Bug#892251: dovecot: fails to build from source twice in a row (unclean tree)

[Christian Hofstaedtler]

Source: dovecot
Version: 1:2.2.34-2
Severity: normal

Hi,

thanks for maintaining the dovecot packages.

While rebuilding dovecot from source, I've noticed that doing this twice
in a row fails:

~/dovecot-2.2.34 % debuild -us -uc
[..]
~/dovecot-2.2.34 % debuild -us -uc
[..]
dpkg-source: info: local changes detected, the modified files are:
 dovecot-2.2.34/dovecot.service
 dovecot-2.2.34/src/config/all-settings.c
dpkg-source: error: aborting due to unexpected upstream changes, see 
/tmp/dovecot_2.2.34-2.diff.KZl62_
[..]

Please see the diff below.

Thanks,
Chris



--- /dev/null
+++ dovecot-2.2.34/dovecot.service
@@ -0,0 +1,32 @@
+# This file is part of Dovecot
+#
+# If you want to pass additionally command line options to the dovecot
+# binary, create the file:
+#  `/etc/systemd/system/dovecot.service.d/service.conf'.
+
+[Unit]
+Description=Dovecot IMAP/POP3 email server
+Documentation=man:dovecot(1)
+Documentation=http://wiki2.dovecot.org/
+After=local-fs.target network-online.target
+
+[Service]
+Type=simple
+ExecStart=/usr/sbin/dovecot -F
+PIDFile=/var/run/dovecot/master.pid
+ExecReload=/usr/bin/doveadm reload
+ExecStop=/usr/bin/doveadm stop
+PrivateTmp=true
+NonBlocking=yes
+# Enable this if your systemd is new enough to support it:
+ProtectSystem=full
+
+# You can add environment variables with e.g.:
+#Environment='CORE_OUTOFMEM=1'
+# If you have trouble with `Too many open files' you may set:
+#LimitNOFILE=8192
+# If you want to allow the Dovecot services to produce core dumps, use:
+#LimitCORE=infinity
+
+[Install]
+WantedBy=multi-user.target
--- dovecot-2.2.34.orig/src/config/all-settings.c
+++ dovecot-2.2.34/src/config/all-settings.c
@@ -1068,7 +1068,7 @@ static const struct setting_define mbox_
 };
 static const struct mbox_settings mbox_default_settings = {
.mbox_read_locks = "fcntl",
-   .mbox_write_locks = "dotlock fcntl",
+   .mbox_write_locks = "fcntl dotlock",
.mbox_lock_timeout = 5*60,
.mbox_dotlock_change_timeout = 2*60,
.mbox_min_index_size = 0,
@@ -2910,7 +2910,7 @@ struct master_settings master_default_se
.state_dir = PKG_STATEDIR,
.libexec_dir = PKG_LIBEXECDIR,
.instance_name = PACKAGE,
-   .protocols = "imap pop3 lmtp",
+   .protocols = "",
.listen = "*, ::",
.ssl = "yes:no:required",
.default_internal_user = "dovecot",
@@ -2997,7 +2997,7 @@ static const struct setting_define login
 static const struct login_settings login_default_settings = {
.login_trusted_networks = "",
.login_source_ips = "",
-   .login_greeting = PACKAGE_NAME" ready.",
+   .login_greeting = DOVECOT_NAME" ready.",
.login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%e 
%c session=<%{session}>",
.login_log_format = "%$: %s",
.login_access_sockets = "",
@@ -3154,7 +3154,7 @@ static const struct lmtp_settings lmtp_d
.lmtp_user_concurrency_limit = 0,
.lmtp_address_translate = "",
.lmtp_hdr_delivery_address = "final:none:original",
-   .login_greeting = PACKAGE_NAME" ready.",
+   .login_greeting = DOVECOT_NAME" ready.",
.login_trusted_networks = ""
 };
 static const struct setting_parser_info *lmtp_setting_dependencies[] = {
@@ -4802,34 +4802,34 @@ buffer_t config_all_services_buf = {
 const struct setting_parser_info *all_default_roots[] = {
_service_setting_parser_info,
_service_ssl_setting_parser_info,
-   _storage_setting_parser_info, 
-   _setting_parser_info, 
+   _setting_parser_info, 
+   _setting_parser_info, 
_params_setting_parser_info, 
-   _user_setting_parser_info, 
-   _setting_parser_info, 
-   _setting_parser_info, 
-   _urlauth_setting_parser_info, 
+   _setting_parser_info, 
+   _storage_setting_parser_info, 
_urlauth_login_setting_parser_info, 
-   _login_setting_parser_info, 
-   _crypt_setting_parser_info, 
-   _login_setting_parser_info, 
-   _setting_parser_info, 
_setting_parser_info, 
-   _setting_parser_info, 
-   _setting_parser_info, 
_setting_parser_info, 
-   _urlauth_worker_setting_parser_info, 
-   _setting_parser_info, 
-   _status_setting_parser_info, 
-   _setting_parser_info, 
+   _crypt_setting_parser_info, 
_setting_parser_info, 
-   _setting_parser_info, 
+   _setting_parser_info, 
+   _setting_parser_info, 
+   _setting_parser_info, 
+   _setting_parser_info, 
_setting_parser_info, 
-   _setting_parser_info, 
+   _setting_parser_info, 
+   _login_setting_parser_info, 
+   _urlauth_worker_setting_parser_info, 
+   _status_setting_parser_info, 
+   _login_setting_parser_info, 
_setting_parser_info, 
+   _urlauth_setting_parser_info, 
+   _setting_parser_info, 
_setting_parser_info, 
-   _setting_parser_info, 
-   _setting_parser_info, 
+   

Bug#889556: monotone: (Build-)Depends on obsolete libbotan1.10-dev

[Christian Hofstaedtler]

Package: monotone
Version: 1.1-9
Severity: serious

Dear Maintainer,

your package monotone (build-)depends on botan1.10, which itself is
obsolete. Upstream will end security support at the end of 2018, so it
must not be part of buster.

Please drop the libbotan1.10-dev build dependency.

Thanks,
Chris

Bug#889557: ovito: (Build-)Depends on obsolete libbotan1.10-dev

[Christian Hofstaedtler]

Package: ovito
Version: 2.9.0+dfsg1-5
Severity: serious

Dear Maintainer,

your package ovito (build-)depends on botan1.10, which itself is
obsolete. Upstream will end security support at the end of 2018, so it
must not be part of buster.

Please drop the libbotan1.10-dev build dependency.

Thanks,
Chris

Bug#889558: qtcreator: (Build-)Depends on obsolete libbotan1.10-dev

[Christian Hofstaedtler]

Package: qtcreator
Version: 4.5.0-2
Severity: serious

Dear Maintainer,

your package qtcreator (build-)depends on botan1.10, which itself is
obsolete. Upstream will end security support at the end of 2018, so it
must not be part of buster.

Please drop the libbotan1.10-dev build dependency.

Thanks,
Chris

Bug#883456: RM: pdns [armel] -- ROM; no longer builds; likely unusable

[Christian Hofstaedtler]

Package: ftp.debian.org
Severity: normal

Dear ftpmasters,

please remove pdns from armel. It no longer builds there, and
considering the usefulness / requirements any effort to fix that
is likely a pure loss of hours.

Thanks,
Chris

Bug#882961: jessie-pu: package pdns/3.4.1-4+deb8u8

[Christian Hofstaedtler]

* Adam D. Barratt  [171128 22:20]:
> Control: tags -1 + confirmed
> 
> On Mon, 2017-11-27 at 22:23 +, Chris Hofstaedtler wrote:
> > Security update for CVE-2017-15091. DSA has marked this
> > no-DSA but suggested this goes through (old)-stable-updates.
> 
> Please go ahead.

Uploaded, thanks.

Chris

Bug#882960: jessie-pu: package pdns-recursor/3.6.2-2+deb8u4

[Christian Hofstaedtler]

* Adam D. Barratt  [171128 22:21]:
> Control: tags -1 + confirmed
> 
> On Mon, 2017-11-27 at 22:28 +, Chris Hofstaedtler wrote:
> > Security update using upstream patch for CVE-2017-15093.
> > DSA has marked this non-DSA but suggested fixing this
> > through an (old)stable update.
> 
> Please go ahead.

Uploaded, thanks.

Chris

Bug#882958: stretch-pu: package pdns-recursor/4.0.4-1+deb9u2

[Christian Hofstaedtler]

* Adam D. Barratt  [171128 22:22]:
> Control: tags -1 + confirmed
> 
> On Mon, 2017-11-27 at 22:29 +, Chris Hofstaedtler wrote:
> > Security update using upstream patches to fix CVE-2017-15090,
> > CVE-2017-15092, CVE-2017-15093, CVE-2017-15094.
> > DSA has marked those as non-DSA but suggested fixing through
> > a stable update instead.
> 
> Please go ahead.

Uploaded, thanks.

Chris

Bug#882959: stretch-pu: package pdns/4.0.3-1+deb9u2

[Christian Hofstaedtler]

* Adam D. Barratt  [171128 22:22]:
> Control: tags -1 + confirmed
> 
> On Mon, 2017-11-27 at 22:25 +, Chris Hofstaedtler wrote:
> > Security update using upstream patch, for CVE-2017-15091.
> > DSA has marked this no-DSA but suggested that this should
> > be fixed via stable-updates.
> 
> I assume you mean proposed-updates.

Indeed; sorry for that mixup.

> Please go ahead.

Uploaded, thanks.

Chris

Bug#878173: stretch-pu: package pdns/4.0.3-1+deb9u1

[Christian Hofstaedtler]

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear Release Team,

pdns before 4.0.4 replies incorrectly to DNS questions with the
DNSSEC query bit (DO) set, when the query also uses the "0x20"
mechanism to increase spoofing resistance.

Unfortunately this is the configuration letsencrypt uses to check
for CAA records on domains. This implies letsencrypt being broken
for all users that have domains on pdns from stretch.

Upstream has fixed this in 4.0.4, but that didn't make it into
stretch.

There is more discussion on this in Debian bug #869222 and
at https://github.com/PowerDNS/pdns/issues/5546 and at
https://community.letsencrypt.org/t/caa-servfail-changes/38298/2

I have imported a minimal patch from upstream and attached the
debdiff. Please let me know if this looks good or if I got something
wrong.

Thanks,
Chris

diff -Nru pdns-4.0.3/debian/changelog pdns-4.0.3/debian/changelog
--- pdns-4.0.3/debian/changelog 2017-01-19 23:05:09.0 +
+++ pdns-4.0.3/debian/changelog 2017-10-10 18:08:15.0 +
@@ -1,3 +1,9 @@
+pdns (4.0.3-1+deb9u1) stable; urgency=medium
+
+  * Fix incorrect qname casing in NSEC3 generation (Closes: #869222)
+
+ -- Christian Hofstaedtler <z...@debian.org>  Tue, 10 Oct 2017 18:08:15 +
+
 pdns (4.0.3-1) unstable; urgency=medium
 
   * New upstream version 4.0.3, fixing bug when running bindbackend
diff -Nru 
pdns-4.0.3/debian/patches/869222-lowercase-qname-before-NSEC-generation.patch 
pdns-4.0.3/debian/patches/869222-lowercase-qname-before-NSEC-generation.patch
--- 
pdns-4.0.3/debian/patches/869222-lowercase-qname-before-NSEC-generation.patch   
1970-01-01 00:00:00.0 +
+++ 
pdns-4.0.3/debian/patches/869222-lowercase-qname-before-NSEC-generation.patch   
2017-10-10 18:08:15.0 +
@@ -0,0 +1,25 @@
+From b91cfe5c069df975176f5fd944540f72fc5d01bb Mon Sep 17 00:00:00 2001
+From: Kees Monshouwer <min...@monshouwer.org>
+Date: Wed, 3 May 2017 21:49:11 +0200
+Subject: [PATCH] auth: lowercase qname before NSEC generation
+
+[z...@debian.org]: Patch from upstream PR #5289.
+https://github.com/PowerDNS/pdns/commit/b91cfe5c069df975176f5fd944540f72fc5d01bb
+
+---
+ pdns/dnsbackend.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pdns/dnsbackend.cc b/pdns/dnsbackend.cc
+index 4e43ffc2b1..2454d6efb8 100644
+--- a/pdns/dnsbackend.cc
 b/pdns/dnsbackend.cc
+@@ -273,7 +273,7 @@ bool DNSBackend::getBeforeAndAfterNames(uint32_t id, const 
DNSName& zonename, co
+   // lcqname=labelReverse(lcqname);
+   DNSName dnc;
+   string relqname, sbefore, safter;
+-  relqname=labelReverse(makeRelative(qname.toStringNoDot(), 
zonename.toStringNoDot())); // FIXME400
++  relqname=labelReverse(makeRelative(toLower(qname.toStringNoDot()), 
zonename.toStringNoDot()));
+   //sbefore = before.toString();
+   //safter = after.toString();
+   bool ret = this->getBeforeAndAfterNamesAbsolute(id, relqname, dnc, sbefore, 
safter);
diff -Nru pdns-4.0.3/debian/patches/series pdns-4.0.3/debian/patches/series
--- pdns-4.0.3/debian/patches/series1970-01-01 00:00:00.0 +
+++ pdns-4.0.3/debian/patches/series2017-10-10 18:08:15.0 +
@@ -0,0 +1 @@
+869222-lowercase-qname-before-NSEC-generation.patch

Bug#877783: spyne: Please provide python3-spyne

[Christian Hofstaedtler]

Package: spyne
Version: 2.12.11-1
Severity: wishlist

Dear Maintainer,

Please provide a Python 3 version of the python-spyne package.

Thanks,
Chris

Bug#872928: stretch-pu: package dnsdist/1.1.0-2+deb9u1

[Christian Hofstaedtler]

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

this update fixes low-severity CVEs CVE-2016-7069, CVE-2017-7557,
purely based on version-targetted patches from upstream.

