Bug#966621: Make /tmp/ a tmpfs and cleanup /var/tmp/ on a timer by default [was: Re: systemd: tmpfiles.d not cleaning /var/tmp by default]

2024-05-07 Thread Carsten Leonhardt 
Luca Boccassi  writes:

> Defaults are defaults, they are trivially and fully overridable where
> needed if needed. Especially container and VM managers these days can
> super trivially override them via SMBIOS Type11 strings or
> Credentials, ephemerally and without changing the guest image at all.

That argument goes both ways and I prefer safe defaults. What
you/upstream propose are unsafe defaults, as was shown by several
comments in this thread. Whoever wants the unsafe defaults of deleting
old files and risking OOM situations can than "trivially and fully
override" the safe defaults.

Bug#1052049: bacula-director: Please amend bacula-dir.conf to include subfiles

2024-02-01 Thread Carsten Leonhardt 
Hi Niels,

"Niels S. Richthof"  writes:

> The bacula director configuration file can get very big and messy, especially 
> when backing up many clients.
[...]
> 1. Create a new (empty) directory "/etc/bacula/bacula-dir.conf.d/"
> 2. Add the following snipped to "/etc/bacula/bacula-dir.conf":
>
># Include subfiles associated with configuration of clients.
># They define the bulk of the Clients, Jobs, and FileSets.
># Remember to "reload" the Director after adding a client file.
>#
>@|"sh -c 'for f in /etc/bacula/bacula-dir.conf.d/*.conf ; do echo @${f} ; 
> done'"

I agree that this is good practice, I myself manage my configurations in
a similar way.

My feeling is that it's up to the local administrator to decide how they
want to manage their configurations and implement it accordingly.

One of the gains from the strategy of configuration directories is that
the main configuration does not need to be touched by the local
administrator and so local configuration changes do not conflict with
updated configuration files that are provided in the packages. In the
case of Bacula, all installations I manage have modified main
configuration files because I deviate from many things that are
configured in the default configuration.

If the main config file would be mostly empty or defaults could be
overridden, I'd be in favour of this change, but as it stands now, I'd
rather leave it to the local admin.

As an aside, I'm aware that getting asked to replace the configuration
files on each update is not handy and finding a solution is on my todo
list.

Regards

Carsten

Bug#1057044: xymon: ntpdate no longer supports the -p option

2023-11-28 Thread Carsten Leonhardt 
Hi Axel,

>> If you prefer, I can also commit directly to salsa.
>
> Fine for me, thanks!

I just realized that I messed it up, I'll fix it (the change is in upstream
code...)

Regards

Carsten

Bug#1057044: xymon: ntpdate no longer supports the -p option

2023-11-28 Thread Carsten Leonhardt 
Package: xymon
Version: 4.3.30-1
Severity: normal
Tags: patch

Dear maintainers,

ntpdate emits a warning when called with the -p option. I've attached a
patch to drop that option from xymonserver.cfg.

If you prefer, I can also commit directly to salsa.

Regards

Carsten

>From 6df3ff8215dd4c3d848f9ec22de3f94d84767a95 Mon Sep 17 00:00:00 2001
From: Carsten Leonhardt 
Date: Tue, 28 Nov 2023 16:15:16 +0100
Subject: [PATCH] xymon: update xymonserver.cfg: ntpdate no longer supports the
 "-p" option (cf. #926877).

---
 debian/changelog | 2 ++
 xymond/etcfiles/xymonserver.cfg.DIST | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index b83b5d6..c440bc8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -34,6 +34,8 @@ xymon (4.3.30-2) UNRELEASED; urgency=medium
   [ Carsten Leonhardt ]
   * Update xymon-client.init: add "reload" to usage message as that is
 supported, too.
+  * xymon: update xymonserver.cfg: ntpdate no longer supports the "-p"
+option.
 
  -- Axel Beckert   Mon, 10 Aug 2020 04:39:28 +0200
 
diff --git a/xymond/etcfiles/xymonserver.cfg.DIST b/xymond/etcfiles/xymonserver.cfg.DIST
index 53ff592..3a9229b 100644
--- a/xymond/etcfiles/xymonserver.cfg.DIST
+++ b/xymond/etcfiles/xymonserver.cfg.DIST
@@ -134,7 +134,7 @@ NONETPAGE=""	# Network tests that go YELLOW upon failure
 FPING="@FPING@"	# Path and options for the ping program.
 FPINGOPTS="-Ae"	# Standard options to fping/xymonping
 NTPDATE="ntpdate"# Path to the 'ntpdate' program
-NTPDATEOPTS="-u -q -p 1"			# Standard options to ntpdate
+NTPDATEOPTS="-u -q"# Standard options to ntpdate
 TRACEROUTE="traceroute" # How to do traceroute on failing ping tests. Requires "trace" in hosts.cfg .
 TRACEROUTEOPTS="-n -q 2 -w 2 -m 15"		# Standard options to traceroute
 XYMONROUTERTEXT="router"			# What to call a failing intermediate network device.
-- 
2.39.2

Bug#1055184: python3-kerberos: Please update to at least version 1.2.4

2023-11-01 Thread Carsten Leonhardt 
Package: python3-kerberos
Version: 1.1.14-3.1+b7
Severity: wishlist
X-Debbugs-Cc: l...@debian.org

Dear maintainer,

starting with at least version 1.2.1 pykerberos gained the ability to
do message encryption. This is very useful when trying to setup
ansible to control windows hosts. See
e.g. https://github.com/diyan/pywinrm/issues/300

I have locally packaged version 1.2.4 that I'm using without problems
so far.

You may want to have a look at https://pypi.org/project/kerberos/ too.

Regards

Carsten

Bug#1020506: RM: pound -- ROM; No further development and support from upstream after the end of the year, should not be part of the next Debian stable release

2022-09-22 Thread Carsten Leonhardt 
Package: ftp.debian.org
Severity: normal

Bug#1012301: bacula: Corruption of File media during concurrent backups

2022-08-15 Thread Carsten Leonhardt 
Hi Julien,

Julien Chiaramello  writes:

> This bug did not happen before we implemented Concurrent Jobs
>
> The bug has been declared upstream : https://bugs.bacula.org/view.php?id=2664

thanks for your bug report. Just one thing - can you confirm the
upstream bug number? Currently the highest bug number is 2659, so you
probably have a typo in there.

Regards

Carsten

Bug#1017417: Exceptions for needrestart

2022-08-15 Thread Carsten Leonhardt 
Package: needrestart
Version: 3.5-4+deb11u2
Severity: wishlist

Dear Patrick,

I maintain the package "bacula", a backup program. It consists of
several daemons that shouldn't be restarted while a backup is
running. Today I've once again accidentally restarted the main daemon
during a backup run, which brings me to my wish: Please either add the
daemons to the override_rc list or (my preference) make it possible for
packages to contain config snippets to manage the default
selection. Maybe it's already possible to do with a config snippet in
/etc/needrestart/conf.d/ - in that case some documentation or an example
would be great.

The daemons are:

bacula-dir
bacula-sd
bacula-fd

Best Regards,

Carsten

Bug#1008978: bsdjson segmentation fault

2022-05-30 Thread Carsten Leonhardt 
Control: forwarded -1 https://bugs.bacula.org/view.php?id=2669

> Error message: bacula-sd: bsdjson.c:530-0 No Storage resource defined in /. 
> Cannot continue. 05-апр 16:42 bacula-sd JobId 0: Error: bsdjson.c:530 No 
> Storage resource defined in /. Cannot continue. bacula-sd: bsdjson.c:541-0 No 
> Director resource defined in /. Cannot continue. 05-апр 16:42 bacula-sd JobId 
> 0: Error: bsdjson.c:541 No Director resource defined in /. Cannot continue. 
> bacula-sd: bsdjson.c:546-0 No Device resource defined in /. Cannot continue. 
> 05-апр 16:42 bacula-sd JobId 0: Error: bsdjson.c:546 No Device resource 
> defined in /. Cannot continue. 
> Segmentation fault 

Hi Эрик,

thanks for your bug report, I have forwared it to upstreams bug tracker.

Regards

Carsten

Bug#1000174: reassign to dbconfig-pgsql

2022-05-30 Thread Carsten Leonhardt 
Control: reassign 1000174 dbconfig-pgsql
Control: reassign 1000176 dbconfig-pgsql

Hi Paul,

these two bugs happen during the dbconfig actions, so I'm reassigning
them there.

Regards

Carsten

Bug#999985: [pound] Bug#999985: pound: depends on obsolete pcre3 library

2021-11-23 Thread Carsten Leonhardt 
Hi Robert,

indeed, the package names in Debian are a bit confusing. Debian's
libpcre3-dev contains "pcreposix.h" and libpcre2-dev contains
pcre2posix.h. The latter, as you note, is not picked up by configure.

For the moment I'll disable linking to pcre in Debian unstable until
pcre2posix.h works automatically.

Thanks

Carsten

Robert Segall via pound  writes:

> Hallo Carsten
>
> Thank you for the information. A few points:
>
> - Pound uses pcreposix, which in turn pulls in whatever version of pcre
> is available. There is no usage of pcre per se.
>
> - The component is optional. If pcreposix is not found, Pound will
> happily use the libc regex.
>
> I'll add a test for pcre2posix if available to the build process.

Bug#999985: pound: depends on obsolete pcre3 library

2021-11-18 Thread Carsten Leonhardt 
Hi Robert,

apparently the pcre library (named pcre3 in Debian) is obsolete and it
is recommended to switch to pcre2. See the Debian bug report below.

"Bookworm" is the next Debian release, which is planned for 2023. "In
time for the release of Bookworm" would probably mean a removal from the
development version of Debian in 2022. As Ubuntu and probably other
Debian derivatives base themselves on Debian's development version, this
might affect those distributions earlier than 2023.

Regards

Carsten


Matthew Vernon  writes:

> Source: pound
> Severity: important
> User: matthew-pcre...@debian.org
> Usertags: obsolete-pcre3
>
> Dear maintainer,
>
> Your package still depends on the old, obsolete PCRE3[0] libraries
> (i.e. libpcre3-dev). This has been end of life for a while now, and
> upstream do not intend to fix any further bugs in it. Accordingly, I
> would like to remove the pcre3 libraries from Debian, preferably in
> time for the release of Bookworm.
>
> The newer PCRE2 library was first released in 2015, and has been in
> Debian since stretch. Upstream's documentation for PCRE2 is available
> here: https://pcre.org/current/doc/html/
>
> Many large projects that use PCRE have made the switch now (e.g. git,
> php); it does involve some work, but we are now at the stage where
> PCRE3 should not be used, particularly if it might ever be exposed to
> untrusted input.
>
> This mass bug filing was discussed on debian-devel@ in
> https://lists.debian.org/debian-devel/2021/11/msg00176.html
>
> Regards,
>
> Matthew [0] Historical reasons mean that old PCRE is packaged as
> pcre3 in Debian

Bug#995251: xymon-client: missing /etc/xymon/graphs.d/mq.cfg

2021-09-28 Thread Carsten Leonhardt 
Package: xymon-client
Version: 
Severity: normal

Dear Maintainer,

the plugin mq reports data for graphing, but there is no corresponding
file for the server side (/etc/xymon/graphs.d/mq.cfg). Since one of the
maintainers wrote the plugin, maybe you have the file and just forgot to
include it?

Regards

Carsten

Bug#992452: Links between documents broken

2021-08-18 Thread Carsten Leonhardt 
Package: bacula-doc
Version: 9.6.7-1

Links between the documents point to, for example,
../utility/utility.pdf but in the package the directory structure isn't
used and the pdfs are gzipped.

Example: main.pdf.gz, Chapter 25.1, there are links to bextract and
bscan.

Bug#990774: runit-init: /lib/runit/shutdown does nothing when called with parameters

2021-07-06 Thread Carsten Leonhardt 
Package: runit-init
Version: 2.1.2-40
Severity: important

Hi Lorenzo,

running runit as PID 1, my habitual "shutdown -r now" doesn't work, it
does nothing at all.

This also prevents acpi-support-base from handling the pressing of the
power button to shutdown, the package calls

/sbin/shutdown -h -P now "Power button pressed"

(see /etc/acpi/powerbtn-acpi-support.sh)

In extension, that prevents libvirt to shutdown/reboot a VM running
with runit-init ("virsh shutdown "). That's the reason I switched
back to sysvinit-core for now.

Regards,

Carsten

-- System Information:
Debian Release: 11.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-7-amd64 (SMP w/4 CPU threads)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages runit-init depends on:
pn  getty-run
ii  initscripts  2.96-7
pn  runit
ii  sysv-rc  2.96-7

runit-init recommends no packages.

runit-init suggests no packages.

Bug#987285: pound FTCBFS: runs cmake for the build architecture

2021-04-21 Thread Carsten Leonhardt 
Hi Helmut,

> Source: pound
> Version: 3.0-2
> Tags: patch
> User: debian-cr...@lists.debian.org
> Usertags: ftcbfs
>
> pound fails to cross build from source since the 3.0-2 upload to
> unstable, because it does not pass cross flags to cmake. The easiest way
> of doing so - using dh_auto_configure - makes pound cross buildable.
> Please consider applying the attached patch.

thanks for the patch - do you think I should try to get this into
bullseye?

