Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata

[Daniel Markstedt]

Package: netatalk
Version: 3.1.12~ds-3+deb10u1
X-Debbugs-Cc: t...@security.debian.org

The code that addressed CVE-2022-23123 introduced appledouble metadata
validity assertions that were too strict and caused instant segfaults
with valid metadata for a large number of users.

These two commits in upstream addressed this:
https://github.com/Netatalk/netatalk/commit/9d0c21298363e8174cdfca657e66c4d10819507b
https://github.com/Netatalk/netatalk/commit/4140e5495bac42ecb9b11975229c81e84762cc98

For the full discussion see this PR:
https://github.com/Netatalk/netatalk/pull/174

I would recommend accepting these patches into oldstable, as well as
stable once the CVE patches get ported there too.

Bug#1032104: linux: ppc64el iouring corrupted read

[Salvatore Bonaccorso]

Hi Otto,

On Sun, Apr 09, 2023 at 03:30:35PM -0700, Otto Kekäläinen wrote:
> > > > Paul Gevers asked if the issues are gone as well with 6.1.12-1
> > > > (or later 6.1.y series versions, which will land in bookworm). That
> > > > would be valuable information to know as well to exclude we do not
> > > > have the issue as well in bookworm.
> > >
> > > Were you able to verify this?
> 
> Yes and new kernel did not fix it.
> 
> I reviewed now all ppc64el autopkgtest runs of src:mariadb at
> https://ci.debian.net/packages/m/mariadb/testing/ppc64el/
> 
> This is still happening on latest kernel and latest src:mariadb in
> bookworm. The failing test varies, but they all have in common that
> they error on 'Database page corruption on disk'.
> 
> autopkgtest [20:11:55]: starting date and time: 2023-04-08 20:11:55+
> autopkgtest [20:12:17]: testbed running kernel: Linux
> 6.1.0-7-powerpc64le #1 SMP Debian 6.1.20-1 (2023-03-19)
> autopkgtest [20:12:39]: testing package mariadb version 1:10.11.2-1
> Completed: Failed 6/1021 tests, 99.41% were successful.
> Failing test(s): main.innodb_ext_key main.statistics_upgrade_not_done
> 
> Attached summary of downloading all recent logs and running:
> $ zgrep -e 'starting date' -e 'running kernel' -e 'testing package
> mariadb version' -e 'Completed: ' -e 'Failing test(s)' *.gz | tee
> mariadb-autopkgtest-ppc64el-summary.txt

Are those issues still present with recent kernels? There were again
enough io_uring based changes which make worth rebase our checking on
those.

Regards,
Salvatore

Bug#1036739: ITP: gnucap-modelgen-verilog -- Verilog-AMS behavioural modelling for Gnucap

[Felix Salfelder]

Package: wnpp
Severity: wishlist
Owner: Felix Salfelder 
X-Debbugs-Cc: debian-de...@lists.debian.org, fe...@salfelder.org

* Package name: gnucap-modelgen-verilog
  Version : 20230520-dev
  Upstream Contact: gnucap-devel 
* URL : http://www.gnucap.org/
* License : GPL
  Programming Lang: C++, Verilog-AMS
  Description : Verilog-AMS behavioural modelling for Gnucap

This package provides support for Verilog-AMS behavioural models in
Gnucap as well as supplementary plugins.
  Verilog-AMS is a standardised hardware description language suitable for
analog and mixed signal system modelling.
  Gnucap is a general purpose circuit simulator. It performs nonlinear
dc and transient analyses, Fourier analysis, and ac analysis
linearized at an operating point. It is fully interactive and
command driven. It can also be run in batch mode or as a server.

> usefulness/relevance

This package supplements ADMS, the automatic device model synthesizer.
Unlike ADMS, modelgen-verilog uses a programming language for the model
generation instead of XML template driven text substitution. ADMS is
limited to the analog/SPICE subsection of Verilog-AMS, while
modelgen-verilog is designed to support mixed features and post-spice
architectures.

> maintenance

I will maintain this packgage as a pkg-electronics team member.

Bug#1001001: linux-image-5.10.0-9-arm64: kernel BUG at include/linux/swapops.h:204!

[Salvatore Bonaccorso]

Hi Paul,

On Sun, Jul 03, 2022 at 09:57:59PM +0200, Paul Gevers wrote:
> Hi all,
> 
> Just a minor follow-up. I just had to restart one of my arm64 workers again.
> 
> root@ci-worker-arm64-05:~# uname -a
> Linux ci-worker-arm64-05 5.10.0-15-arm64 #1 SMP Debian 5.10.120-1
> (2022-06-09) aarch64 GNU/Linux
> 
> Anything you want me to extract from the current logs?

Replicating our short discussion this morning, assuming you have not
seen the issue anymore in recent updates and runs, can we close this
issue? (Still sad, that we cannot isolate the cause ...)

Regards,
Salvatore

Bug#1036738: digikam: New upstream available - 8.0

[Karl Schmidt]

Package: digikam
Version: 4:7.1.0-2
Severity: normal

Dear Maintainer,
 There is a new version that probably should be in sid these days:
https://download.kde.org/stable/digikam/8.0.0/

Bug#1036737: libsoapysdr0.8: please add Breaks: libsoapysdr0.7 for smoother upgrades from bullseye

[Andreas Beckmann]

Package: libsoapysdr0.8
Version: 0.8.1-2
Severity: serious
Tags: patch
User: debian...@lists.debian.org
Usertags: piuparts

The soapysdr library stacks from bullseye and bookworm are not
co-installable, but the transitive conflict behind longer dependency
chains is not always easy detectable by apt. Therefore several upgrade
paths result in old libraries being kept installed and some upgradable
packages being kept at an older version.

Making the conflict explicit between higher scoring packages helps apt
finding a better upgrade path.

Please consider applying the attached patch.

Andreas
>From 25ca6005f2c4afec53e20d7f5cb2529e1887f218 Mon Sep 17 00:00:00 2001
From: Andreas Beckmann 
Date: Wed, 24 May 2023 09:37:52 +0200
Subject: [PATCH] libsoapysdr0.8: add Breaks: libsoapysdr0.7 for smoother
 upgrades from bullseye

---
 debian/changelog | 7 +++
 debian/control   | 1 +
 2 files changed, 8 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index c75c280..c78de26 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+soapysdr (0.8.1-3) UNRELEASED; urgency=medium
+
+  * libsoapysdr0.8: Add Breaks: libsoapysdr0.7 for smoother upgrades from
+bullseye.  (Closes: #)
+
+ -- Andreas Beckmann   Wed, 24 May 2023 09:35:42 +0200
+
 soapysdr (0.8.1-2) unstable; urgency=medium
 
   * Upload to unstable
diff --git a/debian/control b/debian/control
index 5971f7f..40193f8 100644
--- a/debian/control
+++ b/debian/control
@@ -24,6 +24,7 @@ Architecture: any
 Multi-Arch: same
 Depends: ${shlibs:Depends}, ${misc:Depends}
 Recommends: soapysdr0.8-module-all | soapysdr0.8-module
+Breaks: libsoapysdr0.7
 Description: software defined radio interface library
  SoapySDR is a library providing a common interface to SDR (software
  defined radio) hardware. Support for different hardware is added through
-- 
2.20.1

Bug#1036736: tre-agrep reports out of memory despite plenty of swap

[Al Ma]

Package: tre-agrep
Version: 0.8.0-6+b1
How to reproduce:
1) Download a Windows 11 installation .iso for test purposes
2) run `tre-agrep --color -i -1 Maschineneigenschaft` on this file
3) Observe “Out of memory” although plenty of swap is present.
Log:
$ free -h
total    used    free  shared  buff/cache   available
Mem:    31Gi   3.8Gi   3.5Gi   540Mi    23Gi    26Gi
Swap:   14Gi  0B    14Gi
$ ls -lh Win10_21H1_German_x64_2021-06-25.iso
… 5.5G Apr 14 2021 Win10_21H1_German_x64_2021-06-25.iso
$ tre-agrep --color -i -1 Maschineneigenschaft 
Win10_21H1_German_x64_2021-06-25.iso
tre-agrep: Out of memory

Bug#1032995: spyder: Spyder on startup says there is a missing dependency (pylsp_black) but it is correctly installed

[Brian Vaughan]

I'm seeing the same issue, on two different systems, both running Debian 
Sid.


On one system, there were some libraries under ~/.local/lib/python3.10; 
I deleted those, deleted the config files for spyder, reinstalled it, 
and rebooted, but still saw the error.

Bug#1036735: spyder: Spyder on startup says there is a missing dependency (pylsp_black) but it is correctly installed

[Brian Vaughan]

Package: spyder
Version: 5.4.2+ds-5
Severity: minor
X-Debbugs-Cc: bgvaug...@gmail.com



-- System Information:
Debian Release: 12.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-9-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages spyder depends on:
ii  python3 3.11.2-1+b1
ii  python3-spyder  5.4.2+ds-5

spyder recommends no packages.

Versions of packages spyder suggests:
pn  python3-spyder-unittest  

Versions of packages python3-spyder depends on:
ii  ipython3   8.5.0-4
ii  libjs-jquery   3.6.1+dfsg+~3.5.14-1
ii  libjs-mathjax  2.7.9+dfsg-1
ii  pyflakes3  2.5.0-1
ii  pylint 2.16.2-2
ii  python33.11.2-1+b1
ii  python3-atomicwrites   1.4.1-1
ii  python3-autopep8   2.0.1-1
ii  python3-chardet5.1.0+dfsg-2
ii  python3-cloudpickle2.2.0-1
ii  python3-cookiecutter   1.7.3-3
ii  python3-diff-match-patch   20200713-2
ii  python3-docutils   0.19+dfsg-6
ii  python3-flake8 5.0.4-4
ii  python3-intervaltree   3.0.2-1.1
ii  python3-ipython8.5.0-4
ii  python3-jedi   0.18.2-1
ii  python3-jellyfish  0.8.9-1+b4
ii  python3-jsonschema 4.10.3-1
ii  python3-keyring23.9.3-2
ii  python3-mccabe 0.7.0-1
ii  python3-nbconvert  6.5.3-3
ii  python3-numpydoc   1.5.0-1
ii  python3-parso  0.8.3-1
ii  python3-pexpect4.8.0-4
ii  python3-pickleshare0.7.5-5
ii  python3-pkg-resources  66.1.1-1
ii  python3-psutil 5.9.4-1+b1
ii  python3-pycodestyle2.10.0-1
ii  python3-pydocstyle 6.2.3-3
ii  python3-pygments   2.15.1+dfsg-1
ii  python3-pylint-venv2.3.0-2
ii  python3-pyls-spyder0.4.0-2
ii  python3-pylsp  1.7.1-1
ii  python3-pylsp-black1.2.1-2
ii  python3-pyqt5  5.15.9+dfsg-1
ii  python3-pyqt5.qtwebengine  5.15.6-1
ii  python3-qdarkstyle 3.1+ds1-1
ii  python3-qstylizer  0.2.2-1
ii  python3-qtawesome  1.2.2+dfsg-1
ii  python3-qtconsole  5.4.0-1
ii  python3-qtpy   2.3.0-1
ii  python3-rope   1.7.0-1
ii  python3-rtree  1.0.1-1
ii  python3-setuptools 66.1.1-1
ii  python3-sphinx 5.3.0-4
ii  python3-spyder-kernels 2.4.2-1
ii  python3-textdistance   4.5.0-1
ii  python3-three-merge0.1.1-4
ii  python3-watchdog   2.2.1-1
ii  python3-xdg0.28-2
ii  python3-zmq24.0.1-4+b1
ii  spyder-common  5.4.2+ds-5
ii  yapf3  0.32.0-1

python3-spyder recommends no packages.

Versions of packages python3-spyder suggests:
pn  cython3 
ii  python3-matplotlib  3.6.3-1+b1
ii  python3-numpy   1:1.24.2-1
pn  python3-pandas  
ii  python3-pil 9.4.0-1.1+b1
ii  python3-scipy   1.10.1-2
ii  python3-sympy   1.11.1-1

Versions of packages python3-pyqt5 depends on:
ii  libc6 2.36-9
ii  libgcc-s1 12.2.0-14
ii  libpython3.11 3.11.2-6
ii  libqt5core5a [qtbase-abi-5-15-8]  5.15.8+dfsg-10
ii  libqt5dbus5   5.15.8+dfsg-10
ii  libqt5designer5   5.15.8-2
ii  libqt5gui55.15.8+dfsg-10
ii  libqt5help5   5.15.8-2
ii  libqt5network55.15.8+dfsg-10
ii  libqt5printsupport5   5.15.8+dfsg-10
ii  libqt5test5   5.15.8+dfsg-10
ii  libqt5widgets55.15.8+dfsg-10
ii  libqt5xml55.15.8+dfsg-10
ii  libstdc++612.2.0-14
ii  python3   3.11.2-1+b1
ii  python3-pyqt5.sip 12.11.1-1

-- no debconf information

Bug#1036734: RFP: astro -- a gemini web browser

[Brian Mayer]

Package: astro
Severity: wishlist

* Package name: astro
  Version : 0.20.0
  Upstream Author : blmayer
* URL : https://github.com/blmayer/astro
* License : MIT
  Programming Lang: Shell
  Description : A Gemini web browser written in POSIX shell script

Hi Debian Team.

The Gemini web is a new protocol for content publishing that is focused on
content and user privacy. It stays between Gopher and HTTP, as the authors
describe it.

Astro is a browser that helps users to find and navigate the Gemini web, it
is a FOSS  with a stable version with all needed features described on the
protocol. Using only a few utilities it has minimal dependencies, as it is
written in POSIX shell script it is know to work well on many platforms.
Currently it is being packaged for Archlinux and it's user base is
increasing, hence, having it on Debian systems would be a great addition to
the community.

The Gemini community is growing fast and having astro packaged will
continue this movement.

Thank you!

Bug#1036646: libhyperscan5: prevents rspamd from starting

[Sebastien Badia]

severity -1 important
thanks

Hello,

Thank you Antoine for this bug report !

Indeed this issue is tracked upstream in #4409 (and merged in Rspamd 3.5).

I'm maybe wrong, but Bookworm will be released with libhyperscan5 = 5.4.0-2 
(like bullseye).
So this bug (#1036646) is a RC for Trixie but not for Bookworm ?

Cheers,

Sebastien

Bug#1036530: linux-signed-amd64: Hard lock up of system

[Nick Hastings]

Hi,

* Salvatore Bonaccorso  [230524 19:26]:
>
> Given you were able to bisect it so far, can you try to isolate the
> commit from the merge commit causing it?

I guess I can try. The commit message states:

Merge: c77f54a9bcec a1cf1fd62ae7 562163595a91 018d6711c26e 6cc401be1648

Is there a way extract out each of those?

> One remotely related might be "ACPI: x86: Add a quirk for Dell
> Inspiron 14 2-in-1 for StorageD3Enable".

Manually looking at the diff with
git diff e996c7e01892ac18ec0db447294d4f591c325efe~  
e996c7e01892ac18ec0db447294d4f591c325efe 
I guess that means the following:

--- a/drivers/acpi/x86/utils.c
+++ b/drivers/acpi/x86/utils.c
@@ -207,9 +207,26 @@ static const struct x86_cpu_id storage_d3_cpu_ids[] = {
{}
 };
 
+static const struct dmi_system_id force_storage_d3_dmi[] = {
+   {
+   /*
+* _ADR is ambiguous between GPP1.DEV0 and GPP1.NVME
+* but .NVME is needed to get StorageD3Enable node
+* https://bugzilla.kernel.org/show_bug.cgi?id=216440
+*/
+   .matches = {
+   DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+   DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 14 7425 2-in-1"),
+   }
+   },
+   {}
+};
+
 bool force_storage_d3(void)
 {
-   return x86_match_cpu(storage_d3_cpu_ids);
+   const struct dmi_system_id *dmi_id = 
dmi_first_match(force_storage_d3_dmi);
+
+   return dmi_id || x86_match_cpu(storage_d3_cpu_ids);
 }
 

Thanks,

Nick.

Bug#1016827: fixed 5.10.0-23-amd64 Bullseye

[ng]

Hello!

I just noticed this bug can't be reproduced anymore since linux 
5.10.0-23-amd64 (5.10.179-1).   Hopefully this will help to track what 
was the exact issue and how did it got fixed.



Thanks!.

Bug#1036733: base-passwd: prvide a way for legacy installations to align to _apt’s global UID

[Christoph Anton Mitterer]

Package: base-passwd
Version: 3.6.1
Severity: wishlist


Hey there.

Back then when #969631 was discussed, a number of arguments
were brought forward why it would be nice and maybe even possible
to migrate the UID of the _apt user on legacy installations to
it's new UID from the globally reserved range.

The changelog entry even says:
> Note that this currently makes no attempt to migrate existing installations
… currently.


I just stumbled over this deviation when upgrading some servers
at the university from bullseye to bookworm... and wondered whether
there are still any plans to have such migration?


As far as I understood the whole thread of #969631 it seems to me
that all cases where a migration would actually cause problems are
either very obscure (correct me if I'm wrong, but with file:/ and
copy:/ ... isn't it typically so that these files will be world-
readable?) and/or one would quickly notice them (i.e. when apt
errors out because it cannot read something as _apt, unless it
anyway falls back to do that as root).

Not sure, but wouldn't the same be also the case with certificates
(that cannot be automatically migrated to the new UID and thus
may no longer be readable if that changes)? I mean a) this is quite
an "advanced" setup so I think one can demand that people doing
something like that read the release notes and would see a section
about the changed UIDs... and even if not, their apt would either
error out or fallback to root.

Maybe I'm just too naive, but the biggest problem seems to me, if
the sandboxing is silently lost (as people may indeed not see or
ignore the warnings that it runs as root instead as _apt).



Anyway... I'm not even asking for an automatic migration (though
that would of course be the best if it could be done), but wouldn't
it be possible to add some release notes for trixie, where people
are advised about what happened, and how and under which circumstances
they can manual migrate?


E.g. AFAICS, all the servers I administer, have only three files owned
by APT:
/var/lib/apt/lists/partial
/var/lib/apt/lists/auxfiles
/var/cache/apt/archives/partial

I don't do anything special with firewall or certs (like I guess many
people will not),... so what if one simply instructs people, that, if
they don't have any of these specific setups,
they could simply bring their system "up-to-date" with a list of
given steps?


That would give people at least the chance to align their setups with
the "new" defaults... and even if many people may not read and/or do
it, that still wouldn't make things worse as they're now.


Cheers,
Chris.

Bug#1036730: u-boot-menu: Search for fdt files in version specific directory

[Vagrant Cascadian]

On 2023-05-22, Markus Burri wrote:
> The update script search in a kernel version specific directory for 
> fdt overlay files.
> This allows to install fdt overlay files for multiple kernel version in
> parallel.

Thanks for the patch!


> diff --git a/u-boot-update b/u-boot-update
> index f887560..a93da3e 100755
> --- a/u-boot-update
> +++ b/u-boot-update
> @@ -217,25 +217,34 @@ do
>   _FDT=""
>   fi
>  
> - if [ -d "${_BOOT_PATH}/${U_BOOT_FDT_OVERLAYS_DIR}" ]
> + if [ -d "${_BOOT_PATH}/${U_BOOT_FDT_OVERLAYS_DIR}/" ]
> + then
> + _U_BOOT_FDT_OVERLAYS_DIR=${U_BOOT_FDT_OVERLAYS_DIR}
> + elif [ -d "${_BOOT_PATH}/${U_BOOT_FDT_OVERLAYS_DIR}${_VERSION}/" ]
> + then
> + _U_BOOT_FDT_OVERLAYS_DIR=${U_BOOT_FDT_OVERLAYS_DIR}${_VERSION}
> + else
> + _U_BOOT_FDT_OVERLAYS_DIR=""
> + fi
> + if [ -d "${_BOOT_PATH}/${_U_BOOT_FDT_OVERLAYS_DIR}" ]

Seems like it should first check for a version-specific directory, only
falling back to an unversioned directory?