Thanks,
Chris
diff -Nru dnsdist-1.1.0/debian/changelog dnsdist-1.1.0/debian/changelog
--- dnsdist-1.1.0/debian/changelog  2016-12-31 15:50:47.0 +
+++ dnsdist-1.1.0/debian/changelog  2017-08-22 13:58:05.0 +
@@ -1,3 +1,10 @@
+dnsdist (1.1.0-2+deb9u1) stretch; urgency=medium
+
+  * Fix CVE-2016-7069, CVE-2017-7557 using patches from upstream
+(Closes: #872854)
+
+ -- Christian Hofstaedtler <z...@debian.org>  Tue, 22 Aug 2017 13:58:05 +
+
 dnsdist (1.1.0-2) unstable; urgency=medium
 
   * Bump debhelper compat to 10 for systemd support.
diff -Nru dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch 
dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch
--- dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch1970-01-01 
00:00:00.0 +
+++ dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch2017-08-22 
13:58:05.0 +
@@ -0,0 +1,37 @@
+--- a/dnsdist-ecs.cc
 b/dnsdist-ecs.cc
+@@ -392,26 +392,29 @@ void handleEDNSClientSubnet(char* const packet, const 
size_t packetSize, const u
+ static int removeEDNSOptionFromOptions(unsigned char* optionsStart, const 
uint16_t optionsLen, const uint16_t optionCodeToRemove, uint16_t* newOptionsLen)
+ {
+   unsigned char* p = optionsStart;
+-  const unsigned char* end = p + optionsLen;
+-  while ((p + 4) <= end) {
++  size_t pos = 0;
++  while ((pos + 4) <= optionsLen) {
+ unsigned char* optionBegin = p;
+ const uint16_t optionCode = 0x100*p[0] + p[1];
+ p += sizeof(optionCode);
++pos += sizeof(optionCode);
+ const uint16_t optionLen = 0x100*p[0] + p[1];
+ p += sizeof(optionLen);
+-if ((p + optionLen) > end) {
++pos += sizeof(optionLen);
++if ((pos + optionLen) > optionsLen) {
+   return EINVAL;
+ }
+ if (optionCode == optionCodeToRemove) {
+-  if (p + optionLen < end) {
++  if (pos + optionLen < optionsLen) {
+ /* move remaining options over the removed one,
+if any */
+-memmove(optionBegin, p + optionLen, end - (p + optionLen));
++memmove(optionBegin, p + optionLen, optionsLen - (pos + optionLen));
+   }
+   *newOptionsLen = optionsLen - (sizeof(optionCode) + sizeof(optionLen) + 
optionLen);
+   return 0;
+ }
+ p += optionLen;
++pos += optionLen;
+   }
+   return ENOENT;
+ }
diff -Nru dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc 
dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc
--- dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc1970-01-01 
00:00:00.0 +
+++ dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc2017-08-22 
13:58:05.0 +
@@ -0,0 +1,12 @@
+-BEGIN PGP SIGNATURE-
+
+iQFOBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAlmcNN0aHHJlbWkuZ2Fj
+b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEZjugf9FqmZzPzql6A8yvqix4lj
+/dXYIuuoIqt2NKIZlKkf4QsMO9fhF+AC6WkPessodAExkyB4IdxrmneumWvVNRpO
+beXT+2l6COKjvDkmYvc+5qKDUPEYHxvh6G1dBFDSGvn5AH5uZI2xXko7R3NdA2m+
+hThY37mkDSsiHrqWGNjj6/DoWIJFeU7gRg2aHkos68JiNdIhai6LMYerwecu4v1b
+6Y5xG6hI85Ofn25xKbXNBjAlj1vYJS8/nMYqqWdxD+eIFKX9FkClwE9IkOdqmyRv
+K0vceChANzLvnIzIcYm81AgKTKqPAoQMQP/0L+IG4hSwVTytHLeajsbQ/XRFDUUW
+Gg==
+=+FBw
+-END PGP SIGNATURE-
diff -Nru dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch 
dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch
--- dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch  1970-01-01 
00:00:00.0 +
+++ dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch  2017-08-22 
13:58:05.0 +
@@ -0,0 +1,123 @@
+--- a/dnsdist-web.cc
 b/dnsdist-web.cc
+@@ -79,13 +79,28 @@ static void apiSaveACL(const NetmaskGroup& nmg)
+   apiWriteConfigFile("acl", content);
+ }
+ 
+-static bool compareAuthorization(YaHTTP::Request& req, const string 
_password, const string& expectedApiKey)
++static bool checkAPIKey(const YaHTTP::Request& req, const string& 
expectedApiKey)
+ {
+-  // validate password
+-  YaHTTP::strstr_map_t::iterator header = req.headers.find("authorization");
+-  bool auth_ok = false;
+-  if (header != req.headers.end() && toLower(header->second).find("basic ") 
== 0) {
+-string cookie = header->second.substr(6);
++  if (expectedApiKey.empty()) {
++return false;
++  }
++
++  const auto header = req.headers.find("x-api-key");
++  if (header != req.headers.end()) {
++return (header->second == expectedApiKey);
++  }
++
++  return false;
++}
++
++static bool checkWebPassword(const YaHTTP::Request& req, const string 
_password)
++{
++  static const char basicStr[] = "basic ";
++
++  const auto header = req.headers.find("authorization");
++
++  if (header != req.head

Bug#872854: dnsdist: CVE-2016-7069 CVE-2017-7557

[Christian Hofstaedtler]

> CVE-2016-7069[0]:
> Crafted backend responses can cause a denial of service
> 
> CVE-2017-7557[1]:
> Alteration of ACLs via API authentication bypass

Source patches for 1.1.0 are available here:

https://downloads.powerdns.com/patches/2017-01/
https://downloads.powerdns.com/patches/2017-02/

Bug#867159: stretch-pu: package pdns-recursor/4.0.4-1

[Christian Hofstaedtler]

Hi,

* Cyril Brulebois <k...@debian.org> [170705 07:13]:
> Control: tag -1 confirmed
> 
> Christian Hofstaedtler <z...@debian.org> (2017-07-04):
> > pdns-recursor has an embedded copy of the DNS root (".") zone public
> > signing key ("KSK"), for DNSSEC verification purposes. ICANN has
> > created a new key and expects it to use starting from October 11,
> > 2017, in place of the old key.
> > 
> > [..]
> 
> This looks good to me, feel free to upload.

Done, should be in proposed-updates by now.

> Are we getting an update for jessie as well? (If so, let's track this in
> a separate bug report please.)

The version in jessie does not have DNSSEC capabilities.
The version in jessie-backports does, and I'll update it once the
stretch update is all through.

> Thanks.

Thanks,
Chris

Bug#867159: stretch-pu: package pdns-recursor/4.0.4-1

[Christian Hofstaedtler]

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

pdns-recursor has an embedded copy of the DNS root (".") zone public
signing key ("KSK"), for DNSSEC verification purposes. ICANN has
created a new key and expects it to use starting from October 11,
2017, in place of the old key.

This update adds the new key to the trusted set. If users do not get
this update, DNSSEC validation will fail for them starting on Oct.
11, until they manually update the configuration.

The same fix is already in unstable (as 4.0.4-2).

Thanks,
Chris


diff -Nru pdns-recursor-4.0.4/debian/changelog 
pdns-recursor-4.0.4/debian/changelog
--- pdns-recursor-4.0.4/debian/changelog2017-01-14 03:03:18.0 
+
+++ pdns-recursor-4.0.4/debian/changelog2017-06-27 12:31:08.0 
+
@@ -1,3 +1,10 @@
+pdns-recursor (4.0.4-1+deb9u1) stretch; urgency=medium
+
+  * Add new root trust anchor KSK-2017 to embedded root trust list.
+(Closes: #866112)
+
+ -- Christian Hofstaedtler <z...@debian.org>  Tue, 27 Jun 2017 12:31:08 +
+
 pdns-recursor (4.0.4-1) unstable; urgency=medium
 
   * New upstream version, fixing security issues CVE-2016-7068 and
diff -Nru pdns-recursor-4.0.4/debian/patches/0001-Add-the-2017-root-key.patch 
pdns-recursor-4.0.4/debian/patches/0001-Add-the-2017-root-key.patch
--- pdns-recursor-4.0.4/debian/patches/0001-Add-the-2017-root-key.patch 
1970-01-01 00:00:00.0 +
+++ pdns-recursor-4.0.4/debian/patches/0001-Add-the-2017-root-key.patch 
2017-06-27 12:31:08.0 +
@@ -0,0 +1,20 @@
+From d5037c4d34ffbc89ca5d4f79554dd87aa49fdbc8 Mon Sep 17 00:00:00 2001
+From: Pieter Lexis <pieter.le...@powerdns.com>
+Date: Fri, 3 Feb 2017 09:03:35 +0100
+Subject: [PATCH] Add the 2017 root key
+
+---
+ pdns/root-dnssec.hh | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/pdns/root-dnssec.hh b/pdns/root-dnssec.hh
+index 0d4b3b4ea1..1f5bb37fe7 100644
+--- a/root-dnssec.hh
 b/root-dnssec.hh
+@@ -22,4 +22,5 @@
+ 
+ #pragma once
+ 
+-static const char*rootDSs[]={"19036 8 2 
49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5"};
++static const char*rootDSs[]={"19036 8 2 
49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5",
++ "20326 8 2 
e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d"};
diff -Nru pdns-recursor-4.0.4/debian/patches/series 
pdns-recursor-4.0.4/debian/patches/series
--- pdns-recursor-4.0.4/debian/patches/series   1970-01-01 00:00:00.0 
+
+++ pdns-recursor-4.0.4/debian/patches/series   2017-06-27 12:31:08.0 
+
@@ -0,0 +1 @@
+0001-Add-the-2017-root-key.patch

Bug#866112: [Pkg-dns-devel] Bug#866112: pdns-recursor: Embedded "root" DNSSEC Trust Anchor will expire in 2017

[Christian Hofstaedtler]

* Ondřej Surý <ond...@sury.org> [170627 15:21]:
> Actually it would be best if you could convince pdns_recursor to use TAs
> from dns-root-data, either at build or preferably at start time (or
> runtime).

Yeah, I agree. This is #760470 and https://github.com/PowerDNS/pdns/issues/3530

Should even be relatively easy, but I haven't found time to work on
a patch to send upstream.

-- 
 ,''`.  Christian Hofstaedtler <z...@debian.org>
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C  D392 5C13 D6DB 9305 2E03
  `-

Bug#866112: pdns-recursor: Embedded "root" DNSSEC Trust Anchor will expire in 2017

[Christian Hofstaedtler]

Package: pdns-recursor
Version: 4.0.4-1
Severity: important
Tags: upstream fixed-upstream

pdns-recursor embeds the "root" DNSSEC Trust Anchor in its source code,
and the currently in use KSK-2010 will soon be replaced by KSK-2017. The
former is embedded, the latter is not.

Upstream has fixed this already:
https://github.com/PowerDNS/pdns/commit/d5037c4d34ffbc89ca5d4f79554dd87aa49fdbc8

Bug#865561: [Pkg-dns-devel] pdns_server does not start after upgrade to stretch

[Christian Hofstaedtler]

* James Cloos  [170623 20:15]:
> > "OS" == Ondřej Surý  writes:
> 
> OS> (e.g it is recommended to have bind plugin installed under common
> OS> conditions).
> 
> Why is it recommended, though?
> 
> I suspect most use pdns for db backends.
> 
> All of the backends should be suggested, not recommended.

The bind backend is Recommends: because previously it was part of
pdns-server. To not break setups relying on bindbackend (at least
not more than necessary), everyone(*) gets the same feature set as
before. Those who do not want bindbackend at all can purge the
package or comment out the launch+= line.

C.


* Everyone running with the default APT configuration. Setups that
  run with --no-install-recommends are assumed to really know what
  they are doing.

Bug#865561: [Pkg-dns-devel] Bug#865561: closed by Christian Hofstaedtler <z...@debian.org> (Re: Bug#865561: pdns_server does not start after upgrade to stretch)

[Christian Hofstaedtler]

* Juha Heinanen  [170623 20:33]:
> Ondřej Surý writes:
> > I think that Recommends/Suggests should reflect their actual meanings (e.g 
> > it is recommended to have bind plugin installed under common conditions). 
> > It should not be changes to workaround settings of apt.
> 
> Common condition of powerdns is to use a database, not bind backend.
> Database support is the very reason most people use powerdns.

Previously bindbackend was not optional but always builtin into
core. Having a module is a new option in 4.x, and the package is
there to support configurations without bindbackend.

You can remove the package if you don't want it.

Good luck.
 

Bug#842432: ruby2.3: CVE-2016-7798: IV Reuse in GCM Mode

[Christian Hofstaedtler]

* Moritz Mühlenhoff <j...@inutil.org> [170528 13:07]:
> On Thu, Jan 05, 2017 at 08:08:14PM +0100, Salvatore Bonaccorso wrote:
> > Hi Christian,
> > 
> > On Wed, Nov 16, 2016 at 02:48:03AM +0100, Christian Hofstaedtler wrote:
> > > Hi,
> > > 
> > > * Salvatore Bonaccorso <car...@debian.org> [161116 01:46]:
> > > > Source: ruby2.3
> > > > [...]
> > > > [0] https://security-tracker.debian.org/tracker/CVE-2016-7798
> > > > [1] https://github.com/ruby/openssl/issues/49
> > > > [2] 
> > > > https://github.com/ruby/openssl/commit/8108e0a6db133f3375608303fdd2083eb5115062
> > > 
> > > I'm attaching a potential patch against ruby2.3 2.3.2. Any review
> > > would be most welcome.
> > 
> > The patch looks sane to me. Do you have any chance to let it review
> > from upstream for the 2.3 version? Antonio?
> 
> What's the status?

So, the upstream review did not happen because at least I don't have
any useful contacts for that, and it appears upstream did not bother
to fix this in 2.3.

Realistically I'll not have time to work on this over the long
weekend... if someone else can do another review pass and maybe
upload the patch, that would be very welcome.

