian
is part of Freexian’s mission. This article
covers the latest achievements of Freexian and their collaborators. All of this
is made possible by organizations subscribing to our
Long Term Support contracts and
consulting services.

dh-python development, by Stefano Rivera

In Debian we build our Python packages with the help of a debhelper-compatible
tool, dh-python. Before starting the
3.14 transition (that would rebuild many packages) we landed some updates to
dh-python to fix bugs and add features. This started
a month of attention
on dh-python, iterating through several bug fixes, and a couple of unfortunate
regressions.

dh-python is used by almost all packages containing Python (over 5000). Most
of these are very simple, but some are complex and use dh-python in unexpected
ways. It’s hard to avoid almost any change (including obvious bug fixes) from
causing some unexpected knock-on behaviour. There is a fair amount of complexity
in dh-python, and some rather “clever” code, which can make it tricky to work on.

All of this means that good QA is important. Stefano spent some time
adding type annotations
and specialized types to make it easier to see what the code is doing and catch
mistakes. This has already made work on dh-python easier.

Now that Debusine has built-in repositories
and debdiff support, Stefano could quickly test the effects of changes on many
other packages. After each big change, he could upload dh-python to
a repository,
rebuild e.g. 50 Python packages with it, and see what differences appeared in
the output. Reviewing the diffs is still a manual process, but can be improved.

Stefano did a small test
on what it would take to replace direct setuptools setup.py calls with
PEP-517 (pyproject-style) builds. There is
more work to do here.

Python 3.14 transition, by Stefano Rivera (et al.)

In December the transition to add
Python 3.14 as a supported version started in Debian unstable. To do this, we
update the list of supported versions in python3-defaults,
and then start rebuilding modules with C extensions from the leaves inwards.
This had already been tested in a PPA and Ubuntu, so many of the biggest
blocking compatibility issues with 3.14 had already been found and fixed. But
there are always new issues to discover.

Thanks to a number of people in the Debian Python team, we got through the first
bit of the transition fairly quickly. There are still a number of
open bugs
that need attention and many failed tests
blocking migration to testing.

Python 3.14.1 released just after we started the transition, and very soon
after, a follow-up 3.14.2 release came out to address a regression. We ran into
another regression in
Python 3.14.2.

Ruby 3.4 transition, by Lucas Kanashiro (et al.)

The Debian Ruby team just started the preparation to move the default Ruby
interpreter version to 3.4. At the moment, ruby3.4 source package is already
available in experimental, also ruby-defaults added support to
Ruby 3.4. Lucas rebuilt all reverse dependencies against this new version of the
interpreter and published the results here.
Lucas also reached out to some stakeholders to coordinate the work.

Next steps are: 1) announcing the results to the whole team and asking for help
to fix packages failing to build against the new interpreter; 2) file bugs
against packages FTBFSing against Ruby 3.4 which are not fixed yet; 3) once we
have a low number of build failures against Ruby 3.4, ask the Debian Release
team to start the transition in unstable.

Surviving scraper traffic in Debian CI, by Antonio Terceiro

Like most of the open web, Debian Continuous Integration
has been struggling for a while to keep up with the insatiable hunger from data
scrapers everywhere. Solving this involved a lot of trial and error; the final
result seems to be stable, and consists of two parts.

First, all Debian CI data pages, except the direct links to test log files
(such as those provided by the Release Team’s testing migration excuses), now
require users to be authenticated before being accessed. This means that the
Debian CI data is no longer publicly browseable, which is a bit sad. However,
this is where we are now.

Additionally, there is now a fail2ban powered firewall-level access limitation
for clients that display an abusive access pattern. This went through several
iterations, with some of them unfortunately blocking legitimate Debian
contributors, but the current state seems to strike a good balance between
blocking scrapers and not blocking real users. Please get in touch with the team
on the #debci OFTC channel if you are affected by this.

A hybrid dependency solver for crossqa.debian.net, by Helmut Grohne

crossqa.debian.net continuously cross builds
packages from the Debian archive. Like Debian’s native build infrastructure, it
uses dose-builddebcheck to determine whether a package’s dependencies can be
satisfied before attempting a build. About one third of Debian’s packages fail
this check, so understanding the reasons is key to improving cross building.
Unfortunately, dose-builddebcheck stops after reporting the first problem and
does not display additional ones.