This will probably have to wait till after bookworm release.


live well,
  vagrant


signature.asc
Description: PGP signature

Bug#1036565: debian-installer-12-netboot-amd64: Installers needed b43 ucode16_mimo.fw, had to eth0 net install + manual firmware-b43-installer, MacBookPro5,5

[Cyril Brulebois]

Hi,

Fan Naibed  (2023-05-24):
> May 23, 2023 at 3:17 AM, "Cyril Brulebois"  wrote:
> > How would this work? firmware-b43-installer is just a downloader,
> > so for it to do anything, you need to have a working connection in
> > the first place. It's basically an empty shell, with its postinst
> > doing the downloading.
> 
> Installing onto slightly older Macbooks, using Wi-Fi, just worked(TM).
> So, their WiFi fw was included.

Do you know which firmware files/packages were involved on those?

> The b43 installer/downloader would need to be changed to a firmware
> file that can be included with the installer. :)

Presumably those are working this way because the license doesn't
allow for redistribution. Feel free to get that part resolved!

Also, see https://wiki.debian.org/bcm43xx


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant


signature.asc
Description: PGP signature

Bug#1036731: python3-debian: fails to parse some debian/control.in files

[Jelmer Vernooij]

On Wed, May 24, 2023 at 10:56:21PM +0200, Dylan Aïssi wrote:
> python3-debian is not able anymore to parse correctly some debian/control.in.
> The first version with this issue is 0.1.44, so I suppose it is related to the
> new RTS parser. The consequence of this bug is wrap-and-sort crashes when it
> run on these files. Below is the error message:
> 
> Traceback (most recent call last):
>   File "/usr/bin/wrap-and-sort", line 496, in 
> main()
>   File "/usr/bin/wrap-and-sort", line 481, in main
> modified_files = wrap_and_sort(args)
>  ^^^
>   File "/usr/bin/wrap-and-sort", line 312, in wrap_and_sort
> control = WrapAndSortControl(control_file, args)
>   ^^
>   File "/usr/bin/wrap-and-sort", line 99, in __init__
> super().__init__(filename, use_rts_parser=args.rts_parser)
>   File "/usr/lib/python3/dist-packages/devscripts/control.py", line
> 210, in __init__
> self._deb822_file = parse_deb822_file(sequence)
> ^^^
>   File "/usr/lib/python3/dist-packages/debian/_deb822_repro/parsing.py",
> line 3095, in parse_deb822_file
> deb822_file = Deb822FileElement(LinkedList(tokens))
> ^^
>   File "/usr/lib/python3/dist-packages/debian/_util.py", line 159, in __init__
> self.extend(values)
>   File "/usr/lib/python3/dist-packages/debian/_util.py", line 272, in extend
> for v in values:
>   File "/usr/lib/python3/dist-packages/debian/_deb822_repro/_util.py",
> line 104, in _impl
> for token in token_stream:
>   File "/usr/lib/python3/dist-packages/debian/_deb822_repro/_util.py",
> line 104, in _impl
> for token in token_stream:
>   File "/usr/lib/python3/dist-packages/debian/_deb822_repro/parsing.py",
> line 2991, in _build_field_with_value
> value_element = next(buffered_stream, None)
> ^^^
>   File "/usr/lib/python3/dist-packages/debian/_deb822_repro/_util.py",
> line 143, in __next__
> return next(self._stream)
>^^
>   File "/usr/lib/python3/dist-packages/debian/_deb822_repro/_util.py",
> line 104, in _impl
> for token in token_stream:
>   File "/usr/lib/python3/dist-packages/debian/_deb822_repro/parsing.py",
> line 2939, in _build_value_line
> tokens_in_value = list(buffered_stream.takewhile(_non_end_of_line_token))
>   ^^^
>   File "/usr/lib/python3/dist-packages/debian/_deb822_repro/_util.py",
> line 149, in takewhile
> while buffer or self._fill_buffer(5):
> 
>   File "/usr/lib/python3/dist-packages/debian/_deb822_repro/_util.py",
> line 198, in _fill_buffer
> self._buffer.append(next(self._stream))
> ^^
>   File "/usr/lib/python3/dist-packages/debian/_deb822_repro/_util.py",
> line 104, in _impl
> for token in token_stream:
>   File "/usr/lib/python3/dist-packages/debian/_deb822_repro/parsing.py",
> line 3031, in _abort_on_error_tokens
> raise SyntaxOrParseError(
> debian._deb822_repro.types.SyntaxOrParseError: Syntax or Parse error
> on the line: "%if USE_SYSTEM_ZLIB\n"
> 
> An easy way to reproduce the crash is to run wrap-and-sort on the
> debian/ folder of
> firefox-esr:
> > wget 
> > http://deb.debian.org/debian/pool/main/f/firefox-esr/firefox-esr_102.11.0esr-1.debian.tar.xz
> > tar -xvf firefox-esr
> > wrap-and-sort
> 
> It crashes in a similar way on these packages: babel-minify and 
> xapian-bindings.

Thanks for the bug report.

FWIW Deb822 isn't really built to support parsing deb822 files with
arbitrary data in the middle. This means it doesn't do well with at
least some .in files (which use a variety of styles).

That said, it would be good to handle this particular case better.

Cheers,

Jelmer

Bug#1036732: xml2rfc: Autopkgtest failures due to needing Internet

[Scott Kitterman]

Package: xml2rfc
Version: 3.16.0-1
Severity: important

Currently xml2rfc ocassionally fails its autopkgtest with an error like
this:

ERROR: setUpClass (__main__.PdfWriterTests)
--
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/xml2rfc/writers/base.py", line 1857, in 
xinclude
self.tree.xinclude()
  File "src/lxml/etree.pyx", line 2384, in lxml.etree._ElementTree.xinclude
  File "src/lxml/xinclude.pxi", line 64, in lxml.etree.XInclude.__call__
lxml.etree.XIncludeError: could not load 
https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2634.xml, and no fallback 
was found, line 1387

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/tmp/autopkgtest-lxc.gdypcr8w/downtmp/build.sgY/src/xxx/test.py", line 
489, in setUpClass
elements_pdfdoc = elements_writer.pdf() # has side effects on .root
  ^
  File "/usr/lib/python3/dist-packages/xml2rfc/writers/pdf.py", line 68, in pdf
tree = prep.prep()
   ^^^
  File "/usr/lib/python3/dist-packages/xml2rfc/writers/preptool.py", line 213, 
in prep
self.xinclude()
  File "/usr/lib/python3/dist-packages/xml2rfc/writers/base.py", line 1859, in 
xinclude
self.die(None, "XInclude processing failed: %s" % e)
  File "/usr/lib/python3/dist-packages/xml2rfc/writers/base.py", line 1842, in 
die
raise RfcWriterError(msg)
xml2rfc.writers.base.RfcWriterError: Error: XInclude processing failed: could 
not load https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2634.xml, and no 
fallback was found, line 1387

Not all of the Debian CI servers have internet access.  I think we need
to add the needs-internet restriction to debian/tests/control.

Scott K

Bug#1036565: debian-installer-12-netboot-amd64: Installers needed b43 ucode16_mimo.fw, had to eth0 net install + manual firmware-b43-installer, MacBookPro5,5

[Fan Naibed]

May 23, 2023 at 3:17 AM, "Cyril Brulebois"  wrote:

> 
> Fan Naibed  (2023-05-22):
> 
> > 
> > Package: debian-installer-12-netboot-amd64
> > 
> >  Tried to install with live installer on USB stick, plain installer on USB
> >  stick, then net installer on USB stick
> > 
> 
> None of those are relatd to debian-installer-12-netboot-amd64, which
> ships files to boot the installer via PXE.

Sorry. 
Feel free to change to the correct debian installer 12 amd64 installers.
It applies to a few. Reportbug and I guessed wrong.


> 
> > 
> > Installers popped up error - wanted subject firmware to continue;
> >  putting downloaded (standard) firmware on a second USB stick also
> >  failed. Finally connected to ethernet over cable and installed with
> >  net installer on USB stick.
> >  
> >  Needed firmware included with installers so install using WiFi would
> >  just work.
> > 
> 
> How would this work? firmware-b43-installer is just a downloader, so for
> it to do anything, you need to have a working connection in the first
> place. It's basically an empty shell, with its postinst doing the
> downloading.
> 

Installing onto slightly older Macbooks, using Wi-Fi, just worked(TM).
So, their WiFi fw was included.
The b43 installer/downloader would need to be changed to a firmware file 
that can be included with the installer. :)

Cheers

Bug#932957: #932957 Please migrate Release Notes to reStructuredText

[Holger Wansing]

[ Sending this to #932957 as well, as it contains valueable info on that topic ]


Jeremy Stanley  wrote (Wed, 24 May 2023 18:22:09 +):
> On 2023-05-24 19:40:56 +0200 (+0200), Agathe Porte wrote:
> [...]
> > Maybe the idea was to introduce %OLD_RELEASE_NAME% and to call sed to
> > replace this kind of strings in a build step, and not rely on sphinx
> > substitution at all.
> > 
> > I know that I have done this a few times and it works fine as a very
> > simple preprocessor.
> 
> Similar things can be done at sphinx-build time with a custom Sphinx
> extension (can be a trivial Python module). We do that for the
> published security advisories list upstream in OpenStack:
> 
> https://opendev.org/openstack/ossa/src/commit/136b24c/doc/source/conf.py#L31
> 
> https://opendev.org/openstack/ossa/src/commit/136b24c/doc/source/_exts/vmt.py
> 
> That's a more complex example because we generate a ton of content
> out of structured data (YAML) files by splatting the relevant fields
> into substitutions in a Jinja2 template, but for basic string
> substitution you could get away with something far simpler, or even
> use a canned one like (this was simply my first web search result):
> 
> https://pypi.org/project/Sphinx-Substitution-Extensions/
> 
> The examples in its readme look to be along the lines of the Debian
> Release Notes use case anyway. There's also basic substitutions
> support in the reStructuredText specification, which might be useful
> to reduce the amount of actual content you need to swap at build
> time:
> 
> https://docutils.sourceforge.io/docs/ref/rst/restructuredtext.html#substitution-definitions

The above seem related to the issue in question, but the solution pointed
out by James Addison in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932957#90
(use parsed-literal ('.. parsed-literal::') blocks)
seems to be the easier one (at least for this document) and it works fine
here. So I would go for it.

Thanks anyway

Holger



-- 
Holger Wansing 
PGP-Fingerprint: 496A C6E8 1442 4B34 8508  3529 59F1 87CA 156E B076

Bug#932957: Please migrate Release Notes to reStructuredText

[Holger Wansing]

Hi,

James Addison  wrote (Tue, 23 May 2023 00:22:16 +0100):
> Followup-For: Bug #932957
> X-Debbugs-Cc: hwans...@mailbox.org
> 
> On Mon, 22 May 2023 23:40:46 +0100, James wrote:
> > On Sun, 21 May 2023 10:16:36 +0200, Holger wrote:
> > > There is also a problem using entities (or now called substitutions) in 
> > > quoted lines like
> >
> > >   deb https://deb.debian.org/debian RELEASENAME main contrib
> >
> > Ok, yep - I understand the problem there now, and have experimented with it 
> > a
> > bit locally.  Roughly speaking: substitutions aren't possible within literal
> > quote blocks (there is a '::' a couple of lines before the mentioned line, 
> > and
> > adding the pipe '|' symbols around the substitution label doesn't make a
> > difference within literal blocks)
> 
> It looks like the fix for that is to convert those literal ('::') blocks into
> parsed-literal[1] ('.. parsed-literal::') blocks.
> 
> [1] - 
> https://docutils.sourceforge.io/docs/ref/rst/directives.html#parsed-literal

Yes, that works! Thanks for this!

I have therefore changed all literal ('::') blocks into parsed-literal
('.. parsed-literal::') blocks.
In output, there seems to be no difference (at least in this document), and
this way it's easier for future editors (no need to distinguish between
two different versions of quoted blocks).


Holger



-- 
Holger Wansing 
PGP-Fingerprint: 496A C6E8 1442 4B34 8508  3529 59F1 87CA 156E B076

Bug#1035522: debian-security-support 11+2023.05.04 flagged for acceptance

[Adam D. Barratt]

On Tue, 2023-05-23 at 19:34 +, Holger Levsen wrote:
> On Tue, May 23, 2023 at 05:44:30PM +0100, Adam D. Barratt wrote:
> > In the interests of not blocking on things other than SRM's free
> > time,
> > how does this sound as some blurb for an announcement mail?
> > 
> > 
> > The debian-security-support package tracks the level of security
> > support
> > available for packages within Debian releases, allowing
> > administrators to
> > be alerted to installed packages for which support has had to be
> > limited
> > or prematurely ended.
> > 
> > The version of the package in bullseye can lead to the production
> > of a
> > large number of warning messages during an upgrade to the upcoming
> > bookworm release. This update resolves that issue.
> > 
> 
> sounds pretty good to me, thank you.

Great. That's now 
https://lists.debian.org/debian-stable-announce/2023/05/msg0.html

Regards,

Adam

Bug#1034168: RFS: profile-cleaner/2.44-1 [ITP] -- Reduces browser profile size by cleaning their sqlite databases

[Tobias Frost]

Package: sponsorship-requests
Followup-For: Bug #1034168
Control: tags -1 moreinfo

Hi Peter,

some review:
- d/postinst is not a place to post messages to users; also is does
not have the #DEBHELPER# token. dh_installdeb(1)
(For that, the lintian override is wrong too)

doc/pc.1 says:
".\" Text automatically generated by txt2man"

It seems that the source is missing (the input file for txt2man)?
It would be nice to have this and create the manpage at build time.
(Can you ask upstream to include the source file of the manpage?)


-- 
tobi

Bug#1036731: python3-debian: fails to parse some debian/control.in files

[Dylan Aïssi]

Package: python3-debian
Version: 0.1.49

Hello,

python3-debian is not able anymore to parse correctly some debian/control.in.
The first version with this issue is 0.1.44, so I suppose it is related to the
new RTS parser. The consequence of this bug is wrap-and-sort crashes when it
run on these files. Below is the error message:

Traceback (most recent call last):
  File "/usr/bin/wrap-and-sort", line 496, in 
main()
  File "/usr/bin/wrap-and-sort", line 481, in main
modified_files = wrap_and_sort(args)
 ^^^
  File "/usr/bin/wrap-and-sort", line 312, in wrap_and_sort
control = WrapAndSortControl(control_file, args)
  ^^
  File "/usr/bin/wrap-and-sort", line 99, in __init__
super().__init__(filename, use_rts_parser=args.rts_parser)
  File "/usr/lib/python3/dist-packages/devscripts/control.py", line
210, in __init__
self._deb822_file = parse_deb822_file(sequence)
^^^
  File "/usr/lib/python3/dist-packages/debian/_deb822_repro/parsing.py",
line 3095, in parse_deb822_file
deb822_file = Deb822FileElement(LinkedList(tokens))
^^
  File "/usr/lib/python3/dist-packages/debian/_util.py", line 159, in __init__
self.extend(values)
  File "/usr/lib/python3/dist-packages/debian/_util.py", line 272, in extend
for v in values:
  File "/usr/lib/python3/dist-packages/debian/_deb822_repro/_util.py",
line 104, in _impl
for token in token_stream:
  File "/usr/lib/python3/dist-packages/debian/_deb822_repro/_util.py",
line 104, in _impl
for token in token_stream:
  File "/usr/lib/python3/dist-packages/debian/_deb822_repro/parsing.py",
line 2991, in _build_field_with_value
value_element = next(buffered_stream, None)
^^^
  File "/usr/lib/python3/dist-packages/debian/_deb822_repro/_util.py",
line 143, in __next__
return next(self._stream)
   ^^
  File "/usr/lib/python3/dist-packages/debian/_deb822_repro/_util.py",
line 104, in _impl
for token in token_stream:
  File "/usr/lib/python3/dist-packages/debian/_deb822_repro/parsing.py",
line 2939, in _build_value_line
tokens_in_value = list(buffered_stream.takewhile(_non_end_of_line_token))
  ^^^
  File "/usr/lib/python3/dist-packages/debian/_deb822_repro/_util.py",
line 149, in takewhile
while buffer or self._fill_buffer(5):

  File "/usr/lib/python3/dist-packages/debian/_deb822_repro/_util.py",
line 198, in _fill_buffer
self._buffer.append(next(self._stream))
^^
  File "/usr/lib/python3/dist-packages/debian/_deb822_repro/_util.py",
line 104, in _impl
for token in token_stream:
  File "/usr/lib/python3/dist-packages/debian/_deb822_repro/parsing.py",
line 3031, in _abort_on_error_tokens
raise SyntaxOrParseError(
debian._deb822_repro.types.SyntaxOrParseError: Syntax or Parse error
on the line: "%if USE_SYSTEM_ZLIB\n"

An easy way to reproduce the crash is to run wrap-and-sort on the
debian/ folder of
firefox-esr:
> wget 
> http://deb.debian.org/debian/pool/main/f/firefox-esr/firefox-esr_102.11.0esr-1.debian.tar.xz
> tar -xvf firefox-esr
> wrap-and-sort

It crashes in a similar way on these packages: babel-minify and xapian-bindings.

Best regards,
Dylan

Bug#1034558: rnp: CVE-2023-29479 VE-2023-29480

[Daniel Kahn Gillmor]

On Wed 2023-05-24 07:32:31 +0200, Salvatore Bonaccorso wrote:
> Thanks! Note the deadline for unblock requests will be on 28th. So the
> unblock needs to be granted by then so we have the fixes in bookworm.
 
The associated unblock request for 1034558 is #1036721

--dkg


signature.asc
Description: PGP signature

Bug#1036730: u-boot-menu: Search for fdt files in version specific directory

[Markus Burri]

Source: u-boot-menu
Version: 4.2.2
Severity: normal

Dear Maintainer,
The update script search in a kernel version specific directory for 
fdt overlay files.
This allows to install fdt overlay files for multiple kernel version in
parallel.