Best,
-ch

Bug#860689: blockdiag: FTBFS on i386: E: Build killed with signal TERM after 150 minutes of inactivity

[Christian Hofstaedtler]

Control: retitle -1 double free or corruption when loading unhandled SVG from 
BytesIO
Control: reassign -1 python-wand
Control: affects -1 blockdiag

Hi,

* Lucas Nussbaum  [170505 18:36]:
> During a rebuild of all packages in stretch (in a stretch chroot, not a
> sid chroot), your package failed to build on i386.
> 
> Relevant part (hopefully):
> > f73d6000-f73d7000 r--p 00022000 ca:02 6950262
> > /lib/i386-linux-gnu/ld-2.24.so
> > f73d7000-f73d8000 rw-p 00023000 ca:02 6950262
> > /lib/i386-linux-gnu/ld-2.24.so
> > f73d8000-f7733000 r-xp  ca:02 6822683
> > /usr/bin/python2.7
> > f7733000-f7734000 rwxp  00:00 0 
> > f7734000-f7735000 r--p 0035b000 ca:02 6822683
> > /usr/bin/python2.7
> > f7735000-f7795000 rw-p 0035c000 ca:02 6822683
> > /usr/bin/python2.7
> > f7795000-f77aa000 rw-p  00:00 0 
> > f90e4000-f96dc000 rw-p  00:00 0  
> > [heap]
> > ff8b3000-ff8d4000 rw-p  00:00 0  
> > [stack]
> > Aborted

I've reduced this to a simple test case:

  import io
  import wand.image
  
  s = io.BytesIO()
  s.write('\nhttp://www.w3.org/2000/svg;>\n circle\n \n\n')
  s.seek(0)
  wand.image.Image(file=s)

Result on i386:

  (stretch_i386-dchroot)zeha@barriere:~$ python ~/test.py 
  Traceback (most recent call last):
File "/home/zeha/test.py", line 7, in 
  wand.image.Image(file=s)
File "/usr/lib/python2.7/dist-packages/wand/image.py", line 2740, in 
__init__
  self.read(file=file, resolution=resolution)
File "/usr/lib/python2.7/dist-packages/wand/image.py", line 2822, in read
  self.raise_exception()
File "/usr/lib/python2.7/dist-packages/wand/resource.py", line 222, in 
raise_exception
  raise e
  wand.exceptions.MissingDelegateError: no decode delegate for this image 
format `SVG' @ error/blob.c/BlobToImage/353
  Exception TypeError: TypeError("object of type 'NoneType' has no len()",) in 
> ignored
  *** Error in `python': double free or corruption (!prev): 0xf90daf40 ***
  === Backtrace: =
  /lib/i386-linux-gnu/libc.so.6(+0x6737a)[0xf71d437a]
  /lib/i386-linux-gnu/libc.so.6(+0x6dfb7)[0xf71dafb7]
  /lib/i386-linux-gnu/libc.so.6(+0x6e776)[0xf71db776]
  python(PyMem_Free+0x18)[0xf74f7fe8]
  /usr/lib/python2.7/lib-dynload/_ctypes.i386-linux-gnu.so(+0xf249)[0xf7054249]
  python(+0x10f97d)[0xf74f897d]
  python(+0x10f485)[0xf74f8485]
  python(+0xeb29e)[0xf74d429e]
  python(+0xf1cbd)[0xf74dacbd]
  python(+0xf1c88)[0xf74dac88]
  python(PyDict_SetItem+0x44a)[0xf749cfea]
  python(PyDict_SetItemString+0x58)[0xf74a04d8]
  python(PyImport_Cleanup+0x118)[0xf74fd488]
  python(Py_Finalize+0x99)[0xf74fb439]
  python(Py_Main+0x4d3)[0xf749a2a3]
  python(main+0x26)[0xf7499db6]
  /lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xf7185276]
  python(+0xb0c50)[0xf7499c50]


Note that blockdiag is not even involved in this code anymore. Therefore
reassigning to wand, which appears to be the running code.

Involved versions:

ii  libmagickcore-6.q16-3:i3868:6.9.7.4+dfsg-6 i386 low-level 
image manipulation library -- quantum depth Q16
ii  libmagickcore-6.q16-3-dbgsym:i386 8:6.9.7.4+dfsg-6 i386 Debug 
symbols for libmagickcore-6.q16-3
ii  libmagickwand-6.q16-3:i3868:6.9.7.4+dfsg-6 i386 image 
manipulation library -- quantum depth Q16
ii  libmagickwand-6.q16-3-dbgsym:i386 8:6.9.7.4+dfsg-6 i386 Debug 
symbols for libmagickwand-6.q16-3
ii  python-wand   0.4.4-1.1all  Python 
interface for ImageMagick library (Python 2 build)

Best,
C.

Bug#861789: Please provide database.target as a synchronization point for applications providing databases and needing databases

[Christian Hofstaedtler]

How will a database.target solve anything in those not so uncommon
setups:

- database is remote

or

- one database needs another to start?

Please consider: if you end up with a solution that only works
for 90% of installations - fails on 10% - is that actually
solving your problem?

C.

Bug#861040: [DRE-maint] Bug#861040: camping: broken symlink: /usr/share/doc/camping/rdoc/fonts/Lato-RegularItalic.ttf -> ../../../../fonts/truetype/lato/Lato-RegularItalic.ttf

[Christian Hofstaedtler]

* Chris Lamb  [170424 11:45]:
> > The fonts-lato ships /usr/share/fonts/truetype/lato/Lato-Italic.ttf
> > instead.
> 
> Indeed. Patch attached.

> - ln -s /usr/share/fonts/truetype/lato/Lato-RegularItalic.ttf 
> debian/camping/usr/share/doc/camping/rdoc/fonts/
> + ln -s /usr/share/fonts/truetype/lato/Lato-Italic.ttf 
> debian/camping/usr/share/doc/camping/rdoc/fonts/

Note that rdoc really expects a file named Lato-RegularItalic.ttf
in that place.

  C.

Bug#860512: [DRE-maint] Bug#860512: ruby-ronn: fails on m68k (no fast_xs)

[Christian Hofstaedtler]

Hi,

* Aaron M. Ucko  [170418 04:27]:
>   ronn --roff debian/telegram-desktop.1.md
>   /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require': 
> cannot load such file -- fast_xs (LoadError)

This usually means the ruby-fast-xs package is missing or broken or
the search paths are incorrect.

Please provide:
 - ruby -e 'puts RbConfig::CONFIG'
 - strace -eopen ronn --roff debian/telegram-desktop.1.md
 - installed versions of ruby* (esp. ruby-hpricot, ruby-fast-xs,
   ronn)

PS: ronn hasn't seen any development since 2013. It's advisable to
migrate off it.

Cheers,
C.

Bug#857650: [DRE-maint] Bug#857650: ruby-json: Please build java extension

[Christian Hofstaedtler]

* Miguel Landaeta  [170313 19:45]:
> I noticed ruby-json Java extension was not being built from this
> package.
> 
> So, since I need that to get JRuby unit tests passing and it should be
> useful for real-world users, I added that missing component to this
> package.
> 
> If there are no objections to my approach (please see the debdiff
> below), I was planning to merge this and do an upload to experimental
> very soon.

Looks mostly good to me.

One thing:

> diff -Nru ruby-json-2.0.1+dfsg/debian/control 
> ruby-json-2.0.1+dfsg/debian/control
> --- ruby-json-2.0.1+dfsg/debian/control   2016-12-05 23:33:24.0 
> +
> +++ ruby-json-2.0.1+dfsg/debian/control   2017-03-13 11:54:41.0 
> +
> @@ -6,7 +6,11 @@
> Antonio Terceiro ,
> Cédric Boutillier 
>  Build-Depends: debhelper (>= 9~),
> +   default-jdk,
> gem2deb,
> +   git,
  ^^^

Is git actually needed for the build?
As far as I can see from the build log, the git call ends up
emitting just this error:

> fatal: Not a git repository (or any of the parent directories): .git

   -ch

Bug#856337: systemd: please support kernel 4.4, or don't hardcode dm interface versions

[Christian Hofstaedtler]

* Michael Biebl  [170228 14:57]:
> TBH, I find it rather broken having to embed a local copy of dm-ioctl.h
> to work around this.

My feeling as well.

> Christian, this version mismatch, does that happen for minor version
> differences as well, like say 4.10.0 vs 4.10.1 or only major versions
> like 4.10.x vs 4.11.x?

The exact code in the kernel is:

|   if ((DM_VERSION_MAJOR != version[0]) ||
|   (DM_VERSION_MINOR < version[1])) {
|   DMWARN("ioctl interface mismatch: "
|  "kernel(%u.%u.%u), user(%u.%u.%u), cmd(%d)",
|  DM_VERSION_MAJOR, DM_VERSION_MINOR,
|  DM_VERSION_PATCHLEVEL,
|  version[0], version[1], version[2], cmd);
|   r = -EINVAL;

So: patchlevel (4.10.0 vs 4.10.1) does not matter, the 'minor'
version (10 in 4.10) of userspace has to be lower or equal to the
kernel's number. 

The bump from 4.34 to 4.35 happened in linux.git
545ed20e6df68a4d2584a29a2a28ee8b2f7e9547 which was then part of
kernel 4.8.

-c

Bug#856337: systemd: please support kernel 4.4, or don't hardcode dm interface versions

[Christian Hofstaedtler]

* Marc Lehmann  [170228 02:21]:
> Alternatively, since lvm and dmsetup from stretch do not have any issues
> with kernel 4.4, I suspect systemd hardcodes version numbers in direct
> calls instead of going through e.g. libdevmapper - going through a library
> such as libdevmapper that hanmdles the kernel versions bettrer would also
> take care of this issue, at least for current stretch.

This is a direct result of the dm-ioctl.h header file shipped by the
Linux kernel (and the linux-libc-dev package) - any program compiled
against that official header file will embed the version number used
to build. Building systemd (or anything else) against a newer kernel
will result in this problem for older kernels.

libdevmapper works around this by embedding an old copy of
dm-ioctl.h ...

-c

Bug#854449: dns-root-data: New root keys and hint file changes

[Christian Hofstaedtler]

Package: dns-root-data
Version: 2015052300+h+1
Severity: important

Dear Maintainers,

IANA has published new hint files and new root keys.
It'd be good if those would be updated for stretch.

Thanks,
-ch

Bug#854290: unblock: ruby-pdf-reader/1.4.0-2

[Christian Hofstaedtler]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package ruby-pdf-reader version 1.4.0-2

#850688 explains that the copies of the Type1 font files are not
actually distributed under a DFSG-free license when the MustRead.html
file is missing. This revision of the package just adds that file
and updates d/copyright, which also was neglected in the past.

debdiff below.

Thanks,
-ch


unblock ruby-pdf-reader/1.4.0-2


diff -Nru ruby-pdf-reader-1.4.0/debian/changelog 
ruby-pdf-reader-1.4.0/debian/changelog
--- ruby-pdf-reader-1.4.0/debian/changelog  2016-03-03 13:07:16.0 
+
+++ ruby-pdf-reader-1.4.0/debian/changelog  2017-02-05 19:10:44.0 
+
@@ -1,3 +1,11 @@
+ruby-pdf-reader (1.4.0-2) unstable; urgency=medium
+
+  * Team upload.
+  * Include missing file for Type1 fonts license compliance,
+and update debian/copyright. (Closes: #850688)
+
+ -- Christian Hofstaedtler <z...@debian.org>  Sun, 05 Feb 2017 19:10:44 +
+
 ruby-pdf-reader (1.4.0-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru ruby-pdf-reader-1.4.0/debian/copyright 
ruby-pdf-reader-1.4.0/debian/copyright
--- ruby-pdf-reader-1.4.0/debian/copyright  2016-03-03 12:52:32.0 
+
+++ ruby-pdf-reader-1.4.0/debian/copyright  2017-02-05 19:10:44.0 
+
@@ -11,6 +11,18 @@
 Copyright: Copyright 2011 Cédric Boutillier <cedric.boutill...@gmail.com>
 License: Expat
 
+Files: lib/pdf/reader/afm/*
+Copyright: © 1985-1997, Adobe Systems Incorporated
+License: other
+ Core 14 AFM Files - ReadMe
+ This file and the 14 PostScript(R) AFM files it accompanies may be used,
+ copied, and distributed for any purpose and without charge, with or without
+ modification, provided that all copyright notices are retained; that the AFM
+ files are not distributed without this file; that all modifications to this
+ file or any of the AFM files are prominently noted in the modified file(s);
+ and that this paragraph is not modified. Adobe Systems has no responsibility
+ or obligation to support the use of the AFM files.
+
 License: Expat
  Permission is hereby granted, free of charge, to any person obtaining
  a copy of this software and associated documentation files (the
diff -Nru ruby-pdf-reader-1.4.0/debian/patches/0001-add-licensefile.patch 
ruby-pdf-reader-1.4.0/debian/patches/0001-add-licensefile.patch
--- ruby-pdf-reader-1.4.0/debian/patches/0001-add-licensefile.patch 
1970-01-01 00:00:00.0 +
+++ ruby-pdf-reader-1.4.0/debian/patches/0001-add-licensefile.patch 
2017-02-05 19:10:44.0 +
@@ -0,0 +1,7 @@
+Index: ruby-pdf-reader/lib/pdf/reader/afm/MustRead.html
+===
+--- /dev/null
 ruby-pdf-reader/lib/pdf/reader/afm/MustRead.html
+@@ -0,0 +1 @@
++




Core 14 AFM Files - ReadMe



or



This file and the 14 
PostScript(R) AFM files it accompanies may be used, copied, and distributed for 
any purpose and without charge, with or without modification, provided that all 
copyright notices are retained; that the AFM files are not distributed without 
this file; that all modifications to this file or any of the AFM files are 
prominently noted in the modified file(s); and that this paragraph is not 
modified. Adobe Systems has no responsibility or obligation to support the use 
of the AFM files. Col





+\ No newline at end of file
diff -Nru ruby-pdf-reader-1.4.0/debian/patches/series 
ruby-pdf-reader-1.4.0/debian/patches/series
--- ruby-pdf-reader-1.4.0/debian/patches/series 2015-12-17 21:27:00.0 
+
+++ ruby-pdf-reader-1.4.0/debian/patches/series 2017-02-05 19:10:44.0 
+
@@ -1,3 +1,4 @@
+0001-add-licensefile.patch
 0002-examples_rubygems.patch
 0004-spec_fix_requires.patch
 0006-spec_add_require_yaml.patch

Bug#854285: unblock: ruby-rabl/0.13.0-2

[Christian Hofstaedtler]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package ruby-rabl, version 0.13.0-2.

This version adds a patch from Gilles Filippini to fix FTBFS bug
#849315.
While globally patching BSON to expose the removed 'serialize'
method again might not be the nicest thing to do, I agree it's the
best thing to do for stretch. (Effect limited to users importing
ruby-rabl, very tiny change, no other packages appear to care about
the specifics.)

debdiff below.

