Bug#1070727: reportbug: podman does not run wasm/wasi images because of missing crun-wasm - easy fix

[Faidon Liambotis]

Control: reassign -1 crun
Control: retitle -1 Ship the crun-wasm runtime
Control: severity -1 wishlist
Control: forwarded -1 https://github.com/containers/crun/issues/1468

On Sun, May 12, 2024 at 03:34:42PM +0300, Faidon Liambotis wrote:
> Perhaps it's worth bringing it up with both crun and podman upstreams, I
> don't think we're going to be the only distro dealing with this.  (I can
> take care of that.)

We have a little more clarity from Giuseppe. I'll work on shipping
crun-wasm on the next crun upload. (Still debating whether I should ship
it in a different package or not.)

Faidon

Bug#1070727: reportbug: podman does not run wasm/wasi images because of missing crun-wasm - easy fix

[Faidon Liambotis]

On Sat, May 11, 2024 at 11:16:00AM -0400, Reinhard Tartler wrote:
> > I see three paths forward:
> > 1) We do the same, creating a new (almost) empty package.
> > 2) We ship a /usr/bin/crun-wasm symlink in the crun package.
> > 3) We patch podman to use /usr/bin/crun instead of, or in addition to,
> > /usr/bin/crun-wasm.
> >
> I think we should do either 1 or 2 to minimize divergence with upstream. My
> preference would be 2 to enable an out-of-the box experience.

Well... divergence with _which_ upstream? I think that's basically the
question here.

Upstream crun has no notion of "crun-wasm", AFAIK. There is one "crun"
binary that just dynamically loads libwasmedge with dlopen(), among a
few other libraries we don't have in Debian yet, e.g. criu or krun.
There is nothing in its autoconf/Makefiles to install a symlink, either.
The RPM spec does that.

Hence, the existence of "crun-wasm" is an RPM packaging detail that *is*
a divergence by itself, I think. However, that detail is now encoded
into podman upstream. (It's also unclear to me why they decided to
generate and ship a symlink, rather than just a metapackage.  Is it just
for changing podman's error messages?)

Perhaps it's worth bringing it up with both crun and podman upstreams, I
don't think we're going to be the only distro dealing with this.  (I can
take care of that.)

> Is there any reason to not have that symlink installed by default in the
> `crun` package?

Technically, not, that's not hard. It just feels... icky to ship a
symlink just to cover a packaging decision made in a different package,
by another distro, no?

Faidon

Bug#1070727: reportbug: podman does not run wasm/wasi images because of missing crun-wasm - easy fix

[Faidon Liambotis]

Control: tags -1 confirmed

On Wed, May 08, 2024 at 03:10:40AM +0300, Eugen Stan wrote:
> I followed the guide to run wasm images on my system and it failed with
> errors.
> 
> I believe the issue is that podman looks for crun-wasm binary by default.
> I failed to configure podman to use crun instead of crun-wasm.
> I created a simbolic link named crun-wasm:
> 
> sudo ln -s /usr/bin/crun /usr/local/bin/crun-wasm

Ouch! You're right. This worked when I enabled WasmEdge in crun, but
was changed upstream at some point since.

Apparently Fedora/RedHat ship a "crun-wasm" package, which contains a) this
symlink, b) a dependency on WasmEdge.

In Debian, the main "crun" package has a Suggests on libwasmedge0.

I see three paths forward:
1) We do the same, creating a new (almost) empty package.
2) We ship a /usr/bin/crun-wasm symlink in the crun package.
3) We patch podman to use /usr/bin/crun instead of, or in addition to,
/usr/bin/crun-wasm.

I don't particularly love option (1). I'm split between options (2) and
(3), not loving either.

Thoughts?

Faidon

Bug#1068131: ITP: bootterm -- simple terminal to ease connections with SBCs

[Faidon Liambotis]

Package: wnpp
Severity: wishlist
Owner: Faidon Liambotis 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: bootterm
  Version : 0.4+git2023013
  Upstream Contact: Willy Tarreau 
* URL : https://github.com/wtarreau/bootterm
* License : Expat
  Programming Lang: C
  Description : simple terminal to ease connections with SBCs

Bootterm is a simple, reliable and powerful terminal designed to ease
connection to ephemeral serial ports as found on various SBCs, and typically
USB-based ones.
.
Main features:
 * automatic port detection (uses the most recently registered one by default)
 * enumeration of available ports with detected drivers and descriptions
 * wait for a specific, a new, or any port to appear (convenient with USB
   ports)
 * support for non-standard baud rates (e.g. 74880 bauds for ESP8266)
 * can send a Break sequence and toggling RTS/DTR for various reset sequences,
   even on startup
 * fixed/timed captures to files (may be enabled at run time)
 * optionally time-stamped captures (relative/absolute dates)
 * reliable with proper error handling
 * single binary without annoying dependencies, builds out of the box
 * supports stdin/stdout to inject/download data
 * configurable escape character and visible character ranges

Note that upstream has chosen /usr/bin/bt for the binary's name, but I'm
trying to persuade them to use /usr/bin/bootterm instead, in order to
avoid taking up a two-letter name in Debian's shared $PATH namespace,
for what is intended to be a binary for a niche audience. At minimum I'd
expect us to carry a Debian-specific patch.

Bug#1067238: Add support for man preprocessors, like tbl

[Faidon Liambotis]

On Sun, Mar 31, 2024 at 06:52:23PM +1100, Brendan O'Dea wrote:
> > help2man does not output any tables by default (AIUI) but in case one
> > adds text e.g. in their DESCRIPTION that includes tables, it won't work.
> 
> help2man is intended to take `--help` output and massage it into a
> manual page.  The `--help` output still needs to be readable however,
> since people do invoke `foo --help` from the command line.  One option
> would be to have help2man recognize markdown-format tables, which
> would preserve the property of the `--help` output being readable.  A
> simpler option would be to add the table to an include file:
> https://www.gnu.org/software/help2man/#Including-text

Sorry I probably wasn't clear: that's exactly what I meant. I added a
table in the DESCRIPTION through --include and a [DESCRIPTION] section,
that includes a table.

> > While my issue is specific to the "tbl" preprocessor, man(1) supports
> > other preprocessors, including eqn (e), grap (g), pic (p), tbl (t),
> > vgrind (v), refer (r). See the `-p` argument. Perhaps help2man should
> > just gain an argument to support adding arbitrary preprocessors to its
> > output?
> 
> I will look into that.

#1049968 may also be useful context, in particular G. Branden Robinson's
comments.

Thanks,
Faidon

Bug#1055279: tox-current-env: potential bugs on armel

[Faidon Liambotis]

Hi Bo,

Thanks for the short reaction time and for spending your time on this
bug, much appreciated!

On Fri, Mar 22, 2024 at 01:26:35PM +0800, Bo YU wrote:
> Thanks your detailed analysis for it. I have uploaded -3 to unstable to
> hope to unblock tox migrating. But these are some unexpected maybe.

tox has migrated since. Honestly I'm not sure why, given the regression!
So there isn't as much urgency as there was when I filed this bug, I'd
say.

> This will lead a autopkgtest on s390x[0] again from its tracker page[1] to
> get the link(UTC+8 13:06 2024/03/22).
> 
> But another retry on s390x it passed on s390x[2].
> 
> [0]: https://ci.debian.net/packages/t/tox-current-env/testing/s390x/44235641/
> [1]: https://tracker.debian.org/pkg/tox-current-env
> [2]: https://ci.debian.net/packages/t/tox-current-env/

Yup, looks like the same bug all over the place, effectively a race.

> Do you think I will need to upload it to unstable again with `sorted`
> for `test_allenvs_print_deps_to_file` as I analyzed above?

It's clearly a bug IMHO, so it'd be good to fix at some point. No
urgency with regards to the tox migration as I said, but this will
happen again on e.g. the next tox upload.

If I were you I'd fix it in git, submit all of these fixes to upstream,
wait a month or two so in case upstream releases a new version
(hopefully with these), and then upload regardless.

Thanks again,
Faidon

Bug#1067238: Add support for man preprocessors, like tbl

[Faidon Liambotis]

Source: help2man
Version: 1.49.3
Severity: wishlist

In trixie and above, including tables in a manpage does not work
anymore, unless the "tbl" preprocessor is added explicitly. This means
tables are not rendered, and warnings of the following form are emitted:

  warning: tbl preprocessor failed, or it or soelim was not run;
  table(s) likely not rendered (TE macro called with TW register
  undefined)

help2man does not output any tables by default (AIUI) but in case one
adds text e.g. in their DESCRIPTION that includes tables, it won't work.

Per [1][2] the fix is for the first line of the manpage to be:

'\" t

I did not find a way to inject this with help2man, and checking through
the source, it just seems there is no support for that. (I can of course
easily post-process the file, but this is not ideal.)

1: https://lists.debian.org/debian-devel/2023/08/msg00220.html
2: https://manpages.debian.org/bookworm/man-db/man.1.en.html#DEFAULTS

To reproduce, you can generate a table with:
$ cat 

Bug#1018261: confmodule should be distributed separately from debconf

[Faidon Liambotis]

On Sun, Aug 28, 2022 at 08:56:18AM +0200, Gioele Barabucci wrote:
> could you please ship `/usr/share/debconf/confmodule{,.sh}` in a separate
> package, for example debconf-common?

In the same spirit, I think Debconf::Client::ConfModule should also be
split into its own package, as it seems entirely distinct from debconf
itself, and similar to e.g. python3-debconf in that sense.

Per established Perl conventions, perhaps something like
libdebconf-client-confmodule-perl?

The dependency transition is going to be an interesting challenge. I see
Giole has resorted to (Pre-)Depends, for the Shell part, which makes
sense given its size, and could work for Perl as well.
Debconf::Client::ConfModule is used by a tiny minority of packages
though, so perhaps something more creative can be used in the long-term,
like perhaps dh_installdebconf getting taught to add the appropriate
dependencies if necessary.

Faidon

Bug#1055279: tox-current-env: potential bugs on armel

[Faidon Liambotis]

Control: retitle -1 test_allenvs_print_extras tests are flaky

On Fri, Nov 03, 2023 at 08:57:57PM +0800, Bo YU wrote:
> The bug was opened to track a potential bugs on armel(or others slow
> archs, but it does not always happened).
> 
> Fix from upstream[0] may take a long time so if you use the package please
> keep in mind about this unless the bug was closed.

I recently uploaded tox/4.14.1-1. tox-current-env autopkgtests fail on
s390x[1] with a similar error, which in turn is currently preventing tox
from migrating into testing[2]

1: https://ci.debian.net/packages/t/tox-current-env/testing/s390x/44050718/
2: https://qa.debian.org/excuses.php?package=tox

This bug was originally for test_allenvs_print_extras_to_file(); for
this I would imagine think the fix is something like:
  - assert prep_tox_output(result.stdout) == expected
  + assert sorted(prep_tox_output(result.stdout)) == sorted(expected)

The s390x autopkgtest above fails on test_allenvs_print_extras(), which
is very similar. However, that one seems to have a sorted() already:
 45s def test_allenvs_print_extras(print_extras_stdout_arg):
 45s result = tox(print_extras_stdout_arg)
 45s expected = []
 45s for env in envs_from_tox_ini():
 45s expected.extend(("dev", "full", f"{env}: OK"))
 45s expected.pop()  # The last "py310: OK" is not there
 45s expected.append(tox_footer(spaces=0))
 45s expected = ("\n".join(expected)).splitlines()
 45s >   assert sorted(prep_tox_output(result.stdout).splitlines()) == 
sorted(expected)

I don't fully grok what this is supposed to be doing (but I've looked at
it for only a couple of minutes). That .pop() does look suspicious
though, in the sense that it operates before the output is sorted.

Faidon

Bug#1066929: Package outdated, crippled, unfit for release

[Faidon Liambotis]

Source: bcachefs-tools
Version: 24+really1.3.4-2
Severity: serious

I don't think bcachefs-tools in its current state is fit for release.

* The package is severely behind: Debian is currently at 1.3.4. Upstream
  is at 1.6.4.

* Chronologically speaking, 1.3.4 was released in November 2023, so in
  theory, it's not that old.

  In practice, however, bcachefs is a fast-moving project, and in
  particular the past few months have been critical both in terms of
  pace, and in terms of stabilization: bcachefs was merged in the
  upstream Linux kernel, starting with v6.7, released in January 2024.
  Linux 6.8 was released this week as well, with even more fixes,
  including the ability to use the in-kernel fsck.

* Linux v6.7 entered unstable this week, which opens up the user base
  for this package quite a bit. Especially with the recent hype, others
  may be inclined to try it, and be surprised by back-and-forth metadata
  migrations between kernel and userspace, as a concrete example of a
  problem.

* Moreover, even the outdated version that we have in Debian is
  crippled, because large parts of its functionality are missing: all
  the Rust functionality included in this software, which is ever
  increasing (up to being required, in newer upstream releases). This
  has been reported previously as #1060256.

* I'd also argue that the package lacks attentive maintainership, and
  would recommend to orphan and/or find one or more comaintainers:
  - There are various packaging issues: wrong version number, branches
not pushed into git etc. etc. (most reported as #1054620)

  - There hasn't been any coordination/two-way street with upstream; I
contributed a bunch of PRs to help with the Rust integration bits in
Debian, and I know Steinar was in touch with them as well, but none
of this was done by the package maintainer or in coordination with
them.
 
  - No serious effort was made to package the Rust bits before. I worked
on it and made it happen with only a few hours of work, as
documented in that bug report above.

  - There hasn't been any coordinated system integration effort with
other Debian packages like grub/initramfs-tools/etc. #1061525
describes issues that are across projects and up for us, the
distributor, to really triage and coordinate fixes for.
  
  - Finally, while a bunch of work happened by others, like myself
paving the road for the Rust bits to be enabled, and by Steinar to
prepare fixed packages (and even an NMU), there hasn't been an
appropriate level of response to our contributions IMHO, that would
have included in an upload that includes all of these fixes. We are
basically blocked.

Now, I realize that the maintainer may be quite busy with other tasks,
including what I can only image is a busy Debian workload due to some
other, erm, duties (for which I'm thankful!). In an effort to be more
collegial, I've even reached out in private, twice. But, I think we are
at the point where weeks pass while the state of this package is simply
not OK, a disservice to our users, and unfit for release, hence this RC
bug. This is a filesystem we're talking about, so outdated/buggy
software can even mean broader system-wide issues including data
corruption.

In terms of a path forward: I would recommend to upload the package as
prepared by Steinar ASAP, and/or submit an RFH/O for the long-term
maintainership of the package.

Best,
Faidon

Bug#1066908: lowdown FTCBFS: performs a native build

[Faidon Liambotis]

On Fri, Mar 15, 2024 at 07:23:04AM +0100, Helmut Grohne wrote:
>  override_dh_auto_configure:
> + CC='$(CC)' \
>   CFLAGS="${CFLAGS}" \
>   ./configure \
>   PREFIX=/usr \

One more thing: should we also pass AR=$(AR)? It did matter for
WebAssembly (which required the use of llvm-ar) and why I added support
for it to oconfigure¹, but I'm not sure if it makes a difference between
different binutils architectures when cross-building.

Thanks again,
Faidon

1: https://github.com/kristapsdz/oconfigure/pull/23

Bug#1066908: lowdown FTCBFS: performs a native build

[Faidon Liambotis]

> lowdown fails to cross build from source, because it performs a native
> build. Since there is a configure script, debhelper concludes that the
> autoconf build system should be used and that it thus should not pass
> cross tools to make, but it really should. Also since dh_auto_configure
> is overridden, passing cross flags there (CC in particular) is required.
> Last but not least, the pkg-config invocations also need to use the host
> tools. I'm attaching a patch for your convenience.

Thanks for this, Helmut!

>  include /usr/share/dpkg/architecture.mk
> +-include /usr/share/dpkg/buildtools.mk

Why -include? Are there conditions under which buildtools.mk wouldn't
exist?

> +PKG_CONFIG ?= pkg-config

...and if we assume buildtools.mk always exist, can we drop this and
assume PKG_CONFIG is always going to be defined?

>  # output every command that modifies files on the build system.
>  #export DH_VERBOSE = 1
> @@ -10,17 +12,18 @@
>  # Use libbsd for a system copy of the BSD functions, instead of upstream's
>  # embedded compats.c coming from the oconfigure project.
>  # Also see https://github.com/kristapsdz/oconfigure/issues/19
> -CFLAGS += $(shell pkg-config --cflags libmd libbsd-overlay)
> -LDFLAGS += $(shell pkg-config --libs libmd libbsd-overlay)
> +CFLAGS += $(shell $(PKG_CONFIG) --cflags libmd libbsd-overlay)
> +LDFLAGS += $(shell $(PKG_CONFIG) --libs libmd libbsd-overlay)
>  
>  # avoid symbol leakage; keep this in the package until merged upstream:
>  # see https://github.com/kristapsdz/lowdown/issues/109
>  LDFLAGS += -Wl,--version-script=debian/liblowdown.map
>  
>  %:
> - dh $@
> + dh $@ --buildsystem=makefile
>  
>  override_dh_auto_configure:
> + CC='$(CC)' \
>   CFLAGS="${CFLAGS}" \
>   ./configure \
>   PREFIX=/usr \

LGTM. I'll commit those and upload once we resolve the (trivial)
question above :)

Best,
Faidon

Bug#1066139: podman: Cannot create a network with dns_enabled

[Faidon Liambotis]

Control: tags -1 + moreinfo

On Wed, Mar 13, 2024 at 12:17:12AM +0100, Antoine Sirinelli wrote:
> When I create a new custom network, the dns is not enabled:
> 
> $ podman network create test
> test
> $ podman network inspect test
>
> [...]
> 
> The outcome should have "dns_enabled" to true.

Per podman-network(1):
> Podman supports two network backends Netavark and CNI. Netavark is the
> default network backend and was added in Podman version 4.0. CNI  is
> deprecated and will be removed in the next major Podman version 5.0,
> in preference of Netavark.

For DNS, you need to have installed:
  - golang-github-containernetworking-plugin-dnsname (CNI, deprecated)
  - aardvark-dns (Netavark)

podman Depends on golang-github-containers-common which Recommends
netavark, which Recommends aardvark-dns, so a clean install brings in
Netavark by default (per upstream).