Signed-off-by: Markus Burri 
---
 u-boot-update | 19 ++-
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/u-boot-update b/u-boot-update
index f887560..a93da3e 100755
--- a/u-boot-update
+++ b/u-boot-update
@@ -217,25 +217,34 @@ do
_FDT=""
fi
 
-   if [ -d "${_BOOT_PATH}/${U_BOOT_FDT_OVERLAYS_DIR}" ]
+   if [ -d "${_BOOT_PATH}/${U_BOOT_FDT_OVERLAYS_DIR}/" ]
+   then
+   _U_BOOT_FDT_OVERLAYS_DIR=${U_BOOT_FDT_OVERLAYS_DIR}
+   elif [ -d "${_BOOT_PATH}/${U_BOOT_FDT_OVERLAYS_DIR}${_VERSION}/" ]
+   then
+   _U_BOOT_FDT_OVERLAYS_DIR=${U_BOOT_FDT_OVERLAYS_DIR}${_VERSION}
+   else
+   _U_BOOT_FDT_OVERLAYS_DIR=""
+   fi
+   if [ -d "${_BOOT_PATH}/${_U_BOOT_FDT_OVERLAYS_DIR}" ]
then
_DTBO_LIST=""
if [ -n "${U_BOOT_FDT_OVERLAYS}" ]
then
for _DTBO in ${U_BOOT_FDT_OVERLAYS}
do
-   if [ -f 
"${_BOOT_PATH}/${U_BOOT_FDT_OVERLAYS_DIR}/${_DTBO}" ]
+   if [ -f 
"${_BOOT_PATH}/${_U_BOOT_FDT_OVERLAYS_DIR}/${_DTBO}" ]
then
-   _DTBO_LIST="${_DTBO_LIST} 
${U_BOOT_FDT_OVERLAYS_DIR}/${_DTBO}"
+   _DTBO_LIST="${_DTBO_LIST} 
${_U_BOOT_FDT_OVERLAYS_DIR}/${_DTBO}"
fi
done
else
-   for _DTBO_PATH in 
"${_BOOT_PATH}/${U_BOOT_FDT_OVERLAYS_DIR}/"*.dtbo
+   for _DTBO_PATH in 
"${_BOOT_PATH}/${_U_BOOT_FDT_OVERLAYS_DIR}/"*.dtbo
do
if [ -f "${_DTBO_PATH}" ]
then
_DTBO=$(basename "${_DTBO_PATH}")
-   _DTBO_LIST="${_DTBO_LIST} 
${U_BOOT_FDT_OVERLAYS_DIR}/${_DTBO}"
+   _DTBO_LIST="${_DTBO_LIST} 
${_U_BOOT_FDT_OVERLAYS_DIR}/${_DTBO}"
fi
done
fi
-- 
2.39.2

Bug#1036705: override: adduser:admin/required

[Sebastian Ramacher]

Control: tags -1 trixie

On 2023-05-24 19:40:48 +0200, Helmut Grohne wrote:
> On Wed, May 24, 2023 at 06:54:01PM +0200, Cyril Brulebois wrote:
> > Watching from the sideline, this seems to come in horribly late.
> 
> How am I not to agree with this?
> 
> > > apt used to depend on adduser and apt is required, so adduser is
> > > transitively required in bullseye. Johannes and myself worked towards
> > > making apt not depend on adduser and that work succeeded.
> > 
> > FSVO “success” then, given the rest of the mail…
> 
> I'm really sorry about this. None of us saw the deluser breakage coming.
> After all, we were "just" killing a dependency. We should have noticed
> that it was the last and thus possibly having bad effects, yes. We did
> not. When I caught one of Andreas' bug reports about this, I immediately
> informed the release team to not loose any further time. It was already
> horribly late back then. :-(
> 
> > Via olasd/#debian-release: adduser got that field, not apt.
> 
> Thanks.
> 
> > Same question as before, why not just add the dependency back?
> 
> That dependency is conceptually wrong now. apt does not need adduser
> anymore. I think the initial idea was to add it back, but Julian rightly
> pushed back on this.
> 
> A major technical goal was to push adduser out of the essential+apt
> package set (which hints that we should have paid more attention,
> sorry). Adding this dependency breaks that goal while adding protected
> or required does not, so we'd actually get what we wanted.
> 
> > Aren't we risking a redux of “we turned another knob, and now we're
> > discovering yet another issue”?
> 
> It is very difficult to disagree with this one given that I thought
> "Protected: yes" to be harmless earlier.
> 
> > But I'm very much worried about possible side effects at this critical
> > stage of the freeze.
> 
> I will not stand in the way of turning this back and adding the
> dependency back to apt. It seemed to me though that this was not the
> preferred solution and that a (FSVO) better solution was available.
> 
> In theory, "Protected: yes" should solve the issue for purging. It just
> happens that piuparts does deal well with this, so the remaining issue
> is one of having broken a QA tool rather than having broken something
> for real. I can try talking to Nicolas about possibilites of adapting
> piuparts instead.

At this stage of freeze, it's too late to experiment with Protected: yes
in required that would work in theory, but where we know that one of
them fail in practice (by breaking at least piuparts) and for the other
we don't have any data.

So, as discussed in today's RT meeting, let's postpone this change to
trixie (or any other solution that isn't apt depending on adduser).

Cheers
-- 
Sebastian Ramacher

Bug#927747: bind9_dlz backend is entirely broken in Debian

[Michael Tokarev]

This is https://bugzilla.samba.org/show_bug.cgi?id=14030
and also #1036587 .

/mjt

Bug#1035654: non-essential adduser poses problems to purging packages

[Sebastian Ramacher]

Hi Julian,

On 2023-05-16 22:15:33 +0200, Sebastian Ramacher wrote:
> On 2023-05-07 20:30:03 +0200, Helmut Grohne wrote:
> > On Sun, May 07, 2023 at 08:16:14PM +0200, Julian Andres Klode wrote:
> > > I don't have a problem pushing a 2.6.1 out with this in the coming days. 
> > > Is
> > > this the best solution though - maybe setting Essential on adduser might 
> > > be
> > > easier and formally fix the issue for now.
> > 
> > I was also thinking that maybe it really should be essential for now.
> > 
> > > We generally do not expect stuff to depend on apt. This seems to be a gap
> > > in piuparts, that it has apt installed while testing packages.
> > 
> > Even if we made apt depend on adduser again, packages would still fail
> > purging if you removed apt and adduser beforehand. Julian also pointed
> > out another advantage on IRC: By using the Essential flag, we can
> > forcefully remove adduser while keeping apt. This option is unavailable
> > given a dependency.
> 
> If you agree that making it Essential: yes or Protected: yes, then
> please go ahead with implementing this change. The window to fix this is
> closing quickly.

Adding Protected: yes to adduser has broken piuparts (and maybe other
tools that we do not know about). As the time is running out to
experiment with other solutions to this bug, please put back the
dependency on adduser for bookworm. This change restores the state from
bullseye and was agreed on in today's RT meeting.

After the release, dropping the adduser from Depends and all other
changes can be revisisted.

Cheers
-- 
Sebastian Ramacher

Bug#1036729: ITP: libfuture-xs-perl -- experimental XS implementation of Future

[gregor herrmann]

Package: wnpp
Owner: gregor herrmann 
Severity: wishlist
X-Debbugs-CC: debian-de...@lists.debian.org, debian-p...@lists.debian.org

* Package name: libfuture-xs-perl
  Version : 0.10
  Upstream Author : Paul Evans 
* URL : https://metacpan.org/release/Future-XS
* License : Artistic or GPL-1+
  Programming Lang: Perl
  Description : experimental XS implementation of Future

Future::XS provides an XS-based implementation of the Future class. It is
currently experimental and shipped in its own distribution for testing
purposes, though once it seems stable the plan is to move it into the main
Future distribution and load it automatically in favour of the pureperl
implementation on supported systems.

The package will be maintained under the umbrella of the Debian Perl Group.

--
Generated with the help of dpt-gen-itp(1) from pkg-perl-tools.


signature.asc
Description: Digital Signature

Bug#1036723: [pkg-php-pear] Bug#1036723: RM: php-finder-facade/experimental -- ROM; Useless in Debian

[David Prévot]

Le 24/05/2023 à 21:07, David Prévot a écrit :

Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: php-finder-fac...@packages.debian.org, Debian PHP PEAR Maintainers 

Control: affects -1 + src:php-finder-facade


[ Forgot to add the rationales, same as #1036724, sorry. ]

Hi,

As explained three years ago in #977801, this package is not used
anymore, and has not been updated upstream since. Thanks in advance for
removing it.

Regards,

taffit

Bug#1036728: unblock: fai/6.0.3

[Thomas Lange]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package fai


I've added a small patch, which prevents overwriting a variable
with an empty value. Now we only write if the variable is not empty.

The PR for this says: do not write an (always empty) SERVER= line to bootlog


 debian/changelog  |7 +++
 lib/get-boot-info |4 +++-
 2 files changed, 10 insertions(+), 1 deletion(-)


[ Reason ]
>From the PR:

when i dug around a little it appears that the problem is in the
setnet function of /usr/lib/fai/get-boot-info. it looks like commit
6e1cbda removed the line in setnet where $SERVER was previously
defined but left in the bit where the (now empty) variable is written
to boot.log (which is consumed later). if i remove that leftover line
fai reports the expected/desired:


[ Impact ]

[ Tests ]
I've reviewed the code change.

[ Risks ]
No risks expected.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock fai/6.0.3



diff -Nru fai-6.0.2/debian/changelog fai-6.0.3/debian/changelog
--- fai-6.0.2/debian/changelog  2023-05-07 17:25:35.0 +0200
+++ fai-6.0.3/debian/changelog  2023-05-24 11:57:11.0 +0200
@@ -1,3 +1,10 @@
+fai (6.0.3) unstable; urgency=high
+
+  *  get-boot-info: write $SERVER only if string is non-epmty
+ fixes https://github.com/faiproject/fai/pull/118
+
+ -- Thomas Lange   Wed, 24 May 2023 11:57:11 +0200
+
 fai (6.0.2) unstable; urgency=high
 
   [ Thomas Lange ]
diff -Nru fai-6.0.2/lib/get-boot-info fai-6.0.3/lib/get-boot-info
--- fai-6.0.2/lib/get-boot-info 2022-11-13 00:32:00.0 +0100
+++ fai-6.0.3/lib/get-boot-info 2023-05-24 11:56:44.0 +0200
@@ -86,9 +86,11 @@
IPADDR=$IPADDR
CIDR=$CIDR
GATEWAYS=$GATEWAYS
-   SERVER=$SERVER
 EOF
 fi
+if [ -n "$SERVER" ]; then
+   echo "SERVER=$SERVER" >> $bootlog
+fi
 
 if [ -n "$DOMAIN" ]; then
 # DOMAIN was specified on the kernel command line

Bug#1036727: ITP: libfuture-queue-perl -- FIFO queue of values that uses Futures

[gregor herrmann]

Package: wnpp
Owner: gregor herrmann 
Severity: wishlist
X-Debbugs-CC: debian-de...@lists.debian.org, debian-p...@lists.debian.org

* Package name: libfuture-queue-perl
  Version : 0.51
  Upstream Author : Paul Evans 
* URL : https://metacpan.org/release/Future-Queue
* License : Artistic or GPL-1+
  Programming Lang: Perl
  Description : FIFO queue of values that uses Futures

Objects in this class provide a simple FIFO queue the stores arbitrary perl
values. Values may be added into the queue using the push method, and
retrieved from it using the shift method.

Values may be stored within the queue object for shift to retrieve later, or
if the queue is empty then the future that shift returns will be completed
once an item becomes available.

The package will be maintained under the umbrella of the Debian Perl Group.

--
Generated with the help of dpt-gen-itp(1) from pkg-perl-tools.


signature.asc
Description: Digital Signature

Bug#1036726: RM: php-doctrine-bundle -- ROM; Useless in Debian

[David Prévot]

Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: php-doctrine-bun...@packages.debian.org, Debian PHP PEAR 
Maintainers 
Control: affects -1 + src:php-doctrine-bundle

Hi,

As explained two years ago in #996108, this package is not used
anymore. Thanks in advance for removing it.

Regards,

taffit


signature.asc
Description: PGP signature

Bug#1036725: RM: php-token-stream -- ROM; Useless in Debian

[David Prévot]

Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: php-token-str...@packages.debian.org, Debian PHP PEAR Maintainers 

Control: affects -1 + src:php-token-stream

Hi,

As explained three years ago in #977802, this package is not used
anymore, and has not been updated upstream since. Thanks in advance for
removing it.

Regards,

taffit


signature.asc
Description: PGP signature

Bug#1036705: override: adduser:admin/required

[Sean Whitton]

control: tag -1 + moreinfo

Hello,

On Wed 24 May 2023 at 04:03PM +02, Helmut Grohne wrote:

> Package: ftp.debian.org
> Severity: normal
> User: ftp.debian@packages.debian.org
> Usertags: override
> X-Debbugs-Cc: addu...@packages.debian.org, debian-b...@lists.debian.org,
> debian-rele...@lists.debian.org, jo...@debian.org, de...@lists.debian.org,
> piuparts-de...@alioth-lists.debian.net
> Control: affects -1 + src:adduser
>
> Hi,
>
> I am requesting to override the priority of adduser to become required.

This requires a release team ACK.

-- 
Sean Whitton


signature.asc
Description: PGP signature

Bug#1036676: transition: nvidia-cuda-toolkit 12

[Cyril Brulebois]

Hi Andreas,

Andreas Beckmann  (2023-05-24):
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: transition

> Ben file: 
> https://release.debian.org/transitions/html/auto-nvidia-cuda-toolkit.html
> (there are some more packages that B-D: nvidia-cuda-toolkit but have
> no library dependencies)

Just for the avoidance of doubt since this topic came up during our
meeting: this is definitely post-bookworm, right?


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant


signature.asc
Description: PGP signature

Bug#1036676: transition: nvidia-cuda-toolkit 12

[Andreas Beckmann]

On 24/05/2023 21.13, Cyril Brulebois wrote:

Just for the avoidance of doubt since this topic came up during our
meeting: this is definitely post-bookworm, right?


Yes.

Andreas

Bug#1035099: RFS: sentrypeer/3.0.0-1 -- SIP peer to peer honeypot for VoIP

[Tobias Frost]

Control: tags -1 moreinfo

Hi Henry,

this is an quick and very likely incomplete review of sentrypeer.
(I do not intent to sponsor this package.)

- you need to file an ITP bug and close it in the debian changelog.
- you need to target unstable in the debian changelog.
- postinst: please read in policy about users and groups creation.
  (maybe you could also use systemd's DynamicUser feature to avoid
static user/group generation)
- postrm: don't delete the user.
- d/rules:  --with autoreconf is default in modern debhelper, shoudln't
be needed.

-- 
Cheers
tobi

Bug#1036723: RM: php-finder-facade/experimental -- ROM; Useless in Debian

[David Prévot]

Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: php-finder-fac...@packages.debian.org, Debian PHP PEAR 
Maintainers 
Control: affects -1 + src:php-finder-facade


signature.asc
Description: PGP signature

Bug#1036724: RM: php-finder-facade -- ROM; Useless in Debian

[David Prévot]

Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: php-finder-fac...@packages.debian.org, Debian PHP PEAR 
Maintainers 
Control: affects -1 + src:php-finder-facade

Hi,

As explained three years ago in #977801, this package is not used
anymore, and has not been updated upstream since. Thanks in advance for
removing it.

Regards,

taffit


signature.asc
Description: PGP signature

Bug#1036722: unblock: thunderbird/1:102.11.0-1

[Carsten Schoenert]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: thunderb...@packages.debian.org
Control: affects -1 + src:thunderbird

Please unblock package thunderbird

[ Reason ]
Upstream released a new ESR version of Thunderbird which included as
usual some CVE fixes a few days ago.
https://www.mozilla.org/en-US/security/advisories/mfsa2023-18/

[ Impact ]
Users of bookworm would need to stay with the previous release
1:102.10.0-1 without the latest fixes.

[ Tests ]
The package build has a small set of tests which are successfully
succeeded.
I also use the new version on various devices without any problems.

[ Risks ]
The risk is nearly zero, the same version was build for Debian stable
and oldstable are in the archive and are used without reported problems.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [ ] attach debdiff against the package in testing

[ Other info ]
I don't have added a debdiff as this would be a rather hughe diff due
the included changes from the underlying changes from firefox.
The changes between 102.10.0 and 102.11.0 can be viewed on Salsa on

https://salsa.debian.org/mozilla-team/thunderbird/-/commit/0626d725e05e7c6a4ef4fb204dddbbd0d1e116c9

unblock thunderbird/1:102.11.0-1

Bug#1023472: Workaround implemented for live images

[Cyril Brulebois]

Hi,

Holger Wansing  (2023-05-20):
> Do you think, that just changing the order in the Recommends packages
> list like in
> 
>   Depends: ${misc:Depends},
>task-desktop,
> + # Mention the preferred theme before sddm, otherwise another theme will be 
> used
> +  sddm-theme-debian-elarun | sddm-theme,
>sddm,
> -  sddm-theme-debian-elarun | sddm-theme-debian-elarun,

Oh, the existing alternative is… interesting!

> changes the result?
> My guess would be that the order is of no relevance.

My initial reply started like this:
 - Order matters when it comes to an alternative, with the first package
   listed possibly getting preferential treatment.
 - Outside alternatives, as far as I know, order shouldn't matter.

Reality disagrees though, as apt's resolution gives wildly different
results.

I repacked task-lqxt-desktop manually, leading to this debdiff:

Depends: tasksel (= 3.72), task-desktop, [-sddm,-] sddm-theme-debian-elarun 
| sddm-theme-debian-elarun, {+sddm,+} lxqt
Version: [-3.72-] {+3.72+reorder+}

then created a sid chroot via debootstrap, and compared the simulation
of installing both packages (without accepting):

apt-get install -s /tmp/task-lxqt-desktop_3.72_all.deb  /tmp/1
apt-get install -s /tmp/task-lxqt-desktop_3.72+reorder_all.deb  
/tmp/2

(This isn't really tasksel/pkgsel but still…)

Comparing packages getting Inst-alled, we get the following results:

-accountsservice
-aha
-appstream
-apt-config-icons
-apt-config-icons-hidpi
-apt-config-icons-large
-apt-config-icons-large-hidpi
-bluedevil
-bluez-obexd
-bolt
-breeze
-breeze-cursor-theme
-breeze-gtk-theme
-breeze-icon-theme
-bup
-bup-doc
-catdoc
-cryfs
-debconf-kde-data
-debconf-kde-helper
-distro-info-data
-dnsmasq-base
-dns-root-data
-docbook-xsl
-drkonqi
-fonts-noto
-fonts-noto-cjk
-fonts-noto-cjk-extra
-fonts-noto-color-emoji
-fonts-noto-core
-fonts-noto-extra
-fonts-noto-hinted
-fonts-noto-ui-core
-fonts-noto-ui-extra
-fonts-noto-unhinted
-frameworkintegration
-fwupd
-fwupd-amd64-signed
-gdb-minimal
-git
-git-man
-ibus-data
-jq
-kaccounts-providers
-kde-cli-tools
-kde-cli-tools-data
-kde-config-gtk-style
-kde-config-screenlocker
-kde-config-sddm
-kde-config-updates
-kdeconnect
-kde-style-breeze
-kde-style-oxygen-qt5
-kdoctools5
-keditbookmarks
-kgamma5
-khelpcenter
-khotkeys
-khotkeys-data
-kinfocenter
-kinit
-kio-extras
-kio-extras-data
-kmenuedit
-kpeople-vcard
-kscreen
-ksshaskpass
-ksystemstats
-ktexteditor-data
-ktexteditor-katepart
-kup-backup
-kuserfeedback-doc
-kwalletmanager
-kwin-common
-kwin-data
-kwin-style-breeze
-kwin-wayland
-kwin-x11
-kwrited
-layer-shell-qt
-libaccounts-glib0
-libaccounts-qt5-1
-libaccountsservice0
-libappimage1.0abi1
-libappstream4
-libappstreamqt2
-libaribb24-0
-libbluetooth3
-libboost-chrono1.74.0
-libboost-program-options1.74.0
-libcanberra-pulse
-libcbor0.8
-libcolorcorrect5
-libdebconf-kde1
-libdebuginfod1
-libdebuginfod-common
-libdmtx0b
-libdvbpsi10
-libebml5
-libeditorconfig0
-libefiboot1
-libefivar1
-libepub0
-liberror-perl
-libfakekey0
-libfido2-1
-libflashrom1
-libfmt9
-libftdi1-2
-libfuse2
-libfwupd2
-libgcab-1.0-0
-libgif7
-libgit2-1.5
-libgps28
-libgrantlee-templates5
-libgsettings-qt1
-libhttp-parser2.9
-libibus-1.0-5
-libical3
-libipt2
-libixml10
-libjaylink0
-libjcat1
-libjq1
-libjs-jquery
-libjs-underscore
-libkaccounts2
-libkdecorations2-5v5
-libkdecorations2private10
-libkdsoap1
-libkf5activitiesstats1
-libkf5baloo5
-libkf5balooengine5
-libkf5bluezqt6
-libkf5bluezqt-data
-libkf5bookmarks5
-libkf5bookmarks-data
-libkf5calendarevents5
-libkf5configqml5
-libkf5contacts5
-libkf5contacts-data
-libkf5dnssd5
-libkf5dnssd-data
-libkf5filemetadata3
-libkf5filemetadata-bin
-libkf5filemetadata-data
-libkf5holidays5
-libkf5holidays-data
-libkf5i18nlocaledata5
-libkf5js5
-libkf5kdelibs4support5
-libkf5kdelibs4support5-bin
-libkf5kdelibs4support-data
-libkf5kexiv2-15.0.0
-libkf5khtml5
-libkf5khtml-bin
-libkf5khtml-data
-libkf5kiofilewidgets5
-libkf5modemmanagerqt6
-libkf5networkmanagerqt6
-libkf5newstuff5
-libkf5newstuff-data
-libkf5newstuffwidgets5
-libkf5parts5
-libkf5parts-data
-libkf5parts-plugins
-libkf5people5
-libkf5peoplebackend5
-libkf5people-data
-libkf5peoplewidgets5
-libkf5plasmaquick5
-libkf5prison5
-libkf5prisonscanner5
-libkf5pty5

Bug#1036702: qtbase-opensource-src-gles: CVE-2023-32762

[Dmitry Shachnev]

Control: retitle -1 qtbase-opensource-src-gles: CVE-2023-32763

On Wed, May 24, 2023 at 04:00:31PM +0200, Moritz Mühlenhoff wrote:
> Confused the CVE IDs, this is for CVE-2023-32763, which is the SVG issue.
> CVE-2023-32762 being about HSTS should not affect -gles.

