Bug#924704:

[Danfun360]

In case you don't want to click on the Github link (which for some reason
has an additional space that needs to be removed before entering it on your
URL bar), here is the bumblebee-bugreport.
https://github.com/Bumblebee-Project/Bumblebee/files/2973323/bumblebee-bugreport-20190315_204845.tar.gz

Bug#924707: pgmodeler FTCBFS: runs qmake for the build architecture

[Helmut Grohne]

Source: pgmodeler
Version: 0.9.1-2
Tags: patch
User: helm...@debian.org
Usertags: rebootstrap

pgmodeler fails to cross build from source, because debian/rules runs
plain qmake with no cross options. The easiest way of fixing that is
using qtmake's cross wrapper through dh_auto_configure. After doing so,
pgmodeler cross builds successfully. Please consider applying the
attached patch.

Helmut
diff --minimal -Nru pgmodeler-0.9.1/debian/changelog 
pgmodeler-0.9.1/debian/changelog
--- pgmodeler-0.9.1/debian/changelog2019-02-11 09:39:59.0 +0100
+++ pgmodeler-0.9.1/debian/changelog2019-03-16 05:58:45.0 +0100
@@ -1,3 +1,10 @@
+pgmodeler (0.9.1-2.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix FTCBFS: Let dh_auto_configure select a cross qmake. (Closes: #-1)
+
+ -- Helmut Grohne   Sat, 16 Mar 2019 05:58:45 +0100
+
 pgmodeler (0.9.1-2) unstable; urgency=medium
 
   * Move maintainer address to team+postgre...@tracker.debian.org.
diff --minimal -Nru pgmodeler-0.9.1/debian/rules pgmodeler-0.9.1/debian/rules
--- pgmodeler-0.9.1/debian/rules2018-01-31 08:56:22.0 +0100
+++ pgmodeler-0.9.1/debian/rules2019-03-16 05:58:45.0 +0100
@@ -15,7 +15,7 @@
dh $@ --parallel
 
 override_dh_auto_configure:
-   qmake PREFIX=/usr CONFIG+=debug pgmodeler.pro
+   dh_auto_configure -- CONFIG+=debug pgmodeler.pro
 
 override_dh_auto_install:
dh_auto_install

Bug#615807: dpkg-www case sesitivity issue

[Osamu Aoki]

Hi,

The situation of case sensitivity can be summarized for web browser page
opened by the "dpkg-www" as:

Search term with tailing "*": case sensitive

Search term without tailing "*": case insensitive

As I read Policy 4.3.0
  https://www.debian.org/doc/debian-policy/ch-controlfields.html#source

| Package names (both source and binary, see Package) must consist only of
| lower case letters (a-z), digits (0-9), plus (+) and minus (-) signs,
| and periods (.). They must be at least two characters long and must
| start with an alphanumeric character.  Search term with tailintg "*":
| case sensitive

So search should be forced to case insensitive by lower casing the
search term for package name before doing anything to be more friendly.

But inputting mC or aPt is known bad input. This program just sanitizes
its input for a select case only.   The current behavior isn't too bad
at all while it can be improved.

Osamu




 

Bug#924706: icedtea-netx: javaws symlink is broken

[Jon DeVree]

Package: icedtea-netx
Version: 1.7.2-1
Severity: grave

Dear Maintainer,

The files in /usr/share/icedtea-web/bin have the wrong file names in the
new package and this breaks javaws. itweb-settings and policyeditor are
also broken.

In the old 1.7.1-1 package:
lrwxrwxrwx 1 root root   33 Mar 15 23:53 /etc/alternatives/javaws -> 
/usr/share/icedtea-web/bin/javaws*
lrwxrwxrwx 1 root root   24 Mar 15 23:53 /usr/bin/javaws -> 
/etc/alternatives/javaws*
-rwxr-xr-x 1 root root 5432 Oct 24 08:42 /usr/share/icedtea-web/bin/javaws*

In the new 1.7.2-1 package:
ls: cannot access '/usr/share/icedtea-web/bin/javaws': No such file or directory
lrwxrwxrwx 1 root root   33 Mar 15 23:53 /etc/alternatives/javaws -> 
/usr/share/icedtea-web/bin/javaws
lrwxrwxrwx 1 root root   24 Mar 15 23:53 /usr/bin/javaws -> 
/etc/alternatives/javaws

This is because the file is (presumably incorrectly) named with a .sh suffix in
the new package:
-rwxr-xr-x 1 root root 6287 Mar 15 18:44 /usr/share/icedtea-web/bin/javaws.sh*


If you do a fresh install instead of an upgrade you don't get any
symlinks at all:
ls: cannot access '/usr/bin/javaws': No such file or directory
ls: cannot access '/etc/alternatives/javaws': No such file or directory
ls: cannot access '/usr/share/icedtea-web/bin/javaws': No such file or directory


-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages icedtea-netx depends on:
ii  default-jre  2:1.11-71
ii  librhino-java1.7.7.1-1
ii  libtagsoup-java  1.2.1+-1

icedtea-netx recommends no packages.

icedtea-netx suggests no packages.

-- no debconf information

Bug#924701: debdiff

[dann frazier]

diff -Nru edk2-0~20181115.85588389/debian/changelog 
edk2-0~20181115.85588389/debian/changelog
--- edk2-0~20181115.85588389/debian/changelog   2018-11-26 16:34:54.0 
-0700
+++ edk2-0~20181115.85588389/debian/changelog   2019-03-15 18:37:44.0 
-0600
@@ -1,3 +1,12 @@
+edk2 (0~20181115.85588389-3) unstable; urgency=medium
+
+  * Security fixes (Closes: #924615):
+- Fix buffer overflow in BlockIo service (CVE-2018-12180)
+- DNS: Check received packet size before using (CVE-2018-12178)
+- Fix stack overflow with corrupted BMP (CVE-2018-12181)
+
+ -- dann frazier   Fri, 15 Mar 2019 18:37:44 -0600
+
 edk2 (0~20181115.85588389-2) unstable; urgency=medium
 
   * debian/rules: Factor out common feature flags across builds.
diff -Nru 
edk2-0~20181115.85588389/debian/patches/0001-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch
 
edk2-0~20181115.85588389/debian/patches/0001-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch
--- 
edk2-0~20181115.85588389/debian/patches/0001-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch
 1969-12-31 17:00:00.0 -0700
+++ 
edk2-0~20181115.85588389/debian/patches/0001-MdeModulePkg-HiiDatabase-Fix-potential-integer-overf.patch
 2019-03-15 18:37:44.0 -0600
@@ -0,0 +1,247 @@
+From ffe5f7a6b4e978dffbe1df228963adc914451106 Mon Sep 17 00:00:00 2001
+From: Ray Ni 
+Date: Thu, 7 Mar 2019 18:35:13 +0800
+Subject: [PATCH] MdeModulePkg/HiiDatabase: Fix potential integer overflow
+ (CVE-2018-12181)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1135
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Ray Ni 
+Cc: Dandan Bi 
+Cc: Hao A Wu 
+Reviewed-by: Hao Wu 
+Reviewed-by: Jian J Wang 
+---
+ MdeModulePkg/Universal/HiiDatabaseDxe/Image.c | 126 ++
+ 1 file changed, 103 insertions(+), 23 deletions(-)
+
+diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c 
b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+index 71ebc559c0..80a4ec1114 100644
+--- a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
 b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+@@ -16,6 +16,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER 
EXPRESS OR IMPLIED.
+ 
+ #include "HiiDatabase.h"
+ 
++#define MAX_UINT240xFF
+ 
+ /**
+   Get the imageid of last image block: EFI_HII_IIBT_END_BLOCK when input
+@@ -651,8 +652,16 @@ HiiNewImage (
+ 
+   EfiAcquireLock ();
+ 
+-  NewBlockSize = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof 
(EFI_HII_RGB_PIXEL) +
+- BITMAP_LEN_24_BIT ((UINT32) Image->Width, Image->Height);
++  //
++  // Calcuate the size of new image.
++  // Make sure the size doesn't overflow UINT32.
++  // Note: 24Bit BMP occpuies 3 bytes per pixel.
++  //
++  NewBlockSize = (UINT32)Image->Width * Image->Height;
++  if (NewBlockSize > (MAX_UINT32 - (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - 
sizeof (EFI_HII_RGB_PIXEL))) / 3) {
++return EFI_OUT_OF_RESOURCES;
++  }
++  NewBlockSize = NewBlockSize * 3 + (sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) 
- sizeof (EFI_HII_RGB_PIXEL));
+ 
+   //
+   // Get the image package in the package list,
+@@ -671,6 +680,18 @@ HiiNewImage (
+ //
+ // Update the package's image block by appending the new block to the end.
+ //
++
++//
++// Make sure the final package length doesn't overflow.
++// Length of the package header is represented using 24 bits. So MAX 
length is MAX_UINT24.
++//
++if (NewBlockSize > MAX_UINT24 - ImagePackage->ImagePkgHdr.Header.Length) {
++  return EFI_OUT_OF_RESOURCES;
++}
++//
++// Because ImagePackage->ImageBlockSize < 
ImagePackage->ImagePkgHdr.Header.Length,
++// So (ImagePackage->ImageBlockSize + NewBlockSize) <= MAX_UINT24
++//
+ ImageBlocks = AllocatePool (ImagePackage->ImageBlockSize + NewBlockSize);
+ if (ImageBlocks == NULL) {
+   EfiReleaseLock ();
+@@ -701,6 +722,13 @@ HiiNewImage (
+ PackageListNode->PackageListHdr.PackageLength += NewBlockSize;
+ 
+   } else {
++//
++// Make sure the final package length doesn't overflow.
++// Length of the package header is represented using 24 bits. So MAX 
length is MAX_UINT24.
++//
++if (NewBlockSize > MAX_UINT24 - (sizeof (EFI_HII_IMAGE_PACKAGE_HDR) + 
sizeof (EFI_HII_IIBT_END_BLOCK))) {
++  return EFI_OUT_OF_RESOURCES;
++}
+ //
+ // The specified package list does not contain image package.
+ // Create one to add this image block.
+@@ -902,8 +930,11 @@ IGetImage (
+ // Use the common block code since the definition of these structures is 
the same.
+ //
+ CopyMem (, CurrentImageBlock, sizeof 
(EFI_HII_IIBT_IMAGE_1BIT_BLOCK));
+-ImageLength = sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL) *
+-  ((UINT32) Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Height);
++ImageLength = (UINTN) Iibt1bit.Bitmap.Width * Iibt1bit.Bitmap.Height;
++if (ImageLength > MAX_UINTN / sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)) {
++  

Bug#924705: Please enable PKCS8_PRIVATE_KEY_PARSER

[Paul Tagliamonte]

Package: linux
Severity: wishlist
thanks

It would be nice to add the PKCS8_PRIVATE_KEY_PARSER to the Debian
build. Currently, importing a private key is not possible, and
generates the error `add_key: Bad message` when a key is attempted to
be loaded.

Thanks for your hard work and maintenance of such an important package!
  Paul


-- 
:wq

Bug#924686: reopen (debian-reference)

[Osamu Aoki]

control: reopen -1
control: tags -1 pending
control: reassign 900360 src:debian-reference
control: forcemerge 924686 900360

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900360#10

Osamu

Bug#924446: mlconfig: segfault with uim

[أحمد المحمودي]

On Wed, Mar 13, 2019 at 01:45:08PM +0900, HAMANO Tsukasa wrote:
> mlconfig get segfault with uim input method.
> This bug already fixed by upstream.
> Please apply uim.patch or update to 3.8.7.
---end quoted text---

Unfortunately, this can't be fixed for upcoming release. Since it has 
entered in freeze stage.

-- 
‎أحمد المحمودي (Ahmed El-Mahmoudy)
 Digital design engineer
GPG KeyIDs: 4096R/A7EF5671 2048R/EDDDA1B7
GPG Fingerprints:
 6E2E E4BB 72E2 F417 D066  6ABF 7B30 B496 A7EF 5761
 8206 A196 2084 7E6D 0DF8  B176 BC19 6A94 EDDD A1B7


signature.asc
Description: PGP signature

Bug#924704: bumblebee-nvidia: nvidia-driver 410 doesn't appear to allow the unloading of the nvidia module

[Daniel O.]

Package: bumblebee-nvidia
Version: 3.2.1-20
Severity: grave
Justification: renders package unusable

Dear Maintainer, I write this bug report because this bumblebee/bumblebeed
doesn't work as it should.

   * What led up to the situation? Bumblebee used to work correctly when the
nvidia driver was at 390. A few days ago it was upgraded to 410. At the time I
was running Debian Buster (testing as of this writing). That's where things
started to get problematic. It appears that the nvidia module couldn't be
unloaded or something. bbswitch reported as "ON" without optirun, and as the
nvidia drivers were considered in use, I was unable to unbind the nvidia driver
for VGA Passthrough as I had been doing before.
   * What exactly did you do (or not do) that was effective (or
 ineffective)? I uninstalled every bumblebee and nvidia package. I then
reinstalled everything. No luck. I then uninstalled everything and went for the
legacy 390 package. Unfortunately there were problems with that: nvidia-cuba-
toolkit and nvidia-cuba-dev require the latest nvidia driver installed. On top
of that, bumblebee refused to see the legacy 390 drivers as a glx alternative.
I uninstalled all the nvidia stuff again, switched to Debian Sid, and installed
the latest nvidia drivers again (they were slightly more up to date on Sid than
in Buster). Still no change.
   * What was the outcome of this action? Bumblebee should be able to blacklist
the nvidia driver and isolate it from the operating system in such a way that
the system would run on the integrated GPU and run the discrete GPU for
applications when called for.
   * What outcome did you expect instead? The nvidia driver is not blacklisted,
and the discrete GPU is in control.

On a different note, I tried posting a bug report upstream. It has some
information this report might not have (vice versa is definitely the case,
unfortunately). It can be found at https://github.com/Bumblebee-
Project/Bumblebee/issues/1023



-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bumblebee-nvidia depends on:
ii  bumblebee   3.2.1-20
ii  glx-alternative-nvidia  0.9.1
ii  nvidia-driver   410.104-1
ii  nvidia-kernel-dkms  410.104-1

bumblebee-nvidia recommends no packages.

bumblebee-nvidia suggests no packages.

-- no debconf information

Bug#900360: doc-debian compatibility

[Osamu Aoki]

control: reopen -1

Hi,

I see this is different from other bugs reported.

With current CGI script, files outside of /usr/share/doc are not
accessible.

So doc-debian data should always use file path under /usr/share/doc

I think policy for doc-debian should be updated accordingly.

Bug#924703: usr.bin.totem: pressing F1 in totem gives an error failing to run gio-launch-desktop

[Paul Wise]

Package: apparmor-profiles-extra
Version: 1.26
Severity: normal
File: /etc/apparmor.d/usr.bin.totem

When I press F1 in the totem video player I get a dialog with the
following error, but it should load the documentation into the GNOME
help app, yelp. The F1 key does this in a lot of different
applications, including evince, which is confined by apparmor. The
evince apparmor profile says that gio-launch-desktop can be run and
this is binary is launched by the g_app_info_launch function.

Totem could not display the help contents.
Failed to execute child process 
"/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop" (Permission denied)

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing'), (800, 
'unstable-debug'), (800, 'unstable'), (790, 'buildd-unstable'), (700, 
'experimental-debug'), (700, 'experimental'), (690, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-3-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), 
LANGUAGE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apparmor-profiles-extra depends on:
ii  apparmor  2.13.2-9

apparmor-profiles-extra recommends no packages.

apparmor-profiles-extra suggests no packages.

-- no debconf information

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



signature.asc
Description: This is a digitally signed message part

Bug#254909: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=254909

[Nichola Williams]

Sent from my iPhone

Bug#924702: unblock: gdnsd/2.4.2-1

[Faidon Liambotis]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi team,

Please unblock package gdnsd, 2.4.2-1. It includes an important fix that
reverts the rejection of post-2018 GeoIP databases and restores an
important part of the package's functionality (auto_dc_coords), as well
as a printf formatting error fix.

Unfortunately, the upload includes a few other small but unrelated
changes (both upstream, behind an #ifdef __FreeBSD__, and in Debian
packaging). My intention was to upload this well before the freeze, but
unfortunately did not manage to until a couple days before :(

Hopefully they're small and easy to review and won't be a huge waste of
your precious time. Apologies on my end for this! I'd appreciate to not
have to go through s-p-u just to revert these tiny changes...

unblock gdnsd/2.4.2-1

Regards,
Faidon
diff --git a/NEWS b/NEWS
index 76e108f..152edad 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,17 @@
+2.4.2 - 2019-02-11
+* FreeBSD: Fix EADDRNOTAVAIL issue for IPv6 sockets when the listening IP
+  is bound to the loopback and traffic is routed indirectly, by resetting
+  ifindex to zero for non-link-local IPv6 IPs in the cmsg structure passed
+  between recvmsg() and sendmsg().
+
+2.4.1 - 2019-01-10
+* These two fixes are backports from master branch work towards 3.x:
+* Reverted the detection and rejection of post-2018 GeoLite2-City databases
+  with auto_dc_coords that was added in 2.3.1, as MaxMind later reversed
+  course and decided to keep the coordinates in the databases.
+* Bugfix for a bad printf() format specifier in the case that strerror()
+  failed on non-GNU platforms.
+
 2.4.0 - 2018-02-15
 * plugin_multifo: added "ignore_health" parameter. If "ignore_health" is
   true, all addresses are added to the result set regardless of health, but
diff --git a/configure.ac b/configure.ac
index 48e01f9..3ce9ee8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.63])
-AC_INIT([gdnsd],[2.4.0],[https://github.com/gdnsd/gdnsd/issues])
+AC_INIT([gdnsd],[2.4.2],[https://github.com/gdnsd/gdnsd/issues])
 AC_CONFIG_SRCDIR([src/main.c])
 AC_CONFIG_AUX_DIR([acaux])
 AM_INIT_AUTOMAKE([1.11.1 dist-xz no-dist-gzip foreign tar-ustar subdir-objects -Wall])
diff --git a/debian/changelog b/debian/changelog
index f18427c..e4ec3c9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+gdnsd (2.4.2-1) unstable; urgency=medium
+
+  * New upstream point release.
+  * Bump Standards-Version to 4.3.0, no changes needed.
+  * Build-Depend on debhelper 11~ to ease backports.
+  * Drop [linux-any] from liburcu-dev Build-Depends, as it's now available on
+kFreeBSD.
+  * Add 2019 to debian/copyright years.
+  * Misc source package changes:
+- Drop overlay/tarballs/build-area from gbp.conf.
+- Remove custom compression setting from source/options.
+- Sort Build-Depends.
+
+ -- Faidon Liambotis   Tue, 05 Mar 2019 16:37:21 +0200
+
 gdnsd (2.4.0-1) unstable; urgency=medium
 
   * New upstream release.
diff --git a/debian/control b/debian/control
index ffce03f..a54578d 100644
--- a/debian/control
+++ b/debian/control
@@ -2,15 +2,20 @@ Source: gdnsd
 Section: net
 Priority: optional
 Maintainer: Faidon Liambotis 
-Build-Depends: debhelper (>= 11),
- libltdl-dev, perl,
- ragel, libev-dev,
- liburcu-dev [linux-any],
+Build-Depends:
+ debhelper (>= 11~),
+ ragel,
+ libev-dev,
+ libltdl-dev,
  libmaxminddb-dev (>= 1.2.0),
  libunwind-dev [i386 amd64 ppc64 ppc64el powerpc powerpcspe armel armhf arm64 mips mipsel mips64el],
- libsocket6-perl, libio-socket-inet6-perl,
- libwww-perl, libhttp-daemon-perl
-Standards-Version: 4.1.4
+ liburcu-dev,
+ perl,
+ libhttp-daemon-perl,
+ libio-socket-inet6-perl,
+ libsocket6-perl,
+ libwww-perl
+Standards-Version: 4.3.0
 Homepage: http://gdnsd.org/
 Vcs-Browser: https://github.com/paravoid/gdnsd
 Vcs-Git: https://github.com/paravoid/gdnsd.git
diff --git a/debian/copyright b/debian/copyright
index 70f02cd..b2f9385 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -3,7 +3,7 @@ Upstream-Name: gdnsd
 Source: https://github.com/gdnsd/gdnsd
 
 Files: *
-Copyright: 2012-2013, Brandon L Black 
+Copyright: 2012-2019, Brandon L Black 
 License: GPL-3+
 
 Files: t/Net/*
@@ -23,7 +23,7 @@ License: Artistic or GPL-1+
  "/usr/share/common-licenses/Artistic".
 
 Files: debian/*
-Copyright: 2012-2018, Faidon Liambotis 
+Copyright: 2012-2019, Faidon Liambotis 
 License: GPL-3+
 
 License: GPL-3+
diff --git a/debian/gbp.conf b/debian/gbp.conf
index bedf34d..81b6d6d 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -2,9 +2,6 @@
 upstream-tree=tag
 debian-branch=debian
 upstream-tag = v%(version)s
-overlay = True
 no-create-orig = True
 compression = xz
-tarball-dir = ../tarballs
-export-dir = ../build-area
 prebuild = rm -f .travis.yml
diff --git a/debian/source/options b/debian/source/options
deleted file mode 100644
index b7bc1f2..000
--- 

Bug#854889: same on s390x

[David Bremner]

David Bremner  writes:

> I just encountered what is probably the same bug trying to debootstrap
> an ubuntu/s390x chroot.
>
> I: Extracting zlib1g...
> I: Running command: chroot /srv/chroot/bionic-s390x /debootstrap/debootstrap 
> --second-stage
> qemu-s390x-static: /build/qemu-2.8+dfsg/translate-all.c:175: tb_lock: 
> Assertion `!have_tb_lock' failed.
> Segmentation fault

I should have mentioned versions.

That failure is with qemu-user-static in stretch, which I guess should
be 1:2.8+dfsg-6+deb9u5.

With 1:3.1+dfsg-4 it seems to be ok; I managed to debootstrap an ubuntu
bionic chroot and build a package there.

I don't know what the important difference is, but I've previously
successfully debootstapped debian stable s390x using the qemu in
stretch.

Bug#924621: [Pkg-openssl-devel] Bug#924621: openssl 1.1.1b-1 make fetchmail unusable

[Atsuhito Kohda]

Hi Sebastian,

On Fri, 15 Mar 2019 22:08:13 +0100, Sebastian Andrzej Siewior wrote:

> Do you have somewhere more information what failed on the fetchmail
> side? 

