Jonathan Dowland: HMS Blueberry

Royals are my favourite ships in No Man's Sky. The HMS Blueberry is not my first Exotic/Royal ship (that was the Gravity Hirakao XVI, and a story for another time).

After years of on-off playing, I recently found my first Royal multitool: Blue, with gold detailing. I have a Royal-style jetpack (I don't remember where I got that). I thought I'd try and colour-match my multitool, ship, jetpack and outfit. Since I only had one multitool, I matched the others to it. And the HMS Blueberry (credit for the name goes to Beatrice) was the Exotic in my collection which matched.

The HMS Blueberry is viewable in my showroom, Honest Jon's Lightly-Used Starships.

Freexian Collaborators: Monthly report about Debian Long Term Support, April 2026 (by Thorsten Alteholz)

The Debian LTS Team, funded by Freexian’s Debian LTS offering, is pleased to report its activities for April.

Activity summary

During the month of April, 21 contributors have been paid to work on Debian LTS (links to individual contributor reports are located below).

The team released 37 DLAs fixing 145 CVEs.

The team continued preparing security updates in its usual rhythm. Beyond the updates targeting Debian 11 (“bullseye”), which is the current release under LTS, the team also proposed updates for more recent releases (Debian 12 (“bookworm”) and Debian 13 (“trixie”)), including Debian unstable. We highlight several notable security updates here below.

  • Andrej Shadura prepared DLA 4525-1 for libyaml-syck-perl to fix a vulnerability related to a memory leak.
  • Andrej also prepared DLA 4551-1 for mbedtls to fix a leak of secrets.
  • Arnaud Rebillout prepared DLA 4532-1 for python3.9 to fix a use-after-free issue in several decompressors.
  • Arnaud also prepared DLA 4533-1 for systemd to fix multiple vulnerabilities, which might also be used to execute arbitrary code.
  • Bastien Roucariès prepared DLA 4529-1 for bind9 to fix DNSSEC issues, which can cause the resolver to consume excessive CPU.
  • Bastien also prepared DLA 4539-1 for imagemagick to fix 21 vulnerabilities.
  • Emilio Pozuelo Monfort prepared DLA 4535-1 for openssh to fix a potential execution of arbitrary code.
  • Emilio also prepared DLA 4526-1, DLA 4546-1 and DLA 4555-1 for firefox-esr to fix 31 vulnerabilities.
  • Jochen Sprickerhof prepared DLA 4524-1 for postgresql-13 to fix multiple vulnerabilities, which might also be used to execute arbitrary code.
  • Sylvain Beucler prepared DLA 4538-1 for perl to fix unauthorized access to data or arbitrary code execution.
  • Thorsten Alteholz prepared DLA 4545-1 for packagekit to fix a local privilege escalation.
  • Thorsten also prepared DLA 4544-1 for ntfs-3g to fix a local privilege escalation.
  • Tobias Frost prepared DLA 4521-1 for libpng1 to fix multiple vulnerabilities, which might also be used to execute arbitrary code.

Contributions from outside the LTS Team:

  • As usual, the thunderbird updates, released as DLA 4534-1 and DLA 4549-1, were prepared by its maintainer Christoph Goehre. This month 28 CVEs have been fixed. Thanks a lot for his continuous contributions. The DLAs have been sent by Emilio.
  • Thanks a lot as well to Mathias Behrle for providing DLA 4543-1 for package simpleeval. The DLA has been sent by Santiago.

The LTS Team has also contributed with updates to the latest Debian releases:

  • Andreas Henriksson completed the upload of gvfs for trixie and bookworm.
  • Ben Hutchings did uploads of several kernel packages to unstable and the corresponding backports repositories.
  • Sylvain took care of uploads of awstats to trixie and bookworm. He also did the same for 7zip-rar with an upload to bookworm-backports.

Some milestones in the lifecycle of two Debian releases are just around the corner. The support of Debian 12 will be handed over to the LTS team on June 11th 2026. After August 31st, support for Debian 11 will move from Debian LTS to ELTS managed by Freexian.

Individual Debian LTS contributor reports

Thanks to our sponsors

Sponsors that joined recently are in bold.

Tollef Fog Heen: Signing UEFI submissions using osslsigncode

Back when we started with a signed shim in Debian, the tooling was Windows-only and required me to do a reboot dance and it was all quite tedious. Over time, more and more of the tooling has migrated to Linux and it all works quite well.

The signing is done with an EV code signing cert from SSL.com and stored on a Yubikey. Getting the certificate onto the key is a bit tedious, but reasonably well-explained in the ssl.com docs.

Microsoft wants the shim binaries uploaded to their partner portal wrapped in a .cab file, which should be signed.

The wrapping in a .cab file is easy enough: lcab shim.efi shim-unsigned.cab. It’s fine to put shims for multiple architectures in the same .cab file.

Signing of the file is a little bit of a rune:

osslsigncode sign -pkcs11module /usr/lib/x86_64-linux-gnu/libykcs11.so -key "pkcs11:serial=XXX" -askpass -certs chain.crt -h sha256 -ts http://ts.ssl.com shim-unsigned.cab shim-unsigned.signed.cab

chain.crt contains first our EV code signing cert, then the ssl.com intermediate EV code signing cert, then the ssl.com EV root cert. The naming of the packages is a tiny bit confusing, but it’s because the package name in Debian is shim-unsigned.

Occasionally, processing of uploaded binaries just stops in the validation stage in the portal, but I’ve so far been able to unstick them by re-signing and uploading again, and I saw the same with the MS/Windows toolchain, so I suspect it’s just flakiness on the portal side.
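
An added example, not from the post or from Debian's tooling: a shell pre-flight that checks chain.crt is in the order described above (our cert, then the intermediate, then the root) before running the same lcab and osslsigncode commands. The function names are hypothetical, the check compares subject and issuer names only and does not verify signatures, and the PKCS#11 URI is passed as an argument because the post elides the serial.

```shell
#!/bin/sh
# Added example: pre-flight check of chain.crt ordering, then wrap and sign.
# File names and osslsigncode options are the ones used in the post.

# Print "subject=..." / "issuer=..." lines for each certificate in a PEM
# bundle, in file order.
list_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Read list_chain output on stdin. Succeeds only if every certificate names
# the following one as its issuer and the last one is self-issued (the root).
# This is a name-chaining check only; signatures are not verified here.
chain_order_ok() {
    awk '
        /^subject=/ { sub(/^subject=[ ]*/, ""); subj[++n] = $0; next }
        /^issuer=/  { sub(/^issuer=[ ]*/, "");  iss[n] = $0; next }
        END {
            if (n < 2) {
                print "need our cert plus at least one CA cert" > "/dev/stderr"
                exit 1
            }
            for (i = 1; i < n; i++)
                if (iss[i] != subj[i + 1]) {
                    printf("cert %d is not issued by cert %d\n", i, i + 1) > "/dev/stderr"
                    exit 1
                }
            if (iss[n] != subj[n]) {
                print "last cert is not self-issued" > "/dev/stderr"
                exit 1
            }
        }'
}

# Wrap shim.efi in a .cab and sign it, refusing to touch the token if the
# chain file is out of order.
# $1 = PKCS#11 URI of the signing key (assumption: supplied by the caller).
sign_cab() {
    list_chain chain.crt | chain_order_ok || return 1
    lcab shim.efi shim-unsigned.cab &&
    osslsigncode sign -pkcs11module /usr/lib/x86_64-linux-gnu/libykcs11.so \
        -key "$1" -askpass -certs chain.crt -h sha256 -ts http://ts.ssl.com \
        shim-unsigned.cab shim-unsigned.signed.cab
}
```

Source the file and call sign_cab with the key's PKCS#11 URI from the directory holding shim.efi and chain.crt.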
