Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:pdns-recursor
User: [email protected]
Usertags: pu
[ Reason ]
I'd like to fix two issues:
1) #1113814 which is -DPACKAGEVERSION ending up empty, and causing
non-default configs to log exceptions.
2) Static-Built-Using gets underfilled
[ Impact ]
#1113814 is certainly annoying, but can be worked around by using
the default config which turns off the security status polling
feature.
[ Tests ]
I've manually tested the changes. As the results are impossible to
spot from the source debdiff, here:
Relevant change for 1):
5.2.4-2:
% /usr/sbin/pdns_recursor --version
PowerDNS Recursor 5.2.4 (C) PowerDNS.COM BV
Using 64-bits mode. Built using gcc 14.2.0.
PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it according to the terms of the GPL version 2.
Features: libcrypto-ecdsa libcrypto-ed25519 libcrypto-ed448 libcrypto-eddsa lua
nod protobuf dnstap-framestream snmp sodium curl DoT scrypt
Configured with: " '--build=aarch64-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
'--disable-option-checking' '--libdir=${prefix}/lib/aarch64-linux-gnu'
'--runstatedir=/run' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--sysconfdir=/etc/powerdns' '--enable-systemd'
'--with-systemd=' '--enable-reproducible' '--disable-silent-rules'
'--enable-unit-tests' '--with-service-user=pdns' '--with-service-group=pdns'
'--with-libcap' '--with-libsodium' '--with-lua' '--with-net-snmp'
'--with-protobuf=yes' '--enable-dns-over-tls' '--enable-dnstap'
'--with-libcrypto=/usr' 'build_alias=aarch64-linux-gnu' 'CFLAGS=-g -O2
-Werror=implicit-function-declaration
-ffile-prefix-map=/build/reproducible-path/pdns-recursor-5.2.4=.
-fstack-protector-strong -fstack-clash-protection -Wformat
-Werror=format-security -mbranch-protection=standard' 'LDFLAGS=-Wl,-z,relro
-Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2
-ffile-prefix-map=/build/reproducible-path/pdns-recursor-5.2.4=.
-fstack-protector-strong -fstack-clash-protection -Wformat
-Werror=format-security -mbranch-protection=standard
-DPACKAGEVERSION='\''"."'\'''"
5.2.4-2+deb13u1:
% /usr/sbin/pdns_recursor --version
PowerDNS Recursor 5.2.4 (C) PowerDNS.COM BV
Using 64-bits mode. Built using gcc 14.2.0.
PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it according to the terms of the GPL version 2.
Features: libcrypto-ecdsa libcrypto-ed25519 libcrypto-ed448 libcrypto-eddsa lua
nod protobuf dnstap-framestream snmp sodium curl DoT scrypt
Configured with: " '--build=aarch64-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
'--disable-option-checking' '--libdir=${prefix}/lib/aarch64-linux-gnu'
'--runstatedir=/run' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--sysconfdir=/etc/powerdns' '--enable-systemd'
'--with-systemd=' '--enable-reproducible' '--disable-silent-rules'
'--enable-unit-tests' '--with-service-user=pdns' '--with-service-group=pdns'
'--with-libcap' '--with-libsodium' '--with-lua' '--with-net-snmp'
'--with-protobuf=yes' '--enable-dns-over-tls' '--enable-dnstap'
'--with-libcrypto=/usr' 'build_alias=aarch64-linux-gnu' 'CFLAGS=-g -O2
-Werror=implicit-function-declaration
-ffile-prefix-map=/build/reproducible-path/pdns-recursor-5.2.4=.
-fstack-protector-strong -fstack-clash-protection -Wformat
-Werror=format-security -mbranch-protection=standard' 'LDFLAGS=-Wl,-z,relro
-Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2
-ffile-prefix-map=/build/reproducible-path/pdns-recursor-5.2.4=.