Yes, I have error messages of fetchmail but they contains
some Japanese characters. (I added simple translations of
them but not precise translations.)

fetchmail: System error during SSL_connect(): 接続が相手からリセットされました
fetchmail: SSL による接続に失敗しました。
fetchmail: socketエラーが **server name** よりメールを受信している最中に発生しました。
fetchmail: Query status=2 (SOCKET)

line #1:connection is reset by server
line #2:connection by SSL is failed
line #3:during receiving mail from **server name**, a socket error occured

> Is the server using by any chance a small DH key?

Not sure but on the server dovecot (of Debian package) is running.

Thanks for your response.
Best regards,   2019-3-16(Sat)

-- 
 **
 Atsuhito Kohda
 atsuhito_k AT tokushima-u.ac.jp

Bug#254909: 254...@bugs.debian.org

[Nichola Williams]

Sent from my iPhone

Bug#254909: (no subject)

[Nichola Williams]

Sent from my iPhone

Bug#924700: ITP: libsql-tiny-perl -- simple SQL-building library

[gregor herrmann]

Package: wnpp
Owner: gregor herrmann 
Severity: wishlist
X-Debbugs-CC: debian-de...@lists.debian.org, debian-p...@lists.debian.org

* Package name: libsql-tiny-perl
  Version : 0.02
  Upstream Author : Andy Lester 
* URL : https://metacpan.org/release/SQL-Tiny
* License : Artistic-2.0
  Programming Lang: Perl
  Description : simple SQL-building library

SQL::Tiny is a very simple SQL-building library. It's not for all SQL needs,
only the very simple ones.

SQL::Tiny is for generating SQL code for simple cases. It doesn't handle
JOINs. It doesn't handle GROUP BY. It doesn't handle subselects. It's only
for simple SQL.

The trade-off for that brevity of code is that SQL::Tiny has to make new SQL
and binds from the input every time. You can't cache the SQL that comes back
from SQL::Tiny because the placeholders could vary depending on what the
input data is. Therefore, you don't want to use SQL::Tiny where speed is
essential.

The package will be maintained under the umbrella of the Debian Perl Group.

--
Generated with the help of dpt-gen-itp(1) from pkg-perl-tools.


signature.asc
Description: Digital Signature

Bug#924701: unblock: edk2/0~20181115.85588389-3

[dann frazier]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package edk2

Addresses 3 CVEs.

unblock edk2/0~20181115.85588389-3

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.20.0-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Bug#919812: hotspot: FTBFS on hppa - undefined reference

[John David Anglin]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
 
On 2019-03-15 5:00 p.m., Dmitry Shachnev wrote:
> Explicitly casting QDataStream::Qt_DefaultCompiledVersion to an integer type 
> > should make GCC find the right implementation. Try this: > > qint32 
> dataStreamVersion =
qToLittleEndian(static_cast(QDataStream::Qt_DefaultCompiledVersion));
The attached change fixed build:
https://buildd.debian.org/status/fetch.php?pkg=hotspot=hppa=1.1.0%2Bgit20190211-1=1552694126=0

Thanks,
Dave

- -- 
John David Anglin  dave.ang...@bell.net
-BEGIN PGP SIGNATURE-
 
iQIzBAEBCAAdFiEEnRzl+6e9+DTrEhyEXb/Nrl8ZTfEFAlyMPCsACgkQXb/Nrl8Z
TfExJg/9FtlkIw2enkDf5H6mgdLO9F+jrmQAyjTYYcPtoxgdOYp8K2+YY2Wt7cLg
Yd1XQJLS9ho95ZOEymV5OMgsuCsXgrLyjyM7KrGVa9iGefQuGtYd8/njqkydmLsf
r6o2si7NAERLOkkwzV467XpT7rtwFSbzlEpL0mJknU4Q1Q6+i3lSKKy15z7TjOtV
OjQV1ScM7gZxulqlT6zk5NS6TCB/jtd58GMmsl+aZDZILOd3zQZabD3Iyfo/wUAo
wQvdRNWSnJsqEHC/zYgtqhcn9/3+NQtxX1sJusH8Wf9GdR1MI0nEovTzf2xGI7Cr
3YLpWEhgvS9Lon9XMU6drhn7pmSCqtQRY3+BMazCZFoQch+Cgd0HoxsjTWk4RTdX
JKhGBRvN6DcjgFzgZT5GJ5SoJMaF7H8qasxM5H4l1SmZPTYZee0y5aRT+PxbgRaC
C/Mc3mBee7vp375DT63Nh8I5YojDmRspAtHi6LLEVVEOGzPtSnMTObGoAXREZHZU
1ry4rvayNcTruWh2OWMpyzchXFdjkQbAyxqf+cVweaKn3Io45EuZ/m++fSIlVFXd
wUgibo/k1crXHR+VYKlnDtdiPZHBlSMzzlxHZ8QRA6kHdNliDC249RPNra2MejtX
Ocjlm6S0LihuvV4jh2j8HJ/0fVgtUJcvscy5KF6B1P2vReko71Y=
=q9bC
-END PGP SIGNATURE-

Index: hotspot-1.1.0+git20190211/3rdparty/perfparser/app/perfunwind.cpp
===
--- hotspot-1.1.0+git20190211.orig/3rdparty/perfparser/app/perfunwind.cpp
+++ hotspot-1.1.0+git20190211/3rdparty/perfparser/app/perfunwind.cpp
@@ -126,7 +126,7 @@ PerfUnwind::PerfUnwind(QIODevice *output
 // Write minimal header, consisting of magic and data stream version 
we're going to use.
 const char magic[] = "QPERFSTREAM";
 output->write(magic, sizeof(magic));
-qint32 dataStreamVersion = 
qToLittleEndian(QDataStream::Qt_DefaultCompiledVersion);
+qint32 dataStreamVersion = 
qToLittleEndian(static_cast(QDataStream::Qt_DefaultCompiledVersion));
 output->write(reinterpret_cast(), 
sizeof(qint32));
 }
 }

Bug#921607: mupdf shell script [correction]

[Kan-Ru Chen]

On Sat, Mar 9, 2019, at 4:24 PM, Mike wrote:
> the patch should be:

 $cmd || true
else
-$cmd "$file" || true
+$cmd "$file" $2
fi

There is a start page param after the file:

usage: /usr/lib/mupdf/mupdf-x11 [options] file.pdf [page]


- the proposed 'exec' leaves a tmp-file in /tmp !

(- I see no reason for the 'true'?)
> 


The script was using 'exec' and reads from a file descriptor but I changed it 
to current approach in this commit 
https://salsa.debian.org/koster/mupdf/commit/7e6cc9123f8b619799cfe1de4e765b22606c373a

I think reading from '/dev/fd/3' is not portable and I don't know if there is a 
way to reliably get a unused file descriptor.

I'll upload a version to fix the [page] options.

If anyone has idea how to improve the script please let me know!

Kanru

Bug#924657: kbdnames are generated with incorrect translations

[Cyril Brulebois]

Hi Iain,

Iain Lane  (2019-03-15):
> Package: keyboard-configuration
> Version: 1.188
> Severity: serious
> Tags: patch
> 
> Control: forwarded -1 
> https://salsa.debian.org/installer-team/console-setup/merge_requests/2
> 
> I'm reporting from my Ubuntu system but I've confirmed this also affects
> 1.188 in buster, or any version that was built with perl ≥ 5.28.
> 
> The generated names in keyboard-configuration.config are translated
> incorrectly:
> 
>   laney@raleigh> dpkg --ctrl-tarfile keyboard-configuration_1.188_all.deb | 
> tar xO- ./config | grep "en_GB\*model\*sun_type6_jp"
>   en_GB*model*sun_type6_jp*Sun Type 6 (Japonesa)
>   en_GB*model*sun_type6_jp_usb*Sun Type 6 USB (Japonesa)
> 
> That should be "(Japanese)". Very many other entries are also affected.
> I've provided a patch on the referenced salsa URL.

Thanks for the report and the patch/MR.

Looping in the Perl team for additional eyes and also awareness. Other
packages might be affected, and it might make sense to conduct some
sources.d.o/codesearch-based check…


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant


signature.asc
Description: PGP signature

Bug#924699: installer doesn't include "/usr/sbin/" in the PATH environment

[Brian Wengel]

Package: debian buster installer (debian-testing-amd64-DVD-1.iso,
2019-03-16)

I assume it's not on purpose not to include "/usr/sbin/" in the PATH.
(I assume it's the installer that setup the path?)

On my new installed Debian Buster directly from DVD iso:

/# echo $PATH
*/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games*

Best regards
Brian W., Denmark

Bug#924698: debian-faq: please enable build for Japanese translation

[Holger Wansing]

Package: debian-faq
Severity: wishlist
Tags: l10n, patch
X-Debbugs-CC: debian-...@lists.debian.org


debian-faq has a japanese translation, which is in not-that-bad shape (compared
to others) for more than two years.

Please activate the build for it, so that users can benefit from this
translation.

This also adds a new binary package for Japanese.



Cheers
Holger


-- 
Holger Wansing 
PGP-Fingerprint: 496A C6E8 1442 4B34 8508  3529 59F1 87CA 156E B076
diff --git a/debian/README.devel b/debian/README.devel
index e58279a..093ed88 100644
--- a/debian/README.devel
+++ b/debian/README.devel
@@ -39,6 +39,10 @@ we install these as separate packages:
 Claudio Cattazzo ,
 debian-l10n-ital...@lists.debian.org,
 
+** ja(last update (as of 2017-11) 2016-12,
+ victory ,
+ Takuma Yamada ).
+
 ** fr(last update (as of 2008-09) 2008-08)
 
 Simon Paillard 
@@ -88,11 +92,6 @@ not in SVN, hopelessly out of date:
http://bugs.debian.org/327764
"RM: doc-debian-ko -- RoM; Orphaned, outdated" (Sep 2005)
 
-# ja   doc-debian-ja - Debian FAQ and other documents (Japanese)
-   http://bugs.debian.org/327663
-   "RM: doc-debian-ja -- RoQA; old, unused, very outdated documentation"
-   (Sep 2005)
-
 
 
 peeksheet
diff --git a/debian/changelog b/debian/changelog
index ea80a30..7d559b8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,6 +13,8 @@ debian-faq (9.1) UNRELEASED; urgency=medium
   * Fix file server URL in control file, as mentioned in
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892244#38.
 Closes: #892246, #892247.
+  * Activate package build for Japanese translation; translation is po-based.
+(Closes: #xxxyyy)
 
   [ Jean-Philippe MENGUAL ]
   * Update French translation (reported as #920492)
diff --git a/debian/control b/debian/control
index d22cba6..c032b00 100644
--- a/debian/control
+++ b/debian/control
@@ -107,6 +107,24 @@ Description: Debian Frequently Asked Questions, in Italian
  This is the translation in Italian of the original English FAQ (available in
  the package debian-faq.)
 
+Package: debian-faq-ja
+Priority: optional
+Architecture: all
+Suggests: www-browser, postscript-viewer
+Depends: ${misc:Depends}
+Description: Debian Frequently Asked Questions, in Japanese
+ In this package you will find the Debian GNU/Linux FAQ, which gives
+ frequently asked questions (with their answers!) about the Debian distribution
+ (Debian GNU/Linux and others) and about the Debian project.
+ Some answers assume some knowledge of Unix-like operating systems.
+ However, as little prior knowledge as possible is assumed: answers to general
+ beginners questions will be kept simple.
+ .
+ The document is supplied in HTML, PDF, PostScript and plain text.
+ .
+ This is the translation in Japanese of the original English FAQ (available in
+ the package debian-faq.)
+
 Package: debian-faq-nl
 Priority: optional
 Architecture: all


files-to-add
Description: Binary data

Bug#919296: git-daemon-run: fails with 'warning: git-daemon: unable to open supervise/ok: file does not exist'

[Lorenzo Puliti]

Package: git-daemon-run
Version: 1:2.20.1-2
Followup-For: Bug #919296

Hi!

>Severity: grave
>Justification: renders package unusable

Jonathan wrote:
>adding a Depends by git-daemon-run on
>'runit-init | runit-systemd | runit-sysv' should do the trick.

This should allow to lower the severity to non-RC: I have the same error
as the bug title but with runit-init installed git-daemon is far from being
unusable. In fact it's running as it's supposed to be despite the error. 

> Celejar wrote:
>Okay, I've installed runit-systemd:
>
>~# dpkg-reconfigure git-daemon-run
>Service git-daemon already added.
>warning: git-daemon: unable to open supervise/ok: file does not exist

disregard the warning, please test with
# sv status git-daemon
to check if git-daemon it's really not running

>Bogatov wrote:
>Dear git maintainer, you could plug this bug by adding
>`/var/lib/supervise/git-daemon' into `debian/git-daemon-run.dirs'.

Dmitry, are you sure? runsv can create the 'git-daemon' directory if 
it's not there, and a dangling symlink won't stop it.
You can do a test:
# update-service --remove /etc/sv/git-daemon
# rm -r /var/lib/supervise/git-daemon
# update-service --add /etc/sv/git-daemon
wait at least 5 seconds, than do
# sv term git-daemon

> Jonathan Nieder wrote:
> Unfortunately, this doesn't work.  /var/lib/supervise/git-daemon ought
> to contain a definition of a supervise service, whereas this produces
> an empty directory so it still fails.

Yes, as you enable a service, you have to wait at least 5 seconds before
safely sending signals with sv. See runsvdir(8), it pools every 5 seconds.
It's a flaw in runit design. 

Lorenzo


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.20.3-van (SMP w/4 CPU cores; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: runit (via /run/runit.stopit)

Versions of packages git-daemon-run depends on:
ii  adduser  3.118
ii  git  1:2.20.1-2
ii  runit2.1.2-25helpers1

git-daemon-run recommends no packages.

git-daemon-run suggests no packages.

-- no debconf information

Bug#924696: debian-faq on debian website: chinese translation not updated to latest version

[Holger Wansing]

Package: www.debian.org
Severity: normal
Tags: l10n
X-Debbugs-CC: debian-...@lists.debian.org


Under https://www.debian.org/doc/user-manuals#faq
most debian-faq translations are from 18. Nov 2018
(like https://www.debian.org/doc/manuals/debian-faq/index.en.html
or https://www.debian.org/doc/manuals/debian-faq/index.de.html,
look of the bottom of the first page),

while the Chinese one is from 01. May 2015
(see https://www.debian.org/doc/manuals/debian-faq/index.zh-cn.html)

However, the debian-faq package version 9.0 has correct Chinese version included
in it (even though it has large untranslated parts).

So the problem seems to be somewhere in the ../cron/parts/... scripts.



Cheers
Holger


-- 
Holger Wansing 
PGP-Fingerprint: 496A C6E8 1442 4B34 8508  3529 59F1 87CA 156E B076

Bug#924697: elpa-cider: broken by leiningen 2.9.0

[Sean Whitton]

Package: elpa-cider
Version: 0.19.0+dfsg-1
Severity: grave
Tags: sid patch upstream
X-debbugs-cc: pkg-clojure-maintain...@lists.alioth.debian.org
Control: forwarded -1 https://github.com/clojure-emacs/cider/issues/2581

Hello,

CIDER crashes against leiningen 2.9.0, which is now in sid.

Cherry-picking upstream commit a48af155d8acf64e7c3025146027ef2d62f1cc2e
fixes the problem, and the test suite passes, though that commit does
cause CIDER to use cider-middleware 0.21.0, which is somewhat
uncomfortable.

-- 
Sean Whitton


signature.asc
Description: PGP signature

Bug#924398: corekeeper can be confused with whitespace in executable names

[Jakub Wilk]

* Jakub Wilk , 2019-03-15, 23:35:

+for arg; do
+   case "$1" in


Ooops, that should be "$arg", not "$1".

BTW, what is the uid variable for? It's not used anywhere...

--
Jakub Wilk

Bug#924695: ITP: libnginx-mod-http-brotli-filter -- Brotli compression filter module for Nginx

[Jérémy Lal]

Package: wnpp
Severity: wishlist
Owner: Jérémy Lal 

* Package name: libnginx-mod-http-brotli-filter
  Version : 0.1.3.4.g8104036
  Upstream Author : Piotr Sikora, Eugene Kliuchnikov
* URL : https://github.com/eustas/ngx_brotli
* License : BSD-2-clause
  Programming Lang: C
  Description : Brotli compression filter module for Nginx

Brotli compression module, similar to gzip module.
.
Brotli is similar in speed with deflate but offers more dense
compression.
.
Brotli encoding is well supported by current web browsers.

I'm looking for co-maintainers in the nginx team.

Bug#920492: debian-faq: French documentation translation update

[Holger Wansing]

Hi,

Holger Wansing  wrote:
> 
> Jean-Philippe MENGUAL  wrote:
> > Please find attached the French translation update, proofread by the
> > debian-l10n-french mailing list contributors.
> > 
> > This file should be put as po4a/po/fr.po in your package build tree.
> 
> I have committed the file to GIT.
> However the file apparently is not in sync with the English original.
> 
> So there is some more update work needed. But I would recommend to not start
> with this now, since there seems to be a problem with the process of
> updating the po files, which leads to new changings appearing over and over
> again. So, to prevent from needless work, I recommend to not work on
> translations updates now.
> I will keep you informed...

I'm sorry, apparently I made wrong assumptions when it comes to how the
tools within the debian-faq package work.
So, everything seems fine so far.

That being said:

Jean-Philippe: could you please update the fr.po file from
https://salsa.debian.org/ddp-team/debian-faq/tree/master/po4a/po 
and sent it to this bug (#920492)?


Thanks
Holger


-- 
Holger Wansing 
PGP-Fingerprint: 496A C6E8 1442 4B34 8508  3529 59F1 87CA 156E B076

Bug#924398: corekeeper can be confused with whitespace in executable names

[Jakub Wilk]

* Paul Wise , 2019-03-15, 12:56:
I decided to just check if the arguments are integers, attached the 
patch.


I like the idea, but how about the attached patch instead?

It's less repetitive, the diff is smaller, and it's hopefully slightly 
easier to understand.


--
Jakub Wilk
diff --git a/debian/dump b/debian/dump
index e8fc3fd..0492ac4 100644
--- a/debian/dump
+++ b/debian/dump
@@ -28,15 +28,22 @@ if [ "$(id -u)" != "0" ]; then
 	exit 1
 fi
 
-# Check how many arguments the kernel sent us.
-if [ $# -eq 2 ] ; then
+# Check how many numeric arguments the kernel sent us.
+numargs=0
+for arg; do
+	case "$1" in
+		(*[!0-9]*|'') break;;
+		(*) numargs=$((numargs + 1));;
+	esac
+done
+if [ $numargs -eq 1 ] ; then
 	# Awww, old kernel that does not support %d
 	# Cannot set the core file owner safely, use root
 	# See v3.6-6800-g12a2b4b in linux.git for more info
 	uid="$1"
 	core="$2"
 	owner="0"
-elif [ $# -eq 3 ] ; then
+elif [ $numargs -eq 2 ] ; then
 	# Yay! A kernel that does support %d
 	uid="$2"
 	core="$3"

Bug#924351: mupdf: diff for NMU version 1.14.0+ds1-3.1

[Salvatore Bonaccorso]

Hi,

On Fri, Mar 15, 2019 at 06:22:30PM -0400, Kan-Ru Chen wrote:
> Hey,
> 
> On Sat, Mar 16, 2019, at 7:09 AM, Salvatore Bonaccorso wrote:
> > Control: tags 924351 + patch
> > Control: tags 924351 + pending
> > 
> > 
> > Dear maintainer,
> > 
> > I've prepared an NMU for mupdf (versioned as 1.14.0+ds1-3.1) and
> > uploaded it to DELAYED/2. Please feel free to tell me if I
> > should delay it longer.
> > 
> > The previously mentioned issue was actually caused to a additional
> > missing commit unrelated to the security fixes, which I as well
> > cherry-picked in this update now.
> > 
> > Apart of the attached debdiff, the single commits can be as well taken
> > from the merge request at
> > https://salsa.debian.org/koster/mupdf/merge_requests/1 .
> 
> Thanks for the NMU!
> 
> Actually I can take a look today and upload to the normal queue.

Ack, thank you.

> It is full-freeze now so my understanding is I'll need to file a
> unblock request later.  Is that correct?

Yes exactly. You can use reportbug to recieve a template for the
unblock request.

Regards,
Salvatore

Bug#924351: mupdf: diff for NMU version 1.14.0+ds1-3.1

[Kan-Ru Chen]

Hey,

On Sat, Mar 16, 2019, at 7:09 AM, Salvatore Bonaccorso wrote:
> Control: tags 924351 + patch
> Control: tags 924351 + pending
> 
> 
> Dear maintainer,
> 
> I've prepared an NMU for mupdf (versioned as 1.14.0+ds1-3.1) and
> uploaded it to DELAYED/2. Please feel free to tell me if I
> should delay it longer.
> 
> The previously mentioned issue was actually caused to a additional
> missing commit unrelated to the security fixes, which I as well
> cherry-picked in this update now.
> 
> Apart of the attached debdiff, the single commits can be as well taken
> from the merge request at
> https://salsa.debian.org/koster/mupdf/merge_requests/1 .

Thanks for the NMU!

Actually I can take a look today and upload to the normal queue.

It is full-freeze now so my understanding is I'll need to file a unblock 
request later.
Is that correct?

Kanru

Bug#818506: tone down warnings about GUI-based upgrades

[Antoine Beaupré]

On 2019-03-15 23:03:05, Paul Gevers wrote:
> Hi,
>
> On 15-03-2019 22:45, Antoine Beaupré wrote:
>> I don't know what the treshold should be, but for me if X crashes during
>> upgrades, that's a bug that should be fixed in X or whatever crashes it,
>> not something that should just be mentioned in passing in the release
>> notes.
>> 
>> So I'm tempted to say we should just remove this and stop pretending
>> that's okay. If that's still a problem, we need to fix it, not just say
>> "oops we did it again" in the relnotes. ;)
>
> And how about remote updates? Are the notes about VPN, telnet, rlogin,
> and rsh still valid? I would apply the same logic here.

VPN I don't know, but I would definitely ditch anything mentioning
telne, rlogin or rsh, really. :)

A.

-- 
The problem is not a lack of highly educated workers, the problem is a
lack of highly educated workers willing to work for the minimum wage or
lower in the U.S. Costs are driving outsourcing, not the quality of
American schools.   - Scott Kirwin, IT Professionals Association

Bug#924694: unblock: gnulib/20140202+stable-3.2

[Salvatore Bonaccorso]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

Moritz Muehlenhoff filled #924613 to raise CVE-2009-5155 issue in
gnulib to the BTS. The issue is already fixed in the experimental
version and the update to sid includes the cherry-picked patch as per
http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272
from upstream.