Regards

Carsten

Bug#930931: [pkg-bacula-devel] Bug#930931: /usr/sbin/btape: btape crashes on "fill" test

2020-09-30 Thread Carsten Leonhardt 
Hi Sebastian,

more than a year ago you reported a crash in btape. Would you be able to
re-test if the problem still exists in the newest version in backports
for Debian 10? Upstream said they couldn't reproduce it in the newest
version.

Regards,

Carsten

Bug#971381: bacula-director-mysql: db_name assignement properly

2020-09-29 Thread Carsten Leonhardt 
Hi Josu,

> Please, do db_name assignement properly for scripts in
> /usr/share/bacula-director/ as in package bacula-director-pgsql
>
> It should be db_name=${db_name:-bacula} instead of db_name=@db_name@ in
> order to use enviroment variables
>
> As is, scritps can not be used

thank you for taking the time to report this bug.

However, it seems that you have answered the debconf questions about
your database. Your databases should have been set up / updated
automatically.

What exactly were you trying to do? And what is the exact error you are
getting?

The scripts you found there are only for people that don't want to have
their database handled automatically.

Regards,

Carsten

Bug#970025: squid: configuration reads *~ files from /etc/squid/conf.d

2020-09-10 Thread Carsten Leonhardt 
Package: squid
Version: 4.6-1+deb10u4
Severity: normal

Dear Maintainer,

in /etc/squid/squid.conf the directive

include /etc/squid/conf.d/*

also loads backup files created by editors (files ending with
"~"). That's at least surprising, to avoid unintended results it shouldd
be changed to something like

include /etc/squid/conf.d/*.conf

Otherwise it's necessary to always check if the editor created a backup
file and delete it before squid reads it's configuration.

The location to patch would be in:

debian/patches/0001-Default-configuration-file-for-debian.patch

As the fix is trivial, I'm not including a patch.

Regards,

Carsten

-- System Information:
Debian Release: 10.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-10-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages squid depends on:
ii  adduser  3.118
ii  libc62.28-10
ii  libcap2  1:2.25-2
ii  libcom-err2  1.44.5-1+deb10u3
ii  libdb5.3 5.3.28+dfsg1-0.5
ii  libdbi-perl  1.642-1+b1
ii  libecap3 1.0.1-3.2
ii  libexpat12.2.6-2+deb10u1
ii  libgcc1  1:8.3.0-6
ii  libgnutls30  3.6.7-4+deb10u5
ii  libgssapi-krb5-2 1.17-3
ii  libkrb5-31.17-3
ii  libldap-2.4-22.4.47+dfsg-3+deb10u2
ii  libltdl7 2.4.6-9
ii  libnetfilter-conntrack3  1.0.7-1
ii  libnettle6   3.4.1-1
ii  libpam0g 1.3.1-5
ii  libsasl2-2   2.1.27+dfsg-1+deb10u1
ii  libstdc++6   8.3.0-6
ii  libxml2  2.9.4+dfsg1-7+b3
ii  logrotate3.14.0-4
ii  lsb-base 10.2019051400
ii  netbase  5.6
ii  squid-common 4.6-1+deb10u4

Versions of packages squid recommends:
ii  ca-certificates  20200601~deb10u1
ii  libcap2-bin  1:2.25-2

Versions of packages squid suggests:
pn  resolvconf   
pn  smbclient
pn  squid-cgi
pn  squid-purge  
pn  squidclient  
pn  ufw  
pn  winbind  

-- no debconf information

Bug#969272: buster-pu: package bacula/9.4.2-2

2020-08-30 Thread Carsten Leonhardt 
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Dear Release Team,

I'd like to fix CVE-2020-11061 for bacula in buster. The DSA team
recommends fixing it via point release (according to the security
tracker).

The version in testing/unstable already includes the fix. Stretch was
fixed by the LTS team.

Thanks,

Carsten


bacula_9.4.2-2+deb10u1.debdiff
Description: Binary data

Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6

2020-06-16 Thread Carsten Leonhardt 
Julien Cristau  writes:

> Control: tag -1 confirmed

> Sorry for the delay, please go ahead.

For information, I've uploaded the package some time ago and it's
waiting in the NEW queue for FTP master review.

Regards,

Carsten

Bug#962918: ITP: bacula-libs3 -- S3 library for Bacula

2020-06-15 Thread Carsten Leonhardt 
Package: wnpp
Severity: wishlist
Owner: Carsten Leonhardt 

* Package name: bacula-libs3
  Version : 0~20200523
  Upstream Author : Bryan Ischo , modified by Bacula Systems
* URL : https://www.bacula.org/downloads/
* License : LGPL 3+
  Programming Lang: C
  Description : S3 library for Bacula
This is a C library to access S3 storage with Bacula. This version
is modified version of libs3 and maintained by Bacula Systems to
work with Bacula.
  

We, the Debian Bacula Packaging Team are packaging and will be
maintaining this as an enhancement for Bacula. The possibility to use
S3 storage is often asked about on the Bacula mailing lists and is also
mentioned in #928343.

To not get in the way of the libs3 package, we plan to use a private
location for the library.

Bug#954987: ITP: locker -- Container

2020-03-27 Thread Carsten Leonhardt 
Hi Amit,

"Amit"  writes:

> Package: wnpp
> Severity: wishlist
> Owner: Amit 
>
> * Package name: locker
>   Version : 0.0~git20200313.1210f0e-1
>   Upstream Author : amit
> * URL : https://www.gitlab.com/amit-yuval/locker
> * License : Apache-2.0
>   Programming Lang: Go
>   Description : Container

please include a description that explains what the package is for.

Thanks,

Carsten

Bug#954971: should not try to send a traceback in production

2020-03-27 Thread Carsten Leonhardt 
Antoine Beaupré  writes:

>> Could you explain how you would want this improved?
>
> I would prefer that no email is sent at all, or have that
> configurable. I would prefer, in fact, that TRACEBACK is disabled at
> compile time, unless the debugging symbols are shipped.

At compile time we can't know if debugging symbols will be available
later, as they are installable anytime from the -dbgsym packages.

What would be possible is to adapt the script "btraceback" to not send
the email if so requested by some mechanism. I don't think embedding a
parser for the configuration file in the script would make sense, it
would need to be something simple like checking the existence of a file
"/etc/bacula/no_tracebacks_please".


I'm curious though to understand your motivation for not wanting the
emails, would you care to explain?

Best regards,

Carsten

Bug#954971: should not try to send a traceback in production

2020-03-26 Thread Carsten Leonhardt 
Hi Antoine,

> Bacula seems to be configured to unconditionnally send a backtrace
> when it crashes. The TRACEBACK define seems to be unconditionnally set
> in `version.h`, regardless of any configuration flag. (Same with
> DEBUG, by the way.)
>
> Production software should require us to ship with debugging
> symbols. If it fails and crashes and burn, it should send a proper,
> actionable, error message instead of going crazy.

the crash you see happens after clear error messages are given, see the
transcript at the end. Even if not run in the foreground, clear error
messages are sent to syslog.

It's neither required to have debugging symbols installed nor to have
gdb installed. The report will just be less useful for debugging
purposes. Usually an email is generated when a crash happens, whatever
the exact content is, it does alert the admin to the fact that there is
a problem.

Could you explain how you would want this improved?

Regards,

Carsten



# /usr/sbin/bacula-fd -f -c /etc/bacula/bacula-fd.conf
cixi: Warning: Cannot bind port 22: ERR=Address already in use: Retrying ...
cixi: ABORTING due to ERROR in bnet_server.c:132
Cannot bind port 22: ERR=Address already in use.
26-Mar 19:59 cixi: ABORTING due to ERROR in bnet_server.c:132
Cannot bind port 22: ERR=Address already in use.
Bacula interrupted by signal 11: Segmentation violation
Kaboom! bacula-fd, cixi got signal 11 - Segmentation violation at 26-Mar-2020 
19:59:48. Attempting traceback.
Kaboom! exepath=/usr/sbin/
Calling: /usr/sbin/btraceback /usr/sbin/bacula-fd 4576 /var/lib/bacula
It looks like the traceback worked...
LockDump: /var/lib/bacula/bacula.4576.traceback
cixi: lockmgr.c:1221-0 lockmgr disabled
free(): invalid next size (fast)

Bug#949366: bacula-fd: bacula-rd crashes if can't bind to port

2020-03-26 Thread Carsten Leonhardt 
Control: forwarded -1 https://bugs.bacula.org/view.php?id=2528

Hi Lukas,

> bacula-fd crashes with SIGSEGV if it can't bind to the configure port on the 
> configured network interface.

thanks for your report, I've forwarded it upstream.

Out of curiosity: the standard port 9102 is registered with IANA for use
with bacula-fd. What is conflicting with it?

Regards,

Carsten

Bug#953030: bacula-sd.postinst fails on systems with protected_regular=2 enabled

2020-03-03 Thread Carsten Leonhardt 
Control: tag -1 pending

Hi,

> bacula-sd.postinst currently uses mktemp, chowns to bacula.bacula, and
> then attempts to write to the temporary file using a shell redirection.
>
> If a system has /proc/sys/fs/protected_regular set to 2, then this
> fails[1].

thanks for the patch. I've commited a change to our git repository based
on it. For consistency I changed the order in similar postinst files
too.

Regards,

Carsten

Bug#662942: New upstream version and new upstream location

2020-01-09 Thread Carsten Leonhardt 
Hi,

the upstream project is now located at:

https://github.com/chaos/powerman

and the latest version is 2.3.25 at the moment.

The next person to upload this package should update the location.

 - Carsten

Bug#930931: /usr/sbin/btape: btape crashes on "fill" test with kernel panic

2020-01-07 Thread Carsten Leonhardt 
Hi,

Sebastian Suchanek  writes:

> Update 2019-12-08:

I've forwarded your additional information to upstream's bug tracker:

https://bugs.bacula.org/view.php?id=2480

 - Carsten

Bug#945990: RM: inosync -- ROM; Dead upstream, Python 2

2019-12-02 Thread Carsten Leonhardt 
Package: ftp.debian.org
Severity: normal

Please remove the package "inosync", upstream is dead and it's still
using python 2.

Thanks.

Bug#931610: stretch-pu: package pound/2.7-1.3+deb9u1

2019-08-22 Thread Carsten Leonhardt 
Control: tags -1 - confirmed

Hi Adam,

> On Sat, 2019-07-13 at 12:36 +0200, Carsten Leonhardt wrote:
>> Control: tags -1 - moreinfo
>> 
>> Hi,
>> 
>> attached is a new debdiff, the only change is that I removed some
>> cruft
>> from the "Origin" field in the patch metadata.
>> 
>> I've deployed this version on live servers this morning and tested
>> them.
>> 
>
> Please go ahead; thanks.

longer testing revealed a regression (CPU load built up slowly, finally
reaching 100%).

I found a fix and have applied it, the fixed version is running on live
servers since at least a week now, without a sign of abnormal CPU load.

To see just the fix:

https://salsa.debian.org/debian/pound/commit/bdd20196df7ff52f65c57c83c1ae5a56e74bca03

A full debdiff is attached.

Sorry for the complication, I should have written earlier.

Regards,

Carsten

diff -Nru pound-2.7/debian/changelog pound-2.7/debian/changelog
--- pound-2.7/debian/changelog	2017-02-19 14:13:02.0 +
+++ pound-2.7/debian/changelog	2019-07-07 21:44:04.0 +
@@ -1,3 +1,10 @@
+pound (2.7-1.3+deb9u1) stretch; urgency=medium
+
+  * Fix request smuggling via crafted headers, CVE-2016-10711
+(Closes: #888786).
+
+ -- Carsten Leonhardt   Sun, 07 Jul 2019 23:44:04 +0200
+
 pound (2.7-1.3) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru pound-2.7/debian/patches/0003-CVE-2016-1071.patch pound-2.7/debian/patches/0003-CVE-2016-1071.patch
--- pound-2.7/debian/patches/0003-CVE-2016-1071.patch	1970-01-01 00:00:00.0 +
+++ pound-2.7/debian/patches/0003-CVE-2016-1071.patch	2019-07-07 21:44:04.0 +
@@ -0,0 +1,210 @@
+Description: Backport fix for CVE-2016-10711
+Author: Robert Segall
+Origin: upstream, http://www.apsis.ch/pound/Pound-2.8a.tgz
+Last-Update: 2019-07-07
+--- a/http.c
 b/http.c
+@@ -31,7 +31,8 @@
+ static char *h500 = "500 Internal Server Error",
+ *h501 = "501 Not Implemented",
+ *h503 = "503 Service Unavailable",
+-*h414 = "414 Request URI too long";
++*h414 = "414 Request URI too long",
++*h400 = "Bad Request";
+ 
+ static char *err_response = "HTTP/1.0 %s\r\nContent-Type: text/html\r\nContent-Length: %d\r\nExpires: now\r\nPragma: no-cache\r\nCache-control: no-cache,no-store\r\n\r\n%s";
+ 
+@@ -83,7 +84,7 @@
+ safe_url, safe_url);
+ snprintf(rep, sizeof(rep),
+ "HTTP/1.0 %d %s\r\nLocation: %s\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n",
+-code, code_msg, safe_url, strlen(cont));
++code, code_msg, safe_url, (int)strlen(cont));
+ BIO_write(c, rep, strlen(rep));
+ BIO_write(c, cont, strlen(cont));
+ BIO_flush(c);
+@@ -126,11 +127,11 @@
+ get_line(BIO *const in, char *const buf, const int bufsize)
+ {
+ chartmp;
+-int i, n_read;
++int i, n_read, seen_cr;
+ 
+ memset(buf, 0, bufsize);
+-for(n_read = 0;;)
+-switch(BIO_gets(in, buf + n_read, bufsize - n_read - 1)) {
++for(i = 0, seen_cr = 0; i < bufsize - 1; i++)
++switch(BIO_read(in, , 1)) {
+ case -2:
+ /* BIO_gets not implemented */
+ return -1;
+@@ -138,24 +139,49 @@
+ case -1:
+ return 1;
+ default:
+-for(i = n_read; i < bufsize && buf[i]; i++)
+-if(buf[i] == '\n' || buf[i] == '\r') {
+-buf[i] = '\0';
++if(seen_cr)
++if(tmp != '\n') {
++/* we have CR not followed by NL */
++do {
++if(BIO_read(in, , 1) < 0)
++return 1;
++} while(tmp != '\n');
++return 1;
++} else {
++buf[i - 1] = '\0';
+ return 0;
+ }
+-if(i < bufsize) {
+-n_read = i;
++
++if(!iscntrl(tmp) || tmp == '\t') {
++buf[i] = tmp;
++continue;
++}
++
++if(tmp == '\r') {
++seen_cr = 1;
+ continue;
+ }
+-logmsg(LOG_NOTICE, "(%lx) line too long: %s", pthread_self(), buf);
+-/* skip rest of "line" */
+-tmp = '\0';
+-while(tmp != '\n')
+-if(BIO_read(in, , 1) != 1)
++
++if(tmp == '\n') {
++/* line ends in NL only (no CR) */
++buf[i] = 0;
++return 0;
++}
++
++/* all other control characters cause an error */
++do {
++if(BIO_read(in, , 1) < 0)
+ return 1;
+-break;
++} while(tmp != '\n');
++return 1;
+ }
+-r