Right. Retitling accordingly.

--
Dmitry Shachnev


signature.asc
Description: PGP signature

Bug#1036213: apache2: frequent SIGSEGV in mod_http2.so (purge_consumed_buckets)

[Stefan Eissing]

> Am 24.05.2023 um 16:10 schrieb Bastien Durel :
> 
> Le mercredi 24 mai 2023 à 14:50 +0200, Stefan Eissing a écrit :
>> I continue to improve mod_proxy_http2:
>> https://github.com/icing/mod_h2/releases/tag/v2.0.17
>> 
>> Added more edge case tests for the module, fixed observed bugs. But
>> have not replicated your crashes which look weird. Sorry.
> 
> Hello,
> 
> I've put it in use on my server.
> 
> Do you need the configuration I use to serve these requests ?

I could use it to try to reproduce, yes.

> 
> Thanks,
> 
> -- 
> Bastien
> 

Bug#1036721: unblock: rnp/0.16.3-1

[Daniel Kahn Gillmor]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: r...@packages.debian.org, d...@fifthhorseman.net
Control: affects -1 + src:rnp
Control: blocks -1 + 1034558

Please unblock package rnp

[ Reason ]

RNP upstream provided a narrowly-targeted point release (0.16.3) for
fixing two CVEs.  It is a small diff from 0.16.2, which is already in
testing.

[ Impact ]

Without this fix, the two CVEs will remain open:

 - CVE-2023-29479 (possible hang on malformed inputs)
 - CVE-2023-29480 (some secret keys may remain unlocked after use) 

Anyone using thunderbird (the most prominent consumer of librnp for
OpenPGP messages) will be vulnerable to them.

>From a debian perspective, debian RC bug #1034558 could cause the
ejection of librnp from testing, which would damage our ability to
ship thunderbird.

[ Tests ]

librnp upstream ships a substantial test suite in src/tests/ --
src/tests/ffi-enc.cpp has been updated to ensure that secret keys
remain locked (CVE-2023-29480).  I haven't seen a test for
CVE-2023-29479, but i've asked upstream for one (they might not want
to include a PoC artifact until the fix is more widely distributed):

   https://github.com/rnpgp/rnp/issues/2082

[ Risks ]

The code changes are small and relatively compact.  there are a few
other source changes beyond the CVE fixes, mostly either shell script
cleanup or improvements to builds on MacOS.  I've opted to go with
upstream's 0.16.3 rather than cherry-picking the CVE fixes because the
differences are relatively small and it's better for the user to see
that they're running the upstream bugfix release explicitly.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock rnp/0.16.3-1
diff -Nru rnp-0.16.2/CHANGELOG.md rnp-0.16.3/CHANGELOG.md
--- rnp-0.16.2/CHANGELOG.md 2022-09-22 05:27:54.0 -0400
+++ rnp-0.16.3/CHANGELOG.md 2023-04-12 20:27:38.0 -0400
@@ -1,5 +1,12 @@
 ## Changelog
 
+### 0.16.3 [2023-04-11]
+
+ Security
+
+* Fixed issue with possible hang on malformed inputs (CVE-2023-29479).
+* Fixed issue where in some cases, secret keys remain unlocked after use 
(CVE-2023-29480).
+
 ### 0.16.2 [2022-09-20]
 
  General
diff -Nru rnp-0.16.2/ci/lib/install_functions.inc.sh 
rnp-0.16.3/ci/lib/install_functions.inc.sh
--- rnp-0.16.2/ci/lib/install_functions.inc.sh  2022-09-22 05:27:54.0 
-0400
+++ rnp-0.16.3/ci/lib/install_functions.inc.sh  2023-04-12 20:27:38.0 
-0400
@@ -19,6 +19,11 @@
 : "${RECOMMENDED_CMAKE_VERSION:=3.20.5}"
 : "${RECOMMENDED_PYTHON_VERSION:=3.9.2}"
 : "${RECOMMENDED_RUBY_VERSION:=2.5.8}"
+# Bundler version to use if Ruby version is less then
+# FALLBACK_BUNDLER_RUBY_VERSION
+: "${FALLBACK_BUNDLER_VERSION:=2.3.26}"
+: "${FALLBACK_BUNDLER_RUBY_VERSION:=2.6.0}"
+
 : "${RECOMMENDED_BOTAN_VERSION_MSYS:=${RECOMMENDED_BOTAN_VERSION}-1}"
 
 : "${CMAKE_VERSION:=${RECOMMENDED_CMAKE_VERSION}}"
@@ -69,6 +74,17 @@
   rm /usr/local/Cellar/openssl || true
   # homebrew fails to update python 3.9.1 to 3.9.1.1 due to unlinking failure
   rm /usr/local/bin/2to3 || true
+  # homebrew fails to update python from 3.9 to 3.10 due to another unlinking 
failure
+  rm /usr/local/bin/idle3 || true
+  rm /usr/local/bin/pydoc3 || true
+  rm /usr/local/bin/python3 || true
+  rm /usr/local/bin/python3-config || true
+  # homebrew fails to update python from 3.11.0 to 3.11.1
+  rm /usr/local/bin/2to3-3.11 || true
+  rm /usr/local/bin/idle3.11 || true
+  rm /usr/local/bin/pydoc3.11 || true
+  rm /usr/local/bin/python3.11 || true
+  rm /usr/local/bin/python3.11-config || true
   # homebrew fails to update openssl@1.1 1.1.1l to 1.1.1l_1 due to linking 
failure of nghttp2.h
   brew unlink nghttp2 || true
   brew update
@@ -252,6 +268,7 @@
 }
 
 linux_install_centos8() {
+  "${SUDO}" "${YUM}" -y -q install 'dnf-command(config-manager)'
   "${SUDO}" "${YUM}" config-manager --set-enabled powertools
   yum_prepare_repos epel-release
   yum_install_build_dependencies \
@@ -492,7 +509,7 @@
   automake_build=${LOCAL_BUILDS}/automake
   mkdir -p "${automake_build}"
   pushd "${automake_build}"
-  curl -L -o automake.tar.xz 
https://ftp.gnu.org/gnu/automake/automake-${AUTOMAKE_VERSION}.tar.xz
+  curl -L -o automake.tar.xz 
"https://ftp.gnu.org/gnu/automake/automake-${AUTOMAKE_VERSION}.tar.xz;
   tar -xf automake.tar.xz --strip 1
   ./configure --enable-optimizations --prefix=/usr && ${MAKE} 
-j"${MAKE_PARALLEL}" && ${SUDO} make install
   popd
@@ -687,7 +704,11 @@
 
 # ruby-rnp
 install_bundler() {
-  gem_install bundler bundle
+  if is_version_at_least ruby "${FALLBACK_BUNDLER_RUBY_VERSION}" command ruby 
-e 'puts RUBY_VERSION'; then
+gem_install bundler bundle
+  else
+gem_install "bundler:${FALLBACK_BUNDLER_VERSION}" bundle
+  fi
 }
 
 install_asciidoctor() {
@@ -747,7 +768,7 @@
   ;;
 *)
   # TODO: handle 

Bug#1036705: override: adduser:admin/required

[Helmut Grohne]

On Wed, May 24, 2023 at 06:54:01PM +0200, Cyril Brulebois wrote:
> Watching from the sideline, this seems to come in horribly late.

How am I not to agree with this?

> > apt used to depend on adduser and apt is required, so adduser is
> > transitively required in bullseye. Johannes and myself worked towards
> > making apt not depend on adduser and that work succeeded.
> 
> FSVO “success” then, given the rest of the mail…

I'm really sorry about this. None of us saw the deluser breakage coming.
After all, we were "just" killing a dependency. We should have noticed
that it was the last and thus possibly having bad effects, yes. We did
not. When I caught one of Andreas' bug reports about this, I immediately
informed the release team to not loose any further time. It was already
horribly late back then. :-(

> Via olasd/#debian-release: adduser got that field, not apt.

Thanks.

> Same question as before, why not just add the dependency back?

That dependency is conceptually wrong now. apt does not need adduser
anymore. I think the initial idea was to add it back, but Julian rightly
pushed back on this.

A major technical goal was to push adduser out of the essential+apt
package set (which hints that we should have paid more attention,
sorry). Adding this dependency breaks that goal while adding protected
or required does not, so we'd actually get what we wanted.

> Aren't we risking a redux of “we turned another knob, and now we're
> discovering yet another issue”?

It is very difficult to disagree with this one given that I thought
"Protected: yes" to be harmless earlier.

> But I'm very much worried about possible side effects at this critical
> stage of the freeze.

I will not stand in the way of turning this back and adding the
dependency back to apt. It seemed to me though that this was not the
preferred solution and that a (FSVO) better solution was available.

In theory, "Protected: yes" should solve the issue for purging. It just
happens that piuparts does deal well with this, so the remaining issue
is one of having broken a QA tool rather than having broken something
for real. I can try talking to Nicolas about possibilites of adapting
piuparts instead.

Helmut

Bug#1036720: unblock: sxmo-utils/1.12.0-7

[Jochen Sprickerhof]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: sxmo-ut...@packages.debian.org
Control: affects -1 + src:sxmo-utils

Please unblock package sxmo-utils

[ Reason ]
Removing sxmo-utils but not purging it leaves behind a
/etc/profile.d/sxmo_init.sh that fails to run cause it can't find
dependent files.

[ Impact ]
Users that removed sxmo-utils can't login any longer.

[ Tests ]
Manual tests.

[ Risks ]
None

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock sxmo-utils/1.12.0-7
diff --git a/debian/changelog b/debian/changelog
index fdc3418..ffb3f4f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+sxmo-utils (1.12.0-7) unstable; urgency=medium
+
+  * Add patch to fix login when sxmo is removed
+
+ -- Jochen Sprickerhof   Wed, 24 May 2023 19:15:29 +0200
+
 sxmo-utils (1.12.0-6) unstable; urgency=medium
 
   * Replace pn by pnc
diff --git 
a/debian/patches/0023-Don-t-fail-when-sxmo-utils-is-removed-but-not-purged.patch
 
b/debian/patches/0023-Don-t-fail-when-sxmo-utils-is-removed-but-not-purged.patch
new file mode 100644
index 000..1cfd500
--- /dev/null
+++ 
b/debian/patches/0023-Don-t-fail-when-sxmo-utils-is-removed-but-not-purged.patch
@@ -0,0 +1,20 @@
+From: Jochen Sprickerhof 
+Date: Wed, 24 May 2023 19:12:45 +0200
+Subject: Don't fail when sxmo-utils is removed (but not purged)
+
+---
+ configs/profile.d/sxmo_init.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/configs/profile.d/sxmo_init.sh b/configs/profile.d/sxmo_init.sh
+index d4792e6..3906c7f 100644
+--- a/configs/profile.d/sxmo_init.sh
 b/configs/profile.d/sxmo_init.sh
+@@ -4,6 +4,7 @@
+ 
+ # This script is meant to be sourced on login shells
+ # shellcheck source=scripts/core/sxmo_common.sh
++test -f /usr/bin/sxmo_common.sh || return 0
+ . sxmo_common.sh
+ 
+ _sxmo_is_running() {
diff --git a/debian/patches/series b/debian/patches/series
index 5e3ae5a..21d7a8b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -20,3 +20,4 @@ no_doas.patch
 0020-Fix-Bluetooth-toogle.patch
 0021-replace-pn-with-pnc.patch
 0022-add-missing-pn-pnc.patch
+0023-Don-t-fail-when-sxmo-utils-is-removed-but-not-purged.patch

Bug#1036719: minuet-data: The file /usr/share/minuet/soundfonts/GeneralUser-v1.47.sf2 has unclean license

[Anatoliy Gunya]

Package: minuet-data
Version: 17.08.3-2
Severity: minor

Dear Maintainer,

Package minuet-data contains file
/usr/share/minuet/soundfonts/GeneralUser-v1.47.sf2. The origin of this 
file is [1]. This file has unclean GeneralUser license which contains 
such text



** License of the complete work **
You may use GeneralUser GS without restriction for your own music creation, 
private or commercial.  This SoundFont bank is provided to the community free 
of charge.  Please feel free to use it in your software projects, and to modify 
the SoundFont bank or its packaging to suit your needs.
** License of contained samples **
GeneralUser GS inherits the usage rights of the samples contained within, all 
of which allow full use in music production, including the ability to make 
profit from musical recordings created with GeneralUser GS.

Many of the samples are original, but some were taken from other banks freely (and 
legally) available on the Internet from various SoundFont websites. Because GeneralUser 
GS originated as a personal project with no intention for publication, I cannot be 100% 
sure where all of the samples originated, although I do know that none of them came from 
commercially published SoundFont packages or sample CDs. Regardless, many 
"free" SoundFonts available on the web may indeed contain samples of 
questionable origin.  My understanding of the copyrights of all samples is only as good 
as the information provided by the original sources. If you become aware of any 
restricted samples being used in GeneralUser GS, please let me know so I can replace them.



Is that license suitable for Debian? Does debian/copyright file from 
minuet package have to contain this license?


Also there is a thread about this license [2] at 
debian-le...@lists.debian.org where there is an opinion that this 
license is not DFSG.


--

[1] https://www.schristiancollins.com/generaluser.php

[2] https://lists.debian.org/debian-legal/2023/03/msg2.html

-- no debconf information

Bug#1035082: RFS: libfilezilla/0.42.2-1 -- build high-performing platform-independent programs (runtime lib)

[Tobias Frost]

Control: tags -1 moreinfo

Hi Philip,

On Sat, 29 Apr 2023 08:40:07 +0100 Philip Wyett 
> 
>   dget -x
https://mentors.debian.net/debian/pool/main/libf/libfilezilla/libfilezilla_0.42.2-1.dsc
> 

>    * Soname bump rename package to libfilezilla38

There seems to be a mismatch with the SONAME:

W: libfilezilla38: package-name-doesnt-match-sonames libfilezilla36

Package contains indeed /usr/lib/x86_64-linux-
gnu/libfilezilla.so.36.2.0

-- 
Cheers,
tobi

Bug#1036718: unblock: slurm-wlm-contrib/22.05.8-4

[Gennaro Oliva]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: oliv...@na.icar.cnr.it

Please unblock package slurm-wlm-contrib

This release provide the same version level of the free package
slurm-wlm

[ Reason ]
This package has no change, this transition is only needed to align its
version to the main version of the package in in the free section.

[ Impact ]
There is no impact

[ Tests ]
The usual test I do before releasing were successfully conducted.

[ Risks ]
I see no risk in upgrading this package.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock slurm-wlm-contrib/22.05.8-4
-- 
Gennaro Oliva

Bug#237675: possible interest

[Jose Custodio Rodriguez Ardila]

I have a brief project that will be of interest to you. Reach me back via email 
(azzopa...@sonic.net) to know more details.

































AVISO LEGAL:
- Las opiniones expresadas en el presente mensaje no representan necesariamente 
la opinión oficial de La Universidad de La Salle.
- Este mensaje es confidencial, puede contener información privilegiada y no 
puede ser usado ni divulgado por personas distintas de su destinatario. Si 
obtiene esta transmisión por error, por favor destruya su contenido y avise al 
remitente. Está prohibida su retención, grabación, utilización o divulgación 
con cualquier propósito.
- Este mensaje ha sido sometido a programas antivirus. No obstante, La 
Universidad de La Salle no asume ninguna responsabilidad por eventuales daños 
generados por el recibo y uso de este material, siendo responsabilidad del 
destinatario verificar con sus propios medios de la existencia de virus u otros 
defectos.

LEGAL WARNING:
- The opinions stated in the present message do not necessarily represent the 
official opinion of Universidad de La Salle.
- This message is confidential and may contain privileged information, it 
cannot be used or disclosed by any person other than the individual to whom it 
is addressed. If obtained by error, please destroy the information received and 
contact the sender. Its retention, recording, use or distribution with any 
intention are prohibited.
- This message has been tested by antivirus software. Nonetheless, the 
Universidad de La Salle assumes no responsibility for damages caused by the 
receptor or use of the material, given that it is the responsibility of the 
addressee to verify by his own means the presence of a virus or any other 
harmful defect.
'.

Bug#1036584: libopenjpip-viewer: broken symlink: /usr/bin/opj_jpip_viewer -> ../share/opj_jpip_viewer/opj_jpip_viewer.jar

[Andreas Metzler]

On 2023-05-24 Mathieu Malaterre  wrote:
> On Wed, May 24, 2023 at 6:21 PM Andreas Metzler  wrote:
[...]
> > Correct patch attached. Stuff was built but the respective dh_install
> > call was shadowed and therefore content was not shipped in the package.

> [...]
> -override_dh_install-indep:
> - dh_install -p$(pkg_doc) debian/tmp/usr/share/doc
> -
> [...]

> Isn't this going to break the openjpeg-doc package ?

Hello Mathieu,

No, replaced by the second part of the patch

8X---
--- openjpeg2-2.5.0/debian/openjpeg-doc.install 1970-01-01 01:00:00.0 
+0100
+++ openjpeg2-2.5.0/debian/openjpeg-doc.install 2023-05-24 12:45:48.0 
+0200
@@ -0,0 +1 @@
+usr/share/doc
8X---

| ametzler@argenau:/dev/shm/JPI$ debdiff openjpeg-doc_2.5.0-{1,2}_all.deb
| File lists identical (after any substitutions)
| 
| Control files: lines which differ (wdiff format)
| 
| Version: [-2.5.0-1-] {+2.5.0-2+}

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

Bug#1036717: unblock: slurm-wlm/22.05.8-4

[Gennaro Oliva]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: oliv...@na.icar.cnr.it

Please unblock package slurm-wlm

This release simply fix Breaks/Replaces deps and reintroduce a
configuration file removed accidentally

[ Reason ]
This release will ensure a smoother update from bullseye

[ Impact ]
No impact is expected

[ Tests ]
Although there are no changes in the packages code, but only
dependencies are better specified, I did the usual tests I make for
every release of the package.