Thanks,
-ch


unblock ruby-rabl/0.13.0-2



diff -Nru ruby-rabl-0.13.0/debian/changelog ruby-rabl-0.13.0/debian/changelog
--- ruby-rabl-0.13.0/debian/changelog   2016-08-24 10:43:46.0 +
+++ ruby-rabl-0.13.0/debian/changelog   2017-02-05 17:37:31.0 +
@@ -1,3 +1,13 @@
+ruby-rabl (0.13.0-2) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Gilles Filippini ]
+  * def-bson-serialize.patch: reintroduce BSON.serialize method dropped
+from ruby-bson since release 2.0.0 (Closes: #849315)
+
+ -- Christian Hofstaedtler <z...@debian.org>  Sun, 05 Feb 2017 17:37:31 +
+
 ruby-rabl (0.13.0-1) unstable; urgency=medium
 
   * Imported Upstream version 0.13.0
diff -Nru ruby-rabl-0.13.0/debian/patches/def-bson-serialize.patch 
ruby-rabl-0.13.0/debian/patches/def-bson-serialize.patch
--- ruby-rabl-0.13.0/debian/patches/def-bson-serialize.patch1970-01-01 
00:00:00.0 +
+++ ruby-rabl-0.13.0/debian/patches/def-bson-serialize.patch2017-02-05 
17:37:31.0 +
@@ -0,0 +1,36 @@
+Description: From ruby-bson upstream changelog [1]:
+ 2.0.0
+ Backwards Incompatible Changes
+ ...
+ BSON.serialize is no longer the entry point to serialize a BSON
+ document into its raw bytes.
+ For Ruby runtimes that support ordered hashes, you may simply call
+ `to_bson` on the hash instance (Alternatively a `BSON::Document` is
+ also a hash:
+  { key: "value" }.to_bson
+  BSON::Document[:key, "value"].to_bson
+ For Ruby runtimes that do not support ordered hashes, then you must
+ instantiate an instance of a `BSON::Document` (which is a subclass of
+ hash) and call `to_bson` on that, since the BSON specification
+ guarantees order of the fields:
+  BSON::Document[:key, "value"].to_bson
+ .
+ [1] https://github.com/mongodb/bson-ruby/blob/master/CHANGELOG.md
+ .
+ This patch re-introduces BSON.serialize.
+Author: Gilles Filippini <p...@debian.org>
+Bug-Debian: https://bugs.debian.org/849315
+Index: ruby-rabl-0.13.0/lib/rabl/configuration.rb
+===
+--- ruby-rabl-0.13.0.orig/lib/rabl/configuration.rb
 ruby-rabl-0.13.0/lib/rabl/configuration.rb
+@@ -7,6 +7,9 @@ end
+ # We load the bson library if it is available.
+ begin
+   require 'bson'
++  def BSON.serialize data
++data.to_bson
++  end
+   rescue LoadError
+ end
+ 
diff -Nru ruby-rabl-0.13.0/debian/patches/series 
ruby-rabl-0.13.0/debian/patches/series
--- ruby-rabl-0.13.0/debian/patches/series  1970-01-01 00:00:00.0 
+
+++ ruby-rabl-0.13.0/debian/patches/series  2017-02-05 17:37:31.0 
+
@@ -0,0 +1 @@
+def-bson-serialize.patch

Bug#854283: RM: kolabadmin -- RoQA; orphaned; upstream vanished; no related packages in Debian

[Christian Hofstaedtler]

Package: ftp.debian.org
Severity: normal

Dear ftpmasters,

as outlined by one of the previous maintainers in #807711, kolabadmin
should have been gone a while ago:

- upstream has vanished
- orphaned in Debian
- no other kolab packages are in Debian, so use is very limited
- unclear if it works with current kolab

Please remove kolabadmin from sid.

Thanks,
-ch

Bug#854282: RM: pydirector -- RoQA; orphaned; upstream abandoned; will not work with py3k

[Christian Hofstaedtler]

Package: ftp.debian.org
Severity: normal

Dear ftpmasters,

please remove pydirector, which has not seen any upstream activity
since 1.0.0 (already in o-o-stable), and the previous maintainer
has also orphaned it.

There's an open bug suggesting that in error cases, it will not
work under any of the shipping Python 2.x versions, and I do not see
how this package will ever work under Python 3.x.

Previous maintainer CC'ed.

Thanks,
-ch

Bug#854269: unblock: ruby-gettext/3.2.2-2

[Christian Hofstaedtler]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package ruby-gettext.

I have no idea what happened, but -2 apparently never made it into
unstable, even though it was prepared in November 2016.

I can confirm that it fixes the FTBFS bug (#840789) and the problems
under autopkgtest.

debdiff below.


Thanks for considering,
-ch


unblock ruby-gettext/3.2.2-2


diff -Nru ruby-gettext-3.2.2/debian/changelog 
ruby-gettext-3.2.2/debian/changelog
--- ruby-gettext-3.2.2/debian/changelog 2016-08-08 15:56:05.0 +
+++ ruby-gettext-3.2.2/debian/changelog 2016-11-03 08:57:28.0 +
@@ -1,3 +1,17 @@
+ruby-gettext (3.2.2-2) unstable; urgency=medium
+
+  [ Antonio Terceiro ]
+  * Avoid calling rake in debian/ruby-tests.rb; instead, just load
+test/run-test.rb; that is the same as what the Rakefile would do, but the
+Rakefile would also try to write to lib/gettext/po_parser.rb under
+autopkgtest because lib/ is moved away. This fixes the test suite under
+autopkgtest
+  [ Hleb Valoshka ]
+  *  Set external encoding in tests with Encoding.default_external not LC_ALL
+  *  Use ruby-test-unit-rr instead of -rr and -test-unit (Closes: #840789)
+
+ -- Hleb Valoshka <375...@gmail.com>  Thu, 03 Nov 2016 11:57:28 +0300
+
 ruby-gettext (3.2.2-1) unstable; urgency=medium
 
   [ Cédric Boutillier ]
diff -Nru ruby-gettext-3.2.2/debian/control ruby-gettext-3.2.2/debian/control
--- ruby-gettext-3.2.2/debian/control   2016-08-08 15:56:05.0 +
+++ ruby-gettext-3.2.2/debian/control   2016-11-03 08:57:28.0 +
@@ -8,8 +8,7 @@
racc,
rake,
ruby-locale (>= 2.0.5),
-   ruby-rr,
-   ruby-test-unit (>= 2.5.4),
+   ruby-test-unit-rr,
ruby-text (>= 1.3.0),
yard
 Standards-Version: 3.9.8
diff -Nru ruby-gettext-3.2.2/debian/ruby-tests.rb 
ruby-gettext-3.2.2/debian/ruby-tests.rb
--- ruby-gettext-3.2.2/debian/ruby-tests.rb 2016-08-08 15:56:05.0 
+
+++ ruby-gettext-3.2.2/debian/ruby-tests.rb 2016-11-03 08:57:28.0 
+
@@ -1,7 +1,3 @@
-ENV['LC_ALL'] = 'C.UTF-8'
+Encoding.default_external = 'UTF-8'
 
-require 'rake'
-app = Rake.application
-app.init
-app.load_rakefile
-app['test'].invoke
+load 'test/run-test.rb'

Bug#853244: ruby-sshkit: Non-determistically FTBFS due to unreliable timing in tests

[Christian Hofstaedtler]

* Chris Lamb <la...@debian.org> [170204 21:46]:
> Christian Hofstaedtler wrote:
> > I agree this is suboptimal, but these operations succeed on modern
> > hardware including the buildd network
> 
> I'm not so sure. Not only are these not "tests" (in the Martin Fowler
> sense that they are nondeterminstic),

Even tests can have bugs :-)

Thing is, upstream thought these tests provide value, even if they
depend on a certain base performance of the machine they are running
on. We can certainly disable those tests, but neither disabling them
or keeping them as is strikes me as the right thing to do.

> but we can actually trigger them
> on the Reproducible Builds testing framework:
>   
> https://tests.reproducible-builds.org/debian/logs/unstable/amd64/ruby-sshkit_1.9.0-1.build2.log.gz

> > so throwing developer manpower at this is a bad investment at
> > this time.
> 
> Would the idea that they interfere with running QA efforts across the
> archive change your mind? :)

I can see that, but the reality is that there's only so many people
looking at bugs. (Assuming "interfere" means you file a note in
reproducible notes git and move on.)

I've asked micah to take a look though.

Cheers,
-ch

Bug#850688: ruby-pdf-reader: contains non-free Adobe AFM fonts

[Christian Hofstaedtler]

* Jonas Smedegaard  [170205 16:39]:
> The ruby-pdf-reader package includes fonts not freely licensed.
> 
> E.g. /usr/lib/ruby/vendor_ruby/pdf/reader/afm/Times-Bold.afm

I have no idea what to do about that. In any case, here are some
more:

https://packages.debian.org/search?suite=stretch=contents=Times-Bold.afm

Please also file bugs against those.

-ch

Bug#853244: ruby-sshkit: Non-determistically FTBFS due to unreliable timing in tests

[Christian Hofstaedtler]

Control: severity -1 important

* Chris Lamb  [170204 13:15]:
> Source: ruby-sshkit
> Version: 1.9.0-1
> Severity: serious

> Dear Maintainer,
> 
> ruby-sshkit's testsuite appears to use method timing/benchmarking in
> such a way that it will non-deterministically FTBFS:
> 
> 117 def assert_within_10_ms(array)
> 118   assert_in_delta(*array, 0.01) # 10 msec
> 119 end

I agree this is suboptimal, but these operations succeed on modern
hardware including the buildd network, so throwing developer
manpower at this is a bad investment at this time.

Best,
-ch

Bug#843474: ruby-ethon: FTBFS: [BUG] Segmentation fault at 0x007f2767e0d800

[Christian Hofstaedtler]

Control: severity -1 normal
Control: tags -1 + unreproducible moreinfo

> ruby-ethon fails to build from source in unstable/amd64:

Builds for me just fine in sbuild (multiple builds). More info needed.

Best,
-ch

Bug#853841: [DRE-maint] Bug#853841: schleuder: Decide how the schleuder v2 -> v3 upgrade path should look like

[Christian Hofstaedtler]

* Georg Faerber  [170201 13:15]:
> - schleuder doesn't exist in jessie, but in wheezy.
> - According to popcon, there are currently four installs out there.
> - I'm aware of some large installations with >100 lists each.

> Upstream is more in favor of failing (hence the code) if v2 data is
> found, asking the user to move the data out of the way, resume the
> install and migrate after this, which is a (more) manual process then;
> but maybe this would be tolerable as well, because, I guess, most people
> running schleuder have at least some basic script skills. A positive
> side effect would be to cleanup up '/var/lib/schleuder', so we don't
> keep old data inside there "forever".

I'd think moving /var/lib/schleuder out of the way in the postinst
is acceptable here; just let the user know you're doing that (print
something, don't use debconf).

-ch

Bug#853875: [DRE-maint] Bug#853875: ruby-signet: conflicts with ruby-uuidtools over securerandom.rb

[Christian Hofstaedtler]

Control: clone -1 -2
Control: reassign -2 ruby-uuidtools
Control: severity -2 important

* Aaron M. Ucko  [170201 19:15]:
> Package: ruby-signet
> Version: 0.7.3-1
> Severity: serious
> Justification: Policy 6.6(4)
> 
> ruby-signet is impossible to install alongside ruby-uuidtools:
> 
>   Unpacking ruby-signet (0.7.3-1) ...
>   dpkg: error processing archive 
> /tmp/user/0/apt-dpkg-install-psUCUp/19-ruby-signet_0.7.3-1_all.deb (--unpack):
>trying to overwrite '/usr/lib/ruby/vendor_ruby/compat/securerandom.rb', 
> which is also in package ruby-uuidtools 2.1.5-1
> 
> Could you please take a look?  You might consider splitting
> securerandom.rb into its own package
> ...

Actually none of these should ship securerandom.rb, as
   > require 'securerandom'
works just fine in the Ruby shipping with stretch.

-ch

Bug#851841: xonsh: jobs and backgrounding broken

[Christian Hofstaedtler]

* Gordon Ball  [170123 00:23]:
> I have upgraded the bug to severity:serious to prevent migration, so
> stretch will get 0.4.7 and unstable will be updated when patches for 0.5
> are available.

That clearly did not work. 0.5.2+dfsg-1 is now in stretch.

  -ch

Bug#852256: #661591 for avahi-autoipd

[Christian Hofstaedtler]

The hook installed by avahi-autoipd unconditionally runs
avahi-autoipd -k when dhclient assigns an IP. When the interface was
not configured beforehand, no daemon is running, and the -k
invocation will cause an exit code of 1.
This in turn causes ifup to exit with 1, and the interface will end
up in a half-configured state, and the ifup@.service service will
show an error state.

-ch

Bug#852229: failing to log output at boot time

[Christian Hofstaedtler]

* 積丹尼 Dan Jacobson  [170122 18:13]:
> Package: systemd
> Version: 232-12
> 
> As you see in Bug#852194, systemd is failing to log its output at boot time.

It's hard to understand which message you're exactly refering to,
but I've found some weirdness:

I've made systemd-modules-load.service fail (echo athingthatdoesnotexist >> 
/etc/modules),
and in 232-13, there is indeed this message in the journal:

Jan 22 19:21:00 sxl systemd[1]: Listening on Journal Socket.
Jan 22 19:21:00 sxl systemd-journald[302]: Journal started
Jan 22 19:21:00 sxl systemd-journald[302]: Runtime journal 
(/run/log/journal/48e9d21e953d4a28860cd5e78cddae4c) is 0B, max 0B, 0B free.
Jan 22 19:21:00 sxl systemd-modules-load[303]: Failed to find module 
'athingthatdoesnotexist'

Previously this was longer, indicating that systemd-modules-load.service
failed to start. (I saw the extra messages when running stretch with 232-8,
but downgrading systemd, systemd-sysv, libsystemd0 to 232-8 does not
make the messages reappear.)
Messages as appearing in syslog, previously:
Jan 22 19:12:46 sxl systemd-modules-load[309]: Failed to find module 
'athingthatdoesnotexist'
Jan 22 19:12:46 sxl systemd[1]: systemd-modules-load.service: Main process 
exited, code=exited, status=1/FAILURE
Jan 22 19:12:46 sxl systemd[1]: Failed to start Load Kernel Modules.
Jan 22 19:12:46 sxl systemd[1]: systemd-modules-load.service: Unit entered 
failed state.
Jan 22 19:12:46 sxl systemd[1]: systemd-modules-load.service: Failed with 
result 'exit-code'.


Also, with 232-13, systemctl status does not show the error that's
present in the journal:

root@sxl:~# date ; systemctl status systemd-modules-load.service
Sun Jan 22 19:25:41 CET 2017
● systemd-modules-load.service - Load Kernel Modules
   Loaded: loaded (/lib/systemd/system/systemd-modules-load.service; 
static; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sun 2017-01-22 19:21:00 CET; 
4min 41s ago
 Docs: man:systemd-modules-load.service(8)
   man:modules-load.d(5)
 Main PID: 303 (code=exited, status=1/FAILURE)

Warning: Journal has been rotated since unit was started. Log output is 
incomplete or unavailable.