The changelog entry reads as (note I did not choose it as QA upload as
the QA upload was done for experimental):

 gnulib (20140202+stable-3.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Diagnose ERE '()|\1' (CVE-2009-5155) (Closes: #924613)

unblock gnulib/20140202+stable-3.2

Regards,
Salvatore
diff -Nru gnulib-20140202+stable/debian/changelog 
gnulib-20140202+stable/debian/changelog
--- gnulib-20140202+stable/debian/changelog 2019-02-09 11:11:06.0 
+0100
+++ gnulib-20140202+stable/debian/changelog 2019-03-15 21:08:27.0 
+0100
@@ -1,3 +1,10 @@
+gnulib (20140202+stable-3.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Diagnose ERE '()|\1' (CVE-2009-5155) (Closes: #924613)
+
+ -- Salvatore Bonaccorso   Fri, 15 Mar 2019 21:08:27 +0100
+
 gnulib (20140202+stable-3.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru gnulib-20140202+stable/debian/patches/04-Diagnose-ERE-1.patch 
gnulib-20140202+stable/debian/patches/04-Diagnose-ERE-1.patch
--- gnulib-20140202+stable/debian/patches/04-Diagnose-ERE-1.patch   
1970-01-01 01:00:00.0 +0100
+++ gnulib-20140202+stable/debian/patches/04-Diagnose-ERE-1.patch   
2019-03-15 21:08:27.0 +0100
@@ -0,0 +1,45 @@
+From: Paul Eggert 
+Date: Sat, 19 Sep 2015 13:53:34 -0700
+Subject: Diagnose ERE '()|\1'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: 
http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2009-5155
+Bug-Debian: https://bugs.debian.org/924613
+
+Problem reported by Hanno Böck in: http://bugs.gnu.org/21513
+* lib/regcomp.c (parse_reg_exp): While parsing alternatives, keep
+track of the set of previously-completed subexpressions available
+before the first alternative, and restore this set just before
+parsing each subsequent alternative.  This lets us diagnose the
+invalid back-reference in the ERE '()|\1'.
+---
+
+--- a/lib/regcomp.c
 b/lib/regcomp.c
+@@ -2187,6 +2187,7 @@ parse_reg_exp (re_string_t *regexp, rege
+ {
+   re_dfa_t *dfa = preg->buffer;
+   bin_tree_t *tree, *branch = NULL;
++  bitset_word_t initial_bkref_map = dfa->completed_bkref_map;
+   tree = parse_branch (regexp, preg, token, syntax, nest, err);
+   if (BE (*err != REG_NOERROR && tree == NULL, 0))
+ return NULL;
+@@ -2197,6 +2198,8 @@ parse_reg_exp (re_string_t *regexp, rege
+   if (token->type != OP_ALT && token->type != END_OF_RE
+ && (nest == 0 || token->type != OP_CLOSE_SUBEXP))
+   {
++bitset_word_t accumulated_bkref_map = dfa->completed_bkref_map;
++dfa->completed_bkref_map = initial_bkref_map;
+ branch = parse_branch (regexp, preg, token, syntax, nest, err);
+ if (BE (*err != REG_NOERROR && branch == NULL, 0))
+   return NULL;
+@@ -2398,6 +2401,7 @@ parse_expression (re_string_t *regexp, r
+ *err = REG_ESPACE;
+ return NULL;
+   }
++dfa->completed_bkref_map |= accumulated_bkref_map;
+   }
+   else
+   {
diff -Nru gnulib-20140202+stable/debian/patches/series 
gnulib-20140202+stable/debian/patches/series
--- gnulib-20140202+stable/debian/patches/series2019-02-09 
11:11:06.0 +0100
+++ gnulib-20140202+stable/debian/patches/series2019-03-15 
21:08:27.0 +0100
@@ -1,3 +1,4 @@
 01-gnulib-directory.patch
 02-shebang.patch
 03-vasnprintf-Fix-heap-memory-overrun-bug.patch
+04-Diagnose-ERE-1.patch

Bug#924659: ITP: fossology -- FOSSology is an open source license compliance software system and toolkit.

[Guillem Jover]

Hi!

On Fri, 2019-03-15 at 20:27:57 +0530, Gaurav Mishra wrote:
> Package: wnpp
> Severity: wishlist
> Owner: Gaurav Mishra 

>   Package name : fossology
>   Version : 3.4.0
>   Upstream Author : Michael Jaeger 
>   URL : https://www.fossology.org/
>   License : GPL-2.0-only, LGPL-2.1-only
>   Programming Lang: C, C++, PHP
>   Description : FOSSology is an open source license compliance software
> system and toolkit.
> 
>  FOSSology is an open source license compliance software system and
> toolkit. As a toolkit you can run license, copyright and export control
> scans from the command line. As a system, a database and web ui are
> provided to give you a compliance workflow. License, copyright and export
> scanners are tools used in the workflow.
> 
>  - Why is this package useful/relevant?
>- FOSSology is a famous tool used for open source license compliance.
>  We have a large database of users which can be benifited by
>  publishing this as a Debian package.
>  - Do you use it?
>- You can check https://www.fossology.org/ to get a list of compaines
>  and organizations using FOSSology.
>  - How do you plan to maintain it?
>- FOSSology is currently maintained at
>  https://github.com/fossology/fossology. I have created a mirror for
>  the same at https://salsa.debian.org/fossology-team/fossology.
>  - Are you looking for co-maintainers or a sponsor?
>- We are looking for a sponsor to help us publish FOSSology as a
>  Debian package.

JFYI:

  ,---
  $ deb-why-removed fossology
  Date: Sun, 10 Jun 2012 09:58:31 +
  Ftpmaster: Luca Falavigna
  Suite: unstable
  Sources:
   fossology_1.2.0-3.1
  Binaries:
   fossology_1.2.0-3.1 [all]
   fossology-agents_1.2.0-3.1 [amd64, armel, armhf, i386, ia64, kfreebsd-amd64, 
kfreebsd-i386, mips, mipsel, powerpc, s390, s390x, sparc]
   fossology-agents-single_1.2.0-3.1 [amd64, armel, armhf, i386, ia64, 
kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, s390x, sparc]
   fossology-common_1.2.0-3.1 [amd64, armel, armhf, i386, ia64, kfreebsd-amd64, 
kfreebsd-i386, mips, mipsel, powerpc, s390, s390x, sparc]
   fossology-db_1.2.0-3.1 [all]
   fossology-dev_1.2.0-3.1 [amd64, armel, armhf, i386, ia64, kfreebsd-amd64, 
kfreebsd-i386, mips, mipsel, powerpc, s390, s390x, sparc]
   fossology-scheduler_1.2.0-3.1 [amd64, armel, armhf, i386, ia64, 
kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, s390x, sparc]
   fossology-scheduler-single_1.2.0-3.1 [amd64, armel, armhf, i386, ia64, 
kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, s390x, sparc]
   fossology-web_1.2.0-3.1 [all]
   fossology-web-single_1.2.0-3.1 [all]
  Reason: RoQA; unmaintained, RC buggy
  Bug: 656591
  Also-Bugs: 591107 592025 595593 627771 639468 658953 674381
  `---

Thanks,
Guillem

Bug#924351: mupdf: diff for NMU version 1.14.0+ds1-3.1

[Salvatore Bonaccorso]

Control: tags 924351 + patch
Control: tags 924351 + pending


Dear maintainer,

I've prepared an NMU for mupdf (versioned as 1.14.0+ds1-3.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

The previously mentioned issue was actually caused to a additional
missing commit unrelated to the security fixes, which I as well
cherry-picked in this update now.

Apart of the attached debdiff, the single commits can be as well taken
from the merge request at
https://salsa.debian.org/koster/mupdf/merge_requests/1 .

Regards,
Salvatore
diff -Nru mupdf-1.14.0+ds1/debian/changelog mupdf-1.14.0+ds1/debian/changelog
--- mupdf-1.14.0+ds1/debian/changelog	2019-01-19 04:01:19.0 +0100
+++ mupdf-1.14.0+ds1/debian/changelog	2019-03-15 22:53:36.0 +0100
@@ -1,3 +1,14 @@
+mupdf (1.14.0+ds1-3.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Avoid being smart about keeping only a single reference to the buffer
+(CVE-2018-16647) (Closes: #924351)
+  * Fix text used as clip mask in pdfwrite device (CVE-2018-16648)
+(Closes: #924351)
+  * Fix typo in pdf write device
+
+ -- Salvatore Bonaccorso   Fri, 15 Mar 2019 22:53:36 +0100
+
 mupdf (1.14.0+ds1-3) unstable; urgency=high
 
   * d/patches: import upstream fixes for various bugs.
diff -Nru mupdf-1.14.0+ds1/debian/patches/0011-Avoid-being-smart-about-keeping-only-a-single-refere.patch mupdf-1.14.0+ds1/debian/patches/0011-Avoid-being-smart-about-keeping-only-a-single-refere.patch
--- mupdf-1.14.0+ds1/debian/patches/0011-Avoid-being-smart-about-keeping-only-a-single-refere.patch	1970-01-01 01:00:00.0 +0100
+++ mupdf-1.14.0+ds1/debian/patches/0011-Avoid-being-smart-about-keeping-only-a-single-refere.patch	2019-03-15 22:53:36.0 +0100
@@ -0,0 +1,79 @@
+From: Sebastian Rasmussen 
+Date: Mon, 1 Oct 2018 15:13:13 +0800
+Subject: Avoid being smart about keeping only a single reference to the
+ buffer.
+Origin: http://www.ghostscript.com/cgi-bin/findgit.cgi?351c99d8ce23bbf7099dbd52771a095f67e45a2c
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-16647
+Bug-Debian: https://bugs.debian.org/924351
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=699686
+
+When pdf_dev_pop() is called it will drop the reference to the buffer.
+pdf_dev_push_new_buf() will either create a new buffer reference or take a reference to the existing buffer.
+When pdf_dev_pop() is called unbalance this creates a problem as the
+top level buffer will be unreferenced too many times.
+
+fails-32.pdf
+---
+ source/pdf/pdf-device.c | 15 +--
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/source/pdf/pdf-device.c b/source/pdf/pdf-device.c
+index 31a7a10f2722..0103e9a7d9be 100644
+--- a/source/pdf/pdf-device.c
 b/source/pdf/pdf-device.c
+@@ -66,7 +66,6 @@ struct pdf_device_s
+ 
+ 	pdf_document *doc;
+ 	pdf_obj *resources;
+-	fz_buffer *buffer;
+ 
+ 	int in_text;
+ 
+@@ -1061,7 +1060,10 @@ pdf_dev_drop_device(fz_context *ctx, fz_device *dev)
+ 	int i;
+ 
+ 	for (i = pdev->num_gstates-1; i >= 0; i--)
++	{
++		fz_drop_buffer(ctx, pdev->gstates[i].buf);
+ 		fz_drop_stroke_state(ctx, pdev->gstates[i].stroke_state);
++	}
+ 
+ 	for (i = pdev->num_cid_fonts-1; i >= 0; i--)
+ 		fz_drop_font(ctx, pdev->cid_fonts[i]);
+@@ -1069,7 +1071,6 @@ pdf_dev_drop_device(fz_context *ctx, fz_device *dev)
+ 	for (i = pdev->num_groups - 1; i >= 0; i--)
+ 		pdf_drop_obj(ctx, pdev->groups[i].ref);
+ 
+-	fz_drop_buffer(ctx, pdev->buffer);
+ 	pdf_drop_obj(ctx, pdev->resources);
+ 	fz_free(ctx, pdev->cid_fonts);
+ 	fz_free(ctx, pdev->image_indices);
+@@ -,10 +1112,13 @@ fz_device *pdf_new_pdf_device(fz_context *ctx, pdf_document *doc, fz_matrix topc
+ 	dev->super.begin_tile = pdf_dev_begin_tile;
+ 	dev->super.end_tile = pdf_dev_end_tile;
+ 
++	fz_var(buf);
++
+ 	fz_try(ctx)
+ 	{
+-		dev->buffer = fz_keep_buffer(ctx, buf);
+-		if (!buf)
++		if (buf)
++			buf = fz_keep_buffer(ctx, buf);
++		else
+ 			buf = fz_new_buffer(ctx, 256);
+ 		dev->doc = doc;
+ 		dev->resources = pdf_keep_obj(ctx, resources);
+@@ -1136,8 +1140,7 @@ fz_device *pdf_new_pdf_device(fz_context *ctx, pdf_document *doc, fz_matrix topc
+ 	}
+ 	fz_catch(ctx)
+ 	{
+-		if (dev->gstates && dev->buffer == NULL)
+-			fz_drop_buffer(ctx, dev->gstates[0].buf);
++		fz_drop_buffer(ctx, buf);
+ 		fz_free(ctx, dev);
+ 		fz_rethrow(ctx);
+ 	}
+-- 
+2.20.1
+
diff -Nru mupdf-1.14.0+ds1/debian/patches/0012-Fix-text-used-as-clip-mask-in-pdfwrite-device.patch mupdf-1.14.0+ds1/debian/patches/0012-Fix-text-used-as-clip-mask-in-pdfwrite-device.patch
--- mupdf-1.14.0+ds1/debian/patches/0012-Fix-text-used-as-clip-mask-in-pdfwrite-device.patch	1970-01-01 01:00:00.0 +0100
+++ mupdf-1.14.0+ds1/debian/patches/0012-Fix-text-used-as-clip-mask-in-pdfwrite-device.patch	2019-03-15 22:53:36.0 +0100
@@ -0,0 +1,50 @@
+From: Tor Andersson 
+Date: Mon, 22 Oct 2018 17:16:35 +0200
+Subject: Fix text used as clip mask in pdfwrite device.
+Origin: 

Bug#818506: tone down warnings about GUI-based upgrades

[Paul Gevers]

Hi,

On 15-03-2019 22:45, Antoine Beaupré wrote:
> I don't know what the treshold should be, but for me if X crashes during
> upgrades, that's a bug that should be fixed in X or whatever crashes it,
> not something that should just be mentioned in passing in the release
> notes.
> 
> So I'm tempted to say we should just remove this and stop pretending
> that's okay. If that's still a problem, we need to fix it, not just say
> "oops we did it again" in the relnotes. ;)

And how about remote updates? Are the notes about VPN, telnet, rlogin,
and rsh still valid? I would apply the same logic here.

Paul



signature.asc
Description: OpenPGP digital signature

Bug#896717: buster release notes: python2 will be EOL upstream by 2020

[Paul Gevers]

Control: tags -1 patch

Hi all,

On Tue, 24 Apr 2018 06:08:08 + Holger Levsen 
wrote:
> i'm not sure we have consensus that buster is the last release to
> support python2, but it's definitly time to have a note there saying
> that python2 will be EOL upstream by 2020.

How about the attached patch?

Paul
From 20b9ff8526bedf95d6482d90a11f2b33b1debdc3 Mon Sep 17 00:00:00 2001
From: Paul Gevers 
Date: Fri, 15 Mar 2019 22:55:16 +0100
Subject: [PATCH] en/issues.dbk: add note about Python 2 becoming EOL in 2020

Closes: #896717
---
 en/issues.dbk | 10 --
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/en/issues.dbk b/en/issues.dbk
index 4bf9b8dd..71790676 100644
--- a/en/issues.dbk
+++ b/en/issues.dbk
@@ -99,8 +99,14 @@ information mentioned in .
 
 
   
-	TODO: Add items if any
-	
+
+  Python 2 will stop being supported by its upstream on https://www.python.org/dev/peps/pep-0373/;>January 1,
+  2020.  hopes to drop python-2.7 for . If users
+  have functionality that relies on python, they
+  should prepare to migrate to python3.
+
   
   
 
-- 
2.20.1



signature.asc
Description: OpenPGP digital signature

Bug#924635: libactivemq-java depends on the removed libspring-jms-java

[Emmanuel Bourg]

On 15/03/2019 09:56, Matthias Klose wrote:
> Package: libactivemq-java
> Version: 5.15.8-2
> Severity: serious
> Tags: sid buster
> 
> libactivemq-java depends on the removed libspring-jms-java.
> 

Errr why was libspring-jms-java removed? That seems wrong, this will
cause the removal of activemq.

Emmanuel Bourg

Bug#818506: tone down warnings about GUI-based upgrades

[Antoine Beaupré]

Control: tags -1 -moreinfo

On 2019-03-15 22:36:18, Paul Gevers wrote:
> Control: tags -1 moreinfo
>
> Hi Antoine,
>
> On Thu, 17 Mar 2016 13:26:36 -0400 =?utf-8?q?Antoine_Beaupr=C3=A9?=
>  wrote:
>> http://www.debian.org/releases/jessie/amd64/release-notes/ch-upgrading.en.html#upgrade-preparations
>> 
>> "The distribution upgrade should be done either locally from a
>> textmode virtual console (or a directly connected serial terminal), or
>> remotely via an ssh link."
>
> The source [1] used to say this:
> TODO: surely gdm/kdm are sane?
> (vorlon) haha, no, gdm is not; I had that thought, and tested a gdm
>  restart on my live session ;)
>
> That note was from before 2008.

That is a long time ago.

>> While the first time I did a jessie upgrade, my X session exploded and
>> I was left with a half-upgraded system (recovered fine, however), now
>> I just upgraded a fairly regular laptop to the latest jessie release,
>> through a full gnome session, without any interruption or issues.
>> 
>> So I think that wording could be changed to a recommendation. It will
>> make upgrading Debian more accessible to users less familiar with the
>> "textmode virtual consoles" (which is, I suspect, a surprisingly large
>> proportion). :)
>
> Is one experience enough to say this? Is the remark from 2008 still a
> thing? I don't know how to judge. I would expect that a lot has improved
> in this area over the last decade.

I also expect that as well.

I don't know what the treshold should be, but for me if X crashes during
upgrades, that's a bug that should be fixed in X or whatever crashes it,
not something that should just be mentioned in passing in the release
notes.

So I'm tempted to say we should just remove this and stop pretending
that's okay. If that's still a problem, we need to fix it, not just say
"oops we did it again" in the relnotes. ;)

A.

-- 
There has been only one Christian.
They caught him and crucified him -- early.
- Mark Twain

Bug#924693: apport: /var/crash/.lock is world-writable

[Jakub Wilk]

Package: apport
Version: 2.20.4-5
Tags: security

Apport creates /var/crash/.lock as readable and writable for anyone:

  # ls -l /var/crash/.lock
  -rwxrwxrwx 1 root root 0 Mar 15 22:30 /var/crash/.lock

This allows malicious local users to do bad things:

* They could fill up the disk, bypassing quotas.

* They could acquire lock on the file and never release it, effectively 
disabling core dumping for everyone.


* They could use the file as an aid in exploitation other 
vulnerabilities, such as this:

http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/


Please make the lock file accessible only to root.

--
Jakub Wilk

Bug#924692: apport: /var/crash/.lock created insecurely

[Jakub Wilk]

Package: apport
Version: 2.20.4-5
Tags: security

Apport tries to create /var/crash/.lock if doesn't exist already. But 
/var/crash/ is world-writable, so a malicious local user could do:


  ln -sf /nonexistent /var/crash/.lock

to prevent Apport from creating the lock file.

--
Jakub Wilk

Bug#818506: tone down warnings about GUI-based upgrades

[Paul Gevers]

Control: tags -1 moreinfo

Hi Antoine,

On Thu, 17 Mar 2016 13:26:36 -0400 =?utf-8?q?Antoine_Beaupr=C3=A9?=
 wrote:
> http://www.debian.org/releases/jessie/amd64/release-notes/ch-upgrading.en.html#upgrade-preparations
> 
> "The distribution upgrade should be done either locally from a
> textmode virtual console (or a directly connected serial terminal), or
> remotely via an ssh link."

The source [1] used to say this:
TODO: surely gdm/kdm are sane?
(vorlon) haha, no, gdm is not; I had that thought, and tested a gdm
 restart on my live session ;)

That note was from before 2008.

> While the first time I did a jessie upgrade, my X session exploded and
> I was left with a half-upgraded system (recovered fine, however), now
> I just upgraded a fairly regular laptop to the latest jessie release,
> through a full gnome session, without any interruption or issues.
> 
> So I think that wording could be changed to a recommendation. It will
> make upgrading Debian more accessible to users less familiar with the
> "textmode virtual consoles" (which is, I suspect, a surprisingly large
> proportion). :)

Is one experience enough to say this? Is the remark from 2008 still a
thing? I don't know how to judge. I would expect that a lot has improved
in this area over the last decade.

Paul

[1] https://salsa.debian.org/ddp-team/release-notes/commit/9292bbf



signature.asc
Description: OpenPGP digital signature

Bug#865215: release-notes: Perform upgrades with apt(8) instead of apt-get(8)

[Paul Gevers]

Control: tags -1 patch moreinfo

Hi Julian,

On Mon, 19 Jun 2017 22:37:06 +0200 Julian Andres Klode 
wrote:
> Upgrades are really an interactive situation, and the apt tool should allow 
> upgrades to go
> a bit more smoothly because it has the APT::Get::Upgrade-Allow-New default to 
> true, allowing
> additional packages to be installed in the upgrade command.

I have replaced all references to apt-get by apt and added a note in the
section where we recommend apt. Can you please check that I didn't say
anything stupid and that all cases are supported?

Paul
From 4dd6344909cee5a8ed683f52c816ba3d6e8996b6 Mon Sep 17 00:00:00 2001
From: Paul Gevers 
Date: Fri, 15 Mar 2019 22:22:41 +0100
Subject: [PATCH] Replace apt-get by apt

Closes: #865215
---
 en/issues.dbk|  4 ++--
 en/old-stuff.dbk |  4 ++--
 en/upgrading.dbk | 61 +++-
 3 files changed, 38 insertions(+), 31 deletions(-)

diff --git a/en/issues.dbk b/en/issues.dbk
index 4bf9b8dd..5f49a728 100644
--- a/en/issues.dbk
+++ b/en/issues.dbk
@@ -125,14 +125,14 @@ information mentioned in .
 Things to do post upgrade before rebooting
 
 
-  When apt-get dist-upgrade has finished, the
+  When apt dist-upgrade has finished, the
   formal upgrade is complete.  For the upgrade to
   , there are no special actions needed before
   performing a reboot.
 
 
 
-  When apt-get dist-upgrade has finished, the formal upgrade
+  When apt dist-upgrade has finished, the formal upgrade
   is complete, but there are some other things that should be taken care of
   before the next reboot.
 
diff --git a/en/old-stuff.dbk b/en/old-stuff.dbk
index 89207647..0a53d737 100644
--- a/en/old-stuff.dbk
+++ b/en/old-stuff.dbk
@@ -33,7 +33,7 @@ If any of the lines in your /etc/apt/sources.list
 refer to stable, it effectively
 points to  already. This might not be what you want if
 you are not ready yet for the upgrade.  If you have already run
-apt-get update, you can still get back without
+apt update, you can still get back without
 problems by following the procedure below.
 