Bug#930931: /usr/sbin/btape: btape crashes on "fill" test with segmentation fault

2019-07-13 Thread Carsten Leonhardt 
Control: tag -1 + upstream
Control: forwarded -1 https://bugs.bacula.org/view.php?id=2480

Hi Sebastian,

thank you for your bug report.

Because this is an upstream issue, I've forwarded it to the Bacula bug
tracker at https://bugs.bacula.org/view.php?id=2480. To view it, you can
log in with user and password "anonymous". In case you want to add
comments there yourself, you need to create a login.

Regards,

Carsten

Bug#931610: stretch-pu: package pound/2.7-1.3+deb9u1

2019-07-13 Thread Carsten Leonhardt 
Control: tags -1 - moreinfo

Hi,

attached is a new debdiff, the only change is that I removed some cruft
from the "Origin" field in the patch metadata.

I've deployed this version on live servers this morning and tested them.

Also, the bug is now fixed in sid.

Regards,

Carsten

diff -Nru pound-2.7/debian/changelog pound-2.7/debian/changelog
--- pound-2.7/debian/changelog	2017-02-19 14:13:02.0 +
+++ pound-2.7/debian/changelog	2019-07-07 21:44:04.0 +
@@ -1,3 +1,10 @@
+pound (2.7-1.3+deb9u1) stretch; urgency=medium
+
+  * Fix request smuggling via crafted headers, CVE-2016-10711
+(Closes: #888786).
+
+ -- Carsten Leonhardt   Sun, 07 Jul 2019 23:44:04 +0200
+
 pound (2.7-1.3) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru pound-2.7/debian/patches/0003-CVE-2016-1071.patch pound-2.7/debian/patches/0003-CVE-2016-1071.patch
--- pound-2.7/debian/patches/0003-CVE-2016-1071.patch	1970-01-01 00:00:00.0 +
+++ pound-2.7/debian/patches/0003-CVE-2016-1071.patch	2019-07-07 21:44:04.0 +
@@ -0,0 +1,210 @@
+Description: Backport fix for CVE-2016-10711
+Author: Robert Segall
+Origin: upstream, http://www.apsis.ch/pound/Pound-2.8a.tgz
+Last-Update: 2019-07-07
+--- a/http.c
 b/http.c
+@@ -31,7 +31,8 @@
+ static char *h500 = "500 Internal Server Error",
+ *h501 = "501 Not Implemented",
+ *h503 = "503 Service Unavailable",
+-*h414 = "414 Request URI too long";
++*h414 = "414 Request URI too long",
++*h400 = "Bad Request";
+ 
+ static char *err_response = "HTTP/1.0 %s\r\nContent-Type: text/html\r\nContent-Length: %d\r\nExpires: now\r\nPragma: no-cache\r\nCache-control: no-cache,no-store\r\n\r\n%s";
+ 
+@@ -83,7 +84,7 @@
+ safe_url, safe_url);
+ snprintf(rep, sizeof(rep),
+ "HTTP/1.0 %d %s\r\nLocation: %s\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n",
+-code, code_msg, safe_url, strlen(cont));
++code, code_msg, safe_url, (int)strlen(cont));
+ BIO_write(c, rep, strlen(rep));
+ BIO_write(c, cont, strlen(cont));
+ BIO_flush(c);
+@@ -126,11 +127,11 @@
+ get_line(BIO *const in, char *const buf, const int bufsize)
+ {
+ chartmp;
+-int i, n_read;
++int i, n_read, seen_cr;
+ 
+ memset(buf, 0, bufsize);
+-for(n_read = 0;;)
+-switch(BIO_gets(in, buf + n_read, bufsize - n_read - 1)) {
++for(i = 0, seen_cr = 0; i < bufsize - 1; i++)
++switch(BIO_read(in, , 1)) {
+ case -2:
+ /* BIO_gets not implemented */
+ return -1;
+@@ -138,24 +139,49 @@
+ case -1:
+ return 1;
+ default:
+-for(i = n_read; i < bufsize && buf[i]; i++)
+-if(buf[i] == '\n' || buf[i] == '\r') {
+-buf[i] = '\0';
++if(seen_cr)
++if(tmp != '\n') {
++/* we have CR not followed by NL */
++do {
++if(BIO_read(in, , 1) < 0)
++return 1;
++} while(tmp != '\n');
++return 1;
++} else {
++buf[i - 1] = '\0';
+ return 0;
+ }
+-if(i < bufsize) {
+-n_read = i;
++
++if(!iscntrl(tmp) || tmp == '\t') {
++buf[i] = tmp;
++continue;
++}
++
++if(tmp == '\r') {
++seen_cr = 1;
+ continue;
+ }
+-logmsg(LOG_NOTICE, "(%lx) line too long: %s", pthread_self(), buf);
+-/* skip rest of "line" */
+-tmp = '\0';
+-while(tmp != '\n')
+-if(BIO_read(in, , 1) != 1)
++
++if(tmp == '\n') {
++/* line ends in NL only (no CR) */
++buf[i] = 0;
++return 0;
++}
++
++/* all other control characters cause an error */
++do {
++if(BIO_read(in, , 1) < 0)
+ return 1;
+-break;
++} while(tmp != '\n');
++return 1;
+ }
+-return 0;
++
++/* line too long */
++do {
++if(BIO_read(in, , 1) < 0)
++return 1;
++} while(tmp != '\n');
++return 1;
+ }
+ 
+ /*
+@@ -393,22 +419,16 @@
+ 
+ /* HTTP/1.1 allows leading CRLF */
+ memset(buf, 0, MAXBUF);
+-while((res = BIO_gets(in, buf, MAXBUF - 1)) > 0) {
+-has_eol = strip_eol(buf);
++while((res = get_line(in, buf, MAXBUF)) == 0)
+ if(buf[0])
+ break;
+-}
+ 
+-if(res <= 0) {
++if(res < 0) {
+ /* this is expected to occur only on client reads */
+ /* logmsg(LOG_NOTICE, "headers: bad starting

Bug#931743: developers-reference: Improve documentation for stable updates (5.5.1)

2019-07-09 Thread Carsten Leonhardt 
Package: developers-reference
Version: 3.4.25
Severity: normal

It would be helpful if chapter 5.5.1 would include more information,
especially either explicitly the update criteria that can be found in
the message below or a link/reference leading there.

https://lists.debian.org/debian-devel-announce/2018/04/msg7.html
(linked from https://release.debian.org )

Making these criteria more accessible would probably also reduce the
workload of the release-team.

Regards,

Carsten

Bug#931610: stretch-pu: package pound/2.7-1.3+deb9u1

2019-07-08 Thread Carsten Leonhardt 
Control: tags -1 - moreinfo

> On 2019-07-08 09:40, Carsten Leonhardt wrote:
>> pound is affected by non-dsa CVE-2016-10711.
>
> The metadata for #888786 indicates that the issue affects the package
> in unstable, and is not yet fixed there. Is that correct?

No, the package was removed from unstable. I reintroduced it only in
experimental so far.

Regards,

Carsten

Bug#931610: stretch-pu: package pound/2.7-1.3+deb9u1

2019-07-08 Thread Carsten Leonhardt 
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

pound is affected by non-dsa CVE-2016-10711. 

Attached is the diff, backported from pound 2.8a, same as the
diff being used by SUSE.
(c.f. https://security-tracker.debian.org/tracker/CVE-2016-10711 )

Thanks!

diff --git a/debian/changelog b/debian/changelog
index d5946a9..d59d80c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+pound (2.7-1.3+deb9u1) stretch; urgency=medium
+
+  * Fix request smuggling via crafted headers, CVE-2016-10711
+(Closes: #888786).
+
+ -- Carsten Leonhardt   Sun, 07 Jul 2019 23:44:04 +0200
+
 pound (2.7-1.3) unstable; urgency=medium
 
   * Non-maintainer upload.
diff --git a/debian/patches/0003-CVE-2016-1071.patch b/debian/patches/0003-CVE-2016-1071.patch
new file mode 100644
index 000..09da940
--- /dev/null
+++ b/debian/patches/0003-CVE-2016-1071.patch
@@ -0,0 +1,210 @@
+Description: Backport fix for CVE-2016-10711
+Author: Robert Segall
+Origin: upstream, http://www.apsis.ch/pound/Pound-2.8a.tgz
+Last-Update: 2019-07-07
+--- a/http.c
 b/http.c
+@@ -31,7 +31,8 @@
+ static char *h500 = "500 Internal Server Error",
+ *h501 = "501 Not Implemented",
+ *h503 = "503 Service Unavailable",
+-*h414 = "414 Request URI too long";
++*h414 = "414 Request URI too long",
++*h400 = "Bad Request";
+ 
+ static char *err_response = "HTTP/1.0 %s\r\nContent-Type: text/html\r\nContent-Length: %d\r\nExpires: now\r\nPragma: no-cache\r\nCache-control: no-cache,no-store\r\n\r\n%s";
+ 
+@@ -83,7 +84,7 @@
+ safe_url, safe_url);
+ snprintf(rep, sizeof(rep),
+ "HTTP/1.0 %d %s\r\nLocation: %s\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n",
+-code, code_msg, safe_url, strlen(cont));
++code, code_msg, safe_url, (int)strlen(cont));
+ BIO_write(c, rep, strlen(rep));
+ BIO_write(c, cont, strlen(cont));
+ BIO_flush(c);
+@@ -126,11 +127,11 @@
+ get_line(BIO *const in, char *const buf, const int bufsize)
+ {
+ chartmp;
+-int i, n_read;
++int i, n_read, seen_cr;
+ 
+ memset(buf, 0, bufsize);
+-for(n_read = 0;;)
+-switch(BIO_gets(in, buf + n_read, bufsize - n_read - 1)) {
++for(i = 0, seen_cr = 0; i < bufsize - 1; i++)
++switch(BIO_read(in, , 1)) {
+ case -2:
+ /* BIO_gets not implemented */
+ return -1;
+@@ -138,24 +139,49 @@
+ case -1:
+ return 1;
+ default:
+-for(i = n_read; i < bufsize && buf[i]; i++)
+-if(buf[i] == '\n' || buf[i] == '\r') {
+-buf[i] = '\0';
++if(seen_cr)
++if(tmp != '\n') {
++/* we have CR not followed by NL */
++do {
++if(BIO_read(in, , 1) < 0)
++return 1;
++} while(tmp != '\n');
++return 1;
++} else {
++buf[i - 1] = '\0';
+ return 0;
+ }
+-if(i < bufsize) {
+-n_read = i;
++
++if(!iscntrl(tmp) || tmp == '\t') {
++buf[i] = tmp;
++continue;
++}
++
++if(tmp == '\r') {
++seen_cr = 1;
+ continue;
+ }
+-logmsg(LOG_NOTICE, "(%lx) line too long: %s", pthread_self(), buf);
+-/* skip rest of "line" */
+-tmp = '\0';
+-while(tmp != '\n')
+-if(BIO_read(in, , 1) != 1)
++
++if(tmp == '\n') {
++/* line ends in NL only (no CR) */
++buf[i] = 0;
++return 0;
++}
++
++/* all other control characters cause an error */
++do {
++if(BIO_read(in, , 1) < 0)
+ return 1;
+-break;
++} while(tmp != '\n');
++return 1;
+ }
+-return 0;
++
++/* line too long */
++do {
++if(BIO_read(in, , 1) < 0)
++return 1;
++} while(tmp != '\n');
++return 1;
+ }
+ 
+ /*
+@@ -393,22 +419,16 @@
+ 
+ /* HTTP/1.1 allows leading CRLF */
+ memset(buf, 0, MAXBUF);
+-while((res = BIO_gets(in, buf, MAXBUF - 1)) > 0) {
+-has_eol = strip_eol(buf);
++while((res = get_line(in, buf, MAXBUF)) == 0)
+ if(buf[0])
+ break;
+-}
+ 
+-if(res <= 0) {
++if(res < 0) {
+ /* this is expected to occur only on client reads */
+ /* logmsg(LOG_NOTICE, "headers: bad starting read"); */
+ return NULL;
+-} else if(!has_eol) {
+-/* check for request length limit */
+-lo

Bug#931328: RFA: inosync -- notification-based directory synchronization daemon

2019-07-01 Thread Carsten Leonhardt 
Package: wnpp
Severity: normal

I request an adopter for the inosync package. It is written in
Python 2 and the original upstream maintainer hasn't been active in
more than four years. If nobody picks this package up, it will
probably be removed when Python 2 will be removed.