To address this, a greedy solver implemented in Python now examines each
build-dependency individually and can report multiple causes. dose-builddebcheck
is still used as a fall-back when the greedy solver does not identify any
problems. The report for bazel-bootstrap
is a lengthy example.

rebootstrap, by Helmut Grohne

Due to the changes suggested by Loongson earlier, rebootstrap now adds
debhelper to its final installability test and builds a few more packages
required for installing it. It also now uses a variant of build-essential that
has been marked Multi-Arch: same
(see foundational work
from last year).

This in turn made the use of a non-default GCC version more difficult and
required more work to make it work for gcc-16 from experimental. Ongoing
archive changes temporarily regressed building fribidi and dash.
libselinux and groff have received patches for architecture specific changes
and libverto has been NMUed to remove the glib2.0 dependency.

Miscellaneous contributions

• Stefano did some administrative work on debian.social and debian.net
  instances and Debian reimbursements.
• Stefano did routine updates of python-authlib, python-mitogen, xdot.
• Stefano spent several hours discussing Debian’s Python package layout with the
  PyPA upstream community. Debian has ended up with a very different on-disk
  installed Python layout than other distributions, and this continues to cause
  some frustration in many communities that have to have special workarounds to
  handle it. This ended up impacting cross builds as Helmut discovered.
• Raphaël set up Debusine workflows
  for the various backports repositories on debusine.debian.net.
• Zulip is not yet in Debian (RFP in #800052),
  but Raphaël helped on the French translation as he is experimenting with that
  discussion platform.
• Antonio performed several routine Salsa maintenance tasks, including
  fixing salsa-nm-sync,
  the service that synchronizes project members data from LDAP to Salsa, which had
  been broken since salsa.debian.org was upgraded to
  “trixie”.
• Antonio deployed a new amd64 worker host for Debian CI.
• Antonio did several DebConf technical and administrative bits, including but
  adding support for custom check-in/check-out dates
  in the MiniDebConf registration module, publishing a
  call for bids for DebConf27.
• Carles reviewed and submitted 14 Catalan translations using
  po-debconf-manager.
• Carles improved po-debconf-manager: added “delete-package” command,
  “show-information” now uses properly formatted output (YAML), it now attaches
  the translation on the bug reports for which a merge request has been opened too
  long.
• Carles investigated why some packages appeared in po-debconf-manager but not
  in the Debian l10n list.
  Turns out that some packages had debian/po/templates.pot (appearing in
  po-debconf-manager) but not the POTFILES.in file as expected.
  Created a script
  to find out which packages were in this or similar situation and
  reported bugs.
• Carles tested and documented how to set
  up voices (mbrola and festival) if using Orca speech synthesizer. Commented
  a few issues and possible improvements in the debian-accessibility list.
• Helmut sent patches for 48 cross build failures and initiated discussions on
  how to deal with two non-trivial matters. Besides Python mentioned above,
  CMake introduced a cmake_pkg_config builtin which is
  not aware of the host architecture. He also
  forwarded a Meson patch upstream.
• Thorsten uploaded a new upstream version of cups to fix a nasty bug that was
  introduced by the latest security update.
• Along with many other Python 3.14 fixes, Colin
  fixed a
  tricky segfault in python-confluent-kafka
  after a helpful debugging hint from upstream.
• Colin upstreamed an improved version of an OpenSSH patch we’ve been carrying
  since 2008 to fix misleading verbose output from scp.
• Colin used Debusine to coordinate transitions for astroid and pygments,
  and wrote up the astroid case
  on his blog.
• Emilio helped with various transitions, and provided a build fix for opencv
  for the ffmpeg 8 transition.
• Emilio tested the GNOME updates for “trixie” proposed updates (gnome-shell,
  mutter, glib2.0).
• Santiago helped to review the status of how to test different build profiles
  in parallel on the same pipeline, using the test-build-profiles job. This means,
  for example, to simultaneously test build profiles such as nocheck and nodoc
  for the same git tree. Finally, Santiago provided
  MR !685
  to fix the documentation.
• Anupa prepared a bits post for Outreachy interns
  announcement
  along with Tássia Camões Araújo and worked on publicity team tasks.