-fstack-protector-strong -fstack-clash-protection -Wformat
-Werror=format-security -mbranch-protection=standard
-DPACKAGEVERSION='\''"5.2.4-2+deb13u1.Debian"'\'''"
For 2) Static-Built-Using:
% debdiff pdns-recursor_5.2.4-2_arm64.deb
pdns-recursor_5.2.4-2+deb13u1_arm64.deb
File lists identical (after any substitutions)
Control files: lines which differ (wdiff format)
------------------------------------------------
Static-Built-Using: {+rust-base64 (= 0.22.1-1),+} rust-cxx (= 1.0.141-1),
{+rust-equivalent (= 1.0.1-1), rust-foldhash (= 0.1.4-1), rust-hashbrown (=
0.14.5-5), rust-indexmap (= 2.7.0-1), rust-ipnet (= 2.11.0-1), rust-itoa (=
1.0.14-1),+} rust-link-cplusplus (= 1.0.10-1), {+rust-once-cell (= 1.20.2-1),
rust-ryu (= 1.0.19-1), rust-serde (= 1.0.217-1), rust-serde-yaml (= 0.9.34-1),
rust-unsafe-libyaml (= 0.2.11-1),+} rustc (= 1.85.0+dfsg3-1)
Version: [-5.2.4-2-] {+5.2.4-2+deb13u1+}
[ Risks ]
I think the risk is minimal.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
For 1) I switch from including dpkg/architecture.mk,
dpkg/buildflags.mk to dpkg/default.mk. In older versions this was
used, but was lost when adding the Rust build runes.
For 2) I unset CARGO_REGISTRY, which fixes dh-cargo-built-using.
This was pointed out to me by Fabian Gruenbichler in
https://salsa.debian.org/debian/dnsdist/-/merge_requests/4/diffs
[ Other info ]
Nothing I'm aware of.
Thanks!
Chris
diff -Nru pdns-recursor-5.2.4/debian/changelog
pdns-recursor-5.2.4/debian/changelog
--- pdns-recursor-5.2.4/debian/changelog 2025-07-25 03:03:18.000000000
+0200
+++ pdns-recursor-5.2.4/debian/changelog 2025-09-07 13:22:57.000000000
+0200
@@ -1,3 +1,13 @@
+pdns-recursor (5.2.4-2+deb13u1) trixie; urgency=medium
+
+ * d/gbp.conf: update for trixie branch
+ * d/rules: fix DEB_VERSION/DEB_VENDOR being empty.
+ Thanks to Steve Mokris <[email protected]> (Closes: #1113814)
+ * d/rules: stop setting CARGO_REGISTRY, fixes Static-Built-Using
+ Thanks to Fabian Gruenbichler.
+
+ -- Chris Hofstaedtler <[email protected]> Sun, 07 Sep 2025 13:22:57 +0200
+
pdns-recursor (5.2.4-2) unstable; urgency=medium
* Upload to unstable.
diff -Nru pdns-recursor-5.2.4/debian/gbp.conf
pdns-recursor-5.2.4/debian/gbp.conf
--- pdns-recursor-5.2.4/debian/gbp.conf 2025-07-21 23:52:45.000000000 +0200
+++ pdns-recursor-5.2.4/debian/gbp.conf 2025-09-07 13:19:54.000000000 +0200
@@ -1,4 +1,4 @@
[DEFAULT]
pristine-tar = True
-debian-branch = debian/latest
-upstream-branch = upstream/latest
+debian-branch = debian/trixie
+upstream-branch = upstream/trixie
diff -Nru pdns-recursor-5.2.4/debian/rules pdns-recursor-5.2.4/debian/rules
--- pdns-recursor-5.2.4/debian/rules 2025-07-21 23:52:45.000000000 +0200
+++ pdns-recursor-5.2.4/debian/rules 2025-09-07 13:22:55.000000000 +0200
@@ -4,15 +4,13 @@
# Note: blhc (build log hardening check) will find these false positives:
CPPFLAGS 2 missing, LDFLAGS 1 missing
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
-include /usr/share/dpkg/architecture.mk
-include /usr/share/dpkg/buildflags.mk
+include /usr/share/dpkg/default.mk
include /usr/share/rustc/architecture.mk
export CFLAGS CXXFLAGS CPPFLAGS LDFLAGS
export DEB_HOST_RUST_TYPE DEB_HOST_GNU_TYPE
export CARGO=/usr/share/cargo/bin/cargo
export CARGO_HOME=$(CURDIR)/debian/cargo_home
-export CARGO_REGISTRY=$(CURDIR)/debian/cargo_registry
export DEB_CARGO_CRATE=$(DEB_SOURCE)_$(DEB_VERSION_UPSTREAM)
# for pdns makefile