The package description is:
 The inosync daemon uses the inotify service available in recent Linux
 kernels to monitor and synchronize changes within directories to
 remote nodes using rsync.
 .
 System administrators have relied on cron+rsync for years to
 constantly synchronize files and directories to remote machines. It
 is not feasible to let authors wait for their content to get
 synchronized every x hours with regard to the enormous pace of
 articles and podcasts nowadays.

Bug#923444: bacula: autopkgtest regressed in buster

2019-03-08 Thread Carsten Leonhardt 
Hi all,

Paul Gevers  writes:

>> Or are we trying to fix a problem at the whole wrong level?
>
> I am not sure about the answer. If anybody has the time and energy,
> maybe they can check with the dpkg maintainers if they are aware of the
> situation and if that is intentional. Maybe they consider this issue
> something they can (and should) fix.

I encountered a solution to a problem that might be similar.

While installing an apache module, I got the message:

"Package apache2 is not configured yet. Will defer actions by package xyz."

It's source is:

https://salsa.debian.org/apache-team/apache2/blob/master/debian/debhelper/apache2-maintscript-helper#L80

Maybe there's something to be learned from there?

(I don't have time to have a closer look in the next days, so putting it
into the bug report to not have it forgotten.)

Regards,

Carsten

Bug#923511: [pkg-bacula-devel] Bug#923511: make_catalog_backup.pl doesn't sanitize $args{db_name}

2019-03-03 Thread Carsten Leonhardt 
Control: tags -1 upstream
Control: forwarded -1 https://bugs.bacula.org/view.php?id=2458

Hi Sergio,

> /etc/bacula/scripts/make_catalog_backup.pl uses a temporary file with a name
> based on $args{db_name}. This fails if the database name contains / 
> characters,
> as it well might if it is a URI like
> postgresql://host/db?sslmode=verify-full=/etc/ssl/certs/host-ca.crt

I've written a patch to base the filename on the catalog name as you
suggested (although I'm not good at perl), but the script
"delete_catalog_backup" needs to be changed too.

I've submitted your bug report upstream.

Regards,

Carsten

--- make_catalog_backup-orig.pl	2018-09-22 20:24:38.0 +0200
+++ make_catalog_backup.pl	2019-03-03 12:48:04.217637851 +0100
@@ -30,11 +30,15 @@
 my $dir_conf='/usr/sbin/dbcheck -B -c /etc/bacula/bacula-dir.conf';
 my $wd = "/var/lib/bacula";
 
+# sanitize catalog name for use as filename
+my $dump_filename = $cat;
+$dump_filename =~ s/[^A-Za-z0-9_\-]//g;
+
 sub dump_sqlite3
 {
 my %args = @_;
 
-exec("echo .dump | sqlite3 '$wd/$args{db_name}.db' > '$wd/$args{db_name}.sql'");
+exec("echo .dump | sqlite3 '$wd/$args{db_name}.db' > '$wd/$dump_filename.sql'");
 print "Error while executing sqlite dump $!\n";
 return 1;
 }
@@ -69,7 +73,7 @@
 {
 my %args = @_;
 setup_env_pgsql(%args);
-exec("HOME='$wd' pg_dump -c > '$wd/$args{db_name}.sql'");
+exec("HOME='$wd' pg_dump -c > '$wd/$dump_filename.sql'");
 print "Error while executing postgres dump $!\n";
 return 1;   # in case of error
 }
@@ -117,7 +121,7 @@
 my %args = @_;
 
 setup_env_mysql(%args);
-exec("HOME='$wd' mysqldump -f --opt $args{db_name} > '$wd/$args{db_name}.sql'");
+exec("HOME='$wd' mysqldump -f --opt $args{db_name} > '$wd/$dump_filename.sql'");
 print "Error while executing mysql dump $!\n";
 return 1;
 }

Bug#923444: bacula: autopkgtest regressed in buster

2019-03-03 Thread Carsten Leonhardt 
Hi Paul,

Paul Gevers  writes:

> On 02-03-2019 15:34, Carsten Leonhardt wrote:
>> maybe using a trigger can help us:
>
> This sounds like an idea we should try to implement in dbconfig-common,
> to enable other packages to benefit from it as well. If done, this is
> for after buster release though.

I already found that we're not the first to run into this problem.

>> In bacula-director-psql/mysql postinst, pseudo code:
>> 
>> 1 if (database server is being installed in the same run)
>> 2   then (install trigger to postpone database setup)
>> 3   else (setup database now)
>> 4 if triggered: (setup database now)
>>
>> Thoughts/explanations:
>> Step 1: I haven't researched yet if it's possible to reliably detect
>> that
>> Step 3: set up now as we won't get triggered later
>> Step 4: But what to trigger on exactly? 
>
> Why not delay configuration until the end in all cases? I don't like the
> added complexity much, unless it has real value.

I haven't used triggers yet so I'm not aware of all the details. If we
can be sure that the setup will be executed even when no local database
server will be installed because a remote server is used, then I'm all
for doing it at the end.

>> An simple but stupid and unelegant alternative would be to generate meta
>> packages "bacula-director-local-psql/mysql" that _depend_ on the database
>> server packages.
>
> I rather propose that we accept the current regression of the bacula
> autopkgtest and we fix the situation properly (in autopkgtest and/or
> dbconfig-common) after the buster release. Can you live with that?

Yes, we can live with that as long as the CI-people can, as Sven
already said.

Would you like me to file a wishlist bug against dbconfig-common?

 - Carsten

Bug#923444: bacula: autopkgtest regressed in buster

2019-03-02 Thread Carsten Leonhardt 
Hi,

maybe using a trigger can help us:

In bacula-director-psql/mysql postinst, pseudo code:

1 if (database server is being installed in the same run)
2   then (install trigger to postpone database setup)
3   else (setup database now)
4 if triggered: (setup database now)

Thoughts/explanations:
Step 1: I haven't researched yet if it's possible to reliably detect
that
Step 3: set up now as we won't get triggered later
Step 4: But what to trigger on exactly? 


An simple but stupid and unelegant alternative would be to generate meta
packages "bacula-director-local-psql/mysql" that _depend_ on the database
server packages.

 - Carsten

Bug#923444: [pkg-bacula-devel] Bug#923444: bacula: autopkgtest regressed in buster

2019-02-28 Thread Carsten Leonhardt 
Hi Paul,

> Somewhere on 2019-02-26 your package bacula started to fail its
> autopkgtest in testing/buster (it started failing in unstable somewhere
> between 23 and 25 February).

thanks for your research. The autopkgtests work in Gitlab's CI, so I
guess there must be some difference in the test environment.

We'll investigate.

Regards,

Carsten

Bug#920519: ITA: mtx -- controls tape autochangers

2019-02-27 Thread Carsten Leonhardt 
Control: retitle -1 ITA: mtx -- controls tape autochangers

I'm going to adopt mtx, probably as part of the Bacula packaging team.

Bug#922025: latex2html: -prefix option broken with math formulas

2019-02-11 Thread Carsten Leonhardt 
Control: tags -1 +upstream +confirmed

Hi Sébastien,

> The -prefix option of latex2html is broken. I attach a minimal LaTeX file
> (foo.tex), to replicate the problem. If I run:

I've forwarded the report to the upstream Author.

Regards,

Carsten

Bug#921076: ITP: pound -- reverse proxy, load balancer and HTTPS front-end for Web servers

2019-02-01 Thread Carsten Leonhardt 
Package: wnpp
Severity: wishlist
Owner: Carsten Leonhardt 

* Package name: pound
  Version : 2.8
  Upstream Author : Robert Segall
* URL : http://www.apsis.ch/pound/
* License : GPL with OpenSSL exemption
  Programming Lang: C
  Description : reverse proxy, load balancer and HTTPS front-end for Web 
servers

Pound was developed to enable distributing the load among several
Web-servers and to allow for a convenient SSL wrapper for those Web
servers that do not offer it natively. Pound can also issue HTTP
redirects.


This is to reintroduce pound into the archive after it had been
removed in February 2018. The problem had been that it didn't build
with OpenSSL 1.1, but patches exist now.

If the previous maintainer (Cc'ed) is still interested, I suggest a
co-maintainership.

Bug#918951: ipv6calc: Please add a package for mod_ipv6calc

2019-01-10 Thread Carsten Leonhardt 
Source: ipv6calc
Severity: wishlist

Dear maintainer,

Please consider adding a package containing mod_ipv6calc.

(Please also consider enhancing the existing package description so that
searching for a tool to anonymize IP addresses, ipv6loganon can be found
more easily)

Thanks,

Carsten

Bug#917654: texlive-latex-base: xr.sty v5.03 causes bacula-doc to FTBFS

2019-01-05 Thread Carsten Leonhardt 
Dear texlive-maintainers,

please update texlive-latex-base to include the newest version of xr
(v5.04), the current version (v5.03) causes bacula-doc to FTBFS.

Regards,

Carsten

Bug#915831: zfsutils-linux: Upgrading to 0.7.12 breaks during dpkg --configure

2019-01-05 Thread Carsten Leonhardt 
Hi,

Chris Zubrzycki  writes:

> Here is the fix, or you can move zfs-share to zfs-zed for some reason:

I can confirm this patch works.


Aron Xu  writes:

> I'm temped to not ship init.d scripts for Buster if there is any
> important issue open when freeze approaches (e.g. bug #915831).

Please let's just stick to fixing bugs instead of introducing new ones
(c.f. policy 9.11.).

Best Regards,

Carsten

Bug#917654: bacula-doc: FTBFS (LaTeX Error: Missing begin{document})

2018-12-29 Thread Carsten Leonhardt 
Control: merge 917654 917735

Hi,

I'm sorry for having used your time by not reporting this myself. As far
as I can say, one of the last TeX updates introduced this FTBFS. I have
yet to find the exact cause.

Regards,

Carsten

Bug#916197: libpaper1: postrm fails, uses ucf unconditionally

2018-12-11 Thread Carsten Leonhardt 
Package: libpaper1
Version: 1.1.25
Severity: serious

Dear Maintainer,

the postrm fails because it uses ucf unconditionally. When executing the
postrm, dependencies are not guaranteed to be installed.

Please see /usr/share/doc/ucf/examples/postrm on how to do it corretly.

See also https://piuparts.debian.org/sid/fail/libpaper1_1.1.25.log

Regards,

Carsten

Bug#840388: fusedav non-functional

2018-11-30 Thread Carsten Leonhardt 
Control: severity -1 grave

This software appears to be non-functional. A tcpdump confirms that no
network traffic between the client and the server is being generated.

Tested on a current Debian 8.11. Only the fuse debug option makes it
emit something.

# fusedav -D -t 10 -o debug  -u username -p password https://webdav/path /mnt
FUSE library version: 2.9.3
nullpath_ok: 0
nopath: 0
utime_omit_ok: 0
unique: 1, opcode: INIT (26), nodeid: 0, insize: 56, pid: 0
INIT: 7.23
flags=0x0003fffb
max_readahead=0x0002
   INIT: 7.19
   flags=0x0010
   max_readahead=0x0002
   max_write=0x0002
   max_background=0
   congestion_threshold=0
   unique: 1, success, outsize: 40
^C*** Caught signal ***
Exiting cleanly.

Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6

2018-11-28 Thread Carsten Leonhardt 
Hi,

is there a chance the fixed package will be accepted?

Maybe you would prefer separate fixes for the two problems?

Regards,

Carsten

Bug#914254: bacula: fails to restore properly

2018-11-20 Thread Carsten Leonhardt 
Package: src:bacula
Version: 9.2.2-1
Severity: serious

On 20.11.18 21:59, Sven Hartge wrote:

[...] when "-u root -g root -k" is set, even though the process runs as
root, it doesn't have the proper capabilities anymore.

Bug#913825: bacula: FTBFS on mips and mipsel

2018-11-15 Thread Carsten Leonhardt 
Package: src:bacula
Version: 9.2.2-1
Severity: serious

postgresql-server-dev-11 depends on clang-7, this depends on
libclang-common-7-dev and this contains 64bit libraries which makes it
in turn depends on other 64bit libraries.