I've verified that clean installs, with the exact commands you executed,
with either Netavark (default install), or without Netavark but with
golang-github-containernetworking-plugin-dnsname, and could not
reproduce the issue.

So I would guess that you don't have either of those packages installed.

The question is why.

1) Perhaps you installed podman with apt install --no-install-recommends?

   In this case, I don't think this is a bug. Recommends is the
   appropriate package relationship here, and failure to install all the
   recommended dependencies can result in reduced, non-essential
   functionality.

2) Alternatively, perhaps you first set up podman without Netavark (e.g.
   before 4.0), and later upgraded to a newer version?

   (In this case, I wonder how the setup ended up without the "dnsname"
   plugin. But moot at this point regardless)

   I don't think an automatic transition from the old stack to the new
   stack exists. A "podman system reset" should fix it; I'm not sure if
   there is a less intrusive way to do that. Perhaps we'll know more
   about upgrade paths with the 5.0 release, which is imminent.

3) Some other reason that I can't imagine right now :)

Would love to hear from you and some insight on how your setup ended up
in the way it did. Perhaps we could figure out ways to avoid any further
surprises.

Best,
Faidon

Bug#1065732: podman: Please "Recommends: containers-storage" so overlay driver is used by default

[Faidon Liambotis]

On Sat, Mar 09, 2024 at 06:44:56AM -0700, Anthony Fok wrote:
> Package: podman
> Version: 4.9.3+ds1-1
> Severity: normal
>
> [...]
>
> Eventually, I ran the following commands to remedy the situation:
> 
> sudo apt install containers-storage
> rm -rf ~/.local/share/containers
> podman system reset
> 
> After that, `podman info` shows:
> 
> graphDriverName: overlay
> 
> I propose promoting the dependency on the containers-storage package
> from "Suggests" to "Recommends", or even to "Depends", so that
> "overlay" is consistently chosen as the default storage driver
> which provides a much better overall experience for end users.

I believe this has been previously reported as #1062176.

Are you experiencing this with 4.9.3 as the bug's metadata suggests, or
did you perhaps set up podman e.g. on bullseye, and then later upgraded
(without a system reset)? In other words, if you run the "system reset"
commands, without having containers-storage installed, does it also
address your issue?

In my investigation in the aforementioned bug, I came into the
conclusion that this has already been fixed (properly) upstream in
versions that we already have in trixie, and that it's perhaps a bit too
invasive to do as stable upload. Let me know if you think this is wrong
and/or you disagree.

Regards,
Faidon

Bug#1043530: closed by Debian FTP Masters (reply to Yangfl ) (Bug#1043530: fixed in micropython 1.22.1+ds-1)

[Faidon Liambotis]

Control: reopen -1

Hi there,

Thanks for including asyncio in the 1.22.1+ds-1 upload! That's already
going to be extremely useful!

The bug report was also requesting to ship the "mip" module as well, as
evident from the Subject and this:

On Sat, Feb 10, 2024 at 06:27:09PM +, Debian Bug Tracking System wrote:
> On that matter, the build above also enabled "mip", the new package
> manager and flagship feature of v1.20:
>>>> import mip
>>>>
> (There are some mbedTLS DEBUG messages being emitted when fetching from
> e.g. GitHub, that I haven't tracked down yet, but that's getting a
> little offtopic.)

I don't believe this has happened yet, so reopening the bug report.

On a different note: I looked into git to check whether this was fixed
there before I replied here. It was quite hard to understand the commit
history: it seems like the entirety of the upload was pushed as one
commit, including a re-export of debian/patches etc. I would recommend
that you commit changes as you go, one commit per functional change etc.

Thanks,
Faidon

Bug#1060256: Please enable the Rust parts

[Faidon Liambotis]

On Tue, Jan 23, 2024 at 10:58:03AM +0200, Faidon Liambotis wrote:
> > * The "udev" crate is required, and missing from the
> >   missing list. Note that it's distinctly different to
> >   librust-libudev-dev. debcargo generates a librust-udev-dev package
> >   that seems to build with minor modifications, and no other
> >   dependencies.
> 
> Still required.

I uploaded that last week, currently sitting in NEW.

> > * bch_bindgen also depends on a custom fork of rust-bindgen, checked out
> >   from bcachefs' git. This seems to have only a patch compared to what's
> >   shipped in Debian, originating in an upstream issue:
> >   https://github.com/rust-lang/rust-bindgen/issues/2240
> > 
> This turned out to be more complicated. There's been some discussion on
> the upstream bug tracker:
> https://github.com/koverstreet/bcachefs-tools/issues/202
> including a proposed way forward, that Thomas Bertschinger kindly
> implemented:
> https://lore.kernel.org/linux-bcachefs/20240122201913.GA207770@fedora-laptop/T/#t

This was merged, and bcachefs-tools could be built with Debian's bindgen
for a short while. In the time since, a more generic fix went into
bindgen 0.69.4, and backed out from bcachefs:
https://lore.kernel.org/linux-bcachefs/pcj3od6gpxug7rwksamxfn2hnz2mrebrypa6ss67igmupeqvip@7r2s22ajvygg/T/#t

This will mean one of two options: a) upgrade bindgen in Debian to
0.69.4, b) cherry-pick a revert of this patch.

Faidon

Bug#1062598: libpod: Add support for LoongArch

[Faidon Liambotis]

On Mon, Feb 05, 2024 at 02:13:50PM +0800, 张家岭 wrote:
>  Hi, this can support loong64 build , Ｉ build this in my local . and I'll 
> submit to upstream .

But is your patch necessary to build for loong64? Does the build fail
without your patch?

Faidon

Bug#1062598: libpod: Add support for LoongArch

[Faidon Liambotis]

Control: tags -1 upstream moreinfo

On Fri, Feb 02, 2024 at 04:40:08AM +, JiaLing Zhang wrote:
> Please help to add support for loong64.I have build it in my local
> machine.

Unless I'm missing something, both of your changes seem... unrelated to
what we ship in Debian. Have you verified that this patch is needed?

In any case, kindly also submit any patches upstream.

Thanks!
Faidon

Bug#1062176: podman: Package containers-storage should be recommended

[Faidon Liambotis]

Control: reassign -1 src:golang-github-containers-storage 1.43.0+ds1-8
Control: fixed -1 1.48.1+ds1-1

On Wed, Jan 31, 2024 at 03:45:35PM +0100, Holger Leskien wrote:
> at the moment the dependency on the containers-storage package is "suggests"
> only. However, this means that the package is not installed when podman is
> installed and rootless (all?) containers are then started with the storage
> driver vfs, even though overlay would be possible. This is slow, uses much 
> more
> space and leads to a poor user experience.
> 
> I only noticed that vfs was the cause with a large image with many layers and
> looked for a solution. Installing containers-storage would have been so easy.
> 
> Please change the dependency to Recommends.

I understand how a VFS driver default makes for a poor out of the box
experience.

First of all, I can verify that bookworm rootless defaults to "vfs", as
you established. bookworm rootful, and trixie/sid rootful as well as
rootless default to "overlay". 

I don't think your proposed fix is correct. Installing
containers-storage (and thus a storage.conf) may or may not be a good
idea, I am not sure about that.

However, the cause of your issue here is clear to me: the
containers-storage code (which podman embeds, as it's Go code) up until
v1.47 defaulted to "vfs". This was changed with:
https://github.com/containers/storage/commit/e3b18ab721f02f801d93806ac789e958cbe6a050
and amended with:
https://github.com/containers/storage/commit/9ef15e4d49b76a9af9f548e9415153009faa54d8
Both in >= 1.47.

While we could backport these commits in a future stable upload, I am
not sure if these are appropriate for a stable release. This means
retroactively changing Debian's defaults in a stable update, and to a
value that diverges from upstream for that particular combination of
containers-storage and podman.

Regards,
Faidon

Bug#1030845: RFP: sbctl -- Secure Boot Manager

[Faidon Liambotis]

On Wed, Feb 08, 2023 at 11:32:50AM +0100, Marco d'Itri wrote:
> Package: wnpp
> Severity: wishlist
> 
> * Package name: sbctl
>   Version : 0.10
>   Upstream Contact: Morten Linderud 
> * URL : https://github.com/Foxboron/sbctl/
> * License : MIT
>   Programming Lang: Go
>   Description : Secure Boot Manager

I've pushed:
https://salsa.debian.org/go-team/packages/sbctl
as well as the missing dependency:
https://salsa.debian.org/go-team/packages/golang-github-foxboron-go-uefi

Note that there are two debian/patches for sbctl:
1) First, to use FHS paths, diverging from upstream's locations (which
is non-ideal). Upstream issue #57 is open upstream:
https://github.com/Foxboron/sbctl/issues/57

2) Second, to disable TPM support. It requires a long dependency chain
for Go-Attestation that it felt too overwhelming for me. YMMV :)

This package builds and works for me. I'm not up for maintaining it in
the long-run though, so I'm leaving this as an RFP and *not* uploading
it to unstable. Hopefully this initial packaging work is useful to
whoever decides to pick it up.

If anyone else is up for it, I may be available to sponsor the uploads
and/or provide code reviews.

Best,
Faidon

Bug#1060256: Please enable the Rust parts

[Faidon Liambotis]

A few updates:

On Mon, Jan 08, 2024 at 12:45:35PM +0200, Faidon Liambotis wrote:
> * librust-gag-dev is now in Debian.
 
Still true, but also now moot, as it the dependency has been removed
upstream:
https://github.com/koverstreet/bcachefs-tools/commit/5e224596cfdf9ad9413536482224e2fe79b9e387

> * I don't think librust-parse-display-dev is needed. Upstream indeed
>   has parse-display in Cargo.toml, but as far as I can tell, it's not
>   used anywhere and it's just a spurious dependency? Needs to be
>   forwarded upstream, I think.

Did that, and more dependencies were removed as a result of that
subthread:
https://github.com/koverstreet/bcachefs-tools/commit/5ed0dcc00100c2f361e917760bd114a7af12394a
https://github.com/koverstreet/bcachefs-tools/commit/807cabc4c960347319b5f9566e4d24b28e0183b4

> * The "udev" crate is required, and missing from the
>   missing list. Note that it's distinctly different to
>   librust-libudev-dev. debcargo generates a librust-udev-dev package
>   that seems to build with minor modifications, and no other
>   dependencies.

Still required.

> * A bunch of these packages have mismatched versions. From a quick
>   glance, everything compiled with the versions in Debian, except for
>   rpassword that also required a patch to account for an API change:
>   -rpassword::read_password_from_tty(Some("Enter passphrase: "))?
>   +rpassword::prompt_password("Enter passphrase: ")?

Merged upstream with:
https://github.com/koverstreet/bcachefs-tools/commit/06ff8b55b70fda44d91b31b5511fafd1680a8934

> * bch_bindgen also depends on a custom fork of rust-bindgen, checked out
>   from bcachefs' git. This seems to have only a patch compared to what's
>   shipped in Debian, originating in an upstream issue:
>   https://github.com/rust-lang/rust-bindgen/issues/2240
> 
>   This could perhaps be reported against the Debian package to backport
>   in a debian/patches patch.

This turned out to be more complicated. There's been some discussion on
the upstream bug tracker:
https://github.com/koverstreet/bcachefs-tools/issues/202
including a proposed way forward, that Thomas Bertschinger kindly
implemented:
https://lore.kernel.org/linux-bcachefs/20240122201913.GA207770@fedora-laptop/T/#t

Finally, note that in the meantime main() was converted to Rust, so now
Rust is not just a nice to have, but a necessary dependency to newer
upstream versions:
https://github.com/koverstreet/bcachefs-tools/commit/0a284fc4ffcbb46f0a4b921415ef12a9c75fa05c

To summarize, the next upstream release will make the Rust parts
necessary, but (hopefully) much easier to package. But someone should
upload the only missing dependency, librust-libudev-dev, in the
meantime. (I'd prefer for that someone to not be me :)

Faidon

Bug#1061194: podman: cannot run rootful containers with many layers using overlay driver

[Faidon Liambotis]

Control: reassign -1 src:golang-github-containers-storage 1.43.0+ds1-8
Control: fixed -1 1.45.1+ds1-1
Control: affects -1 src:libpod

On Sun, Jan 21, 2024 at 01:17:46AM +0800, Tee Hao Wei wrote:
> Oh. I just noticed how Debian handles Go dependencies..
> 
> I guess this will actually need to be a cherry-pick to 
> golang-github-containers-storage-dev followed by a rebuild of podman.

That's right, this is technically a golang-github-containers-storage-dev
bug, so reassigning there. FWIW:

$ git describe --contains 7c5964df95c892cfbdbce594cf5a8e2973c70fd7
v1.44.0~28^2
$ git describe --contains d232b36652d55b42a21f1713db7f7d455b837b3c
v1.44.0~9^2
$ git checkout v1.43.0
HEAD is now at 04d8b90f9 Bump to v1.43.0
$ git cherry-pick 7c5964df95c892cfbdbce594cf5a8e2973c70fd7 
d232b36652d55b42a21f1713db7f7d455b837b3c
[...]
$ 
$ git diff --stat v1.43.0..
 drivers/overlay/mount.go   | 97 
-
 drivers/overlay/overlay.go | 50 
 tests/layers.bats  | 40 +--
 3 files changed, 143 insertions(+), 44 deletions(-)

I think that's big enough to make me at least a bit uncomfortable about
a cherry-pick to stable. Could you elaborate on your use case? It sounds
like this manifests only with a large number of layers, and I'm not sure
how common this is.

The alternative to a stable update is a backport of the latest podman
version (currently 4.8.3), plus associated packages like
containers/storage, of course.  It's a moderate amount of work; Reinhard
who's been doing the version updates in unstable could speak more to the
work he's been putting into package updates etc. It would help with
bringing in a lot of more fixes from what I'd consider a very active
upstream. We also have #1059496, as another recent, concrete example.

I'm still unsure and debating targeted s-p-u fixes vs. a backport. My
concern is basically that we may start playing whack-a-mole. A quick
peek at the upstream changelog reveals tons of fixed bugs in every
release, and us trying to keep up by cherry-picking fixes to two years
of upstream development may prove futile...

Thoughts?

Thanks,
Faidon

Bug#1060440: llvm-toolchain-17: 1:17.0.6-4 FTBFS on i386, armel

[Faidon Liambotis]

On Thu, Jan 11, 2024 at 01:02:47PM +, Simon McVittie wrote:
> It looks as though these are already known and already fixed in the
> packaging git repo.

Correct. I introduced these breakages with a couple of recent MRs, and
hopefully fixed them with #130. I asked Sylvestre to hold off until we
have build logs from all (official) architectures, so that's why these
aren't fixed in unstable yet. (mips64el and risv64 are still building,
although mips64el has never built LLVM 17, and my changes are not
expected to fix that.)

Faidon

Bug#1060256: Please enable the Rust parts

[Faidon Liambotis]

On Mon, Jan 08, 2024 at 12:45:35PM +0200, Faidon Liambotis wrote:
> * I don't think librust-parse-display-dev is needed. Upstream indeed
>   has parse-display in Cargo.toml, but as far as I can tell, it's not
>   used anywhere and it's just a spurious dependency? Needs to be
>   forwarded upstream, I think.
> 
> * A bunch of these packages have mismatched versions. From a quick
>   glance, everything compiled with the versions in Debian, except for
>   rpassword that also required a patch to account for an API change:
>   -rpassword::read_password_from_tty(Some("Enter passphrase: "))?
>   +rpassword::prompt_password("Enter passphrase: ")?

For posterity, I just reported these two issues to upstream, alongside a
few other comments:
https://github.com/koverstreet/bcachefs-tools/issues/202

Faidon

Bug#1060256: Please enable the Rust parts

[Faidon Liambotis]

Source: bcachefs-tools
Version: 24+really1.3.4-2
Severity: important

The bcachefs-tools package builds the C portion of the tarball, and not
the parts written in Rust (under rust-src/). This results in a crippled
functionality, such as the missing "mount" binary (#1057295).

There is a README.todo to that effect, that currently says:
> Dependencies available in Debian: librust-byteorder-dev librust-rpassword-dev
> librust-either-dev librust-errno-dev librust-itertools-dev librust-getset-dev
> librust-uuid-dev librust-libudev-dev librust-libc-dev librust-anyhow-dev
> librust-clap-dev librust-colored-dev librust-chrono-dev librust-log-dev
> librust-atty-dev
> 
> Missing dependencies: librust-gag-dev librust-parse-display-dev
> librust-bch-bindgen-dev

This seems a bit inaccurate/outdated, in the following ways:

* librust-gag-dev is now in Debian.

* I don't think librust-parse-display-dev is needed. Upstream indeed
  has parse-display in Cargo.toml, but as far as I can tell, it's not
  used anywhere and it's just a spurious dependency? Needs to be
  forwarded upstream, I think.

* The "udev" crate is required, and missing from the
  missing list. Note that it's distinctly different to
  librust-libudev-dev. debcargo generates a librust-udev-dev package
  that seems to build with minor modifications, and no other
  dependencies.

* A bunch of these packages have mismatched versions. From a quick
  glance, everything compiled with the versions in Debian, except for
  rpassword that also required a patch to account for an API change:
  -rpassword::read_password_from_tty(Some("Enter passphrase: "))?
  +rpassword::prompt_password("Enter passphrase: ")?

* librust-bch-bindgen-dev is not a package that's missing; that's from
  the bcachefs-tools source tree, under rust-src/bch_bindgen/.

* In turn, rust-src/bch_bindgen/ requires librust-bitfield-dev and
  librust-paste-dev, both already in Debian.

* bch_bindgen also depends on a custom fork of rust-bindgen, checked out
  from bcachefs' git. This seems to have only a patch compared to what's
  shipped in Debian, originating in an upstream issue:
  https://github.com/rust-lang/rust-bindgen/issues/2240

  This could perhaps be reported against the Debian package to backport
  in a debian/patches patch.

All in all as far as I can tell the tally is: 1 new easy-to-package Rust
library, 1 patch to a third-party Debian package, 1 patch to
bcachefs-tools, a few Cargo.toml version bumps. That doesn't look too
bad, I guess?