 
@@ -75,7 +75,7 @@ to check for yourself if the location they refer to contains an
 If you've made any changes, save the file and execute
 
 
-# apt-get update
+# apt update
 
 
 to refresh the package list.
diff --git a/en/upgrading.dbk b/en/upgrading.dbk
index aa1f0b76..a93378c6 100644
--- a/en/upgrading.dbk
+++ b/en/upgrading.dbk
@@ -303,7 +303,7 @@ instructions in .
   recommended and the text below was mostly already there in 2008.
 
 
-In some cases, the use of apt-get for installing packages
+In some cases, the use of apt for installing packages
 instead of aptitude might make aptitude
 consider a package as unused and schedule it for removal.  In general, you
 should make sure the system is fully up-to-date and clean before proceeding
@@ -371,7 +371,7 @@ essential for the upgrade is on hold, the upgrade will fail.
 
 
 Note that aptitude uses a different method for registering
-packages that are on hold than apt-get and
+packages that are on hold than apt and
 dselect.  You can identify packages on hold for
 aptitude with
 
@@ -380,7 +380,7 @@ packages that are on hold than apt-get and
 
 
 If you want to check which packages you had on hold for
-apt-get, you should use
+apt, you should use
 
 
 # dpkg --get-selections | grep 'hold$'
@@ -391,7 +391,7 @@ epoch in the version, you must put it on hold to prevent it from being
 upgraded.
 
 
-The hold package state for apt-get can be changed using:
+The hold package state for apt can be changed using:
 
 
 # echo package_name hold | dpkg --set-selections
@@ -617,8 +617,15 @@ database.
 Upgrading packages
 
 The recommended way to upgrade from previous  releases is to
-use the package management tool apt-get.
+use the package management tool apt.
 
+
+  
+apt is meant for interactive use, and should not be used
+in scripts. In scripts one should use apt-get, which has
+a stable output better suitable for parsing.
+  
+
 
 Don't forget to mount all needed partitions (notably the root and
 /usr partitions) read-write, with a command like:
@@ -694,7 +701,7 @@ First the list of available packages for the new release needs to be fetched.
 This is done by executing:
 
 
-# apt-get update
+# apt update
 
 
 
@@ -717,12 +724,12 @@ sufficient space you might end up with an incomplete upgrade that is
 difficult to recover from.
 
 
-apt-get can show you detailed information about the disk
+apt can show you detailed information about the disk
 space needed for the installation.  Before executing the upgrade, you can see
 this estimate by running:
 
 
-# apt-get -o APT::Get::Trivial-Only=true dist-upgrade
+# apt -o APT::Get::Trivial-Only=true dist-upgrade
 [ ... ]
 XXX upgraded, XXX newly installed, XXX to remove and XXX not upgraded.
 Need to get xx.xMB of archives. 
@@ -739,7 +746,7 @@ disk space.
 
 
 
-If you do not have enough space for the 

Bug#924691: unblock: potool/0.16-4

[Marcin Owsiany]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package potool

I was not able to upload this update earlier in the freeze cycle, but I
think our users will be better served by having -4 in buster than -3:
- these are rather low risk changes,
- the added autopkgtests means we now actually check whether it does
  work,
- it's a leaf package, so no impact to other packages.

Summary of key changes between 0.16-3 and 0.16-4:
- add a missing depends on sensible-utils
- properly pass all hardening flags (by using a more recent DH compat
  level and dropping explicit *FLAGS variables from debian/rules)

While at it, I also:
- added DEP8 tests
- bumped standards-version
- moved Homepage field to where it belongs
- added vcs-* fields
- bumped copyright years

Src debdiff attached.

unblock potool/0.16-4
diff -Nru potool-0.16/debian/changelog potool-0.16/debian/changelog
--- potool-0.16/debian/changelog	2017-09-24 21:00:55.0 +0200
+++ potool-0.16/debian/changelog	2019-03-04 21:42:07.0 +0100
@@ -1,3 +1,14 @@
+potool (0.16-4) unstable; urgency=medium
+
+  * Bumped debhelper compat level to 9
+  * Bumped Standards-Version, no changes needed
+  * Added Vcs-* headers, moved the Homepage one to the top stanza
+  * Declared a dependency on sensible-utils
+  * Removed explicit setting of *FLAGS, as dh does this more correctly
+  * Enabled all hardening options
+
+ -- Marcin Owsiany   Mon, 04 Mar 2019 21:42:07 +0100
+
 potool (0.16-3) unstable; urgency=medium
 
   * Updated standards-version, no changes needed
diff -Nru potool-0.16/debian/compat potool-0.16/debian/compat
--- potool-0.16/debian/compat	2013-02-27 07:37:29.0 +0100
+++ potool-0.16/debian/compat	2019-03-04 20:13:06.0 +0100
@@ -1 +1 @@
-8
+9
diff -Nru potool-0.16/debian/control potool-0.16/debian/control
--- potool-0.16/debian/control	2017-09-24 21:00:48.0 +0200
+++ potool-0.16/debian/control	2019-03-04 21:42:07.0 +0100
@@ -2,14 +2,16 @@
 Section: utils
 Priority: optional
 Maintainer: Marcin Owsiany 
-Standards-Version: 4.1.0
-Build-Depends: libglib2.0-dev, bison, flex, debhelper (>= 8), rename
+Standards-Version: 4.3.0
+Build-Depends: libglib2.0-dev, bison, flex, debhelper (>> 9), rename
+Vcs-Git: https://github.com/porridge/potool -b debian
+Vcs-Browser: https://github.com/porridge/potool/tree/debian
+Homepage: http://marcin.owsiany.pl/potool-page
 
 Package: potool
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}
+Depends: ${shlibs:Depends}, ${misc:Depends}, sensible-utils
 Breaks: poedit (<< 1.0.3-2)
-Homepage: http://marcin.owsiany.pl/potool-page
 Description: program to aid manipulation of gettext po files
  This package contains the filter program 'potool', as well
  as a few helper scripts:
diff -Nru potool-0.16/debian/copyright potool-0.16/debian/copyright
--- potool-0.16/debian/copyright	2013-02-27 07:37:29.0 +0100
+++ potool-0.16/debian/copyright	2019-03-04 21:15:59.0 +0100
@@ -11,7 +11,7 @@
 
 potool is a program aiding editing of po files
 Copyright (C) 1999-2000 Zbigniew Chyla 
-Copyright (C) 2000-2012 Marcin Owsiany 
+Copyright (C) 2000-2019 Marcin Owsiany 
 
 License information:
 
diff -Nru potool-0.16/debian/rules potool-0.16/debian/rules
--- potool-0.16/debian/rules	2013-02-27 07:37:29.0 +0100
+++ potool-0.16/debian/rules	2019-03-04 21:36:18.0 +0100
@@ -1,10 +1,8 @@
 #!/usr/bin/make -f
-# Copyright 2012 Marcin Owsiany 
+# Copyright 2012,2019 Marcin Owsiany 
 
 export DH_VERBOSE=1
-export CFLAGS   := $(shell dpkg-buildflags --get CFLAGS)
-export CPPFLAGS := $(shell dpkg-buildflags --get CPPFLAGS)
-export LDFLAGS  := $(shell dpkg-buildflags --get LDFLAGS)
+export DEB_BUILD_MAINT_OPTIONS=hardening=+all
 %:
 	dh $@
 
diff -Nru potool-0.16/debian/tests/control potool-0.16/debian/tests/control
--- potool-0.16/debian/tests/control	1970-01-01 01:00:00.0 +0100
+++ potool-0.16/debian/tests/control	2019-03-04 21:13:41.0 +0100
@@ -0,0 +1,2 @@
+Test-Command: test $(potool -n ctxt -n str -n dcmt -n linf -s -fnt debian/tests/data/smoke-test-input.po) -eq 0
+Features: test-name=smoke
diff -Nru potool-0.16/debian/tests/data/smoke-test-input.po potool-0.16/debian/tests/data/smoke-test-input.po
--- potool-0.16/debian/tests/data/smoke-test-input.po	1970-01-01 01:00:00.0 +0100
+++ potool-0.16/debian/tests/data/smoke-test-input.po	2019-03-04 21:12:12.0 +0100
@@ -0,0 +1,25 @@
+# file comment
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: blah 0.0.1\n"
+"Language: pl\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=3; plural=(n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 "
+"|| n%100>=20) ? 1 : 2);\n"
+
+#: src/simple.c:757
+msgid "one"
+msgstr "two"
+
+#: src/a.c:52 src/b.c:69
+#: src/c.c:305
+#, c-format
+msgid ""
+"fo%so \n"
+"\\bar"
+msgstr ""
+"blah\n"
+"\\boom%s"

Bug#924689: linux-image-4.19.0-4-amd64: Many instances of "PKCS#7 signature not signed with a trusted key" printed while booting

[Arjan Opmeer]

Package: src:linux
Version: 4.19.28-1
Severity: normal

Dear Maintainer,

After upgrading from linux-image-4.19.0-3-amd64 to linux-image-4.19.0-4-amd64
booting the kernel now prints a whole host of these messages:

   PKCS#7 signature not signed with a trusted key

ultimately slowing down the entire booting proces. This problem does not
occur when booting the previous 4.19.0-3 kernel.

I noticed this difference in kernel configuration:

   diff -u config-4.19.0-3-amd64 config-4.19.0-4-amd64

   @@ -8252,7 +8252,7 @@
#
CONFIG_MODULE_SIG_KEY=""
CONFIG_SYSTEM_TRUSTED_KEYRING=y
   -CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/test-signing-certs.pem"
   +CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-ca.pem"

Could it be that this new "debian-uefi-ca.pem" is indeed not trusted and the
source of this problem?


Thanks,

Arjan


-- Package-specific info:
** Version:
Linux version 4.19.0-4-amd64 (debian-ker...@lists.debian.org) (gcc version 
8.3.0 (Debian 8.3.0-2)) #1 SMP Debian 4.19.28-1 (2019-03-12)

** Command line:
BOOT_IMAGE=/boot/vmlinuz-4.19.0-4-amd64 
root=UUID=5e2c758e-8075-4033-be8d-07693c5cc6f0 ro acpi_backlight=vendor quiet

** Tainted: E (8192)
 * Unsigned module has been loaded.

** Kernel log:
[   23.425002] [TTM] Zone   dma32: Available graphics memory: 2097152 kiB
[   23.425003] [TTM] Initializing pool allocator
[   23.425016] [TTM] Initializing DMA pool allocator
[   23.425060] [drm] radeon: 512M of VRAM memory ready
[   23.425062] [drm] radeon: 1024M of GTT memory ready.
[   23.425095] [drm] Loading CEDAR Microcode
[   23.451043] PKCS#7 signature not signed with a trusted key
[   23.471056] PKCS#7 signature not signed with a trusted key
[   23.564778] ath: phy0: ASPM enabled: 0x42
[   23.564785] ath: EEPROM regdomain: 0x65
[   23.564786] ath: EEPROM indicates we should expect a direct regpair map
[   23.564791] ath: Country alpha2 being used: 00
[   23.564792] ath: Regpair used: 0x65
[   23.676657] PKCS#7 signature not signed with a trusted key
[   23.684798] ieee80211 phy0: Selected rate control algorithm 'minstrel_ht'
[   23.685510] ieee80211 phy0: Atheros AR9287 Rev:2 mem=0xb260013d, 
irq=17
[   24.186675] radeon :02:00.0: firmware: direct-loading firmware 
radeon/CEDAR_pfp.bin
[   24.486637] radeon :02:00.0: firmware: direct-loading firmware 
radeon/CEDAR_me.bin
[   24.853546] radeon :02:00.0: firmware: direct-loading firmware 
radeon/CEDAR_rlc.bin
[   24.911318] radeon :02:00.0: firmware: direct-loading firmware 
radeon/CEDAR_smc.bin
[   24.911337] [drm] Internal thermal controller with fan control
[   24.945520] [drm] radeon: dpm initialized
[   25.050646] radeon :02:00.0: firmware: direct-loading firmware 
radeon/CYPRESS_uvd.bin
[   25.050740] [drm] GART: num cpu pages 262144, num gpu pages 262144
[   25.053824] [drm] enabling PCIE gen 2 link speeds, disable with 
radeon.pcie_gen2=0
[   25.069221] [drm] PCIE GART of 1024M enabled (table at 0x0014C000).
[   25.069342] radeon :02:00.0: WB enabled
[   25.069350] radeon :02:00.0: fence driver on ring 0 use gpu addr 
0x2c00 and cpu addr 0xccc78879
[   25.069355] radeon :02:00.0: fence driver on ring 3 use gpu addr 
0x2c0c and cpu addr 0x96aee0c2
[   25.069740] radeon :02:00.0: fence driver on ring 5 use gpu addr 
0x0005c418 and cpu addr 0xa1f960b6
[   25.069745] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
[   25.069747] [drm] Driver supports precise vblank timestamp query.
[   25.069750] radeon :02:00.0: radeon: MSI limited to 32-bit
[   25.069840] radeon :02:00.0: radeon: using MSI.
[   25.069883] [drm] radeon: irq initialized.
[   25.086445] [drm] ring test on 0 succeeded in 0 usecs
[   25.086453] [drm] ring test on 3 succeeded in 2 usecs
[   25.273442] [drm] ring test on 5 succeeded in 1 usecs
[   25.273448] [drm] UVD initialized successfully.
[   25.273763] [drm] ib test on ring 0 succeeded in 0 usecs
[   25.273806] [drm] ib test on ring 3 succeeded in 0 usecs
[   25.444809] [drm] ib test on ring 5 succeeded
[   25.506328] [drm] radeon atom DIG backlight initialized
[   25.506335] [drm] Radeon Display Connectors
[   25.506339] [drm] Connector 0:
[   25.506341] [drm]   LVDS-1
[   25.506345] [drm]   DDC: 0x6560 0x6560 0x6564 0x6564 0x6568 0x6568 0x656c 
0x656c
[   25.506346] [drm]   Encoders:
[   25.506348] [drm] LCD1: INTERNAL_UNIPHY
[   25.506350] [drm] Connector 1:
[   25.506352] [drm]   HDMI-A-1
[   25.506354] [drm]   HPD1
[   25.506358] [drm]   DDC: 0x6440 0x6440 0x6444 0x6444 0x6448 0x6448 0x644c 
0x644c
[   25.506359] [drm]   Encoders:
[   25.506361] [drm] DFP1: INTERNAL_UNIPHY1
[   25.506362] [drm] Connector 2:
[   25.506364] [drm]   VGA-1
[   25.506367] [drm]   DDC: 0x6430 0x6430 0x6434 0x6434 0x6438 0x6438 0x643c 
0x643c
[   25.506368] [drm]   Encoders:
[   25.506370] [drm] CRT1: INTERNAL_KLDSCP_DAC1
[   25.796742] PKCS#7 signature not signed with a trusted key
[   25.800172] 

Bug#924688: runit: Supervise path not consistent with dh-runit

[Lorenzo Puliti]

Package: runit
Version: 2.1.2-25helpers1
Severity: normal
Tags: patch

Hi,

I've just find out about #919296, so I realised that runit's update-service
(used in git-daemon maint scripts) is using a different path for supervise
directory.
In the attached patch i'm changing that path to be consistent with the one
used by dh-runit (both service and log).

But also I spot another difference:
a directory inside supervise created by dh-runit has mode 755 while the one
created by runsv (with update-service) has mode 700.
For example:
# ls -l /var/lib/supervise/ | grep elogind
drwx-- 2 root root 4096 Mar 15 19:11 elogind
drwx-- 2 root root 4096 Mar 15 19:11 elogind.log

# ls -l /var/lib/runit/supervise/ | grep getty-tty2
drwxr-xr-x 2 root root 4096 Mar 15 19:11 getty-tty2

With mode 755 both the pid file and the stat file are world readable..
Maybe mode 700 is safer?

Thanks,
Lorenzo


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.20.3-van (SMP w/4 CPU cores; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: runit (via /run/runit.stopit)

Versions of packages runit depends on:
ii  libc6   2.28-8
ii  runit-helper2.8.9
ii  sysuser-helper  1.3.3

Versions of packages runit recommends:
ii  runit-init  2.1.2-25helpers1

runit suggests no packages.

-- Configuration Files:
/etc/runit/3 changed [not included]

-- no debconf information
>From 365ed42d2e6840cd531d534bb94c27d12f7ee39d Mon Sep 17 00:00:00 2001
From: Lorenzo Puliti 
Date: Thu, 14 Mar 2019 22:29:41 +0100
Subject: [PATCH] Change the supervise path in update-service

Change the supervise directory path of update-service
to be consistent with the path used in dh-runit.
---
 debian/contrib/update-service | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/debian/contrib/update-service b/debian/contrib/update-service
index 01d10da..7e72501 100644
--- a/debian/contrib/update-service
+++ b/debian/contrib/update-service
@@ -63,11 +63,11 @@ case "$opt" in
 if test "${svdir#/etc/}" != "$svdir"; then
   if test ! -h "$svdir"/supervise; then
 rm -rf "$svdir"/supervise
-ln -s /var/lib/supervise/"$sv" "$svdir"/supervise
+ln -s /var/lib/runit/supervise/"$sv" "$svdir"/supervise
   fi
   if test -d "$svdir"/log && test ! -h "$svdir"/log/supervise; then
 rm -rf "$svdir"/log/supervise
-ln -s /var/lib/supervise/"$sv".log "$svdir"/log/supervise
+ln -s /var/lib/runit/log/supervise/"$sv" "$svdir"/log/supervise
   fi
 fi
 ln -s "$svdir" "$servicedir"/"$sv"
-- 
2.20.1

Bug#924687: akregator: tabs crash interacting with particular sites

[John Scott]

Package: akregator
Version: 4:18.08.3-2
Severity: important

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

In my case, Akregator crashes when I open web pages
and interact with buttons on them. An example I can
share is Purism's RSS feed, https://puri.sm/feed/

Open a post by an author that has a Twitter account,
like "Lockdown Mode on the Librem 5". Clicking on the
author's Twitter icon near the right crashes Akregator
every time.

To be clear, this bug was present in the previous
upload. I just waited for the fix for #910852 to land
before reporting.

#0  0x702367ff in 
QtWebEngineCore::BrowserContextAdapter::httpUserAgent() const ()
from /lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5
#1  0x702a848f in 
QtWebEngineCore::WebContentsAdapter::initialize(content::SiteInstance*) ()
from /lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5
#2  0x702b1730 in 
QtWebEngineCore::WebContentsDelegateQt::AddNewContents(content::WebContents*, 
content::WebContents*, WindowOpenDisposition, gfx::Rect const&, bool, bool*) () 
from /lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5
#3  0x70d84b25 in content::WebContentsImpl::ShowCreatedWindow(int, int, 
WindowOpenDisposition, gfx::Rect const&, bool) () from 
/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5
#4  0x70ac8f63 in 
content::RenderFrameHostImpl::OnMessageReceived(IPC::Message const&) ()
from /lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5
#5  0x70c65eae in 
content::RenderProcessHostImpl::OnMessageReceived(IPC::Message const&) ()
from /lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5
#6  0x720dc664 in 
IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) ()
from /lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5
#7  0x7181b688 in base::debug::TaskAnnotator::RunTask(char const*, 
base::PendingTask*) ()
from /lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5
#8  0x7183c10a in base::MessageLoop::RunTask(base::PendingTask*) ()
from /lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5
#9  0x7183cbaf in 
base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) ()
from /lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5
#10 0x7183cd48 in base::MessageLoop::DoWork() [clone .part.202] ()
from /lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5
#11 0x7024a58d in QtWebEngineCore::(anonymous 
namespace)::MessagePumpForUIQt::customEvent(QEvent*) ()
from /lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5
#12 0x769f9e0b in QObject::event (this=0x55b31b50, e=) at kernel/qobject.cpp:1232
#13 0x77346491 in QApplicationPrivate::notify_helper 
(this=this@entry=0x55566e80, 
receiver=receiver@entry=0x55b31b50, e=e@entry=0x7fffd800e620) at 
kernel/qapplication.cpp:3726
#14 0x7734dac0 in QApplication::notify (this=0x7fffe020, 
receiver=0x55b31b50, e=0x7fffd800e620)
at kernel/qapplication.cpp:3485
#15 0x769d0479 in QCoreApplication::notifyInternal2 
(receiver=0x55b31b50, event=0x7fffd800e620)
at 
../../include/QtCore/5.11.3/QtCore/private/../../../../../src/corelib/thread/qthread_p.h:307
#16 0x769d346b in QCoreApplication::sendEvent (event=0x7fffd800e620, 
receiver=)
at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:234
#17 QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, 
data=0x55565490)
at kernel/qcoreapplication.cpp:1744
#18 0x76a22a03 in postEventSourceDispatch (s=0x555e1780) at 
kernel/qeventdispatcher_glib.cpp:276
#19 0x7fffee160f2e in g_main_dispatch (context=0x7fffd8004ff0) at 
../../../glib/gmain.c:3182
#20 g_main_context_dispatch (context=context@entry=0x7fffd8004ff0) at 
../../../glib/gmain.c:3847
#21 0x7fffee1611c8 in g_main_context_iterate 
(context=context@entry=0x7fffd8004ff0, block=block@entry=1, 
dispatch=dispatch@entry=1, self=) at ../../../glib/gmain.c:3920
#22 0x7fffee16125c in g_main_context_iteration (context=0x7fffd8004ff0, 
may_block=may_block@entry=1) at ../../../glib/gmain.c:3981
#23 0x76a22033 in QEventDispatcherGlib::processEvents 
(this=0x555e14a0, flags=...) at kernel/qeventdispatcher_glib.cpp:422
#24 0x7fffdfe068d1 in QPAEventDispatcherGlib::processEvents 
(this=0x555e14a0, flags=...) at qeventdispatcher_glib.cpp:69
#25 0x769cf14b in QEventLoop::exec (this=this@entry=0x7fffde80, 
flags=..., flags@entry=...) at 
../../include/QtCore/../../src/corelib/global/qflags.h:140
#26 0x769d72b2 in QCoreApplication::exec () at 
../../include/QtCore/../../src/corelib/global/qflags.h:120
#27 0xcde8 in main (argc=, argv=) at 
./src/main.cpp:122

- -- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND

Bug#924621: [Pkg-openssl-devel] Bug#924621: openssl 1.1.1b-1 make fetchmail unusable

[Sebastian Andrzej Siewior]

On 2019-03-15 11:42:37 [+0900], Atsuhito Kohda wrote:
> A bit precise info:
> I upgraded openssl on both server and local macheines.
> Then the problem happened so, first, I downgraded openssl
> on local machine but the problem remained. So I downgraded
> openssl on server machine then fetchmail worked fine.