Hence the "if test -d /usr/lib64" in db.m4 
https://sources.debian.org/src/bacula/9.2.2-1/autoconf/bacula-macros/db.m4/#L288-L294
succeeds, leading to

/usr/bin/g++  -fPIC -DPIC -shared -nostdlib 
/usr/lib/gcc/mipsel-linux-gnu/8/../../../mipsel-linux-gnu/crti.o 
/usr/lib/gcc/mipsel-linux-gnu/8/crtbeginS.o  .libs/sqlite.o   -L/usr/lib64 
/usr/lib/mipsel-linux-gnu/libsqlite3.so -L/usr/lib/gcc/mipsel-linux-gnu/8 
-L/usr/lib/gcc/mipsel-linux-gnu/8/../../../mipsel-linux-gnu 
-L/usr/lib/gcc/mipsel-linux-gnu/8/../../../../lib -L/lib/mipsel-linux-gnu 
-L/lib/../lib -L/usr/lib/mipsel-linux-gnu -L/usr/lib/../lib 
-L/usr/lib/gcc/mipsel-linux-gnu/8/../../.. -lstdc++ -lm -lc -lgcc_s 
/usr/lib/gcc/mipsel-linux-gnu/8/crtendS.o 
/usr/lib/gcc/mipsel-linux-gnu/8/../../../mipsel-linux-gnu/crtn.o  -Wl,-z 
-Wl,relro   -Wl,-soname -Wl,libbaccats-sqlite3-9.2.2.so -o 
.libs/libbaccats-sqlite3-9.2.2.so
/usr/bin/ld: /usr/lib64/libgcc_s.so.1: error adding symbols: file in wrong 
format

Note the "-L/usr/lib64".

autoconf/bacula-macros/db.m4 needs to be fixed.

Bug#913795: lsof: new upstream version available

2018-11-15 Thread Carsten Leonhardt 
Package: lsof
Version: 4.89+dfsg-0.1
Severity: wishlist

Dear Maintainer,

there is a new upstream version available (4.91) from
http://www.mirrorservice.org/sites/lsof.itap.purdue.edu/pub/tools/unix/lsof/
or one of the other mirrors (see "mirrors" on the site).

Also you apparently have missed the alioth -> salsa migration.

Additionally, your own last upload was in 2009 which leads to the
question if you are still interested in maintaining the package. Do you
expect to put work into it, maybe even before the buster freeze? Or is
it time to orphan it?

Regards,

Carsten

Bug#837351: tar: FTBFS on kfreebsd: --numeric-owner basic tests FAILED

2018-11-14 Thread Carsten Leonhardt 
Control: tags -1 + patch

Hi,

at the moment it's difflink.at (test number 92) that is failing for
kFreeBSD.

The test assumes "ln -L" is default behaviour, which seems to be correct
on Linux, but not on BSD, where "ln -P" seems to be default (tested on
kFreeBSD, FreeBSD and OpenBSD).

The attached patch adds an explicit "-P" to make sure the correct link
is created.

Build tested successfully on kfreebsd-amd64.

Regards,

Carsten

commit a74558ec0a5f83f952663c706b95905a642fea63
Author: Carsten Leonhardt 
Date:   Wed Nov 14 18:39:37 2018 +0100

fix kfreebsd FTBS

diff --git a/debian/patches/fix-for-difflink.at-failure.diff b/debian/patches/fix-for-difflink.at-failure.diff
index 25f1549..471cdeb 100644
--- a/debian/patches/fix-for-difflink.at-failure.diff
+++ b/debian/patches/fix-for-difflink.at-failure.diff
@@ -5,8 +5,9 @@ index eadfb088..4e011760 100644
 @@ -21,7 +21,7 @@ mkdir a
  genfile -f a/x
  ln -s x a/y
- ln a/y a/z
+-ln a/y a/z
 -tar cf a.tar a
++ln -P a/y a/z
 +tar cf a.tar a/x a/y a/z
  rm a/z
  ln -s x a/z

Bug#911932: micro-httpd: new upstream version available

2018-10-26 Thread Carsten Leonhardt 
Package: micro-httpd
Version: 20051212-15.1
Severity: wishlist

There is a new upstream version available (20140814) from
http://www.acme.com/software/micro_httpd/

Bug#899306: latex2html: Some tables incorrectly translated

2018-10-20 Thread Carsten Leonhardt 
Control: reassign -1 latex2html 2015-debian1-1
Control: retitle -1 Some tables incorrectly translated

Translation of some tables seems broken.

For example, for the table

http://www.bacula.org/git/cgit.cgi/docs/tree/docs/manuals/en/main/table_runscriptshortcuts.tex

only the first column is translated and as second row a spurious "Â" is
displayed:

http://www.bacula.org/9.2.x-manuals/en/main/Configuring_Director.html#SECTION00193
(the table after the text "You can use these following shortcuts:")

Bug#826994: [Pkg-zfsonlinux-devel] Bug#826994: Bug#826994: Missing init-script(s)?

2018-10-17 Thread Carsten Leonhardt 
Aron Xu  writes:

> As said by "upstream", please have all the init scripts incorporated
> to upstream ZoL repository and I can enable them quickly. You can find
> that systemd support is shipped by upstream directly and we don't have
> Debian local changes. I don't want to apply a big patch introducing
> something not blessed by upstream, nor being actively used/tested
> myself.

Isn't this the upstream repository?

https://github.com/zfsonlinux/zfs/tree/master/etc/init.d

Did you look at Chris Dos' patch? It's quite small and as I wrote
earlier, only touches one upstream file, where you made a change for
systemd support too (because of the changed zed location).

Regards,

Carsten

Bug#826994: [Pkg-zfsonlinux-devel] Bug#826994: Missing init-script(s)?

2018-10-17 Thread Carsten Leonhardt 
Dear Aron,

> I'm not against LSB support, please make it upstream. I think this
> statement is clear enough.

Great. In that case, please apply the patch that's being maintained by
Chris Dos for quite some time now. You find it in this bug's history. It
doesn't touch upstream except in zfs-functions.in, and that's only
because the debian package modifies the install location of zed. The
init-scripts are in the upstream source already for a long time. Quite
probably longer than systemd support.

> Control: severity -1 wishlist
>
> Please don't ping-pong here by changing the severity again, wishlist
> is the final priority set for this bug.

Quote from "severity levels" section:

serious
is a severe violation of Debian policy (roughly, it violates a
"must" or "required" directive), or, in the package maintainer's or
release manager's opinion, makes the package unsuitable for release.


Regards,

Carsten

Bug#909788: rng-tools5: Missing init script

2018-10-16 Thread Carsten Leonhardt 
Control: severity -1 serious
Control: tags -1 + patch

Not shipping init scripts equivalent to the service files violates
policy 9.11, therefore the bug severity is serious.

I've now attached a patch.

diff -Nur rng-tools5-5/debian/changelog rng-tools5-5-patched/debian/changelog
--- rng-tools5-5/debian/changelog	2018-10-16 23:41:15.0 +0200
+++ rng-tools5-5-patched/debian/changelog	2018-10-16 23:47:35.85600 +0200
@@ -1,3 +1,10 @@
+rng-tools5 (5-4) unstable; urgency=low
+
+  [Carsten Leonhardt]
+  * Add init script. (Closes: #909788)
+
+ -- Carsten Leonhardt   Tue, 16 Oct 2018 23:45:50 +0200
+
 rng-tools5 (5-3) unstable; urgency=low
 
   * adds check so the daemon exits properly after receiving a
diff -Nur rng-tools5-5/debian/rngd.init rng-tools5-5-patched/debian/rngd.init
--- rng-tools5-5/debian/rngd.init	1970-01-01 01:00:00.0 +0100
+++ rng-tools5-5-patched/debian/rngd.init	2018-10-16 23:41:52.27200 +0200
@@ -0,0 +1,21 @@
+#!/bin/sh
+# kFreeBSD do not accept scripts as interpreters, using #!/bin/sh and sourcing.
+if [ true != "$INIT_D_SCRIPT_SOURCED" ] ; then
+set "$0" "$@"; INIT_D_SCRIPT_SOURCED=true . /lib/init/init-d-script
+fi
+### BEGIN INIT INFO
+# Provides:  rngd
+# Required-Start:$remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop:  0 1 6
+# Short-Description: entropy gathering daemon (rngd)
+# Description:   Check and feed random data from hardware device
+#to kernel random device
+
+### END INIT INFO
+
+# Author: Carsten Leonhardt 
+
+DESC="entropy gathering daemon"
+DAEMON=/usr/sbin/rngd

Bug#826994: Missing init-script(s)?

2018-10-16 Thread Carsten Leonhardt 
Control: severity -1 serious

Not shipping init scripts equivalent to the service files violates
policy 9.11, therefore the bug severity is serious.

Bug#909788: rng-tools5: Missing init script

2018-09-28 Thread Carsten Leonhardt 
Package: rng-tools5
Version: 5-1
Severity: important

Dear Maintainer,

the daemon doesn't start automatically because there's no init script
included.

I've attached a working example.

Regards,

Carsten

#!/bin/sh
# kFreeBSD do not accept scripts as interpreters, using #!/bin/sh and sourcing.
if [ true != "$INIT_D_SCRIPT_SOURCED" ] ; then
set "$0" "$@"; INIT_D_SCRIPT_SOURCED=true . /lib/init/init-d-script
fi
### BEGIN INIT INFO
# Provides:  rngd
# Required-Start:$remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop:  0 1 6
# Short-Description: entropy gathering daemon (rngd)
# Description:   Check and feed random data from hardware device
#to kernel random device

### END INIT INFO

# Author: Carsten Leonhardt 

DESC="entropy gathering daemon"
DAEMON=/usr/sbin/rngd

Bug#909460: Trouble with the sqlite3 upgrade path

2018-09-24 Thread Carsten Leonhardt 
Hi,

I found the source. Upstream commit
ac391519c8e4125db0662dea92e7550d95bd9a16 "Permit catalog to contain
negative FileIndexes", added shortly before the 9.2.1 release.

This makes me wonder about how these schema updates would reach people
that are already on db version 16. For us, we can fix that by adding yet
more manual snippets for dbconfig...


Sven Hartge wrote:

> Looking at the code, it seems we have to create a temp table with the
> new schema and then select everything from the old table into it, then
> removing the old table and finally renaming the temp table.
>
> Just like it was done with basefiles_temp.

Yes, when I read your mail I remembered having done that before...

I'll take care of this, but probably after fixing latex2html and
bacula-docs.

 - Carsten

Bug#909460: Trouble with the sqlite3 upgrade path

2018-09-24 Thread Carsten Leonhardt 
Source: bacula
Version: 9.2.1-1
Severity: serious

Hi,

according to piuparts:

  applying upgrade sql for 7.4.4+dfsg-6 -> 9.0.0.
  Error: near line 84: near "MODIFY": syntax error
  Error: near line 85: near "MODIFY": syntax error
  Error: near line 86: near "MODIFY": syntax error

https://piuparts.debian.org/stable2sid/fail/bacula-director-sqlite3_9.2.1-1.log

The version in stretch-backports contains the 9.0.0 update too but
stretch2bpo works ok.

 - Carsten

Bug#899306: bacula-doc: Broken table in HTML version

2018-05-22 Thread Carsten Leonhardt 
Package: bacula-doc
Version: 9.0.5-1
Severity: normal

The file "main.pdf" has a table in section "Configuring the Director",
subsection "The Job Resource", item "RunScript" after the text "You can
use these following shortcuts:" (currently on page 160).

This table is broken/incomplete in the HTML-version
(main/Configuring_Director.html).

I'm not sure yet if the problem is in bacula-doc or in latex2html.

Bug#869655: approx frequently FTBFS with test failures

2018-04-26 Thread Carsten Leonhardt 
On Tue, 25 Jul 2017 14:36:03 +0300 Adrian Bunk  wrote:
> Source: approx
> Version: 5.9-1
> Severity: serious
> 
> Not sure whether there's a pattern when it fails
> or whether tests fail randomly (and frequently):
> 
> https://buildd.debian.org/status/package.php?p=approx=sid
> https://tests.reproducible-builds.org/debian/history/approx.html
> https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/approx.html

I don't see build failures for current version 5.10-1 in any of the
referenced locations. Is there a reason to not close this bug?

 - Carsten

Bug#893591: e2fsprogs: circular build dependency block build on kfreebsd

2018-03-22 Thread Carsten Leonhardt 
"Theodore Y. Ts'o"  writes:

> On Wed, Mar 21, 2018 at 09:47:41AM +0100, Ansgar Burchardt wrote:

>> There no longer are any kfreebsd buildds, see
>> https://lists.debian.org/debian-bsd/2017/12/msg8.html
>
> Does that mean the kfreebsd port has been discontinued, and a whole
> bunch of dashboards and web/wikipages are out of date?

There are or have been people wanting to set up new buildds.

But the reality seems to be that the former core developers no longer
have time to work on kfreebsd and nobody else has stepped in so far.

Regards,

Carsten

Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6

2018-03-04 Thread Carsten Leonhardt 
Control: tags -1 - moreinfo

"Adam D. Barratt" <a...@adam-barratt.org.uk> writes:

> - --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
> + --oknodo --exec $DAEMON -- -g $BUSER -g $BGROUP -c $CONFIG
>
> The first of those "-g" is presumably supposed to be "-u". I realise
> this may seem a small point, but it does make me wonder how it wasn't
> caught in testing.

