Bug#874663: Document +dfsg as extension when repacking upstream sources

2017-09-08 Thread David Prévot
Hi,

On 08/09/2017 at 07:44, Simon McVittie wrote:
> On Fri, 08 Sep 2017 at 16:10:44 +0200, Guido Günther wrote:
>> when upstream tarballs need to be repacked because they contain non-dfsg
>> free data appending '+dfsg' to the upstream version seems common
>> practice.
[…]
> It's a coincidence that you should mention this today. I've just run
> into a situation where routinely appending +dfsg causes brokenness:
[…]
> This made me think that we should maybe only be doing this when
> a *pre-existing* upstream version needs to be repacked.
> […] when upstream releases
> foo/1.2.4, even if the non-freeness has not been fixed, the
> maintainer would repack it as 1.2.4 rather than 1.2.4+dfsg.

That would be a bit misleading: since we are not using the upstream
version, using the same version is a lie.

Another data point: I used to package something that upstream was also
distributing on their own, and I used a tilde before “dfsg” to avoid
confusion. That way, people using upstream version (picked from upstream
servers) was always higher than the version in Debian (and because
upstream version didn’t follow policy or even FHS, switching from one
version to another would cause huge brokenness…).

Regards

David



signature.asc
Description: OpenPGP digital signature


Bug#873198: php-doctrine-cache-bundle FTBFS: test failures

2017-08-28 Thread David Prévot
Control: reassign -1 php-doctrine-cache
Control: found -1 1.7.0-1
Control: affects -1 php-doctrine-cache-bundle
Control: retitle -1 php-doctrine-cache should not (silently) depend on php 7.1

Thank you Adrian for filing this issue.

On Fri, Aug 25, 2017 at 04:13:47PM +0300, Adrian Bunk wrote:
> Source: php-doctrine-cache-bundle
[…]
> Some recent change in unstable makes php-doctrine-cache-bundle FTBFS:
[…]
> There were 2 errors:
> 
> 1) 
> Doctrine\Bundle\DoctrineCacheBundle\Tests\Functional\PhpFileCacheTest::testCacheDriver
> ParseError: syntax error, unexpected '?'

Right. The latest php-doctrine-cache version in unstable depends on
php 7.1, and the default version in unstable is still php 7.0 (and there
is no proper way to depend on the more recent php7.1 package available
in unstable). I’ll fix this issue by uploading back the 1.6.1 version of
php-doctrine-cache to unstable.

Regards

David




Bug#872165: [pkg-php-pear] Bug#872165: composer 1.4.3-2 fails its autopkgtests

2017-08-14 Thread David Prévot
Hi Steve,

Thanks for the feedback.

On 14/08/2017 at 08:19, Steve Langasek wrote:
> Source: composer
> Version: 1.4.3-2
> Severity: important
> User: ubuntu-de...@lists.ubuntu.com
> Usertags: origin-ubuntu artful autopkgtest
[…]
> The autopkgtests for composer 1.4.3-2 have been failing since upload,
> despite the fact that they previously passed in version 1.2.2-1
[…]
> I have not analyzed the failures to understand if they point to bugs in the
> test or bugs in the code,

I did already and committed a fix in the Git repository: one of the
tests needing remote access (for PEAR) fails also in the CI
infrastructure (but not at home), so it also needs to be ignored (as in
the proper build).

A new upstream release is also available, so we may fix this issue with
the next version (while checking if the test is more reliable).

Regards

David





Bug#864791: Acknowledgement (firefox-esr: OAtab order cannot be changed with TabMixPlus)

2017-08-05 Thread David Prévot
Hi,

Thank you for your report(s).

On Thu, Jun 15, 2017 at 12:27:24AM +0200, Christoph Anton Mitterer wrote:
> Control: reassign -1 xul-ext-tabmixplus

> Seems the bug is rather in TMP or the combination of newer FF, TMP and
> other addons.

Can you please confirm if this issue is fixed with the latest version
(0.5.0.3-1). I was not bitten myself with it and the set of addons
currently installed on my development box…

Regards

David



Bug#866182: xul-ext-tabmixplus: new upstream version

2017-08-05 Thread David Prévot
Hi,

On Wed, Jun 28, 2017 at 03:39:15AM +0200, Christoph Anton Mitterer wrote:
> Package: xul-ext-tabmixplus
> Version: 0.5.0.1-1
> Severity: wishlist

> There's a newer upstream version. Perhaps even the devel version
> could be packaged (e.g. in experimental) as this may fix several issues
> that make TabMix+ unusable with the current FF/FF-esr versions in sid.

I guess this bug is also (or will also be) relevant for Stretch, since
FF gets updated there too. Can you please describe how unusable it is?
This may rather be a serious bug if the package is totally useless.

Regards

David




Bug#861266: cmocka: Please package new upstream version

2017-07-02 Thread David Prévot
Hi Sandro,

On 02/07/2017 at 03:00, Sandro Knauß wrote:

> the new version is now available in git repository:

Great!

> @taffit: what is your policy to upload new version of cmocka?

I don’t have much. There are a few libcmocka-dev build-rdepends, so you
may want to build test some of them with the new version.

Regards

David





Bug#866351: stretch-pu: package phpunit/5.4.6-2~deb9u1

2017-06-30 Thread David Prévot
Hi Cyril,

On 30/06/2017 at 14:36, Cyril Brulebois wrote:
> Control: retitle -1 stretch-pu: package phpunit/5.4.6-2~deb9u1
> Control: tag -1 moreinfo

> David Prévot <taf...@debian.org> (2017-06-28):
>> Please, allow this patched version of phpunit, built and tested in a
>> Stretch environment, fixing an arbitrary PHP code execution via HTTP
>> POST [CVE-2017-9841], aka #866200.

> Stretch is Debian 9. :)

Ooops, things are moving so quickly…

> Please post an updated source debdiff with the proper version number for
> a last look before an ACK for the upload.

Attached (with package rebuilt, and tested again), thanks!

Regards

David
diff -Nru phpunit-5.4.6/debian/changelog phpunit-5.4.6/debian/changelog
--- phpunit-5.4.6/debian/changelog	2016-06-18 12:34:11.0 -1000
+++ phpunit-5.4.6/debian/changelog	2017-06-28 17:03:35.0 -1000
@@ -1,3 +1,18 @@
+phpunit (5.4.6-2~deb9u1) stretch; urgency=high
+
+  * Team upload
+  * Upload previous fix to Stretch
+
+ -- David Prévot <taf...@debian.org>  Wed, 28 Jun 2017 17:03:35 -1000
+
+phpunit (5.4.6-2) unstable; urgency=high
+
+  * Team upload
+  * Fix arbitrary PHP code execution via HTTP POST [CVE-2017-9841]
+(Closes: #866200)
+
+ -- David Prévot <taf...@debian.org>  Wed, 28 Jun 2017 16:43:26 -1000
+
 phpunit (5.4.6-1) unstable; urgency=medium
 
   * Team upload
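Review bot: the new 5.4.6-2~deb9u1 entry only says "Upload previous fix to Stretch", so a reader of the stable changelog has to look at the next entry down to learn what is being fixed. Suggest naming CVE-2017-9841 (and #866200) in the stretch entry itself, since that is the entry the release team and stable users will see first.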
diff -Nru phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch
--- phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch	1969-12-31 14:00:00.0 -1000
+++ phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch	2017-06-28 16:41:16.0 -1000
@@ -0,0 +1,34 @@
+From: Bob Weinand <bobw...@hotmail.com>
+Date: Sun, 13 Nov 2016 18:52:50 +0100
+Subject: Correct fix for #1956
+
+Origin: upstream, https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5
+Bug: https://github.com/sebastianbergmann/phpunit/pull/2356
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866200
+---
+ src/Util/PHP/Template/TestCaseMethod.tpl.dist | 2 +-
+ src/Util/PHP/eval-stdin.php   | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/Util/PHP/Template/TestCaseMethod.tpl.dist b/src/Util/PHP/Template/TestCaseMethod.tpl.dist
+index 47ef6e4..c7172b9 100644
+--- a/src/Util/PHP/Template/TestCaseMethod.tpl.dist
 b/src/Util/PHP/Template/TestCaseMethod.tpl.dist
+@@ -58,7 +58,7 @@ function __phpunit_run_isolated_test()
+ $output = $test->getActualOutput();
+ }
+ 
+-rewind(STDOUT);
++@rewind(STDOUT); /* @ as not every STDOUT target stream is rewindable */
+ if ($stdout = stream_get_contents(STDOUT)) {
+ $output = $stdout . $output;
+ }
+diff --git a/src/Util/PHP/eval-stdin.php b/src/Util/PHP/eval-stdin.php
+index fe1b8bd..3b3a6d0 100644
+--- a/src/Util/PHP/eval-stdin.php
 b/src/Util/PHP/eval-stdin.php
+@@ -1,3 +1,3 @@
+ ' . file_get_contents('php://input'));
++eval('?>' . file_get_contents('php://stdin'));
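Review bot: the eval-stdin.php hunk is the fix for CVE-2017-9841, yet the patch header (Subject: Correct fix for #1956) has no Description field and no CVE id, so the security purpose is only discoverable through debian/changelog. Suggest adding a Description line that names CVE-2017-9841 and states that the script now reads php://stdin instead of php://input. The TestCaseMethod.tpl.dist hunk is unrelated to the HTTP POST issue and its @ operator silences every rewind() failure, not only the non-rewindable case named in the comment; since it travels in the same upstream commit, a sentence in the header saying so would help later reviewers.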
diff -Nru phpunit-5.4.6/debian/patches/series phpunit-5.4.6/debian/patches/series
--- phpunit-5.4.6/debian/patches/series	2016-06-18 12:15:55.0 -1000
+++ phpunit-5.4.6/debian/patches/series	2017-06-28 16:41:16.0 -1000
@@ -1 +1,2 @@
 0001-Remove-Composer-autoload.patch
+0002-Correct-fix-for-1956.patch




Bug#866351: stretch-pu: package phpunit/5.4.6-2~deb8u1

2017-06-28 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi stable managers,

Please, allow this patched version of phpunit, built and tested in a
Stretch environment, fixing an arbitrary PHP code execution via HTTP
POST [CVE-2017-9841], aka #866200. As discussed with the security team,
PHPUnit should not be available on a production server, even less
publicly accessible (so we’d prefer to pass on a proper DSA), yet, we’d
prefer not to let such a big flaw available, so please, accept it in the
next stable update.

Regards

David
diff -Nru phpunit-5.4.6/debian/changelog phpunit-5.4.6/debian/changelog
--- phpunit-5.4.6/debian/changelog	2016-06-18 12:34:11.0 -1000
+++ phpunit-5.4.6/debian/changelog	2017-06-28 17:03:35.0 -1000
@@ -1,3 +1,18 @@
+phpunit (5.4.6-2~deb8u1) stretch; urgency=high
+
+  * Team upload
+  * Upload previous fix to Stretch
+
+ -- David Prévot <taf...@debian.org>  Wed, 28 Jun 2017 17:03:35 -1000
+
+phpunit (5.4.6-2) unstable; urgency=high
+
+  * Team upload
+  * Fix arbitrary PHP code execution via HTTP POST [CVE-2017-9841]
+(Closes: #866200)
+
+ -- David Prévot <taf...@debian.org>  Wed, 28 Jun 2017 16:43:26 -1000
+
 phpunit (5.4.6-1) unstable; urgency=medium
 
   * Team upload
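Review bot: the new top entry pairs version 5.4.6-2~deb8u1 with distribution stretch, but deb8 is the suffix used for Jessie uploads (compare spip 3.0.17-2+deb8u3 targeting jessie); an upload to stretch should be versioned 5.4.6-2~deb9u1. The subject of the request carries the same deb8u1 string and needs the same correction.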
diff -Nru phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch
--- phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch	1969-12-31 14:00:00.0 -1000
+++ phpunit-5.4.6/debian/patches/0002-Correct-fix-for-1956.patch	2017-06-28 16:41:16.0 -1000
@@ -0,0 +1,34 @@
+From: Bob Weinand <bobw...@hotmail.com>
+Date: Sun, 13 Nov 2016 18:52:50 +0100
+Subject: Correct fix for #1956
+
+Origin: upstream, https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5
+Bug: https://github.com/sebastianbergmann/phpunit/pull/2356
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866200
+---
+ src/Util/PHP/Template/TestCaseMethod.tpl.dist | 2 +-
+ src/Util/PHP/eval-stdin.php   | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/Util/PHP/Template/TestCaseMethod.tpl.dist b/src/Util/PHP/Template/TestCaseMethod.tpl.dist
+index 47ef6e4..c7172b9 100644
+--- a/src/Util/PHP/Template/TestCaseMethod.tpl.dist
 b/src/Util/PHP/Template/TestCaseMethod.tpl.dist
+@@ -58,7 +58,7 @@ function __phpunit_run_isolated_test()
+ $output = $test->getActualOutput();
+ }
+ 
+-rewind(STDOUT);
++@rewind(STDOUT); /* @ as not every STDOUT target stream is rewindable */
+ if ($stdout = stream_get_contents(STDOUT)) {
+ $output = $stdout . $output;
+ }
+diff --git a/src/Util/PHP/eval-stdin.php b/src/Util/PHP/eval-stdin.php
+index fe1b8bd..3b3a6d0 100644
+--- a/src/Util/PHP/eval-stdin.php
 b/src/Util/PHP/eval-stdin.php
+@@ -1,3 +1,3 @@
+ ' . file_get_contents('php://input'));
++eval('?>' . file_get_contents('php://stdin'));
diff -Nru phpunit-5.4.6/debian/patches/series phpunit-5.4.6/debian/patches/series
--- phpunit-5.4.6/debian/patches/series	2016-06-18 12:15:55.0 -1000
+++ phpunit-5.4.6/debian/patches/series	2017-06-28 16:41:16.0 -1000
@@ -1 +1,2 @@
 0001-Remove-Composer-autoload.patch
+0002-Correct-fix-for-1956.patch


signature.asc
Description: PGP signature
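
A defender-side check for the situation described in this request (PHPUnit left on a deployed host), as an added example that is not part of the original message or of the Debian package: it walks a directory tree, finds copies of PHPUnit's Util/PHP/eval-stdin.php and reports whether each still reads php://input or has the php://stdin change from the patch above. The directory layout and file contents are constructed for the demonstration, and the function names are this example's own.

```python
import os
import tempfile

# Path suffix of the script touched by the patch on this page.
TARGET_SUFFIX = ("Util", "PHP", "eval-stdin.php")


def classify(source: bytes) -> str:
    """Classify one eval-stdin.php by the stream it reads.

    A match anywhere in the file counts, comments included, so the
    result errs on the side of reporting a file as unpatched.
    """
    if b"php://input" in source:
        return "unpatched"      # request body reaches eval()
    if b"php://stdin" in source:
        return "patched"        # reads the process's standard input
    return "unknown"


def audit_tree(root):
    """Return sorted (relative_path, status) pairs for every copy found.

    Any hit deserves attention: the request above notes that PHPUnit
    should not be on a production server at all, patched or not.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel_parts = os.path.relpath(path, root).split(os.sep)
            if tuple(rel_parts[-3:]) != TARGET_SUFFIX:
                continue
            try:
                with open(path, "rb") as handle:
                    status = classify(handle.read(65536))
            except OSError:
                status = "unreadable"
            findings.append(("/".join(rel_parts), status))
    return sorted(findings)


def build_sample_tree(root):
    """Create a constructed document root with three sample sites."""
    base = "vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"
    samples = {
        "site-a/" + base:
            b"<?php\neval('?>' . file_get_contents('php://input'));\n",
        "site-b/" + base:
            b"<?php\neval('?>' . file_get_contents('php://stdin'));\n",
        # Same file name outside Util/PHP: must not be reported.
        "site-c/lib/eval-stdin.php": b"<?php // unrelated helper\n",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(data)


def demo():
    """Run the audit over the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_tree(root)


if __name__ == "__main__":
    for rel_path, status in demo():
        print(f"{status:10} {rel_path}")
```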


Bug#863493: [pkg-php-pear] Bug#863493: FTBFS with PHP 7.0.18+

2017-05-27 Thread David Prévot
Hi James,

On 27/05/2017 at 09:08, James Clarke wrote:
> Source: symfony
> Version: 2.8.7+dfsg-1.2

> I noticed that symfony now FTBFS after the upload of php7.0 7.0.18-1,

Thanks!

> I am happy to NMU again with just the changes needed

Please, go ahead, I don’t have much time currently, and haven’t heard of
Daniel for quite some time either. Your help is much appreciated.

Regards





Bug#861294: jessie-pu: package spip/3.0.17-2+deb8u3

2017-04-26 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I’ve been asked by the security team to fix the (pile of) security
issues currently affecting the spip package in Jessie. Please find
attached the full debdiff, here is the proposed changelog:

spip (3.0.17-2+deb8u3) jessie; urgency=medium

  * Document CVE in previous changelog entry
  * Update security screen to 1.3.0
  * Backport security fixes from 3.0.23
    - Multiple XSS issues
  * Backport security fixes from 3.0.24
    - Server side request forgery (SSRF) attacks via the var_url parameter
      [CVE-2016-7999]
    - Directory traversal vulnerability in ecrire/exec/valider_xml.php
      [CVE-2016-7982]
    - Execution of arbitrary PHP code by authenticated users [CVE-2016-7998]
    - Cross-site request forgery (CSRF) vulnerability in
      ecrire/exec/valider_xml.php [CVE-2016-7980]
    - Cross-site scripting (XSS) vulnerability in valider_xml.php
      [CVE-2016-7981]
  * Backport security fixes from 3.2-alpha-1
    - Reflected Cross Site Scripting Vulnerabilities in
      /ecrire/exec/puce_statut.php and /ecrire/exec/info_plugin.php
      [CVE-2016-9997] [CVE-2016-9998] (Closes: #848641)
    - Cross-site scripting (XSS) vulnerability in ecrire/exec/plonger.php
      [CVE-2016-9152] (Closes: #847156)
  * Backport security fix from 3.0.25
    - Execution of arbitrary PHP code

 -- David Prévot <taf...@debian.org>  Wed, 26 Apr 2017 18:02:00 -1000

I’ve just deployed the package on production server, and will follow up
if any issue rises before Saturday, in the hope I’m not too late for the
8.8 update.

Thanks in advance for considering it, and also sorry for all those
French comments…

Regards

David
diff -Nru spip-3.0.17/debian/changelog spip-3.0.17/debian/changelog
--- spip-3.0.17/debian/changelog	2016-03-11 10:32:29.0 -1000
+++ spip-3.0.17/debian/changelog	2017-04-26 18:02:00.0 -1000
@@ -1,8 +1,35 @@
+spip (3.0.17-2+deb8u3) jessie; urgency=medium
+
+  * Document CVE in previous changelog entry
+  * Update security screen to 1.3.0
+  * Backport security fixes from 3.0.23
+- Multiple XSS issues
+  * Backport security fixes from 3.0.24
+- Server side request forgery (SSRF) attacks via the var_url parameter
+  [CVE-2016-7999]
+- Directory traversal vulnerability in ecrire/exec/valider_xml.php
+  [CVE-2016-7982]
+- Execution of arbitrary PHP code by authenticated users [CVE-2016-7998]
+- Cross-site request forgery (CSRF) vulnerability in
+  ecrire/exec/valider_xml.php [CVE-2016-7980]
+- Cross-site scripting (XSS) vulnerability in valider_xml.php
+  [CVE-2016-7981]
+  * Backport security fixes from 3.2-alpha-1
+- Reflected Cross Site Scripting Vulnerabilities in
+  /ecrire/exec/puce_statut.php and /ecrire/exec/info_plugin.php
+  [CVE-2016-9997] [CVE-2016-9998] (Closes: #848641)
+- Cross-site scripting (XSS) vulnerability in ecrire/exec/plonger.php
+  [CVE-2016-9152] (Closes: #847156)
+  * Backport security fix from 3.0.25
+- Execution of arbitrary PHP code
+
+ -- David Prévot <taf...@debian.org>  Wed, 26 Apr 2017 18:02:00 -1000
+
 spip (3.0.17-2+deb8u2) jessie-security; urgency=high
 
   * Backport security fixes from 3.0.22
-- PHP code injection
-- Objects injection via unserialize
+- PHP code injection [CVE-2016-3153]
+- Objects injection via unserialize [CVE-2016-3154]
   * Update security screen to 1.2.4
 
  -- David Prévot <taf...@debian.org>  Thu, 10 Mar 2016 19:18:09 -0400
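Review bot: the last item of the new entry, "Backport security fix from 3.0.25 / Execution of arbitrary PHP code", carries no CVE id or bug reference, and neither does "Multiple XSS issues" from 3.0.23, while every item from 3.0.24 and 3.2-alpha-1 does. If no id was assigned, say so in the entry; otherwise add it, as this same hunk does retroactively for the 3.0.22 items in deb8u2. The entry is also urgency=medium although it includes arbitrary PHP code execution and deb8u2 used urgency=high for comparable fixes, which is worth confirming as intended.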
diff -Nru spip-3.0.17/debian/patches/0009-Update-security-screen.patch spip-3.0.17/debian/patches/0009-Update-security-screen.patch
--- spip-3.0.17/debian/patches/0009-Update-security-screen.patch	2016-03-11 10:32:29.0 -1000
+++ spip-3.0.17/debian/patches/0009-Update-security-screen.patch	2017-04-26 17:46:18.0 -1000
@@ -1,13 +1,13 @@
 From: =?utf-8?q?David_Pr=C3=A9vot?= <da...@tilapin.org>
-Date: Thu, 10 Mar 2016 19:17:47 -0400
+Date: Tue, 25 Apr 2017 15:07:50 -1000
 Subject: Update security screen
 
 ---
- config/ecran_securite.php | 164 +++---
- 1 file changed, 98 insertions(+), 66 deletions(-)
+ config/ecran_securite.php | 187 +-
+ 1 file changed, 120 insertions(+), 67 deletions(-)
 
 diff --git a/config/ecran_securite.php b/config/ecran_securite.php
-index 36b0044..0bd8e65 100644
+index 36b0044..ba47691 100644
 --- a/config/ecran_securite.php
 +++ b/config/ecran_securite.php
 @@ -5,7 +5,7 @@
@@ -15,7 +15,7 @@
   */
  
 -define('_ECRAN_SECURITE', '1.1.9'); // 2014-03-13
-+define('_ECRAN_SECURITE', '1.2.4'); // 2016-03-10
++define('_ECRAN_SECURITE', '1.3.0'); // 2017-03-06
  
  /*
   * Documentation : http://www.spip.net/fr_article4200.html
@@ -46,7 +46,7 @@
  	// UA plus cibles
 -	. '80legs|accoona|AltaVista|ASPSeek|Baidu|Charlotte|EC2LinkFinder|eStyle|Google|INA dlweb|Java VM|

Bug#858086: RM: owncloud/7.0.4+dfsg-4~deb8u4

2017-03-17 Thread David Prévot
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

Hi,

As discussed with the security team, please remove owncloud from stable:
we’re not able to maintain this version on our own anymore, especially
since we had to give up our efforts to provide it for Stretch.

Please note that a fair amount of related packages won’t be useful
anymore (owncloud-doc and owncloud-apps come to mind, but there are many
PHP classes and few other things that were only packaged for ownCloud).
I can try to draft a complete list if you’re in the mood of mass-rm.

Sorry for the inconvenience, that request comes sooner than what we
expected when we were releasing Jessie.

Regards

David




Bug#857818: spip: broken symlinks: /usr/share/spip/plugins-dist/jquery_ui/prive/javascript/ui/*.js -> ../../../../../../javascript/jquery-ui/ui/jquery.ui.*.js

2017-03-15 Thread David Prévot
Hi Andreas,

Thanks a lot for your report.

On 15/03/2017 02:42, Andreas Beckmann wrote:
> Package: spip
[…]
> during a test with piuparts I noticed your package ships (or creates)
> a broken symlink.
> 
> From the attached log (scroll to the bottom...):
> 
> 1m5.5s ERROR: FAIL: Broken symlinks:
>   /usr/share/spip/plugins-dist/jquery_ui/prive/javascript/ui/widget.js -> 
> ../../../../../../javascript/jquery-ui/ui/jquery.ui.widget.js
[…]
> libjs-jquery-ui has /usr/share/javascript/jquery-ui/ui/widget.js
> but no jquery.ui.widget.js ...

Great, I missed that libjs-jquery-ui changed again its layout… Do you
believe it’s worth fixing for Stretch (I hadn’t noticed any problem yet,
but can only assume there are usability issues without jquery-ui
properly available)?

Will perform some more tests if we’re going the road of freeze exception.

Regards

David





Bug#857421: Many plugins are lost since Jessie

2017-03-10 Thread David Prévot
Package: kipi-plugins
Version: 4:5.3.0-1
Severity: important

Hi,

Thank you for taking care of these plugins!

More than half the plugins advertised in the package description
(including BatchProcess) seem to have been lost after an upgrade from
Jessie to Stretch. Indeed, only 15 of them seem available while over 30
are still present in the package description. Note that we’re using
these plugins via gwenview, in case it matters

Is there any way to have them back (even individually) in a Stretch
system (is it a packaging or an upstream issue? I couldn’t find much
information after a quick look in the changelogs)?

At worst, you may wish to update the list in the package description,
and maybe add a NEWS entry describing the situation.

Regards

David

-- System Information:
Debian Release: 9.0
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (500, 'testing'), 
(500, 'stable'), (100, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.10.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages kipi-plugins depends on:
ii  digikam-private-libs  4:5.3.0-1
ii  kio                   5.28.0-1
ii  kipi-plugins-common   4:5.3.0-1
ii  libc6                 2.24-9
ii  libkf5archive5        5.28.0-1
ii  libkf5completion5     5.28.0-1
ii  libkf5configcore5     5.28.0-1
ii  libkf5configgui5      5.28.0-1
ii  libkf5configwidgets5  5.28.0-1
ii  libkf5coreaddons5     5.28.0-1
ii  libkf5i18n5           5.28.0-1
ii  libkf5kiocore5        5.28.0-1
ii  libkf5kiowidgets5     5.28.0-1
ii  libkf5kipi31.0.0      4:16.08.2-1
ii  libkf5windowsystem5   5.28.0-1
ii  libkf5xmlgui5         5.28.0-1
ii  libqt5core5a          5.7.1+dfsg-3+b1
ii  libqt5gui5            5.7.1+dfsg-3+b1
ii  libqt5network5        5.7.1+dfsg-3+b1
ii  libqt5printsupport5   5.7.1+dfsg-3+b1
ii  libqt5widgets5        5.7.1+dfsg-3+b1
ii  libqt5xml5            5.7.1+dfsg-3+b1
ii  libqt5xmlpatterns5    5.7.1~20161021-3
ii  libstdc++6            6.3.0-8

Versions of packages kipi-plugins recommends:
ii  enblend                          4.2-2
ii  enfuse                           4.2-2
ii  hugin                            2016.2.0+dfsg-1
ii  imagemagick                      8:6.9.7.4+dfsg-2
ii  imagemagick-6.q16 [imagemagick]  8:6.9.7.4+dfsg-2
ii  konqueror                        4:16.08.3-1
ii  minidlna                         1.1.6+dfsg-1

Versions of packages kipi-plugins suggests:
ii  gimp          2.8.20-1
ii  kmail         4:16.04.3-3
ii  vorbis-tools  1.4.0-10+b1

-- no debconf information




Bug#816664: [Pkg-owncloud-maintainers] Bug#816664: Useless in Debian

2017-02-20 Thread David Prévot
Control : retitle -1 Useless in Stretch

On 23/12/2016 13:41, Balint Reczey wrote:
> On Thu, 3 Mar 2016 15:18:51 -0400 David =?iso-8859-1?Q?Pr=E9vot?=
>  wrote:
>> Package: libjs-soundmanager2
>> Version: 2.97a.20150601+dfsg-1
>> Severity: serious
>>
>> [ Filed as an RC-bug by the maintainer to see the package auto-removed
>>   from testing. ]
[…]
> Please keep the package in Debian for at least Stretch.
> 
> Kodi upstream recently switched to a new web interface which uses
> soundmanager2 and to provide the same web interface in Debian I need to
> have it packaged.

That didn’t happen in time for Stretch.

Regards

David





Bug#854592: [pkg-php-pear] Bug#854592: dokuwiki: Unable to login, missing usr/share/php/Crypt/AES.php

2017-02-13 Thread David Prévot


Hi,

On 13/02/2017 06:21, Joost van den Berg wrote:

> unfortunately the patch does not solve the problem.
> I believe that the patch generates the wrong
> links to phpseclib/Crypt/AES.php instead of
> ../phpseclib/Crypt/AES.php .

Then it sounds like this bug was incorrectly reassigned to
php-phpseclib: either dokuwiki should depend on version 1 of phpseclib
via the php-seclib package and have the files where expected, or it is
able to use version 2 via the php-phpseclib package installed where it
belongs. In any way, please, do keep both packages installable together,
the proposed patch is not acceptable.

Either way, dokuwiki should be able to use the provided autoloader:
- /usr/share/php/phpseclib/autoload.php for php-phpseclib
- /usr/share/php/phpseclib.autoloader.php for php-seclib

Regards

David





Bug#851289: O: soundmanager2

2017-01-13 Thread David Prévot
Package: wnpp
Severity: normal

Following up from #816664. Balint, I can’t see any new
reverse-dependency on soundmanager2, do you actually expect one to be
part of Stretch?

Regards

David




Bug#850646: [copyright-format] Allow https version of Format URI

2017-01-08 Thread David Prévot
Hi,

On 08/01/2017 at 09:42, Russ Allbery wrote:

> […] the Format
> URI for the current copyright-format document is actually a redirect.

Nitpicking: it’s actually not a real redirect. Fetching it directly
(e.g., using wget) works via plain HTTP.

Regards.

David





Bug#814030: Security flaw fixed in version 6.2.0

2017-01-05 Thread David Prévot
Hi,

I just add maintainer and uploader to the loop. Hopefully, they should
know something about the package/code/issue.

On 04/01/2017 at 21:42, Salvatore Bonaccorso wrote:

> On Sun, Mar 27, 2016 at 01:33:01PM +0200, Moritz Mühlenhoff wrote:
>> On Sun, Feb 07, 2016 at 02:28:04PM -0400, David Prévot wrote:
>>> Package: php-tcpdf
>>> Version: 6.0.093+dfsg-1
>>> Severity: serious
>>> Tags: security upstream
>>>
>>> According to their changelog [1], upstream fixed a security issue over a
>>> year ago:
>>>
>>> 6.2.0 (2014-12-10)
>>> - Bug #1005 "Security Report, LFI posting internal files externally 
>>> abusing default parameter" was fixed.
>>>
>>> 1: https://sourceforge.net/p/tcpdf/code/ci/master/tree/CHANGELOG.TXT
>>>
>>> The upstream bug report [2] is not public, so I don’t have much
>>> information about the issue, the fix, nor its actual severity.
>>>
>>> 2: https://sourceforge.net/p/tcpdf/bugs/1005/
>>
>> Can you contact upstream for information on this security bug? I have
>> no idea what that could possibly mean.
> 
> Did you get any information on that from upstream? The bug is still
> closed, so does not really help.
> 
> Regards,
> Salvatore






Bug#816664: libjs-soundmanager2 in Debian [Was: Bug#816664: Useless in Debian]

2016-12-23 Thread David Prévot
Hi Balint,

On 23/12/2016 at 13:41, Balint Reczey wrote:

> Please keep the package in Debian for at least Stretch.
>
> Kodi upstream recently switched to a new web interface which uses
> soundmanager2 and to provide the same web interface in Debian I need to
> have it packaged.

Please, consider stepping up for its maintenance (or at least orphan it
on my behalf since my reportbug setup is a mess while I’m traveling).

Regards

David





Bug#847156: [Spip-maintainers] Bug#847156: spip: CVE-2016-9152

2016-12-05 Thread David Prévot
Hi Salvatore,

Thanks for the report,

On 05/12/2016 at 20:11, Salvatore Bonaccorso wrote:

> the following vulnerability was published for spip.
> 
> CVE-2016-9152[0]:
> cross-site scripting
[…]
> [0] https://security-tracker.debian.org/tracker/CVE-2016-9152
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9152

I was about to ask where did you find the link between the CVE entry and
the commit, but my search engine was quicker to answer ;).

FYI, a few other security-oriented commits are being staged for the next
upstream release (coming soon), and the previous fixes that already made
it in a “recent” DLA are still waiting for an upstream ack (they
recently acknowledged on IRC that they have to reply to us).

Regards

David





Bug#817751: [pkg-php-pear] Bug#817754: google-auth-library-php in unstable prevents removal of src:php5

2016-11-28 Thread David Prévot
Hi,

On 27/11/2016 at 23:31, Ondřej Surý wrote:
> Different package and bug, but same email. Please sort it out.

CCing Benoit who expressed interest in those libraries: if you are still
interested in having php-google-auth and php-google-api-php-client in
Debian, now would be a good time to step up before they get removed from
the archive.

Regards

David





Bug#845708: O: libjs-chosen -- select box enhancer for jQuery and Prototype

2016-11-25 Thread David Prévot
Package: wnpp
Severity: normal
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org,
haskell-hoo...@packages.debian.org

I intend to orphan the libjs-chosen package.

The package description is:
 Chosen is a JavaScript plugin that makes long, unwieldy select boxes
 more user-friendly.

Context in #818561, not sure the package is usable anymore (#797166).





Bug#818561: Useless in Debian

2016-10-31 Thread David Prévot
Hi Axel, haskell-hoogle maintainers,

On 31/10/2016 at 13:25, Axel Beckert wrote:
> David Prévot wrote:
>> Package: libjs-chosen
>> Version: 0.9.11-2
>> Severity: serious
>> Tags: sid stretch
>>
>> [ Filed as an RC-bug by the maintainer to see the package auto-removed
>>   from testing. ]
>>
>> I packaged libjs-chosen as used by owncloud, but owncloud is going away,
>> see #816376. There is a priori little point to ship libjs-chosen in the
>> next Debian stable release.

> JFTR: The recent hoogle update pulled this in. So it seems no more
> useless but now even has reverse dependencies again. :-)

Thank you Axel for the heads up. I guess someone (maybe from the
hoogle team) will want to take over the maintenance. Feel free to remove
me from Uploaders when you do.

Regards

David





Bug#842130: Useless in Stretch

2016-10-26 Thread David Prévot
Package: libjs-ie7
Version: 2.1~beta4-2
Severity: serious
Tags: sid stretch
X-Debbugs-CC: s...@packages.debian.org

[ Filed with RC-severity by the maintainer to see it removed from
  testing. ]

libjs-ie7 was packaged as a dependency for spip, but the dependency has
recently been dropped (in version 3.1, now available in Sid and
Stretch). There is little point in keeping libjs-ie7 in Stretch as
nothing uses it anymore.

I intend to ask for removal of this package in a few months. Please do
provide information to this bug report if you disagree with this removal.

Regards

David





Bug#840569: [Pkg-mozext-maintainers] Bug#840569: xul-ext-nosquint is dead, long live nosquint

2016-10-12 Thread David Prévot
Control: severity -1 serious

On 12/10/2016 at 10:35, shirish शिरीष wrote:
> Source: nosquint
> Version: 2.1.9-4
> Severity: important
> 
> Dear Maintainer,
> 
> Nosquint is dead, please remove it

Then let’s use a proper RC-severity so it gets removed from Stretch. If
someone wants to follow up and package something equivalent instead,
please step up before the freeze (i.e., soon).

Regards

David





Bug#840206: [Pkg-mozext-maintainers] Bug#840206: whonix-de...@whonix.org

2016-10-09 Thread David Prévot
Control: retitle -1 Please remove premium proxy advertising page
Control: severity wishlist

Thank you for your report.

On 09/10/2016 at 05:05, ban...@openmailbox.org wrote:
> Package: foxyproxy
> Version: 3.4-1.1

I assume this is still valid for 4.5.6-debian-2.

> Dear maintainer, please consider patching the package source to remove
> the premium proxy advertising page that opens on first start.

Regards

David






Bug#835086: RFP: nextcloud -- self-hosted cloud services

2016-09-22 Thread David Prévot
On 22/09/2016 at 01:08, Sam Hartman wrote:
>> "Xavier" == Xavier Bestel  writes:
> Xavier> Le mardi 20 septembre 2016 à 19:38 +0200, Moritz Mühlenhoff

> >> > * Package name: nextcloud

> >> Nack. It's not an important package if we can't support it
> >> properly.  Let's not repeat the owncloud disaster.
> 
> Xavier> OK, I understand the "official" debian point of view.
> 
> I don't think this is an official Debian POV, simply the opinion of some
> Debian contributors...

Moritz is an active and well known member of the security team. As the
current (or previous…) almost only maintainer of owncloud in Debian, I
do agree with this (strong) advice.

The current ownCloud upstream maintainers reached back to us a few
months ago and are willing to help (or at least not be as obnoxious as
the ones who drove the package away from Debian, and are now gone in the
nextcloud fork team). If someone wants the owncloud package back, I
suggest them to join the current packaging team and eventually take over.

Regards

David





Bug#835902: Useless in Debian

2016-08-29 Thread David Prévot
Package: php-zend-db
Version: 2.8.1-1
Severity: serious
X-Debbugs-CC: gale...@packages.debian.org

[ Filed with RC-severity by the maintainer to see it removed from
  testing. This package is not part of Jessie. ]

php-zend-db was recently packaged as a dependency for galette, but
galette has been removed from testing. There is little point in keeping
php-zend-db in shape for Stretch if nothing uses it. Feel free to remove
this bug (and be welcome to take the package over) once galette (or any
other package depending on php-zend-db) is ready for a Debian release.

Regards

David





Bug#835704: [Pkg-javascript-devel] Bug#835704: It's mostly fixed already!

2016-08-28 Thread David Prévot
Control: reassign -1 node-ast-types
Control: affects -1 node-ast-utils
Control: done -1 0.9.0-2

Hi,

Le 28/08/2016 à 09:08, Julien Puydt a écrit :

> today's upload of node-ast-types 0.9.0-2 fixes this problem in
> node-ast-utils (and all its rdepends).
> 
> I don't know how to say to control@bugs.d.o that a problem in a package
> is fixed by an upload of another.

That should do.

Regards

David





Bug#834479: xul-ext-* (Was: Bug#834480: jessie-pu: package mozilla-noscript/2.9.0.11-1~deb8u1)

2016-08-28 Thread David Prévot
Hi,

Le 28/08/2016 à 04:09, Adam D. Barratt a écrit :
> Control; tags -1 + confirmed
[…]
> Oh, how I've missed Firefox plugin updates. :-|

Same here :/

> Please go ahead.

Thanks, all uploaded.

Regards

David





Bug#831418: #831418 EOL: not to be released with Stretch

2016-08-21 Thread David Prévot
Control: severity -1 serious

Le 21/08/2016 à 02:26, Markus Frosch a écrit :
> On 25.07.2016 13:11, Markus Frosch wrote:

>> this is an interesting problem, while looking on the 3 dependent packages. 
>> (see below)
>>
>> We have 3 choices to go on:
>>
>> 1. Still provide zendframework 1 in a separated path, so it won't conflict 
>> with ZF2/3
>> 2. Embed needed code into the packages, and drop the full library

Both those proposals are not acceptable now that upstream dropped
security support for it. Given the amount of security issues patched
into zendframework regularly (we’ve made six stable updates since Jessie
has been released, three or four via a DSA), keeping part of its code in
the archive without anyone to audit the code is not an option IMO. Maybe
the security team will have another opinion about it, but I believe they
are relying on the maintainers for those PHP classes.

>> 3. Remove all 3 packages from stretch

4. Wait for (or help) upstream to move away from deprecated code.

> I'd prefer not to remove zendframework from Debian.
> 
> Downgrading bug to important.

Please, don’t hide issues. There is still time right now to get the
reverse dependencies in shape for Stretch, waiting for the freeze won’t
help anyone.

Regards

David





Bug#834906: [Pkg-mozext-maintainers] Bug#834906: xul-ext-adblock-plus: please support conkeror

2016-08-20 Thread David Prévot
Control: tag -1 upstream

Hi David,

Thank you for your report.

Le 20/08/2016 à 04:15, David Bremner a écrit :
> Package: xul-ext-adblock-plus
> Version: 2.7.3+dfsg-1
> Severity: wishlist
[…]
> I know very little about mozilla extensions, but I _think_ it just
> needs an entry in
> 
> /usr/share/mozilla/extensions/{a79fe89b-6662-4ff4-8e88-09950ad4dfde}

Whatever the fix is, I guess it is worth pushing it upstream. Can you
open (or is there already) an issue upstream about it?

Regards

David





Bug#827277: [Pkg-mozext-maintainers] Bug#827277: xul-ext-firegestures: Gesture database empty with firefox-esr

2016-08-15 Thread David Prévot
Control: fixed -1 1.10.9-1

Hi Christopher,

Thank you for your report.

Le 14/06/2016 à 04:05, Christopher Wellons a écrit :
> Package: xul-ext-firegestures
> Version: 1.8.7-1

> When used with the new firefox-esr, the gesture database is empty and
> the built-in gestures are unavailable.

Looks like the latest stable version in Debian Stretch (and Sid) is not
affected, so I’ll ask the release team for another stable update.

Regards

David





Bug#834484: jessie-pu: package firegestures/1.10.9-1~deb8u1

2016-08-15 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-CC: pkg-mozext-maintain...@lists.alioth.debian.org

[ Yet another xul-ext-* RC-buggy package in stable. It wasn’t properly
  triaged, sorry for my initial overlook. ]

Hi,

The latest firefox major update in stable broke firegestures (#827277).
The latest version of firegestures in Debian (1.10.9) is known to work
with it, and has been in Sid and Stretch for a while. Unfortunately, the
debdiff against the version in Jessie is big (50 files changed, 1216
insertions(+), 303 deletions(-) while ignoring all spaces and blank lines)…

I’m simply attaching the debdiff against Sid (adding a changelog entry).
The package, rebuilt in a Jessie chroot, has been successfully tested in
Jessie.

Regards

David
diff --git a/debian/changelog b/debian/changelog
index 0c6f48b..cf52cbf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+firegestures (1.10.9-1~deb8u1) jessie; urgency=medium
+
+  * Upload compatible version with recent Firefox in Jessie (Closes: #827277)
+
+ -- David Prévot <taf...@debian.org>  Mon, 15 Aug 2016 18:49:34 -1000
+
 firegestures (1.10.9-1) unstable; urgency=medium
 
   * Team upload
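Review bot: the single bullet in the new 1.10.9-1~deb8u1 entry says "Upload compatible version with recent Firefox in Jessie" but does not say that the upload is the unstable 1.10.9-1 package rebuilt for jessie. Saying so in the bullet, for example "Rebuild 1.10.9-1 from unstable for jessie", lets a changelog reader see that this is a new upstream release and not a targeted patch.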




Bug#834483: jessie-pu: package tabmixplus/0.5.0.0-1~deb8u1

2016-08-15 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

[ Note: This is the first out of four similar requests for xul-ext-*
packages ]

Hi,

The latest firefox major update in stable broke tabmixplus again
(#826995). The latest stable version of tabmixplus in Debian (0.5.0.0)
is known to work with it, and has been in Sid and Stretch for a while.
Unfortunately, the debdiff against the version in Jessie is again quite
insane (293 files changed, 9739 insertions(+), 6153 deletions(-) while
ignoring all spaces and blank lines)…

I’m simply attaching the debdiff against Sid (mostly adding a changelog
entry). The package, rebuilt in a Jessie chroot, has been successfully
tested in Jessie.

Regards

David
diff --git a/debian/changelog b/debian/changelog
index c188c5d..93c8a2d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+tabmixplus (0.5.0.0-1~deb8u1) jessie; urgency=medium
+
+  * Upload compatible version with recent Firefox in Jessie (Closes: #826995)
+
+ -- David Prévot <taf...@debian.org>  Mon, 15 Aug 2016 16:34:54 -1000
+
 tabmixplus (0.5.0.0-1) unstable; urgency=medium
 
   * Upload stable version to unstable
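Review bot: the new 0.5.0.0-1~deb8u1 entry has one bullet about Firefox compatibility, yet the same debdiff also inserts a 0.4.1.8-1~deb8u1 entry further down the changelog and adds debian/gbp.conf. A second bullet recording the merge of the jessie branch would account for those changes.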
@@ -96,6 +102,12 @@ tabmixplus (0.4.1.9~150703a1-1) experimental; urgency=medium
 
  -- David Prévot <taf...@debian.org>  Sun, 05 Jul 2015 10:53:40 -0400
 
+tabmixplus (0.4.1.8-1~deb8u1) jessie; urgency=medium
+
+  * Track the jessie branch
+
+ -- David Prévot <taf...@debian.org>  Fri, 14 Aug 2015 17:03:55 +0200
+
 tabmixplus (0.4.1.8-1) unstable; urgency=medium
 
   * Upload stable version to unstable
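Review bot: the inserted 0.4.1.8-1~deb8u1 entry ("Track the jessie branch") records a repository change, not a change to the package, and it is dated 14 Aug 2015, later than the 0.4.1.9~150703a1-1 entry that now sits above it (05 Jul 2015). If that version was never uploaded to jessie, folding its bullet into the 0.5.0.0-1~deb8u1 entry would keep the changelog to versions that existed in the archive.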
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 000..fae4302
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = jessie
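Review bot: debian/gbp.conf sets only debian-branch = jessie, which suits this branch but would make gbp expect the jessie branch if the file were ever merged back into the unstable packaging. A comment line in the file saying it is jessie-only would guard against that.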




Bug#834482: jessie-pu: package adblock-plus/2.7.3+dfsg-1~deb8u1

2016-08-15 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-CC: pkg-mozext-maintain...@lists.alioth.debian.org

Hi,

The latest firefox major update in stable broke adblock-plus (#829267).
The latest version of adblock-plus in Debian (2.7.3) is known to work
with it, and has been in Sid and Stretch for a while. Unfortunately, the
debdiff against the version in Jessie is pretty insane (611 files
changed, 21429 insertions(+), 6423 deletions(-) while ignoring all
spaces and blank lines, as well as most renamed and moved files)…

I’m simply attaching the debdiff against Sid (adding a changelog entry).
The package, rebuilt in a Jessie chroot, has been successfully tested in
Jessie.

This is the last of the four currently RC-buggy packages in stable from
the xul-ext-* team I’m aware of. Hopefully no other should pop up
(Firefox has been in Jessie for a little while now). Thanks in advance
for accepting them for the next point release.

Regards

David
diff --git a/debian/changelog b/debian/changelog
index ebfb4a3..642abe0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+adblock-plus (2.7.3+dfsg-1~deb8u1) jessie; urgency=medium
+
+  * Upload compatible version with recent Firefox in Jessie (Closes: #829267)
+
+ -- David Prévot <taf...@debian.org>  Mon, 15 Aug 2016 16:53:49 -1000
+
 adblock-plus (2.7.3+dfsg-1) unstable; urgency=medium
 
   [ Wladimir Palant ]
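Review bot: the version in the new entry, 2.7.3+dfsg-1~deb8u1, reuses the repacked upstream version 2.7.3+dfsg, so the upload has to ship the same orig tarball that 2.7.3+dfsg-1 has in unstable. A freshly repacked tarball with a different checksum would be rejected by the archive, so it is worth checking that before the upload.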




Bug#834480: jessie-pu: package mozilla-noscript/2.9.0.11-1~deb8u1

2016-08-15 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

The latest firefox major update in stable broke noscript (#826896).
The latest version of noscript in Debian (2.9.0.11) is known to work
with it, and has been in Sid and Stretch for a while. Unfortunately, the
debdiff against the version in Jessie is quite insane (169 files
changed, 3584 insertions(+), 1594 deletions(-) while ignoring all spaces
and blank lines)…

I’m simply attaching the debdiff against Sid (adding a changelog entry).
The package, rebuilt in a Jessie chroot, has been successfully tested in
Jessie.

Regards

David
diff --git a/debian/changelog b/debian/changelog
index 62fec8b..40171aa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+mozilla-noscript (2.9.0.11-1~deb8u1) jessie; urgency=medium
+
+  * Upload compatible version with recent Firefox in Jessie (Closes: #826896)
+
+ -- David Prévot <taf...@debian.org>  Mon, 15 Aug 2016 16:45:33 -1000
+
 mozilla-noscript (2.9.0.11-1) unstable; urgency=medium
 
   * Drop Iceape and Iceweasel from description
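Review bot: the 2.9.0.11-1 entry that this rebuild sits on (the context line under the new entry) drops Iceape and Iceweasel from the package description, and the new 2.9.0.11-1~deb8u1 entry is silent about it. Please confirm that the changed description is what jessie users should see, and add a bullet for it if so.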




Bug#834479: jessie-pu: package greasemonkey/3.8-1~deb8u1

2016-08-15 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

The latest firefox major update in stable broke greasemonkey (#828622).
The latest stable version of greasemonkey in Debian (3.8) is known to
work with it, and has been in Sid and Stretch for a while.
Unfortunately, the debdiff against the version in Jessie is quite insane
(252 files changed, 6416 insertions(+), 3144 deletions(-) while ignoring
all spaces and blank lines)…

I’m simply attaching the debdiff against Sid (adding a changelog entry).
The package, rebuilt in a Jessie chroot, has been successfully tested in
Jessie.

Regards

David
diff --git a/debian/changelog b/debian/changelog
index 5c62a31..42b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+greasemonkey (3.8-1~deb8u1) jessie; urgency=medium
+
+  * Upload compatible version with recent Firefox in Jessie (Closes: #828622)
+
+ -- David Prévot <taf...@debian.org>  Sat, 16 Jul 2016 08:54:01 -0400
+
 greasemonkey (3.8-1) unstable; urgency=medium
 
   * Team upload, to unstable since it’s a stable release
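Review bot: the trailer of the new 3.8-1~deb8u1 entry is dated Sat, 16 Jul 2016, a month before this request, while the other xul-ext uploads filed the same day carry 15 Aug 2016 dates. If the package was rebuilt since July, refreshing the trailer before the upload keeps the changelog date in line with what was tested.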




Bug#825749: xul-ext-foxyproxy-standard: foxyproxy cannot be installed if icedove 45 is present

2016-07-16 Thread David Prévot
Control: unmerge -1 with 827170
Control: reopen -1
Control: reassign -1 icedove 1:45.1.0-1

Hi Christoph and all,

On Sun, May 29, 2016 at 09:50:40AM -0400, Robbie Harwood wrote:
> Package: xul-ext-foxyproxy-standard
> Version: 4.5.6-debian-1
> Severity: important
> 
> Dear Maintainer,
> 
> It is currently not possible to have both xul-ext-foxyproxy-standard and
> icedove 45.1.0-1 (i.e., the icedove from sid) present on the same system:
> 
> ```
> $ aptitude -s install -t unstable icedove
[…]
> The following packages have unmet dependencies:
>  icedove : Breaks: xul-ext-foxyproxy-standard (> 3.4-1) but 4.5.6-debian-1 is 
> installed.
> The following actions will resolve these dependencies:
> 
> Remove the following packages:
> 1) xul-ext-foxyproxy-standard

Since 4.5.6-debian-2, xul-ext-foxyproxy-standard is not available (thus
does not show up) in Icedove/Thunderbird anymore (since #827170 has been
fixed), so please, do change the
Breaks: […] xul-ext-foxyproxy-standard (>> 3.4-1)
into
Breaks: xul-ext-foxyproxy-standard (<< 4.5.6-debian-2~)
If a fix for #820026 is also needed for stable, we can provide a version
3.4-1.1+deb8u1 including a similar patch to 827170 (and of course, the
Break will need to be changed against “<< 3.4-1.1+deb8u1~”).

Regards

David
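
The trailing tilde in the proposed Breaks bounds matters because of how dpkg orders version strings. The sketch below is an added example (not code from this thread or from dpkg): it re-implements the ordering rules from Debian Policy and applies them to the versions quoted in the message above. The function names and the `4.5.6-debian-2~bpo8+1` backport version are constructed for illustration.

```python
import re


def _order(ch):
    """Sort weight of one non-digit character."""
    if ch == "~":
        return -1           # tilde sorts before everything, even end of string
    if ch == "":
        return 0            # end of this part of the version
    if ch.isalpha():
        return ord(ch)      # letters sort before other punctuation
    return ord(ch) + 256    # '+', '.', '-' and similar


def _cmp_part(a, b):
    """Compare two upstream or revision strings; return -1, 0 or 1."""
    while a or b:
        # 1. Leading non-digit runs, character by character.
        na = re.match(r"[^0-9]*", a).group()
        nb = re.match(r"[^0-9]*", b).group()
        for i in range(max(len(na), len(nb))):
            oa = _order(na[i] if i < len(na) else "")
            ob = _order(nb[i] if i < len(nb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[len(na):], b[len(nb):]
        # 2. Leading digit runs, compared as numbers (so 10 > 8).
        da = re.match(r"[0-9]*", a).group()
        db = re.match(r"[0-9]*", b).group()
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def split_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, colon, rest = version.partition(":")
    if not colon:
        epoch, rest = "0", version
    upstream, dash, revision = rest.rpartition("-")
    if not dash:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 following the Debian version ordering."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


_RELATIONS = {
    "<<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    "=": lambda c: c == 0,
    ">=": lambda c: c >= 0,
    ">>": lambda c: c > 0,
}


def satisfies(installed, relation, bound):
    """True if 'installed' matches a relation such as Breaks: pkg (<< bound)."""
    return _RELATIONS[relation](compare_versions(installed, bound))


# (installed foxyproxy version, relation, bound in icedove's Breaks)
CASES = [
    ("4.5.6-debian-1", ">>", "3.4-1"),                    # current Breaks
    ("4.5.6-debian-1", "<<", "4.5.6-debian-2~"),          # proposed Breaks
    ("4.5.6-debian-2", "<<", "4.5.6-debian-2~"),          # fixed upload
    ("4.5.6-debian-2~bpo8+1", "<<", "4.5.6-debian-2~"),   # constructed backport
    ("4.5.6-debian-2~bpo8+1", "<<", "4.5.6-debian-2"),    # same, bound without ~
    ("3.4-1.1", "<<", "3.4-1.1+deb8u1~"),                 # stable, unfixed
    ("3.4-1.1+deb8u1", "<<", "3.4-1.1+deb8u1~"),          # stable, fixed
]


def evaluate(cases=CASES):
    """Return (installed, relation, bound, broken?) for every case."""
    return [(i, r, b, satisfies(i, r, b)) for i, r, b in cases]


if __name__ == "__main__":
    for installed, relation, bound, broken in evaluate():
        state = "BROKEN" if broken else "ok"
        print(f"{installed:24} ({relation} {bound}): {state}")
```

On a Debian system, `dpkg --compare-versions` gives the authoritative answer for any pair of versions.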




Bug#831418: EOL: not to be released with Stretch

2016-07-15 Thread David Prévot
Source: zendframework
Severity: serious
Tags: security sid stretch

Hi,

Upstream recently stated [0] that “Zend Framework 1 reaches its End of
Life (EOL) […] on 28 September 2016.”

0: https://framework.zend.com/blog/2016-06-28-zf1-eol.html

Therefore, we should not release it with Stretch (and we’ll do our best
to support it during Jessie lifetime). Reverse dependencies already had
an important bug report about zendframework removal for Stretch a while
ago.

Regards

David




Bug#819900: [Pkg-mozext-maintainers] Bug#819900: Configuration page doesn't work on Firefox 45.0.1

2016-07-13 Thread David Prévot
Hi Evgeny,

Le 13/07/2016 à 13:50, Evgeny Kapun a écrit :
> Control: tags -1 - upstream
> 
> Looks like the problem is caused by the file
>  being not found.

Thanks a lot for the debugging and the explanations! I’ll try to fix it
ASAP (but it may be a while before I have some time for that).

Regards

David





Bug#829764: [pkg-php-pear] Bug#829764: php-monolog: add stage1 and nocheck build profiles

2016-07-05 Thread David Prévot
Control: tag -1 pending

Le 05/07/2016 à 20:13, Nish Aravamudan a écrit :
> On 05.07.2016 [16:51:48 -0400], David Prévot wrote:
>> Le 05/07/2016 à 16:19, Nishanth Aravamudan a écrit :
>>> Package: php-monolog
>> […]
>>>   *  Add nocheck and stage1 build profiles.
>>
>> Thanks for your patch. Please, do commit it directly:

> Done, looking at master's history, I believe you'll take care of the
> corresponding changelog entry?

Thanks! Indeed, “gbp dch” will take care of the changelog.

Regards

David





Bug#829764: [pkg-php-pear] Bug#829764: php-monolog: add stage1 and nocheck build profiles

2016-07-05 Thread David Prévot
Hi Nishanth,

Le 05/07/2016 à 16:19, Nishanth Aravamudan a écrit :
> Package: php-monolog
[…]
>   *  Add nocheck and stage1 build profiles.

Thanks for your patch. Please, do commit it directly: I have no way to
test it nor any setup to maintain it anyway, besides being able to
revert it in case it breaks (broken) expectations in Debian infrastructure.

Regards

David





Bug#827695: [pkg-php-pear] Bug#827695: zendframework: Rename zend-framework in Ubuntu to allow for a package sync

2016-06-19 Thread David Prévot
Hi,

Le 19/06/2016 à 15:35, Nishanth Aravamudan a écrit :
> Package: zendframework
> Version: 1.12.18+dfsg-1
[…]
> I am hoping to get rid of the Ubuntu zend-framework package and simply
> sync the zendframework package from Debian. 

I’m not clear about why Debian should carry Ubuntu-specific hacks for
Ubuntu-specific transitions. Why not simply make those changes directly
in the zend-framework Ubuntu-specific package?

zendframework is targeted for removal ASAP anyway. Any help into fixing
the current reverse dependencies would be welcome, some bugs already
filed are affecting zendframework, maybe more need to be filed.

https://bugs.debian.org/zendframework

Regards

David





Bug#827698: Depends on zendframework, but zendframework is going away

2016-06-19 Thread David Prévot
Package: php-letodms-lucene
Version: 1.1.1-2
Severity: important
Control: affects -1 zendframework

Hi,

php-letodms-lucene depends on zendframework (version 1), but this
package is unlikely to make it in Stretch: we intend to ship version 3
of zendframework, that is maintained in separate packages (associated
with separate upstream components). We’d thus like to get rid of the
zendframework package as soon as possible now that Jessie got released.

I’ve not looked at how Zend is actually used, but feel free to point it
new packages that will be needed in order to ensure smooth upgrade.

Do not hesitate to stay in touch with the Debian PHP PEAR Maintainers
team  if you need any help moving
forward.

Regards

David




Bug#827483: [pkg-horde] Bug#827483: php-horde-mapi: fix autopkgtest errors

2016-06-18 Thread David Prévot
Hi,

Le 18/06/2016 à 16:32, Mathieu Parent a écrit :

> Some other things may break, but I'll still vote for this patch,
> as only 6 packages depend on it.
> 
> David, what do you think?

I disagree, and stand by what I’ve written in the last changelog entry:

  Actually fixing the constructors requires to also fix all their calls,
  both internally and externally. This backward-incompatible change has
  been achieved in version 2 of phpseclib, packaged in Debian as
  php-phpseclib to ensure co-installability. (Closes: #819420)

From http://phpseclib.sourceforge.net/:

  The 2.0 branch has pretty much the exact same API as the 1.0 branch,
  save for that it is namespaced, uses PHP5-style constructors (thereby
  avoiding E_DEPRECATED errors) and requires the use of an autoloader.

A proper fix to the deprecated constructor syntax is maintained
upstream, provided in Debian via php-phpseclib (version 2). If you want
to use it, you should depend on php-phpseclib instead of php-seclib
(helping various upstreams to move away from version 1 to version 2 will
probably be a better use of our collective time than patching the
version 1 ourselves).

Regards

David





Bug#816389: transition: php7.0

2016-06-15 Thread David Prévot
Hi,

Le 15/06/2016 à 03:56, Ondřej Surý a écrit :
> - php-guzzle - seems fixed to me, but dak still wants to remove the
> package

Code is PHP5-specific, it’s superseded by php-guzzlehttp. None of them
should be released in Stretch, so it’s perfectly fine to see it go away.

Regards

David





Bug#826896: [Pkg-mozext-maintainers] Bug#826896: xul-ext-noscript: incompatible with firefox-esr in jessie

2016-06-10 Thread David Prévot
Hi Vagrant,

Le 10/06/2016 à 01:30, Vagrant Cascadian a écrit :

> FWIW, I also did the same with xul-ext-tabmixplus, though I should
> probably report a separate bug about that...

Please do: the team is pretty low in human power currently: bug reports
will help tracking the issues. Having multiple actors on them will help
explaining the need of a fix to the release team.

Regards

David





Bug#826896: xul-ext-noscript: incompatible with firefox-esr in jessie

2016-06-09 Thread David Prévot
Hi Vagrant,

On Thu, Jun 09, 2016 at 03:39:00PM -0700, Vagrant Cascadian wrote:
> Package: xul-ext-noscript
> Version: 2.6.9.3-1

> Apparently, the xul-ext-noscript package in jessie is incompatible
> with the new firefox-esr security update just released.

Thank you for your report.

> I presume this is fixed in stretch/sid versions of xul-ext-noscript.

Can you please check that it does? I just rebuilt it in a Jessie chroot:

https://people.debian.org/~taffit/xul/xul-ext-noscript_2.9.0.11-1~deb8u1_all.deb

Thanks in advance.

Regards

David




Bug#825572: Source only upload [Was: Uploaded to DELAYED/2]

2016-06-07 Thread David Prévot
Hi Mathieu,

On Tue, Jun 07, 2016 at 08:33:43PM +0200, Mathieu Parent wrote:
> 2016-06-07 0:16 GMT+02:00 David Prévot <taf...@debian.org>:

> > FYI, there is now a buildd available for arch:all, so you could have
> > simply dput the _source.changes without any binary package.
> 
> Yes I know. But I don't have yet a simple way to build this
> _source.changes from "gbp buildpackage". how to ?

I guess it depends on what you use behind gbp to actually build the
package. I use pbuilder, and added a hook [1] recently shared by another
DD in order to get both the _amd64.changes (to run lintian, debdiff and
all) as well as the _source.changes for the upload.

1: https://www.corsac.net/?rub=blog=1579

“debuild -S” does the trick too afterward: the binary packages will
anyway be built inside a proper chroot on the buildd system.

Regards

David




Bug#825572: Uploaded to DELAYED/2

2016-06-06 Thread David Prévot
Hi Mathieu,

On Mon, Jun 06, 2016 at 09:50:21PM +0200, Mathieu Parent wrote:

> I've uploaded php-sabre-vobject (2.1.7-3) to DELAYED/2. to fix this RC

Thanks for your update! No need to wait IMHO, so I just ran:

dcut reschedule \
--file=php-sabre-vobject_2.1.7-3_amd64.changes --days=0

FYI, there is now a buildd available for arch:all, so you could have
simply dput the _source.changes without any binary package.

Regards

David




Bug#817751: [pkg-php-pear] Bug#817751: google-api-php-client: diff for NMU version 1.1.7-0.1

2016-06-01 Thread David Prévot
Control: retitle 817751 Useless in Debian

Le 01/06/2016 à 11:50, Nish Aravamudan a écrit :

> I've prepared an NMU for google-api-php-client

Please don’t: this package should not end in a stable release without a
proper maintainer.

Regards

David





Bug#814674: Providing map files in node-es6-shim

2016-05-29 Thread David Prévot
Hi,

Le 29/05/2016 à 02:39, Julien Puydt a écrit :

> In fact, I have already prepared a new version, which can be seen here:
> https://mentors.debian.net/package/node-es6-shim

Thanks! Is it available in some public VCS?

> Does it fix the bug properly?

owncloud(-news) has been removed from the archive in the meantime, so
don’t count on me for some tests, sorry.

Regards

David





Bug#813653: [pkg-php-pear] Bug#813653: Bug#813653: jessie-pu: package symfony/2.3.21+dfsg-4+deb8u3

2016-05-28 Thread David Prévot
Hi,

Le 27/05/2016 à 15:46, Julien Cristau a écrit :
> On Thu, Mar 31, 2016 at 23:43:03 +0200, Daniel Beyer wrote:

>> Can you give a short update regarding the proposed
>> symfony/2.3.21+dfsg-4+deb8u3, fixing CVE-2016-1902?

FYI, it should be dealt with via DSA with other issues soon, we should
close this bug when that happens.

Regards

David





Bug#824507: [Pkg-owncloud-maintainers] Bug#824507: owncloud-client symbol lookup error

2016-05-16 Thread David Prévot
Hi,

> Package: owncloud-client
[…]
> trying to start the client I get this:
>
> leandro@sgorbio:~$ owncloud
> owncloud: symbol lookup error:
> /usr/lib/x86_64-linux-gnu/libowncloudsync.so.0: undefined symbol:
> _ZN9QKeychain16WritePasswordJob6setKeyERK7QString
[…]
> ii  libqtkeychain0 0.6.2-1.1

Where does that come from?

$ rmadison libqtkeychain0
libqtkeychain0 | 0.1.0-2~bpo70+1 | wheezy-backports |
libqtkeychain0 | 0.4.0-1 | stable   |
libqtkeychain0 | 0.4.0-1 | stable-kfreebsd  |
libqtkeychain0 | 0.5.0-1 | testing  |
libqtkeychain0 | 0.5.0-1 | unstable |

Regards

David



Bug#824410: RM: php5-symfony-debug/experimental -- NBS; cruft

2016-05-15 Thread David Prévot
Package: ftp.debian.org
Severity: normal

Hi,

As per #824148: the last symfony uploads got rid of php5-symfony-debug
(arch:any), so only arch:all packages are built now. Version
3.0.4+dfsg-1 of php5-symfony-debug seems to prevent version 3.0.6+dfsg-1
of php-symfony* packages to be available in the archive.

Thanks in advance for your prompt action: version 3.0.6+dfsg-1 contains
security fixes.

Regards

David




Bug#824175: Error: Class '...\PropertyAccess' not found

2016-05-15 Thread David Prévot
Control: tag -1 upstream

On Fri, May 13, 2016 at 01:29:46PM +0200, Antonio Ospite wrote:
> Package: php-symfony-serializer
> Version: 2.8.6+dfsg-1
> Severity: normal
> 
> Dear Maintainer,
> 
> I installed php-symfony-serializer and tried the first example from the
> documentation at
> http://symfony.com/doc/current/components/serializer.html, the code is
> like this:
[…]
> PHP Fatal error:  Uncaught Error: Class 
> 'Symfony\Component\PropertyAccess\PropertyAccess' not found in 
> /usr/share/php/Symfony/Component/Serializer/Normalizer/ObjectNormalizer.php:40

The documentation page you’re referring to already warns about it:

“To use the ObjectNormalizer, the PropertyAccess component must also be
installed.”

> Of course the error goes away if I install the
> php-symfony-property-access package.
> 
> I see that php-symfony-property-access is a suggested package, but I was
> wondering it if should be a dependency or a least a recommended
> package.

This is intended upstream, that only suggests symfony/property-info in
their composer.json file.

https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Serializer/composer.json

Composer documents suggest as follows:

Suggested packages that can enhance or work well with this package. These are
just informational and are displayed after the package is installed, to give
your users a hint that they could add more packages, even though they are not
strictly required.

https://getcomposer.org/doc/04-schema.md#suggest

Debian documents suggests as follows:

This is used to declare that one package may be more useful with one or
more others. Using this field tells the packaging system and the user
that the listed packages are related to this one and can perhaps enhance
its usefulness, but that installing this one without them is perfectly
reasonable.

https://www.debian.org/doc/debian-policy/ch-relationships.html#s-binarydeps

Both Composer and Debian interpretation of suggest seem to match well
enough, so if you believe the relation is too weak, you should try to
convince upstream about it.

http://symfony.com/doc/current/contributing/code/bugs.html
http://symfony.com/doc/current/contributing/code/patches.html

Regards

David




Bug#821044: wheezy-pu: package zendframework/1.11.13-1.1+deb7u6

2016-05-14 Thread David Prévot
Hi,

> Assuming that the resulting package has been tested on wheezy, please go
> ahead.

It just got accepted into oldstable-proposed-updates->oldstable-new,
thanks (and yes, I do use it in some boxes).

Regards

David



Bug#815482: On bug #815482 (localized libjs-moment)

2016-05-14 Thread David Prévot
Hi Julien,

> Could you have a look and tell me if it's ok?

debian/libjs-moment.install contains now:

locale usr/share/javascript/moment/locale

You probably meant:

locale usr/share/javascript/moment

(Assuming you don’t want the locales in
/usr/share/javascript/moment/locale/locale since they seem to be looked up in
('./locale/' + name) according to the code.)

owncloud-news has been removed from the archive in the meantime, so I
don’t have a real testbed to check it further, sorry.

Regards

David



Bug#824148: RM: php5-symfony-debug -- NBS; cruft

2016-05-12 Thread David Prévot
Package: ftp.debian.org
Severity: normal

Hi,

The last symfony uploads got rid of php5-symfony-debug (arch:any), so
only arch:all packages are built now. Version 2.8.4+dfsg-1 [3.0.4+dfsg-1
in experimental] of php5-symfony-debug seems to prevent version
2.8.6+dfsg-1 [3.0.6+dfsg-1 in experimental] of php-symfony* packages to
be available in the archive, and also prevents symfony to migrate into
testing.

Thanks in advance for your prompt action: version 2.8.6+dfsg-1
[3.0.6+dfsg-1 in experimental] contains security fixes.

Regards

David




Bug#824147: RM: php5-twig -- NBS; cruft

2016-05-12 Thread David Prévot
Package: ftp.debian.org
Severity: normal

Hi,

The last twig upload got rid of php5-twig (arch:any), so it only builds
arch:all packages now. Version 1.24.0-1 of php5-twig seems to prevent
version 1.24.0-2 of php-twig* to be available in the archive, and also
prevents twig to migrate into testing.

Thanks in advance.

Regards

David




Bug#823768: Useless in Stretch

2016-05-08 Thread David Prévot
Package: php-jmespath
Version: 2.3.0-2
Severity: serious

[ Filed as an RC-bug by the maintainer to see the package auto-removed
  from testing. ]

I recently packaged php-jmespath as used by php-aws-sdk (in
experimental), but it won’t be part of Stretch as per #821698. There is
a priori little point in shipping php-jmespath in the next Debian stable
release.

Since php-aws-sdk is still in experimental, I don’t intend to request
the removal of this package.

Regards

David




Bug#823683: PHP 7.0 Transition

2016-05-07 Thread David Prévot
Package: php-services-json
Version: 1.0.3-1
Severity: serious
User: pkg-php-ma...@lists.alioth.debian.org
Usertags: php7.0-transition

Hi,

As shown by php7cc, php-services-json contains deprecated PHP 4
constructors. As outlined in #783422, upstream has not been active in
years, so unless that changes, this package should probably not be
shipped in the next Debian stable release.

Regards

David




Bug#823649: libjs-mediaelement: Reflected XSS vulnerability

2016-05-07 Thread David Prévot
Hi,

On Sat, May 07, 2016 at 11:58:22AM +1000, Craig Small wrote:
> Package: libjs-mediaelement
> Version: 2.15.1+dfsg-1
> Severity: important
> Tags: security upstream
> 
> I saw this regarding the wordpress 4.5.2 release[1].

Thank you for the heads up.

> MediaElement.js is
> vulnerable to a reflected XSS attack. The wordpress patch is at [2]
> but I cannot exactly find what has changed but I think it is the
> url has the time added to randomize it more. [3]

Looks like the issue is confined in the Flash player that is disabled in
Debian, so we should be on the safe side. I’ll backport the fix anyway
to be on the safer side, thanks.

> 1: https://wordpress.org/news/2016/05/wordpress-4-5-2/
> 2: https://core.trac.wordpress.org/changeset/37370
> 3: 
> https://github.com/johndyer/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06e

Regards

David




Bug#823511: Useless in Debian

2016-05-05 Thread David Prévot
Package: php-psr-http-message
Version: 1.0-2
Severity: serious

I recently packaged php-psr-http-message as used by php-guzzlehttp-psr7
and php-google-auth, but php-guzzlehttp-psr7 is going away, see #823505
(so is php-google-auth, see #817754). There is a priori little point in
shipping php-psr-http-message in the next Debian stable

However, Benoit Mortier suggested [817754#10] that php-google-auth may
be useful for a FusionDirectory google-apps plugin soon, so I don’t
intend to request the removal of this package.

817754#10: https://bugs.debian.org/817754#10

Regards

David




Bug#823510: Useless in Debian

2016-05-05 Thread David Prévot
Package: php-react-promise
Version: 2.4.1-1
Severity: serious

[ Filed as an RC-bug by the maintainer to see the package auto-removed
  from testing. ]

I packaged php-react-promise as used by php-guzzlehttp-ringphp, but
php-guzzlehttp-ringphp is going away, see #823506. There is a priori
little point in shipping php-react-promise in any Debian stable release
anymore.

I intend to follow up with an RM request in a few months if nobody
objects (but feel free to beat me to it).

Regards

David




Bug#823508: Useless in Debian

2016-05-05 Thread David Prévot
Package: python-guzzle-sphinx-theme
Version: 0.7.10-1
Severity: serious

[ Filed as an RC-bug by the maintainer to see the package auto-removed
  from testing. ]

I packaged python-guzzle-sphinx-theme in order to build php-guzzle-doc,
but php-guzzle is going away, see #821698. There is a priori little
point in shipping python-guzzle-sphinx-theme in any Debian stable
release anymore.

I intend to follow up with an RM request once php-guzzle is gone, unless
anyone objects (but feel free to beat me to it).

Regards

David




Bug#823507: Useless in Debian

2016-05-05 Thread David Prévot
Package: php-guzzle-stream
Version: 3.0.0-5
Severity: normal

[ Filed as an RC-bug by the maintainer to see the package auto-removed
  from testing. ]

I packaged php-guzzle-stream as used by php-guzzlehttp-ringphp, but
php-guzzlehttp-ringphp is going away, see #823506. There is a priori
little point in shipping php-guzzle-stream in any Debian stable release
anymore.

I intend to follow up with an RM request in a few months if nobody
objects (but feel free to beat me to it).

Regards

David




Bug#823506: Useless in Debian

2016-05-05 Thread David Prévot
Source: php-guzzlehttp-ringphp
Version: 1.1.0-2
Severity: serious

[ Filed as an RC-bug by the maintainer to see the package auto-removed
  from testing. ]

I packaged php-guzzlehttp-ringphp as used by php-guzzlehttp (version 5,
as in Jessie), but latest version (version 6.2, as in Sid) doesn’t use
it anymore. There is a priori little point in shipping
php-guzzlehttp-ringphp in any Debian stable release anymore.

I intend to follow up with an RM request in a few months if nobody
objects (but feel free to beat me to it).

Regards

David




Bug#823505: Useless in Debian

2016-05-05 Thread David Prévot
Package: php-guzzlehttp-psr7
Version: 1.3.0-1
Severity: serious

[ Filed as an RC-bug by the maintainer to see the package auto-removed
  from testing. ]

I recently packaged php-guzzlehttp-psr7 as used by php-guzzlehttp,
php-aws-sdk (in experimental), and php-google-auth, but php-guzzlehttp
is going away (so is php-google-auth, see #817754). There is a priori
little point in shipping php-guzzlehttp-psr7 in the next Debian stable
release.

However, Benoit Mortier suggested [817754#10] that php-google-auth may
be useful for a FusionDirectory google-apps plugin soon, so I don’t
intend to request the removal of this package.

817754#10: https://bugs.debian.org/817754#10

Regards

David




Bug#823504: Useless in Debian

2016-05-05 Thread David Prévot
Package: php-guzzlehttp-promises
Version: 1.1.0-1
Severity: serious

[ Filed as an RC-bug by the maintainer to see the package auto-removed
  from testing. ]

I recently packaged php-guzzlehttp-promises as used by php-guzzlehttp
and php-aws-sdk (in experimental), but php-guzzlehttp is going away (see
#823502). There is a priori little point in shipping
php-guzzlehttp-promises in the next Debian stable release.

However, Benoit Mortier suggested [817754#10] that php-google-auth may
be useful for a FusionDirectory google-apps plugin soon, so I don’t
intend to request the removal of this package.

817754#10: https://bugs.debian.org/817754#10

Regards

David




Bug#823502: Useless in Debian

2016-05-05 Thread David Prévot
Source: php-guzzlehttp
Version: 6.2.0-1
Severity: serious


[ Filed as an RC-bug by the maintainer to see the package auto-removed
  from testing. ]

I recently packaged php-guzzlehttp as used by owncloud and
php-google-auth, but owncloud is going away, see #816376 (so is
php-google-auth, see #817754). There is a priori little point in
shipping php-guzzlehttp in the next Debian stable release.

However, Benoit Mortier suggested [817754#10] that php-google-auth may
be useful for a FusionDirectory google-apps plugin soon, so I don’t
intend to request the removal of this package.

817754#10: https://bugs.debian.org/817754#10

Regards

David




Bug#823063: RM: php-irods -- ROM; Useless in Debian

2016-04-30 Thread David Prévot
Package: ftp.debian.org
Severity: normal

Hi,

#756580 was reassigned with a broken title, and the source package
hasn’t been removed AFAICT. Please, remove it too.

Regards

David




Bug#822681: RM: owncloud -- ROM; Unfit upstream, uninstallable

2016-04-26 Thread David Prévot
Package: ftp.debian.org
Severity: normal

As per #816376, we won’t be shipping ownCloud in the next Debian
release, and since the version in Sid is not installable anymore (see
#821826), there is no point in keeping it at all.

The following reverse dependencies can also go away:
- owncloud-antivirus
- owncloud-apps
- owncloud-music
- owncloud-tasks

I’ll take care of filing RM bugs for the many packages introduced for
it later (there are already RC-bugs preventing them from being part of the
next Debian release).

Thanks in advance

Regards

David




Bug#816796: php-apigen: Useless in Debian

2016-04-22 Thread David Prévot
Hi Florian,

On 22/04/2016 at 16:09, Florian Schlichting wrote:
> On Wed, Apr 20, 2016 at 04:00:40PM -0400, David Prévot wrote:
>> On 20/04/2016 at 15:43, Florian Schlichting wrote
>>> So if it's not too difficult to maintain with PHP 7, I'd love for
>>> php-apigen to be kept in Debian in the future!
>>
>> Feel free to take it over (with its dependency chain).
> 
> OK, I'll have a look at php-apigen and dependencies, preparing updates
> for PHP 7. Can I keep you in Uploaders, or would you rather be removed?

Please, remove me (I’m still around the team, and willing to help for
general or specific issues, but don’t wish to be part of the main
contacts for packages I don’t use anymore).

> I may need a hand or
> helpful hint getting used to the pkg-php tools, though, so if you see me
> doing something stupid please do tell!

The <pkg-php-p...@lists.alioth.debian.org> should be the good place to
ask for advice in doubt, I won’t be the only one willing to help.

> I have requested to join pkg-php on alioth.

I’m not an admin, but those are usually dealt with in a timely manner,
so welcome!

Regards

David





Bug#816796: php-apigen: Useless in Debian

2016-04-20 Thread David Prévot
Hi Florian,

On 20/04/2016 at 15:43, Florian Schlichting wrote

> So if it's not too difficult to maintain with PHP 7, I'd love for
> php-apigen to be kept in Debian in the future!

Feel free to take it over (with its dependency chain).

Regards

David





Bug#821123: Useless in Debian

2016-04-15 Thread David Prévot
Package: doctrine-sphinx-theme
Version: 0~20130227-1
Severity: serious
Tags: sid stretch

[ Filed as an RC-bug by the maintainer to see the package auto-removed
  from testing. ]

I packaged doctrine-sphinx-theme to build doctrine-orm-doc, but we
stopped building it (not DFSG compliant anymore). There is a priori
little point in shipping doctrine-sphinx-theme with the next Debian
stable release.

I intend to follow up with an RM request in a few months if nobody
objects (but feel free to beat me to it).

Regards

David




Bug#821044: wheezy-pu: package zendframework/1.11.13-1.1+deb7u6

2016-04-14 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu

Hi,

As agreed with the security team, I’d like to fix another potential
entropy vulnerability that has been fixed in zendframework.

The fix also gets rid of openssl_random_pseudo_bytes() introduced in the
previous ZF2015-09 fix, and I also added a regression fix from the
CVE-2015-7695 (ZF2015-08) patch (this one was introduced in DSA-3369-1).

Please find attached the proposed debdiff for Wheezy, it’s pretty
similar to the one from #821042.

zendframework (1.11.13-1.1+deb7u6) wheezy; urgency=medium

  * Fix regression from ZF2015-08: binary data corruption
  * Backport security fix from 1.12.18:
- ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1
  http://framework.zend.com/security/advisory/ZF2016-01

Regards

David
diff -u zendframework-1.11.13/debian/changelog zendframework-1.11.13/debian/changelog
--- zendframework-1.11.13/debian/changelog
+++ zendframework-1.11.13/debian/changelog
@@ -1,6 +1,15 @@
+zendframework (1.11.13-1.1+deb7u6) wheezy; urgency=medium
+
+  * Fix regression from ZF2015-08: binary data corruption
+  * Backport security fix from 1.12.18:
+- ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1
+  http://framework.zend.com/security/advisory/ZF2016-01
+
+ -- David Prévot <taf...@debian.org>  Wed, 13 Apr 2016 16:34:02 -0400
+
 zendframework (1.11.13-1.1+deb7u5) wheezy; urgency=medium
 
-  * Backport security fix from 1.12.17
+  * Backport security fix from 1.12.17:
 - ZF2015-09: Fixed entropy issue in word CAPTCHA
   http://framework.zend.com/security/advisory/ZF2015-09
 
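Review bot: the first bullet of the new 1.11.13-1.1+deb7u6 entry, "Fix regression from ZF2015-08: binary data corruption", does not say which change carries the fix. The debdiff only shows it further down, as an edit to debian/patches/0014-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch with a second upstream commit added to its Origin line, so naming that patch (and a bug number, if one exists) in the bullet would let the release team match the changelog to the diff without reading the nested patch.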
@@ -8,7 +17,7 @@
 
 zendframework (1.11.13-1.1+deb7u4) wheezy-security; urgency=high
 
-  * Backport security fixes from 1.12.16
+  * Backport security fixes from 1.12.16:
 - ZF2015-07: Filesystem Permissions Issues in Multiple Components
   http://framework.zend.com/security/advisory/ZF2015-07
   [CVE-2015-5723]
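Review bot: the only change in this hunk is a trailing colon added to "Backport security fixes from 1.12.16" in the already released 1.11.13-1.1+deb7u4 wheezy-security entry. Cosmetic edits to published changelog entries add noise to a proposed-update debdiff; consider dropping this one, and the matching colon in the +deb7u5 entry above, so that the diff holds only the two fixes under review.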
diff -u zendframework-1.11.13/debian/patches/series zendframework-1.11.13/debian/patches/series
--- zendframework-1.11.13/debian/patches/series
+++ zendframework-1.11.13/debian/patches/series
@@ -15,0 +16 @@
+0016-Fixed-the-rand-usage.patch
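Review bot: the new series entry 0016-Fixed-the-rand-usage.patch does not carry the advisory identifier in its file name, whereas the existing 0014-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch does. Renaming it along the lines of 0016-ZF2016-01-... would make it obvious from debian/patches/series which patch backs the ZF2016-01 changelog bullet. The patch body deserves a close read in the full debdiff, since the cover message says it removes the openssl_random_pseudo_bytes() call added by the ZF2015-09 fix.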
diff -u zendframework-1.11.13/debian/patches/0014-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch zendframework-1.11.13/debian/patches/0014-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch
--- zendframework-1.11.13/debian/patches/0014-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch
+++ zendframework-1.11.13/debian/patches/0014-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch
@@ -5,37 +5,31 @@
 This addresses the same issue as found in ZF2014-06, but within the PDO MsSql
 adapter. Additionally, it fixes transaction tests for that adapter.
 
-Origin: upstream, https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2
+Origin: upstream, https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2 https://github.com/zendframework/zf1/commit/70d8aba8c525190e906c663dfdc55355f6e74416
 ---
- library/Zend/Db/Adapter/Pdo/Abstract.php |  3 +-
- library/Zend/Db/Adapter/Pdo/Mssql.php|  2 +-
- tests/TestConfiguration.php.dist |  5 ++--
- tests/Zend/Db/Adapter/Pdo/MssqlTest.php  | 47 +++-
- tests/Zend/Db/Adapter/Pdo/TestCommon.php | 10 +++
- tests/Zend/Db/Adapter/TestCommon.php |  5 ++--
+ library/Zend/Db/Adapter/Pdo/Abstract.php |  1 -
+ library/Zend/Db/Adapter/Pdo/Mssql.php| 19 +--
+ library/Zend/Db/Adapter/Pdo/Sqlite.php   | 14 
+ tests/TestConfiguration.php.dist |  5 +--
+ tests/Zend/Db/Adapter/Pdo/MssqlTest.php  | 58 
+ tests/Zend/Db/Adapter/Pdo/MysqlTest.php  | 13 +--
+ tests/Zend/Db/Adapter/Pdo/SqliteTest.php | 10 ++
+ tests/Zend/Db/Adapter/Pdo/TestCommon.php | 10 ++
+ tests/Zend/Db/Adapter/TestCommon.php |  5 ++-
  tests/Zend/Db/TestUtil/Pdo/Mssql.php |  4 ++-
- 7 files changed, 31 insertions(+), 45 deletions(-)
+ 10 files changed, 91 insertions(+), 48 deletions(-)
 
 diff --git a/library/Zend/Db/Adapter/Pdo/Abstract.php b/library/Zend/Db/Adapter/Pdo/Abstract.php
-index 95f3734..8fde066 100644
+index 95f3734..d718255 100644
 --- a/library/Zend/Db/Adapter/Pdo/Abstract.php
 +++ b/library/Zend/Db/Adapter/Pdo/Abstract.php
-@@ -292,6 +292,8 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract
- if (is_int($value) || is_float($value)) {
- return $value;
- }
-+// Fix for null-byte injection
-+$value = addcslashes($value, "\000\032");
- $this->_connect();
- return $this->_connection->quote($value);
- }
-@@ -398,4 +400,3 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract
+@@ -398,4 +398,3 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends
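Review bot: the refreshed 0014 patch no longer adds the addcslashes($value, "\000\032") call in Zend_Db_Adapter_Pdo_Abstract, yet the description kept as context still presents the patch as a null-byte injection fix "within the PDO MsSql adapter". The new diffstat shows Abstract.php shrinking to a single deleted line while Mssql.php grows to 19 changed lines and Sqlite.php gains 14, which suggests the escaping moved into the individual adapters. A sentence in the patch header saying so, and stating whether the shared escaping was what corrupted binary data, would let a reviewer confirm that the ZF2015-08 protection still applies after the regression fix.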

Bug#821042: jessie-pu: package zendframework/1.12.9+dfsg-2+deb8u6

2016-04-14 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

As agreed with the security team, I’d like to fix another potential
entropy vulnerability that has been fixed in zendframework.

The fix also gets rid of openssl_random_pseudo_bytes() introduced in the
previous ZF2015-09 fix, and I also added a regression fix from the
CVE-2015-7695 (ZF2015-08) patch (this one was introduced in DSA-3369-1).

Please find attached the proposed debdiff for Jessie (a similar request
for Wheezy follows), the changelog entry is:

zendframework (1.12.9+dfsg-2+deb8u6) jessie; urgency=medium

  * Fix regression from ZF2015-08: binary data corruption
  * Backport security fix from 1.12.18:
- ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1
  http://framework.zend.com/security/advisory/ZF2016-01

Regards

David
diff -Nru zendframework-1.12.9+dfsg/debian/changelog zendframework-1.12.9+dfsg/debian/changelog
--- zendframework-1.12.9+dfsg/debian/changelog	2015-11-24 18:25:30.0 -0400
+++ zendframework-1.12.9+dfsg/debian/changelog	2016-04-13 17:12:29.0 -0400
@@ -1,6 +1,15 @@
+zendframework (1.12.9+dfsg-2+deb8u6) jessie; urgency=medium
+
+  * Fix regression from ZF2015-08: binary data corruption
+  * Backport security fix from 1.12.18:
+- ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1
+  http://framework.zend.com/security/advisory/ZF2016-01
+
+ -- David Prévot <taf...@debian.org>  Wed, 13 Apr 2016 16:37:00 -0400
+
 zendframework (1.12.9+dfsg-2+deb8u5) jessie; urgency=medium
 
-  * Backport security fix from 1.12.17
+  * Backport security fix from 1.12.17:
 - ZF2015-09: Fixed entropy issue in word CAPTCHA
   http://framework.zend.com/security/advisory/ZF2015-09
 
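Review bot: the ZF2016-01 bullet in the new 1.12.9+dfsg-2+deb8u6 entry does not mention that the backport also drops openssl_random_pseudo_bytes(), which the cover message says was introduced by the ZF2015-09 fix listed in the +deb8u5 entry just below. Since that replaces code shipped in the previous stable update, a short sub-item recording it would be worth adding. The colon added to the released +deb8u5 line could be left out of the upload.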
diff -Nru zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch
--- zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch	2015-11-24 18:18:19.0 -0400
+++ zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch	2016-04-13 17:12:29.0 -0400
@@ -5,37 +5,31 @@
 This addresses the same issue as found in ZF2014-06, but within the PDO MsSql
 adapter. Additionally, it fixes transaction tests for that adapter.
 
-Origin: upstream, https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2
+Origin: upstream, https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2 https://github.com/zendframework/zf1/commit/70d8aba8c525190e906c663dfdc55355f6e74416
 ---
- library/Zend/Db/Adapter/Pdo/Abstract.php |  3 +-
- library/Zend/Db/Adapter/Pdo/Mssql.php|  2 +-
- tests/TestConfiguration.php.dist |  5 ++--
- tests/Zend/Db/Adapter/Pdo/MssqlTest.php  | 47 +++-
- tests/Zend/Db/Adapter/Pdo/TestCommon.php | 10 +++
- tests/Zend/Db/Adapter/TestCommon.php |  5 ++--
+ library/Zend/Db/Adapter/Pdo/Abstract.php |  1 -
+ library/Zend/Db/Adapter/Pdo/Mssql.php| 17 +-
+ library/Zend/Db/Adapter/Pdo/Sqlite.php   | 14 
+ tests/TestConfiguration.php.dist |  5 +--
+ tests/Zend/Db/Adapter/Pdo/MssqlTest.php  | 58 
+ tests/Zend/Db/Adapter/Pdo/MysqlTest.php  | 13 +--
+ tests/Zend/Db/Adapter/Pdo/SqliteTest.php | 11 ++
+ tests/Zend/Db/Adapter/Pdo/TestCommon.php | 10 ++
+ tests/Zend/Db/Adapter/TestCommon.php |  5 ++-
  tests/Zend/Db/TestUtil/Pdo/Mssql.php |  4 ++-
- 7 files changed, 31 insertions(+), 45 deletions(-)
+ 10 files changed, 91 insertions(+), 47 deletions(-)
 
 diff --git a/library/Zend/Db/Adapter/Pdo/Abstract.php b/library/Zend/Db/Adapter/Pdo/Abstract.php
-index 84a76f3..7699d7a 100644
+index 84a76f3..e12b602 100644
 --- a/library/Zend/Db/Adapter/Pdo/Abstract.php
 +++ b/library/Zend/Db/Adapter/Pdo/Abstract.php
-@@ -292,6 +292,8 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract
- if (is_int($value) || is_float($value)) {
- return $value;
- }
-+// Fix for null-byte injection
-+$value = addcslashes($value, "\000\032");
- $this->_connect();
- return $this->_connection->quote($value);
- }
-@@ -398,4 +400,3 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract
+@@ -398,4 +398,3 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract
  }
  }
  }
 -
 diff --git a/library/Zend/Db/Adapter/Pdo/Mssql.php b/library/Zend/Db/Adapter/Pdo/Mssql.php
-index e3d8c7a..8a8d306 100644
+index e3d8c7a..6081887 100644
 --- a/library/Zend/Db/Adapter/Pdo/Mssql.php
 +++ b/library/Zend/Db/Adapter/Pdo/Mssql.php
 @@ -410,7 +410,7 @@ class Zend_Db_Adapter_Pdo_Mssql extends Zend_Db_Adapter_Pdo_Abstract
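Review bot: the rewritten Origin line now holds two commit URLs separated only by a space, so it is not clear which commit is the original ZF2015-08 fix and which one was added for this update. Listing them separately, with a word on what commit 70d8aba8c525190e906c663dfdc55355f6e74416 contributes, would help. The patch title and description should be revisited as well: the new diffstat covers Sqlite.php, MysqlTest.php and SqliteTest.php, not only the PDO MsSql adapter.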
@@ -47,6 +41,49

Bug#820336: composer: remove mercurial from Recommends

2016-04-07 Thread David Prévot
Hi Thijs,

Thanks for your interest in the composer package.

On 07/04/2016 09:57, Thijs Kinkhorst wrote:

> Installing composer by default also pulls in mercurial because it's in
> Recommends. I personally doubt that the amount of mercurial use justifies
> pulling it in by default (and e.g. not svn).

On top of the default Hg driver, there is one specific to Bitbucket, so
I initially assumed it should be useful enough, but I have never seen
any PHP package hosted on Mercurial yet.

> I'd say it could be better
> moved to Suggests.

Agreed, added subversion to suggest too since there is also a Svn driver.

Regards

David





Bug#819415: [pkg-php-pear] Bug#819420: php-seclib: Call to undefined method Crypt_Base::Crypt_Base()

2016-03-28 Thread David Prévot
Hi,

Thank you for your report.

CCing Perpetuum who reported a similar issue in #819415, and Mathieu who
uploaded php-seclib 1.0.1-3.

On 28/03/2016 07:31, Frank Jung wrote:
> Package: php-seclib
> Version: 1.0.1-3

> Loading Dokuwiki running on lighttpd reported a 500 "The localhost page isn’t
> working" error. Looking into lighttpd logs I see in error.log
> 
> (mod_fastcgi.c.2520) FastCGI-stderr: PHP Fatal error:  Call to undefined method
> Crypt_Base::Crypt_Base() in /usr/share/php/Crypt/Rijndael.php on line 269

I guess the “Fix Methods with the same name as their class” is
incomplete, can you please roll back to 1.0.1-2 and comment if it fixes
the issue for you.

Regards

David





Bug#819322: Useless in Debian

2016-03-26 Thread David Prévot
Package: php-xml-parser
Version: 1.3.6-1
Severity: serious
Control: block -1 by 818800
User: pkg-php-ma...@lists.alioth.debian.org
Usertags: php7.0-transition

[ Filed as an RC-bug by a team member to see the package auto-removed
  from testing, and not let it block the PHP 7.0 transition. ]

php-xml-parser “has been superseded” according to upstream [0], and has
only two reverse dependencies left in Sid: php-xml-serializer (not in
testing) and simplesamlphp (that should be a mistake, see #818800).

0: http://pear.php.net/package/XML_Parser

There is a priori little point in shipping php-xml-parser with the next
Debian stable release. I intend to follow up with an RM request in a few
months if nobody objects (but feel free to beat me to it).

Regards

David




Bug#819031: jessie-pu: package mozilla-devscripts/0.39+deb8u1

2016-03-24 Thread David Prévot
Hi,

On 24/03/2016 15:13, Adam D. Barratt wrote:

> Thanks for the review and the examples. Please feel free to upload.

Uploaded and accepted, thanks.

Regards

David





Bug#819031: jessie-pu: package mozilla-devscripts/0.39+deb8u1

2016-03-24 Thread David Prévot
Hi,

On Tue, Mar 22, 2016 at 08:45:02PM -0700, Sean Whitton wrote:

> The version of mozilla-devscripts currently in Jessie generates
> references to the iceweasel and icedove packages.  But iceweasel is to
> be replaced with firefox-esr, and icedove is probably going to be
> replaced with thunderbird.

FWIW, I’ve reviewed Sean Whitton’s changes, built the mozilla-devscripts
in Jessie, and tested it there in order to rebuild some xul-ext-*
packages. I believe those changes are short, fine, and will allow us to
make an “as smooth as possible” transition from iceweasel to firefox
(and icedove to thunderbird) whenever those packages reached stable
(i.e., probably via stable-security, thus the idea to push those changes
prior to the forced transition). I’m happy to upload this package in a
timely manner if you agree with this proposal.

Packages built with this latest mozilla-devscripts can be installed with
iceweasel as well as firefox, here are a few examples of binary debdiff,
for xul-ext-noscript and xul-ext-adblock-plus, between the version
currently in stable and the no-change rebuild with this version of
mozilla-devscripts.


$ debdiff /var/cache/apt-cacher-ng/debrep/pool/main/m/mozilla-noscript/xul-ext-noscript_2.6.9.3-1_all.deb /var/cache/pbuilder/result/xul-ext-noscript_2.6.9.3-1_all.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Breaks: {+firefox (<< 3.0.9), firefox-esr (<< 3.0.9),+} iceape (>> 2.33+), iceape (<< 2.0), iceweasel (<< 3.0.9)
Depends: iceweasel (>= 3.0.9) | {+firefox (>= 3.0.9) | firefox-esr (>= 3.0.9) |+} iceape (>= 2.0)
Enhances: {+firefox, firefox-esr,+} iceape, iceweasel
Installed-Size: [-1129-] {+1019+}
Provides: {+firefox-esr-noscript, firefox-noscript,+} iceape-noscript, iceweasel-noscript

$ debdiff /var/cache/apt-cacher-ng/debrep/pool/main/a/adblock-plus/xul-ext-adblock-plus_2.6.6+dfsg-1_all.deb /var/cache/pbuilder/result/xul-ext-adblock-plus_2.6.6+dfsg-1_all.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Breaks: {+firefox (<< 22.0), firefox-esr (<< 22.0),+} iceape (>> 2.34+), iceape (<< 2.19), icedove (<< 22.0), iceweasel (<< {+22.0), thunderbird (<<+} 22.0)
Depends: iceweasel (>= 22.0) | {+firefox (>= 22.0) | firefox-esr (>= 22.0) | thunderbird (>= 22.0) |+} icedove (>= 22.0) | iceape (>= 2.19)
Enhances: {+firefox, firefox-esr,+} iceape, icedove, [-iceweasel-] {+iceweasel, thunderbird+}
Installed-Size: [-2603-] {+2306+}
Provides: adblock-plus, {+firefox-adblock-plus, firefox-esr-adblock-plus,+} iceape-adblock-plus, icedove-adblock-plus, [-iceweasel-adblock-plus-] {+iceweasel-adblock-plus, thunderbird-adblock-plus+}

Thanks in advance for considering.

Regards

David




Bug#818756: fixed in mozilla-devscripts 0.45.1

2016-03-22 Thread David Prévot
Hi Sean,

Thank you for your work on the xul-ext-* tools!

On Tue, Mar 22, 2016 at 04:51:15PM +, Debian Bug Tracking System wrote:
[…]
>  mozilla-devscripts (0.45.1) unstable; urgency=high
>  .
>* Restore generation of iceweasel entries for Depends:, Enhances:
>  etc. to ease the Iceweasel -> Firefox transition. (Closes: #818756)
>  Update test suite accordingly.
>* Also restore generation of iceweasel-* binary packages.
>* Preemptively add generation of thunderbird entries for Depends:,
>  Enhances: etc. for the upcoming Icedove -> Thunderbird transition.
>  Update test suite accordingly.

Would you be willing to propose a fix of #818013 and #818756 for stable
(including the thunderbird change too)? Extra bonus points if it’s ready
ASAP, i.e. within the next few days, in order to make it for the
upcoming stable point release (8.4).

8.4: https://lists.debian.org/debian-release/2016/03/msg00211.html

I haven’t yet had a look at the changes, nor actually tested them, but
am willing to look and do some tests in a stable environment for such a
pu request. It would be nice to have all the needed tools to prepare an
“as smooth as possible” transition in stable too…

Regards

David




Bug#818800: simplesamlphp: Useless dependency on php-xml-parser

2016-03-20 Thread David Prévot
Package: simplesamlphp
Version: 1.14.2-1
Severity: normal

Hi,

It seems like simplesamlphp is the last bit in Debian depending on
php-xml-parser, but it doesn’t seem to actually use it. If
php-xml-parser is not used by simplesamlphp, please drop the dependency
on it, so we can get rid of it for the next stable release.

Regards

David




Bug#818756: [Pkg-mozext-maintainers] Bug#818756: Bug#818756: dh_xul-ext: please add alternative dependency on iceweasel

2016-03-20 Thread David Prévot
Hi,

> On Sun, Mar 20, 2016 at 01:05:22PM +0100, Jakub Wilk wrote:
>> To facilitate smoother partial jessie->stretch upgrades, it would be
>> good if iceweasel was added as an alternative dependency.
>
> I'm not familiar with this use case: could you explain why someone might
> want to do that, please?

It makes the life of the package manager (solver) less painful. It also
would allow one to use xul-ext-* packages from unstable or testing on a
stable release without the hassle of rebuilding it, again not a bad thing.

> Further, firefox-esr will replace iceweasel in Jessie when the next ESR
> release is made by Mozilla.

That will make the current “rebuild all the xul-ext-* world” again more
painful (because stable). If we can start handling this mess sooner, that
would not be bad either (i.e., we could make the xul-ext-* packages from
stable installable with firefox{,-esr} as well as iceweasel right now).
That also means preparing a stable upload of mozilla-devscripts ASAP
(needed anyway, if we want to binNMU or even full upload the xul-ext-*
world in stable).

Starting right now to depend on thunderbird on top of icedove could also
be a good idea, no need to wait for #816679 to be fixed.

Regards

David



Bug#818104: Possible MBF: Packages depending on iceweasel but not firefox/firefox-esr

2016-03-19 Thread David Prévot
On 18/03/2016 18:06, Josh Triplett wrote:

> I would suggest that Firefox addon packages should depend on "firefox |
> firefox-esr"

Most of those packages are using mozilla-devscripts for the build and just
need to be rebuilt to get fixed. Even if our infrastructure has all the
needed tools to binNMU all of them as a proper transition, some
limitations on the way arch:all binNMU are handled currently prevent us
from having most of them already fixed, see #818104.

What is currently needed if the arch:all binNMU doesn’t get fixed, is
“just” to upload all of them. I’m currently dragged into doing that for
hundreds of PHP class packages because of this no arch:all binNMU
limitation, so I hope someone else from the Debian Mozilla Extension
Maintainers could take the lead on it (new members are welcome ;).

Regards

David





Bug#783422: php-services-json: Useless in Debian?

2016-03-19 Thread David Prévot
Hi Dmitry,

> My concern for removal of this package is that recently introduced CiviCRM
> loosely depends on it.

Looks like civicrm only build-depends on it, that seems strange (I wonder
how php-services-json is used during the build).

Looks like civicrm is using dh_linktree for embedding PHP classes, that
seems like an awful tool for the un-bundling job, you may wish to properly
load the needed classes instead. Since there are no actual dependencies, I
wonder how php-services-json is actually useful for civicrm currently.

Anyway, if you wish to see php-services-json stay, you should consider
taking over its maintenance, and ensure it’s ready for PHP 7.0.

Regards

David



Bug#818709: Useless in Debian

2016-03-19 Thread David Prévot
Package: php-mail-mimedecode
Version: 1.5.5-3
Severity: serious

[Filed as RC by a team member to see it autoremoved from testing if
 nobody disagrees. Please, do downgrade it with an explanation if you
 disagree.]

This package has no reverse dependencies anymore in Stretch, and hasn’t
seen any activity upstream in over five years. There is a priori little
point in shipping php-mail-mimedecode with the next Debian stable
release.

I don’t intend to follow up with an RM request since Thomas said he’d
wish to see extplorer in Debian again at some point.

Regards

David




Bug#818558: Useless in Debian

2016-03-19 Thread David Prévot
Package: libjs-jquery-minicolors
Version: 1.2.1-1
Severity: serious
Tag: sid stretch

[ Filed as an RC-bug by the maintainer to see the package auto-removed
  from testing. ]

I packaged libjs-jquery-minicolors as used by owncloud, but owncloud is
going away, see #816376. There is a priori little point to ship
libjs-jquery-minicolors in the next Debian stable release.

I intend to follow up with an RM request in a few months if nobody
objects (but feel free to beat me to it).

Regards

David




Bug#818674: Useless in Debian

2016-03-19 Thread David Prévot
Package: owncloud-doc
Version: 0~20160302-1
Severity: serious


[ Filed as an RC-bug by the maintainer to see the package auto-removed
  from testing. ]

I packaged owncloud-doc as used by owncloud, but owncloud is going away,
see #816376. There is a priori little point in shipping owncloud-doc
with the next Debian stable release.

I intend to follow up with an RM request in a few months if nobody
objects (but feel free to beat me to it).

Regards

David




Bug#818673: Useless in Debian

2016-03-19 Thread David Prévot
Package: python-sphinxcontrib.phpdomain
Version: 0.1.4-2
Severity: serious

[ Filed as an RC-bug by the maintainer to see the package auto-removed
  from testing. ]

I packaged python-sphinxcontrib.phpdomain to build owncloud-doc and
php-opencloud-doc as used by owncloud, but owncloud is going away, see
#816376. There is a priori little point in shipping
sphinxcontrib-phpdomain with the next Debian stable release.

I intend to follow up with an RM request in a few months if nobody
objects (but feel free to beat me to it).

Regards

David




Bug#818561: Useless in Debian

2016-03-19 Thread David Prévot
Package: libjs-chosen
Version: 0.9.11-2
Severity: serious
Tags: sid stretch

[ Filed as an RC-bug by the maintainer to see the package auto-removed
  from testing. ]

I packaged libjs-chosen as used by owncloud, but owncloud is going away,
see #816376. There is a priori little point to ship libjs-chosen in the
next Debian stable release.

I intend to follow up with an RM request in a few months if nobody
objects (but feel free to beat me to it).

Regards

David




Bug#818412: Please adapt code for the PHP 7.0 transition

2016-03-19 Thread David Prévot
Package: debpear
Version: 0.4
Severity: serious

[ Filed as an RC-bug by a team member to ensure the package does not
  get released with this status in Stretch. ]

Even if it doesn’t show up in the package metadata, according to a quick
look at the code, there are some assumptions about at least the php5-*
naming scheme.

Disclaimer: I don’t intend to look into fixing it myself in the near
future.

Regards

David




Bug#817754: php-google-a* maybe not so useless (Was: Useless in Debian)

2016-03-15 Thread David Prévot
Hi Benoit,

Le 15/03/2016 04:54, Benoit Mortier a écrit :
> Le 09/03/16 21:38, David Prévot a écrit :
>> Package: php-google-api-php-client
[…]
>> Package: php-google-auth

>> [ Filed as an RC-bug by the maintainer to see the package auto-removed
>>   from testing, and not let it block the PHP 7.0 transition. ]
>>
>> I packaged php-google-api-php-client as used by owncloud
[…]
>> I intend to follow up with an RM request in a few months if nobody
>> objects (but feel free to beat me to it).

> we are the developers of FusionDirectory and we will soon have a
> google-apps plugin that will use this library
> 
> could we keep it inside debian

Let’s hold on the RM request then. Please ping us back when your plugin
is in the archive. You may wish to step up for the maintenance
(including dependencies) then: not sure I’ll stay around the PHP PEAR
(and Composer) Maintainers much longer once the ownCloud mess is done.

Regards

David





Bug#818034: Useless in Debian

2016-03-12 Thread David Prévot
Package: php-picofeed
Version: 0.1.19-1
Severity: serious

[ Filed as an RC-bug by the maintainer to see the package auto-removed
  from testing, and not let it block the PHP 7.0 transition. ]

I recently packaged php-picofeed, as used by owncloud-news, but it’s now
gone as per #816901 since owncloud is going away, see #816376. There is
a priori little point in shipping php-picofeed in a Debian stable release.

I intend to follow up with an RM request in a few months if nobody
objects (but feel free to beat me to it).

Regards

David




Bug#818033: Useless in Debian

2016-03-12 Thread David Prévot
Package: php-nette
Version: 2.3.9-1
Severity: serious


[ Filed as an RC-bug by the maintainer to see the package auto-removed
  from testing, and not let it block the PHP 7.0 transition. ]

I packaged php-nette as used by php-apigen in order to build
php-opencloud(-doc), as used by owncloud, but owncloud is going away,
see #816376 (so is php-apigen, see #816796). There is a priori little
point in shipping php-apigen in the next Debian stable release.

I intend to follow up with an RM request in a few months if nobody
objects (but feel free to beat me to it).

Regards

David




Bug#818012: RM: phpseclib/experimental -- ROM; Superseded by php-phpseclib

2016-03-12 Thread David Prévot
Package: ftp.debian.org
Severity: normal

Hi,

Please remove phpseclib from experimental; version 2 is now provided
by php-phpseclib.

Regards

David




Bug#817765: Useless in Stretch

2016-03-09 Thread David Prévot
Package: php-psr-cache
Version: 1.0.0-1
Severity: serious

[ Filed as an RC-bug by the maintainer to see the package auto-removed
  from testing, and not let it block the PHP 7.0 transition. ]

I recently packaged php-psr-cache as a new symfony dependency, but it
shouldn’t be useful before 3.1 (with the php-symfony-cache component)
while Stretch should ship with Symfony 2.8. There is a priori little
point shipping php-psr-cache in the upcoming Debian release, but feel
free to downgrade or close with an explanation if there is.

I do not intend to follow up with an RM request, but rather close this
bug once Stretch is frozen or the package is actually needed.

Regards

David