Do you have somewhere more information what failed on the fetchmail
side? Is the server using by any chance a small DH key?

> Thanks for your maintenance.
> Best regards, 2019-3-15(Fri)
> 
>   Atsuhito Kohda

Sebastian

Bug#919812: hotspot: FTBFS on hppa - undefined reference

[Dmitry Shachnev]

Hi John!

On Sat, Jan 19, 2019 at 03:26:08PM -0500, John David Anglin wrote:
> Dear Maintainer,
>
> The hotspot build fails on hppa and some other targets:
>
> [...]
> /usr/bin/ld: 
> CMakeFiles/hotspot-perfparser.dir/perfparser/app/perfunwind.cpp.o:
> in function `QDataStream::Version 
> qToLittleEndian(QDataStream::Version)':
> /usr/include/hppa-linux-gnu/qt5/QtCore/qendian.h:168:
> undefined reference to `QDataStream::Version 
> qbswap(QDataStream::Version)'
> collect2: error: ld returned 1 exit status
>
> Probably, the problem is in Qtcore.

I think it is a bug in either hotspot or in the compiler.

Anyway, I think it should be easy to fix it in hotspot. It currently has
this line in src/corelib/serialization/qdatastream.h:

  qint32 dataStreamVersion = 
qToLittleEndian(QDataStream::Qt_DefaultCompiledVersion);

Explicitly casting QDataStream::Qt_DefaultCompiledVersion to an integer type
should make GCC find the right implementation. Try this:

  qint32 dataStreamVersion = 
qToLittleEndian(static_cast(QDataStream::Qt_DefaultCompiledVersion));

--
Dmitry Shachnev


signature.asc
Description: PGP signature

Bug#924686: debian-reference

[sixerjman]

Source: debian-reference
Version: 7.5.2
Severity: normal

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate
***

   * What led up to the situation?
   Trying to access debian-reference from dwww
   * What exactly did you do (or not do) that was effective (or
 ineffective)?
   Click on DR link under the 'Debian' section of dwww
   * What was the outcome of this action?
   dwww denied access to directory /usr/share
   * What outcome did you expect instead?
   DR HTML index

*** End of the template - remove these template lines ***


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Bug#924685: RFP: cumin -- An automation and orchestration framework

[Antoine Beaupre]

Package: wnpp
Severity: wishlist

* Package name: cumin
  Version : 3.0.2
  Upstream Author : Wikimedia foundation
* URL : https://wikitech.wikimedia.org/wiki/Cumin
* License : GPLv3
  Programming Lang: Python
  Description : An automation and orchestration framework

Cumin provides a flexible and scalable automation framework to execute
multiple commands on multiple hosts in parallel.

It allows to easily perform complex selections of hosts through a
user-friendly query language which can interface with different
backend modules and combine their results for a fine grained
selection. The transport layer can also be selected, and can provide
multiple execution strategies. The executed commands outputs are
automatically grouped for an easy-to-read result.

It can be used both via its command line interface (CLI) cumin and as
a Python 3 only library.

---

This is an interesting project that fills a gap between Puppet
configuration management and hand-made batch commands on mutliple
hosts. It allows sysadmins to leverage information stored in multiple
backends to selectively run jobs on subsets of the infrastructure
efficiently.

Upstream (in CC) already ships Debian packages on their Github
releases page, but it would be great to see this in Debian.

I'd be happy to sponsor this package if upstream is willing to act as
maintainers, otherwise I will look at packaging this myself.

Bug#924684: libmp3-info-perl: Unescaped left brace in regex is deprecated

[Martin Schuster]

Package: libmp3-info-perl
Version: 1.24-1.2
Severity: normal

Dear Maintainer,

   * What led up to the situation?

Using get_mp3tag()

   * What was the outcome of this action?

Unescaped left brace in regex is deprecated here (and will be fatal in
Perl 5.32), passed through in regex; marked by <-- HERE in m/^\??({ <--
HERE ([^{}]+)}|.)/ at /usr/share/perl5/MP3/Tag.pm line 2944.
Unescaped left brace in regex is deprecated here (and will be fatal in
Perl 5.32), passed through in regex; marked by <-- HERE in m/^({ <--
HERE [^{}]+}|\w)/ at /usr/share/perl5/MP3/Tag.pm line 2956.


Suggested fix:

--- Tag.pm.orig 2017-07-12 21:25:22.0 +0200
+++ Tag.pm  2019-03-15 21:16:44.760013512 +0100
@@ -2941,7 +2941,7 @@
   local $self->{ms} = int($time * 1000 + 0.5) if defined $time;
   my ($out, %have, $c) = '';
   for my $f (@_) {
-$have{$+}++ if $f =~ /^\??({([^{}]+)}|.)/;
+$have{$+}++ if $f =~ /^\??(\{([^{}]+)\}|.)/;
   }
   for my $f (@_) {
 if (!$c++ and $f =~ /^=>(\w)$/) {
@@ -2953,7 +2953,7 @@
 }
 my $ff = $f;   # Modifiable
 my $opt = ($ff =~ s/^\?//);
-$ff =~ s/^({[^{}]+}|\w)// or die "unexpected time format: <<$f>>";
+$ff =~ s/^(\{[^{}]+\}|\w)// or die "unexpected time format: <<$f>>";
 my ($what, $format) = ($1, '');
 if ($opt) {
   if ($what eq 'H') {


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.20.15-martin (SMP w/12 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)

Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libmp3-info-perl depends on:
ii  libunicode-string-perl  2.10-1+b4
ii  perl5.28.1-4

libmp3-info-perl recommends no packages.

libmp3-info-perl suggests no packages.

-- no debconf information

Bug#924683: binnmus for multiarch coinstallability

[Helmut Grohne]

Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: binnmu

Dear release team,

We don't epxect much churn in unstable anymore, so it is a good time to
cover up for past mistakes in binNMUing Multi-Arch: same packages and
make them coinstallable again. I know that you dislike excessive binNMUs
just to get the versions right, but the last time I asked was before the
release of stretch. It turns out than there are only 7 skewed packages
left. Would you be so kind and binNMU them to make their versions match?

# 61 affected
nmu libxt . amd64 arm64 armel armhf i386 mips64el ppc64el s390x . unstable . -m 
"multiarch sync"
# 32 affected
nmu libxdamage . amd64 arm64 armel armhf i386 mips mipsel ppc64el s390x . 
unstable . -m "multiarch sync"
# 19 affected
nmu rustc . amd64 arm64 armel armhf i386 mips64el ppc64el s390x . unstable . -m 
"multiarch sync"
# 8 affected
nmu libxkbfile . amd64 arm64 armel armhf i386 mips64el ppc64el s390x . unstable 
. -m "multiarch sync"
# 5 affected
nmu libxmu . amd64 arm64 armel armhf i386 mips64el ppc64el s390x . unstable . 
-m "multiarch sync"
# 3 affected
nmu libidl . amd64 arm64 armel armhf i386 mips64el ppc64el s390x . unstable . 
-m "multiarch sync"
# 1 affected
nmu libglu . amd64 arm64 armel armhf i386 mips64el ppc64el s390x . unstable . 
-m "multiarch sync"

I expect this to be my only binNMU request for multiarch syncing during
the buster cycle.

Helmut

Bug#693841: dput: Catch mismatch between Distribution: and the Changes: fields in .changes

[Ben Finney]

Control: found -1 dput/1.0.3

On 22-Nov-2012, Simon McVittie wrote:
> See also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542747
> where I sent a patch to Lintian to check for this mismatch.
> 
> Earlier [in bug#542747], Russ said "there are valid use cases for a
> mismatch [when the Changes distribution isn't UNRELEASED]" but didn't
> elaborate on what those valid use cases were.

In Message-ID: <87d2hslclm@windlord.stanford.edu> (in the BTS at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542747#31>),
Russ elaborates:

> The use case that I was thinking of is not really a Debian use case.
> It's relatively common for people with separate repositories to
> build once and upload multiple times to different distributions if
> the same package can work on multiple distributions and their
> archive software requires that (as debarchiver, for example, did, or
> at least it was the easiest way to make the right thing happen).
>
> That said, one, this is an outside-of-Debian use case, so per
> Lintian's normal design philosophy, we should only take those into
> account if they don't stand in the way of detecting bugs in Debian.
> This clearly would detect bugs in Debian. Also, now that reprepro is
> more widespread and doesn't require this sort of workaround for not
> having simple distribution migration, it's not clear that use case
> is particularly important any more.

I agree, and we can take the same advice here: the Debian version of
DPut can (and, this bug report argues, should) fail a package whose
Distribution field does not match the distribution value in the
Changes field.

-- 
 \  “Software patents provide one more means of controlling access |
  `\  to information. They are the tool of choice for the internet |
_o__) highwayman.” —Anthony Taylor |
Ben Finney 

signature.asc
Description: PGP signature

Bug#853035: fixed in node-liftoff 2.3.0-3

[Chris Lamb]

Chris Lamb wrote:

> > I didn't find other ways to fix these FTBFS than:
> 
> 
> 
> Thank you. However, can I just underline:
> 
> > > If this was the "only" way to fix the problem, that should be
> > > documented in the package and in the changelog, not simply on
> > > this issue.

Another gentle ping on this? This has a "danger" of being closed
without a real/proper resolution, alas.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-

Bug#920824: libunistring: please disable --as-needed

[Bruno Haible]

> Maybe eventually Debian will use --as-needed by default too

In this case, I would suggest to apply the fix that has been done
upstream:
https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=commitdiff;h=cca32830b57e91f837c01d15b8732f23ff97fc36

Bruno

Bug#924680: Test procedure

[Mauricio Oliveira]

Test Procedure with KVM guests + iPXE
=

- 2 guests: iSCSI target/server and iSCSI initiator/client.
- 1 bridge for iSCSI traffic (virbr-iscsi, new), static ip.
- 1 bridge for internet access (virbr0, exists), dhcp ip.
- Release/Installer: Debian Buster Alpha 5 (netinst)


Host:


Configure the iSCSI bridge and QEMU access in the host:

# ip link add dev virbr-iscsi type bridge
# ip link set dev virbr-iscsi up
# echo 'allow virbr-iscsi' >>/etc/qemu/bridge.conf


iSCSI target:


This guest serves an iSCSI target with one LUN
in iSCSI NIC with IP 10.0.0.1 for IP 10.0.0.2.

$ qemu-system-x86_64 \
  -nodefaults \
  -enable-kvm \
  -smp 2 -m 4096 \
  -serial stdio \
  -nographic -vga none \
  -netdev bridge,id=bridge-world,br=virbr0 \
  -netdev bridge,id=bridge-iscsi,br=virbr-iscsi \
  -device 
virtio-net-pci,netdev=bridge-world,id=nic-world,mac=52:54:00:00:00:11
\
  -device 
virtio-net-pci,netdev=bridge-iscsi,id=nic-iscsi,mac=52:54:00:00:00:22
\
  -drive file=debian-iscsi-target.qcow2,if=virtio \
  -drive 
file=debian-buster-DI-alpha5-amd64-netinst.iso,media=cdrom,read-only,if=scsi

# lsb_release -d
Description:Debian GNU/Linux buster/sid

Configure iSCSI NIC:

# cat 
link/ether 52:54:00:00:00:22 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.1/24 brd 10.0.0.255 scope global ens4
...

Configure iSCSI target/lun:

# apt-get install -y tgt

# mkdir /var/lib/iscsi
# dd if=/dev/zero of=/var/lib/iscsi/disk bs=1 count=0 seek=8G

# tgtadm --lld iscsi --op new --mode target --tid 1 -T
iqn.2019-03.com.example:target1
# tgtadm --lld iscsi --op new --mode logicalunit --tid 1 --lun 1
-b /var/lib/iscsi/disk

# tgtadm --lld iscsi --op bind --mode target --tid 1 -I 10.0.0.2
# tgt-admin --dump >/etc/tgt/conf.d/target1.conf



iSCSI initiator:
---

This guest first boots iPXE to configure iBFT,
and then boots/chainloads to debian-installer.

Later we install the patched disk-detect udeb.

(The netboot installer didn't find modules no
matter what, so this uses netinst iso's files)

$ wget http://boot.ipxe.org/ipxe.lkrn
$ cp 
debian-buster-DI-alpha5-amd64-netinst.iso:install.amd/{vmlinuz,initrd.gz}
.

$ python3 -m http.server &
Serving HTTP on 0.0.0.0 port 8000 ...

$ qemu-system-x86_64 \
  -nodefaults \
  -enable-kvm \
  -smp 2 -m 4096 \
  -serial stdio \
  -vga virtio \
  -display vnc=0.0.0.0:1 \
  -netdev bridge,id=bridge-world,br=virbr0 \
  -netdev bridge,id=bridge-iscsi,br=virbr-iscsi \
  -device 
virtio-net-pci,netdev=bridge-world,id=nic-world,mac=52:54:00:00:00:01
\
  -device 
virtio-net-pci,netdev=bridge-iscsi,id=nic-iscsi,mac=52:54:00:00:00:02
\
  -drive 
file=debian-buster-DI-alpha5-amd64-netinst.iso,media=cdrom,read-only,if=scsi
\
  -kernel ipxe.lkrn

Connect to VNC for iPXE shell:

$ vncviewer :1
iPXE <...>


Press Ctrl-B for iPXE command line.
^B

iPXE>

Configure iSCSI NIC:

iPXE> ifopen net1
iPXE> set net1/ip 10.0.0.2
iPXE> set net1/netmask 255.255.255.0

Configure iBFT: (iSCSI portal 10.0.0.1, LUN 1 on target iqn.<...>:target1)

iPXE> sanhook iscsi:10.0.0.1:::1:iqn.2019-03.com.example:target1
Registered SAN device 0x80

Boot the installer
(add option 'disk-detect/ibft/enable=true' for installer
 and option 'iscsi_auto' for system to boot with iBFT):

iPXE> ifopen net0
iPXE> kernel http://192.168.122.1:8000/vmlinuz initrd=initrd.gz
--- console=ttyS0
iPXE> initrd http://192.168.122.1:8000/initrd.gz
iPXE> boot

Back to serial console.
Proceed with the installer.

In 'Users and passwords' dialogs, select 'Go back', and 'Execute a
shell', and 'Continue'.




Bring up the iSCSI devices with iBFT
(manually or with patch in bug 924675)

~ # modprobe iscsi_ibft

~ # iscsistart -N
Setting up software interface ens5

~ # iscsistart -b
iscsistart: Logging into iqn.2019-03.com.example:target1 10.0.0.1:3260,1
iscsistart: can not connect to iSCSI daemon (111)!
iscsistart: version 2.0-874
iscsistart: Connection1:0 to [target:
iqn.2019-03.com.example:target1, portal: 10.0.0.1,3260] through
[iface: default] is operational now

~ # dmesg | grep -e iBFT -e sd
[0.015043] iBFT found at 0x9e520.
[   59.892884] iBFT detected.
[   67.254818] sd 3:0:0:1: Power-on or device reset occurred
[   67.257239] sd 3:0:0:1: [sda] 16777216 512-byte logical blocks:
(8.59 GB/8.00 GiB)
[   67.257242] sd 3:0:0:1: [sda] 4096-byte physical blocks
[   67.257474] sd 3:0:0:1: [sda] Write Protect is off
[   67.257476] sd 3:0:0:1: [sda] Mode Sense: 69 00 10 08
[   67.257886] sd 3:0:0:1: [sda] Write cache: enabled, read cache:
enabled, 

Bug#924680: Support different network interface for iSCSI and option for ISCSI_AUTO=true for iSCSI iBFT

[Mauricio Oliveira]

Package: partman-iscsi
Version: 60
Severity: wishlist
Tags: patch

Hi,

These 2 patches help with the iSCSI iBFT support in installer
(basic support for iBFT in disk-detect posted in bug #924675).

iBFT provides iSCSI configuration in the system firmware tables,
often used for automatic installs, mainly in larger deployments.

It can be made available to userspace with a kernel module, and
used accordingly by the iscsistart tool to configure networking,
iSCSI sessions, that brings up the intended target's iSCSI LUNs.

The network configuration stage can actually set up any network
interface, other than the installer's default/primary interface.


Patch 1 addresses a couple of problems with another interface:
-

Currently, partman-iscsi/finish.d/iscsi_settings assumes that
the default network interface in the installer is used by the
the iSCSI devices.

That is a reasonable assumption, as currently the installer
only configures one, primary network interface (afaik), and
thus it is used for all network traffic, iSCSI included.

However, if another network interface is configured somehow
(e.g., automation scripts, or iSCSI iBFT -- see bug #924675)
and that non-primary/different network interface is used to
provide access to iSCSI LUNs there are currently 2 problems:

1) The HWADDR field in iscsi.initramfs refers to the default
   network interface.

2) The /etc/network/interfaces file is changed to disable DHCP
   on the default network interface so not to disrupt an iSCSI
   connection from the initramfs.
   *But*  if another interface is used for iSCSI, that is not
   protecting the right interface.
   *And worse* the default interface doesn't get DHCP address
   even if it is supposed to (ie, it effectively lost network).

Patch 1 uses 'ip route' to detect which network interface is
used to the iSCSI portal address, or fallback to the default
interface if it can't detect it. That resolves both problems.


Patch 2 adds an option to set ISCSI_AUTO=true in iscsi.initramfs
---

In an iSCSI iBFT scenario, the system is expected to boot with
ISCSI_AUTO=true, but currently the installer doesn't set it up.

Patch 2 adds the 'partman-iscsi/iscsi_auto' preseed option for
doing that, which writes just that line into iscsi.initramfs.

That way, an automated installation (where iBFT is often used)
can just add that option to its preseed file/cmdline for iBFT.



P.S.: I understand the timing may not be good for new features,
but I would really appreciate any feedback about this patch if
at all possible.   Coming in shortly: test procedure.

Thank you,
Mauricio

-- 
Mauricio Faria de Oliveira
From 02ada1e3b0d447de59c3673dc7962581ab07c492 Mon Sep 17 00:00:00 2001
From: Mauricio Faria de Oliveira 
Date: Thu, 7 Mar 2019 17:46:12 -0300
Subject: [PATCH 1/3] Handle non-default interface for iSCSI

Signed-off-by: Mauricio Faria de Oliveira 
---
 finish.d/iscsi_settings | 35 +++
 1 file changed, 27 insertions(+), 8 deletions(-)

diff --git a/finish.d/iscsi_settings b/finish.d/iscsi_settings
index 9e44fdb2b5c1..110a4f2e47b1 100755
--- a/finish.d/iscsi_settings
+++ b/finish.d/iscsi_settings
@@ -15,6 +15,17 @@ get_default_interface () {
 	fi
 }
 
+get_address_interface () {
+	local address="$1"
+	[ -n "$address" ] || return 1
+
+	local dev="$(ip route get "$address" 2>/dev/null | \
+			grep -w dev | tr -s ' ' | cut -d' ' -f3)"
+	[ -d "/sys/class/net/$dev" ] || return 1
+
+	address_interface="$dev"
+}
+
 have_iscsi=
 portal=
 target=
@@ -64,10 +75,21 @@ if [ "$portal" ]; then
 	ip="${portal%%:*}"
 	port="${portal#*:}"
 	mkdir -p /target/etc/iscsi
-	get_default_interface
-	if [ -f "/sys/class/net/$default_interface/address" ]; then
+
+	# The network interface for iSCSI may not be the default interface.
+	# Try to detect it based on iSCSI portal IP address, and prefer it.
+	if get_address_interface "$ip"; then
+		iscsi_interface="$address_interface"
+	elif get_default_interface; then
+		iscsi_interface="$default_interface"
+	else
+		iscsi_interface=""
+	fi
+
+	if [ -n "$iscsi_interface" ] &&
+	   [ -f "/sys/class/net/$iscsi_interface/address" ]; then
 		cat >>/target/etc/iscsi/iscsi.initramfs <>/target/etc/iscsi/iscsi.initramfs 

Bug#924682: apt: strange multi-arch provides/conflicts resolver issue

[Helmut Grohne]

Package: apt
Version: 1.8.0
User: helm...@debian.org
Usertags: rebootstrap
Control: affects -1 + src:slxfig

apt has issues installing cross Build-Depends for slxfig.

Relevant resolver output:
http://crossqa.subdivi.de/build/slxfig_0.2.0%7E.117-2_armel_20190313155756.log
| Starting pkgProblemResolver with broken count: 1
| Starting 2 pkgProblemResolver with broken count: 1
| Investigating (0) sbuild-build-depends-slxfig-dummy:armel < none -> 
0.invalid.0 @un puN Ib >
| Broken sbuild-build-depends-slxfig-dummy:armel Depends on 
slang-histogram:armel < none | 0.3.2a-4 @un uH >
|   Considering slang-histogram:armel 0 as a solution to 
sbuild-build-depends-slxfig-dummy:armel 1
|   Re-Instated slang-histogram:armel
| Investigating (0) libslang2-modules:amd64 < none -> 2.3.2-2 @un uN Ib >
| Broken libslang2-modules:amd64 Conflicts on slang-histogram:armel < none -> 
0.3.2a-4 @un uN >
|   Considering slang-histogram:armel 0 as a solution to 
libslang2-modules:amd64 0
|   MarkKeep libslang2-modules:amd64 < none -> 2.3.2-2 @un uN Ib > FU=0
|   Holding Back libslang2-modules:amd64 rather than change 
slang-histogram:armel
| Investigating (0) slsh:amd64 < none -> 2.3.2-2 @un uN Ib >

slxfig has a Build-Depends on slang-histogram and slsh. slang-histogram
is a real package. slsh is a real Multi-Arch: foreign package that
depends on libslang2-modules. libslang2-modules is Multi-Arch: same and
provides and conflicts slang-histogram.

dose-builddebcheck finds a solution to this problem by choosing
slsh:build, libslang2-modules:build and libslang2-modules:host.

apt fails to find this solution even though it can coinstall
libslang2-modules. It seems that its strong preference for real packages
is posing a problem here.

Thanks to Don, Julian and Johannes for helping me understand this.

We all agreed that this is not a high priority problem. slxfig could
simply drop its dependency on slang-histogram and we should likely
remove slang-histogram from the archive given that it is provided by
libslang2-modules.

Helmut

Bug#924681: slang-histogram should be removed

[Helmut Grohne]

Package: slang-histogram
Version: 0.3.2a-4
Severity: serious
Control: affects -1 + src:slxfig

slang-histogram contains an old version of the histogram module for
slang. A more recent version of it is shipped with libslang2-modules.
Indeed, libslang2-modules provides and conflicts slang-histogram.

It appears that this package is utterly useless now. If this analysis is
wrong in any way, please downgrade the severity immediately. Otherwise,
please ask ftp master to remove the package from unstable.