Faidon

Bug#1054620: bcachefs-tools: Issues in packaging and git repo

[Faidon Liambotis]

On Thu, Oct 26, 2023 at 11:00:56PM +0200, Daniel Gröber wrote:
>  - gbp.conf doesn't disable pristine-tar but no pristine-tar branch is
>available, making gbp export-orig fail

In fact, it's *enabling it* (pristine-tar = True).

>  - debian/files was committed to the git repo when it shouldn't be.
> 
>  - The upstream version 24~really1.2 should likely have been s/~/+/
>   24+really1.2. Currently it compares as less than what's in unstable
>   "24".

These seem to be fixed.

>   TBH it seems to me +really isn't appropriate here as it's never
>   going to go away. You should use an epoch instead, after posting on d-devel 
> obv.

Agreed -- I understand wanting to avoid epochs but I think that ship has
sailed. I don't think upstream is going to release v25 anytime soon :)

On a related note, 1.3.4 is behind now; upstream has released v1.4.0 a
couple of weeks ago. bcachefs is now in Linux 6.7 (released yesterday),
so it'd be nice to have up-to-date userspace as well.

Thanks,
Faidon

Bug#984879: podman does not work on Debian with selinux loaded

[Faidon Liambotis]

Hi Laurent & Sam,

On Thu, May 13, 2021 at 10:14:38AM +0200, Laurent Bigonville wrote:
> I see that you reassigned this bug to the refpolicy package and FTR I don't
> completely agree with that.
> 
> Most of the other applications that manipulates SELinux objects are behaving
> nicely when they are running in permissive and the policy is not including
> the type they needed.
> 
> So having the policy implement the needed types is good for a security
> perspective, but podman shouldn't fail hard (and without a clear message).
> 
> This was partially addressed upstream in
> https://github.com/containers/storage/pull/879 (still need to test it)

(I'm going through older bugs in the BTS that affect podman, and trying
to verify if they're still present.)

I read through this bug, plus the associated upstream ones. I know very
little about SELinux, and the upstream bugs themselves do not provide a
ton of extra clarity.

It would help to list all steps needed to reproduce this bug.

Guessing what the problem may be, I tried the following:
  1. Use the Debian sid daily cloud image and boot with QEMU, fully
 up-to-date as of 2024-01-01 (happy new year ;)
  2. adduser user
  3. apt install --no-install-recommends podman slirp4netns uidmap 
dbus-user-session
  4. Verify that "podman run --rm -it debian:sid" runs:
 a. as user "root"
 b. as user "user" (note: do not use sudo, login in another tty instead)
  5. apt install --no-install-recommends selinux-basics selinux-policy-default 
auditd
  6. selinux-activate
  7. Reboot
  8. Run "sestatus" and verify that SELinux status is "enabled" and in
 permissive mode.
  9. "podman run ..." as users "root" & "user" again (cf. step 3).
 10. setenforce 1; sestatus | grep mode
 11. "podman run ..." as users "root" & "user" again (cf. step 3).

In both steps (8) and (10), i.e. even with SELinux in enforcing mode,
both rootful and rootless podman seemed to work for me.

Note that if I install SELinux before podman (so steps 5-8 before 3-4),
then a:
  restorecon -R /var/lib/containers  # for rootful
or
  restorecon -R $HOME/.local/share/containers  # for rootless
are required, but only *after* podman initializes its directory, i.e.
after the first "podman run" invocation. I'm not sure what the SELinux
best practice is for dealing with this, but I assume nothing
podman-specific.

So, should we consider this bug as fixed? Perhaps due to
containers/storage#879 or some other fix?

Regards,
Faidon

Bug#1059677: bullseye-pu: package libpod/3.0.1+dfsg1-3+deb11u5

[Faidon Liambotis]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lib...@packages.debian.org, siret...@tauware.de
Control: affects -1 + src:libpod

[ Reason ]
This will address the no-dsa CVE-2022-2989. The vulnerability has been
fixed upstream and has been in bookworm, trixie and sid for a long
time now.

[ Impact ]
Absence of this patch, podman in bullseye will remain vulnerable to
CVE-2022-2989, as detailed here:
https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/

[ Changes ]
bullseye has v3.0.1. The original fix was included in v4.3.0, and was:
https://github.com/containers/podman/commit/d82a41687e614d9ac8b2d169dee47fe226835e4c

However, upstream (which is mostly RedHat) maintains a separate
"v3.0.1-rhel" branch, where they're backporting fixes to RHEL.

The patch included in this upload is lifted directly from that branch,
with no further changes:
https://github.com/containers/podman/commit/a256d7188c9db64a00a37798e6a2f0f59b5d798f

[ Tests ]
Upstream has an extensive test suite, including unit and integration
testing. Some of those tests running as part of the Debian build
process. The fix has been presumably tested by RHEL users as well.

Furthermore, I've verified that the current package is vulnerable, and
the proposed package addresses the vulnerability, by testing both
deb11u4 and deb11u5 with this PoC code:
https://github.com/sjmurdoch/permission-experiment

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Risks ]
Minimal: upstream has backported and tested this patch themselves, and
versions including this exact patch have been deployed to end (RHEL)
users for over a year now.

[ Other info ]

Thanks,
Faidon
diff -Nru libpod-3.0.1+dfsg1/debian/changelog 
libpod-3.0.1+dfsg1/debian/changelog
--- libpod-3.0.1+dfsg1/debian/changelog 2023-04-17 01:16:11.0 +0300
+++ libpod-3.0.1+dfsg1/debian/changelog 2023-12-29 17:26:49.0 +0200
@@ -1,3 +1,12 @@
+libpod (3.0.1+dfsg1-3+deb11u5) bullseye; urgency=medium
+
+  * CVE-2022-2989: Cherry-pick "Add container GID to additional groups" patch
+from the v3.0.1-rhel upstream branch (itself a backport from v4.3.0), to
+address an incorrect handling of supplementary groups. (Closes: #1019591)
+  * Add myself to Uploaders.
+
+ -- Faidon Liambotis   Fri, 29 Dec 2023 17:26:49 +0200
+
 libpod (3.0.1+dfsg1-3+deb11u4) bullseye; urgency=medium
 
   * Recompile to fix parsing of DBUS_SESSION_BUS_ADDRESS (Closes: #1018816)
diff -Nru libpod-3.0.1+dfsg1/debian/control libpod-3.0.1+dfsg1/debian/control
--- libpod-3.0.1+dfsg1/debian/control   2023-04-17 01:16:11.0 +0300
+++ libpod-3.0.1+dfsg1/debian/control   2023-12-29 17:26:49.0 +0200
@@ -3,7 +3,10 @@
 Priority: optional
 Standards-Version: 4.5.0
 Maintainer: Debian Go Packaging Team 

-Uploaders: Dmitry Smirnov , Reinhard Tartler 

+Uploaders:
+ Dmitry Smirnov ,
+ Reinhard Tartler ,
+ Faidon Liambotis ,
 Build-Depends: debhelper-compat (= 12)
 ,bash-completion
 ,conmon
diff -Nru libpod-3.0.1+dfsg1/debian/.gitlab-ci.yml 
libpod-3.0.1+dfsg1/debian/.gitlab-ci.yml
--- libpod-3.0.1+dfsg1/debian/.gitlab-ci.yml2023-04-17 01:16:11.0 
+0300
+++ libpod-3.0.1+dfsg1/debian/.gitlab-ci.yml1970-01-01 02:00:00.0 
+0200
@@ -1,25 +0,0 @@

-# https://docs.gitlab.com/ce/ci/yaml/#include
-include:
-  - remote: https://salsa.debian.org/onlyjob/ci/raw/master/onlyjob-ci.yml
-
-## "amd64-unstable" always runs by default followed by lintian.
-
-## Job to check Build-Depends versioning:
-amd64-testing_unstable:
-  extends: .build
-  variables:
-arch: amd64
-dist: testing_unstable
-
-i386-unstable:
-  extends: .build
-  variables:
-arch: i386
-dist: unstable
-
-amd64-experimental:
-  extends: .build
-  variables:
-arch: amd64
-dist: experimental
diff -Nru 
libpod-3.0.1+dfsg1/debian/patches/CVE-2022-2989-Add-container-GID-to-additional-groups.patch
 
libpod-3.0.1+dfsg1/debian/patches/CVE-2022-2989-Add-container-GID-to-additional-groups.patch
--- 
libpod-3.0.1+dfsg1/debian/patches/CVE-2022-2989-Add-container-GID-to-additional-groups.patch
1970-01-01 02:00:00.0 +0200
+++ 
libpod-3.0.1+dfsg1/debian/patches/CVE-2022-2989-Add-container-GID-to-additional-groups.patch
2023-12-29 17:26:49.0 +0200
@@ -0,0 +1,89 @@
+From a256d7188c9db64a00a37798e6a2f0f59b5d798f Mon Sep 17 00:00:00 2001
+From: Matthew Heon 
+Date: Fri, 2 Sep 2022 13:40:29 -0400
+Subject: [PATCH] Add container GID to additional groups
+
+Mitigates a potential permissions issue. Mirrors Buildah PR #4200
+and CRI-O PR #6159.
+
+Cherry-pick conflicts for v3.0.1-rhel branch have been addressed.
+
+Signed-off-by: Matthew Heon 
+---
+ libpod/container_

Bug#1021207: lintian: Please reconsider the type and size of field-too-long

[Faidon Liambotis]

On Mon, Oct 03, 2022 at 07:57:36PM +0200, Mathias Behrle wrote:
> E: tryton-modules-all: field-too-long Depends (5604 chars > 5000)
>
> 
>
> Looking at #942943 and #942487 it looks as if the issue with reprepro
> should be mitigated with 
> https://salsa.debian.org/debian/reprepro/-/commit/7cb8fcf53c077467c4f38b5a48f706e7b5f75f4c
> 
> So I am asking for re-evaluation and/or advice
> 
> - if this limitation still stands?
> - if the former is true this shouldn't be rather a warning than an
>   error?
> - if the former is true the only way out is to split the Depends into
>   sub-packages?

For what it's worth, we're seeing this error trigger in podman, for the
Built-Using field (it's golang)

Lintian already has exceptions for "package-list" and "description" (per
#942493), and while we could also add "Built-Using" to the list, I kinda
wonder if this is a game of a whack-a-mole and this heuristic should be
revisited, especially in the light of the reprepro fix mentioned by
Mathias above.

Thanks,
Faidon

Bug#1058090: oscrypto: FTBFS: ModuleNotFoundError: No module named 'imp'

[Faidon Liambotis]

Control: tags -1 + fixed-upstream

Dear maintainer,

On Tue, Dec 12, 2023 at 08:58:48AM +0100, Lucas Nussbaum wrote:
> During a rebuild of all packages in sid, your package failed to build
> on amd64.
>
> 
>
> >   File "/<>/tests/__init__.py", line 4, in 
> > import imp
> > ModuleNotFoundError: No module named 'imp'
> > 

This seems to have been fixed upstream by
https://github.com/wbond/oscrypto/commit/3865f5d528740aa1205d16ddbee84c5b48aeb078

("imp" was replaced by "importlib" in upstream Python.)

So hopefully it's just a matter of a simple backport. Do you have the
time to handle it, or would you like someone else from the Python team
(such as myself) to handle it instead?

Thanks,
Faidon

Bug#1057838: clang-17: c++ include dir from sysroot unexpectedly in include paths when in wasm c mode

[Faidon Liambotis]

Thanks, Sylvestre for the Cc and Israel for the bug report!

On Fri, Dec 15, 2023 at 02:00:55PM +0100, Sylvestre Ledru wrote:
> > The above lines are adding c++ include paths in the
> > method (WebAssembly::AddClangSystemIncludeArgs)
> > for adding only system/c include paths.
> > I think the c++ include paths should only be added in the methods for
> > adding
> > libc++ (WebAssembly::addLibCxxIncludePaths) or libstdc++
> > (WebAssembly::addLibStdCXXIncludePaths) include
> > paths.

Israel, I can confirm that your interpetation is correct :) Can you
confirm whether you're experiencing the same issue with clang-16?

Sylvestre, from a cursory look I think the patch that I recently
provided, the one that you applied and was included in the
src:llvm-toolchain-16 1:16.0.6-19 upload, has not been carried over to
at least the 17 branch. I think this will probably fix this bug as well.

Thanks,
Faidon

Bug#1036697: asterisk: CVE-2023-27585

[Faidon Liambotis]

Dear Jonas,

On Mon, Aug 07, 2023 at 03:51:51PM +0300, Faidon Liambotis wrote:
> Dear maintainer, security team,
> 
> (See #1032092 for a similar bug with an almost equivalent response)

I've seen that you've uploaded a couple new upstream releases of
Asterisk in the time since my last response.

Given these are severity: grave bugs, and I believe are most likely
resolved, would it be possible for you to have a look here?

Thanks,
Faidon

Bug#897277: decrease e2fsprogs' Priority: required

[Faidon Liambotis]

Hi Ted,

On Wed, Aug 18, 2021 at 01:41:36AM +0300, Faidon Liambotis wrote:
> I haven't received a response for this. We are now at the beginning of
> the aforementioned bookworm cycle, so I thought it may be a good
> opportunity to bump this :) Do you have any thoughts?

It's now been 2½ years since I last followed up on this bug, and 5½
since your last response where you said you'd "batch it with some other
bug fixes in the next e2fsprogs minor release" and that would happen "by
early June [2018] at the latest".

Has this fallen through the cracks? Have you changed your mind? Would it
be possible to get an update here?

Thanks,
Faidon

Bug#999664: Package severely outdated (unmaintained?)

[Faidon Liambotis]

Control: retitle -1 Package needs an active maintainer

On Sun, Nov 14, 2021 at 02:46:41PM +0200, Faidon Liambotis wrote:
> Debian is currently shipping ipv6calc 1.0.0. Upstream has released 12
> new upstream releases since, and is currently at 4.0.0.

Upstream has been regularly making releases and is now at 4.1.0.

I discussed this a bit in #debian-qa, and after a bit of encouragement,
I decided to work a bit on this package, to bring it up to date.

I uploaded 4.1.0-0.1 to the archive moments ago. This is definitely an
unusual NMU for me, as I refactored the package almost entirely. I hope
that's OK. I basically ran across into a number of issues and it would
be much more difficult for me to debug them using so antiquated
packaging standards and tooling (e.g. it wasn't even using dh), than it
was to just bring it forward to 2023 and then work from there.

I tried to be considerate and went with as much of a standard packaging
as possible, and left a bunch of comments. I also filed a bunch of
upstream issues¹ to raise everything that is an upstream issue, and left
breadcrumbs across debian/ to point to these bugs.

I'll monitor the BTS for any issues in the short-term, but not the
long-term: I am not stepping up to (co)maintain this. This is also why I
did not follow the salvaging process.

Therefore, I'm leaving this bug open for either Luca or anyone else that
decides to step up. Hopefully the work I did today is going to make this
a much easier endeavour :)

Regards,
Faidon

1: https://github.com/pbiering/ipv6calc/issues/created_by/paravoid

Bug#1042609: sphinxcontrib-mermaid: FTBFS with Sphinx 7.1, docutils 0.20: Could not import sphinx.util.SphinxParallelError (exception: No module named 'sphinx.util.SphinxParallelError')

[Faidon Liambotis]

Hi,

This is now RC, which means sphinxcontrib-mermaid has been marked for
autoremoval, including its reverse dependencies (one of which I
maintain).

On Sun, Jul 30, 2023 at 08:30:07PM +0200, Lucas Nussbaum wrote:
> sphinxcontrib-mermaid fails to build with Sphinx 7.1 and docutils 0.20, both 
> of which
> are currently available in experimental.
> 
> Relevant part (hopefully):
> [...]
> > reading sources... [ 50%] index
> > 
> > Mermaid error:
> > Could not import sphinx.util.SphinxParallelError (exception: No module 
> > named 'sphinx.util.SphinxParallelError')

Upstream commit 6f8de39¹, the only commit since 0.9.2, replaces
sphinx.util.SphinxParallelError by sphinx.util.DownloadFiles. 

I've verified that backporting this commit makes the package build
successfully in unstable, with Sphinx 7.2.6-2.

However, the very same commit changes requirements.txt from
"Sphinx>=3.2.1" to "Sphinx<7".

I'm not sure why. I'm not using, nor am I familiar with this plugin, so
I was hoping someone else that is could perhaps validate whether besides
being able to be built, the package actually works.

Hope this helps,
Faidon

1: 
https://github.com/mgaitan/sphinxcontrib-mermaid/commit/6f8de39a84fddc398542e9d4dc74ba55101e7d5e

Bug#1055864: Please recommend lowdown in addition to (or instead of) pandoc

[Faidon Liambotis]

Package: dh-make
Version: 2.202301
Severity: wishlist
X-Debbugs-Cc: ius...@debian.org

A few years ago, a bug was filed against one of my packages, #956041, to
report that build-depending on pandoc is a bit of a nuisance for ports
architectures and bootstrapping, as it has a long depends of B-Ds
itself, including the Haskell toolchain.

My package was merely using pandoc to generate a manpage from a Markdown
document, quite similar to dh-make's debian/manpage.md.ex template. The
bug reporter's suggestion to use Build-Depends-Indep was also not a
viable one, as the manpage had to be shipped with the binary itself, and
a separate -doc package did not make sense for this use case.

To resolve this request, I packaged "lowdown", which is a Markdown
translator, including to the man format. It is a very small binary,
depending only on libbsd (which is widely available). I've been
maintaining it since bullseye, for a couple of years now, and upstream
has been fairly responsive adding features such as Pandoc's metadata
header. There are other translators such as go-md2man etc., but none as
lightweight and comprehensive as lowdown, IMHO.

It seems that most are not familiar with Pandoc alternatives. For
example, from a recent thread on debian-devel:
  https://lists.debian.org/msgid-search/zswgm0nc9ax7u...@teal.hq.k1024.org

I think it'd be helpful if the dh-make templates recommended lowdown in
addition to, or even instead of, Pandoc. That way we'll be giving a
lightweight option to fellow developers interested in writing a manpage
using a modern markup language.