If the error happens after boot, status works as expected:

root@sxl:~# systemctl stop systemd-modules-load.service
root@sxl:~# systemctl start systemd-modules-load.service
Job for systemd-modules-load.service failed because the control process 
exited with error code.
See "systemctl status systemd-modules-load.service" and "journalctl -xe" 
for details.
root@sxl:~# systemctl status systemd-modules-load.service
● systemd-modules-load.service - Load Kernel Modules
   Loaded: loaded (/lib/systemd/system/systemd-modules-load.service; 
static; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sun 2017-01-22 19:29:18 CET; 2s 
ago
 Docs: man:systemd-modules-load.service(8)
   man:modules-load.d(5)
  Process: 1306 ExecStart=/lib/systemd/systemd-modules-load (code=exited, 
status=1/FAILURE)
 Main PID: 1306 (code=exited, status=1/FAILURE)

Jan 22 19:29:18 sxl systemd[1]: Starting Load Kernel Modules...
Jan 22 19:29:18 sxl systemd[1]: systemd-modules-load.service: Main process 
exited, code=exited, status=1/FAILURE
Jan 22 19:29:18 sxl systemd[1]: Failed to start Load Kernel Modules.
Jan 22 19:29:18 sxl systemd[1]: systemd-modules-load.service: Unit entered 
failed state.
Jan 22 19:29:18 sxl systemd[1]: systemd-modules-load.service: Failed with 
result 'exit-code'.

So, wild guess... race condition between journald starting and services 
starting just after it?

-ch (puzzled)

Bug#833256: shadow and util-linux

[Christian Hofstaedtler]

* Andreas Henriksson <andr...@fatal.se> [170122 17:25]:
> [..]
> # chsh
> 
> shadowutil-linux
> 
> -h (== --help)-u (== --help)
> 
> -R chroot-dir
> --root chroot-dir
> 
> (not listing the options only existing in util-linux)
> 
> 
> The strict validation of only valid shells allowed for non-root seems
> to be a COMPILE-TIME "opt-in" feature in util-linux version:
> --enable-chsh-only-listed
> (Default in util-linux is to just warn when setting shell not listed in 
> /etc/shells.)

>From a quick look at 2.29.1-1, it appears to be a compile-time
opt-out feature. From ./configure --help:
  --disable-chsh-only-listed
  chsh: allow shells not in /etc/shells


> # newgrp
> 
> The optional command-line '-' in shadow not supported in util-linux version.
> 
> The shadow man page is much longer and describes possible additional 
> functionality in shadow version (this needs further investigation):
> 
> * password prompting
> * gshadow

u-l newgrp reads gshadow (and falls back to group) for the password,
and does password prompting, if a password is set.

> The shadow version has (compile-time optional) support for login.defs 
> variable SYSLOG_SG_ENAB but that's not available in (any) util-linux tool.

Note that in shadow, this is compile-time and run-time enabled in Debian.


> # vipw
> 
> The shadow version of vipw and vigr supports many command-line options, while 
> the util-linux equivalents only supports:
> 
> -h --help
> (-V --version)

The biggest issue I'm seeing there is the behaviour rgd. the shadow
files.
shadow vipw/vigr allow you to say --shadow to just edit the respective
shadow file.
u-l vipw/vigr do not have this flag, and interactively prompt after
editing the normal file, if the user wants to change the shadow
file too.

shadow vipw/vigr also have --passwd/--group, but personally I see no
value in supporting `vigr --passwd` ...

-- 
christian hofstaedtler <z...@debian.org>

Bug#833256: Patch for tryout

[Christian Hofstaedtler]

For anyone wanting to try the binaries from u-l, here's a simple
(and likely wrong) patch against u-l git, that produces a
util-linux.deb with the binaries included.

Use at your own risk :-)

>From 140d9982e75e7cd313a91a3ba8b7bd8a9fb0e283 Mon Sep 17 00:00:00 2001
From: Christian Hofstaedtler <z...@debian.org>
Date: Sun, 22 Jan 2017 16:01:51 +
Subject: [PATCH] Build login, nologin, su, chsh, chfn from this package

---
 debian/control| 5 -
 debian/rules  | 6 --
 debian/util-linux.install | 5 +
 3 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/debian/control b/debian/control
index 4bf4359ad..e514c1119 100644
--- a/debian/control
+++ b/debian/control
@@ -37,7 +37,10 @@ Replaces: bash-completion (<< 1:2.1-4.1~),
   sysvinit-utils (<< 2.88dsf-59.1~),
   initscripts (<< 2.88dsf-59.2~),
   mount (= 2.26.2-3),
-  mount (= 2.26.2-3ubuntu1)
+  mount (= 2.26.2-3ubuntu1),
+  passwd (<= 1:4.4-2),
+  login (<= 1:4.4-2),
+  bash-completion (<= 1:2.1-4.3)
 Breaks: bash-completion (<< 1:2.1-4.1~),
   grml-debootstrap (<< 0.68),
   cloud-utils (<< 0.27-1~),
diff --git a/debian/rules b/debian/rules
index 227577bfb..1c0cf70f4 100755
--- a/debian/rules
+++ b/debian/rules
@@ -36,16 +36,10 @@ CONFOPTS += --without-python
 CONFOPTS += --enable-libmount-force-mountinfo
 
 # disable utilities shipped by other packages
-# => login
-CONFOPTS += --disable-login
-CONFOPTS += --disable-nologin
-CONFOPTS += --disable-su
 # => procps
 CONFOPTS += --disable-kill
 # => eject
 CONFOPTS += --disable-eject
-# => passwd
-CONFOPTS += --disable-chfn-chsh
 
 ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
CROSS :=
diff --git a/debian/util-linux.install b/debian/util-linux.install
index bbe347c3c..31dfd228e 100755
--- a/debian/util-linux.install
+++ b/debian/util-linux.install
@@ -30,6 +30,11 @@ sbin/sulogin
 sbin/swaplabel
 sbin/wipefs
 sbin/zramctl[linux-any]
+bin/su
+bin/login
+sbin/nologin
+usr/bin/chsh
+usr/bin/chfn
 usr/bin/chrt   [!hurd-any]
 usr/bin/flock
 usr/bin/getopt
-- 
2.11.0

Bug#852228: Please use -a instead of -s when calling dh_fixperms

[Christian Hofstaedtler]

Source: util-linux
Version: 2.29.1-1
Severity: wishlist
Tags: patch

dh_fixperms complains that -s is a deprecated option.
Trivial patch attached.

-- 
 ,''`.  Christian Hofstaedtler <z...@debian.org>
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C  D392 5C13 D6DB 9305 2E03
  `-

>From 7d511e8669e6b20d7b3eced09022739d34a3e196 Mon Sep 17 00:00:00 2001
From: Christian Hofstaedtler <z...@debian.org>
Date: Sun, 22 Jan 2017 16:35:59 +
Subject: [PATCH] Fix debhelper -s deprecation warning

---
 debian/rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/rules b/debian/rules
index cc8c07e1d..e26dbcebb 100755
--- a/debian/rules
+++ b/debian/rules
@@ -173,7 +173,7 @@ override_dh_makeshlibs:
--add-udeb=libuuid1-udeb
 
 override_dh_fixperms:
-   dh_fixperms -i -s -Xusr/bin/wall -Xbin/mount -Xbin/umount
+   dh_fixperms -i -a -Xusr/bin/wall -Xbin/mount -Xbin/umount
 
 override_dh_auto_test:
 ifeq ($(DEB_HOST_ARCH_OS), linux)
-- 
2.11.0

Bug#833256: shadow and util-linux

[Christian Hofstaedtler]

* Christian Hofstaedtler <z...@debian.org> [170122 17:06]:
> * Andreas Henriksson <andr...@fatal.se> [170122 15:31]:
> > Also note the following su related patches carried in Debian shadow package:
> > http://sources.debian.net/src/shadow/1:4.4-2/debian/patches/523_su_arguments_are_concatenated/
> > http://sources.debian.net/src/shadow/1:4.4-2/debian/patches/523_su_arguments_are_no_more_concatenated_by_default/
> > Both seems obsolete (the second one even says to be dropped after etch
> > which was released 2007).
> > (Also pbuilder seems to have switched from su to start-stop-daemon.)
> 
> Dropping the second one sure sounds safe, but the first one looks
> like it changes commonly used behaviour? How does su from util-linux handle
> that?

After some testing (and discussion on IRC), I can't find a
difference in -c and -- handling between u-l su and Debian's current
su *. So whatever those patches do exactly, they are not preventing
us from switching.

* ignoring the extra env var SU_NO_SHELL_ARGS that Debian's su supports.

-- 
christian hofstaedtler <z...@debian.org>

Bug#833256: shadow and util-linux

[Christian Hofstaedtler]

Chiming in here because I can send email.

* Andreas Henriksson <andr...@fatal.se> [170122 15:31]:
> [andreas was looking at the unsupported features in su from
> util-linux]:
> [..]
>
> > DEFAULT_HOME
> 
> util-linux has the opposite default (only warn), and doesn't support
> manual configuring this setting.
> http://sources.debian.net/src/util-linux/2.29.1-1/login-utils/su-common.c/#L979
> 
> Might be useful to implement support for this setting in util-linux.
> Question remains about default, maybe implement a configure time setting
> for the default?
> 
> How much do we really care about this setting though?
> 
> I personally don't think this is a blocker (for su - for login it would
> be important to support it), would rather consider it a wishlist feature
> request than anyone is free to submit a patch to upstream for if they
> want to see it supported.
> 
> 
> => consider as potential wishlist-severity feature request if anyone is
>interested?!

The /etc/login.defs file as shipped in login today has this set to
"yes". Having login and su behave differently does not appear to be an
option today, so I don't think "no" for this setting is actually important?


> > SULOG_FILE
> 
> It seems shadow had the intention for *optional* support of syslog (but
> it's actually always enabled at compile-time and configurable at
> runtime), and non-optional support for built-in logging system. This is
> likely something we want the opposite way around in a modern system, so
> I'd advocate for deprecating this option if we move to util-linux su.
> 
> 
> => consider deprecated?! (Possibly implement a warning on upgrades on
>systems which has it set?)

+1

> > SU_NAME
> 
> This seems like a pretty superficial feature to me.
> 
> (Note: messing with argv0 also seems to cause problems when busybox
> is being used as /bin/sh as experienced by OpenEmbedded.)
> 
> => consider deprecated?!

+1

> > SYSLOG_SU_ENAB
> 
> In util-linux syslog logging is mandatory. I don't see a reason to be
> able to switch it off.
> 
> 
> => consider deprecated?!

+1

> 
> 
> Also note the following su related patches carried in Debian shadow package:
> http://sources.debian.net/src/shadow/1:4.4-2/debian/patches/523_su_arguments_are_concatenated/
> http://sources.debian.net/src/shadow/1:4.4-2/debian/patches/523_su_arguments_are_no_more_concatenated_by_default/
> Both seems obsolete (the second one even says to be dropped after etch
> which was released 2007).
> (Also pbuilder seems to have switched from su to start-stop-daemon.)

Dropping the second one sure sounds safe, but the first one looks
like it changes commonly used behaviour? How does su from util-linux handle
that?


Cheers,
-- 
christian hofstaedtler <z...@debian.org>

Bug#850968: CVE-2016-2788

[Christian Hofstaedtler]

* Moritz Muehlenhoff <j...@debian.org> [170121 23:16]:
> Source: mcollective
> 
> Please see https://puppet.com/security/cve/cve-2016-2788

Looks like the fix is in this commit/merge:
https://github.com/puppetlabs/marionette-collective/commit/4918a0f136aea04452b48a1ba29eb9aabcf5c97d

I've checked the 2.6.x branch and it appears to have the vulnerable
code too.

-- 
christian hofstaedtler <z...@debian.org>

Bug#850762: setserial: missing dependency on lsb-base

[Christian Hofstaedtler]

* Adrian Bunk <b...@debian.org> [170120 19:57]:
> Control: reopen -1
> 
> On Fri, Jan 20, 2017 at 12:42:38AM +0100, Christian Hofstaedtler wrote:
> > Hi,
> > 
> > * Andreas Beckmann <a...@debian.org> [170119 23:40]:
> > >   Selecting previously unselected package setserial.
> > >   (Reading database ... 
> > > (Reading database ... 4394 files and directories currently installed.)
> > >   Preparing to unpack .../setserial_2.17-49.1_amd64.deb ...
> > >   Unpacking setserial (2.17-49.1) ...
> > >   Setting up setserial (2.17-49.1) ...
> > >   removing the old setserial entry in the rcn.d directories
> > >   Update complete.
> > >   update-rc.d: warning: start and stop actions are no longer supported; 
> > > falling back to defaults
> > >   update-rc.d: warning: start and stop actions are no longer supported; 
> > > falling back to defaults
> > >   update-rc.d: warning: start and stop actions are no longer supported; 
> > > falling back to defaults
> > >   update-rc.d: warning: start and stop actions are no longer supported; 
> > > falling back to defaults
> > >   /etc/init.d/setserial: 35: .: Can't open /lib/lsb/init-functions
> > 
> > It is believed that this is fixed with the newer
> > init-system-helpers - the invoke-rc.d call should now be ignored in
> > chroots that miss an init system.
> > (And, if sysvinit is present, the missing file is present, or if
> > systemd is present, setserial.service is used instead.)
> 
> You are looking at the wrong line.
> The update-rc.d warnings are non-fatal warnings.
> 
> The error is the "Can't open /lib/lsb/init-functions" in the last line.

I was refering to that line.

> (lintian also gives an error for this bug.)

A very misguided one though.

I'll leave this for someone else to test, there may very well be
additional issues hiding in postinst.

Best,
-- 
christian hofstaedtler <z...@debian.org>

Bug#851161: CVE-2016-2337 CVE-2016-2339

[Christian Hofstaedtler]

* Salvatore Bonaccorso <car...@debian.org> [170120 09:48]:
> > For the TclTk issue, looks like this upstream patch:
> > https://github.com/ruby/ruby/commit/a2b8925a94a672235ca6a16e584bf09026a957ab
> > If this is the correct patch, 2.3.0 has this fixed, but 2.1.x needs
> > a patch.
> 
> Thanks added the commit as well, and the fixed version to the tracker. I
> *think*, although a problem in the source, this might not rally need an update
> in jessie via a DSA, since the issue is incombination with cancel_eval which 
> is
> supported in Tcl/Tk8.6 or later, but we don't have that for jessie. So I would
> tend to just mark that one as no-dsa at least. Or do I miss something?

Right; I didn't remember we are building with tcl8.5 in jessie. So
looks like no-dsa for that, yes. It looks like the patch might just
apply as is to ruby2.1, so when doing an update we could try
sticking it in just because.

Best regards,
-ch

-- 
christian hofstaedtler <z...@debian.org>

Bug#851161: CVE-2016-2339

[Christian Hofstaedtler]

Control: reassign -1 ruby2.1
Control: found -1 2.1.5-2+deb8u3

Hi,

* Moritz Muehlenhoff <j...@debian.org> [170120 00:05]:
> this has been assigned CVE-2016-2339: 
> http://www.talosintelligence.com/reports/TALOS-2016-0034/
> 
> Patch is here: 
> https://github.com/ruby/ruby/commit/bcc2421b4938fc1d9f5f3fb6ef2320571b27af42

If I'm reading all those right, this is actually fixed since 2.3.0;
this issue is likely open in 2.1.x. Reassigning.