The presence of this package breaks cross building of slxfig due to an
apt bug (bugnum pending).

Helmut

Bug#924659: ITP: fossology -- FOSSology is an open source license compliance software system and toolkit.

[Moritz Mühlenhoff]

On Fri, Mar 15, 2019 at 08:27:57PM +0530, Gaurav Mishra wrote:
> Package: wnpp
> Severity: wishlist
> Owner: Gaurav Mishra 
> 
>   Package name : fossology
>   Version : 3.4.0
>   Upstream Author : Michael Jaeger 
>   URL : https://www.fossology.org/
>   License : GPL-2.0-only, LGPL-2.1-only
>   Programming Lang: C, C++, PHP
>   Description : FOSSology is an open source license compliance software
> system and toolkit.
> 
>  FOSSology is an open source license compliance software system and
> toolkit. As a toolkit you can run license, copyright and export control
> scans from the command line. As a system, a database and web ui are
> provided to give you a compliance workflow. License, copyright and export
> scanners are tools used in the workflow.
> 
>  - Why is this package useful/relevant?
>- FOSSology is a famous tool used for open source license compliance.
>  We have a large database of users which can be benifited by
>  publishing this as a Debian package.
>  - Do you use it?
>- You can check https://www.fossology.org/ to get a list of compaines
>  and organizations using FOSSology.
>  - How do you plan to maintain it?
>- FOSSology is currently maintained at
>  https://github.com/fossology/fossology. I have created a mirror for
>  the same at https://salsa.debian.org/fossology-team/fossology.
>  - Are you looking for co-maintainers or a sponsor?
>- We are looking for a sponsor to help us publish FOSSology as a
>  Debian package.

Cool! fossology already used to be in Debian until 2012, BTW:
https://packages.qa.debian.org/f/fossology.html

Cheers,
Moritz

Bug#924679: guacamole: Does not start on Tomcat8 with message "Error deploying configuration descriptor"

[Dmitry Katsubo]

Package: guacamole
Version: 0.9.9+dfsg-1

After update from Stretch (Tomcat 8.5.14-1+deb9u3) to Buster (Tomcat 8.5.38-2) 
Guacamole does not deploy anymore:

[2019-03-14 23:42:08] [info] 14-Mar-2019 23:42:05.234 SEVERE 
[localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDescriptor 
Error deploying configuration descriptor 
[/etc/tomcat8/Catalina/localhost/guacamole.xml]
[2019-03-14 23:42:08] [info]  java.lang.IllegalStateException: 
ContainerBase.addChild: start: org.apache.catalina.LifecycleException: Failed 
to start component 
[StandardEngine[Catalina].StandardHost[localhost].StandardContext[/guacamole]][2019-03-14
 23:42:08] [info] #011at 
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:758)
[2019-03-14 23:42:08] [info] #011at 
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:730)
[2019-03-14 23:42:08] [info] #011at 
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:734)
[2019-03-14 23:42:08] [info] #011at 
org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:629)
[2019-03-14 23:42:08] [info] #011at 
org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1839)
[2019-03-14 23:42:08] [info] #011at 
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
[2019-03-14 23:42:08] [info] #011at 
java.util.concurrent.FutureTask.run(FutureTask.java:266)
[2019-03-14 23:42:08] [info] #011at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
...
[2019-03-14 23:42:08] [info] 14-Mar-2019 23:42:05.241 INFO 
[localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDescriptor 
Deployment of configuration descriptor 
[/etc/tomcat8/Catalina/localhost/guacamole.xml] has finished in [690] ms

The problem reports I found ([1], [2]) suggest updating to Guacamole v0.9.14 or 
later (see bug #887465).

[1] 
http://mail-archives.apache.org/mod_mbox/guacamole-user/201808.mbox/%3cCALKeL-Pmqh7VvF=jdw02xcqd3axuta-qachistmosum4mcw...@mail.gmail.com%3e
[2] https://www.mail-archive.com/user@guacamole.apache.org/msg01168.html

-- 
With best regards,
Dmitry

Bug#924659: ITP: fossology -- FOSSology is an open source license compliance software system and toolkit.

[Chris Lamb]

[Adding 924...@bugs.debian.org to CC]

Gaurav Mishra wrote:

> Package: wnpp
> Severity: wishlist
> Owner: Gaurav Mishra 

For debian-devel, this got filed as:

  https://bugs.debian.org/924659

Guarav, just a friendly note to say that you CC'd debian-devel explicitly
when filing this bug instead of using the X-Debbugs-CC mechanism.

See:

  https://www.debian.org/Bugs/Reporting

… specifically the "Sending copies of bug reports to other addresses"
section for the rationale here.


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-

Bug#854889: same on s390x

[David Bremner]

I just encountered what is probably the same bug trying to debootstrap
an ubuntu/s390x chroot.

I: Extracting zlib1g...
I: Running command: chroot /srv/chroot/bionic-s390x /debootstrap/debootstrap 
--second-stage
qemu-s390x-static: /build/qemu-2.8+dfsg/translate-all.c:175: tb_lock: Assertion 
`!have_tb_lock' failed.
Segmentation fault

Bug#924678: libjpeg-turbo: CVE-2018-14498: denial of service in get_8bit_row in rdbmp.c

[Salvatore Bonaccorso]

Source: libjpeg-turbo
Version: 1:1.5.2-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/258

Hi,

The following vulnerability was published for libjpeg-turbo.

CVE-2018-14498[0]:
| get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG
| through 3.3.1 allows attackers to cause a denial of service (heap-based
| buffer over-read and application crash) via a crafted 8-bit BMP in
| which one or more of the color indices is out of range for the number
| of palette entries.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Build with ASAN one sees the issue as

$ ASAN_OPTIONS="detect_leaks=0" ./cjpeg -outfile /dev/null ~/CVE-2018-14498
=
==31997==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x60d000d3 at pc 0x56029bfc9ff7 bp 0x7ffe52f5e400 sp 0x7ffe52f5e3f8
READ of size 1 at 0x60d000d3 thread T0
#0 0x56029bfc9ff6 in get_8bit_row /tmp/libjpeg-turbo-1.5.2/rdbmp.c:145
#1 0x56029bfcaf1b in preload_image /tmp/libjpeg-turbo-1.5.2/rdbmp.c:270
#2 0x56029bfc3c40 in main /tmp/libjpeg-turbo-1.5.2/cjpeg.c:616
#3 0x7f8be200109a in __libc_start_main ../csu/libc-start.c:308
#4 0x56029bfc1359 in _start (/tmp/libjpeg-turbo-1.5.2/.libs/cjpeg+0x5359)

0x60d000d3 is located 12 bytes to the right of 135-byte region 
[0x60d00040,0x60d000c7)
allocated by thread T0 here:
#0 0x7f8be23d6350 in __interceptor_malloc 
(/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9350)
#1 0x7f8be229b437 in jpeg_get_large /tmp/libjpeg-turbo-1.5.2/jmemnobs.c:56
#2 0x7f8be2296e9f in alloc_large /tmp/libjpeg-turbo-1.5.2/jmemmgr.c:393
#3 0x7f8be22971fc in alloc_sarray /tmp/libjpeg-turbo-1.5.2/jmemmgr.c:477
#4 0x56029bfcce5a in start_input_bmp /tmp/libjpeg-turbo-1.5.2/rdbmp.c:401
#5 0x56029bfc3b5d in main /tmp/libjpeg-turbo-1.5.2/cjpeg.c:595
#6 0x7f8be200109a in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow 
/tmp/libjpeg-turbo-1.5.2/rdbmp.c:145 in get_8bit_row
Shadow bytes around the buggy address:
  0x0c1a7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c1a7fff8010: 00 00 00 00 00 00 00 00 07 fa[fa]fa fa fa fa fa
  0x0c1a7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:   00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:   fa
  Freed heap region:   fd
  Stack left redzone:  f1
  Stack mid redzone:   f2
  Stack right redzone: f3
  Stack after return:  f5
  Stack use after scope:   f8
  Global redzone:  f9
  Global init order:   f6
  Poisoned by user:f7
  Container overflow:  fc
  Array cookie:ac
  Intra object redzone:bb
  ASan internal:   fe
  Left alloca redzone: ca
  Right alloca redzone:cb
==31997==ABORTING

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-14498
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14498
[1] https://github.com/libjpeg-turbo/libjpeg-turbo/issues/258

Please adjust the affected versions in the BTS as needed.

Attaching a preliminary backported patch which should apply on top of 1:1.5.2-2
(not yet checked it is fully correct backport).

Regards,
Salvatore
From: DRC 
Date: Fri, 20 Jul 2018 17:21:36 -0500
Subject: cjpeg: Fix OOB read caused by malformed 8-bit BMP
Origin: 
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9c78a04df4e44ef6487eee99c4258397f4fdca55
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-14498
Bug: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/258

... in which one or more of the color indices is out of range for the
number of palette entries.

Fix partly borrowed from jpeg-9c.  This commit also adopts Guido's
JERR_PPM_OUTOFRANGE enum value in lieu of our project-specific
JERR_PPM_TOOLARGE enum value.

Fixes #258
---
 ChangeLog.md |  5 +
 cderror.h|  5 +++--
 rdbmp.c  | 13 -
 rdppm.c  | 12 ++--
 4 files changed, 26 insertions(+), 9 deletions(-)

--- a/cderror.h
+++ b/cderror.h
@@ -49,6 +49,7 @@ JMESSAGE(JERR_BMP_COLORSPACE, "BMP outpu
 JMESSAGE(JERR_BMP_COMPRESSED, "Sorry, compressed BMPs not yet supported")
 

Bug#924670: unblock: augustus/3.3.2+dfsg-2

[Ivo De Decker]

Control: tags -1 moreinfo

Hi,

On Fri, Mar 15, 2019 at 05:22:45PM +0100, Sascha Steinbiss wrote:
> please unblock package augustus.

First of all, the package isn't in unstable, so it can't be unblocked. I guess
it was rejected due to the issue below.

> The only change I have made in the current version in unstable is making
> sure that no hardcoded value for Built-Using is used any more,
> calculating it from the version used at build time instead. I have also
> corrected the name of the respective package referenced by this Built-Using.
> 
> Please find attached a debdiff with my changes.

The built-using field has to refer to the source package, not the binary
package, so the reference to libbam-dev in the Built-Using header is wrong.
A package with a non-existant reference in built-using will be rejected by the
archive.

Please remove the moreinfo tag from this bug once a new version is in unstable.

Thanks,

Ivo

Bug#920492: debian-faq: French documentation translation update

[Holger Wansing]

Jean-Philippe MENGUAL  wrote:
> Please find attached the French translation update, proofread by the
> debian-l10n-french mailing list contributors.
> 
> This file should be put as po4a/po/fr.po in your package build tree.

I have committed the file to GIT.
However the file apparently is not in sync with the English original.

So there is some more update work needed. But I would recommend to not start
with this now, since there seems to be a problem with the process of
updating the po files, which leads to new changings appearing over and over
again. So, to prevent from needless work, I recommend to not work on
translations updates now.
I will keep you informed...


Holger


-- 
Holger Wansing 
PGP-Fingerprint: 496A C6E8 1442 4B34 8508  3529 59F1 87CA 156E B076

Bug#924502: systemd: system.conf is ignore multiplicative suffixes K, M, G, T, P, E.

[Игорь Охрименко]

I tested on these keys:
DefaultLimitNOFILE=
DefaultLimitNPROC=

bash:
systemctl show | grep LimitNO && \
(echo "DefaultLimitNOFILE=1G" & echo "DefaultLimitNPROC=1G") >>
/etc/systemd/system.conf && \
systemctl daemon-reexec && \
systemctl show | grep LimitNO && \
(echo "DefaultLimitNOFILE=1048576" & echo "DefaultLimitNPROC=1048576")
>> /etc/systemd/system.conf && \
systemctl daemon-reexec && \
systemctl show | grep LimitNO

output command:
DefaultLimitNOFILE=4096
DefaultLimitNOFILESoft=1024
DefaultLimitNOFILE=4096
DefaultLimitNOFILESoft=1024
DefaultLimitNOFILE=1048576
DefaultLimitNOFILESoft=1048576

DefaultLimitNPROC=1G and DefaultLimitNOFILE=1G are ignored.

пт, 15 мар. 2019 г. в 01:05, Michael Biebl :
>
> Control: tags -1 + moreinfo
>
> Am 13.03.19 um 18:14 schrieb Igor Ohrimenko:
> > Package: systemd
> > Version: 232-25+deb9u9
> > Severity: important
> >
> > Dear Maintainer, I read man system.conf and found multiplicative suffixes. 
> > I tried to use it, like 1G, but DefaultLimit does not change. I have to use 
> > the long, ugly number 1048576.
>
> which DefaultLimit?
>
> #DefaultLimitCPU=
> #DefaultLimitFSIZE=
> #DefaultLimitDATA=
> #DefaultLimitSTACK=
> #DefaultLimitCORE=
> #DefaultLimitRSS=
> #DefaultLimitNOFILE=
> #DefaultLimitAS=
> #DefaultLimitNPROC=
> #DefaultLimitMEMLOCK=
> #DefaultLimitLOCKS=
> #DefaultLimitSIGPENDING=
> #DefaultLimitMSGQUEUE=
> #DefaultLimitNICE=
> #DefaultLimitRTPRIO=
> #DefaultLimitRTTIME=
>
> --
> Why is it that all of the instruments seeking intelligent life in the
> universe are pointed away from Earth?
>

Bug#924675: Test procedure and syslog

[Mauricio Oliveira]

Test Procedure with KVM guests + iPXE
=

- 2 guests: iSCSI target/server and iSCSI initiator/client.
- 1 bridge for iSCSI traffic (virbr-iscsi, new), static ip.
- 1 bridge for internet access (virbr0, exists), dhcp ip.
- Release/Installer: Debian Buster Alpha 5 (netinst)


Host:


Configure the iSCSI bridge and QEMU access in the host:

# ip link add dev virbr-iscsi type bridge
# ip link set dev virbr-iscsi up
# echo 'allow virbr-iscsi' >>/etc/qemu/bridge.conf


iSCSI target:


This guest serves an iSCSI target with one LUN
in iSCSI NIC with IP 10.0.0.1 for IP 10.0.0.2.

$ qemu-system-x86_64 \
  -nodefaults \
  -enable-kvm \
  -smp 2 -m 4096 \
  -serial stdio \
  -nographic -vga none \
  -netdev bridge,id=bridge-world,br=virbr0 \
  -netdev bridge,id=bridge-iscsi,br=virbr-iscsi \
  -device 
virtio-net-pci,netdev=bridge-world,id=nic-world,mac=52:54:00:00:00:11
\
  -device 
virtio-net-pci,netdev=bridge-iscsi,id=nic-iscsi,mac=52:54:00:00:00:22
\
  -drive file=debian-iscsi-target.qcow2,if=virtio \
  -drive 
file=debian-buster-DI-alpha5-amd64-netinst.iso,media=cdrom,read-only,if=scsi

# lsb_release -d
Description:Debian GNU/Linux buster/sid

Configure iSCSI NIC:

# cat 
link/ether 52:54:00:00:00:22 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.1/24 brd 10.0.0.255 scope global ens4
...

Configure iSCSI target/lun:

# apt-get install -y tgt

# mkdir /var/lib/iscsi
# dd if=/dev/zero of=/var/lib/iscsi/disk bs=1 count=0 seek=4G

# tgtadm --lld iscsi --op new --mode target --tid 1 -T
iqn.2019-03.com.example:target1
# tgtadm --lld iscsi --op new --mode logicalunit --tid 1 --lun 1
-b /var/lib/iscsi/disk

# tgtadm --lld iscsi --op bind --mode target --tid 1 -I 10.0.0.2
# tgt-admin --dump >/etc/tgt/conf.d/target1.conf



iSCSI initiator:
---

This guest first boots iPXE to configure iBFT,
and then boots/chainloads to debian-installer.

Later we install the patched disk-detect udeb.

(The netboot installer didn't find modules no
matter what, so this uses netinst iso's files)

$ wget http://boot.ipxe.org/ipxe.lkrn
$ cp 
debian-buster-DI-alpha5-amd64-netinst.iso:install.amd/{vmlinuz,initrd.gz}
.

$ python3 -m http.server &
Serving HTTP on 0.0.0.0 port 8000 ...

$ qemu-system-x86_64 \
  -nodefaults \
  -enable-kvm \
  -smp 2 -m 4096 \
  -serial stdio \
  -vga virtio \
  -display vnc=0.0.0.0:1 \
  -netdev bridge,id=bridge-world,br=virbr0 \
  -netdev bridge,id=bridge-iscsi,br=virbr-iscsi \
  -device 
virtio-net-pci,netdev=bridge-world,id=nic-world,mac=52:54:00:00:00:01
\
  -device 
virtio-net-pci,netdev=bridge-iscsi,id=nic-iscsi,mac=52:54:00:00:00:02
\
  -drive 
file=debian-buster-DI-alpha5-amd64-netinst.iso,media=cdrom,read-only,if=scsi
\
  -kernel ipxe.lkrn

Connect to VNC for iPXE shell:

$ vncviewer :1
iPXE <...>


Press Ctrl-B for iPXE command line.
^B

iPXE>

Configure iSCSI NIC:

iPXE> ifopen net1
iPXE> set net1/ip 10.0.0.2
iPXE> set net1/netmask 255.255.255.0

Configure iBFT: (iSCSI portal 10.0.0.1, LUN 1 on target iqn.<...>:target1)

iPXE> sanhook iscsi:10.0.0.1:::1:iqn.2019-03.com.example:target1
Registered SAN device 0x80

Boot the installer
(add option 'disk-detect/ibft/enable=true' for installer
 and option 'iscsi_auto' for system to boot with iBFT):

iPXE> ifopen net0
iPXE> kernel http://192.168.122.1:8000/vmlinuz initrd=initrd.gz
disk-detect/ibft/enable=true --- console=ttyS0 iscsi_auto
iPXE> initrd http://192.168.122.1:8000/initrd.gz
iPXE> boot

Back to serial console.
Proceed with the installer.

In 'Users and passwords' dialogs, select 'Go back', and 'Execute a
shell', and 'Continue'.

~ # wget 192.168.122.1:8000/disk-detect_1.136+ibft1_amd64.udeb
~ # udpkg --unpack disk-detect_1.136+ibft1_amd64.udeb

~ # debconf-get disk-detect/ibft/enable
true

(Use this if you need it.)
~ # debconf-set disk-detect/ibft/enable true

Start another installer menu with the new debconf templates/question:

~ # debconf -o d-i /usr/bin/main-menu

Proceed with the installer.

In the 'Partition disks' dialog, the iSCSI LUN should be present:

SCSI4 (0,0,1) (sda) - 4.3 GB IET VIRTUAL-DISK

Proceed with the installer.
System reboots.

Back to VNC console, go again to iPXE shell:

$ vncviewer :1
iPXE <...>


Press Ctrl-B for iPXE command line.
^B

iPXE>

Configure iSCSI NIC:

iPXE> ifopen net1
iPXE> set net1/ip 10.0.0.2
iPXE> set net1/netmask 255.255.255.0

Boot from iSCSI (iSCSI portal 10.0.0.1, LUN 1 on target iqn.<...>:target1)

iPXE> sanboot iscsi:10.0.0.1:::1:iqn.2019-03.com.example:target1
Registered 

Bug#924675: Patch

[Mauricio Oliveira]

Patch attached.

-- 
Mauricio Faria de Oliveira
From f31f72dded8c83ce14d342096773891820698585 Mon Sep 17 00:00:00 2001
From: Mauricio Faria de Oliveira 
Date: Wed, 30 Jan 2019 17:26:59 -0200
Subject: [PATCH] Add iSCSI iBFT support to disk-detect

This patch adds support for iSCSI LUNs configured with
iBFT to disk-detect via 'disk-detect/ibft/enable=true'.

Signed-off-by: Mauricio Faria de Oliveira 
---
 debian/changelog |  9 +
 debian/disk-detect.templates |  6 ++
 disk-detect.sh   | 34 ++
 3 files changed, 49 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index a2884a045aac..01565db69aab 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+hw-detect (1.136+ibft1) unstable; urgency=medium
+
+  * disk-detect.templates: add the option
+'disk-detect/ibft/enable' for preseed.
+  * disk-detect.sh: add support for iSCSI iBFT
+with 'disk-detect/ibft/enable=true' option.
+
+ -- Mauricio Faria de Oliveira   Thu, 07 Mar 2019 15:47:55 -0300
+
 hw-detect (1.136) unstable; urgency=medium
   * Team upload
 
diff --git a/debian/disk-detect.templates b/debian/disk-detect.templates
index e42bfa2f95ae..7d4710680569 100644
--- a/debian/disk-detect.templates
+++ b/debian/disk-detect.templates
@@ -42,3 +42,9 @@ Default: false
 Description: for internal use; can be preseeded
  Check for the presence of multipath devices?
 
+Template: disk-detect/ibft/enable
+Type: boolean
+Default: false
+Description: for internal use; can be preseeded
+ Check for the presence of iSCSI devices with
+ the iSCSI Boot Firmware Table (iBFT)?
diff --git a/disk-detect.sh b/disk-detect.sh
index e97def78afa4..25d4fe807340 100755
--- a/disk-detect.sh
+++ b/disk-detect.sh
@@ -120,10 +120,44 @@ EOF
 	fi
 }
 
+iscsi_ibft_probe() {
+
+	if is_not_loaded iscsi_ibft; then
+		depmod -a >/dev/null 2>&1 || true
+		module_probe iscsi_ibft || true
+	fi
+
+	if ! log-output -t disk-detect iscsistart -f; then
+		logger -t disk-detect "Error: iBFT information not found"
+		return 1
+	fi
+
+	if ! log-output -t disk-detect iscsistart -N; then
+		logger -t disk-detect "Error: iBFT network configuration failed"
+		return 1
+	fi
+
+	if ! log-output -t disk-detect iscsistart -b; then
+		logger -t disk-detect "Error: iBFT login failed"
+		return 1
+	fi
+
+	# Done
+	update-dev --settle
+	logger -t disk-detect "iBFT disk detection finished."
+	return 0
+}
+
 if ! hw-detect disk-detect/detect_progress_title; then
 	log "hw-detect exited nonzero"
 fi
 
+# Activate support for iSCSI iBFT
+db_get disk-detect/ibft/enable
+if [ "$RET" = true ]; then
+	iscsi_ibft_probe || true
+fi
+
 while ! disk_found; do
 	CHOICES=""
 	for mod in $(list_disk_modules | sort); do
-- 
2.17.1

Bug#924563: resolved

[Gabriel]

I re-installed by disconnecting my other hard drive and it worked well.