Thank you for your work and for catching this. A new version of the
patch is attached.

Regards,

Carsten

diff --git a/debian/bacula-common.preinst b/debian/bacula-common.preinst
index 056c2944..d0b323fa 100644
--- a/debian/bacula-common.preinst
+++ b/debian/bacula-common.preinst
@@ -12,6 +12,14 @@ case "$1" in
 			echo "Ok."
 		fi
 	;;
+	install|upgrade)
+		# purging bacula-director-common can mistakenly delete bacula-dir.conf
+		# neutralize the offending line in its postrm; see bug #880529 for details
+		if dpkg-query -l bacula-director-common > /dev/null 2>&1 && \
+		   [ -e /var/lib/dpkg/info/bacula-director-common.postrm ]; then
+			sed -i 's/rm -f $CONFFILE $CONFFILE.dist/#disabled: bug #880529# rm -f $CONFFILE $CONFFILE.dist/' /var/lib/dpkg/info/bacula-director-common.postrm
+		fi
+	;;
 esac
 
 # dh_installdeb will replace this with shell code automatically
diff --git a/debian/bacula-director.init b/debian/bacula-director.init
index 8ac7c36a..89cfbe65 100644
--- a/debian/bacula-director.init
+++ b/debian/bacula-director.init
@@ -67,7 +67,7 @@ do_start()
 {
 	if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then
 		start-stop-daemon --start --quiet --pidfile $PIDFILE \
-		--oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
+		--oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG
 		return 0
 	else
 		log_progress_msg "- the configtest"
diff --git a/debian/bacula-fd.init b/debian/bacula-fd.init
index 649b9cc1..698e4ea3 100644
--- a/debian/bacula-fd.init
+++ b/debian/bacula-fd.init
@@ -54,7 +54,7 @@ do_start()
 {
 	if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then
 		start-stop-daemon --start --quiet --pidfile $PIDFILE \
-		--oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
+		--oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG
 		return 0
 	else
 		log_progress_msg "- the configtest"
diff --git a/debian/bacula-sd.init b/debian/bacula-sd.init
index 47c3d07d..8559f335 100644
--- a/debian/bacula-sd.init
+++ b/debian/bacula-sd.init
@@ -51,9 +51,9 @@ PIDFILE=/run/bacula/$NAME.$PORT.pid
 
 do_start()
 {
-	if $DAEMON -g $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then
+	if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then
 		start-stop-daemon --start --quiet --pidfile $PIDFILE \
-		--oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
+		--oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG
 		return 0
 	else
 		log_progress_msg "- the configtest"
diff --git a/debian/changelog b/debian/changelog
index d0a4ac54..81b0627a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+bacula (7.4.4+dfsg-6+deb9u1) stretch; urgency=medium
+
+  [Sven Hartge]
+  * Let PID files be owned by root. Mitigates a minor security problem
+similar to CVE 2017-14610. Note that this change disables automatic
+tracebacks.
+
+  [Carsten Leonhardt]
+  * Added transitional package bacula-director-common, the old leftover
+package can't be safely purged otherwise (it deletes
+/etc/bacula/bacula-dir.conf in postrm which now belongs to the
+bacula-director package). For the case when the package
+    bacula-director-common is deinstalled but not purged, we neutralize
+the offending postrm script when upgrading bacula-common. (Closes:
+#880529)
+
+ -- Carsten Leonhardt <l...@debian.org>  Wed, 15 Nov 2017 22:55:15 +0100
+
 bacula (7.4.4+dfsg-6) unstable; urgency=medium
 
   [Sven Hartge]
diff --git a/debian/control b/debian/control
index 19418610..7c310185 100644
--- a/debian/control
+++ b/debian/control
@@ -357,3 +357,13 @@ Description: network backup service - Bacula Administration Tool
  .
  This GUI interface has been designed to ease restore operations as much as
  possible as compared to the basic text console.
+
+Package: bacula-director-common
+Section: oldlibs
+Architecture: any
+Pre-Depends: ${misc:Pre-Depends}
+Depends:
+ bacula-common (= ${binary:Version}),
+ ${misc:Depends}
+Description: transitional package
+ This is a transitional package. It can safely be removed.
diff --git a/debian/patches/non-forking-systemd-units.patch b/debian/patches/non-forking-systemd-units.patch
index 636c9153..03cdabd7 100644
--- a/debian/patches/non-forking-systemd-units.patch
+++ b/debian/patches/non-forking-systemd-units.patch
@@ -20,13 +20,13 @@ Author: Sven Hartge <s...@svenhartge.de>
 -PIDFile=@piddir@/bacula-dir.@dir_port@.pid
 -E

Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6

2018-02-26 Thread Carsten Leonhardt 
Hi,

here is a new version of the patch. I now additionally let
bacula-common.preinst check for the existence of
bacula-director-common.postrm and comment out the offending line if
found (first chunk in the diff). I chose to use bacula-common because it
is depended upon by all other bacula packages.

I've also amended the text in the changelog, otherwise the rest of the
patch is the same as the previous version.

The patch is also viewable at 
https://salsa.debian.org/bacula-team/bacula/compare/debian%2F7.4.4+dfsg-6...stretch
 

Thanks,

Carsten

diff --git a/debian/bacula-common.preinst b/debian/bacula-common.preinst
index 056c2944..d0b323fa 100644
--- a/debian/bacula-common.preinst
+++ b/debian/bacula-common.preinst
@@ -12,6 +12,14 @@ case "$1" in
 			echo "Ok."
 		fi
 	;;
+	install|upgrade)
+		# purging bacula-director-common can mistakenly delete bacula-dir.conf
+		# neutralize the offending line in its postrm; see bug #880529 for details
+		if dpkg-query -l bacula-director-common > /dev/null 2>&1 && \
+		   [ -e /var/lib/dpkg/info/bacula-director-common.postrm ]; then
+			sed -i 's/rm -f $CONFFILE $CONFFILE.dist/#disabled: bug #880529# rm -f $CONFFILE $CONFFILE.dist/' /var/lib/dpkg/info/bacula-director-common.postrm
+		fi
+	;;
 esac
 
 # dh_installdeb will replace this with shell code automatically
diff --git a/debian/bacula-director.init b/debian/bacula-director.init
index 8ac7c36a..89cfbe65 100644
--- a/debian/bacula-director.init
+++ b/debian/bacula-director.init
@@ -67,7 +67,7 @@ do_start()
 {
 	if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then
 		start-stop-daemon --start --quiet --pidfile $PIDFILE \
-		--oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
+		--oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG
 		return 0
 	else
 		log_progress_msg "- the configtest"
diff --git a/debian/bacula-fd.init b/debian/bacula-fd.init
index 649b9cc1..698e4ea3 100644
--- a/debian/bacula-fd.init
+++ b/debian/bacula-fd.init
@@ -54,7 +54,7 @@ do_start()
 {
 	if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then
 		start-stop-daemon --start --quiet --pidfile $PIDFILE \
-		--oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
+		--oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG
 		return 0
 	else
 		log_progress_msg "- the configtest"
diff --git a/debian/bacula-sd.init b/debian/bacula-sd.init
index 47c3d07d..e3863840 100644
--- a/debian/bacula-sd.init
+++ b/debian/bacula-sd.init
@@ -53,7 +53,7 @@ do_start()
 {
 	if $DAEMON -g $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then
 		start-stop-daemon --start --quiet --pidfile $PIDFILE \
-		--oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
+		--oknodo --exec $DAEMON -- -g $BUSER -g $BGROUP -c $CONFIG
 		return 0
 	else
 		log_progress_msg "- the configtest"
diff --git a/debian/changelog b/debian/changelog
index d0a4ac54..81b0627a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+bacula (7.4.4+dfsg-6+deb9u1) stretch; urgency=medium
+
+  [Sven Hartge]
+  * Let PID files be owned by root. Mitigates a minor security problem
+similar to CVE 2017-14610. Note that this change disables automatic
+tracebacks.
+
+  [Carsten Leonhardt]
+  * Added transitional package bacula-director-common, the old leftover
+package can't be safely purged otherwise (it deletes
+/etc/bacula/bacula-dir.conf in postrm which now belongs to the
+bacula-director package). For the case when the package
+bacula-director-common is deinstalled but not purged, we neutralize
+    the offending postrm script when upgrading bacula-common. (Closes:
+#880529)
+
+ -- Carsten Leonhardt <l...@debian.org>  Wed, 15 Nov 2017 22:55:15 +0100
+
 bacula (7.4.4+dfsg-6) unstable; urgency=medium
 
   [Sven Hartge]
diff --git a/debian/control b/debian/control
index 19418610..7c310185 100644
--- a/debian/control
+++ b/debian/control
@@ -357,3 +357,13 @@ Description: network backup service - Bacula Administration Tool
  .
  This GUI interface has been designed to ease restore operations as much as
  possible as compared to the basic text console.
+
+Package: bacula-director-common
+Section: oldlibs
+Architecture: any
+Pre-Depends: ${misc:Pre-Depends}
+Depends:
+ bacula-common (= ${binary:Version}),
+ ${misc:Depends}
+Description: transitional package
+ This is a transitional package. It can safely be removed.
diff --git a/debian/patches/non-forking-systemd-units.patch b/debian/patches/non-forking-systemd-units.patch
index 636c9153..03cdabd7 100644
--- a/debian/patches/non-forking-systemd-units.patch
+++ b/debian/patches/non-forking-systemd-units.patch
@@ -20,13 +20,13 @@ Author: Sven Hartge <s...@svenhartge.de>
 -PIDFile=@piddir@/bacula-dir.@dir_port@.pid
 -ExecReload=@sbindir@/bacula-dir -t -c @sysconfdir@/bacula-dir.conf
 +Type=simple
-+User=bacula
-+Group=bacula
++User=root
++Group=roo

Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6

2018-01-15 Thread Carsten Leonhardt 
Julien Cristau <jcris...@debian.org> writes:

> On 01/15/2018 08:32 AM, Carsten Leonhardt wrote:
>> Julien Cristau <jcris...@debian.org> writes:
>> 
>>> Control: tag -1 moreinfo
>>>
>>> On Thu, Nov 16, 2017 at 00:02:29 +0100, Carsten Leonhardt wrote:
>>>
>>>> 2) Bug #880529: When updating from jessie to stretch, the package
>>>> "bacula-director-common" will be removed, but the postrm will stay
>>>> around. Upon purging this package, postrm unconditionally removes the
>>>> main bacula configuration file /etc/bacula/bacula-dir.conf, leaving
>>>> bacula unusable. We fix this by introducing a transitional package that
>>>> can then be safely removed.
>>>>
>>> It sounds like this won't solve the issue for anyone who has already
>>> upgraded but hasn't yet purged bacula-director-common.  Couldn't
>>> bacula-director's postinst neuter the old postrm instead?
>> 
>> Are you sure? I'd say that these people will get the upgrade to the
>> transitional package and this will remove the old postrm.
>> 
> How would they get an update to a removed package?  (Yes, I'm pretty sure.)

I see your point now. My proposed solution only helps people that still
have the package installed.

I'll work on a better solution.

Regards,

Carsten

Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6

2018-01-14 Thread Carsten Leonhardt 
Julien Cristau <jcris...@debian.org> writes:

> Control: tag -1 moreinfo
>
> On Thu, Nov 16, 2017 at 00:02:29 +0100, Carsten Leonhardt wrote:
>
>> 2) Bug #880529: When updating from jessie to stretch, the package
>> "bacula-director-common" will be removed, but the postrm will stay
>> around. Upon purging this package, postrm unconditionally removes the
>> main bacula configuration file /etc/bacula/bacula-dir.conf, leaving
>> bacula unusable. We fix this by introducing a transitional package that
>> can then be safely removed.
>> 
> It sounds like this won't solve the issue for anyone who has already
> upgraded but hasn't yet purged bacula-director-common.  Couldn't
> bacula-director's postinst neuter the old postrm instead?

Are you sure? I'd say that these people will get the upgrade to the
transitional package and this will remove the old postrm.

Regards,

Carsten

Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6

2017-12-01 Thread Carsten Leonhardt 
Hi,

is there anything else I can do to help this into the next stable
update?

Or at least only one of the changes?

Regards,

Carsten

Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6

2017-11-18 Thread Carsten Leonhardt 
Hi,

> 2) Bug #880529: When updating from jessie to stretch, the package
> "bacula-director-common" will be removed, but the postrm will stay
> around. Upon purging this package, postrm unconditionally removes the
> main bacula configuration file /etc/bacula/bacula-dir.conf, leaving
> bacula unusable. We fix this by introducing a transitional package that
> can then be safely removed.

I just noticed that I left out a detail that might help understand the
problem: the configuration file used to be owned by the package
"bacula-director-common", but ownership moved to the new package
"bacula-director".

Regards,

Carsten

Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6

2017-11-15 Thread Carsten Leonhardt 
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

we would like to fix the following two problems in stable:

1 ) The bacula packages are vulnerable to a security problem similar to
CVE 2017-14610 (PID files not owned by root). On the downside this
change disables a bacula feature that permits automatic tracebacks on a
crash. I've mailed the security team about this, they recommended a
stable update.