[ Risks ]
I see no risks

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock slurm-wlm/22.05.8-4
-- 
Gennaro Oliva
diff -Nru slurm-wlm-22.05.8/debian/changelog slurm-wlm-22.05.8/debian/changelog
--- slurm-wlm-22.05.8/debian/changelog  2023-02-08 07:50:18.0 +0100
+++ slurm-wlm-22.05.8/debian/changelog  2023-05-10 00:14:41.0 +0200
@@ -1,3 +1,11 @@
+slurm-wlm (22.05.8-4) unstable; urgency=medium
+
+  * Fix Breaks/Replaces dependencies (Closes: #1034950,
+#1034955, #1034978, #1034987, #1034992)
+  * Restore plugstack.conf (Closes: #1035562)
+
+ -- Gennaro Oliva   Wed, 10 May 2023 00:14:41 +0200
+
 slurm-wlm (22.05.8-3) unstable; urgency=medium
 
   * Source only upload for testing
diff -Nru slurm-wlm-22.05.8/debian/control slurm-wlm-22.05.8/debian/control
--- slurm-wlm-22.05.8/debian/control2023-02-08 07:49:20.0 +0100
+++ slurm-wlm-22.05.8/debian/control2023-05-09 23:27:05.0 +0200
@@ -307,6 +307,8 @@
  ${shlibs:Depends},
  ${misc:Depends},
  slurm-wlm-basic-plugins (= ${binary:Version})
+Breaks: slurm-wlm-basic-plugins (<< 22.05.7-1), slurm-client (<< 22.05.7-1)
+Replaces: slurm-wlm-basic-plugins (<< 22.05.7-1), slurm-client (<< 22.05.7-1)
 Description: Slurm HDF5 plugin
  The Slurm Workload Manager is an open-source cluster resource management and
  job scheduling system that strives to be simple, scalable, portable,
@@ -371,8 +373,8 @@
  ${shlibs:Depends},
  ${misc:Depends},
  slurm-wlm-basic-plugins (= ${binary:Version})
-Breaks: slurm-wlm-basic-plugins-dev (<< 22.05.7-1)
-Replaces: slurm-wlm-basic-plugins-dev (<< 22.05.7-1)
+Breaks: slurm-wlm-basic-plugins (<< 22.05.7-1)
+Replaces: slurm-wlm-basic-plugins (<< 22.05.7-1)
 Description: Slurm InfluxDB plugin
  The Slurm Workload Manager is an open-source cluster resource management and
  job scheduling system that strives to be simple, scalable, portable,
@@ -404,8 +406,8 @@
  ${shlibs:Depends},
  ${misc:Depends},
  slurm-wlm-basic-plugins (= ${binary:Version})
-Breaks: slurm-wlm-basic-plugins-dev (<< 22.05.7-1)
-Replaces: slurm-wlm-basic-plugins-dev (<< 22.05.7-1)
+Breaks: slurm-wlm-basic-plugins (<< 22.05.7-1)
+Replaces: slurm-wlm-basic-plugins (<< 22.05.7-1)
 Description: Slurm RRD plugin
  The Slurm Workload Manager is an open-source cluster resource management and
  job scheduling system that strives to be simple, scalable, portable,
@@ -437,8 +439,8 @@
  ${shlibs:Depends},
  ${misc:Depends},
  slurm-wlm-basic-plugins (= ${binary:Version})
-Breaks: slurm-wlm-basic-plugins-dev (<< 22.05.7-1)
-Replaces: slurm-wlm-basic-plugins-dev (<< 22.05.7-1)
+Breaks: slurm-wlm-basic-plugins (<< 22.05.7-1)
+Replaces: slurm-wlm-basic-plugins (<< 22.05.7-1)
 Description: Slurm Elasticsearch job-completion plugin
  The Slurm Workload Manager is an open-source cluster resource management and
  job scheduling system that strives to be simple, scalable, portable,
@@ -470,8 +472,8 @@
  ${shlibs:Depends},
  ${misc:Depends},
  slurm-wlm-basic-plugins (= ${binary:Version})
-Breaks: slurm-wlm-basic-plugins-dev (<< 22.05.7-1)
-Replaces: slurm-wlm-basic-plugins-dev (<< 22.05.7-1)
+Breaks: slurm-wlm-basic-plugins (<< 22.05.7-1)
+Replaces: slurm-wlm-basic-plugins (<< 22.05.7-1)
 Description: Slurm JWT authentication plugins
  The Slurm Workload Manager is an open-source cluster resource management and
  job scheduling system that strives to be simple, scalable, portable,
diff -Nru slurm-wlm-22.05.8/debian/slurm-wlm-basic-plugins.install 
slurm-wlm-22.05.8/debian/slurm-wlm-basic-plugins.install
--- slurm-wlm-22.05.8/debian/slurm-wlm-basic-plugins.install1970-01-01 
01:00:00.0 +0100
+++ slurm-wlm-22.05.8/debian/slurm-wlm-basic-plugins.install2023-05-09 
23:27:05.0 +0200
@@ -0,0 +1 @@
+debian/plugstack.conf etc/slurm

Bug#1036716: pingus: MR to update d/watch and build with libboost>=1.69

[Patrice Duroux]

Source: pingus
Version: 0.7.6-5.1
Severity: wishlist

Dear Maintainer,

It is here:
https://salsa.debian.org/games-team/pingus/-/merge_requests/5

Regards,
Patrice


-- System Information:
Debian Release: 12.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.3.0-0-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Bug#1036705: override: adduser:admin/required

[Cyril Brulebois]

Hi,

With only my random DD and d-i hats, leaving the release one aside…

Helmut Grohne  (2023-05-24):
> I am requesting to override the priority of adduser to become
> required.

Watching from the sideline, this seems to come in horribly late.

> apt used to depend on adduser and apt is required, so adduser is
> transitively required in bullseye. Johannes and myself worked towards
> making apt not depend on adduser and that work succeeded.

FSVO “success” then, given the rest of the mail…

> We've now fixed such postrm scripts to no longer do that, but we agreed
> with the release team that it should be difficult to remove for bookworm
> in order to make purging packages left over from bullseye just work
> after and upgrade to bookworm. Originally, the idea was to add back the
> dependency from apt.

Out of curiosity, why wasn't that easy fix implemented?

> Instead, we made apt "Protected: yes".

Via olasd/#debian-release: adduser got that field, not apt.

> This still doesn't install it by default, but makes removal difficult
> which is what saves postrm purge scripts, so all should be good.
> Except that this makes piuparts unhappy as it tries to remove adduser
> and apt being unhappy about it. This is presently breaking testing
> migration for a number of packages. So now we thought about it again
> and got to the conclusion that adduser should also be Priority:
> required for bookworm (and unstable until bookworm is released).

Same question as before, why not just add the dependency back?

> Doing so is a late change, I know. However, it gets us back to the
> bullseye state and in being required, debootstrap --variant=minbase
> will install adduser again, which will fix piuparts. So an we do that?

Aren't we risking a redux of “we turned another knob, and now we're
discovering yet another issue”?


I'm not particularly worried about people using d-i to install minbase
specifically, and even with the open questions above, I wouldn't
normally object to the proposed change from a d-i perspective.

But I'm very much worried about possible side effects at this critical
stage of the freeze.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant


signature.asc
Description: PGP signature

Bug#1036715: grub-efi-arm64: i.MX8QM Synchronous Abort on EFI boot

[Andrew LaMarche]

Package: grub-efi-arm64
Version: 2.06-3~deb11u5
Severity: important
X-Debbugs-Cc: andrewjlamar...@gmail.com

Dear Maintainer,

[Impact]
When using GRUB as a second stage bootloader on an i.MX SPEAR-MX8 with the 
CustomBoard dev kit, a Synchronous Abort occurs. U-Boot is the first stage. 
This board has 4x A53, 2x A72 and 2x Cortex M4 CPUs.

[Tests]
* "Vanilla" kernels from https://github.com/varigit/linux-imx on 5.10 and 5.15 
fail to boot.
* Using U-Boot from https://github.com/varigit/uboot-imx is fine, able to boot 
kernel directly without issue, and is compiled with EFI support

Seems to maybe be related to 
https://bugs.launchpad.net/ubuntu/+source/grub2-unsigned/+bug/1987924, only 
this abort happens every time.

Here's the debug trace:

kern/efi/fdt.c:38: found registered FDT @ 0x8810
loader/efi/fdt.c:63: allocating 136192 bytes for fdt
loader/arm64/linux.c:89: Initrd @ 0xdc0e8000-0xdca8e2ad
loader/efi/fdt.c:97: Installed/updated FDT configuration table @ 0xdc0c6000
loader/arm64/linux.c:144: linux command line: 'BOOT_IMAGE=/boot/image/vmlinuz 
boot=live cgroup_enable=cpuset cgroup_memory=1 cgroup_enable=memory quiet 
rootdelay=5 noautologin net.ifnames=0 biosdevname=0 coherent_pool=4M 
console=ttyLP0,115200n8 systemd.show_status=1'
loader/arm64/linux.c:159: starting image 0xfd24d530
"Synchronous Abort" handler, esr 0x96000210
elr: 8005b890 lr : 8005b880 (reloc)
elr: ff631890 lr : ff631880
x0 :  x1 : fd1e10d0
x2 :  x3 : ff63184c
x4 :  x5 : 0001
x6 : ff63d0e8 x7 : 
x8 : 0100 x9 : 0001f028
x10: fd1e13bc x11: 0001f01c
x12: fd1e14b8 x13: da35
x14: fd1e145c x15: 67616d692f746f6f
x16: ff63184c x17: fbf31300
x18: fd1f3d50 x19: 5b01
x20:  x21: fd1e10d0
x22: fd1fc7e0 x23: fd1fb260
x24: ff7f x25: dbca5000
x26: fd1e1640 x27: fd1fb280
x28: dbca x29: fd1e1000

Code: aa0003f6 1280 f94002d3 b9003260 (b9402660) 
UEFI image [0xfc0eb000:0xfc1c0fff] '/EFI\debian\grubarm.efi'
UEFI image [0xda55:0xdc0b]
Resetting CPU ...

### ERROR ### Please RESET the board ###


-- System Information:
Debian Release: 11.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: arm64 (aarch64)

Versions of packages grub-efi-arm64 depends on:
ii  debconf [debconf-2.0]  1.5.77
ii  grub-common2.06-3~deb11u5
ii  grub-efi-arm64-bin 2.06-3~deb11u5
ii  grub2-common   2.06-3~deb11u5
ii  ucf3.0043

grub-efi-arm64 recommends no packages.

grub-efi-arm64 suggests no packages.

-- debconf information excluded

Bug#1036714: linux: Add Intel Speed Select Tool to linux-cpupower

[Miguel Bernal Marin]

Source: linux
Version: 6.3.2-1~exp1
Severity: wishlist
Tags: patch
X-Debbugs-Cc: miguel.bernal.ma...@linux.intel.com, jair.gonza...@linux.intel.com

Dear Maintainer,

The Intel Speed Select Technology [1] was requested at Bug #1028344, and
enabled at 5a0e7e75be81 ("[x86] Enable Intel Speed Select Technology") in
salsa. This technology can be set via sysfs, but there is a tool [2] which
helps on this setup.

The tool can be integrated in the actual linux-cpupower package.

A MR was created with this proposal:

https://salsa.debian.org/kernel-team/linux/-/merge_requests/732

[1] 
https://www.intel.la/content/www/xl/es/architecture-and-technology/speed-select-technology-article.html
[2] https://docs.kernel.org/admin-guide/pm/intel-speed-select.html

Thanks,
Miguel

Bug#1036713: debdiff

[Martin-Éric Racine]

Two diffs attached.
diff -purN xserver-xorg-video-geode-2.11.20/debian/changelog 
xserver-xorg-video-geode-2.11.21/debian/changelog
--- xserver-xorg-video-geode-2.11.20/debian/changelog   2022-02-14 
04:44:09.0 +0200
+++ xserver-xorg-video-geode-2.11.21/debian/changelog   2023-05-20 
20:55:53.0 +0300
@@ -1,3 +1,18 @@
+xserver-xorg-video-geode (2.11.21-1) unstable; urgency=medium
+
+  * New upstream release.
+- Drop all patches (merged upstream).
+  * [watch]
+= Monitor xz instead of gz tarballs.
+  * [upstream]
++ Import Alan Coopersmith's GPG key.
+  * [control]
+= Bump Standards-Version to 4.6.2 (no change required).
+  * [patches]
++ 0001_migrate_ac_prog_libtool_to_lt_init.patch (libtool 2.60 to 2.71).
+
+ -- Martin-Éric Racine   Sat, 20 May 2023 20:55:53 
+0300
+
 xserver-xorg-video-geode (2.11.20-9) unstable; urgency=medium
 
   * Merged patches from Git:
diff -purN xserver-xorg-video-geode-2.11.20/debian/control 
xserver-xorg-video-geode-2.11.21/debian/control
--- xserver-xorg-video-geode-2.11.20/debian/control 2021-09-20 
09:40:24.0 +0300
+++ xserver-xorg-video-geode-2.11.21/debian/control 2023-05-20 
17:24:52.0 +0300
@@ -17,7 +17,7 @@ Build-Depends: debhelper-compat (= 13),
xserver-xorg-dev (>= 2:1.4~),
xutils-dev
 Rules-Requires-Root: no
-Standards-Version: 4.6.0.1
+Standards-Version: 4.6.2
 
 Package: xserver-xorg-video-geode
 Architecture: any-i386
diff -purN xserver-xorg-video-geode-2.11.20/debian/copyright 
xserver-xorg-video-geode-2.11.21/debian/copyright
--- xserver-xorg-video-geode-2.11.20/debian/copyright   2022-02-14 
04:44:09.0 +0200
+++ xserver-xorg-video-geode-2.11.21/debian/copyright   2023-05-20 
20:55:49.0 +0300
@@ -29,7 +29,7 @@ License: Expat
   DEALINGS IN THE SOFTWARE.
 
 Files: debian/*
-Copyright: © 2007-2022 Martin-Éric Racine 
+Copyright: © 2007-2023 Martin-Éric Racine 
 License: GPL-2+
   On Debian systems, the complete text of the GNU General Public License
   can be found in .
diff -purN 
xserver-xorg-video-geode-2.11.20/debian/patches/0001_migrate_ac_prog_libtool_to_lt_init.patch
 
xserver-xorg-video-geode-2.11.21/debian/patches/0001_migrate_ac_prog_libtool_to_lt_init.patch
--- 
xserver-xorg-video-geode-2.11.20/debian/patches/0001_migrate_ac_prog_libtool_to_lt_init.patch
   1970-01-01 02:00:00.0 +0200
+++ 
xserver-xorg-video-geode-2.11.21/debian/patches/0001_migrate_ac_prog_libtool_to_lt_init.patch
   2023-05-20 18:50:12.0 +0300
@@ -0,0 +1,51 @@
+Description: Migrate libtool from 2.60 to 2.71
+Author: Martin-Éric Racine 
+Last-Update: 2023-05-20
+
+Migrate configure.ac from libtool 2.60 to 2.71 and remove trailing space.
+
+--- xserver-xorg-video-geode-2.11.21.orig/configure.ac
 xserver-xorg-video-geode-2.11.21/configure.ac
+@@ -21,7 +21,7 @@
+ # Process this file with autoconf to produce a configure script
+ 
+ # Initialize Autoconf
+-AC_PREREQ(2.60)
++AC_PREREQ([2.71])
+ AC_INIT([xf86-video-geode],
+ [2.11.21],
+ 
[https://gitlab.freedesktop.org/xorg/driver/xf86-video-geode/-/issues],
+@@ -39,17 +39,17 @@ AM_MAINTAINER_MODE
+ 
+ # Initialize libtool
+ AC_DISABLE_STATIC
+-AC_PROG_LIBTOOL
++LT_INIT
+ 
+ # Require xorg-macros: XORG_DEFAULT_OPTIONS
+-m4_ifndef([XORG_MACROS_VERSION], 
++m4_ifndef([XORG_MACROS_VERSION],
+   [m4_fatal([must install xorg-macros 1.4 or later before running 
autoconf/autogen])])
+ XORG_MACROS_VERSION(1.4)
+ XORG_DEFAULT_OPTIONS
+ 
+ # Checks for programs.
+ AC_DISABLE_STATIC
+-AC_PROG_LIBTOOL
++LT_INIT
+ 
+ AH_TOP([#include "xorg-server.h"])
+ 
+@@ -65,10 +65,10 @@ AC_ARG_WITH(xorg-module-dir,
+ AC_SUBST([moduledir])
+ 
+ # Define a configure option to enable/disable lcd panel support
+-AC_ARG_ENABLE(geodegx-panel, 
++AC_ARG_ENABLE(geodegx-panel,
+ AS_HELP_STRING([--disable-geodegx-panel],
+[Disable support for flatpanels with the Geode 
GX]),
+-[ ], 
++[ ],
+ [ PANEL_CPPFLAGS=-DPNL_SUP ])
+ AC_SUBST(PANEL_CPPFLAGS)
+ 
diff -purN xserver-xorg-video-geode-2.11.20/debian/patches/01_fno-common.patch 
xserver-xorg-video-geode-2.11.21/debian/patches/01_fno-common.patch
--- xserver-xorg-video-geode-2.11.20/debian/patches/01_fno-common.patch 
2020-12-03 18:39:09.0 +0200
+++ xserver-xorg-video-geode-2.11.21/debian/patches/01_fno-common.patch 
1970-01-01 02:00:00.0 +0200
@@ -1,93 +0,0 @@
-From 24b27b11b6dcb0946159ad0fb644e30a16f910d6 Mon Sep 17 00:00:00 2001
-From: Christian Gmeiner 
-Date: Thu, 3 Dec 2020 14:22:23 +0100
-Subject: [PATCH] fix 'multiple definition of' linker error
-
-Fix for FTBFS due to -fno-common on GCC 10.
-
-Signed-off-by: Christian Gmeiner 

- src/geode.h | 8 
- src/gx_driver.c | 2 +-
- src/gx_video.c  | 2 +-
- src/lx_driver.c | 2 +-
- 4 files changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/src/geode.h b/src/geode.h
-index eb61c28..1b144ff 100644
 

Bug#1036584: libopenjpip-viewer: broken symlink: /usr/bin/opj_jpip_viewer -> ../share/opj_jpip_viewer/opj_jpip_viewer.jar

[Mathieu Malaterre]

Control: tags -1 - patch

On Wed, May 24, 2023 at 6:21 PM Andreas Metzler  wrote:
>
> Control: retitle -1 libopenjpip-viewer is basically empty
>
> On 2023-05-23 Mathieu Malaterre  wrote:
> > On Tue, May 23, 2023 at 10:46 AM Mathieu Malaterre  wrote:
> > >
> > > Control: retitle -1 No java compiler found. Won't be able to build java 
> > > viewer
> > >
> > > openjpeg2/java compilation appears to be broken:
> [...]
>
> > default-jdk is defined in B-D-I which looks wrong IMHO:
>
> > * 
> > https://salsa.debian.org/debian-phototools-team/openjpeg2/-/blob/master/debian/control#L16
>
> > [...]
> > Build-Depends-Indep: default-jdk,
> > [...]
>
> Why does this look wrong? libopenjpip-viewer is arch-all.
>
> Correct patch attached. Stuff was built but the respective dh_install
> call was shadowed and therefore content was not shipped in the package.

[...]
-override_dh_install-indep:
- dh_install -p$(pkg_doc) debian/tmp/usr/share/doc
-
[...]

Isn't this going to break the openjpeg-doc package ?

Bug#984927: Control

[Julius Clasen]

Control: owner -1 !

Bug#1024693: Any news after 6 months?

[Alan Barros de Oliveira]

This is just to stress that this bug is affecting more people. We are (almost) 
on Debian 12 and  the currently Firefix ESR is 112, where this bug still... 
bugs. 



Sent with Proton Mail secure email.

Bug#1036713: unblock: xserver-xorg-video-geode/2.11.21-1

[Martin-Éric Racine]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: xserver-xorg-video-ge...@packages.debian.org
Control: affects -1 + src:xserver-xorg-video-geode

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Please unblock package xserver-xorg-video-geode

Cherry-picks in last upload (February 2022) include everything short of the 3 
last upstream commits listed below.

[ Reason ]
1) Ensure build from source on recent autoconf.
2) Merge years of cherry-picked patches.

[ Impact ]
None. What's in Testing still works as-is.

[ Tests ]
Manually verified to work on Geode video hardware. No visible change compared 
to Testing version.

[ Risks ]
1) Trivial code changes (character-set conversion of comments from ISO-8859-1 
to UTF-8).
2) Addition of a gitlab CI testcase (no effect on package, only used upstream).
3) Upgraded macros for autoconf 2.70 or more recent.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
Two diffs follow:
1) Last cherry-pick in Testing to HEAD in this version.
2) Content of debian/ between versions.

unblock xserver-xorg-video-geode/2.11.21-1


-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEyJACx3qL7GpObXOQrh+Cd8S017YFAmRuPtEACgkQrh+Cd8S0
17aXxg//Vikd8ZkpL1zyBulpiZw8yv/kqvL/soCTc7YB+g6X1Y61hBkLkaLBXz+Q
du2LIXPa4qCCpYj9KKulJtJwHSnISqtXdg4FgBZcrQ5cmRucb5caevNPFG+pg3FG
7qWZG9+khrQ9xDnIW4JvMRx2bMqhRJBS2kz2GS8+b7wpMaiy/oTs5LzA6xEN5ONl
IaA2pBGZg+lY7mGuwv3M61p1jLOVGy4MOxu5Y4+88+0sDvCV43zI2D0Y4yIbiNdt
uiG7s7EhyQA5V9zj2ONFDjbT+08n3W8g23HiLhozvVkwhT8fKPlniz/kzFD2AQiS
4DURle0H6SCeF92+ko4YbyZX0F2DAOccAc7xuvNQK2lYQi+1g4cLYTcRxZjYWfu+
zQsmAs+1GNMGStGW5YR8B7QE7eB74uJ6qkzcajZl0qoDalkqBZR9M8A2jEgTLRkJ
cO+DGNyvOyQ6jogsMiKqH4FrIHC4/6vw4Wi/Im3c8FZ0CcDXApOlkeqUbR8qt2VX
Bdja+w6tAUQ2qEmYN4jXqhiCswWu7uE6wyZ45MBr/AD7KwbMC0K78sq4pDG82UY/
HVHdLxYuE9gBHq6V5IMbdWWtMYHtd9Z+mRgp6uEfnJyrrgw/ohrGPNBsAazS4LVO
OQdiImE3BWiz0Ui6Mzd5xzpsyTZsXbUwq0LnjP+c+iIq3l1gDzk=
=zk/v
-END PGP SIGNATURE-

Bug#1030571: RFS: vfu/5.07-2 -- Versatile text-based file-manager (common files)

[Tobias Frost]

Control: tags -1 moreinfo

On Thu, 06 Apr 2023 13:28:45 +0300 Boian Bonev 
wrote:

> This was intended to happen before the freeze, and it was -1 at that
> time. Time was not enough and that couldn't happen, then I made
another
> -1 upload, excluding the introduction of new binary packages and only
> bumped this to -2  

It should still be -1

> because a new upstream release will come in the
> meantime and the target now is unstable after the release.