Bug#924675: Add iSCSI iBFT support to disk-detect

[Mauricio Oliveira]

Package: disk-detect
Version: 1.136
Severity: wishlist
Tags: patch

Hi,

This patch adds support for iSCSI iBFT (iSCSI Boot Firmware Table).

iBFT provides iSCSI configuration in the system firmware tables,
often used for automatic installs, mainly in larger deployments.

It can be made available to userspace with a kernel module, and
used accordingly by the iscsistart tool to configure networking,
iSCSI sessions, that brings up the intended target's iSCSI LUNs.

If the (new) option 'disk-detect/ibft/enable' is set to 'true'
(similarly to other options) disk-detect performs those steps,
and the iSCSI LUNs become available to the installer.

This is done before the check for disks detected (differently
from other options), so that diskless systems with only iSCSI
disks (e.g., guests) do not stall in the detect/retry loop as
there are no other disks.

P.S.: I understand the timing may not be good for new features,
but I would really appreciate any feedback about this patch if
at all possible.  Coming in shortly: test procedure and syslog.

Thank you,
Mauricio

-- 
Mauricio Faria de Oliveira

Bug#924676: pypy: Move namespace files to /usr/share/pypy/ns

[Stefano Rivera]

Package: pypy
Version: 6.0.0+dfsg-4
Severity: important

When namespace support was added in 6.0.0+dfsg-4, we used
/usr/lib/pypy/ns. However dh_pypy is not using that path, it's using
/usr/share/pypy/ns (which matches where it puts pydist files).

See: #920899

Let's sort this out before buster release, so we have an API we can live
with for the future.

SR

Bug#924655: liblivemedia: CVE-2019-9215: invalid memory access in parseAuthorizationHeader

[Sebastian Ramacher]

On 2019-03-15 16:26:25, Hugo Lefeuvre wrote:
> > liblivemedia provides an implementation of the server and client side of
> > RTSP. So, unless a CVE affects the code path used by the RTSP client (as
> > for example used by vlc), I won't spend any time on it.
> 
> Ok, I thought live555 was also known as one of the main free rtsp
> server implementations. Is this actually wrong ?

I don't know, but at least ffmpeg and vlc use alternative RTSP server
implementations.

Cheers

> 
> > Before you start cherry-picking the patches from experimental, I'd
> > suggest to get in contact with the release team to do a proper
> > transition to the new upstream version (maybe even to the 2019.03.xx
> > release that's not yet packaged). Those new release effectively only
> > consists of the fixes for the recent CVEs. (Yes, I know that the freeze
> > already started.)
> 
> Agree. I will look into it if I manage to find time for this.
> 
> thanks
> 
> regards,
> Hugo
> 
> -- 
> Hugo Lefeuvre (hle)|www.owl.eu.com
> RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
> ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C



-- 
Sebastian Ramacher


signature.asc
Description: PGP signature

Bug#924674: ITP: ruby-jaeger-client -- OpenTracing Tracer implementation for Jaeger in Ruby

[Manas Kashyap]

Package: wnpp
Severity: wishlist
Owner: Manas Kashyap 
X-Debbugs-CC: debian-de...@lists.debian.org, debian-r...@lists.debian.org

* Package name: ruby-jaeger-client
  Version : 0.10.0
  Upstream Author : Indrek Juhkam .
* URL : *https://github.com/salemove/jaeger-client-ruby
*
* License : MIT
  Programming Lang: Ruby
Description: OpenTracing Tracer implementation for Jaeger
 This package is Opentracing Tracer implementaion in Ruby for Jaeger
 In order to understand this implementation, one must first be familiar with
 the OpenTracing API and terminology.
 .
 With this package the user can easily use this implementation of
Opentracing
 API using keywords like .global_tracer , .start_active_span .

Bug#924092: open-infrastructure-container-tools: leaves alternatives after purge: /usr/share/open-infrastructure/container/scripts/default

[Daniel Baumann]

tag 924092 + pending
thanks

Hi Andreas,

thanks! unfortunately, I didn't got around to it this week, but have
other changes pending and will upload new packages tomorrow (and ask for
unblocks accordingly).

Regards,
Daniel

Bug#924673: libopencsd0:amd64: New flag needed to compile CoreSight support in the perf tools

[Mathieu Poirier]

Package: libopencsd0
Severity: normal

Dear Maintainer,

Starting with the 5.1 Linux kernel cycle it is mandatory to add the command line
option "CORESIGHT=1" to enable CoreSight support when compiling the perf tools.

Before kernel 5.1:

$ make -C tools/perf 

For kernel 5.1 and after:

$ make -C tools/perf CORESIGHT=1

Nothing else has changed.

Many thanks for looking into this.

Mathieu


-- System Information:
Debian Release: buster/sid
  APT prefers bionic-updates
  APT policy: (500, 'bionic-updates'), (500, 'bionic-security'), (500, 
'bionic'), (100, 'bionic-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-45-generic (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Bug#924664: ejabberd: node migration broken

[Anton Ivanov]

On 15/03/2019 16:17, Philipp Huebner wrote:

Hi there,


Can't restore backup from "/var/lib/ejabberd/restore.erl" at node 
'ejabb...@jabber.kot-begemot.co.uk': Table config does not exist.

The backup is taken off an up-to-date stretch and is being restored on an
up-to-date stretch.

this could be caused by a number of different issues,
please state the full commands you have been using as well as the user
you have been issuing them as.

Kind regards,


On original host (smaug):

ejabberdctl backup ejabberd.backup

On new host (jabber is a cname to jain):

ejabberdctl mnesia-change-nodename ejabberd@smaug 
ejabb...@jabber.kot-begemot.co.uk ejabberd.backup ejabberd.restore


root@jain:/var/lib/ejabberd# ejabberdctl restore restore.erl
Can't restore backup from "/var/lib/ejabberd/restore.erl" at node 
'ejabb...@jabber.kot-begemot.co.uk': Table config does not exist.


--
Anton R. Ivanov
https://www.kot-begemot.co.uk/

Bug#924663: ejabberd: default apparmour profile broken

[Anton Ivanov]

On 15/03/2019 16:15, Philipp Huebner wrote:

Hi there,

AFAIK apparmor is not enabled by default on Debian Stretch,


I built a machine from scratch without touching any defaults and the 
apparmor is on. I can try retracing what got it enabled, but it got 
enabled by something in the default build, not by me manually.



but even if it is, it's both apparmor's and systemd's job to make sure
that ejabberd can not just read/write arbitrary files.

So please state the exact commands and paths you were trying to use as
well as the error messages you got in response.


ejabberdctl restore restore.erl

with the original apparmour profile results in a core dump

Changing su to rx as in the profile attached to the bug report makes the 
command execute, but it fails on the other bug I filed.


Everything is being executed as root.



Regards,



--
Anton R. Ivanov
https://www.kot-begemot.co.uk/

Bug#924672: unblock: wpa/2:2.7+git20190128+0c1e29f-3

[Andrej Shadura]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Please unblock package wpa.

This upload fixes two issues:

* #924666: warning is printed using a function defined in a file sourced
  a few lines later, resulting in an error when a configuration file
  has not yet been created — or has been already deleted (e.g. when
  purging).
* #924632: OpenSSL backend in 2.7 and later breaks engine support when
  linking against OpenSSL 1.1.

unblock wpa/2:2.7+git20190128+0c1e29f-3

-BEGIN PGP SIGNATURE-

iQFIBAEBCAAyFiEEeuS9ZL8A0js0NGiOXkCM2RzYOdIFAlyL2FsUHGFuZHJld3No
QGRlYmlhbi5vcmcACgkQXkCM2RzYOdKCEAgAwoV+f4jhHeGdsc4Nu1NY+QBRrfg2
j3pnMsGQ41oX51nx+Xk2piemt+gOcsIq8imnyI2F7RvIETOZOXaWqLIZwKO4+Yzs
7+LY0B3NCRHCZxM/IJC8QJbNmuROXreL9zgwSIveUctGiNhMfCt6LJn/LRIJLC61
/3rorLlP1WK6nnzIz/6jisqENufOFZ1un7Q9ELvk0KRUgLVzYkckDCSnjms/pQPq
gDomSfdrUnZWs4D6AQbgvMKVL33DtwO1cARczecVuypbpc+mwU1T/GeqVBs4H13N
yzFQ7gq9pZ2/fNYrBoL0GkPAKrZGS2+jtjCk4gy0SS6ETsl2Fjn9UsYp6g==
=JzmJ
-END PGP SIGNATURE-
diff --git a/debian/changelog b/debian/changelog
index 1d8177e..7530d0d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+wpa (2:2.7+git20190128+0c1e29f-3) unstable; urgency=medium
+
+  * Print the warning and exit after sourcing /lib/lsb/init-functions
+(Closes: #924666).
+  * Recognise multiple configs in DAEMON_CONF and verify them all.
+  * Fix ENGINE support with OpenSSL 1.1+ (Closes: #924632).
+
+ -- Andrej Shadura   Fri, 15 Mar 2019 17:44:51 +0100
+
 wpa (2:2.7+git20190128+0c1e29f-2) unstable; urgency=medium
 
   * Apply an RFC patch to work around big endian keyidx.
diff --git a/debian/hostapd.init b/debian/hostapd.init
index 6151f22..0d2e970 100644
--- a/debian/hostapd.init
+++ b/debian/hostapd.init
@@ -25,21 +25,24 @@ PIDFILE=/run/hostapd.pid
 [ -s "$DAEMON_DEFS" ] && . /etc/default/hostapd
 [ -n "$DAEMON_CONF" ] || exit 0
 
-if [ ! -r "$DAEMON_CONF" ]
-then
-log_action_msg "No hostapd config found, not starting hostapd."
-exit 0
-fi
-
 DAEMON_OPTS="-B -P $PIDFILE $DAEMON_OPTS $DAEMON_CONF"
 
 . /lib/lsb/init-functions
 
+for conf in $DAEMON_CONF
+do
+if [ ! -r "$conf" ]
+then
+log_action_msg "hostapd config $conf not found, not starting hostapd."
+exit 0
+fi
+done
+
 case "$1" in
   start)
if [ "$DAEMON_CONF" != /etc/hostapd/hostapd.conf ]
then
-   log_warning_msg "hostapd config not in 
/etc/hostapd/hostapd.conf -- read /usr/share/doc/hostapd/NEWS.Debian.gz"
+   log_warning_msg "hostapd config not in 
/etc/hostapd/hostapd.conf -- please read /usr/share/doc/hostapd/NEWS.Debian.gz"
fi
log_daemon_msg "Starting $DESC" "$NAME"
start-stop-daemon --start --oknodo --quiet --exec "$DAEMON_SBIN" \
diff --git a/debian/patches/fix-ENGINE-support-with-openssl-1.1.patch 
b/debian/patches/fix-ENGINE-support-with-openssl-1.1.patch
new file mode 100644
index 000..ba671a0
--- /dev/null
+++ b/debian/patches/fix-ENGINE-support-with-openssl-1.1.patch
@@ -0,0 +1,36 @@
+From: David Woodhouse 
+Date: Thu, 14 Mar 2019 at 18:25
+Subject: [PATCH v2] Fix ENGINE support with OpenSSL 1.1+
+To: Rosen Penev 
+Cc: 
+
+
+Commit 373c7969485 ("OpenSSL: Fix compile with OpenSSL 1.1.0 and
+deprecated APIs") removed a call to ENGINE_load_dynamic() for newer
+versions of OpenSSL, asserting that it should happen automatically.
+
+That appears not to be the case, and loading engines now fails because
+the dynamic engine isn't present.
+
+Fix it by calling ENGINE_load_builtin_engines(), which works for all
+versions of OpenSSL. Also remove the call to ERR_load_ENGINE_strings()
+because that should have happened when SSL_load_error_strings() is
+called anyway.
+
+Signed-off-by: David Woodhouse 
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 705fa29a3..ee7ed7c9b 100644
+@@ -1034,10 +1034,7 @@ void * tls_init(const struct tls_config *conf)
+
+ #ifndef OPENSSL_NO_ENGINE
+   wpa_printf(MSG_DEBUG, "ENGINE: Loading dynamic engine");
+-#if OPENSSL_VERSION_NUMBER < 0x1010L
+-  ERR_load_ENGINE_strings();
+-  ENGINE_load_dynamic();
+-#endif /* OPENSSL_VERSION_NUMBER */
++  ENGINE_load_builtin_engines();
+
+   if (conf &&
+   (conf->opensc_engine_path || conf->pkcs11_engine_path ||
+
diff --git a/debian/patches/series b/debian/patches/series
index 089a1c5..4aee4ed 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@ networkd-driver-fallback.patch
 wpa_supplicant_fix-dependency-odering-when-invoked-with-dbus.patch
 allow-tlsv1.patch
 PMF-Allow-Key-ID-in-BE-format.patch
+fix-ENGINE-support-with-openssl-1.1.patch

Bug#892246: package page contains invalid URL

[Holger Wansing]

Control: tags -1 + pending


annadane  wrote:
> On https://packages.debian.org/sid/doc-debian the "All of these files are 
> available at fttp://ftp.debian.org/debian/doc/" text is an invalid url. 
> This is solved by chanting it to http://ftp.debian.org/debian/doc/

This has been partly fixed in version 9.0, and now really in GIT, as
mentioned in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892244#38


Tagging this bugs (two duplicate bugs!) as pending.



Holger


-- 
Holger Wansing 
PGP-Fingerprint: 496A C6E8 1442 4B34 8508  3529 59F1 87CA 156E B076

Bug#924664: ejabberd: node migration broken

[Anton Ivanov]

On 15/03/2019 16:35, Philipp Huebner wrote:

On original host (smaug):

ejabberdctl backup ejabberd.backup

On new host (jabber is a cname to jain):

ejabberdctl mnesia-change-nodename ejabberd@smaug
ejabb...@jabber.kot-begemot.co.uk ejabberd.backup ejabberd.restore

root@jain:/var/lib/ejabberd# ejabberdctl restore restore.erl

^^^


Can't restore backup from "/var/lib/ejabberd/restore.erl" at node
'ejabb...@jabber.kot-begemot.co.uk': Table config does not exist.


Shouldn't 'restore.erl' be 'ejabberd.restore' or did you rename the file
somewhere in between?


I did. Mea culpa. Cut-n-pasting from history.

All files exist, retried several times with files both in /tmp/ and in 
/var/lib/jabberd/ no difference in either case. It failes with "Table 
config" message.







--
Anton R. Ivanov
https://www.kot-begemot.co.uk/

Bug#924664: ejabberd: node migration broken

[Philipp Huebner]

> On original host (smaug):
> 
> ejabberdctl backup ejabberd.backup
> 
> On new host (jabber is a cname to jain):
> 
> ejabberdctl mnesia-change-nodename ejabberd@smaug
> ejabb...@jabber.kot-begemot.co.uk ejabberd.backup ejabberd.restore
> 
> root@jain:/var/lib/ejabberd# ejabberdctl restore restore.erl
   ^^^

> Can't restore backup from "/var/lib/ejabberd/restore.erl" at node
> 'ejabb...@jabber.kot-begemot.co.uk': Table config does not exist.


Shouldn't 'restore.erl' be 'ejabberd.restore' or did you rename the file
somewhere in between?



signature.asc
Description: OpenPGP digital signature

Bug#924583: razor.cloudmark.com service no longer available?

[Francois Marier]

I tried to re-initialize my razor config and found that there are no
available servers anymore:

# sudo -u debian-spamd razor-admin -d -register
 Razor-Log: Computed razorhome from env: /var/lib/spamassassin/.razor
 Razor-Log: Found razorhome: /var/lib/spamassassin/.razor
 Razor-Log: No /var/lib/spamassassin/.razor/razor-agent.conf found, skipping.
 Razor-Log: read_file: 2 items read from /etc/razor/razor-agent.conf
mar 15 09:17:27.054097 admin[21405]: [ 2] [bootup] Logging initiated 
LogDebugLevel=9 to stdout
mar 15 09:17:27.054204 admin[21405]: [ 5] computed 
razorhome=/var/lib/spamassassin/.razor, conf=/etc/razor/razor-agent.conf, 
ident=/var/lib/spamassassin/.razor/identity
mar 15 09:17:27.054234 admin[21405]: [ 2]  Razor-Agents v2.84 starting 
razor-admin -d -register
mar 15 09:17:27.054286 admin[21405]: [ 5] Can't read file 
/var/lib/spamassassin/.razor/servers.discovery.lst: No such file or directory
mar 15 09:17:27.054324 admin[21405]: [ 5] Can't read file 
/var/lib/spamassassin/.razor/servers.nomination.lst: No such file or directory
mar 15 09:17:27.054360 admin[21405]: [ 5] Can't read file 
/var/lib/spamassassin/.razor/servers.catalogue.lst: No such file or directory
mar 15 09:17:27.054447 admin[21405]: [ 5] no listfile: 
/var/lib/spamassassin/.razor/servers.nomination.lst
mar 15 09:17:27.054483 admin[21405]: [ 6] no discovery listfile: 
/var/lib/spamassassin/.razor/servers.discovery.lst
mar 15 09:17:27.054516 admin[21405]: [ 8] Checking with Razor Discovery Server 
discovery.razor.cloudmark.com
mar 15 09:17:27.054550 admin[21405]: [ 6] No port specified, using 2703
mar 15 09:17:27.054573 admin[21405]: [ 5] Connecting to 
discovery.razor.cloudmark.com ...
mar 15 09:17:27.183271 admin[21405]: [ 8] Connection established
mar 15 09:17:27.183658 admin[21405]: [ 4] discovery.razor.cloudmark.com >> 25 
server greeting: sn=C=43861=l=cg
mar 15 09:17:27.183907 admin[21405]: [ 4] discovery.razor.cloudmark.com << 12
mar 15 09:17:27.184024 admin[21405]: [ 6] a=g=csl
mar 15 09:17:27.257879 admin[21405]: [ 4] discovery.razor.cloudmark.com >> 9
mar 15 09:17:27.258087 admin[21405]: [ 6] response to sent.1
err=240
mar 15 09:17:27.258328 admin[21405]: [ 5] Razor Discovery Server 
discovery.razor.cloudmark.com had no valid csl servers
mar 15 09:17:27.258519 admin[21405]: [ 4] discovery.razor.cloudmark.com << 12
mar 15 09:17:27.258634 admin[21405]: [ 6] a=g=nsl
mar 15 09:17:27.322748 admin[21405]: [ 4] discovery.razor.cloudmark.com >> 9
mar 15 09:17:27.322955 admin[21405]: [ 6] response to sent.2
err=240
mar 15 09:17:27.323186 admin[21405]: [ 5] Razor Discovery Server 
discovery.razor.cloudmark.com had no valid nsl servers
mar 15 09:17:27.323318 admin[21405]: [ 5] Couldn't talk to discovery servers.  
Will force a bootstrap...
mar 15 09:17:27.323632 admin[21405]: [ 6] no discovery listfile: 
/var/lib/spamassassin/.razor/servers.discovery.lst
mar 15 09:17:27.323812 admin[21405]: [ 5] no listfile: 
/var/lib/spamassassin/.razor/servers.nomination.lst
mar 15 09:17:27.323939 admin[21405]: [ 6] no discovery listfile: 
/var/lib/spamassassin/.razor/servers.discovery.lst
mar 15 09:17:27.324065 admin[21405]: [ 8] Checking with Razor Discovery Server 
discovery.razor.cloudmark.com
mar 15 09:17:27.324266 admin[21405]: [ 4] discovery.razor.cloudmark.com << 12
mar 15 09:17:27.324375 admin[21405]: [ 6] a=g=csl
mar 15 09:17:27.389030 admin[21405]: [ 4] discovery.razor.cloudmark.com >> 9
mar 15 09:17:27.389239 admin[21405]: [ 6] response to sent.3
err=240
mar 15 09:17:27.389501 admin[21405]: [ 5] Razor Discovery Server 
discovery.razor.cloudmark.com had no valid csl servers
mar 15 09:17:27.389690 admin[21405]: [ 4] discovery.razor.cloudmark.com << 12
mar 15 09:17:27.389804 admin[21405]: [ 6] a=g=nsl
mar 15 09:17:27.453982 admin[21405]: [ 4] discovery.razor.cloudmark.com >> 9
mar 15 09:17:27.454193 admin[21405]: [ 6] response to sent.4
err=240
mar 15 09:17:27.454477 admin[21405]: [ 5] Razor Discovery Server 
discovery.razor.cloudmark.com had no valid nsl servers
mar 15 09:17:27.454717 admin[21405]: [ 1] razor-admin error: nextserver: 
Bootstrap discovery failed. Giving up.
nextserver: Bootstrap discovery failed. Giving up.

Has this service shutdown? Are there alternative servers that can be used?

Incidentally, I have noticed a much lower average spam score on the emails I
run through SpamAssassin now. It seems like razor had a big impact.

Francois

-- 
https://fmarier.org/

Bug#924670: unblock: augustus/3.3.2+dfsg-2

[Sascha Steinbiss]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear release team,

please unblock package augustus.
The only change I have made in the current version in unstable is making
sure that no hardcoded value for Built-Using is used any more,
calculating it from the version used at build time instead. I have also
corrected the name of the respective package referenced by this Built-Using.