2) Bug #880529: When updating from jessie to stretch, the package
"bacula-director-common" will be removed, but the postrm will stay
around. Upon purging this package, postrm unconditionally removes the
main bacula configuration file /etc/bacula/bacula-dir.conf, leaving
bacula unusable. We fix this by introducing a transitional package that
can then be safely removed.

Regards,

Carsten

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'oldstable-updates'), (500, 
'oldoldstable'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

diff -Nru bacula-7.4.4+dfsg/debian/bacula-director.init bacula-7.4.4+dfsg/debian/bacula-director.init
--- bacula-7.4.4+dfsg/debian/bacula-director.init	2017-02-26 13:39:25.0 +0100
+++ bacula-7.4.4+dfsg/debian/bacula-director.init	2017-11-15 22:55:15.0 +0100
@@ -67,7 +67,7 @@
 {
 	if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then
 		start-stop-daemon --start --quiet --pidfile $PIDFILE \
-		--oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
+		--oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG
 		return 0
 	else
 		log_progress_msg "- the configtest"
diff -Nru bacula-7.4.4+dfsg/debian/bacula-fd.init bacula-7.4.4+dfsg/debian/bacula-fd.init
--- bacula-7.4.4+dfsg/debian/bacula-fd.init	2017-02-26 13:39:25.0 +0100
+++ bacula-7.4.4+dfsg/debian/bacula-fd.init	2017-11-15 22:55:15.0 +0100
@@ -54,7 +54,7 @@
 {
 	if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then
 		start-stop-daemon --start --quiet --pidfile $PIDFILE \
-		--oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
+		--oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG
 		return 0
 	else
 		log_progress_msg "- the configtest"
diff -Nru bacula-7.4.4+dfsg/debian/bacula-sd.init bacula-7.4.4+dfsg/debian/bacula-sd.init
--- bacula-7.4.4+dfsg/debian/bacula-sd.init	2017-02-26 13:39:25.0 +0100
+++ bacula-7.4.4+dfsg/debian/bacula-sd.init	2017-11-15 22:55:15.0 +0100
@@ -53,7 +53,7 @@
 {
 	if $DAEMON -g $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then
 		start-stop-daemon --start --quiet --pidfile $PIDFILE \
-		--oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
+		--oknodo --exec $DAEMON -- -g $BUSER -g $BGROUP -c $CONFIG
 		return 0
 	else
 		log_progress_msg "- the configtest"
diff -Nru bacula-7.4.4+dfsg/debian/changelog bacula-7.4.4+dfsg/debian/changelog
--- bacula-7.4.4+dfsg/debian/changelog	2017-02-26 13:39:25.0 +0100
+++ bacula-7.4.4+dfsg/debian/changelog	2017-11-15 22:55:15.0 +0100
@@ -1,3 +1,17 @@
+bacula (7.4.4+dfsg-6+deb9u1) stretch; urgency=medium
+
+  [Sven Hartge]
+  * Let PID files be owned by root. Mitigates a minor security problem
+similar to CVE 2017-14610. Note that this change disables automatic
+tracebacks.
+
+  [ Carsten Leonhardt ]
+  * Added transitional package bacula-director-common, the old leftover
+package can't be safely purged otherwise (it deletes
+/etc/bacula/bacula-dir.conf in postrm) (Closes: #880529)
+
+ -- Carsten Leonhardt <l...@debian.org>  Wed, 15 Nov 2017 22:55:15 +0100
+
 bacula (7.4.4+dfsg-6) unstable; urgency=medium
 
   [Sven Hartge]
diff -Nru bacula-7.4.4+dfsg/debian/control bacula-7.4.4+dfsg/debian/control
--- bacula-7.4.4+dfsg/debian/control	2017-02-26 13:39:25.0 +0100
+++ bacula-7.4.4+dfsg/debian/control	2017-11-15 22:55:15.0 +0100
@@ -357,3 +357,13 @@
  .
  This GUI interface has been designed to ease restore operations as much as
  possible as compared to the basic text console.
+
+Package: bacula-director-common
+Section: oldlibs
+Architecture: any
+Pre-Depends: ${misc:Pre-Depends}
+Depends:
+ bacula-common (= ${binary:Version}),
+ ${misc:Depends}
+Description: transitional package
+ This is a transitional package. It can safely be removed.
diff -Nru bacula-7.4.4+dfsg/debian/patches/non-forking-systemd-units.patch bacula-7.4.4+dfsg/debian/patches/non-forking-systemd-units.patch
--- bacula-7.4.4+dfsg/debian/patches/non-forking-systemd-units.patch	2017-02-26 13:39:25.0 +0100
+++ bacula-7.4.4+dfsg/debian/patches/non-forking-systemd-units.patch	2017-11-15 22:55:15.

Bug#874836: [bacula] Future Qt4 removal from Buster

2017-11-15 Thread Carsten Leonhardt 
Control: tag -1 - patch

The upstream patch is incomplete and not yet useable.

Bug#874836: [bacula] Future Qt4 removal from Buster

2017-11-14 Thread Carsten Leonhardt 
Control: tag -1 patch

There's a patch to support Qt5 in upstream's git repository, I'll check
it and upload a fixed version if it's ok.

Bug#881271: [pkg-bacula-devel] Bug#881271: bacula: FTBFS on hurd-i386: XACL_Hurd not declared

2017-11-14 Thread Carsten Leonhardt 
Control: tag -1 patch

There's a patch in upstream's git repository, I'll check it and upload
a fixed version if it's ok.

Bug#850895: bacula: Please migrate to openssl1.1 in buster

2017-11-12 Thread Carsten Leonhardt 
Sebastian Andrzej Siewior <sebast...@breakpoint.cc> writes:

> On 2017-11-10 00:48:34 [+0100], Carsten Leonhardt wrote:
>> Sebastian Andrzej Siewior <sebast...@breakpoint.cc> writes:

>> adding that patch on top of the others I get the following error when
>> trying to compile:
>> 
>> Compiling openssl.c
>> openssl.c: In function 'int init_crypto()':
>> openssl.c:289:11: error: invalid conversion from 'int (*)(const char*,
>> stat*) throw ()' to 'int' [-fpermissive]
>> return stat;
>
> grml. The attached version should do it.

This version didn't throw an error while compiling, thanks.

>> The first set of 5 patches seem to work though, a backup run with them
>> is almost finished now without apparent problems.
>
> Okay. So if it works and you so no problems we could throw them at
> upsteam, right?

I'll wait until tomorrow before contacting upstream again, to see if
another backup run works without problems. The patched version is in
experimental, btw.

Regards,

Carsten

Bug#850895: bacula: Please migrate to openssl1.1 in buster

2017-11-09 Thread Carsten Leonhardt 
Sebastian Andrzej Siewior  writes:

Hi,

> oh boy. Yes, definitely. Something like that in the attached patch?
> (this time not even compile tested).

adding that patch on top of the others I get the following error when
trying to compile:

Compiling openssl.c
openssl.c: In function 'int init_crypto()':
openssl.c:289:11: error: invalid conversion from 'int (*)(const char*,
stat*) throw ()' to 'int' [-fpermissive]
return stat;
   ^~~~
Makefile:182: recipe for target 'openssl.lo' failed
make[3]: *** [openssl.lo] Error 1


The first set of 5 patches seem to work though, a backup run with them
is almost finished now without apparent problems.

Regards,

Carsten

Bug#881271: bacula: FTBFS on hurd-i386: XACL_Hurd not declared

2017-11-09 Thread Carsten Leonhardt 
Control: tag -1 upstream confirmed

Hi Aaron,

> Builds of bacula 9.0.x for hurd-i386 (admittedly not a release
> architecture) have been failing:

[...]
>   xacl.c:1323:15: error: 'XACL_Hurd' was not declared in this scope
[...]
> Could you please take a look?

I'm aware of this - it's due to an upstream change/bug. I'll report it
to the upstream bug tracker shortly.

Regards,

Carsten

Bug#850895: bacula: Please migrate to openssl1.1 in buster

2017-11-08 Thread Carsten Leonhardt 
Hi Sebastian,

Sebastian Andrzej Siewior  writes:

> please find attached a few patches :) I can compile against 1.0.2 and
> 1.1 with them applied. Please do some testing. There is no testsuite so…

first a big thanks!

I'll give it some testing and will point upstream to your patches.

(There's actually an extensive test suite, but sadly it's not yet
integrated in our packaging.)

Regards,

Carsten

Bug#880529: Conffile bacula-dir.conf can be lost; unowned conffiles

2017-11-01 Thread Carsten Leonhardt 
Source: bacula
Version: 5.2.6+dfsg-9.3
Severity: serious

The main configuration files (bacula-{dir,sd,fd}.conf, bconsole.conf,
bat.conf) in the bacula packages aren't registered as belonging to their
respective packages. This leads to the following problem:

Due to the restructuring of the packaging (which happened in version
7.4.3+dfsg-3), when upgrading to the packages 7.4.3+dfsg-3 or later, the
conffile /etc/bacula/bacula-dir.conf will be deleted when the obsoleted
package "bacula-director-common" is purged. This is an error as the file
should be owned by the new package "bacula-director".

Bug#880369: [pkg-bacula-devel] Bug#880369: bacula: missing package location

2017-10-31 Thread Carsten Leonhardt 
Hi,

>* What led up to the situation?
>
> trying to re-install bacula, bacula-dir test program is missing and I cannot 
> locate the package it is in

>* What outcome did you expect instead?
>
> to get /usr/sbin/bacula-dir installed

the package "bacula-director" contains the program
/usr/sbin/bacula-dir. You can also use the search at
https://packages.debian.org.

If this answer doesn't help, please clarify your problem more precisely.

Regards,

Carsten

Bug#850895: [pkg-bacula-devel] Bug#850895: Bug#850895: bacula: Please migrate to openssl1.1 in buster

2017-10-13 Thread Carsten Leonhardt 
Hi Sebastian,

> Arch, Fedora and Gentoo provide OpenSSL 1.1. They are also stucked with
> 1.0 as compatibility layer.
>
>> Lastly, the bug is tagged "help" for quite some time already, but help
>> doesn't seem to be forthcoming.
>
> Could please check if one of the three distos I mentioned has patch? If
> not, please ping me again and I take a look at the code.

I've checked all three distros, Fedora and Arch use OpenSSL 1.0 to build
bacula. For Gentoo I'm not sure I can parse the ebuild-files correctly,
but I think they use LibreSSL - in any case there's no patch to enable
building with OpenSSL 1.1.

Regards,

Carsten

Bug#850895: [pkg-bacula-devel] Bug#850895: bacula: Please migrate to openssl1.1 in buster

2017-10-13 Thread Carsten Leonhardt 
Hi Sebastian,

> this is a remainder about the openssl transition [0]. We really want to
> remove libssl1.0-dev from unstable for Buster. I will raise the severity
> of this bug to serious in a month. Please react before that happens.

I'm not sure what my reaction should be.

I myself will not attempt to migrate bacula to the new OpenSSL API, as
my programming experience is insufficient to touch this security
sensitive code.

Upstream does not see a pressing need because OpenSSL version 1.0.2 is
supported until 2019-12-31 - significantly longer than 1.0.2.

Are there any other distributions that already dropped, or will drop
OpenSSL v1.0 support in the near future that I can use as an argument
for upstream?

Lastly, the bug is tagged "help" for quite some time already, but help
doesn't seem to be forthcoming.

Regards,

Carsten

Bug#728582: bacula-sd on kFreeBSD: unable to use tape drive

2017-09-25 Thread Carsten Leonhardt 
Control: tags -1 + unreproducible

Hi,

FreeBSD has some notes about using bacula:

https://github.com/freebsd/freebsd-ports/blob/master/sysutils/bacula-server/files/pkg-message.server.in

In particular the following part:

> Due to lack of some features in the FreeBSD tape driver implementation
> you MUST add some OS dependent options to the bacula-sd.conf file:

>  Hardware End of Medium = no;
>  Backward Space Record  = no;
>  Backward Space File= no;

> With 2 filemarks at EOT (see man mt):
>   Fast Forward Space File = no;
>   BSF at EOM = yes;
>   TWO EOF= yes;

> With 1 filemarks at EOT (see man mt):
>   Fast Forward Space File = yes;
>   BSF at EOM = no;
>   TWO EOF   = no;

> NOTE: YOU CAN SWITCH EOT model ONLY when starting from scratch with
> EMPTY tapes."

Would you be able to confirm whether following this advice makes tape
drives useable under kFreeBSD?

Regards,

Carsten

Bug#835120: lintian: false positive: virtual-package-depends-without-real-package-depends for bacula-director

2017-09-20 Thread Carsten Leonhardt 
Chris Lamb  writes:

> Mattia Rizzolo wrote:
>
>> trying to regenerate [the list] drops the bacula-director and
>> bacula-sd-tools packages and adds bacula-director-database.
>
> Is that incorrect?

No, that would be correct.

Regards,

Carsten

Bug#835120: lintian: false positive: virtual-package-depends-without-real-package-depends in experimental

2017-09-19 Thread Carsten Leonhardt 
Mattia Rizzolo  writes:

> Then it just needs to be removed from that list.
> I'd attach a patch, but that list is actually automatically generated,
> and indeed trying to regenerate it it drops the baula-director and
> bacula-sd-tools packages and adds bacula-director-database.