Tagging moreinfo then, remove it when you say it is now time for the
upload (after the release.)

--
tobi

Bug#1036474: unblock: debian-edu-fai/2023.05.16.1

[Paul Gevers]

control: tags -1 moreinfo

Hi Mike,

On 21-05-2023 21:38, Mike Gabriel wrote:

In addition to the adduser changes, the diff to testing also includes a simple
directory-exists test before writing to it.


See below, I see more. Please elaborate.


+  * bin/debian-edu-faiinstall: Make sure FAI_CONFIGDIR_REAL is set before it
+is accessed.


What does this mean functionally? The change was made in 2022-09, was it 
not a problem all that time?


Paul

diff -Nru debian-edu-fai-2022.04.14.1/fai/config/class/FAIBASE.var 
debian-edu-fai-2023.05.16.1/fai/config/class/FAIBASE.var
--- debian-edu-fai-2022.04.14.1/fai/config/class/FAIBASE.var 
2022-09-16 18:38:21.0 +
+++ debian-edu-fai-2023.05.16.1/fai/config/class/FAIBASE.var 
1970-01-01 00:00:00.0 +

@@ -1,27 +0,0 @@
-# default values for installation. You can override them in your *.var 
files

-
-# allow installation of packages from unsigned repositories
-FAI_ALLOW_UNSIGNED=1
-
-# Set UTC=yes if your system clock is set to UTC (GMT), and UTC=no if not.
-UTC=yes
-TIMEZONE=Europe/Berlin
-
-# the hash of the root password for the new installed linux system
-# pw is "fai"
-ROOTPW='$1$kBnWcO.E$djxB128U7dMkrltJHPf6d1'
-ROOTPW='$1$2fO2Hkud$nuSo8D5iUzgzUXBs8afZ8.'
-
-# errors in tasks greater than this value will cause the installation 
to stop

-STOP_ON_ERROR=700
-
-# set parameter for install_packages(8)
-MAXPACKAGES=800
-
-# a user account will be created
-username='spguser'
-USERPW='$1$xwwADosf$LiKds1UMtKaYpHC91FAcy.'
-
-# user / server to use for storing FAI installation logs... (e.g. 
fai@faiserver.intern)

-LOGUSER='fai'
-LOGSERVER='faiserver.intern'


OpenPGP_signature
Description: OpenPGP digital signature

Bug#1036584: libopenjpip-viewer: broken symlink: /usr/bin/opj_jpip_viewer -> ../share/opj_jpip_viewer/opj_jpip_viewer.jar

[Andreas Metzler]

Control: retitle -1 libopenjpip-viewer is basically empty

On 2023-05-23 Mathieu Malaterre  wrote:
> On Tue, May 23, 2023 at 10:46 AM Mathieu Malaterre  wrote:
> >
> > Control: retitle -1 No java compiler found. Won't be able to build java 
> > viewer
> >
> > openjpeg2/java compilation appears to be broken:
[...]

> default-jdk is defined in B-D-I which looks wrong IMHO:

> * 
> https://salsa.debian.org/debian-phototools-team/openjpeg2/-/blob/master/debian/control#L16

> [...]
> Build-Depends-Indep: default-jdk,
> [...]

Why does this look wrong? libopenjpip-viewer is arch-all.

Correct patch attached. Stuff was built but the respective dh_install
call was shadowed and therefore content was not shipped in the package.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
diff -Nru openjpeg2-2.5.0/debian/changelog openjpeg2-2.5.0/debian/changelog
--- openjpeg2-2.5.0/debian/changelog	2022-06-20 16:05:24.0 +0200
+++ openjpeg2-2.5.0/debian/changelog	2023-05-24 12:45:48.0 +0200
@@ -1,3 +1,10 @@
+openjpeg2 (2.5.0-2) UNRELEASED; urgency=medium
+
+  * Team upload.
+  * Fix broken symlink. Closes: #1036584
+
+ -- Andreas Metzler   Wed, 24 May 2023 12:45:48 +0200
+
 openjpeg2 (2.5.0-1) unstable; urgency=medium
 
   * New upstream version 2.5.0
diff -Nru openjpeg2-2.5.0/debian/openjpeg-doc.install openjpeg2-2.5.0/debian/openjpeg-doc.install
--- openjpeg2-2.5.0/debian/openjpeg-doc.install	1970-01-01 01:00:00.0 +0100
+++ openjpeg2-2.5.0/debian/openjpeg-doc.install	2023-05-24 12:45:48.0 +0200
@@ -0,0 +1 @@
+usr/share/doc
diff -Nru openjpeg2-2.5.0/debian/rules openjpeg2-2.5.0/debian/rules
--- openjpeg2-2.5.0/debian/rules	2022-06-20 16:01:30.0 +0200
+++ openjpeg2-2.5.0/debian/rules	2023-05-24 12:45:48.0 +0200
@@ -50,9 +50,6 @@
 pkg_vwr = libopenjpip-viewer
 pkg_dsrv = libopenjpip-dec-server
 
-override_dh_install-indep:
-	dh_install -p$(pkg_doc) debian/tmp/usr/share/doc
-
 override_dh_install-arch:
 	# annoying cmake-fatal-error export stuff:
 	sed -i -e "s/FATAL_ERROR/STATUS/g" debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/openjpeg-2.5/OpenJPEGTargets*.cmake

Bug#1036712: lintian: please warn about unversioned Replaces without matching Breaks nor Conflicts

[Helmut Grohne]

Package: lintian
Severity: wishlist
Tags: patch
X-Debbugs-Cc: de...@debian.org

Hi,

I would like lintian to complain a bit more about Replaces.

Correct uses of Replaces


The most common way to use Replaces is matching it up with Breaks as
this is recommeded by policy. Another use (also detailed by policy) is
matching it up with Conflicts. A lesser known, but also frequent use
(thanks to David Kalnischkies) is combining versioned Replaces with
precluding Depends.

I want lintian to not moan about any of these.

Debatable uses of Replaces
==

Sometimes, Replaces are used with a << version constraint but without
matching them up with Breaks nor Conflicts. This can be useful for
taking over non-essential files from a package (e.g. splitting
documentation from a library). Such cases are still broken if you try to
reinstall the replaced package, but that's not a frequent use and having
less Breaks is beneficial to upgrade paths.

I think it is best for lintian to not moan about any of these unless we
grow consensus that we need to do something about it.

Bad uses of Replaces


The remaining Replaces are thus unversioned and not matched up with
Breaks nor Conflicts. In these case, one could remove the replaced
package and later install it again. While the janitor is able to
eventually delete versioned Replaces, it cannot assist with cleaning up
unversioned ones. Finally, Replaces pose a vital role in the /usr-merge
transition as they can be broken when moving files from / to /usr, so we
want to reduce the use of Replaces to the cases that really need them.

For these reasons, I think that this third class of Replaces really is
harmful enough to the project that it is worth fixing them. In a lot of
cases, I expect that these Replaces are leftovers from the last decade
and we can probably just drop them. In other cases, we can add a version
restriction and improve reasoning about it.

I hope you agree with this reasoning. I've discussed this with a number
of participants on the Debian Reunion Hamburg 2023 and with some people
on IRC. I think what I am presenting here is close to consensus.

I'm also attaching a patch to implement the proposed check.
Unfortunately, neither me nor gregoa nor carnil were able to please
perlcritic (which for some reason is complaining about unrelated code
and we couldn't understand what it is complaining about), so this patch
currently fails one test.  Would you be able to figure out why
perlcritic is mad at this patch?

Thanks in advance

Helmut
diff -Nru lintian-2.116.3/debian/changelog lintian-2.116.3+nmu1/debian/changelog
--- lintian-2.116.3/debian/changelog2023-02-05 09:10:20.0 +0100
+++ lintian-2.116.3+nmu1/debian/changelog   2023-05-24 08:21:25.0 
+0200
@@ -1,3 +1,10 @@
+lintian (2.116.3+nmu1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * New tag unguarded-replaces: Complain about unversiond Replaces that
+are matched with neither Breaks nor Conflicts. (Closes: #-1)
+
+ -- Helmut Grohne   Wed, 24 May 2023 08:21:25 +0200
+
 lintian (2.116.3) unstable; urgency=medium
 
   The "FFP3 (Fixing False Positives, Three Small Changes)" Release.
diff -Nru lintian-2.116.3/lib/Lintian/Check/Fields/PackageRelations.pm 
lintian-2.116.3+nmu1/lib/Lintian/Check/Fields/PackageRelations.pm
--- lintian-2.116.3/lib/Lintian/Check/Fields/PackageRelations.pm
2022-07-02 15:47:11.0 +0200
+++ lintian-2.116.3+nmu1/lib/Lintian/Check/Fields/PackageRelations.pm   
2023-05-24 08:13:03.0 +0200
@@ -219,6 +219,15 @@
 && !$VIRTUAL_PACKAGES->recognizes($d_pkg)
 && !$replaces->satisfies($part_d_orig));
 
+$self->hint('unguarded-replaces', $part_d_orig)
+  if ( $field eq 'Replaces'
+&& !$d_version->[0]
+&& !any {
+  any {
+$_->satisfies($part_d_orig)
+  } $processable->relation($_)
+} qw(Breaks Conflicts));
+
 $self->hint('conflicts-with-version', $part_d_orig)
   if ($field eq 'Conflicts' && $d_version->[0]);
 
diff -Nru 
lintian-2.116.3/t/recipes/checks/fields/package-relations/fields-depends-general/eval/hints
 
lintian-2.116.3+nmu1/t/recipes/checks/fields/package-relations/fields-depends-general/eval/hints
--- 
lintian-2.116.3/t/recipes/checks/fields/package-relations/fields-depends-general/eval/hints
 2022-12-22 12:47:19.0 +0100
+++ 
lintian-2.116.3+nmu1/t/recipes/checks/fields/package-relations/fields-depends-general/eval/hints
2023-05-24 08:21:25.0 +0200
@@ -28,3 +28,4 @@
 fields-depends-general (binary): conflicts-with-dependency Depends conflict-dep
 fields-depends-general (binary): breaks-without-version package-without-version
 fields-depends-general (binary): binary-package-depends-on-toolchain-package 
Depends: debhelper

Bug#1036709: unblock: libsepol/3.4-2.1

[Tobias Frost]

Forgot to add the debdiff… 
diff -Nru libsepol-3.4/debian/changelog libsepol-3.4/debian/changelog
--- libsepol-3.4/debian/changelog	2022-06-15 09:56:48.0 +0200
+++ libsepol-3.4/debian/changelog	2023-05-24 16:43:03.0 +0200
@@ -1,3 +1,10 @@
+libsepol (3.4-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix "Inaccurate copyright file" (Closes: #1031798)
+
+ -- Tobias Frost   Wed, 24 May 2023 16:43:03 +0200
+
 libsepol (3.4-2) unstable; urgency=medium
 
   * fix validation of user declarations in modules, patch proposed upstream
diff -Nru libsepol-3.4/debian/copyright libsepol-3.4/debian/copyright
--- libsepol-3.4/debian/copyright	2022-06-15 09:56:48.0 +0200
+++ libsepol-3.4/debian/copyright	2023-05-24 16:36:19.0 +0200
@@ -1,49 +1,83 @@
-This is the Debian package for libsepol, and it is built from sources
-obtained from http://userspace.selinuxproject.org/releases/current/devel/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Comment:
+ This is the Debian package for libsepol.
+ .
+ This package was debianized by Russell Coker  on
+ Fri, 20 Aug 2004 17:26:18 +1000.
+Source: https://github.com/SELinuxProject/selinux/wiki/Releases
 
-
-
-This package was debianized by Russell Coker  on
-Fri, 20 Aug 2004 17:26:18 +1000.
-
-libsepol is
+Files: *
+Copyright: libsepol is
  Copyright (C) 2003, 2004 Stephen Smalley 
  Copyright (C) 2003-2007  Red Hat, Inc.
  Copyright (C) 2004, 2005 Trusted Computer Solutions, Inc.
- Copyright (C) 2003-2008  Tresys Technology, LLC
-
-
+ Copyright (C) 2003-2008, 2011 Tresys Technology, LLC
+ Copyright (C) 2017 Mellanox Techonolgies Inc.
+ Copyright (c) 2008 NEC Corporation
+License: LGPL-2.1+
 This library is free software; you can redistribute it and/or
 modify it under the terms of the GNU Lesser General Public
 License as published by the Free Software Foundation; either
 version 2.1 of the License, or (at your option) any later version.
-
+ .
 This library is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 Lesser General Public License for more details.
-
+ .
 You should have received a copy of the GNU Lesser General Public
 License along with this library; if not, write to the Free Software
 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
-On Debian GNU/Linux systems, the complete text of the Lesser GNU General
-Public License can be found in `/usr/share/common-licenses/LGPL'.
-
- This package is maintained by Manoj Srivastava .
-
- The Debian specific changes are © 2005-2008, Manoj Srivastava
- , and distributed under the terms of the GNU
- General Public License, version 2.
-
-
-On Debian GNU/Linux systems, the complete text of the GNU General
-Public License can be found in `/usr/share/common-licenses/GPL'.
-
+Comment:
+ On Debian GNU/Linux systems, the complete text of the Lesser GNU General
+ Public License version 2.1 can be found in `/usr/share/common-licenses/LGPL-2.1'.
+
+Files: cil/test/unit/CuTest.*
+Copyright: (c) 2003 Asim Jalis
+License: Zlib
+ This software is provided 'as-is', without any express or implied
+ warranty. In no event will the authors be held liable for any damages
+ arising from the use of this software.
+ .
+ Permission is granted to anyone to use this software for any purpose,
+ including commercial applications, and to alter it and redistribute it
+ freely, subject to the following restrictions:
+ .
+ 1. The origin of this software must not be misrepresented; you must not
+ claim that you wrote the original software. If you use this software in
+ a product, an acknowledgment in the product documentation would be
+ appreciated but is not required.
+ .
+ 2. Altered source versions must be plainly marked as such, and must not
+ be misrepresented as being the original software.
+ .
+ 3. This notice may not be removed or altered from any source
+ distribution.
+
+Files: debian/*
+Copyright: © 2005-2008, Manoj Srivastava 
+ 2012-2022  Laurent Bigonville 
+ 2011-2018  Russell Coker 
+License: GPL-2
+The Debian specific changes are distributed under the terms of the
+GNU General Public License, version 2.
+ .
 A copy of the GNU General Public License is also available at
 http://www.gnu.org/copyleft/gpl.html>.  You may also obtain
 it by writing to the Free Software Foundation, Inc., 51 Franklin
 St, Fifth Floor, Boston, MA 02110-1301 USA
-
-Manoj Srivastava 
-arch-tag: d4250e44-a0e0-4ee0-adb9-2bd74f6eeb27
+Comment:
+ On Debian GNU/Linux systems, the complete text of the GNU General
+ Public License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
+
+Files: man/*man8/chkcon.8
+   man/man8/genpolusers.8
+Copyright: (c) 1997 Manoj Srivastava 
+License: GPL-2+
+This is free documentation; you can redistribute it 

Bug#1036708: ITS: dosbox is dead, move to active, high quality dosbox-staging successor

[David Heidelberg]

Hi!

I had no idea DOSBox-x exist.

Anyway, we had currently only `dosbox` package which working very poorly 
on mobile devices.


My intent is fix that by replacing DOSBox with better quality codebase.

Feel free to close then.

David

On 24/05/2023 17:34, Stephen Kitt wrote:

Hi,

On Wed, 24 May 2023 16:43:56 +0200, David Heidelberg  wrote:

DOSBox upstream is dead for a long time. Since upstream is dead,
multiple good or worse quality forks emerged over the time.

One of serious ones is DOSBox-staging, which implemented testing, using
recent SDL 2, modern programming language and tries hard to solve issues
previously carried patch by patch from downstream forks.

I (and probably few others listed in [1]) would love to see working
DOSBox.

Current DOSBox due to usage of SDL 1.2 is hardly usable on Wayland based
environments, so my main motivation is use DOSBox on Wayland and
Mobian/PureOS (Debian adapted to mobile phones).

DOSBox-X is in NEW:
https://ftp-master.debian.org/new/dosbox-x_2023.05.01%2Bdfsg-1.html

You have an existing ITP for dosbox-staging, https://bugs.debian.org/973822.
Are you still working on that?

It’s not clear to me why you want to salvage the dosbox package, could you
clarify?

Regards,

Stephen


--
David Heidelberg
Consultant Software Engineer

Bug#1036711: unblock: camping/2.3-1.1

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: camp...@packages.debian.org
Control: affects -1 + src:camping

Please unblock package camping

It fixes a broken symlink to a font. (#861040)
This had been fixed already earlier, (2.1.580-1.1)
but that NMU has not been incoroporated in the package and lost.
The nmu is using the original patch from the BTS.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
The package has been uploaded to DELAYED/2, ETA May 26th, 18:00 CET


unblock camping/2.3-1.1
diff -Nru camping-2.3/debian/changelog camping-2.3/debian/changelog
--- camping-2.3/debian/changelog2023-01-31 16:26:42.0 +0100
+++ camping-2.3/debian/changelog2023-05-24 17:43:23.0 +0200
@@ -1,3 +1,10 @@
+camping (2.3-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix broken font symlink (Closes: #861040)
+
+ -- Tobias Frost   Wed, 24 May 2023 17:43:23 +0200
+
 camping (2.3-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru camping-2.3/debian/rules camping-2.3/debian/rules
--- camping-2.3/debian/rules2023-01-31 16:26:42.0 +0100
+++ camping-2.3/debian/rules2023-05-24 17:38:44.0 +0200
@@ -43,7 +43,7 @@
ln -s /usr/share/fonts/truetype/lato/Lato-Light.ttf 
debian/camping/usr/share/doc/camping/rdoc/fonts/
ln -s /usr/share/fonts/truetype/lato/Lato-LightItalic.ttf 
debian/camping/usr/share/doc/camping/rdoc/fonts/
ln -s /usr/share/fonts/truetype/lato/Lato-Regular.ttf 
debian/camping/usr/share/doc/camping/rdoc/fonts/
-   ln -s /usr/share/fonts/truetype/lato/Lato-RegularItalic.ttf 
debian/camping/usr/share/doc/camping/rdoc/fonts/
+   ln -s /usr/share/fonts/truetype/lato/Lato-Italic.ttf 
debian/camping/usr/share/doc/camping/rdoc/fonts/Lato-RegularItalic.ttf
 
 override_dh_auto_clean:
dh_auto_clean


signature.asc
Description: PGP signature

Bug#861040: camping: diff for NMU version 2.3-1.1

[Tobias Frost]

Control: tags 861040 + pending

Dear maintainer,

It seems that the NMU fixing this bug has not been imported into
the package, therefore the bug reappeared.