Please find attached a debdiff with my changes.

unblock augustus/3.3.2+dfsg-2

Many thanks
Sascha
diff -Nru augustus-3.3.2+dfsg/debian/changelog 
augustus-3.3.2+dfsg/debian/changelog
--- augustus-3.3.2+dfsg/debian/changelog2018-10-06 14:24:12.0 
+0200
+++ augustus-3.3.2+dfsg/debian/changelog2019-03-15 17:11:10.0 
+0100
@@ -1,3 +1,10 @@
+augustus (3.3.2+dfsg-2) unstable; urgency=medium
+
+  * Use dynamic Built-Using in d/control.
+Closes: #924359
+
+ -- Sascha Steinbiss   Fri, 15 Mar 2019 17:11:10 +0100
+
 augustus (3.3.2+dfsg-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru augustus-3.3.2+dfsg/debian/control augustus-3.3.2+dfsg/debian/control
--- augustus-3.3.2+dfsg/debian/control  2018-10-06 14:24:12.0 +0200
+++ augustus-3.3.2+dfsg/debian/control  2019-03-13 16:48:17.0 +0100
@@ -28,7 +28,7 @@
 Depends: ${shlibs:Depends},
  ${misc:Depends},
  augustus-data
-Built-Using: samtools-legacy (= 0.1.19-2)
+Built-Using: libbam-dev (= ${libbam-dev:Version})
 Description: gene prediction in eukaryotic genomes
  AUGUSTUS is a software for gene prediction in eukaryotic genomic sequences
  that is based on a generalized hidden Markov model (HMM), a probabilistic
diff -Nru augustus-3.3.2+dfsg/debian/rules augustus-3.3.2+dfsg/debian/rules
--- augustus-3.3.2+dfsg/debian/rules2018-10-06 14:24:12.0 +0200
+++ augustus-3.3.2+dfsg/debian/rules2019-03-13 17:04:28.0 +0100
@@ -3,6 +3,7 @@
 export DEB_BUILD_MAINT_OPTIONS = hardening=+all
 export TOOLDIR = /usr/include
 export AUGUSTUS_CONFIG_PATH=$(CURDIR)/config
+export LIBBAM_PKG_VERSION=$(shell apt-cache policy libbam-dev | grep Installed 
| cut -f2 -d: | cut -c2-)
 .PHONY: bam2hints homGeneMapping checkTargetSortedness joingenes
 
 %:
@@ -45,6 +46,7 @@
$(MAKE) -C auxprogs/compileSpliceCands clean
$(MAKE) -C auxprogs/filterBam clean
rm -rf bin
+   rm -f debian/*substvars
 
 override_dh_auto_build: aln2wig bam2hints bam2wig checkTargetSortedness 
compileSpliceCands filterBam homGeneMapping joingenes
dh_auto_build
@@ -85,3 +87,7 @@
 
 override_dh_compress:
dh_compress -Xtutorial
+
+override_dh_gencontrol:
+   echo "libbam-dev:Version=$(LIBBAM_PKG_VERSION)" >> 
debian/augustus.substvars
+   dh_gencontrol

Bug#909715: glam2: Please provide autopkgtest

[Michael Crusoe]

Dear Saira,

A pull request on salsa would be great! We can also add you to the team as
well; if you request membership through the salsa interface.

Cheers and thanks,

--
Michael R. Crusoe
Co-founder & Lead,
Common Workflow Language project
https://impactstory.org/u/-0002-2961-9670
m...@commonwl.org

On Fri, Mar 15, 2019, 16:30 Saira Hussain  wrote:

> On Thu, 27 Sep 2018 08:08:54 +0200 Andreas Tille  wrote:
> > Package: glam2
> > Severity: minor
> > Tags: newcomer
> >
> > Please provide autopkgtest for this package.
> Hi, I am Saira and I want to apply for the current Outreachy.
>
> I just wrote autopkgtest by adding the folder including some basic tests.
> I would like to submit this file. What is the best way?
> Should I send a patch here or can you add me to the salsa-debian-med?
>
> Best
> S.H.
> >
> > -- System Information:
> > Debian Release: 9.5
> > APT prefers stable-updates
> > APT policy: (500, 'stable-updates'), (500, 'stable')
> > Architecture: amd64 (x86_64)
> >
> > Kernel: Linux 4.9.0-6-amd64 (SMP w/1 CPU core)
> > Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
> LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
> > Shell: /bin/sh linked to /bin/dash
> > Init: systemd (via /run/systemd/system)
> >
> > Versions of packages glam2 depends on:
> > ii libc6 2.24-11+deb9u3
> > pn libfftw3-double3 
> >
> > glam2 recommends no packages.
> >
> > glam2 suggests no packages.
> >
> >
>
>
>

Bug#924671: unblock: skimage/0.14.2-2

[Ole Streicher]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package skimage.

The package fixes the important bug #924606, "skimage: autopkgtest needs
update for new version of python-scipy: ValueError: No warning raised
matching: matrix subclass". The debdiff is attached. The package
currently fails on the testing CI, because it is still tested against
the old python-scipy (which was the cause of the bug). Once python-scipy
migrated, the test will succeed (see result in unstable).

unblock skimage/0.14.2-2

Best regards

Ole

diff -Nru skimage-0.14.2/debian/changelog skimage-0.14.2/debian/changelog
--- skimage-0.14.2/debian/changelog 2019-02-08 20:32:08.0 +0100
+++ skimage-0.14.2/debian/changelog 2019-03-14 22:58:01.0 +0100
@@ -1,3 +1,10 @@
+skimage (0.14.2-2) unstable; urgency=medium
+
+  * Team upload
+  * Disable numpy matrix deprecation warnings (Closes: #924606)
+
+ -- Ole Streicher   Thu, 14 Mar 2019 22:58:01 +0100
+
 skimage (0.14.2-1) unstable; urgency=medium
 
   * Team upload
diff -Nru skimage-0.14.2/debian/patches/no-numpy-warnings.patch 
skimage-0.14.2/debian/patches/no-numpy-warnings.patch
--- skimage-0.14.2/debian/patches/no-numpy-warnings.patch   1970-01-01 
01:00:00.0 +0100
+++ skimage-0.14.2/debian/patches/no-numpy-warnings.patch   2019-03-14 
22:56:59.0 +0100
@@ -0,0 +1,23 @@
+From: Ole Streicher 
+Date: Thu, 14 Mar 2019 22:53:56 +0100
+Subject: Disable numpy matrix deprecation warnings
+
+Numpy matrix deprecation warnings are disabled by python-scipy 1.1.0-4,
+so we shall make sure that the tests don't fail then.
+
+Closes: #924606
+
+--- a/skimage/segmentation/tests/test_random_walker.py
 b/skimage/segmentation/tests/test_random_walker.py
+@@ -15,10 +15,7 @@
+ PYAMG_MISSING_WARNING = r'pyamg|\A\Z'
+ PYAMG_OR_SCIPY_WARNING = SCIPY_RANK_WARNING + '|' + PYAMG_MISSING_WARNING
+ 
+-if (Version(np.__version__) >= '1.15.0'):
+-NUMPY_MATRIX_WARNING = 'matrix subclass'
+-else:
+-NUMPY_MATRIX_WARNING = None
++NUMPY_MATRIX_WARNING = None
+ 
+ 
+ def make_2d_syntheticdata(lx, ly=None):
diff -Nru skimage-0.14.2/debian/patches/series 
skimage-0.14.2/debian/patches/series
--- skimage-0.14.2/debian/patches/series2019-02-08 20:32:08.0 
+0100
+++ skimage-0.14.2/debian/patches/series2019-03-14 22:49:00.0 
+0100
@@ -5,3 +5,4 @@
 Allow-warnings-on-dask.patch
 Don-t-download-intersphinx-mapping.patch
 fix-wrong-condition-on-prebuilt-c-files.patch
+no-numpy-warnings.patch

Bug#924401: base-files fails postinst when base-passwd is unpacked

[Santiago Vila]

On Fri, Mar 15, 2019 at 04:51:11PM +0100, Helmut Grohne wrote:

>  Since dpkg will not prevent upgrading of other packages while an
>  ``essential`` package is in an unconfigured state, all ``essential``
>  packages must supply all of their core functionality even when
> -unconfigured. If the package cannot satisfy this requirement it must not
> +unconfigured after being configured at least once.
> +If the package cannot satisfy this requirement it must not
>  be tagged as essential, and any packages depending on this package must
>  instead have explicit dependency fields as appropriate.

More to the point: Packages that may have the "awk" role, which is
considered both essential and virtual, will definitely never work
until configured for the first time, because /usr/bin/awk is handled
by the alternatives mechanism, which runs in the postinst.

In other words, your proposed patch seems completely ok to me, as it
represents (what I think it has always been) Debian Policy accurately.

Thanks.

Bug#924664: ejabberd: node migration broken

[Philipp Huebner]

Hi there,

> Can't restore backup from "/var/lib/ejabberd/restore.erl" at node 
> 'ejabb...@jabber.kot-begemot.co.uk': Table config does not exist.
> 
> The backup is taken off an up-to-date stretch and is being restored on an
> up-to-date stretch.

this could be caused by a number of different issues,
please state the full commands you have been using as well as the user
you have been issuing them as.

Kind regards,
-- 
 .''`.   Philipp Huebner 
: :'  :  pgp fp: 6719 25C5 B8CD E74A 5225  3DF9 E5CA 8C49 25E4 205F
`. `'`
  `-



signature.asc
Description: OpenPGP digital signature

Bug#924663: ejabberd: default apparmour profile broken

[Philipp Huebner]

Hi there,

AFAIK apparmor is not enabled by default on Debian Stretch,
but even if it is, it's both apparmor's and systemd's job to make sure
that ejabberd can not just read/write arbitrary files.

So please state the exact commands and paths you were trying to use as
well as the error messages you got in response.

Regards,
-- 
 .''`.   Philipp Huebner 
: :'  :  pgp fp: 6719 25C5 B8CD E74A 5225  3DF9 E5CA 8C49 25E4 205F
`. `'`
  `-



signature.asc
Description: OpenPGP digital signature

Bug#886955: gedit: gedit does not share clipboard with other applications, such as google chrome, gnome terminal

[Salman Mohammadi]

Hi,

I also couldn't reproduce this bug on Debian Stretch (gedit = 3.22.0-2)
or Debian Buster (gedit = 3.30.2-2).


On Thu, 11 Jan 2018 13:59:17 -0500 Dongliang Mu
 wrote:

> Package: gedit
> Version: 3.22.1-2
> Severity: important
> Tags: upstream
>
> As the title shows, gedit does not share clipboard with other
applications.
> When I copy some text from gedit with "Ctrl+C" or right click of
mouse, and
> paste it to gnome terminal or google chrome, the text does not show up
in the
> application.
>
>
>
> -- Package-specific info:
> Active plugins:
> - 'docinfo'
> - 'spell'
> - 'filebrowser'
> - 'modelines'
> - 'time'
>
> No plugin installed in $HOME.
>
> Module versions:
> - glib 2.54.2
> - gtk+ 3.22.26
> - gtksourceview
> - pygobject
> - enchant
> - iso-codes 3.77
>
>
> -- System Information:
> Debian Release: buster/sid
> APT prefers testing-debug
> APT policy: (500, 'testing-debug'), (500, 'testing')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.14.0-2-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages gedit depends on:
> ii gedit-common 3.22.1-2
> ii gir1.2-glib-2.0 1.54.1-4
> ii gir1.2-gtk-3.0 3.22.26-2
> ii gir1.2-gtksource-3.0 3.24.6-1
> ii gir1.2-pango-1.0 1.40.14-1
> ii gir1.2-peas-1.0 1.22.0-2
> ii gsettings-desktop-schemas 3.24.1-2
> ii iso-codes 3.77-1
> ii libatk1.0-0 2.26.1-2
> ii libc6 2.25-5
> ii libcairo-gobject2 1.15.8-3
> ii libcairo2 1.15.8-3
> ii libenchant1c2a 1.6.0-11.1
> ii libgdk-pixbuf2.0-0 2.36.11-1
> ii libgirepository-1.0-1 1.54.1-4

Bug#924401: base-files fails postinst when base-passwd is unpacked

[Santiago Vila]

On Fri, Mar 15, 2019 at 04:51:11PM +0100, Helmut Grohne wrote:

>  Since dpkg will not prevent upgrading of other packages while an
>  ``essential`` package is in an unconfigured state, all ``essential``
>  packages must supply all of their core functionality even when
> -unconfigured. If the package cannot satisfy this requirement it must not
> +unconfigured after being configured at least once.
> +If the package cannot satisfy this requirement it must not
>  be tagged as essential, and any packages depending on this package must
>  instead have explicit dependency fields as appropriate.

I think that has always been the spirit of Debian Policy, which is
also consistent with the behaviour of current bootstrap tools.

(Note that it's a paragraph which is talking about upgrades, and
related to the fact that dpkg "unconfigures" a package before
upgrading it).

Thanks.

Bug#924351: CVE-2018-16647 CVE-2018-16648

[Moritz Mühlenhoff]

On Fri, Mar 15, 2019 at 04:08:15PM +0100, Salvatore Bonaccorso wrote:
> Hi
> 
> So the patches are correct, and verified with a build done with
> DEB_BUILD_OPTIONS=noopt. But in the regular build the two issues still
> can be triggered (so -O2 optimes a check away).
> 
> Ideas?

Let's report it upstream.

Cheers,
Moritz

Bug#924669: homepage throws 404

[Toni]

Source: mysqmail
Severity: minor
Tags: upstream


Hi Thomas,

the homepage listed in the package is not correct. If you take a look,
it will result in a 404.

It would be great if you could fix that.


Kind regards,
Toni


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (70, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/12 CPU cores)
Kernel taint flags: TAINT_SOFTLOCKUP
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Bug#924668: bsdmainutils: alt_mon must be used for month name

[sergio]

Package: bsdmainutils
Version: 11.1.2+b1
Severity: normal

There are two month properties in LC_TIME: mon and alt_mon.
mon is the name of month in nominative case and alt_mon is in genitive case.
So mon is for 'April 15' form while alt_mon is for stanalone month name like 
just 'April'.

cal and ncal uses mon but must use alt_mon.

While there are no difference in english or español, in russian it's 
significant.

Good link about:
https://anzwix.com/a/glibc/Implement%20Alternative%20Month%20Names%20(bug%2010871).

Bug#924666: [hostapd] [buster] not possible to start and to uninstall : /etc/init.d/hostapd: 30: /etc/init.d/hostapd: log_action_msg: not found

[Jean-Marc LACROIX]

Package: hostapd
Version: 2:2.7+git20190128+0c1e29f-2

Dear maintaniers,

On  Debian Buster, it seems not  possible to uninstall hostapd package
afterinstallation.

Furthermore, i can not launch daemon.

My current configuration before  installing hostapd is :
(with sysvinit, not systemd !)

ansible@vm-buster-x86-amd64-100:~$ pstree -anp
init,1
  |-dhclient,603 -4 -v -i -pf /run/dhclient.eth-admin.pid -lf 
/var/lib/dhcp/dhclient.eth-admin.leases -I -df...
  |-dhclient,685 -4 -v -i -pf /run/dhclient.eth-srv.pid -lf 
/var/lib/dhcp/dhclient.eth-srv.leases -I -df ...
  |-dhclient,768 -4 -v -i -pf /run/dhclient.eth-user.pid -lf 
/var/lib/dhcp/dhclient.eth-user.leases -I -df ...

  |-cron,1197
  |-dbus-daemon,1206 --system
  |-getty,1476 115200 console
  |-getty,1477 38400 tty2
  |-getty,1478 38400 tty3
  |-getty,1479 38400 tty4
  |-syslog-ng,12916
  |   `-(syslog-ng,13835)
  |-syslog-ng,12939
  |   `-syslog-ng,12940 -p /var/run/syslog-ng.pid --no-caps
  `-sshd,16299
  `-sshd,10843
  `-sshd,10849
  `-bash,10850
  `-pstree,13836 -anp

ansible@vm-buster-x86-amd64-100:~$ cat /etc/debian_version
buster/sid

ansible@vm-buster-x86-amd64-100:~$ cat 
/etc/apt/sources.list.d/debian_apt_v_10_buster_* |grep -v "#"


deb http://ftp.debian.org/debian/ buster main contrib non-free
deb http://ftp.debian.org/debian/ sid main contrib non-free
deb http://ftp.debian.org/debian/ stretch main contrib non-free
deb http://ftp.debian.org/debian/ unstable main contrib non-free

ansible@vm-buster-x86-amd64-100:~$ cat 
/etc/apt/preferences.d/preferences_debian_v_10_buster* |grep -v "#"


Package: *
Pin: release a=buster
Pin-Priority: 900

Package: *
Pin: release a=stretch
Pin-Priority: 400

Package: *
Pin-Priority: -1

Package: *
Pin: release a=unstable
Pin-Priority: -1

Package: dhcpcd5
Pin: release *
Pin-Priority: -1

Package: *systemd*
Pin: release *
Pin-Priority: -1

ansible@vm-buster-x86-amd64-100:~$ sudo  apt update && sudo apt upgrade

ansible@vm-buster-x86-amd64-100:~$ dpkg -l |grep -v ii
Desired=Unknown/Install/Remove/Purge/Hold
| 
Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend

|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ NameVersion 
Architecture Description

+++-===---===


ansible@vm-buster-x86-amd64-100:~$ sudo apt install hostapd
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libnl-route-3-200
The following NEW packages will be installed:
  hostapd libnl-route-3-200
0 upgraded, 2 newly installed, 0 to remove and 1 not upgraded.
Need to get 939 kB of archives.
After this operation, 2637 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://ftp.debian.org/debian buster/main amd64 libnl-route-3-200 
amd64 3.4.0-1 [162 kB]
Get:2 http://ftp.debian.org/debian buster/main amd64 hostapd amd64 
2:2.7+git20190128+0c1e29f-2 [777 kB]

Fetched 939 kB in 1s (1280 kB/s)
Selecting previously unselected package libnl-route-3-200:amd64.
(Reading database ... 130986 files and directories currently installed.)
Preparing to unpack .../libnl-route-3-200_3.4.0-1_amd64.deb ...
Unpacking libnl-route-3-200:amd64 (3.4.0-1) ...
Selecting previously unselected package hostapd.
Preparing to unpack .../hostapd_2%3a2.7+git20190128+0c1e29f-2_amd64.deb ...
Unpacking hostapd (2:2.7+git20190128+0c1e29f-2) ...
Setting up libnl-route-3-200:amd64 (3.4.0-1) ...
Setting up hostapd (2:2.7+git20190128+0c1e29f-2) ...
/etc/init.d/hostapd: 30: /etc/init.d/hostapd: log_action_msg: not found
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for libc-bin (2.28-8) ...
ansible@vm-buster-x86-amd64-100:~$


Which is very fine 

But...

ansible@vm-buster-x86-amd64-100:~$ sudo apt remove --purge hostapd
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
  libnl-route-3-200
Use 'sudo apt autoremove' to remove it.
The following packages will be REMOVED:
  hostapd*
0 upgraded, 0 newly installed, 1 to remove and 1 not upgraded.
After this operation, 2081 kB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 131018 files and directories currently installed.)
Removing hostapd (2:2.7+git20190128+0c1e29f-2) ...
/etc/init.d/hostapd: 30: /etc/init.d/hostapd: log_action_msg: not found
Processing triggers for man-db (2.8.5-2) ...
(Reading database ... 130996 files and directories currently installed.)
Purging configuration files for hostapd (2:2.7+git20190128+0c1e29f-2) ...
ansible@vm-buster-x86-amd64-100:~$

Please note following error :

/etc/init.d/hostapd: 30: 

Bug#924667: qemu-user-static: setting up of binfmt_misc is slightly naive about cpu features

[Alex Bennée]

Package: qemu-user-static
Version: 1:3.1+dfsg-4
Severity: normal

Dear Maintainer,

Trying to build gitlab-runner on an ThunderX arm64 box it tries to run a
docker image with armhf binaries which fails:

  standard_init_linux.go:207: exec user process caused "exec format error"

You can replicate by running:

  14:30:41 [root@qemu-test:/v/l/d/info] 1 # uname -a
  Linux qemu-test 4.20.0 #5 SMP Tue Jan 8 10:57:44 UTC 2019 aarch64 aarch64 
aarch64 GNU/Linux
  14:30:46 [root@qemu-test:/v/l/d/info] # arch-test -n armhf
  armhf: not supported on this machine/kernel

The underlying reason is because binfmt_misc isn't set up for armhf
binaries because qemu-user-static.postinst does:

  # find which fmts needs to be filtered out, which is arch-dependent.
  # Drop support for emulating amd64 on i386, http://bugs.debian.org/604712
  case "$DPKG_MAINTSCRIPT_ARCH" in
amd64 | i386) omit="i386|x86_64" ;;
arm | armel | armhf | arm64) omit="arm|aarch64" ;;
mips | mipsel) omit="$DPKG_MAINTSCRIPT_ARCH" ;;
ppc64 | powerpc) omit="ppc|ppc64|ppc64abi32" ;;
ppc64el) omit="ppc64le" ;;
s390x) omit="s390x" ;;
sparc | sparc64) omit="sparc|sparc32plus|sparc64" ;;
*) omit="$DPKG_MAINTSCRIPT_ARCH" ;;
  esac

Which is certainly not true for all aarch64 CPUs. Some do not support
aarch32. The following change makes it work but requires arch-test as a
dependency:

  # find which fmts needs to be filtered out, which is arch-dependent.
  # Drop support for emulating amd64 on i386, http://bugs.debian.org/604712
  case "$DPKG_MAINTSCRIPT_ARCH" in
amd64 | i386) omit="i386|x86_64" ;;
arm | armel | armhf) omit="arm" ;;
arm64 )
if arch-test -n armhf > /dev/null; then
omit="arm|aarch64"
else
omit="aarch64"
fi
;;
mips | mipsel) omit="$DPKG_MAINTSCRIPT_ARCH" ;;
ppc64 | powerpc) omit="ppc|ppc64|ppc64abi32" ;;
ppc64el) omit="ppc64le" ;;
s390x) omit="s390x" ;;
sparc | sparc64) omit="sparc|sparc32plus|sparc64" ;;
*) omit="$DPKG_MAINTSCRIPT_ARCH" ;;
  esac

This logic is repeated in the prerm script so there is probably some
scope in cleaning up and sharing the logic.

-- System Information:
Ubuntu Release: bionic
Debian Release: buster/sid
Architecture: arm64

I found this on bionic but the bug exists upstream as well:

binfmt-support/bionic,now 2.1.8-2 arm64 [installed,automatic]
qemu-user-static/bionic-updates,now 1:2.11+dfsg-1ubuntu7.10 arm64 [installed]

-- no debconf information

--
Alex Bennée

Bug#924401: base-files fails postinst when base-passwd is unpacked

[Helmut Grohne]

Hi Santiago,

On Fri, Mar 15, 2019 at 11:58:12AM +0100, Santiago Vila wrote:
> blame for such bug, is annoying me. (So, Helmut, please file a bug
> in the bootstrapping tool which does not work for you, and do not
> try to fix it here).

I refuse the view that multistrap is buggy. You cite undocumented
behaviour as a reason to mark it buggy. However, multistrap relies on
semantics presently assured by policy. Given that policy talks about
unpacked packages, applying it to bootstrap (in its present wording) is
reasonable. There is a bug somewhere between policy, base-files and
base-passwd, which is exactly how I filed it.  Once this bug is fixed
(in any one of these components), additional bugs can result from that.

I think at least Guillem and Santiago were arguing that policy should
not be applied to bootstrap. While I don't like that view, I do find it
reasonable. It can be made explicit in section 3.8 quite easily:

 Since dpkg will not prevent upgrading of other packages while an
 ``essential`` package is in an unconfigured state, all ``essential``
 packages must supply all of their core functionality even when
-unconfigured. If the package cannot satisfy this requirement it must not
+unconfigured after being configured at least once.
+If the package cannot satisfy this requirement it must not
 be tagged as essential, and any packages depending on this package must
 instead have explicit dependency fields as appropriate.

After doing so, we'll likely need to do something about mmdebstrap and
multistrap as well as furthering our utopia about declarative
replacements for maintainer scripts.

Helmut