For the TclTk issue, looks like this upstream patch:
https://github.com/ruby/ruby/commit/a2b8925a94a672235ca6a16e584bf09026a957ab
If this is the correct patch, 2.3.0 has this fixed, but 2.1.x needs
a patch.

Would be good if somebody could crosscheck this.

Thanks,
-- 
christian hofstaedtler <z...@debian.org>

Bug#849821: pdns-recursor: Crash with DNSSEC enabled

[Christian Hofstaedtler]

Hi Chris,

there's a new pdns-recursor 4.0.4-1 in sid, maybe you could give it
a try.

Best,
-- 
christian hofstaedtler <z...@debian.org>

Bug#849401: restart silently fails

[Christian Hofstaedtler]

* Francesco Poli <invernom...@paranoici.org> [170115 17:39]:
> Christian, have you decided which strategy should be adopted for the
> ISCONFIGURED handling?

I'm going to set the default UPSTYPE to usb, so there will be no
activity on /dev/ttyS0 caused by the default configuration, and then
ignoring ISCONFIGURED under systemd should be okay.

-- 
christian hofstaedtler <z...@debian.org>

Bug#851586: pdns-backend-mysql: fails to upgrade from 'jessie': mysql said: ERROR 1074 (42000) at line 15: Column length too big for column 'comment' (max = 21845); use BLOB or TEXT instead

[Christian Hofstaedtler]

Control: tags -1 - wontfix

* Andreas Beckmann <a...@debian.org> [170116 18:36]:
> On 2017-01-16 17:56, Christian Hofstaedtler wrote:
> > The SQL upgrade scripts have been patched to work with MariaDB
> > instead. As long as MySQL 5.7 and MariaDB 10.x do not align their
> > limitations, this will stay as is (or until Debian picks MySQL
> > again).
> 
> Thanks for the info.
> Should the package come with a Breaks: mysql-server-5.7 in that case?

Doubt it - the used mysql server may very well be remote and/or the
local one may be used for something different.

> Does the package work on Ubuntu (which should have mysql-server-5.7 as
> default?)

Interesting. Probably not then?


MariaDB conditional comment syntax:
https://mariadb.com/kb/en/mariadb/comment-syntax/
Unfortunately this has no "else" clause...

-- 
christian hofstaedtler <z...@debian.org>

Bug#851586: pdns-backend-mysql: fails to upgrade from 'jessie': mysql said: ERROR 1074 (42000) at line 15: Column length too big for column 'comment' (max = 21845); use BLOB or TEXT instead

[Christian Hofstaedtler]

Control: severity -1 wishlist
Control: tag -1 + wontfix

* Andreas Beckmann <a...@debian.org> [170116 17:39]:
>   creating database backup in 
> /var/cache/dbconfig-common/backups/pdns-backend-mysql_3.4.1-4+deb8u6.2017-01-14-15.05.20.
>   applying upgrade sql for 3.4.1-4+deb8u6 -> 4.0.1-6.
>   error encountered processing 
> /usr/share/dbconfig-common/data/pdns-backend-mysql/upgrade/mysql/4.0.1-6:
>   mysql said: ERROR 1074 (42000) at line 15: Column length too big for column 
> 'comment' (max = 21845); use BLOB or TEXT instead

> This was observed during a jessie->sid upgrade which picked a mysql-5.5 -> 
> mysql-5.7 upgrade for the database server.
> Feel free to downgrade the severity if this bug is specific to that weird 
> combination.

The SQL upgrade scripts have been patched to work with MariaDB
instead. As long as MySQL 5.7 and MariaDB 10.x do not align their
limitations, this will stay as is (or until Debian picks MySQL
again).

I'd welcome help in making those scripts work with all versions of
MariaDB/MySQL though...

Best,
-- 
christian hofstaedtler <z...@debian.org>

Bug#851412: #851412: libsystemd segfaults on mips64el

[Christian Hofstaedtler]

* Michael Biebl <bi...@debian.org> [170115 19:09]:
> Am 15.01.2017 um 14:12 schrieb Christian Hofstaedtler:
> > PS: libsystemd does not appear to have a -dbgsym package.
> > 
> 
> It does, at least on amd64
> 
> libsystemd0-dbgsym:
>   Installed: (none)
>   Candidate: 232-10
>   Version table:
>  232-10 500
> 500 http://debug.mirrors.debian.org/debian-debug
> unstable-debug/main amd64 Packages
> 
> Did you miss the "0" ?

No; appears to be some other, unidentified issue with the mips64el
schroot on eller.d.o.

Best,
  -ch

-- 
 ,''`.  Christian Hofstaedtler <z...@debian.org>
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C  D392 5C13 D6DB 9305 2E03
  `-

Bug#851412: #851412: libsystemd segfaults on mips64el

[Christian Hofstaedtler]

Control: affects -1 + pdns pdns-recursor

Hi,

pdns and pdns-recursor link against libsystemd, and this bug causes
both of them to just segfault on startup on mips64el.

Tiny reproducer:

(sid_mips64el-dchroot)zeha@eller:~$ cat foo.c 
int main() {
}
(sid_mips64el-dchroot)zeha@eller:~$ make foo LDFLAGS=-lsystemd
cc   -lsystemd  foo.c   -o foo
(sid_mips64el-dchroot)zeha@eller:~$ gdb --args foo
GNU gdb (Debian 7.12-4) 7.12
Copyright (C) 2016 Free Software Foundation, Inc.
This GDB was configured as "mips64el-linux-gnuabi64".
Type "show configuration" for configuration details.
Reading symbols from foo...(no debugging symbols found)...done.
(gdb) run
Starting program: /home/zeha/foo 
[Thread debugging using libthread_db enabled]
Using host libthread_db library 
"/lib/mips64el-linux-gnuabi64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
_IO_new_fclose (warning: GDB can't find the start of the function at 
0xfff7f2fd27.

GDB is unable to find the start of the function at 0xfff7f2fd27
and thus can't determine the size of that function's stack frame.
This means that GDB may be unable to access that stack frame, or
the frames below it.
This problem is most likely caused by an invalid program counter or
stack pointer.
However, if you think GDB should simply search farther back
from 0xfff7f2fd27 for code which looks like the beginning of a
function, you can increase the range of the search using the `set
heuristic-fence-post' command.
fp=0x1) at iofclose.c:48
48  iofclose.c: No such file or directory.
(gdb) bt full
#0  _IO_new_fclose (fp=0x1) at iofclose.c:48
status = 
#1  0x00fff7f2fd28 in ?? () from 
/lib/mips64el-linux-gnuabi64/libsystemd.so.0
No symbol table info available.
(gdb) quit
A debugging session is active.

Inferior 1 [process 11890] will be killed.

Quit anyway? (y or n) y
(sid_mips64el-dchroot)zeha@eller:~$ ls -la /etc/machine-id
ls: cannot access '/etc/machine-id': No such file or directory


PS: libsystemd does not appear to have a -dbgsym package.

-- 
christian hofstaedtler <z...@debian.org>

Bug#849401: restart silently fails

[Christian Hofstaedtler]

* Francesco Poli <invernom...@paranoici.org> [170113 00:15]:
> On Wed, 11 Jan 2017 23:17:47 +0100 Christian Hofstaedtler wrote:
> > Suggestions on the actual implementation also welcome ;-)
> 
> I am no systemd expert, but, after reading a bit of the
> systemd.service(5) man page, I would think about adding another
> ExecStartPre= (before the already existing one) and using it to run a
> script that fails in case ISCONFIGURED is not "yes"...
> 
> But of course, I am not sure that making the "service apcupsd restart"
> command fail during the configuration of a newly installed apcupsd
> package is a good idea...

Exactly.
I think this is basically the "between a rock and a hard place"
situation.

Do it right for new installs and break upgrades or do it right for
upgrades and new installs get the silly treatment.

  -ch

Bug#849401: restart silently fails

[Christian Hofstaedtler]

* Francesco Poli <invernom...@paranoici.org> [170111 22:51]:
> However, I glanced over the diff between
> apcupsd_3.14.14-0.2.debian.tar.xz and the proposed
> apcupsd_3.14.14-0.3.debian.tar.xz: the only thing that looks suspicious
> is that the apcupsd.service file seems to lack any check for the
> ISCONFIGURED variable in /etc/default/apcupsd (unlike apcupsd.init,
> which aborts whenever that variable is not set to "yes").
> 
> Is this intentional?
> I think that the check should be implemented somehow...

It's intentional for the test packages. I did not want to spend time
on implementing that if the proposed change doesn't work in the
first place.

Suggestions on the actual implementation also welcome ;-)
(TBH, if I did this package anew today, I'd probably just install
with the service disabled/masked and not do the ISCONFIGURED dance,
but it's not a new package and it's not my package...)

-- 
 ,''`.  Christian Hofstaedtler <z...@debian.org>
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C  D392 5C13 D6DB 9305 2E03
  `-

Bug#849401: restart silently fails

[Christian Hofstaedtler]

Hi,

* Daniel Pocock  [170106 11:06]:
> > Is anyone able to reproduce the issue on current Debian testing?
> > 
> 
> How long does it take for your apcupsd daemon to shutdown?
> 
> My UPS uses SNMP signalling, I wonder if that makes the daemon shut
> down more slowly.

Likely.

I can't test this (my UPS is broken and it'd be a serial one
anyway), but here are some test packages with a systemd service
file:

https://people.debian.org/~zeha/apcupsd/

Please report back if those work for you and if the restart issue
is fixed.
Note that successful testing also needs to include a powerfail test
really.

  -ch

Bug#849821: pdns-recursor: Crash with DNSSEC enabled

[Christian Hofstaedtler]

Hi Chris,

* Chris Boot  [170102 18:45]:
> I updated to 4.0.3-5 on Saturday, and have just experienced another
> crash. This time I also got double-free/corruption errors:

Hmm. Upstream is also a bit at a loss with those weird crashes.
Your stacktrace was at least useful to probably rule out the
libssl and the getZoneCuts issues.

There's now a 4.0.3-6 in unstable that's closer to the current 4.0.x
release branch (-5 was missing a few more changesets).

Maybe you could try that?

Thanks,
-ch

Bug#849821: pdns-recursor: Crash with DNSSEC enabled

[Christian Hofstaedtler]

Chris,

* Chris Boot <bo...@debian.org> [161231 16:18]:
> Sure, that's now installed, now I just need to wait for it to fail
> again. This will probably take several days; I'll get back to you when
> it next crashes.

Great!

Incidentally, I've just uploaded version 4.0.3-5, which might fix
the crash. Would be good if you could test againt that version.

Thanks,
  -ch

-- 
christian hofstaedtler <z...@debian.org>

Bug#849821: pdns-recursor: Crash with DNSSEC enabled

[Christian Hofstaedtler]

Hi,

* Chris Boot <bo...@debian.org> [161231 15:39]:
> Version: 4.0.3-4
> 
> Since the upgrade from 4.0.3-3 to 4.0.3-4 I have been experiencing
> intermittent crashes in pdns-recursor. I have so far not managed to get
> a core dump from the daemon, so have resorted to running the process
> within gdb to catch a backtrace.

Thank you for your report!

Upstream has asked if you could install libssl1.1-dbg and capture
the stack of all threads when this happens? (With "thread apply all
bt full" in gdb.) 

Cheers,
-- 
christian hofstaedtler <z...@debian.org>

Bug#833245: openssl-blacklist: Uses obsolete compressor for .deb data.tar member

[Christian Hofstaedtler]

* Moritz Muehlenhoff <j...@inutil.org> [161221 23:22]:
> > Source: openssl-blacklist
> 
> Instead of fixing this, should we just remove the package? It's been almost
> a decade since CVE-2008-0166 happened, I don't think it serves any purpose
> any longer.

Cloned as #833245 to ftp.debian.org for RM.
There's still one r-dep to update.

-- 
christian hofstaedtler <z...@debian.org>

Bug#848616: #848616: mysql_install_db creates unusable root user

[Christian Hofstaedtler]

* Otto Kekäläinen <o...@debian.org> [161221 23:11]:
> To be able to access your test database anyway, use
> --skip-grant-tables to circumvent authentication (which is not needed
> on a test database, right?).

Test suites also test authentication failure, and GRANT statements.
None of these work with --skip-grant-tables.

-- 
christian hofstaedtler <z...@debian.org>

Bug#849019: O: clearsilver -- fast, powerful, and language-neutral HTML template system

[Christian Hofstaedtler]

Package: wnpp
Severity: normal

All maintainers of the clearsilver package are not active anymore,
therefore I'm hereby orphaning it.

Maintaining a package takes time. Before you adopt it, please consider
if you will have enough time to keep maintenance up.

--
zeha

Bug#845106: #845106: x11vnc: configure does not find libssl, builds without OpenSSL support

[Christian Hofstaedtler]

* Christian Beier <christian.cb.be...@googlemail.com> [161219 23:35]:
> So, honestly, I don't know what should happen when the original author of some
> project apparently goes MIA. (Are you there, Karl?) Can the community simply
> "take over" the project or should https://github.com/LibVNC/x11vnc technically
> considered to be a fork?
> 
> What is Debian's experience with situations like that? I'm sure stuff like 
> this
> has happened before...

This is mostly for the package maintainer in Debian to decide; often "taking
the one active fork" is the only option one has, but not always the correct
one.

I'm sure Fathi will do the right thing once the key situation is
sorted :-)

Maybe Vagrant (in CC, as one of his packages depends on x11vnc) also
has input on the fork.

Best,
-- 
christian hofstaedtler <z...@debian.org>

Bug#831965: asciidoc: FTBFS with dpkg-buildpackage -A: doc/testasciidoc.1: No such file or directory at /usr/bin/dh_installman line 131.

[Christian Hofstaedtler]

* Joseph Herlant <herla...@gmail.com> [161219 19:21]:
> Did you upload al the last changes that happened to the repo since
> 2014 or only this particular patch?

Just that patch to sort out this severity serious bug. I'm not sure
what else is in git, etc. If you need a sponsor for those changes, I
could take a look though.

-- 
christian hofstaedtler <z...@debian.org>

Bug#848603: Enable innodb_large_prefix

[Christian Hofstaedtler]

* Otto Kekäläinen <o...@seravo.fi> [161219 22:21]:
> We live in a world where WordPress sites expect to be able to save
> emojis in comments :)

Sure, but other apps expect their indexes to work.

> We have had utf8mb4 as default in Debian and Ubuntu for a many years.

Possibly, but it's only now the provider for (default-)mysql-server.