The NMU uses the patch from Christoph (#861040#32)

I've prepared an NMU for camping (versioned as 2.3-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards.
tobi
diff -Nru camping-2.3/debian/changelog camping-2.3/debian/changelog
--- camping-2.3/debian/changelog	2023-01-31 16:26:42.0 +0100
+++ camping-2.3/debian/changelog	2023-05-24 17:43:23.0 +0200
@@ -1,3 +1,10 @@
+camping (2.3-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix broken font symlink (Closes: #861040)
+
+ -- Tobias Frost   Wed, 24 May 2023 17:43:23 +0200
+
 camping (2.3-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru camping-2.3/debian/rules camping-2.3/debian/rules
--- camping-2.3/debian/rules	2023-01-31 16:26:42.0 +0100
+++ camping-2.3/debian/rules	2023-05-24 17:38:44.0 +0200
@@ -43,7 +43,7 @@
 	ln -s /usr/share/fonts/truetype/lato/Lato-Light.ttf debian/camping/usr/share/doc/camping/rdoc/fonts/
 	ln -s /usr/share/fonts/truetype/lato/Lato-LightItalic.ttf debian/camping/usr/share/doc/camping/rdoc/fonts/
 	ln -s /usr/share/fonts/truetype/lato/Lato-Regular.ttf debian/camping/usr/share/doc/camping/rdoc/fonts/
-	ln -s /usr/share/fonts/truetype/lato/Lato-RegularItalic.ttf debian/camping/usr/share/doc/camping/rdoc/fonts/
+	ln -s /usr/share/fonts/truetype/lato/Lato-Italic.ttf debian/camping/usr/share/doc/camping/rdoc/fonts/Lato-RegularItalic.ttf
 
 override_dh_auto_clean:
 	dh_auto_clean


signature.asc
Description: PGP signature

Bug#1036081: pre-unblock: mariadb/1:10.11.3-1

[Paul Gevers]

Hi Otto,

On 24-05-2023 17:44, Otto Kekäläinen wrote:

The CI
detected a couple days ago a regression in Piuparts, potentially due
to recent adduser 1.133 upload, which I still need to debug and decide
what to do on.


You can ignore it. It's known and being worked on.

Paul


OpenPGP_signature
Description: OpenPGP digital signature

Bug#1036081: pre-unblock: mariadb/1:10.11.3-1

[Otto Kekäläinen]

Hi!

> On 15-05-2023 07:55, Otto Kekäläinen wrote:
> > This pre-unblock request is to get a decision from the Bookworm
> > release team if you prefer to accept this 10.11.3 into Bookworm, or if
> > you wish it to be postponed to a stable update in Bookworm some time
> > later in fall 2023.
>
> I just discussed with the security team (live, here in Hamburg), and
> mariadb is on their list for taking upstream releases, so I'm of the
> opinion that the release team should follow that. Having said that,

Thanks for the guidance. The new upstream import pending at
https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/46
has already been polished by me and reviewed by several people,
including MariaDB.org staff and the MySQL maintainer in Ubuntu. The CI
detected a couple days ago a regression in Piuparts, potentially due
to recent adduser 1.133 upload, which I still need to debug and decide
what to do on.

Hopefully tomorrow I can upload this to Debian experimental for an
extra round of QA, and then to Debian unstable on Friday if nothing
new shows up.

I know we have no time left, so I am trying to move as fast as it is
safe and reasonable to do.

> we're now so close to the release date that I want you to have *no*
> changes in the debian sub-directory that are not absolutely required to
> support the new upstream version. It's just too late.

Based on feedback in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033811#34 I opened
https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/45,
which is now pending feedback on what to revert.

I understand that you highly value stability and absolutely do not
want anything to regress this late in the release cycle. I have the
same concern, and thus I have only done changes that aim to fix bugs
or docs/translations (in February/March). I would argue that the
bugfixes have been well tested by now and by reverting those bugfixes
the chance of a regression actually might go up. I will try to collect
more feedback on what commits to revert from a larger pool of peope
who hopefully have bandwidth to read the commits and assess them more
in !45.

Bug#1036708: ITS: dosbox is dead, move to active, high quality dosbox-staging successor

[Stephen Kitt]

Hi,

On Wed, 24 May 2023 16:43:56 +0200, David Heidelberg  wrote:
> DOSBox upstream is dead for a long time. Since upstream is dead,
> multiple good or worse quality forks emerged over the time.
> 
> One of serious ones is DOSBox-staging, which implemented testing, using
> recent SDL 2, modern programming language and tries hard to solve issues
> previously carried patch by patch from downstream forks.
> 
> I (and probably few others listed in [1]) would love to see working
> DOSBox.
> 
> Current DOSBox due to usage of SDL 1.2 is hardly usable on Wayland based
> environments, so my main motivation is use DOSBox on Wayland and
> Mobian/PureOS (Debian adapted to mobile phones).

DOSBox-X is in NEW:
https://ftp-master.debian.org/new/dosbox-x_2023.05.01%2Bdfsg-1.html

You have an existing ITP for dosbox-staging, https://bugs.debian.org/973822.
Are you still working on that?

It’s not clear to me why you want to salvage the dosbox package, could you
clarify?

Regards,

Stephen


pgpxGGh8zP9ce.pgp
Description: OpenPGP digital signature

Bug#1036591: reaver: segmentation fault

[Leandro Cunha]

Hi,

On Wed, May 24, 2023 at 5:00 AM Andrey Rakhmatullin  wrote:
>
> On Tue, May 23, 2023 at 08:07:45PM -0300, Leandro Cunha wrote:
> > There was a user who reported that the problem also occurs in Debian
> > 11 (Bullseye).
> > But I can't confirm because I don't use stable.
> > Samuel, I know you use testing.
> > Andrey Rakhmatullin, do you use stable or do you have machines with stable?
> No.
> But if you don't have a fix suitable for stable it doesn't matter that
> much to confirm the bug there.

I made a scheme that I did in the past, to do tests here, virtualize
Bullseye and for that to work with WiFi I will need a USB card that I
also have. And I did the steps that reproduce the Bookworm bug in the
current stable which is Debian 11 (Bullseye). And I didn't have any
problems and I'm going to take advantage of the city's birthday
holiday to finalize, the only thing missing was the unlock request
email.

-- 
Cheers,
Leandro Cunha

Bug#1036687: debbugs-web: pages for bugs against source packages miss links

[Paul Gevers]

Nitpicking, but...

On 24-05-2023 14:15, Paul Gevers wrote:

I just discussed with josch here at the Debian Reunion Hamburg an


not josch, but jochensp. Mea culpa.

Paul


OpenPGP_signature
Description: OpenPGP digital signature

Bug#1036710: unblock: reserialize/20220929-2

[Andrej Shadura]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: reserial...@packages.debian.org
Control: affects -1 + src:reserialize

Please unblock package reserialize

In November, I added a custom patch which I hoped would have allowed to
use toml2* and *2toml scripts without an external toml dependency, but
apparently I didn’t test it properly (or at all?!), and it didn’t work.

This upload disables this patch, reverting toml support to what it was
before November 2022.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock reserialize/20220929-2
diff -Nru reserialize-20220929/debian/changelog 
reserialize-20220929/debian/changelog
--- reserialize-20220929/debian/changelog   2022-11-21 09:38:50.0 
+0100
+++ reserialize-20220929/debian/changelog   2023-05-24 17:01:40.0 
+0200
@@ -1,3 +1,10 @@
+reserialize (20220929-2) unstable; urgency=medium
+
+  * Drop tomllib patch, it never properly worked
+(Closes: #1036536, #1036537).
+
+ -- Andrej Shadura   Wed, 24 May 2023 17:01:40 +0200
+
 reserialize (20220929-1) unstable; urgency=medium
 
   * New upstream snapshot.
diff -Nru reserialize-20220929/debian/patches/series 
reserialize-20220929/debian/patches/series
--- reserialize-20220929/debian/patches/series  2022-11-21 09:38:50.0 
+0100
+++ reserialize-20220929/debian/patches/series  2023-05-24 17:01:40.0 
+0200
@@ -1,4 +1,4 @@
 0001-Accept-a-file-from-argv-recognise-help-and.patch
 0002-Drop-broken-plist-support.patch
 0003-Enable-the-use-of-bson-impl-without-dumps.patch
-0004-Add-Python-3.11-tomllib-support.patch
+#0004-Add-Python-3.11-tomllib-support.patch

Bug#1036709: unblock: libsepol/3.4-2.1

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libse...@packages.debian.org
Control: affects -1 + src:libsepol

Please unblock package libsepol

It fixes #1031798, inaccurate copyright file.

No other changes done.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
The package has been uploaded to DELAYED/2, ETA May 26th 2023, ~16:45

unblock libsepol/3.4-2.1


-- 
tobi


signature.asc
Description: PGP signature

Bug#1031798: libsepol: diff for NMU version 3.4-2.1

[Tobias Frost]

Control: tags 1031798 + pending


Dear maintainer,

I've prepared an NMU for libsepol (versioned as 3.4-2.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards.

diff -Nru libsepol-3.4/debian/changelog libsepol-3.4/debian/changelog
--- libsepol-3.4/debian/changelog	2022-06-15 09:56:48.0 +0200
+++ libsepol-3.4/debian/changelog	2023-05-24 16:43:03.0 +0200
@@ -1,3 +1,10 @@
+libsepol (3.4-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix "Inaccurate copyright file" (Closes: #1031798)
+
+ -- Tobias Frost   Wed, 24 May 2023 16:43:03 +0200
+
 libsepol (3.4-2) unstable; urgency=medium
 
   * fix validation of user declarations in modules, patch proposed upstream
diff -Nru libsepol-3.4/debian/copyright libsepol-3.4/debian/copyright
--- libsepol-3.4/debian/copyright	2022-06-15 09:56:48.0 +0200
+++ libsepol-3.4/debian/copyright	2023-05-24 16:36:19.0 +0200
@@ -1,49 +1,83 @@
-This is the Debian package for libsepol, and it is built from sources
-obtained from http://userspace.selinuxproject.org/releases/current/devel/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Comment:
+ This is the Debian package for libsepol.
+ .
+ This package was debianized by Russell Coker  on
+ Fri, 20 Aug 2004 17:26:18 +1000.
+Source: https://github.com/SELinuxProject/selinux/wiki/Releases
 
-
-
-This package was debianized by Russell Coker  on
-Fri, 20 Aug 2004 17:26:18 +1000.
-
-libsepol is
+Files: *
+Copyright: libsepol is
  Copyright (C) 2003, 2004 Stephen Smalley 
  Copyright (C) 2003-2007  Red Hat, Inc.
  Copyright (C) 2004, 2005 Trusted Computer Solutions, Inc.
- Copyright (C) 2003-2008  Tresys Technology, LLC
-
-
+ Copyright (C) 2003-2008, 2011 Tresys Technology, LLC
+ Copyright (C) 2017 Mellanox Techonolgies Inc.
+ Copyright (c) 2008 NEC Corporation
+License: LGPL-2.1+
 This library is free software; you can redistribute it and/or
 modify it under the terms of the GNU Lesser General Public
 License as published by the Free Software Foundation; either
 version 2.1 of the License, or (at your option) any later version.
-
+ .
 This library is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 Lesser General Public License for more details.
-
+ .
 You should have received a copy of the GNU Lesser General Public
 License along with this library; if not, write to the Free Software
 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
-On Debian GNU/Linux systems, the complete text of the Lesser GNU General
-Public License can be found in `/usr/share/common-licenses/LGPL'.
-
- This package is maintained by Manoj Srivastava .
-
- The Debian specific changes are © 2005-2008, Manoj Srivastava
- , and distributed under the terms of the GNU
- General Public License, version 2.
-
-
-On Debian GNU/Linux systems, the complete text of the GNU General
-Public License can be found in `/usr/share/common-licenses/GPL'.
-
+Comment:
+ On Debian GNU/Linux systems, the complete text of the Lesser GNU General
+ Public License version 2.1 can be found in `/usr/share/common-licenses/LGPL-2.1'.
+
+Files: cil/test/unit/CuTest.*
+Copyright: (c) 2003 Asim Jalis
+License: Zlib
+ This software is provided 'as-is', without any express or implied
+ warranty. In no event will the authors be held liable for any damages
+ arising from the use of this software.
+ .
+ Permission is granted to anyone to use this software for any purpose,
+ including commercial applications, and to alter it and redistribute it
+ freely, subject to the following restrictions:
+ .
+ 1. The origin of this software must not be misrepresented; you must not
+ claim that you wrote the original software. If you use this software in
+ a product, an acknowledgment in the product documentation would be
+ appreciated but is not required.
+ .
+ 2. Altered source versions must be plainly marked as such, and must not
+ be misrepresented as being the original software.
+ .
+ 3. This notice may not be removed or altered from any source
+ distribution.
+
+Files: debian/*
+Copyright: © 2005-2008, Manoj Srivastava 
+ 2012-2022  Laurent Bigonville 
+ 2011-2018  Russell Coker 
+License: GPL-2
+The Debian specific changes are distributed under the terms of the
+GNU General Public License, version 2.
+ .
 A copy of the GNU General Public License is also available at
 http://www.gnu.org/copyleft/gpl.html>.  You may also obtain
 it by writing to the Free Software Foundation, Inc., 51 Franklin
 St, Fifth Floor, Boston, MA 02110-1301 USA
-
-Manoj Srivastava 
-arch-tag: d4250e44-a0e0-4ee0-adb9-2bd74f6eeb27
+Comment:
+ On Debian GNU/Linux systems, the complete text of the GNU General
+ Public License version 2 can be found in 

Bug#1036708: ITS: dosbox is dead, move to active, high quality dosbox-staging successor

[David Heidelberg]

Package: dosbox
Version: 0.74-3-4+b1
Severity: normal
X-Debbugs-Cc: sk...@debian.org

Dear Maintainer,

DOSBox upstream is dead for a long time. Since upstream is dead,
multiple good or worse quality forks emerged over the time.

One of serious ones is DOSBox-staging, which implemented testing, using
recent SDL 2, modern programming language and tries hard to solve issues
previously carried patch by patch from downstream forks.

I (and probably few others listed in [1]) would love to see working
DOSBox.

Current DOSBox due to usage of SDL 1.2 is hardly usable on Wayland based
environments, so my main motivation is use DOSBox on Wayland and
Mobian/PureOS (Debian adapted to mobile phones).

Thank you!

[1] https://github.com/dosbox-staging/dosbox-staging/issues/664


-- System Information:
Debian Release: 12.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing'), (10, 'unstable'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-9-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dosbox depends on:
ii  libasound2   1.2.8-1+b1
ii  libc62.36-9
ii  libgcc-s112.2.0-14
ii  libgl1   1.6.0-1
ii  libpng16-16  1.6.39-2
ii  libsdl-net1.21.2.8-6+b1
ii  libsdl-sound1.2  1.0.3-9+b2
ii  libsdl1.2debian  1.2.15+dfsg2-8
ii  libstdc++6   12.2.0-14
ii  libx11-6 2:1.8.4-2
ii  zlib1g   1:1.2.13.dfsg-1

dosbox recommends no packages.

dosbox suggests no packages.

-- no debconf information

Bug#1036658: release-notes: 5.1.8. rsyslog creates fewer log files - mail.log is not dropped

[Michael Biebl]

Am 24.05.23 um 15:25 schrieb Christoph Anton Mitterer:

On Wed, 2023-05-24 at 15:19 +0200, Michael Biebl wrote:



Sorry, I meant: It (the expresssion like /var/log/lpr.log.*) only
matches rotated files, but not the actual log file itself.


But for that I would have had both:
/var/log/mail.{info,warn,err}   /var/log/lpr.log   
/var/log/{messages,debug,daemon.log}
/var/log/mail.{info,warn,err}.* /var/log/lpr.log.* 
/var/log/{messages,debug,daemon.log}.*



Indeed, I overlooked that part.


Anyway... if everyone agrees that we should leave out the rotated files
and leave that up to the user (which a note bout that being the case in
the release notes)... it would IMO be safer.

I could make a PR if desired so.


In the interest of keeping the list of file names short, I wouldn't 
duplicate them (one with .* and one without). But that's just a personal 
preference.


OpenPGP_signature
Description: OpenPGP digital signature

Bug#1026169: dhcpcd5: Please rename source package to dhcpcd

[Martin-Éric Racine]

On Fri, 20 Jan 2023 17:18:38 + Benjamin Drung  wrote:
> On Sun, 2023-01-08 at 14:18 +0200, Martin-Éric Racine wrote:
> > On Thu, Dec 15, 2022 at 8:44 PM Martin-Éric Racine
> >  wrote:
> > >
> > > On Thu, Dec 15, 2022 at 8:30 PM Benjamin Drung  wrote:
> > > > The source package name `dhcpcd5` does not reflect the reality any more.
> > > > Debian stable ships version 7 and testing/unstable version 9, but the
> > > > source package name indicates that is the version 5.
> > > >
> > > > Please rename the source package from `dhcpcd5` back to `dhcpcd` and
> > > > probably also the binary package.
> > >
> > > I fully agree. I've been meaning to do that at the same time as I
> > > upload 9.4.2, pending upstream release. Now that upstream has informed
> > > me that the next release is unlikely to happen until some time next
> > > month (too close to the freeze), I might do it during the Christmas
> > > vacations instead.
> >
> > I just uploaded a package that handles the binary transition to
> > Mentors. Sponsors are welcome.
> >
> > Beyond that, renaming the src package will be a tad more involved,
> > since Git repositories on Salsa and on my development host need to be
> > migrated to the new namespace, and the content of d/control and
> > d/copyright upgraded to match.
>
> Thanks. Let me know if you need help renaming the Git repositories on
> Salsa.

Git repository on Salsa migrated (dhcpcd instead of dhcpcd5. Thanks
for your help.

The src:package will implement this change in 10.0.1-1, which I should
be able to upload once Bookworm has been released.

Martin-Éric

Bug#1036707: RM: python-ppft -- ROM; packaged by mistake

[Agathe Porte]

Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: python-p...@packages.debian.org, deb...@microjoe.org
Control: affects -1 + src:python-ppft


Please remove python-ppft. It was packaged by mistake after misreading a
dependency list while introducing other packages. The package has no
reverse dependencies.

It has also been asked to the release team that this package is removed
from testing to not make it into bookworm (discussed with tobi and
elbrus).

Bug#1035745: unblock: dash/0.5.12-4 (preapproval)

[Luca Boccassi]

On Wed, 24 May 2023 at 15:14, Paul Gevers  wrote:
>
> Hi Luca,
>
> On 08-05-2023 17:54, Luca Boccassi wrote:
> > Filing this on request of the dash maintainer. We have recently
> > implemented a much needed cleanup that removes an unnecessary diversion
> > on /bin/sh, that makes the essential set nice and clean and diversion-
> > free, so that it can be set up without complex machinery.
>
> Let's do this in trixie. This request has been uneasy since you filed
> it, that's why it took so long to reply. Today I discussed with Andrej
> and we agreed this is too late for bookworm.

Ok, no worries. I had hoped that two weeks ago when I filed it there
was still enough time, but today it is indeed very late.

Kind regards,
Luca Boccassi

Bug#1025011: fixed in netatalk 3.1.15~ds-1

[Moritz Mühlenhoff]

reopen 1025011
thanks

Am Tue, May 02, 2023 at 07:03:55PM + schrieb Debian FTP Masters:
>[ Jonas Smedegaard ]
>* adopt package, thanks to renewed interest in the Netatalk team;
>  add Daniel Markstedt as uploader;
>  closes: bug#1013308;
>  closes: bug#1025011, thanks to Moritz Mühlenhoff

It's nice that there's renewed interest, but this involves also taking
care of netatalk in stable, there's a range of issues (full list at
https://security-tracker.debian.org/tracker/source-package/netatalk)
which need to be backported to bullseye-security.

I'm reopening the bug, it can be closed with the respective upload
to bullseye-security.

Cheers,
Moritz

Bug#1036706: xerial-sqlite-jdbc: CVE-2023-32697

[Salvatore Bonaccorso]

Source: xerial-sqlite-jdbc
Version: 3.40.1.0+dfsg-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for xerial-sqlite-jdbc.