The corresponding command-line syntax is:
   lowdown -s -Tman -o output.1 input.md

Thanks,
Faidon

Bug#1055826: bullseye-pu: package crun/0.17+dfsg-1+deb11u2 (bullseye regression)

[Faidon Liambotis]

On Sun, Nov 12, 2023 at 03:06:34PM +, Adam D. Barratt wrote:
> On Sun, 2023-11-12 at 09:56 +0200, Faidon Liambotis wrote:
> > A change merged into Linux v6.6 broke crun. The change was backported
> > in the stable branch with v6.1.55, the version in bookworm. We fixed
> > crun last week crun 1.8.1-1+deb12u1 (unblock request: #1055241).
> > 
> > Salvatore Bonaccorso pointed out that the change was backported into
> > all the stable branches, including v5.10.197, the version now in
> > bullseye. bullseye's crun, v0.17, is also affected, therefore
> > bullseye crun + bullseye Linux (or bullseye crun+bullseye-backports
> > Linux etc.) are now broken as well.
> 
> I guess you'd like that pushed via bullseye-updates, once it's ready,
> as with the bookworm update?

Yes please :)

Thanks!
Faidon

Bug#1055773: esptool: CVE-2023-46894

[Faidon Liambotis]

On Sat, Nov 11, 2023 at 08:51:30AM +0100, Salvatore Bonaccorso wrote:
> The following vulnerability was published for esptool.
> 
> CVE-2023-46894[0]:
> | An issue discovered in esptool 4.6.2 allows attackers to view
> | sensitive information via weak cryptographic algorithm.
> 
> If I undestand the upstream discussion[1] correctly this is not
> something hich is going to be fixed until the oldest earliest chips
> are not supported anymore. So this bug is merely for documentation
> purpose and can be closed once this support vanishes (or feel free to
> aswer the above, we might then simply mark it as unimportant in the
> security-tracker.

I'd go one step further, and express that IMHO this is not a security
vulnerability and that it shouldn't have been assigned a CVE in the
first place.

As you mentioned, based on upstream's comment above, old revisions of
one of the supported chipsets were using AES ECB for secure boot and
flash encryption, but newer ones have switched to newer cryptographic
algorithms. esptool has kept support for the older algorithms, in order
to keep the ability to work with older revisions of the hardware.

Obviously software shouldn't default or recommend broken cryptographic
ciphers, when it can be avoided. But I don't think it constitutes a
vulnerability to merely implement them, when they are used to interface
with the world as it exists outside of your software, such as for
compatibility with hardware, network protocols etc.

This is the equivalent of saying that coreutils is vulnerable because it
ships md5sum, an implementation of a broken digest, or that browsers
need a CVE for supporting older TLS ciphers, etc. Or perhaps even that
python-cryptography itself needs a CVE because it ships an
implementation of AES-ECB (or 3DES or whatever) :)

Let me know if you disagree! Keeping the bug open until I hear from you.

Thanks,
Faidon

Bug#1055826: bullseye-pu: package crun/0.17+dfsg-1+deb11u2 (bullseye regression)

[Faidon Liambotis]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: c...@packages.debian.org, car...@debian.org
Control: affects -1 + src:crun

A change merged into Linux v6.6 broke crun. The change was backported in
the stable branch with v6.1.55, the version in bookworm. We fixed crun
last week crun 1.8.1-1+deb12u1 (unblock request: #1055241).

Salvatore Bonaccorso pointed out that the change was backported into all
the stable branches, including v5.10.197, the version now in bullseye.
bullseye's crun, v0.17, is also affected, therefore bullseye crun +
bullseye Linux (or bullseye crun+bullseye-backports Linux etc.) are now
broken as well.

This upload just backports the same two patches that we backported to
bookworm and that are needed to address this issue. The patches apply
with minimal changes. There are no other changes included in this
upload.

See the bookworm-pu unblock request, #1055241, and SUA 243-1, for more
context.

[ Tests ]
Lightly tested on a bullseye VM.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Thanks,
Faidon
diff -Nru crun-0.17+dfsg/debian/changelog crun-0.17+dfsg/debian/changelog
--- crun-0.17+dfsg/debian/changelog 2023-02-11 23:44:44.0 +0200
+++ crun-0.17+dfsg/debian/changelog 2023-11-02 18:52:46.0 +0200
@@ -1,3 +1,12 @@
+crun (0.17+dfsg-1+deb11u2) bullseye; urgency=medium
+
+  * Backport two commits from upstream ("ignore ENOTSUP when chmod a
+symlink"), that restore containers with systemd as their init system, when
+running under Linux >= v6.6, >= v6.1.55 and >= 5.10.197, i.e. bullseye's
+and bookworm's current stable kernels. (Closes: #1053821)
+
+ -- Faidon Liambotis   Thu, 02 Nov 2023 18:52:46 +0200
+
 crun (0.17+dfsg-1+deb11u1) bullseye; urgency=medium
 
   * Backport upstream commits b847d14 ("spec: do not set inheritable
diff -Nru crun-0.17+dfsg/debian/patches/series 
crun-0.17+dfsg/debian/patches/series
--- crun-0.17+dfsg/debian/patches/series2023-02-11 23:44:44.0 
+0200
+++ crun-0.17+dfsg/debian/patches/series2023-11-02 18:52:46.0 
+0200
@@ -1,2 +1,4 @@
 CVE-2022-27650-b847d14.patch
 CVE-2022-27650-1aeeed2.patch
+utils-ignore-ENOTSUP-when-chmod-a-symlink.patch
+utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch
diff -Nru 
crun-0.17+dfsg/debian/patches/utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch
 
crun-0.17+dfsg/debian/patches/utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch
--- 
crun-0.17+dfsg/debian/patches/utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch
   1970-01-01 02:00:00.0 +0200
+++ 
crun-0.17+dfsg/debian/patches/utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch
   2023-11-02 18:52:46.0 +0200
@@ -0,0 +1,36 @@
+From 60296f112fddc74f4926f8ca6f6e1ef7a61ef5b9 Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano 
+Date: Tue, 26 Sep 2023 11:51:19 +0200
+Subject: [PATCH] utils: fix ignore ENOTSUP when chmod a symlink
+
+when ENOTSUP is encountered we must continue copying the other files,
+not doing an early return.
+
+commit 57262a2710c83fa08767f0ce3ba7a80993515bb2 introduced the
+regression with the Podman CI.
+
+Signed-off-by: Giuseppe Scrivano 
+
+Origin: upstream, 
https://github.com/containers/crun/commit/14afa8a46e2e83608a3a219402bce8ea8d071192
+Bug: https://github.com/containers/crun/issues/1308
+Bug-Debian: https://bugs.debian.org/1053821
+---
+ src/libcrun/utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libcrun/utils.c b/src/libcrun/utils.c
+index 5c7f315..5306c5b 100644
+--- a/src/libcrun/utils.c
 b/src/libcrun/utils.c
+@@ -1858,7 +1858,7 @@ copy_recursive_fd_to_fd (int srcdirfd, int dfd, const 
char *srcname, const char
+ {
+   /* If the operation fails with ENOTSUP we are dealing with a 
symlink, so ignore it.  */
+   if (errno == ENOTSUP)
+-return 0;
++continue;
+ 
+   if (UNLIKELY (ret < 0))
+ return crun_make_error (err, errno, "chmod `%s/%s`", destname, 
de->d_name);
+-- 
+2.39.2
+
diff -Nru 
crun-0.17+dfsg/debian/patches/utils-ignore-ENOTSUP-when-chmod-a-symlink.patch 
crun-0.17+dfsg/debian/patches/utils-ignore-ENOTSUP-when-chmod-a-symlink.patch
--- 
crun-0.17+dfsg/debian/patches/utils-ignore-ENOTSUP-when-chmod-a-symlink.patch   
1970-01-01 02:00:00.0 +0200
+++ 
crun-0.17+dfsg/debian/patches/utils-ignore-ENOTSUP-when-chmod-a-symlink.patch   
2023-11-02 18:52:46.0 +0200
@@ -0,0 +1,48 @@
+From 3bc67556e2f077337e574e4c3aaf18488410b2f5 Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano 
+Date: Fri, 22 Sep 2023 11:34:19 +0200
+Subject: [PATCH] utils: ignore ENOTSUP when chmod a symlink
+
+commit 5d1f903f75a80daa4dfb3d84e114ec8ecbf29956 in the kerne

Bug#1055392: wasmedge: autopkgtest regression: 'cstdint' file not found

[Faidon Liambotis]

Control: affects 1052002 - wasmedge
Control: affects 1052002 + src:wasmedge

On Thu, Nov 09, 2023 at 09:52:04AM +0100, Paul Gevers wrote:
> > Hi Paul,
> > Thank you for your report. This is caused #1052002, which I had marked
> > as affects: wasmedge previously.
> 
> Sorry for not checking that, but because you marked it as affecting the
> *binary* package wasmedge, it doesn't show up looking for bugs in the source
> package wasmedge (that may be a bts bug). Because this is a FTBFS issue, I
> recommend you to mark it affects src:wasmedge instead of wasmedge.

Alright, fair enough. Hopefully fixed above?

> > Also, I'm not sure I understand how clang migrated to testing when it
> > introduced an autopkgtest regression in another package. Isn't
> > autopkgtest integration in britney supposed to prevent this kind of
> > thing from happening?
> 
> britney prevents this kind of things currently only for *direct* reverse
> (test) dependencies. In this case we have:
> 
> test/Depends: clang (from src:llvm-defaults) -> (Depends) clang-16
> 
> As I'm pretty sure you meant not clang, but one of the versioned clang
> packages, britney didn't see the breakage. There are multiple ways to
> improve this:
> * britney should look at all transitive dependencies (we lack the resources
> and also not environmentally friendly)
> * britney could be taught to translate (automatically or via configuration)
> "-defaults" packages to their real packages. This would be good for multiple
> ecosystems, patches welcome.
> * Individual packages that are sensitive could use the
> `hint-testsuite-triggers` trick from the autopkgtest spec [1] and add the
> current real packages. That's a PITA to maintain though, and adding versions
> that you don't really test is wrong.

Hrm, that's useful context and in hindsight makes a lot of sense. Thanks
so much for spending the time to explain this to me!

In the meantime, I'll mark the embed-cxx test as flaky in the next
WasmEdge upload until the clang-16 bug gets fixed.

Best,
Faidon

Bug#1055392: wasmedge: autopkgtest regression: 'cstdint' file not found

[Faidon Liambotis]

Hi Paul,

On Sun, Nov 05, 2023 at 01:45:34PM +0100, Paul Gevers wrote:
> Source: wasmedge
> Version: 0.13.4+dfsg-1
> Severity: serious
> User: debian...@lists.debian.org
> Usertags: regression
> 
> Dear maintainer(s),
> 
> Your package has an autopkgtest, great. However, it fails. Can you please
> investigate the situation and fix it? I copied some of the output at the
> bottom of this report.
> 
> The release team has announced [1] that failing autopkgtest on amd64 and
> arm64 are considered RC in testing.
> 
> More information about this bug and the reason for filing it can be found on
> https://wiki.debian.org/ContinuousIntegration/RegressionEmailInformation
> 
> [...]
>
> 140s #   `clang++ --target=wasm32-wasi -o fibonacci.wasm
> -mexec-model=reactor script/fibonacci.cpp' failed
> 140s # In file included from script/fibonacci.cpp:1:
> 140s # script/fibonacci.h:3:10: fatal error: 'cstdint' file not found

Thank you for your report. This is caused #1052002, which I had marked
as affects: wasmedge previously.

Basically, the autopkgtest compiles a piece of code (with Clang) and
tries to run it (with WasmEdge). The Clang++ regression means the code
cannot be built.

I don't know how you'd like ot handle this w.r.t. the BTS, and testing
migrations. I'm inclined to just reassign/merge it to the bug above, but
I'll wait for your opinion first.

Also, I'm not sure I understand how clang migrated to testing when it
introduced an autopkgtest regression in another package. Isn't
autopkgtest integration in britney supposed to prevent this kind of
thing from happening?

Looking for your guidance,
Faidon

Bug#1052002: firefox: FTBFS: ERROR: Cannot find wasi headers or problem with the wasm compiler. Please fix the problem. Or build with --without-wasm-sandboxed-libraries

[Faidon Liambotis]

Control: reopen -1
Control: found -1 1:16.0.6-17

This is still not fixed :( Mike's findings still stand:

On Sat, Sep 16, 2023 at 05:53:55AM +0900, Mike Hommey wrote:
> This is a regression from the upgrade to clang 16.
> 
> with clang 14:
> #include "..." search starts here:
> #include <...> search starts here:
>  /usr/include/wasm32-wasi/c++/v1
>  /usr/lib/llvm-14/lib/clang/14.0.6/include
>  /usr/local/include
>  /usr/include/wasm32-wasi
>  /usr/include
> End of search list.
> 
> with clang 16:
> #include "..." search starts here:
> #include <...> search starts here:
>  /usr/lib/llvm-16/lib/clang/16/include
>  /usr/local/include
>  /usr/include/wasm32-wasi
>  /usr/include
> End of search list.
> 
> Note how /usr/include/wasm32-wasi/c++/v1 is missing.

Test case:
  $ apt install clang lld libclang-rt-dev-wasm32 libc++-dev-wasm32
  $ cat > hello.cpp <
  
  int main() {
std::cout << "hello world" << std::endl;
return 0;
  }
  EOF
  $ /usr/bin/clang++ -v --target=wasm32-wasi hello.cpp

Only C++ include paths are affected, not C. This almost certainly has to
do with the patch we carry for wasm include paths, that I have
contributed to. Unfortunately I have no time to look into it right now
:( I may find some time in a couple of weeks, but hoping someone else
can take care of it in the meantime :/

Best,
Faidon

Bug#1055241: bookworm-pu: package crun/1.8.1-1+deb12u1 (bookworm regression)

[Faidon Liambotis]

Package: release.debian.org
Severity: important
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: c...@packages.debian.org
Control: affects -1 + src:crun

[ Reason ]
Linux v6.6 blocked the mode change of symlinks, with commit
5d1f903f75a80daa4dfb3d84e114ec8ecbf29956 ("attr: block mode changes of
symlinks").

This was in turn backported to v6.1.55, with
6a84939cc7dd6f970c2621ded82c4d9ea0068b1b, and is part of src:linux
6.1.55-1, which is the version currently in bookworm.

This breaks crun 1.8.1, as found in bookworm, when running containers
with systemd as the init system.

The issue has been addressed upstream with commit
57262a2710c83fa08767f0ce3ba7a80993515bb2 ("ignore ENOTSUP when chmod a
symlink"), as well as 14afa8a46e2e83608a3a219402bce8ea8d071192 ("utils:
fix ignore ENOTSUP when chmod a symlink"), both part of crun 1.9.1.

[ Impact ]
Users are unable to start containers running systemd as their init
system. For example this now fails:
  podman run --rm -d docker.io/jrei/systemd-debian:12

[ Tests ]
The manual test as mentioned above, as well as non-systemd images that
continue to work, like:
  podman run --rm -it debian:sid

(Sadly we don't have any automated tests. crun in unstable now has
autopkgtests, but even these have the isolation-machine restriction and
are thus inoperable in Debian's CI, so I've elected to not backport them
here.)

[ Risks ]
The code is pretty trivial, I think, and has been part of upstream since
v1.9.1, released in September 26. trixie has v1.11, and sid has v1.11.1.

No alternatives that I know of.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
One change, effectively: to ignore ENOTSUP when chmod'ing a symlink,
/run/shm in the most popular broken case.

[ Other info ]
This has been reported by multiple users, cf. #1053821.

Given this constitutes a regression introduced by another package's
stable update, I consider this is an urgent issue, and ask for RMs to
copy this to stable-updates.

Thanks,
Faidon
diff -Nru crun-1.8.1/debian/changelog crun-1.8.1/debian/changelog
--- crun-1.8.1/debian/changelog 2023-02-27 22:01:38.0 +0200
+++ crun-1.8.1/debian/changelog 2023-11-02 18:52:46.0 +0200
@@ -1,3 +1,13 @@
+crun (1.8.1-1+deb12u1) bookworm; urgency=medium
+
+  * Backport two commits from upstream ("ignore ENOTSUP when chmod a
+symlink"), that restore containers with systemd as their init system, when
+running under Linux >= v6.6 and >= v6.1.55, i.e. bookworm's current stable
+kernel. (Closes: #1053821)
+  * Move myself to Maintainer, and Dmitry to Uploaders.
+
+ -- Faidon Liambotis   Thu, 02 Nov 2023 18:52:46 +0200
+
 crun (1.8.1-1) unstable; urgency=medium
 
   * New bugfix upstream release.
diff -Nru crun-1.8.1/debian/control crun-1.8.1/debian/control
--- crun-1.8.1/debian/control   2023-02-27 22:01:38.0 +0200
+++ crun-1.8.1/debian/control   2023-11-02 18:52:46.0 +0200
@@ -2,9 +2,9 @@
 Section: admin
 Priority: optional
 Standards-Version: 4.6.2
-Maintainer: Dmitry Smirnov 
+Maintainer: Faidon Liambotis 
 Uploaders:
- Faidon Liambotis ,
+ Dmitry Smirnov ,
  Reinhard Tartler ,
 Build-Depends:
  automake,
diff -Nru crun-1.8.1/debian/patches/series crun-1.8.1/debian/patches/series
--- crun-1.8.1/debian/patches/series1970-01-01 02:00:00.0 +0200
+++ crun-1.8.1/debian/patches/series2023-11-02 18:52:46.0 +0200
@@ -0,0 +1,2 @@
+utils-ignore-ENOTSUP-when-chmod-a-symlink.patch
+utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch
diff -Nru 
crun-1.8.1/debian/patches/utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch 
crun-1.8.1/debian/patches/utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch
--- 
crun-1.8.1/debian/patches/utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch   
1970-01-01 02:00:00.0 +0200
+++ 
crun-1.8.1/debian/patches/utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch   
2023-11-02 18:52:46.0 +0200
@@ -0,0 +1,36 @@
+From 60296f112fddc74f4926f8ca6f6e1ef7a61ef5b9 Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano 
+Date: Tue, 26 Sep 2023 11:51:19 +0200
+Subject: [PATCH] utils: fix ignore ENOTSUP when chmod a symlink
+
+when ENOTSUP is encountered we must continue copying the other files,
+not doing an early return.
+
+commit 57262a2710c83fa08767f0ce3ba7a80993515bb2 introduced the
+regression with the Podman CI.
+
+Signed-off-by: Giuseppe Scrivano 
+
+Origin: upstream, 
https://github.com/containers/crun/commit/14afa8a46e2e83608a3a219402bce8ea8d071192
+Bug: https://github.com/containers/crun/issues/1308
+Bug-Debian: https://bugs.debian.org/1053821
+---
+ src/libcrun/utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libcrun/utils.c b/src/libcrun/utils.c
+index e5a82be..74bcf6

Bug#1053821: bookworm patch?