> You are experiencing a corner case with a single app (which one?).

pdns-backend-mysql

Maybe next time when flipping providers, doing an rdep build and
install check is in order. Discovering that your package breaks
with no upload on your side - as such, a random discovery - is not
fun at all.

-- 
christian hofstaedtler <z...@debian.org>

Bug#848701: statsmodels: FTBFS on i386

[Christian Hofstaedtler]

Source: statsmodels
Version: 0.8.0~rc1+git59-gef47cd9-1

Hi,

your package statsmodels currently FTBFS on i386 and as such does
not migrate to testing.

Build logs from the buildds can be found here:
https://buildd.debian.org/status/logs.php?arch=i386=statsmodels=0.8.0%7Erc1%2Bgit59-gef47cd9-1

I also note that your package is due to be removed from testing
today, and the freeze is approaching rather quickly.

-- 
christian hofstaedtler <z...@debian.org>

Bug#846848: [Pkg-nagios-devel] Bug#846848: check-mk: Provides binary package for nagios3 which has been removed from unstable

[Christian Hofstaedtler]

Hi,

* Matt Taggart <tagg...@debian.org> [161219 17:14]:
> The patch you committed looks good. But I have temporarily reverted it
> due to the backport issue mentioned on the list. I think it might still
> be interesting to apply it _before_ stretch releases, ...

Given this bug is severity: serious and check-mk is marked for
autoremoval in 13 days, please apply and upload that patch or
whatever else you see fit.

Thanks,
-- 
christian hofstaedtler <z...@debian.org>

Bug#848660: ruby: might need to strip -fdebug-prefix-map

[Christian Hofstaedtler]

Package: ruby2.3
Severity: normal

dpkg-buildflags has started injecting -fdebug-prefix-map with a
variable path into C(..)FLAGS. We need to figure out if we need to
strip that.

-- 
 ,''`.  Christian Hofstaedtler <z...@debian.org>
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C  D392 5C13 D6DB 9305 2E03
  `-

Bug#846098: #846098: unrep

[Christian Hofstaedtler]

> Lowering bug severity for now, as there's another user who cannot
> repro this. Maybe the bug is in mono instead.

Checked with mono-* from testing and can still not repro the issue.

-- 
 ,''`.  Christian Hofstaedtler <z...@debian.org>
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C  D392 5C13 D6DB 9305 2E03
  `-

Bug#846098: #846098:

[Christian Hofstaedtler]

Control: tags -1 + moreinfo unreproducible
Control: severity -1 normal

Dear Submitter,

I've quickly tried to reproduce your problem with keepass2 in sid
and failed to do so. Please provide more details about your
environment.

Lowering bug severity for now, as there's another user who cannot
repro this. Maybe the bug is in mono instead.

-- 
 ,''`.  Christian Hofstaedtler <z...@debian.org>
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C  D392 5C13 D6DB 9305 2E03
  `-

Bug#846917: #846917: functionality loss

[Christian Hofstaedtler]

Hi,

the submitter tells me that the "auth module was splitted, and the
new binaries are not packaged".

So there's some r-c context for anyone wondering.

-- 
 ,''`.  Christian Hofstaedtler <z...@debian.org>
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C  D392 5C13 D6DB 9305 2E03
  `-

Bug#845106: #845106: x11vnc: configure does not find libssl, builds without OpenSSL support

[Christian Hofstaedtler]

Control: reopen -1
Control: severity -1 important

For stretch this is worked around by using libssl1.0, for stretch+1
this needs a proper fix. By then, we hopefully don't need to
traverse 5000 lines of openssl glue.

-- 
christian hofstaedtler <z...@debian.org>

Bug#841601: mysql failures fixed in git

[Christian Hofstaedtler]

I've fixed the mysql_install_db related failure in git (by
switching to mariadb + updating the wrapper shell script), but
there's a new failing test.

-- 
 ,''`.  Christian Hofstaedtler <z...@debian.org>
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C  D392 5C13 D6DB 9305 2E03
  `-

Bug#848625: Please drop openssl-blacklist dependency

[Christian Hofstaedtler]

Package: slurmd
Version: 16.05.7-1
Severity: important

Please drop the dependency on openssl-blacklist, if possible.
As outlined in #833245, it's usefulness is probably over.

(Same also applies to slurmctld.)

Thanks,
-- 
 ,''`.  Christian Hofstaedtler <z...@debian.org>
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C  D392 5C13 D6DB 9305 2E03
  `-

Bug#834423: Can't reproduce

[Christian Hofstaedtler]

* Dominic Hargreaves <d...@earth.li> [161219 02:04]:
> Control: severity -1 important
> Control tags -1 + unreproducible
> 
> This package builds for me on a current sid chroot, so downgrading.

I was going to merge this bug with #834420 as it looks like
basically the same thing, but then saw this downgrade. Can you sort
out the severity of the other bug and/or the merging?

Thanks,
-- 
christian hofstaedtler <z...@debian.org>

Bug#831965: asciidoc: FTBFS with dpkg-buildpackage -A: doc/testasciidoc.1: No such file or directory at /usr/bin/dh_installman line 131.

[Christian Hofstaedtler]

* Santiago Vila <sanv...@unex.es> [161219 01:50]:
> tags 831965 + patch
> 
> The "build-indep" target is missing.
> Patch attached.

Now in DELAYED/2.

-- 
christian hofstaedtler <z...@debian.org>

Bug#848288: ruby-em-synchrony: (build-)depends on mysql-{client,server}

[Christian Hofstaedtler]

* Emilio Pozuelo Monfort <po...@debian.org> [161219 01:22]:
> Your package build-depends on mysql-server. Since we're transitioning to
> mariadb as the default mysql provider, you should switch your build
> dependency to default-mysql-server | virtual-mysql-server.

While I've done so now in the recent upload, I think this is
misguided: the mysql-server implementations are not nearly
compatible enough to allow switching between them.

* mysql_install_db takes different parameters (--force is missing in
  5.7)
* mariadb sets up users with a default plugin of `unix_socket` which
  needs workarounding
* --skip-grant works differently between mysql and mariadb (mariadb
  does not allow SET PASSWORD after FLUSH PRIVILEGES in this mode)
* the default character sets differ, and as such the valid indexes that
  can be created differ.

None of these are just theoretical issues.

-- 
christian hofstaedtler <z...@debian.org>

Bug#848616: #848616: mysql_install_db creates unusable root user

[Christian Hofstaedtler]

Here's a silly workaround I've added to ruby-mysql2, but this really
can't be the solution:

https://anonscm.debian.org/cgit/pkg-ruby-extras/ruby-mysql2.git/commit/?id=38e0a5633506fd115853aa0b16b91a7441069db5

-- 
christian hofstaedtler <z...@debian.org>

Bug#848289: ruby-riddle: (build-)depends on mysql-{client,server}

[Christian Hofstaedtler]

Control: tags -1 + help

I've committed the d/control changes to git, but with MariaDB there
are failing tests:

  1) Sphinx Updates should update a single record appropriately
 Failure/Error: ellie[:attributes]["birthday"].should == Time.local(1970, 
1, 23).to_i

   expected: 1900800
got: 191203200 (using ==)
 # ./spec/functional/update_spec.rb:14:in `block (2 levels) in '

Looks like MariaDB is not really that compatible or something.

-- 
 ,''`.  Christian Hofstaedtler <z...@debian.org>
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C  D392 5C13 D6DB 9305 2E03
  `-

Bug#848616: mysql_install_db creates unusable root user

[Christian Hofstaedtler]

 the MariaDB daemon with:
cd '/usr' ; /usr/bin/mysqld_safe --datadir='/tmp/tmp.WiS7YFCukw'

You can test the MariaDB daemon with mysql-test-run.pl
cd '/usr/mysql-test' ; perl mysql-test-run.pl

Please report any problems at http://mariadb.org/jira

The latest information about MariaDB is available at http://mariadb.org/.
You can find additional information about the MySQL part at:
http://dev.mysql.com
Support MariaDB development by buying support/new features from MariaDB
Corporation Ab. You can contact us about this at sa...@mariadb.com.
Alternatively consider joining our community based development effort:
http://mariadb.com/kb/en/contributing-to-the-mariadb-project/

ch@d:~ % /usr/sbin/mysqld --no-defaults --socket=/tmp/tmp.WiS7YFCukw/mysql.sock 
--datadir=/tmp/tmp.WiS7YFCukw --skip-networking
161219  0:19:09 [Note] /usr/sbin/mysqld (mysqld 10.0.28-MariaDB-2) starting as 
process 11972 ...
161219  0:19:09 [Note] InnoDB: Using mutexes to ref count buffer pool pages
161219  0:19:09 [Note] InnoDB: The InnoDB memory heap is disabled
161219  0:19:09 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
161219  0:19:09 [Note] InnoDB: GCC builtin __atomic_thread_fence() is used for 
memory barrier
161219  0:19:09 [Note] InnoDB: Compressed tables use zlib 1.2.8
161219  0:19:09 [Note] InnoDB: Using Linux native AIO
161219  0:19:09 [Note] InnoDB: Using CPU crc32 instructions
161219  0:19:09 [Note] InnoDB: Initializing buffer pool, size = 128.0M
161219  0:19:09 [Note] InnoDB: Completed initialization of buffer pool
161219  0:19:09 [Note] InnoDB: Highest supported file format is Barracuda.
161219  0:19:10 [Note] InnoDB: 128 rollback segment(s) are active.
161219  0:19:10 [Note] InnoDB: Waiting for purge to start
161219  0:19:10 [Note] InnoDB:  Percona XtraDB (http://www.percona.com) 
5.6.32-79.0 started; log sequence number 1623579
161219  0:19:10 [Note] Plugin 'FEEDBACK' is disabled.
161219  0:19:10 [Note] /usr/sbin/mysqld: ready for connections.
Version: '10.0.28-MariaDB-2'  socket: '/tmp/tmp.WiS7YFCukw/mysql.sock'  port: 0 
 Debian unstable

[in another shell:]

ch@d:~ % /usr/bin/mysqladmin --socket=/tmp/tmp.WiS7YFCukw/mysql.sock ping
/usr/bin/mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'ch'@'localhost''
ch@d:~ % /usr/bin/mysqladmin --socket=/tmp/tmp.WiS7YFCukw/mysql.sock ping -u 
root
/usr/bin/mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'root'@'localhost''

-- 
christian hofstaedtler <z...@debian.org>

Bug#835146: dpkg: please enable bindow hardening flag by default

[Christian Hofstaedtler]

* Bálint Réczey <bal...@balintreczey.hu> [161219 00:06]:
> I have uploaded a fixed package with the attached patch to DELAYED/10.

Given dpkg/1.18.16 has entered sid, your upload will likely fail...

Best,
-- 
christian hofstaedtler <z...@debian.org>

Bug#846299: #846299: lighttpd depends on systemd

[Christian Hofstaedtler]

Control: severity -1 normal

Extra dependencies that are harmless certainly do not qualify as
"severity serious".

Also note that while this would help installability on kfreebsd,
right now lighttpd does not even build there.

-- 
 ,''`.  Christian Hofstaedtler <z...@debian.org>
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C  D392 5C13 D6DB 9305 2E03
  `-

Bug#828486: #828486: libssl versions

[Christian Hofstaedtler]

Control: severity -1 important

0.4.3-1 with symbol versioning has entered testing; it also switched
back to libssl 1.0.2; therefore downgrading severity, as upgrading
to libssl 1.1.0 can be done in stretch+1.

-- 
 ,''`.  Christian Hofstaedtler <z...@debian.org>
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C  D392 5C13 D6DB 9305 2E03
  `-

Bug#847659: #847659: [dma] postinst maintainer script fails

[Christian Hofstaedtler]

Control: tags -1 + moreinfo

Dear Submitter,

I've quickly tried to reproduce your bug report, but failed to do
so. Please provide more info.
Were you upgrading from a previous version? If so, which?

Cheers,
-- 
 ,''`.  Christian Hofstaedtler <z...@debian.org>
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C  D392 5C13 D6DB 9305 2E03
  `-

Bug#848603: Enable innodb_large_prefix

[Christian Hofstaedtler]

Package: mariadb-server
Version: 10.0.28-2
Severity: serious

mariadb-server, the new default-mysql-server, breaks existing
well-functioning applications that need to index columns defined as
VARCHAR(255). This worked fine with mysql-server-5.6.

This is caused by two questionable choices:

  * default character set is utf8mb4 (causing index prefix lengths
quadruple).
  * innodb_large_prefix is OFF.

I'd suggest you enable innodb_large_prefix or revert to what
mysql-server-5.6 did, i.e. set the character set to utf8 (which uses
"just" 3 bytes per character).

Thanks,
-- 
christian hofstaedtler <z...@debian.org>

Bug#848588: cvm: FTBFS: + : directory debian/cvm missing

[Christian Hofstaedtler]

Control: severity -1 important

This appears to be caused by parallel building, which I'm not sure
is a policy requirement, so downgrading for now.

-- 
 ,''`.  Christian Hofstaedtler <z...@debian.org>
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C  D392 5C13 D6DB 9305 2E03
  `-

Bug#848588: cvm: FTBFS: + : directory debian/cvm missing

[Christian Hofstaedtler]

Source: cvm
Version: 0.96-1.2
Severity: serious

Dear Maintainer,

your package cvm currently FTBFS in unstable, last few lines:

make[1]: Leaving directory '/<>'
touch build-stamp
 fakeroot debian/rules binary
: implicit
+ : directory debian/cvm missing
: debian/cvm/usr/share/doc/cvm/examples/
debian/implicit:20: recipe for target 'cvm.deb-checkdir' failed
make: *** [cvm.deb-checkdir] Error 1
make: *** Waiting for unfinished jobs
: debian/cvm/usr/share/doc/cvm/
+ install -m0644 debian/cvm.README.Debian 
debian/cvm/usr/share/doc/cvm/README.Debian
+ install -m0644 debian/copyright debian/cvm/usr/share/doc/cvm/
+ install -m0644 debian/changelog debian/cvm/usr/share/doc/cvm/changelog.Debian
+ mv debian/cvm/usr/share/doc/cvm/changelog.Debian 
debian/cvm/usr/share/doc/cvm/changelog
dpkg-buildpackage: error: fakeroot debian/rules binary gave error exit status 2


Build log attached.