CVE-2023-32697[0]:
| SQLite JDBC is a library for accessing and creating SQLite database
| files in Java. Sqlite-jdbc addresses a remote code execution
| vulnerability via JDBC URL. This issue impacting versions 3.6.14.1
| through 3.41.2.1 and has been fixed in version 3.41.2.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-32697
https://www.cve.org/CVERecord?id=CVE-2023-32697
[1] 
https://github.com/xerial/sqlite-jdbc/security/advisories/GHSA-6phf-6h5g-97j2

Regards,
Salvatore

Bug#1036213: apache2: frequent SIGSEGV in mod_http2.so (purge_consumed_buckets)

[Bastien Durel]

Le mercredi 24 mai 2023 à 14:50 +0200, Stefan Eissing a écrit :
> I continue to improve mod_proxy_http2:
> https://github.com/icing/mod_h2/releases/tag/v2.0.17
> 
> Added more edge case tests for the module, fixed observed bugs. But
> have not replicated your crashes which look weird. Sorry.

Hello,

I've put it in use on my server.

Do you need the configuration I use to serve these requests ?

Thanks,

-- 
Bastien

Bug#1036705: override: adduser:admin/required

[Helmut Grohne]

Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: override
X-Debbugs-Cc: addu...@packages.debian.org, debian-b...@lists.debian.org, 
debian-rele...@lists.debian.org, jo...@debian.org, de...@lists.debian.org, 
piuparts-de...@alioth-lists.debian.net
Control: affects -1 + src:adduser

Hi,

I am requesting to override the priority of adduser to become required.

Rationale

apt used to depend on adduser and apt is required, so adduser is
transitively required in bullseye. Johannes and myself worked towards
making apt not depend on adduser and that work succeeded. Unfortunately,
that also removed adduser from the transitively required set and now
debootstrap --variant=minbase no longer contains adduser while it
earlier did. In the mean time, packages started using deluser for postrm
purge, so they effectively assume that it was essential, which it isn't.
We've now fixed such postrm scripts to no longer do that, but we agreed
with the release team that it should be difficult to remove for bookworm
in order to make purging packages left over from bullseye just work
after and upgrade to bookworm. Originally, the idea was to add back the
dependency from apt. Instead, we made apt "Protected: yes". This still
doesn't install it by default, but makes removal difficult which is what
saves postrm purge scripts, so all should be good. Except that this
makes piuparts unhappy as it tries to remove adduser and apt being
unhappy about it. This is presently breaking testing migration for a
number of packages. So now we thought about it again and got to the
conclusion that adduser should also be Priority: required for bookworm
(and unstable until bookworm is released). Doing so is a late change, I
know. However, it gets us back to the bullseye state and in being
required, debootstrap --variant=minbase will install adduser again,
which will fix piuparts. So an we do that?

Helmut

Bug#1036704: unblock: dhcpcd5/9.4.1-22

[Shengjing Zhu]

On Wed, May 24, 2023 at 9:57 PM Shengjing Zhu  wrote:
> [ Checklist ]
>   [x] attach debdiff against the package in testing

Sorry, missing attachment...


dhcpcd5_9.4.1-22.debdiff
Description: Binary data

Bug#1036702: qtbase-opensource-src-gles: CVE-2023-32762

[Moritz Mühlenhoff]

Am Wed, May 24, 2023 at 03:50:06PM +0200 schrieb Moritz Mühlenhoff:
> Source: qtbase-opensource-src-gles
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for qtbase-opensource-src-gles.
> 
> CVE-2023-32762[0]:
> https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
> 
> Per IRC thus likely also affects the -gles variant

Confused the CVE IDs, this is for CVE-2023-32763, which is the SVG issue.
CVE-2023-32762 being about HSTS should not affect -gles.

Cheers,
Moritz

Bug#1036704: unblock: dhcpcd5/9.4.1-22

[Shengjing Zhu]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: dhcp...@packages.debian.org, z...@debian.org, 
martin-eric.rac...@iki.fi
Control: affects -1 + src:dhcpcd5

Please unblock package dhcpcd5

[ Reason ]
The packages fails to run on ppc64el (syscall is blocked by seccomp
policy).
And `dhcpcd -U` command also fails to run on all arch (newfstatat syscall
introduced by glibc is blocked by seccomp policy)

While trying to run autopkgtests to verify these issues, I find it contains
isolation-machine tests, which never run Debian infra, but are broken.
So this version contains fixes for autopkgtests too.

[ Impact ]
Without the unblock, the package is not functional entirely on ppc64el,
and one subcommand is not functional on all arch.

[ Tests ]
It has autopkgtests, but non-trival ones need isolation-machine.
I've run them on Ubuntu autopkgtest infra.

[ Risks ]
Code is trival and easy to review.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
None

unblock dhcpcd5/9.4.1-22

Bug#1036703: teeworlds: CVE-2023-31517 CVE-2023-31518

[Moritz Mühlenhoff]

Source: teeworlds
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerabilities were published for teeworlds.

CVE-2023-31517[0]:
| Teeworlds v0.7.5 was discovered to contain memory leaks.

https://gist.github.com/manba-bryant/9ca95d69c65f4d2c55946932c946fb9b

CVE-2023-31518[1]:
| A heap use-after-free in the component CDataFileReader::GetItem of
| teeworlds v0.7.5 allows attackers to cause a Denial of Service (DoS)
| via a crafted map file.

https://gist.github.com/manba-bryant/9ca95d69c65f4d2c55946932c946fb9b
https://github.com/teeworlds/teeworlds/issues/2970


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-31517
https://www.cve.org/CVERecord?id=CVE-2023-31517
[1] https://security-tracker.debian.org/tracker/CVE-2023-31518
https://www.cve.org/CVERecord?id=CVE-2023-31518

Please adjust the affected versions in the BTS as needed.

Bug#1036702: qtbase-opensource-src-gles: CVE-2023-32762

[Moritz Mühlenhoff]

Source: qtbase-opensource-src-gles
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qtbase-opensource-src-gles.

CVE-2023-32762[0]:
https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305

Per IRC thus likely also affects the -gles variant

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-32762
https://www.cve.org/CVERecord?id=CVE-2023-32762

Please adjust the affected versions in the BTS as needed.

Bug#1036701: gpac: CVE-2023-2837 CVE-2023-2838 CVE-2023-2839 CVE-2023-2840

[Moritz Mühlenhoff]

Source: gpac
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2023-2837[0]:
| Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to
| 2.2.2.

https://huntr.dev/bounties/a6bfd1b2-aba8-4c6f-90c4-e95b1831cb17/
https://github.com/gpac/gpac/commit/6f28c4cd607d83ce381f9b4a9f8101ca1e79c611

CVE-2023-2838[1]:
| Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2.

https://huntr.dev/bounties/711e0988-5345-4c01-a2fe-1179604dd07f/
https://github.com/gpac/gpac/commit/c88df2e202efad214c25b4e586f243b2038779ba

CVE-2023-2839[2]:
| Divide By Zero in GitHub repository gpac/gpac prior to 2.2.2.

https://huntr.dev/bounties/42dce889-f63d-4ea9-970f-1f20fc573d5f/
https://github.com/gpac/gpac/commit/047f96fb39e6bf70cb9f344093f5886e51dce0ac

CVE-2023-2840[3]:
| NULL Pointer Dereference in GitHub repository gpac/gpac prior to
| 2.2.2.

https://huntr.dev/bounties/21926fc2-6eb1-4e24-8a36-e60f487d0257/
https://github.com/gpac/gpac/commit/ba59206b3225f0e8e95a27eff41cb1c49ddf9a3

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-2837
https://www.cve.org/CVERecord?id=CVE-2023-2837
[1] https://security-tracker.debian.org/tracker/CVE-2023-2838
https://www.cve.org/CVERecord?id=CVE-2023-2838
[2] https://security-tracker.debian.org/tracker/CVE-2023-2839
https://www.cve.org/CVERecord?id=CVE-2023-2839
[3] https://security-tracker.debian.org/tracker/CVE-2023-2840
https://www.cve.org/CVERecord?id=CVE-2023-2840

Please adjust the affected versions in the BTS as needed.

Bug#1036700: unblock: openstructure/2.3.1-9

[Andrius Merkys]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: openstruct...@packages.debian.org
Control: affects -1 + src:openstructure

Please unblock package openstructure

[ Reason ]
* #1036639: libost-base2.3: please add Breaks: libost-base2.2 for 
smoother upgrades from bullseye


[ Impact ]
* openstructure library stacks from bullseye and bookworm are not
co-installable
* fresh installs of/in bookworm are not affected

[ Tests ]
I have tested install of openstructure library stack on bullseye and 
bookworm. I have not tested the upgrade procedure from bullseye to 
bookworm, however I do trust that adding Breaks will signal apt to 
resolve the underlying conflict of different versions of 
libboost-regex1.74.0.


[ Risks ]
None that I am aware of.

[ Checklist ]
   [x] all changes are documented in the d/changelog
   [x] I reviewed all changes and I approve them
   [x] attach debdiff against the package in testing

unblock openstructure/2.3.1-9diff -Nru openstructure-2.3.1/debian/changelog 
openstructure-2.3.1/debian/changelog
--- openstructure-2.3.1/debian/changelog2022-08-16 03:15:29.0 
-0400
+++ openstructure-2.3.1/debian/changelog2023-05-24 00:56:53.0 
-0400
@@ -1,3 +1,10 @@
+openstructure (2.3.1-9) unstable; urgency=medium
+
+  * libost-base2.3: Add Breaks: libost-base2.2 for smoother upgrades from
+bullseye. (Closes: #1036639)
+
+ -- Andrius Merkys   Wed, 24 May 2023 00:56:53 -0400
+
 openstructure (2.3.1-8) unstable; urgency=medium
 
   * Install shlibs into multiarch locations using debian/rules.
diff -Nru openstructure-2.3.1/debian/control openstructure-2.3.1/debian/control
--- openstructure-2.3.1/debian/control  2022-08-16 03:15:29.0 -0400
+++ openstructure-2.3.1/debian/control  2023-05-24 00:54:37.0 -0400
@@ -41,6 +41,8 @@
 Depends:
  ${misc:Depends},
  ${shlibs:Depends},
+Breaks:
+ libost-base2.2,
 Description: Open-Source Computational Structural Biology Framework
  OpenStructure aims to provide an open-source, modular, flexible, molecular
  modelling and visualization environment. It is targeted at interested method

Bug#1036658: release-notes: 5.1.8. rsyslog creates fewer log files - mail.log is not dropped

[Christoph Anton Mitterer]

On Wed, 2023-05-24 at 15:19 +0200, Michael Biebl wrote:
> Am 24.05.23 um 14:52 schrieb Christoph Anton Mitterer:
> > On Wed, 2023-05-24 at 09:47 +0200, Michael Biebl wrote:
> > > > The following would be at least a bit more restrictive:
> > > >    /var/log/mail.{info,warn,err} /var/log/lpr.log
> > > > /var/log/{messages,debug,daemon.log}
> > > >    /var/log/mail.{info,warn,err}.* /var/log/lpr.log.*
> > > > /var/log/{messages,debug,daemon.log}.*
> > > > 
> > > > not perfect though, cause it could still select unrelated files
> > > 
> > > It only matches compressed files though
> > 
> > Mine? That I don't understand... I have the ones with just the name
> > of
> > the logfile itself... and then .*, which should match the non-
> > compressed .0, .1, etc. as any .0.xz, .1.xz, etc.?
> 
> Sorry, I meant: It (the expresssion like /var/log/lpr.log.*) only 
> matches rotated files, but not the actual log file itself.

But for that I would have had both:
   /var/log/mail.{info,warn,err}   /var/log/lpr.log   
/var/log/{messages,debug,daemon.log}
   /var/log/mail.{info,warn,err}.* /var/log/lpr.log.* 
/var/log/{messages,debug,daemon.log}.*


Anyway... if everyone agrees that we should leave out the rotated files
and leave that up to the user (which a note bout that being the case in
the release notes)... it would IMO be safer.

I could make a PR if desired so.


Cheers,
Chris.

Bug#1036699: unblock: ruby-terser/1.1.12+dfsg-2

[Mohammed Bilal]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: ruby-ter...@packages.debian.org, mdbi...@disroot.org, 
prav...@debian.org
Control: affects -1 + src:ruby-terser

Please unblock package ruby-terser


[ Reason ]
This fixes the FTBFS in testing See #1036261

[ Impact ]
Ruby terser upstream uses a patched version of terser.js.
This has to be updated according to the version of node-terser in Debian as 
well else this will render the gem unusable.

[ Tests ]
Tests pass

[ Risks ]
No risk


[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing


unblock ruby-terser/1.1.12+dfsg-2
diff -Nru ruby-terser-1.1.12+dfsg/debian/changelog 
ruby-terser-1.1.12+dfsg/debian/changelog
--- ruby-terser-1.1.12+dfsg/debian/changelog2022-09-07 22:43:41.0 
+0530
+++ ruby-terser-1.1.12+dfsg/debian/changelog2023-05-24 11:17:00.0 
+0530
@@ -1,3 +1,10 @@
+ruby-terser (1.1.12+dfsg-2) unstable; urgency=medium
+
+  * Team upload.
+  * Refresh patch wrt node-terser 5.16.5 (Closes: #1036261)
+
+ -- Mohammed Bilal   Wed, 24 May 2023 05:47:00 +
+
 ruby-terser (1.1.12+dfsg-1) unstable; urgency=medium
 
   [ Yadd ]
diff -Nru ruby-terser-1.1.12+dfsg/debian/patches/terser-sync.patch 
ruby-terser-1.1.12+dfsg/debian/patches/terser-sync.patch
--- ruby-terser-1.1.12+dfsg/debian/patches/terser-sync.patch2022-09-06 
19:51:14.0 +0530
+++ ruby-terser-1.1.12+dfsg/debian/patches/terser-sync.patch2023-05-24 
11:12:47.0 +0530
@@ -1,14 +1,14 @@
 Description: import upstream patches to render terser sync
 Origin: upstream,
  https://github.com/ahorek/terser-ruby/blob/master/patches/terser-sync.patch
- 
https://github.com/ahorek/terser-ruby/blob/master/patches/revert-source-maps.patch
+ 
https://github.com/ahorek/terser-ruby/blob/master/patches/revert-source-maps.p>
 Bug-Debian: https://bugs.debian.org/1017609
 Forwarded: not-needed
 Reviewed-By: Yadd 
 
 --- a/terser.js
 +++ b/terser.js
-@@ -21156,7 +21156,7 @@
+@@ -21517,7 +21517,7 @@
   ***/
  
  // a small wrapper around source-map and @jridgewell/source-map
@@ -17,7 +17,7 @@
  options = defaults(options, {
  file : null,
  root : null,
-@@ -21164,31 +21164,20 @@
+@@ -21525,31 +21525,20 @@
  files: {},
  });
  
@@ -55,7 +55,7 @@
  
  function add(source, gen_line, gen_col, orig_line, orig_col, name) {
  let generatedPos = { line: gen_line, column: gen_col };
-@@ -21245,10 +21234,9 @@
+@@ -21606,10 +21595,9 @@
  }
  
  return {
@@ -69,7 +69,7 @@
  };
  }
  
-@@ -29459,6 +29447,10 @@
+@@ -29824,6 +29812,10 @@
  }
  
  async function minify(files, options, _fs_module) {
@@ -80,7 +80,23 @@
  if (
  _fs_module
  && typeof process === "object"
-@@ -29650,15 +29642,21 @@
+@@ -29995,13 +29987,10 @@
+ if (options.format.spidermonkey) {
+ result.ast = toplevel.to_mozilla_ast();
+ }
+-let format_options;
+ if (!HOP(options.format, "code") || options.format.code) {
+-// Make a shallow copy so that we can modify without mutating the 
user's input.
+-format_options = {...options.format};
+-if (!format_options.ast) {
++if (!options.format.ast) {
+ // Destroy stuff to save RAM. (unless the deprecated `ast` option 
is on)
+-format_options._destroy_ast = true;
++options.format._destroy_ast = true;
+ 
+ walk(toplevel, node => {
+ if (node instanceof AST_Scope) {
+@@ -30018,38 +30007,34 @@
  }
  
  if (options.sourceMap) {
@@ -89,12 +105,13 @@
 +if (typeof options.sourceMap.content == "string") {
 +options.sourceMap.content = 
JSON.parse(options.sourceMap.content);
  }
--options.format.source_map = await SourceMap({
-+options.format.source_map = SourceMap({
+-format_options.source_map = await SourceMap({
++  options.format.source_map = SourceMap({
  file: options.sourceMap.filename,
  orig: options.sourceMap.content,
- root: options.sourceMap.root,
+-root: options.sourceMap.root,
 -files: options.sourceMap.includeSources ? files : null,
++root: options.sourceMap.root
  });
 +if (options.sourceMap.includeSources) {
 +if (files instanceof AST_Toplevel) {
@@ -104,9 +121,14 @@
 +}
 +}
  }
- delete options.format.ast;
- delete options.format.code;
-@@ -29667,21 +29665,11 @@
+-delete format_options.ast;
+-delete format_options.code;
+-delete format_options.spidermonkey;
+-var stream = OutputStream(format_options);
++

Bug#1036658: release-notes: 5.1.8. rsyslog creates fewer log files - mail.log is not dropped

[Michael Biebl]

Am 24.05.23 um 14:52 schrieb Christoph Anton Mitterer:

On Wed, 2023-05-24 at 09:47 +0200, Michael Biebl wrote:

The following would be at least a bit more restrictive:
   /var/log/mail.{info,warn,err} /var/log/lpr.log
/var/log/{messages,debug,daemon.log}
   /var/log/mail.{info,warn,err}.* /var/log/lpr.log.*
/var/log/{messages,debug,daemon.log}.*

not perfect though, cause it could still select unrelated files


It only matches compressed files though


Mine? That I don't understand... I have the ones with just the name of
the logfile itself... and then .*, which should match the non-
compressed .0, .1, etc. as any .0.xz, .1.xz, etc.?


Sorry, I meant: It (the expresssion like /var/log/lpr.log.*) only 
matches rotated files, but not the actual log file itself.




OpenPGP_signature
Description: OpenPGP digital signature

Bug#1036698: RFS: fortune-dhp/0.1-1 -- Dhammapada Fortune

[Ko Ko Ye`]

Package: sponsorship-requests
Severity: wishlist

Dear mentors,

I am looking for a sponsor for my package "fortune-dhp":

 * Package name : fortune-dhp
   Version  : 0.1-1
   Upstream contact : kokoye2...@gmail.com
 * URL  : https://github.com/kokoye2007/fortune-dhp
 * License  : LGPL-3.0+
 * Vcs  : https://github.com/kokoye2007/fortune-dhp
   Section  : games

The source builds the following binary packages:

  fortune-dhp - Dhammapada Fortune

To access further information about this package, please visit the
following URL:

  https://mentors.debian.net/package/fortune-dhp/

Alternatively, you can download the package with 'dget' using this command:

  dget -x
https://mentors.debian.net/debian/pool/main/f/fortune-dhp/fortune-dhp_0.1-1.dsc

Changes for the initial release:

 fortune-dhp (0.1-1) unstable; urgency=medium
 .
   * Initial release

Regards,

Bug#1036658: release-notes: 5.1.8. rsyslog creates fewer log files - mail.log is not dropped

[Christoph Anton Mitterer]

On Wed, 2023-05-24 at 09:47 +0200, Michael Biebl wrote:
> See 
> https://salsa.debian.org/ddp-team/release-notes/-/merge_requests/177

Ah... sorry I hadn't looked there.


> > The following would be at least a bit more restrictive:
> >   /var/log/mail.{info,warn,err} /var/log/lpr.log
> > /var/log/{messages,debug,daemon.log}
> >   /var/log/mail.{info,warn,err}.* /var/log/lpr.log.*
> > /var/log/{messages,debug,daemon.log}.*
> > 
> > not perfect though, cause it could still select unrelated files 
> 
> It only matches compressed files though 

Mine? That I don't understand... I have the ones with just the name of
the logfile itself... and then .*, which should match the non-
compressed .0, .1, etc. as any .0.xz, .1.xz, etc.?


> Maybe just drop the “*” and leave it up to the user 

I personally would even tend to that... and add a note like:

"Beware, that these don't match any rotated files which may have
extensions like .0, .1, .0.xz, .1.xz, et cetera."

Especially as there not even a guarantee that the extension for
compressed files will be the well-known ones (given logrotate has
`compressext` option).


Cheers,
Chris.