[Faidon Liambotis]

Control: severity -1 important 

On Thu, Nov 02, 2023 at 10:43:46AM -0500, Jesse Hathaway wrote:
> Since this bug affects the current version in bookworm, v1.8.1, would
> there be a possibility of adding the upstream patch to bookworm's
> version? I tested applying the patches atop v1.8.1 and they apply
> cleanly, and fix the issue as well.
> 
> git checkout -b bookworm 1.8.1
> git cherry-pick 57262a2710c83fa08767f0ce3ba7a80993515bb2
> git cherry-pick 14afa8a46e2e83608a3a219402bce8ea8d071192

Despite Austin's description noting this, I had read the bug a bit in
haste and thought this was only affecting crun 1.8.1 + Linux >= 6.6 (as
crun's commit message mentioned). In other words, a combination of (crun
from bookworm) + (Linux from sid), which, while not great, wasn't that
big of an issue.

However, after discussing this further with Jesse, I realized that the
kernel commit in question (5d1f903f75a80daa4dfb3d84e114ec8ecbf29956,
"attr: block mode changes of symlinks") has been backported as a stable
upate to 6.1.55 (6a84939cc7dd6f970c2621ded82c4d9ea0068b1b), in turn part
of src:linux 6.1.55-1, currently in bookworm.

This means that bookworm's crun, combined with bookworm's current
kernel, is broken when running containers with systemd as the init
system.

A simple test case is:
  podman run --rm -d docker.io/jrei/systemd-debian:12

I'm going to prepare a stable update backporting these two commits,
hopefully resolving this incompatibility.

Thanks all!
Faidon

Bug#1052976: Update debian/copyright with upstream's 2.0.0 AGPL->MIT change

[Faidon Liambotis]

Source: mold
Version: 2.2.0+dfsg-1
Severity: normal

With mold 2.0.0 upstream relicensed the project from the AGPL v3.0, to
the MIT (or as we call it in Debian, Expat) license. Given the
restrictions of the AGPL, this is a major change which could open up
mold to more users.

debian/copyright (as of 2.2.0+dfsg-1) has not been updated to reflect
this change, and is thus potentially misleading users. This should be
easy to fix :)

While looking into it, I noticed that a bunch of the code shipped in
thirdparty/ is not documented in d/copyright -- namely, blake3,
rust-demangle, xxhash, zlib, zstd.

Given you're repacking the sources anyway, perhaps the appropriate move
here is to just strip the ones shipped in Debian already (xxhash, zlib
and zstd, I believe) from the source, and document the rest?

Thanks,
Faidon

Bug#1052387: geoipupdate: Please add dependency on ca-certificates

[Faidon Liambotis]

Control: tags -1 pending

Hi Arnaud,

On Thu, Sep 21, 2023 at 04:19:25PM +0700, Arnaud Rebillout wrote:
> geoipupdates talks to MaxMind servers over HTTPS, so it needs the
> package ca-certificates to be functional. Otherwise:

Thanks so much for taking the time to report this! That's a good point.
I pushed a commit in git that adds such a dependency. I'll work on a
couple more issues, and wait for a few days to see if anything more
accumulates, then upload a new version.

Let me know if you find any more issues. I don't use this package much
these days, so I could always hear more from users!

Best,
Faidon

Bug#1051815: wasmedge - autopkgtest failure with rustc 1.68

[Faidon Liambotis]

Control: reassign -1 rustc 1.68.2+dfsg1-1
Control: retitle -1 Builds invalid wasm32 binaries (1.67->1.68 regression)

On Tue, Sep 12, 2023 at 10:56:57PM +0100, Peter Green wrote:
> The autopkgtests for wasmedge fail with rustc 1.68, I have observed this with
> both testing and unstable's versions of wasmedge, and with both testing and
> unstable's versions of wasi-lib.

Thanks for the report. Actually, I think the WasmEdge autopkgtests are
catching a rustc 1.68 regression, whereas rustc compiles wasm32 binaries
that do not work with neither WasmEdge, nor Wasmtime (the latter is not
in Debian).

Very simple test case:

$ podman run --rm -it debian:sid  # or bookworm to test with rustc 1.67

root@ad697f1c195f:~# apt install rustc libstd-rust-dev-wasm32
[...]
root@ad697f1c195f:~# rustc -V
rustc 1.68.2
root@ad697f1c195f:~# cat > hello.rs 

Bug#1043415: netdata: Integrated web server displays "File does not exist, or is not accessible: "

[Faidon Liambotis]

Control: severity -1 grave

On Thu, Aug 10, 2023 at 04:43:18PM +0200, Marc Riedel wrote:
> When opening http://localhost:1, only "File does not exist, or is not
> accessible: " is displayed. Maybe related to commit "Refreshing allow-
> symlinks.patch."

I just tried installing netdata to experiment with it, and I couldn't
get the most basic out-of-the-box configuration to work due to this bug.
Hence setting the severity to grave. I rebuilt with the allow-symlinks
patch disabled and everything seemed to work, so I guess the fix may be
easy enough :)

(The package already has a couple more severity: serious bugs and is
marked for autoremoval from testing, so it won't make a huge
difference...)

Faidon

Bug#1039958: autopkgtest-build-podman: Image creation fails with "sd-bus call: Permission denied"

[Faidon Liambotis]

On Fri, Jun 30, 2023 at 12:52:31PM +0200, Gioele Barabucci wrote:
> autopkgtest-build-podman's failure is due to the issue reported in [1], i.e.
> the Debian setup of podman requires `dbus-user-session`, but none of the
> podman-related packages Depends on it.

podman may not Depend on dbus-user-session, but it Recommends it. I
believe that is because podman may be used in a number of different
configurations some of which may require dbus-user-session, while others
may not.

Per Policy § 7.2, "The Recommends field should list packages that would
be found together with this one in all but unusual installations".
Basically, if you explicitly decide to not install a Recommends, it is
expected that certain configurations or functionalities of the package
break.

Therefore I don't see how this is a bug, rather than a misconfiguration.
Am I missing something?

Thanks,
Faidon

Bug#1043168: please include missing stub_flasher_32.json file

[Faidon Liambotis]

Control: block -1 by 868895

On Sun, Aug 06, 2023 at 10:12:30PM +0200, Piotr Ożarowski wrote:
> I had to add stub_flasher_32.json file manually from upstream repo in
> order to make my esphome (not yet in Debian, working on it) work with
> ESP32 WROOM 32 board.
> 
> Please include this file in the package. TIA

Not sure if that's entirely clear to you (apologies if it is): that file
isn't "just" a JSON data file that has been accidentally omitted from
the package. It's in fact a (JSON-wrapped) binary, compiled from C
sources bundled with the esptool source (and built with gcc, and a libc
and everything). So it's not a matter of including the file, but rather
rebuilding it.

A lot of work has happened in Debian and with upstream over the years to
build these binaries from unmodified sources, which culminated with
Debian shipping the stubs for the ESP8266, as well as for the ESP32
RISC-V variants (ESP32-C2, ESP32-C3, ESP32-C6, ESP32-H2). See the
4.5.1+dfsg-0.1 and 4.6.2+dfsg-0.1 changelog entries, Debian bug #948096,
as well as upstream issues #458, #499 and PRs #500, #501, #856, #858.

The reason that the same has not happened yet for the ESP32, ESP32-S2
and ESP32-S3 stubs is that we lack the toolchain for them in Debian
(gcc, binutils & picolibc). picolibc seems to have gained ESP32 support
upstream in 1.7.9, and Keith Packard is both upstream and the Debian
maintainer for it, so I suppose it won't be too hard to persuade him.
gcc and binutils are more complicated. #868895 provides some context,
and Jonathan McDowell, who maintains gcc-xtensa-lx106 and
binutils-xtensa-lx106, is aware of the need. I think there is more of a
backstory there, but he has the details.

Note that the ESP-IDF is thankfully *not* needed anymore (see upstream
#458).

As an alternative, we could probably ship these three stubs as built by
upstream separately in non-free, but I wasn't motivated enough, and I
was hoping we'd get the toolchain in Debian at some point. (I'm not even
the maintainer for esptool. If you're interested, I'm sure Milan will
appreciate the help!).

Finally, note that the stub isn't always necessary. --no-stub should
work for some, but not all, operations, sometimes at slower speeds.

Hope this helps!

Faidon

Bug#1050439: Requires Sphinx >= v6.0 while unstable has v5.3

[Faidon Liambotis]

Source: furo
Version: 2023.08.19+dfsg-1
Severity: grave

furo 2023.08.19+dfsg-1 requires Sphinx v6.0:
  $ grep -r 'require_sphinx(' /usr/lib/python3/dist-packages/furo
  /usr/lib/python3/dist-packages/furo/__init__.py:app.require_sphinx("6.0")

However:
  $ rmadison -s unstable python3-sphinx
  python3-sphinx | 5.3.0-7   | unstable   | all

This makes furo unusable:
  $ python3 -m sphinx -N -bhtml docs/ build/html
  Running Sphinx v5.3.0
  making output directory... done
  
  Sphinx version error:
  The furo extension used by this project needs at least Sphinx v6.0; it 
therefore cannot be built with this version.

...and breaks unrelated packages build-depending on it. I encountered
this while trying to upload a new version of tox. I'd expect the same
for the 29 packages Build-Depending on furo.

I don't know what to do at this point -- it's perhaps worth checking
with the Sphinx maintainer to see if they intend to upload a newer
version of Sphinx in the coming (very few) days, as 7.1 is already
staged in experimental.

Otherwise, backing out the commits that require the version bump, or the
version altogether, ASAP seems necessary given the impact crater.

In any case, I'd strongly suggest adding some kind of test (either at
build-time, or autopkgtests, ideally both) to avoid this kind of thing
from accidentally happening again. We're humans and bound to miss
something like that over time, so adding safeguards seems prudent :)

Regards,
Faidon

Bug#1047718: liblld-X-dev should probably depend on zlib1g-dev/libzstd-dev

[Faidon Liambotis]

Control: reopen -1
Control: severity -1 serious

On Fri, Aug 18, 2023 at 07:21:05AM +, Debian Bug Tracking System wrote:
>* Also build-depend on libzstd-dev (Closes: #1047718)

Thanks for this, but the bug report was not about a Build-Depends, but
rather for a (runtime) Depends from a -dev package to another -dev
package, namely liblld-16-dev -> libzstd-dev, as well as liblld-16-dev
-> zlib1g-dev. Therefore the bug is still present, as far as I can tell.

I saw #1050071, where Sylvestre started planning the llvm-defaults 16
transition. With this bug open, the switch will make WasmEdge FTBFS,
therefore I'm upping the severity to "serious".

(I can of course add these two transitive B-Ds to the WasmEdge B-D to
workaround this, but I don't think that's the right place for them. Let
me know if you disagree).

Thanks,
Faidon

Bug#1049968: Warnings and tables not rendered with groff 1.23

[Faidon Liambotis]

Package: go-md2man
Version: 2.0.2+ds1-1
Severity: important
X-Debbugs-Cc: g.branden.robin...@gmail.com, cjwat...@debian.org
Control: forwarded -1 https://github.com/cpuguy83/go-md2man/issues/99

go-md2man generates output that is invalid and with groff 1.23:
1) does not render tables, producing these warnings:
   "warning: tbl preprocessor failed, or it or soelim was not run; table(s) 
likely not rendered (TE macro called with TW register undefined)"
2) produces "warning: cannot select font 'C'" warnings 

I bumped into this with the package crun, that I maintain. Reproducing
is as easy as trying to generate and display crun.1 from crun.1.md in
that source package.

Someone else reported this upstream as issue #99 2 days ago, and I just
responded there, but filing it against Debian as this is affecting all
of the go-md2man reverse build dependencies, and there are many.

Cc'ing G. Branden Robinson and Colin Watson who have been super helpful
in mailing lists and related bug reports dealing with the fallout of the
groff 1.23.0 upload.

For the former issue,
  https://lists.debian.org/debian-devel/2023/08/msg00220.html
seems to include the fix.

For the latter issue, which is relatively harmless, I guess an easy
workaround is to remove \fC from the generated output. #1040975
(originally against perl/pod2man) #1041809 (against rst2man), #1043256
(against zip) seem to provide some additional context and solutions.

Regards,
Faidon

Bug#1047718: liblld-X-dev should probably depend on zlib1g-dev/libzstd-dev

[Faidon Liambotis]

Package: liblld-16-dev
Version: 1:16.0.6-10
Severity: normal

WasmEdge 0.13.3+dfsg-1 currently FTBFS on Ubuntu, but not Debian. It
build-depends on liblld-dev, which apparently defaults to 16 in Ubuntu,
but 14 (still) in Debian.

An example build log is:
https://launchpadlibrarian.net/681416533/buildlog_ubuntu-mantic-amd64.wasmedge_0.13.3+dfsg-1_BUILDING.txt.gz

The relevant snippet seems to be:
-- Found assembler: /usr/bin/as
-- Configuring done (3.1s)
CMake Error at /usr/lib/llvm-16/lib/cmake/lld/LLDTargets.cmake:88 
(set_target_properties):
  The link interface of target "lldELF" contains:

zstd::libzstd_shared

  but the target was not found.  Possible reasons include:

* There is a typo in the target name.
* A find_package call is missing for an IMPORTED target.
* An ALIAS target is missing.

Call Stack (most recent call first):
  /usr/lib/llvm-16/lib/cmake/lld/LLDConfig.cmake:19 (include)
  lib/aot/CMakeLists.txt:11 (find_package)

I think that's because of this:
$ grep -B 1 zstd /usr/lib/llvm-16/lib/cmake/lld/LLDTargets.cmake
set_target_properties(lldELF PROPERTIES
  INTERFACE_LINK_LIBRARIES "lldCommon;ZLIB::ZLIB;zstd::libzstd_shared;LLVM"

While on 14:
$ grep -A 1 "lldELF PROPERTIES" 
/usr/lib/llvm-14/lib/cmake/lld/LLDTargets.cmake 
set_target_properties(lldELF PROPERTIES
  INTERFACE_LINK_LIBRARIES "lldCommon;ZLIB::ZLIB;LLVM"

I guess liblld-X-dev X >= 16 should depend on libzstd-dev, and while at
it, liblld-Y-dev Y >= 14 should depend on zlib1g-dev?

Thanks!
Faidon

Bug#1043530: Please ship uasyncio and mip

[Faidon Liambotis]

Source: micropython
Version: 1.19.1+ds-1
Severity: normal

uasyncio is extremely useful in MicroPython programs in my experience,
as it allows for concurrency in environments where there may be
otherwise limited (no threads etc.). It's been supported by MicroPython
for a while, and I see in upstream's git master that it's has been
recently renamed to "asyncio", as it's considered close enough to
CPython.

While the upstream Unix port enables (u)asyncio by default, the Debian
MicroPython builds do not ship with it. I also checked with 1.20.0+ds-1,
as found in salsa.

I believe this is because this is enabled by
  ports/unix/variants/standard/manifest.py
Manifets are disabled in the Debian builds by building with
FROZEN_MANIFEST=.

Removing FROZEN_MANIFEST= from d/rules resulted in the build system
complaining about the omission of micropython-lib. Extracting the
official 1.20 micropython-lib tarball to lib/micropython-lib, however,
made the build work:
   MicroPython v1.20.0+ds-1 on 2023-08-07; linux [GCC 13.2.0] version
   Use Ctrl-D to exit, Ctrl-E for paste mode
   >>> import uasyncio
   >>>

So the solution here is a bit more involved: it requires shipping
micropython-lib, for example leveraging multiple tarball support and
gbp-import-orig's component support.

On that matter, the build above also enabled "mip", the new package
manager and flagship feature of v1.20:
   >>> import mip
   >>>
(There are some mbedTLS DEBUG messages being emitted when fetching from
e.g. GitHub, that I haven't tracked down yet, but that's getting a
little offtopic.)

Given the deviation from the upstream default, and how core these
features are, I'm marking this as "normal", rather than "wishlist". But
up to you :)

Thanks for your work in maintaining MicroPython!

Best,
Faidon

Bug#1043330: tox: please make the build reproducible

[Faidon Liambotis]

Control: tags -1 pending

Hi Chris,

On Wed, Aug 09, 2023 at 09:16:05AM +0100, Chris Lamb wrote:
> This is because:
> 
> a) The documentation embeded the current build date via the copyright
> year and a "last updated" timestamp. The attached patch changes this
> to use SOURCE_DATE_EPOCH if available.

I fixed this upstream a while ago:
https://github.com/tox-dev/tox/pull/2941

> b) The default value for the --hashset argument (a random integer) was
> encoded into the documentation. As this value was nondeterminstic, a
> fresh value is inserted into the documentation on each build. This in
> turn makes the package unreproducible. The attached patch changes this
> to use the Pythonic "default=None … if default is None" pattern (NB.
> this is distinct from the "notset" value, which, incidentally, is
> typod in the --help text.)

I've been working for this for a while, and we actually resolved it with
upstream just this week! See:
https://github.com/tox-dev/tox/issues/2942
https://github.com/tox-dev/tox/pull/3076

The history/current status is: I uploaded 4.4.6-1 to experimental before
the freeze, as it's a major release breaking reverse dependencies. I
noticed the FTBR and tried to fix them upstream in the meantime.

4.4.6 is quite a bit outdated by now. Stefano Rivera is kindly helping
with bringing tox 4 to sid/trixie (see #1035635 for the thread with the
release team) and while doing so (understandably) opted into not
updating to a new upstream version.