Cheers,
-- 
christian hofstaedtler <z...@debian.org>
sbuild (Debian sbuild) 0.72.0 (25 Oct 2016) on debbuild.in.namespace.at

+==+
| cvm 0.96-1.2 (amd64) Sun, 18 Dec 2016 17:13:41 + |
+==+

Package: cvm
Version: 0.96-1.2
Source Version: 0.96-1.2
Distribution: unstable
Machine Architecture: amd64
Host Architecture: amd64
Build Architecture: amd64

I: NOTICE: Log filtering will replace 
'var/run/schroot/mount/unstable-amd64-sbuild-3727a883-1bb1-47e9-a623-ac99b68433ba'
 with '<>'

+--+
| Update chroot|
+--+

Get:1 http://http.at.debian.org/debian unstable InRelease [223 kB]
Get:2 http://http.at.debian.org/debian unstable/main Sources.diff/Index [27.9 
kB]
Get:3 http://http.at.debian.org/debian unstable/main amd64 Packages.diff/Index 
[27.9 kB]
Get:4 http://http.at.debian.org/debian unstable/main Sources 
2016-12-18-0227.50.pdiff [18.4 kB]
Get:5 http://http.at.debian.org/debian unstable/main Sources 
2016-12-18-0827.17.pdiff [2281 B]
Get:6 http://http.at.debian.org/debian unstable/main Sources 
2016-12-18-1427.50.pdiff [10.9 kB]
Get:7 http://http.at.debian.org/debian unstable/main amd64 Packages 
2016-12-18-0227.50.pdiff [13.7 kB]
Get:8 http://http.at.debian.org/debian unstable/main amd64 Packages 
2016-12-18-0827.17.pdiff [2228 B]
Get:9 http://http.at.debian.org/debian unstable/main amd64 Packages 
2016-12-18-1427.50.pdiff [16.5 kB]
Get:6 http://http.at.debian.org/debian unstable/main Sources 
2016-12-18-1427.50.pdiff [10.9 kB]
Get:9 http://http.at.debian.org/debian unstable/main amd64 Packages 
2016-12-18-1427.50.pdiff [16.5 kB]
Fetched 343 kB in 1s (238 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

+--+
| Fetch source files   |
+--+


Local sources
-

/home/ch/Debian/tmp/cvm_0.96-1.2.dsc exists in /home/ch/Debian/tmp; copying to 
chroot
I: NOTICE: Log filtering will replace 'build/cvm-7jI1Ey/cvm-0.96' with 
'<>'
I: NOTICE: Log filtering will replace 'build/cvm-7jI1Ey' with '<>'

+--+
| Install build-essential  |
+--+


Setup apt archive
-

Merged Build-Depends: build-essential, fakeroot
Filtered Build-Depends: build-essential, fakeroot
dpkg-deb: building package 'sbuild-build-depends-core-dummy' in 
'/<>/resolver-LEFpsD/apt_archive/sbuild-build-depends-core-dummy.deb'.
dpkg-scanpackages: warning: Packages in archive but missing from override file:
dpkg-scanpackages: warning:   sbuild-build-depends-core-dummy
dpkg-scanpackages: info: Wrote 1 entries to output Packages file.
Ign:1 copy:/<>/resolver-LEFpsD/apt_archive ./ InRelease
Get:2 copy:/<>/resolver-LEFpsD/apt_archive ./ Release [957 B]
Ign:3 copy:/<>/resolver-LEFpsD/apt_archive ./ Release.gpg
Get:4 copy:/<>/resolver-LEFpsD/apt_archive ./ Sources [349 B]
Get:5 copy:/<>/resolver-LEFpsD/apt_archive ./ Packages [432 B]
Fetched 1738 B in 0s (106 kB/s)
Reading package lists...
Reading package lists...

+--+
| Install core build dependencies (aptitude-based resolver)|
+--+

Bug#848580: dirmngr: upgrading from jessie fails

[Christian Hofstaedtler]

Control: reassign -1 dpkg
Control: found -1 1.18.16
Control: retitle -1 dpkg-maintscript-helper: fails if optional version is not 
given

Reassigning to dpkg which apparently broke dpkg-maintscript-helper
in 1.18.16.

-- 
christian hofstaedtler <z...@debian.org>

Bug#848504: usrmerge breaks various systemd symlinks

[Christian Hofstaedtler]

Control: found -1 13

* Michael Biebl <bi...@debian.org> [161217 21:35]:
> Am 17.12.2016 um 21:08 schrieb Michael Biebl:
...
> > So it seems, usrmerge resolved those to the symlink target.
> > 
> > I don't see anything broken in systemd here though, so 
> > reassigning to usrmerge (and bumping the severity, as this breaks systemd 
> > badly)
> > 
> > Which version of usrmerge is this?

Version 13

> Fwiw, I just tried usrmerge in a freshly created test VM. It ran
> succesfully without any issues regarding systemd symlinks.
> 
> Christian, do you have any custom modifications or some special setup?
> Do you maybe have a backup of that system where you can check those
> symlinks and where they were pointing to?

No to both unfortunately. This is my scratch/build VM, so it may
very well have seen various interesting upgrades over time in sid,
or it may just have been plain and normal. The VM probably started
out as jessie.

So what I did not mention before (sorry), is that installing
usrmerge actually aborted at first, because keepalived installed a
file in both /usr/lib and /lib; but from the output it appeared to
me the abort happened before doing any real work. Therefore I just
removed keepalived and then dpkg ran the usrmerge postinst again, I
think.

/etc/fstab (minus comments):
UUID=dcdeb525-ea16-4b14-96bc-52669f8b28f6 /   ext4 
errors=remount-ro 0   1

/proc/cmdline:
BOOT_IMAGE=/boot/vmlinuz-4.8.0-2-amd64 
root=UUID=dcdeb525-ea16-4b14-96bc-52669f8b28f6 ro panic=30 console=ttyS0,115200 
console=tty0 vga=791

% grep -Ev '^(#|$)' /etc/dpkg/dpkg.cfg /etc/dpkg/dpkg.cfg.d/*
/etc/dpkg/dpkg.cfg:no-debsig
/etc/dpkg/dpkg.cfg:log /var/log/dpkg.log
/etc/dpkg/dpkg.cfg.d/needrestart:status-logger=(test -x 
/usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > 
/dev/null)
/etc/dpkg/dpkg.cfg.d/pkg-config-hook-config:post-invoke=if { test 
"$DPKG_HOOK_ACTION" = add-architecture || test "$DPKG_HOOK_ACTION" = 
remove-architecture; } && test -x /usr/share/pkg-config-dpkghook; then 
/usr/share/pkg-config-dpkghook update; fi

apt is set to APT::Install-Recommends 0;

ii  usrmerge  13  
all Convert the system to the merged /usr directories 
scheme
ii  util-linux2.29-1  
amd64   miscellaneous system utilities
ii  systemd   232-7   
amd64   system and service manager
un  systemd-container   
  (no description available)
un  systemd-shim
  (no description available)
ii  systemd-sysv  232-7   
amd64   system and service manager - SysV links
un  systemd-ui      
  (no description available)

Cheers,
-- 
 ,''`.  Christian Hofstaedtler <z...@debian.org>
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C  D392 5C13 D6DB 9305 2E03
  `-

Bug#843977: #843977: missing dependeny on python-pkg-resources

[Christian Hofstaedtler]

Even with python-pkg-resources installed, the package does not work,
as pep8 has been renamed to pycodestyle and autopep8 now fails like
this:

% autopep8
Traceback (most recent call last):
  File "/usr/bin/autopep8", line 5, in 
from pkg_resources import load_entry_point
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 3019, 
in 
@_call_aside
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 3003, 
in _call_aside
f(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 3032, 
in _initialize_master_working_set
working_set = WorkingSet._build_master()
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 655, 
in _build_master
ws.require(__requires__)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 963, 
in require
needed = self.resolve(parse_requirements(requirements))
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 849, 
in resolve
raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'pep8>=1.4.5' distribution was not 
found and is required by autopep8

-- 
christian hofstaedtler <z...@debian.org>

Bug#848504: usrmerge breaks various systemd symlinks

[Christian Hofstaedtler]

After rebooting:

% systemctl status procps.service
Unit procps.service could not be found.
% systemctl status runlevel3.target
Unit runlevel3.target could not be found.
% systemctl status dbus-org.freedesktop.hostname1.service
Unit dbus-org.freedesktop.hostname1.service could not be found.
% systemctl status dbus-org.freedesktop.timedate1.service
Unit dbus-org.freedesktop.timedate1.service could not be found.
% systemctl status dbus-org.freedesktop.login1.service   
Unit dbus-org.freedesktop.login1.service could not be found.

I don't think that is the expected outcome...?

-- 
christian hofstaedtler <z...@debian.org>

Bug#848504: usrmerge breaks various systemd symlinks

[Christian Hofstaedtler]

Package: systemd
Version: 232-7

usrmerge reports that various symlinks installed by systemd are "broken"
and cannot be properly converted:

WARNING: /usr/lib/systemd/system/dbus-org.freedesktop.login1.service is a 
broken symlink and has been renamed!
WARNING: /usr/lib/systemd/system/runlevel3.target is a broken symlink and has 
been renamed!
WARNING: /usr/lib/systemd/system/dbus-org.freedesktop.timedate1.service is a 
broken symlink and has been renamed!
WARNING: /usr/lib/systemd/system/dbus-org.freedesktop.hostname1.service is a 
broken symlink and has been renamed!
WARNING: /usr/lib/systemd/system/procps.service is a broken symlink and has 
been renamed!

ls -la (in /usr/lib/systemd/system/) after conversion:

lrwxrwxrwx 1 root root 62 Dec 17 18:35 dbus-org.freedesktop.hostname1.service 
-> /usr/lib/systemd/system/dbus-org.freedesktop.hostname1.service
lrwxrwxrwx 1 root root 59 Dec 17 18:35 dbus-org.freedesktop.login1.service -> 
/usr/lib/systemd/system/dbus-org.freedesktop.login1.service
lrwxrwxrwx 1 root root 62 Dec 17 18:35 dbus-org.freedesktop.timedate1.service 
-> /usr/lib/systemd/system/dbus-org.freedesktop.timedate1.service
lrwxrwxrwx 1 root root 38 Dec 17 18:35 procps.service -> 
/usr/lib/systemd/system/procps.service
lrwxrwxrwx 1 root root 40 Dec 17 18:35 runlevel3.target -> 
/usr/lib/systemd/system/runlevel3.target

lrwxrwxrwx 1 root root 25 Nov 30 13:38 
dbus-org.freedesktop.hostname1.service.usrmerge-broken -> 
systemd-hostnamed.service
lrwxrwxrwx 1 root root 22 Nov 30 13:38 
dbus-org.freedesktop.login1.service.usrmerge-broken -> systemd-logind.service
lrwxrwxrwx 1 root root 25 Nov 30 13:38 
dbus-org.freedesktop.timedate1.service.usrmerge-broken -> 
systemd-timedated.service
lrwxrwxrwx 1 root root 22 Nov 30 13:38 procps.service.usrmerge-broken -> 
systemd-sysctl.service
lrwxrwxrwx 1 root root 17 Nov 30 13:38 runlevel3.target.usrmerge-broken -> 
multi-user.target

Can't really tell what the state before was, though.

-- 
christian hofstaedtler <z...@debian.org>

Bug#843761: invoke-rc.d: Kill 600 birds with one stone (a.k.a. automatic policy-rc.d for init-less chroots)

[Christian Hofstaedtler]

* Martin Pitt <mp...@debian.org> [161210 20:50]:
> However, I do like the patch, it would give us a much saner behaviour
> of package installation in self-created chroots. mk-sbuild and friends
> do install a policy-rc.d already, but I've seen this come up more than
> once already.

> Michael, any others: Do you see any downside of this?

>From a sysadmin PoV: please implement this.

Cheers,
-- 
christian hofstaedtler <z...@debian.org>

Bug#416086: [Pkg-sysvinit-devel] Bug#416086: symlinks are not removed on uninstall/purge

[Christian Hofstaedtler]

Control: tags -1 + wontfix

* Henrique de Moraes Holschuh <h...@debian.org> [161210 20:43]:
> On Sat, 24 Mar 2007, Michael Biebl wrote:
> > When deinstalling/purging initscripts, the symlinks in /etc/rcS.d,rc0.d
> > and rc6.d are not removed.
> 
> Messing with those has a critical effect on the ability to shutdown or
> reboot the system.  I don't know if we can change that, even for purging.

Note that purging works fine.

I'm tagging this wontfix for now, as the symlinks are indeed
configuration, and just removing initscripts then is pointless.

-- 
christian hofstaedtler <z...@debian.org>

Bug#728682: Patch

[Christian Hofstaedtler]

Control: tags -1 + patch

Proposed patch attached.

-- 
 ,''`.  Christian Hofstaedtler <z...@debian.org>
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C  D392 5C13 D6DB 9305 2E03
  `-

>From ceae57b4ae857680c2526d2e7c3a149ae5c23dec Mon Sep 17 00:00:00 2001
From: Christian Hofstaedtler <z...@debian.org>
Date: Sat, 10 Dec 2016 20:34:05 +
Subject: [PATCH] Align policy-rc.d existing/nonexisting case for custom
 actions

Previously, when calling invoke-rc.d with a "custom" action, it
would print an error when a policy-rc.d file was installed, but
it would be silent if no such file was installed.

Closes: #728682
---
 script/invoke-rc.d | 11 ---
 1 file changed, 11 deletions(-)

diff --git a/script/invoke-rc.d b/script/invoke-rc.d
index ed9028d..7d839bf 100755
--- a/script/invoke-rc.d
+++ b/script/invoke-rc.d
@@ -257,17 +257,6 @@ fi
 #NOTE: It may not be obvious, but "$@" from this point on must expand
 #to the extra initscript parameters, except inside functions.
 
-## sanity checks and just-in-case warnings.
-case ${ACTION} in
-start|stop|force-stop|restart|reload|force-reload|status)
-   ;;
-*)
-   if test "x${POLICYHELPER}" != x && test -x "${POLICYHELPER}" ; then
-   printerror action ${ACTION} is unknown, but proceeding anyway.
-   fi
-   ;;
-esac
-
 # Operate against system upstart, not session
 unset UPSTART_SESSION
 # If we're running on upstart and there's an upstart job of this name, do
-- 
2.11.0

Bug#728682: #728682 - unfixed, only happens with policy-rc.d

[Christian Hofstaedtler]

Reassigning to init-system-helpers, which nowadays provides
invoke-rc.d.

While Michael correctly notices that the warning is not printed on
sid, this is just an effect of the bug:
invoke-rc.d does print the warning ONLY if a policy-rc.d helper has
been installed by the local admin.

See:
http://sources.debian.net/src/init-system-helpers/1.46/script/invoke-rc.d/#L265

I find this is quite annoying, and would suggest just dropping lines
260-269 from that file. Any opposition?

Thanks,
-- 
 ,''`.  Christian Hofstaedtler <z...@debian.org>
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C  D392 5C13 D6DB 9305 2E03
  `-