So I guess that this list should be regenerated from time to time. Is
there a reason to not update it during build?

Regards,

Carsten

Bug#835120: lintian: false positive: virtual-package-depends-without-real-package-depends in experimental

2017-09-15 Thread Carsten Leonhardt 
Dear Maintainer,

just to let you know that lintian still reports

bacula-server
 W virtual-package-depends-without-real-package-depends
 depends: bacula-director

which I have overridden, but it also reports this for the automatic
package bacula-director-dbgsym where I don't see how I could override it
using debhelper.

So it had nothing to do with experimental as I suspected first.

Reminder: bacula-director was a virtual package in jessie and older but
is a real package in stretch and newer.

 - Carsten

Bug#874836: [pkg-bacula-devel] Bug#874836: [bacula] Future Qt4 removal from Buster

2017-09-14 Thread Carsten Leonhardt 
Control: forwarded -1 
https://sourceforge.net/p/bacula/mailman/bacula-devel/thread/87r2v9tt7s.fsf%40arioch.leonhardt.eu/#msg36038406
Control: tag -1 + upstream

Hi,

> Hi! As you might know we the Qt/KDE team are preparing to remove Qt4
> as [announced] in:

I've reported this to the upstream devel list for now.

 - Carsten

Bug#486131: [pkg-bacula-devel] Bug#486131: Problem still exists in wheezy 5.2.6

2017-08-21 Thread Carsten Leonhardt 
Hi Pierre,

do you still experience bacula-sd crashing if an FD is unreachable, and
can you reproduce the problem in bacula 7.4.4 from Debian 9 (stretch)?
With that version, backtraces should be working.

 - Carsten

Bug#863799: ITP: redtick -- tiny pomodoro timer for Emacs

2017-05-31 Thread Carsten Leonhardt 
Sean Whitton  writes:

>   Description : tiny pomodoro timer for Emacs

I'm curious to see the long description, as I don't see the relationship
between tomatoes and timers.

 - Carsten

Bug#857979: approx: does not start on sysvinit system

2017-03-21 Thread Carsten Leonhardt 
Hi,

you could add a depends on "systemd-sysv | update-inetd" and configure
inetd only if it's installed:

[ -x /usr/sbin/update-inetd ]

And I'd recommend getting the fix into stretch, otherwise non-systemd
approx users will have a surprise when they dist-upgrade.

 - Carsten

Bug#858194: unblock: libsecret/0.18.5-3.1

2017-03-19 Thread Carsten Leonhardt 
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libsecret

This version fixes ##855951 "libsecret FTBFS with test failures on
many architectures". I've included the debdiff between the last
version in testing and this proposed new version.

unblock libsecret/0.18.5-3.1

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
diff -Nru libsecret-0.18.5/debian/changelog libsecret-0.18.5/debian/changelog
--- libsecret-0.18.5/debian/changelog	2016-09-04 12:16:44.0 +0200
+++ libsecret-0.18.5/debian/changelog	2017-03-18 16:56:31.0 +0100
@@ -1,3 +1,25 @@
+libsecret (0.18.5-3.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * debian/patches/0004-tests-collection-add-setup-delay.patch:
++ Fix failing test "collection/delete-sync" by correctly placing
+  the delay. Closes: #855951.
+
+ -- Carsten Leonhardt <l...@debian.org>  Sat, 18 Mar 2017 15:56:31 +
+
+libsecret (0.18.5-3) unstable; urgency=medium
+
+  [ Jeremy Bicha ]
+  * Add basic autopkgtest to run upstream build tests
+
+  [ Emilio Pozuelo Monfort ]
+  * debian/patches/0004-tests-collection-add-setup-delay.patch:
++ Add some delay for the test bus to go up and down. Fixes a test
+  that otherwise may fail, especially when running on a single cpu
+  machine. Closes: #837067.
+
+ -- Emilio Pozuelo Monfort <po...@debian.org>  Tue, 21 Feb 2017 22:57:01 +0100
+
 libsecret (0.18.5-2) unstable; urgency=medium
 
   * Drop --disable-silent-rules from debian/rules. This is now handled by dh
diff -Nru libsecret-0.18.5/debian/control libsecret-0.18.5/debian/control
--- libsecret-0.18.5/debian/control	2016-09-04 12:16:44.0 +0200
+++ libsecret-0.18.5/debian/control	2017-03-18 16:56:31.0 +0100
@@ -6,7 +6,7 @@
 Section: devel
 Priority: optional
 Maintainer: Debian GNOME Maintainers <pkg-gnome-maintain...@lists.alioth.debian.org>
-Uploaders: Andreas Henriksson <andr...@fatal.se>, Michael Biebl <bi...@debian.org>, Sjoerd Simons <sjo...@debian.org>
+Uploaders: Andreas Henriksson <andr...@fatal.se>, Emilio Pozuelo Monfort <po...@debian.org>, Michael Biebl <bi...@debian.org>
 Build-Depends: debhelper (>= 9),
dh-autoreconf,
intltool (>= 0.35.0),
diff -Nru libsecret-0.18.5/debian/patches/0004-tests-collection-add-setup-delay.patch libsecret-0.18.5/debian/patches/0004-tests-collection-add-setup-delay.patch
--- libsecret-0.18.5/debian/patches/0004-tests-collection-add-setup-delay.patch	1970-01-01 01:00:00.0 +0100
+++ libsecret-0.18.5/debian/patches/0004-tests-collection-add-setup-delay.patch	2017-03-18 16:55:44.0 +0100
@@ -0,0 +1,27 @@
+Author: Emilio Pozuelo Monfort <po...@debian.org>
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=779041
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837067
+
+Update by Carsten Leonhardt <l...@debian.org>: move sleep(1) to the
+beginning of teardown() to address bug #855951
+
+Index: libsecret-0.18.5/libsecret/test-collection.c
+===
+--- libsecret-0.18.5.orig/libsecret/test-collection.c
 libsecret-0.18.5/libsecret/test-collection.c
+@@ -56,12 +56,15 @@ setup (Test *test,
+ 	test->service = secret_service_get_sync (SECRET_SERVICE_NONE, NULL, );
+ 	g_assert_no_error (error);
+ 	g_object_add_weak_pointer (G_OBJECT (test->service), (gpointer *)>service);
++
++	sleep(1);
+ }
+ 
+ static void
+ teardown (Test *test,
+   gconstpointer unused)
+ {
++	sleep(1);
+ 	g_object_unref (test->service);
+ 	secret_service_disconnect ();
+ 	g_assert (test->service == NULL);
diff -Nru libsecret-0.18.5/debian/patches/series libsecret-0.18.5/debian/patches/series
--- libsecret-0.18.5/debian/patches/series	2016-09-04 01:19:53.0 +0200
+++ libsecret-0.18.5/debian/patches/series	2017-02-21 22:56:07.0 +0100
@@ -1,3 +1,4 @@
 0001-build-Port-to-Python-3.patch
 0002-libsecret-Get-rid-of-PyGI-warnings-about-unspecified.patch
 0003-Makefile.am-Compile-vala-unstable-tests-with-SECRET_.patch
+0004-tests-collection-add-setup-delay.patch
diff -Nru libsecret-0.18.5/debian/tests/build libsecret-0.18.5/debian/tests/build
--- libsecret-0.18.5/debian/tests/build	1970-01-01 01:00:00.0 +0100
+++ libsecret-0.18.5/debian/tests/build	2016-09-05 22:30:15.0 +0200
@@ -0,0 +1,2 @@
+#!/bin/sh
+env -u LD_PRELOAD dbus-run-session -- make check
diff -Nru libsecret-0.18.5/debian/tests/control libsecret-0.18.5/debian/tests/control
--- libsecret-0.18.5/debian/tests/control	1970-01-01 01:00:00.0 +0100
+++ libsecret-0.18.5/deb

Bug#855951: Bug #855951: libsecret: diff for NMU version 0.18.5-3.1

2017-03-19 Thread Carsten Leonhardt 
Michael Biebl  writes:

> I don't remember seeing the test suite to get stuck completely (as it
> apparently did on kfreebsd-* now).

It could well be a general problem of the kfreebsd buildds, as they
regularly get completely stuck during the build of gcc-6 in the last
weeks.

Should I go ahead and request the unblock?

 - Carsten

Bug#855951: Bug #855951: libsecret: diff for NMU version 0.18.5-3.1

2017-03-19 Thread Carsten Leonhardt 
Hi,

> The changes in 0.18.5-3 were supposed to fix #837067, i.e. the test
> suite failing to pass on a single CPU machine.
>
> Did you test that as well?

I did now, on a virtual single CPU kfreebsd-amd64 machine. 6 test runs,
no failures.

Or is this too modern?

$ sysctl hw | head -n 3
hw.machine: amd64
hw.model: Intel Core i7 9xx (Nehalem Class Core i7)
hw.ncpu: 1


I've never looked at this package before the BSP this weekend, does it
have a history of getting stuck during the tests, like the buildds of
kfreebsd did just now?

 - Carsten

Bug#855951: Bug #855951: libsecret: diff for NMU version 0.18.5-3.1

2017-03-19 Thread Carsten Leonhardt 
Michael Biebl  writes:

> If you are sure it fixes the issue, feel free to upload without delay.

I've made a dozen test runs of the collection tests on arm64, all
passed. After double checking the buildd logs, I noticed a different
failing test on mipsel, I've made 5 complete test runs there without
failure.

I'll move it to delayed/0 shortly.

 - Carsten

Bug#855951: Bug #855951: libsecret: diff for NMU version 0.18.5-3.1

2017-03-18 Thread Carsten Leonhardt 
Control: tags -1 patch pending

Dear maintainer,

I've prepared an NMU for libsecret (versioned as 0.18.5-3.1) and am
about to upload it to DELAYED/5. Please feel free to tell me if I should
delay it longer.

After the package enters unstable, I'll open another bug for the release
team to unblock it.

 - Carsten

diff -Nru libsecret-0.18.5/debian/changelog libsecret-0.18.5/debian/changelog
--- libsecret-0.18.5/debian/changelog	2017-02-21 22:57:01.0 +0100
+++ libsecret-0.18.5/debian/changelog	2017-03-18 16:56:31.0 +0100
@@ -1,3 +1,12 @@
+libsecret (0.18.5-3.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * debian/patches/0004-tests-collection-add-setup-delay.patch:
++ Fix failing test "collection/delete-sync" by correctly placing
+  the delay. Closes: #855951.
+
+ -- Carsten Leonhardt <l...@debian.org>  Sat, 18 Mar 2017 15:56:31 +
+
 libsecret (0.18.5-3) unstable; urgency=medium
 
   [ Jeremy Bicha ]
diff -Nru libsecret-0.18.5/debian/patches/0004-tests-collection-add-setup-delay.patch libsecret-0.18.5/debian/patches/0004-tests-collection-add-setup-delay.patch
--- libsecret-0.18.5/debian/patches/0004-tests-collection-add-setup-delay.patch	2017-02-21 22:56:07.0 +0100
+++ libsecret-0.18.5/debian/patches/0004-tests-collection-add-setup-delay.patch	2017-03-18 16:55:44.0 +0100
@@ -2,9 +2,14 @@
 Bug: https://bugzilla.gnome.org/show_bug.cgi?id=779041
 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837067
 
 a/libsecret/test-collection.c
-+++ b/libsecret/test-collection.c
-@@ -56,6 +56,8 @@
+Update by Carsten Leonhardt <l...@debian.org>: move sleep(1) to the
+beginning of teardown() to address bug #855951
+
+Index: libsecret-0.18.5/libsecret/test-collection.c
+===
+--- libsecret-0.18.5.orig/libsecret/test-collection.c
 libsecret-0.18.5/libsecret/test-collection.c
+@@ -56,12 +56,15 @@ setup (Test *test,
  	test->service = secret_service_get_sync (SECRET_SERVICE_NONE, NULL, );
  	g_assert_no_error (error);
  	g_object_add_weak_pointer (G_OBJECT (test->service), (gpointer *)>service);
@@ -13,11 +18,10 @@
  }
  
  static void
-@@ -67,6 +69,7 @@
- 	g_assert (test->service == NULL);
- 
- 	mock_service_stop ();
+ teardown (Test *test,
+   gconstpointer unused)
+ {
 +	sleep(1);
- }
- 
- static void
+ 	g_object_unref (test->service);
+ 	secret_service_disconnect ();
+ 	g_assert (test->service == NULL);

Bug#857296: hol88-library is an empty package on arm64, hppa, and m68k

2017-03-18 Thread Carsten Leonhardt 
> Something weired seems to have happend to hol88-library. On some
> architectures (arm64, hppa, m68k), the package is simply empty. Upon
> closer inspection it turns out that the upstream build system simply
> hides build failures.
> 
> https://sources.debian.net/src/hol88/2.02.19940316-32/Makefile/#L291
> | (date; $(MAKE) hol; date; $(MAKE) library; date)
> 
> Thus technically, hol88 fails to build from source, it violates policy
> by not detecting such failure and it is dysfunctional by shipping
> empty packages.

I've discussed this bug with release team member Ivo De Decker.

Currently the package builds ok on arm64, which means the underlying
problem is probably in gcl. Nonetheless the build system needs to catch
the build errors and abort.

 - Carsten

  1   2   3   >