I have a new upstream release staged locally, building reproducibly, but
not interfering with the tox 4 transition (as led by Stefano). Once the
transition is over, I'll upload 4.7.0 (or later) to unstable, which
should resolve this reproducibility issues -- and hopefully not
introduce new ones :)

Thanks!
Faidon

Bug#1025165: No opus transcoding available after asterisk install

[Faidon Liambotis]

Hi Jonas,

On Thu, May 04, 2023 at 01:43:33PM +0300, Faidon Liambotis wrote:
> Control: found -1 1:20.2.1~dfsg+~cs6.13.40431413-1
> Control: tags -1 patch
> 
> On Wed, Nov 30, 2022 at 04:18:24PM +0100, IB Development Team wrote:
> > Package: asterisk
> > Version: 1:16.28.0~dfsg-0+deb10u1
> > 
> > In clean Debian 10 after
> > 
> >     apt-get install asterisk
> > 
> > internal opus codec seems to be available in 'core show codecs' but not in
> > 'core show translation' and transcoding with opus does not work; same in
> > Debian 11 and asterisk 1:16.28.0~dfsg-0+deb11u1.
> 
> I believe the reason is that codec_opus_open_source.so is not shipped,
> due to it not being built.
> 
> Adding "ADDONS_ENABLE += codec_opus_open_source" to debian/rules (e.g.
> near the other ADDONS_ENABLE lines) addresses this issue. I've verified
> that "core show translation" shows opus in the matrix after that. I'm
> not sure why menuselect doesn't enable it by default.
> 
> Separately, it looks like there is a patch (2015_opus.patch) to add
> libopusenc detection, used conditionally -if found- by the module
> format_ogg_opus_open_source. However, libopusenc-dev is not in
> Build-Depends. I've verified that the (already patched) build system
> picks it up if I add it, and shlibs etc. are added.

I saw you've made a couple of uploads since my response, so it looks
like the package is maintained (which is great news - thanks for that!).

It may not have been clear from the verbosity of my response, but the
fix for this bug is one line in debian/rules, and optionally another one
line (an addition to Build-Depends) for the related format_ogg issue.

would it be possible for you to have a quick look at this and thus
resolve this bug?

Thanks!
Faidon

Bug#1032092: asterisk: CVE-2022-23537 CVE-2022-23547 CVE-2022-39269

[Faidon Liambotis]

Dear maintainer, security team,

(See #1036697 for a similar bug with an almost equivalent response)

The changelog for the asterisk 1:20.4.0~dfsg+~cs6.13.40431414-1 upload
dated 2023-08-04, currently in unstable, mentions:
>+ fixate component pjproject at upstream release 2.13.1

The sources seem to indeed indicate that the version shipped for
pjproject (aka PJSIP) is 2.13.1, which seems to have resolved the
vulnerabilities listed below. 

Specifically:

On Mon, Feb 27, 2023 at 08:48:36PM +0100, Moritz Mühlenhoff wrote:
> CVE-2022-23537[0]:
> | PJSIP is a free and open source multimedia communication library
> | written in C language implementing standard based protocols such as
> | SIP, SDP, RTP, STUN, TURN, and ICE. Buffer overread is possible when
> | parsing a specially crafted STUN message with unknown attribute. The
> | vulnerability affects applications that uses STUN including PJNATH and
> | PJSUA-LIB. The patch is available as a commit in the master branch
> | (2.13.1).
> 
> https://github.com/pjsip/pjproject/security/advisories/GHSA-9pfh-r8x4-w26w
> https://github.com/pjsip/pjproject/commit/d8440f4d711a654b511f50f79c0445b26f9dd1e1

Upstream says "Patched versions: 2.13.1" in the GitHub GHSA URL above.

> CVE-2022-23547[1]:
> | PJSIP is a free and open source multimedia communication library
> | written in C language implementing standard based protocols such as
> | SIP, SDP, RTP, STUN, TURN, and ICE. This issue is similar to
> | GHSA-9pfh-r8x4-w26w. Possible buffer overread when parsing a certain
> | STUN message. The vulnerability affects applications that uses STUN
> | including PJNATH and PJSUA-LIB. The patch is available as commit in
> | the master branch.
> 
> https://github.com/pjsip/pjproject/security/advisories/GHSA-cxwq-5g9x-x7fr
> https://github.com/pjsip/pjproject/commit/bc4812d31a67d5e2f973fbfaf950d6118226cf36

Upstream says "Patched versions: 2.13.1" in the GitHub GHSA URL above.

> CVE-2022-39269[2]:
> | PJSIP is a free and open source multimedia communication library
> | written in C. When processing certain packets, PJSIP may incorrectly
> | switch from using SRTP media transport to using basic RTP upon SRTP
> | restart, causing the media to be sent insecurely. The vulnerability
> | impacts all PJSIP users that use SRTP. The patch is available as
> | commit d2acb9a in the master branch of the project and will be
> | included in version 2.13. Users are advised to manually patch or to
> | upgrade. There are no known workarounds for this vulnerability.
> 
> https://github.com/pjsip/pjproject/security/advisories/GHSA-wx5m-cj97-4wwg
> https://github.com/pjsip/pjproject/commit/d2acb9af4e27b5ba75d658690406cec9c274c5cc

Upstream says "Patched versions: 2.13" in the GitHub GHSA URL above.

> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> [...]
>
> Please adjust the affected versions in the BTS as needed.

As I'm neither the maintainer nor in the security team, I'm leaving
these actions to you. Hopefully simple enough, once you confirm my
findings :)

Regards,
Faidon

Bug#1036697: asterisk: CVE-2023-27585

[Faidon Liambotis]

Dear maintainer, security team,

(See #1032092 for a similar bug with an almost equivalent response)

The changelog for the asterisk 1:20.4.0~dfsg+~cs6.13.40431414-1 upload
dated 2023-08-04, currently in unstable, mentions:
>+ fixate component pjproject at upstream release 2.13.1

The sources seem to indeed indicate that the version shipped for
pjproject (aka PJSIP) is 2.13.1, which seems to have resolved the
vulnerabilities listed below.

Specifically:

On Wed, May 24, 2023 at 02:51:41PM +0200, Moritz Mühlenhoff wrote:
> CVE-2023-27585[0]:
> | PJSIP is a free and open source multimedia communication library
> | written in C. A buffer overflow vulnerability in versions 2.13 and
> | prior affects applications that use PJSIP DNS resolver. It doesn't
> | affect PJSIP users who do not utilise PJSIP DNS resolver. This
> | vulnerability is related to CVE-2022-24793. The difference is that
> | this issue is in parsing the query record `parse_query()`, while the
> | issue in CVE-2022-24793 is in `parse_rr()`. A patch is available as
> | commit `d1c5e4d` in the `master` branch. A workaround is to disable
> | DNS resolution in PJSIP config (by setting `nameserver_count` to zero)
> | or use an external resolver implementation instead.
> 
> https://github.com/pjsip/pjproject/security/advisories/GHSA-q9cp-8wcq-7pfr
> https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4
> https://github.com/pjsip/pjproject/commit/d1c5e4da5bae7f220bc30719888bb389c905c0c5

Upstream says "Patched versions: 2.13.1" in the first GitHub GHSA URL
above (for CVE-2023-27585), and "Patched versions: 2.12.1 or later" for
the second one (for CVE-2022-24793).

> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> [...]
> 
> Please adjust the affected versions in the BTS as needed.

As I'm neither the maintainer nor in the security team, I'm leaving
these actions to you. Hopefully simple enough, once you confirm my
findings :)

Regards,
Faidon

Bug#1042193: wasmedge: FTBFS: ld: ../../lib/api/libwasmedge.so.0.0.3: undefined reference to `WasmEdge::Fault::emitFault(WasmEdge::ErrCode)'

[Faidon Liambotis]

Control: forwarded -1 https://github.com/WasmEdge/WasmEdge/issues/2695
Control: tags -1 + patch

On Wed, Jul 26, 2023 at 09:50:12PM +0200, Lucas Nussbaum wrote:
> During a rebuild of all packages in sid, your package failed to build
> on amd64.
> 
> 
> Relevant part (hopefully):
> > /usr/bin/c++ -g -O2 -ffile-prefix-map=/<>=. 
> > -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time 
> > -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -Wl,--export-dynamic -rdynamic 
> > CMakeFiles/wasmedge.dir/wasmedge.cpp.o -o wasmedge  
> > -Wl,-rpath,"\$ORIGIN/../../lib/api::" 
> > ../../lib/api/libwasmedge.so.0.0.3 
> > /usr/lib/x86_64-linux-gnu/libspdlog.so.1.10.0 
> > /usr/lib/x86_64-linux-gnu/libfmt.so.9.1.0 
> > /usr/bin/ld: ../../lib/api/libwasmedge.so.0.0.3: undefined reference to 
> > `WasmEdge::Fault::emitFault(WasmEdge::ErrCode)'
> > collect2: error: ld returned 1 exit status

Thanks Lucas, that's super helpful!

I tracked down the trigger to the gcc-12 -> gcc-13 migration. I think
I've tracked down the root cause as well, and reported a one-line fix to
the upstream issue above. I'll give upstream a couple of days to
validate my assumptions before I make an upload.

Regards,
Faidon

Bug#1042337: gdnsd: FTBFS: dh_auto_test: error: make -j8 test "TESTSUITEFLAGS=-j8 --verbose" VERBOSE=1 returned exit code 2

[Faidon Liambotis]

Control: forwarded -1 https://github.com/gdnsd/gdnsd/issues/236

On Wed, Jul 26, 2023 at 10:20:11PM +0200, Lucas Nussbaum wrote:
> During a rebuild of all packages in sid, your package failed to build
> on amd64.

Thanks Lucas. I had noticed that already and have been trying to figure
out a fix for it, as seen by the upstream issue above.

FTR, this is caused by a recent upload of Net::DNS, which I had al
Net::DNS minor releases breaking gdnsd's test suite has been a bit of a
pattern. https://github.com/gdnsd/gdnsd/pull/229 was a similar issue
that happened during the bookworm lifecycle.

I'll give it another go; if I'm unable to track it down, I may just turn
off "make check" entirely :(

Thanks,
Faidon

Bug#1041463: ITP: rust-wasmtime -- cross-platform engine for running WebAssembly programs

[Faidon Liambotis]

On Wed, Jul 19, 2023 at 06:41:54PM +0200, Jonas Smedegaard wrote:
> > > This is a pseudo-ITP: The source package is already maintained for the
> > > subset covering core Cranelift crates, since they are part of same
> > > monorepo. The intent tracked here is extending that source package to
> > > provide binary packages librust-wasmtime* which involves additional
> > > dependencies unneeded for Cranelift.
> > 
> > I'm not sure what you mean by that -- what is already maintained? 
> 
> Whoops, I had it in mind but evidently forgot to mention it: I mean the
> packaging effort tracked as ITP bug#1041434 (and now in NEW queue).

Ah! It makes sense now, thanks :)

> > Also, are you planning to package wasmtime, as in the CLI, itself? I
> > believe this exists on the same upstream/source tree as the language
> > bindings that you're proposing here?
> 
> I mean both the Rust crates and the command-line tool.
> 
> You are right, both are part of same monorepo.

Awesome!

> > > Please shout if there is need for wasmtime, and especially if there is
> > > interest in helping get the needed dependencies packaged.
> > 
> > I don't have the bandwidth to help packaging wasmtime. However, I do
> > maintain another popular WebAssembly runtime, WasmEdge, and last year I
> > contributed a few changes to the Debian LLVM packages
> > (src:llvm-project-14 and friends) with regards to WebAssembly support,
> > and so you could say I'm interested with helping in bringing more parts
> > of the WebAssembly ecosystem in Debian :) I'm also interested in
> > opportunities to help each other, and in the relevant packages working
> > well with each other and/or providing a unified experience. Let me know
> > if you can think of any such ways.
> 
> I don't have a special interest in WebAssembly (yet) - my packaging
> efforts here is targeted packaging of swt (bug#991761).  That work also
> involves packaging (again only a subset of crates initially for) wasmer.

Wasmer too? That's even better :)

Good luck!

Faidon

Bug#1041463: ITP: rust-wasmtime -- cross-platform engine for running WebAssembly programs

[Faidon Liambotis]

On Wed, Jul 19, 2023 at 10:56:32AM +0200, Jonas Smedegaard wrote:
>  rust-wasmtime is the Rust embedding API for the Wasmtime project:
>  a cross-platform engine for running WebAssembly programs.
> 
> This is a pseudo-ITP: The source package is already maintained for the
> subset covering core Cranelift crates, since they are part of same
> monorepo. The intent tracked here is extending that source package to
> provide binary packages librust-wasmtime* which involves additional
> dependencies unneeded for Cranelift.

I'm not sure what you mean by that -- what is already maintained? 

Also, are you planning to package wasmtime, as in the CLI, itself? I
believe this exists on the same upstream/source tree as the language
bindings that you're proposing here?

> Please shout if there is need for wasmtime, and especially if there is
> interest in helping get the needed dependencies packaged.

I don't have the bandwidth to help packaging wasmtime. However, I do
maintain another popular WebAssembly runtime, WasmEdge, and last year I
contributed a few changes to the Debian LLVM packages
(src:llvm-project-14 and friends) with regards to WebAssembly support,
and so you could say I'm interested with helping in bringing more parts
of the WebAssembly ecosystem in Debian :) I'm also interested in
opportunities to help each other, and in the relevant packages working
well with each other and/or providing a unified experience. Let me know
if you can think of any such ways.

On that note, you may be interested in (and/or subscribing to) #1033322.

Regards,
Faidon

Bug#1034590: precedence of /etc/containers/storage.conf should higher than /usr/share/containers/storage.conf

[Faidon Liambotis]

Control: tags -1 moreinfo

On Wed, Apr 19, 2023 at 09:24:21AM +0800, 鐘翊修 wrote:
> following man 5 containers-storage.conf,
> when a system have both /etc/containers/storage.conf and 
> /usr/share/containers/storage.conf
> 
> the values in /etc/containers/storage.conf overwrite the value in 
> /usr/share/containers/storage.conf
> 
> But in 4.4.0+ds1-1. with both files, podman takes the config from 
> /usr/share/containers/stroage.conf
> 
> To reproduce this
> 
> Create podman graph database on podman 4.3.1 with btrfs (config in 
> /etc/containers/storage.conf)
> 
> upgrade from 4.3.1 to 4.4.0
> 
> run the following command
> 
> sudo podman info
> 
> expected error message
> 
> User-selected graph driver \"overlay\" overwritten by graph driver \"btrfs\" 
> from database

I'm not sure I follow. Could you elaborate on the exact steps you took?
Do you mean that you expected to get this error message but didn't, or
that you got that error message even though you shouldn't have?

Are you aware that you need to run "podman system reset" before changing
storage.conf? See podman-system-reset(1).

Thanks,
Faidon

Bug#1037091: podman run fails because of missing ~/.config/docker/config.json

[Faidon Liambotis]

On Sun, Jun 04, 2023 at 02:52:56PM +0200, Felix Stupp wrote:
> the current version of podman does not allow me to run any container due
> to the following error message:
> Error: stat /home/$USER/.config/docker/config.json: no such file or directory
> 
> I can trigger this issue with a simple: podman run debian
> However, what container I try to run seems not to matter.
> 
> [...]
>
> However, it still seems at least weird to me, that podman requires (not
> just reads optionally) a config file which is in Docker's config dir.

That is indeed weird. Is there any config (either in your .config,
or in /etc) that has been modified in your system?

For example, do you perhaps have a registry configured, and one that
requires a login? An unqualified "podman run debian" could try to
resolve this to your local registry, which in turn may require a login,
which implicitly calls "podman login", which in turn attempts to read
from a variety of config paths, including $HOME/.docker/config.json.

Regards,
Faidon

Bug#1041050: Downgrade or remove fuse-overlayfs Recommends

[Faidon Liambotis]

Package: podman
Version: 4.3.1+ds1-8+b1
Severity: minor

Linux 5.13+ (so Debian stable+) added user namespace support to
overlayfs. Podman can leverage that and use overlayfs in rootless
containers, which results into performance benefits compared to
fuse-overlayfs.

See this older RedHat article for more:
https://www.redhat.com/sysadmin/podman-rootless-overlay

As such, I don't think it makes sense for podman to Recommends:
fuse-overlayfs anymore.  At best it should be a Suggests, if not dropped
entirely. What do you think?

Regards,
Faidon

Bug#1025165: No opus transcoding available after asterisk install

[Faidon Liambotis]

Control: found -1 1:20.2.1~dfsg+~cs6.13.40431413-1
Control: tags -1 patch

On Wed, Nov 30, 2022 at 04:18:24PM +0100, IB Development Team wrote:
> Package: asterisk
> Version: 1:16.28.0~dfsg-0+deb10u1
> 
> In clean Debian 10 after
> 
>     apt-get install asterisk
> 
> internal opus codec seems to be available in 'core show codecs' but not in
> 'core show translation' and transcoding with opus does not work; same in
> Debian 11 and asterisk 1:16.28.0~dfsg-0+deb11u1.

I believe the reason is that codec_opus_open_source.so is not shipped,
due to it not being built.

Adding "ADDONS_ENABLE += codec_opus_open_source" to debian/rules (e.g.
near the other ADDONS_ENABLE lines) addresses this issue. I've verified
that "core show translation" shows opus in the matrix after that. I'm
not sure why menuselect doesn't enable it by default.

Separately, it looks like there is a patch (2015_opus.patch) to add
libopusenc detection, used conditionally -if found- by the module
format_ogg_opus_open_source. However, libopusenc-dev is not in
Build-Depends. I've verified that the (already patched) build system
picks it up if I add it, and shlibs etc. are added.

Thanks,
Faidon

Bug#1001793: mate-terminal: Wrong context menu font when using libvte-2.91-0[-common] 0.66.1-1 or 0.66.2-1

[Faidon Liambotis]

On Thu, Apr 13, 2023 at 04:43:54PM +, Mike Gabriel wrote:
> > This seems to be upstream bug #407 fixed with upstream git commit
> > 52fa45d4ca35e6be11ddee818eac84b768f15e22:
> > https://github.com/mate-desktop/mate-terminal/commit/52fa45d4ca35e6be11ddee818eac84b768f15e22
> > 
> > This was reported against Ubuntu with LP #1955505, and fixed in
> > 1.26.0-1ubuntu2, with a backport of the aforementioned patch:
> > https://git.launchpad.net/ubuntu/+source/mate-terminal/commit/?id=a0d6e4951b3443ba849be12397cc02136e62b8d6
> > 
> > The fix seems to be, thankfully, a trivial one-liner :)
> 
> Tagging with patch tag.
> 
> Thanks for this! Will do an upload soonish.

Any news regarding this? The full freeze is approaching very quickly :)

Thanks!
Faidon

Bug#1001793: mate-terminal: Wrong context menu font when using libvte-2.91-0[-common] 0.66.1-1 or 0.66.2-1

[Faidon Liambotis]

Control: tags -1 upstream
Control: forwarded -1 https://github.com/mate-desktop/mate-terminal/issues/407

On Wed, Apr 12, 2023 at 10:37:19AM +0300, Faidon Liambotis wrote:
> On Thu, Dec 16, 2021 at 12:29:48PM +0100, Jasmin68k wrote:
> > Using Debian sid, running apt-get upgrade, which installed
> > libvte-2.91-0 and libvte-2.91-common 0.66.1-1.  After that, the
> > context (right-click) menu font in mate-terminal became monospace,
> > probably the same system wide monospace font, mate-terminal is using
> > for terminal output, instead of the regular system wide application
> > font.
> 
> This seems like a pretty serious UX issue. It also seems this was
> reported against Ubuntu, and fixed there with 1.26.0-1ubuntu2.
 
To add to this:

This seems to be upstream bug #407 fixed with upstream git commit
52fa45d4ca35e6be11ddee818eac84b768f15e22:
https://github.com/mate-desktop/mate-terminal/commit/52fa45d4ca35e6be11ddee818eac84b768f15e22

This was reported against Ubuntu with LP #1955505, and fixed in
1.26.0-1ubuntu2, with a backport of the aforementioned patch:
https://git.launchpad.net/ubuntu/+source/mate-terminal/commit/?id=a0d6e4951b3443ba849be12397cc02136e62b8d6

The fix seems to be, thankfully, a trivial one-liner :)

Faidon

Bug#1001793: mate-terminal: Wrong context menu font when using libvte-2.91-0[-common] 0.66.1-1 or 0.66.2-1

[Faidon Liambotis]

On Thu, Dec 16, 2021 at 12:29:48PM +0100, Jasmin68k wrote:
> Using Debian sid, running apt-get upgrade, which installed
> libvte-2.91-0 and libvte-2.91-common 0.66.1-1.  After that, the
> context (right-click) menu font in mate-terminal became monospace,
> probably the same system wide monospace font, mate-terminal is using
> for terminal output, instead of the regular system wide application
> font.

This seems like a pretty serious UX issue. It also seems this was
reported against Ubuntu, and fixed there with 1.26.0-1ubuntu2.

IMHO the fix for this should make it to bookworm. Happy to do an NMU
with the Ubuntu patch if that's the maintainers lack the time or so
desire.

Thanks,
Faidon

Bug#782007: criu: Split up binary packages

[Faidon Liambotis]

On Sun, Apr 09, 2023 at 09:08:09AM +0200, Salvatore Bonaccorso wrote:
> > I submitted an MR implementing this:
> > https://salsa.debian.org/debian/criu/-/merge_requests/3
> > 
> > Looking forward to your review!
> 
> Thanks for doing the work, I will have a look but any such change will
> happen only after the bookworm release.

Of course! If you have some spare cycles to review this during the
freeze, it'd be neat if we could stage it in experimental (and cross
through NEW now that things are relatively quiet :). That way I could
also move up the stack and test crun against libcriu in experimental as
well.

Thanks for the quick response regardless!

Best,
Faidon

Bug#1034118: unblock: lowdown/1.0.0-2

[Faidon Liambotis]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package lowdown, a key package, through:
  bind9 -> libmaxminddb -> lowdown

[ Reason ]
lowdown is a Markdown to HTML/roff/LaTeX/etc. translator. A regression
was introduced at some point where the -Tman (manpage) output used a
roff macro that is not present in the "man" package but in the "ms"
package. I reported this upstream[1], and it was subsequently fixed[2].

This is a bookworm-targeted backport of that specific upstream commit,
that applies cleanly as-is.

1: https://github.com/kristapsdz/lowdown/issues/111
2: 
https://github.com/kristapsdz/lowdown/commit/02491bf4ae2a39df2dfed10382512449a5b3262f

[ Impact ]
The output difference is minor from a visual standpoint, e.g.
   OPTIONS
  -batch_size __
  -  Maximum  number  of  entries to request per call to 
get-entries.
  -  You should not generally need to change this. Defaults to 1000.
  +Maximum number of entries to request per call to get-entries.  
You
  +should not generally need to change this. Defaults to 1000.

However, the roff output is technically invalid.

In Debian, this manifests in reverse build-dependencies that are using
lowdown to generate their manpage to emit lintian warnings, e.g.:
W: certspotter: groff-message 29: warning: macro 'PI' not defined 
[usr/share/man/man8/certspotter-script.8.gz:1]
W: certspotter: groff-message 56: warning: macro 'PI' not defined 
[usr/share/man/man8/certspotter.8.gz:1]

There are three reverse build-dependencies in testing:
  1) src:libmaxminddb
  2) src:certspotter
  3) src:nix

Only the first two are using -Tman. I am the maintainer for both.
src:libmaxminddb was built with an pre-regression version of lowdown and
is not affected. It can be binNMUed, although not strictly necessary.

src:certspotter is affected and should probably be binNMUed, although as
explained, the visual impact is relatively minor.

[ Tests ]
Upstream has a comprehensive test suite that runs as part of the build.
The package also has autopkgtests that pass.

[ Risks ]
The code for the fix is trivial. The package is technically a key
package, but only as a reverse build-dep of another package, and is only
a B-D for three packages in total.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
debdiff attached; you can also find the git diff at:
https://salsa.debian.org/debian/lowdown/-/commit/0e2160bb23e194edc5c15c7772042857fd18f2f7

unblock lowdown/1.0.0-2

Also probably:

nmu certspotter_0.16.0-1 . ANY . unstable . -m "Rebuild with lowdown 1.0.0-2"

(but no idea how to ensure the ordering of those two, not fluent in
wanna-build)
diff -Nru lowdown-1.0.0/debian/changelog lowdown-1.0.0/debian/changelog
--- lowdown-1.0.0/debian/changelog  2023-01-07 06:52:41.0 +0200
+++ lowdown-1.0.0/debian/changelog  2023-04-09 03:39:15.0 +0300
@@ -1,3 +1,13 @@
+lowdown (1.0.0-2) unstable; urgency=medium
+
+  * Backport upstream patch to avoid the use of an -ms macro, PI, in the -Tman
+output. This addresses a man warning ("macro 'PI' not defined") which in
+turn is a lintian warning for packages using lowdown to generate their
+manpage(s).
+  * Bump Standards-Version to 4.6.2, no changes needed.
+
+ -- Faidon Liambotis   Sun, 09 Apr 2023 03:39:15 +0300
+
 lowdown (1.0.0-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru lowdown-1.0.0/debian/control lowdown-1.0.0/debian/control
--- lowdown-1.0.0/debian/control2023-01-07 04:49:43.0 +0200
+++ lowdown-1.0.0/debian/control2023-04-09 03:39:15.0 +0300
@@ -6,7 +6,7 @@
  libbsd-dev,
  libmd-dev,
  pkgconf | pkg-config,
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 Section: text
 Homepage: https://kristaps.bsd.lv/lowdown/
 Vcs-Browser: https://salsa.debian.org/debian/lowdown
diff -Nru lowdown-1.0.0/debian/patches/dont-use-PI-for-tman.patch 
lowdown-1.0.0/debian/patches/dont-use-PI-for-tman.patch
--- lowdown-1.0.0/debian/patches/dont-use-PI-for-tman.patch 1970-01-01 
02:00:00.0 +0200
+++ lowdown-1.0.0/debian/patches/dont-use-PI-for-tman.patch 2023-04-09 
03:38:19.0 +0300
@@ -0,0 +1,83 @@
+From: Kristaps Dz 
+Subject: [PATCH] Don't use \(PI for -tman: it doesn't exist.
+
+The \(PI register only exists for -ms macros.  Use the default value
+of 5n for this (for definition lists) when emitting for -tman.
+
+References #111
+
+Origin: upstream, 
https://github.com/kristapsdz/lowdown/commit/02491bf4ae2a39df2dfed10382512449a5b3262f
+Bug: https://github.com/kristapsdz/lowdown/issues/111
+Last-Update: 2023-04-09
+
+--- a/nroff.c
 b/nroff.c
+@@ -745,7 +745,8 @@ rndr_definition_title(struct bnodeq *obq
+ }
+ 
+ static int
+-rndr_definit

Bug#782007: criu: Split up binary packages

[Faidon Liambotis]

Control: tags -1 patch

On Mon, Apr 06, 2015 at 02:00:46PM +0200, Salvatore Bonaccorso wrote:
> I think it would make sense in meanwhile to split up the criu binary
> package (although still small) into multiple binary packages: E.g.
> criu, criu-dbg, libcriuX, libcriu-dev, python-criu.

I submitted an MR implementing this:
https://salsa.debian.org/debian/criu/-/merge_requests/3

Looking forward to your review!

Thanks,
Faidon

Bug#1009776: podman: Packages uidmap and slirp4netns should be full dependencies

[Faidon Liambotis]

On Fri, Aug 19, 2022 at 02:16:19PM +0200, Andrej Shadura wrote:
> > I have to respectfully disagree here. In Debian, "Recommends"
> > relationships are installed by default, and your message indicates to me
> > that you have configured your system to not install them. It furthermore
> > seems to me that this bug is asking for a convenience that is making
> > your non-standard setup easier, while making other setups where podman
> > is used only in 'root' mode, impossible to install without idmap and
> > friends.
> > I'm going to leave this bug open to remind myself to think about this
> > from time to time, but I still wanted to document my thinking process
> > here more clearly.
> 
> There’s another thing, which I mentioned but I should have made more clear.
> The upstream states the rootless mode is the main mode of operation, hence I
> think it should be available regardless of Recommends, don’t you think?
> 
> Also, from what I gathered talking to Debian and Ubuntu users of podman who
> are not DDs, many of them are frustrated by papercuts like this one, so in
> general I think the package should be made to work as effortlessly as
> possible. So even if the user hasn’t got Recommends installation enabled,
> podman should probably be packaged not to make them stumble upon this.

It's months later and this is a drive-by comment but:

First of all, I'd say that rootless is the main differentiator from
Docker, but far from being a "main mode". Podman works equally well in
rootless and rootful configurations, with the latter being the mode that
one would use as a 1:1 Docker replacement, or in production environment
scenarios where more performant or advanced network configurations are
required.

Second,  according to Policy § 7.2, "The Recommends field should list
packages that would be found together with this one in all but unusual
installations". If folks explicitly pass --no-install-recommends to apt
(or the equivalent preferences.d), then they get to keep the pieces when
things break; I wouldn't call that a papercut. The installation /is/
effortless out of the box, unless one decides that they want to do
something against the maintainer's recommendations, in which case they
should be able to, but with (a bit of) a price to pay.

Hard-Depending on dependencies that are not actually required in common
modes of operation, in this case e.g. servers using podman for
production services, doesn't serve our users -- it just forces
unnecessary cruft on their system, for little benefit to others.

Note that I'm not on a quest against rootless: a couple of years back,
on #987207, I argued to downgrade iptables from Depends to Recommends,
for the same reasosn but to the benefit of rootless users: to avoid the
cruft in rootless configurations :)

So I'm definitely +1 to mark this as wontfix, FWIW.

Best,
Faidon

Bug#1031109: bullseye-pu: package crun/0.17+dfsg-1+deb11u1

[Faidon Liambotis]

On Sat, Apr 01, 2023 at 08:24:57PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> Please go ahead; sorry for the delay.

Thanks for the review! Tagged and uploaded last night, and it's
currently in proposed-updates.

Faidon

Bug#1031716: python3-protobuf: Do reverse dependencies need stricter version constraints?

[Faidon Liambotis]

On Tue, Feb 21, 2023 at 02:23:34PM +0200, Adrian Bunk wrote:
> Looking at #1028371, should generated dependencies on python3-protobuf be
>   python3-protobuf (>= 3.21), python3-protobuf (<< 3.22)
> to ensure that the binary package is used with the same version
> as the protobuf-compiler used during the build?

I'm not the maintainer, but a drive-by contributor. I looked a bit into
this, given its RC severity. 

With my still somewhat limited understanding, a strict version alignment
between protobuf-compiler and python3-protobuf would probably resolve
this particular symptom, but the issues here seem to run deeper.

Specifically:
  * The protobuf project provides three different versions of Python
bindings: pure Python, C++, and libupb-based[1]. These are
selectable using the PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION
environment variable.

  * Debian's python3-protobuf, from src:protobuf, ships the pure Python
version, as well as the C++ bindings. The default implementation in
Debian is "cpp".

  * The upb implementation is not included in src:protobuf, but in the
upb upstream source[2], i.e. what is src:upb in Debian, even though
the snapshot we have in Debian does not contain sources to Python
bindings.

  * Upstream has switched the default implementation to "upb", and
deprecated the "cpp" implementation. There is, in fact, no way for
one to fetch the "cpp" version from PyPI. This is documented
extensively in their May 2022 release notes[3]. However, Debian
still ships, and defaults to, cpp, a major departure from upstream. 

  * Relatedly, when they made that switch, they also made changes to
their versioning scheme, disconnecting the Python library's version
from the source version. As a result, the Python API (both upb, as
well as pure Python), is now versioned at "4.21", rather than
"3.21". The Debian binary package python3-protobuf is versioned as
"3.21.12-1", which is not a version that exists, or will ever exist,
upstream. That binary package in fact, is shipping an egg named
protobuf-4.21.12.egg-info. (This is all also well documented in their
release notes[3]).

  * Finally, in the same release notes document[3], they also state:
"Python upb requires generated code that has been generated from
protoc 3.19.0 or newer.". 

Indeed, if one fetches protobuf 4.21 from PyPI, and runs:
  python3 -c 'import bernhard'
or
  PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=upb python3 -c 'import bernhard'

...a traceback message is emitted, but a much more informative one:
> TypeError: Descriptors cannot not be created directly.
>
> If this call came from a _pb2.py file, your generated code is out of
> date and must be regenerated with protoc >= 3.19.0.
>
> If you cannot immediately regenerate your protos, some other possible 
workarounds are:
> 1. Downgrade the protobuf package to 3.20.x or lower.
> 2. Set PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python (but this will
> use pure-Python parsing and will be much slower).
>
> More information: 
https://developers.google.com/protocol-buffers/docs/news/2022-05-06#python-updates
  
  * The release notes specifically mention "upb" requiring protoc
(protobuf-compiler) >= 3.19, but not "cpp". However, as established
above, "cpp" is deprecated and not used by anyone (but Debian), and
therefore they either meant "the non-Pure-Python implementation"
there, or did not pay as much attention to forward- and
backwards-compatibility, or informative error messages for their
deprecated backend. It's likely, but not entirely clear, that the
protoc dependency requirement is >= 3.19 here as well.

  * Finally note that the 3.21.12-1+b2 Python implementation still works
with python3-bernhard, Built-Using:  protobuf-compiler (= 3.12.4-1+b3):
  PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python python3 -c 'import bernhard'

All in all: it's almost certainly necessary to make the dependency
tighter, to something like >= 3.19, if not tight to = 3.21.

I still feel uneasy about Debian shipping a version of python3-protobuf
that includes, and defaults to, an implementation that is deprecated
upstream (and on top of it, is misversioned). I'm not sure what to make
of this so late in the release cycle, though.

For trixie the path forward is probably something along the lines of
updating src:upb to a newer upstream, building the upb-based extension
as python3-protobuf-upb, and then changing src:protobuf to not build the
cpp extension, make python3-protobuf Arch: all, and then Recommend (or
Depend) on python3-protobuf-upb as the native/fast implementation.

Faidon

1: https://github.com/protocolbuffers/protobuf/tree/main/python
2: https://github.com/protocolbuffers/upb/tree/main/python
3: https://protobuf.dev/news/2022-05-06/

Bug#1033322: Please create a new WebAssembly section

[Faidon Liambotis]

Package: ftp.debian.org
Severity: wishlist

I'm about to upload WasmEdge (ITP #1003128), a WebAssembly runtime.

The "wasmedge" binary package is the runtime (think JRE in Java terms),
so Section: devel is not very appropriate. I've set the source package
and the wasmedge package to Section: web for the time being, but that
doesn't feel like a complete match either.

WebAssembly[1] is an entire ecosystem, and especially with efforts such
as WASI[2] it now operates outside the confines of browsers and the web.

I think it'd be valuable to have a Section: webassembly, so that
runtimes and other software that are not strictly for development
purposes can fit in.

Thanks for the consideration,
Faidon

1: https://en.wikipedia.org/wiki/WebAssembly
2: https://wasi.dev/

Bug#1030983: gdnsd may FTBFS on 32-bit platforms, e.g. on hppa

[Faidon Liambotis]

Hi Helge,

On Mon, Feb 27, 2023 at 11:08:23PM +0200, Faidon Liambotis wrote:
> What would you like to do with this bug? Would you like to file a bug
> against libev and mark this bug as blocked by the libev one? Or
> alternatively I can mark as wontfix and resolve?

Friendly bump on this! I'd just like to agree on next steps while we
have this in our recent memory :)

Thanks,
Faidon

Bug#1033103: superficial-tests: false positive when both Testsuite + d/t/control are used

[Faidon Liambotis]

On Fri, Mar 17, 2023 at 01:53:00PM +0200, Faidon Liambotis wrote:
> Indeed, autodep8 generates a file that has the manual tests combined
> with a pybuild-autopkgtest one. The pybuild-autopkgtest one is *not*
> marked as as superficial[1], as evident by the autodep8 output.
>
> 1: Debatable in this particular package, but besides the main point.

In case you go looking at the package to reproduce, note that in the
final upload to experimental I added extra_restrictions=superficial to
debian/tests/autopkgtest-pkg-pybuild.conf, so the autodep8 test will now
also be marked as superficial. In this case the lintian warning is
appropriate.

The bug however stands (it's present when autopkgtest-pkg-pybuild.conf
is not present). It can be reproduced by:
  apt source esptool=4.5.1+dfsg-0.1
  cd esptool*
  rm debian/tests/autopkgtest-pkg-pybuild.conf
  autodep8  # should list a d/t/control with a non-superficial test
  dpkg-buildpackage -S
  lintian ../esptool*dsc

Faidon

Bug#1033103: superficial-tests: false positive when both Testsuite + d/t/control are used

[Faidon Liambotis]

Source: lintian
Version: 2.116.3
Severity: normal

In the experimental branch of src:esptool, I've defined the following:
  * Testsuite: autopkgtest-pkg-pybuild in debian/control, to test the
Python module. 
  * Three superficial tests in debian/tests/control to test the CLI
tools using --help.

TTBOMK this is valid configuration. autodep8(1) has a section titled
"COMBINING AUTO-GENERATED TESTS WITH MANUALLY SPECIFIED ONES" to cover
this use case.

Indeed, autodep8 generates a file that has the manual tests combined
with a pybuild-autopkgtest one. The pybuild-autopkgtest one is *not*
marked as as superficial[1], as evident by the autodep8 output.

As another piece of evidence, autopkgtest reports:
  autopkgtest [13:39:27]:  summary
  smoke-esptoolPASS (superficial)
  smoke-espefuse   PASS (superficial)
  smoke-espsecure  PASS (superficial)
  pybuild-autopkgtest  PASS

However, lintian is warning about "superficial-tests", and says "The
source package declares tests in the debian/tests/control file but
provides only tests with a superficial restriction.".

It looks to me like a lintian bug, but let me know if I've misunderstood
something.

Regards,
Faidon

1: Debatable in this particular package, but besides the main point.

Bug#1032587: UDD's upstream_metadata table may contain stale data?

[Faidon Liambotis]

On Tue, Mar 14, 2023 at 06:42:36PM +0100, Andreas Tille wrote:
> Thanks a lot for your bug report.  I realised some cron job gathering
> upstream metadata files (and other machine readable files) is crashing
> at some point in time.  I need to check this and can't promise anything
> but its really good you filed this bug report since the crash seems to
> happen later than those packages I'm watching closely and thus I did
> not noticed.

Thanks Andreas! Is the code and/or logs for this cronjob somewhere I can
access myself? Perhaps I could have a look myself and help you out?

Faidon

Bug#1032057: pyproject-api: please make the build reproducible

[Faidon Liambotis]

On Sat, Mar 04, 2023 at 01:17:55PM +0200, Faidon Liambotis wrote:
> I checked the Sphinx source code, and it looks like the string is used
> in prepare_writing() from builders/html/__init__.py, which in turn
> passes it on as an argument to format_date() from util/i18n.py. It looks
> like format_date() has support for SOURCE_DATE_EPOCH.
> 
> So from what I can tell, a much simpler patch would be to set
> html_last_updated_fmt to "%Y-%m-%dT%H:%M:%S.%f" for the equivalent ISO
> 8601 string (or even something with less accuracy) -- no need to fiddle
> with the datetime module, or SOURCE_DATE_EPOCH at all.

I submitted a PR and fixed this issue upstream in both pyproject-api and
tox. The former was included in the 1.5.1 release, which I'll upload
shortly.

Regards,
Faidon

Bug#1032317: libc++-15-dev: after installing libc++-15-dev, wasi-wasm32 stddef.h stops declaring size_t

[Faidon Liambotis]

On Thu, Mar 09, 2023 at 08:09:38PM +0200, Faidon Liambotis wrote:
> I pushed this as an MR against the 15 branch:
>   https://salsa.debian.org/pkg-llvm-team/llvm-toolchain/-/merge_requests/113
> (I don't have access to push directly -- and that's totally fine :)
> 
> I also kicked off a test build on barriere, which will take a few hours.
> I'll let folks now if it succeeds.

I cherry-picked MR #113 over 1:15.0.7-1, built it, and ran a few test
cases, including Simon's steps at the beginning of this bug report.
Everything worked as intended, addressing the issue at hand here.

The source & binary packages are on barriere:~paravoid/llvm-1032317/ if
anyone else wants to run any tests.

Faidon

Bug#1032317: libc++-15-dev: after installing libc++-15-dev, wasi-wasm32 stddef.h stops declaring size_t

[Faidon Liambotis]

Control: tags -1 + patch

On Wed, Mar 08, 2023 at 06:51:36PM +0100, Sylvestre Ledru wrote:
> Le 08/03/2023 à 18:13, Simon McVittie a écrit :
> > On Wed, 08 Mar 2023 at 17:46:11 +0200, Faidon Liambotis wrote:
> > > I'm not submitting an MR because I noticed that "15" branch has
> > > progressed further compared to 1-15.0.7-1, and I'm not sure how you'd
> > > like to handle it; basically whether these changes are suitable for
> > > bookworm at this point, or whether you'd like to to fork a branch for
> > > bookworm.
> > See also #1032316 which is exactly about whether 1%15.0.7-1 is intended
> > for bookworm or not: the reason I started looking at this is that
> > 1%15.0.7-1 not migrating is holding back fixes in src:mesa, at least
> > one of which is RC.
> 
> yeah, it is intended for bookworm
> 
> sorry if i didn't state it clearly earlier.
> 
> Faidon, would you like to push your fixes directly in the repo?

I pushed this as an MR against the 15 branch:
  https://salsa.debian.org/pkg-llvm-team/llvm-toolchain/-/merge_requests/113
(I don't have access to push directly -- and that's totally fine :)

I also kicked off a test build on barriere, which will take a few hours.
I'll let folks now if it succeeds.

Faidon

Bug#1032593: Automatically map intersphinx references to local packages

[Faidon Liambotis]

Source: sphinx
Version: 5.3.0-3
Severity: wishlist

Countless packages contain a stanza in their docs/conf.py like:
intersphinx_mapping = {
"python": ("https://docs.python.org/3;, None),
}

Given packages in Debian cannot use network access when being built, and
the dh_make Sphinx boilerplates suggest defining http_proxy to avoid
Sphinx resolving this through the internet, one of these two things
happens:

1) The maintainer patches the upstream source through debian/patches, to
point these references to the local filesystem. That's actually what
src:sphinx does as well for itself, through the intersphinx_local.diff
patch. A quick codesearch[1] reveals ~385 packages doing something
similar.

2) The maintainer does not patch the source, Sphinx attemps to fetch the
file from the network, fails due to http_proxy, and the generated docs
do not resolve these references. Build-time warnings are emitted of the
form:
   WARNING: py:class reference target not found: pathlib.Path
I don't know of an easy way to grep through the build logs to generate
numbers. Anecdotally, I've seen quite a few packages in that category as
well. (Perhaps one could add a tag to the Buildd Log Scanner[2] to scan
for this?)

It'd be great if intersphinx in Debian was patched to map these
references to the local Debian package and also to generate the
necessary dependencies -- perhaps guarded by a environment variable or
command-line option that dh_sphinx would only pass, for example.

Beyond patching the Sphinx code itself, there is of course the matter of
generating these mappings, which is surprisingly non-trivial. From what
I can tell the mappings need to be created heuristically, since I
haven't seen of a way for a central Sphinx to document in metadata where
the generation documentation will be published.

I played around with a few ideas, and while I haven't settled on
something that I feel is not dirty yet, I tried to implement something
akin to what dh-python's pydist/generate_fallback_list.py does: have a
script in the source to be executed manually periodically to regenerate
the cache, which creates a mapping that is then committed to git, and
shipped in the binary. 

So I implemented the attached proof of concept that:
* Scans Contents-all and Contents-amd64 to find objects.inv files
  and maps them back to the binary packages;
* Queries UDD (through one query with joins) to:
  - find the respective source packages for these binary packages
  - find the upstream metadata[3] for these source package
* Prints a tab-separated intersphinx_mappings file that has:
  \t\

It takes ~10s to run on my computer right now, which should be fine for
being executed periodically by the maintainer.

I'm sure there are many issues with this approach that I haven't thought
through, as well as a number of corner cases, but I wanted to have
something to kickstart this discussion beyond just wishful thinking!

I'd love any feedback! Note that I haven't looked at all at what it
would take to integrate this mapping to the Sphinx source (as well as
${sphinx:Depends}) as I thought it'd be good to validate the approach
before I do so.

Regards,
Faidon

1: 
https://codesearch.debian.net/search?q=intersphinx_mapping+path%3Adebian%2F=1=1
2: https://qa.debian.org/bls/
3: I ran into stale data in that table, which is now tracked as #1032587
#!/usr/bin/python3
#
# Copyright © 2023 Faidon Liambotis 
#
# Roughly based on dh-python/pydist/generate_fallback_list.py which is:
# Copyright © 2010-2015 Piotr Ożarowski 
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.

import re
import sys

try:
from distro_info import DistroInfo  # python3-distro-info package
except ImportError:
DistroInfo = None
from gzip import decompress
from pathlib import Path
from urllib.parse import urlparse
from urllib.request import urlopen

import psycopg2
import psycopg2.extras

if "--ubuntu" in sys.argv and DistroInfo:
SOURCES 

Bug#1032587: UDD's upstream_metadata table may contain stale data?

[Faidon Liambotis]

Package: qa.debian.org
User: qa.debian@packages.debian.org
Usertags: udd
Severity: normal
X-Debbugs-Cc: ti...@debian.org

m trying to query UDD for upstream metadata, but upon running some
SELECTs on public.upstream_metadata I've noticed that it doesn't have
data for e.g. src:python-structlog, which I added to the package with
the 22.3.0-1 upload on 18 Feb 2023.

I asked about the refresh frequency in #debian-qa, to which Lucas
responded that's not 100% sure of the status and encouraged me to file a
bug here. He also noted there is no mention of upstream metadata in
https://udd.debian.org/udd-status.cgi and that maybe [the updater] is no
longer running.

This is my first attempt to query this data, so I hope this isn't an
operator error!

Thanks in advance,
Faidon

Bug#983719: esptool: Version 3.0 fixes critical bugs

[Faidon Liambotis]

On Thu, Feb 23, 2023 at 12:16:41PM +0200, Faidon Liambotis wrote:
> I also have changes underway for 4.5, but currently looking into what it
> would take dependency-wise to accomplish this, as there are 1-2 new
> Python module dependencies that are not present in Debian yet. I'll
> follow up once I have something; I expect this to be in the next week or
> so.

I packaged the two new dependencies mentioned above:
 * python-reedsolo, which entered unstable this week; and 
 * python-pkcs11 (used only conditionally, for espsecure's HSM bits),
   which is waiting in NEW for about a week now.

I moved the repository to the DEP-14 layout, rebased the
feature/2.8-update branch, and then built on top of it in the new
debian/experimental branch. This now has 4.5.1, with lots of other fixes
and flasher stubs! I'd consider this a release candidate for an
experimental upload once pkcs11 passes through NEW.

Faidon

Bug#948096: Please build and ship flasher_stubs

[Faidon Liambotis]

Small update:

On Tue, Feb 21, 2023 at 02:05:26PM +0200, Faidon Liambotis wrote:
> Some good news: [...]

I've staged a commit in the debian/experimental branch that takes care
of all this, and builds stubs for ESP8266 and the RISC-V ESP32 chips.
Hooray!

> (There is a tiny warning about no debug support that is silenced by
> removing "-g" from CFLAGS).

That's a regression with GCC 12, and filed against gcc-xtensa-lx106 with
#1032564.

>   1. passing the right CROSS_ prefixes for every chip (configurable)
>   2. passing -mabi=ilp32 to CFLAGS (upstreamable)
>   3. passing -specs=picolibc.specs to CFLAGS (to use picolibc)

These are now patched locally in d/patches in the debian/experimental
branch, and upstreamed with PR #856:
https://github.com/espressif/esptool/pull/856

Faidon

Bug#1032564: "warning: target system does not support debug output" regression

[Faidon Liambotis]

Package: gcc-xtensa-lx106
Version: 12.2.0-9+12
Severity: normal
X-Debbugs-Cc: kei...@keithp.com

When building with -g, I get warnings such as:
  xtensa-lx106-elf-gcc: warning: target system does not support debug output
  cc1: warning: target system does not support debug output

I've noticed this while resuming work on this old project youy may
remember: attempting to build the esptool ESP8266 stubs (#948096).
However, it looks like Keith also experienced the same, and disabled
debug mode with this picolibc commit:
  
https://github.com/picolibc/picolibc/commit/711dbd24220a05693dc3711545d0a2e2cb7ff8e9

Going through snapshots.d.o, these warnings started being emitted with
12.2.0-9+12 and are still emitted with 12.2.0-14+12+b1. They were not
with 11.3.0-4+11 and earlier (including bullseye's, 10.2.1-6+8+b1)

Faidon

Bug#1029010: llvm-toolchain-15: autopkgtest regression

[Faidon Liambotis]

On Wed, Mar 08, 2023 at 09:41:21AM +, Simon McVittie wrote:
> > there is a metapackage, libc++-dev-wasm32, which Depends on the
> > default implementation, which is libc++-14-dev-wasm32 right now. That
> > metapackage has at least one notable reverse B-D, firefox, using it to
> > build certain security/sandboxing features (RLBox[1], AIUI). That is to
> > say, this feature works (w/ 14) and does very useful things today. it
> > (seemingly) broke when it was ported to llvm-toolchain-15, which
> > src:firefox does not depend on directly.
> 
> If I understand correctly, that doesn't *necessarily* have to be RC for
> bookworm, because llvm-toolchain-15 is not (yet!) the default version
> of LLVM provided by the metapackage, and is only used by Mesa? But it
> would be a blocker for either moving the default forward from 14 to 15
> (as has already been done in experimental), or making Firefox use the
> non-default 15 toolchain like Mesa does, presumably to get some new
> feature or optimization that isn't in 14?

At least as I also understand it, that's right. 

I think it'd be a pity to revert this for 15 and we should aim for
feature parity between the two branches, but disabling it is, and can
remain an option as a plan B given where we are in the bookworm release
cycle. That's IMHO, with a biased view, as the wasm patches author, but
ultimately up to the maintainer (which is definitely not me ;).

I'm hopeful we can address the underlying issue quickly though, and I
propose to put a hold to this conversation for the time being and see
where we get with a proper resolution first. I just posted a patch in
the other bug report. Fingers crossed.

Faidon

Bug#1032317: libc++-15-dev: after installing libc++-15-dev, wasi-wasm32 stddef.h stops declaring size_t

[Faidon Liambotis]

On Wed, Mar 08, 2023 at 09:08:13AM +0100, Sylvestre Ledru wrote:
> > Specifically, it looks like the entire patching of the method
> > WebAssembly::AddClangCXXStdlibIncludeArgs isn't happening anymore. One
> > of these differences was exactly about this -- the comment says:
> >// don't include the host architecture's headers in the search path
> > 
> > Sylvestre, I think you did the 14->15 porting, right? Do you
> > know/remember what happened there?
> 
> Maybe i did a mistake in the merge?!

Upstream commit b5787a0 ("Support -stdlib=libstdc++ for WebAssembly")
reorganized the code a bit, which resulted in a merge conflict. It also
included half of what my patch did, namely the getDriver().SysRoot to
computeSysRoot() conversion, which probably resulted in you thinking
that this hunk isn't necessary anymore!

I'm attaching a diff that restores the second half of the diff, and I
believe should fix this bug. (LLVM is a pain to build and test, so I
haven't tested this at all yet; hoping that it's easier for Sylvestre to
test!). I'm also attaching the interdiff in case it helps anyone to
review.

I'm not submitting an MR because I noticed that "15" branch has
progressed further compared to 1-15.0.7-1, and I'm not sure how you'd
like to handle it; basically whether these changes are suitable for
bookworm at this point, or whether you'd like to to fork a branch for
bookworm.

Side-note unrelated to this bug, but confused me during its
investigation:
  # this is a badly named duplicate of debian/1%15.0.7-1
  git tag -d debian/1%15.0.71; git push origin :debian/1%15.0.71
  # cruft left behind from the move to debian/patches/wasm/
  git checkout 15; git rm debian/patches/wasm-*; git commit -m "Remove cruft"
  git checkout snapshot; git rm debian/patches/wasm-*; git commit -m "Remove 
cruft"

HTH!
Faidon
--- a/debian/patches/wasm/wasm-sysroot-usr.diff
+++ b/debian/patches/wasm/wasm-sysroot-usr.diff
@@ -57,6 +59,33 @@
  void WebAssembly::addLibCxxIncludePaths(
  const llvm::opt::ArgList ,
  llvm::opt::ArgStringList ) const {
+@@ -499,7 +519,9 @@ void WebAssembly::addLibCxxIncludePaths(
+   }
+ 
+   // Second add the generic one.
+-  addSystemInclude(DriverArgs, CC1Args, LibPath + "/c++/" + Version);
++  // don't include the host architecture's headers in the search path
++  if (!getDriver().SysRoot.empty())
++addSystemInclude(DriverArgs, CC1Args, LibPath + "/c++/" + Version);
+ }
+ 
+ void WebAssembly::addLibStdCXXIncludePaths(
+@@ -546,8 +568,11 @@ void WebAssembly::addLibStdCXXIncludePat
+ addSystemInclude(DriverArgs, CC1Args, TargetDir);
+   }
+ 
+-  // Second add the generic one.
+-  addSystemInclude(DriverArgs, CC1Args, LibPath + "/c++/" + Version);
+-  // Third the backward one.
+-  addSystemInclude(DriverArgs, CC1Args, LibPath + "/c++/" + Version + "/backward");
++  // don't include the host architecture's headers in the search path
++  if (!getDriver().SysRoot.empty()) {
++// Second add the generic one.
++addSystemInclude(DriverArgs, CC1Args, LibPath + "/c++/" + Version);
++// Third the backward one.
++addSystemInclude(DriverArgs, CC1Args, LibPath + "/c++/" + Version + "/backward");
++  }
+ }
 --- a/clang/lib/Driver/ToolChains/WebAssembly.h
 +++ b/clang/lib/Driver/ToolChains/WebAssembly.h
 @@ -89,6 +89,8 @@ private:
diff -u b/clang/lib/Driver/ToolChains/WebAssembly.cpp b/clang/lib/Driver/ToolChains/WebAssembly.cpp
--- b/clang/lib/Driver/ToolChains/WebAssembly.cpp
+++ b/clang/lib/Driver/ToolChains/WebAssembly.cpp
@@ -519,7 +519,9 @@
   }
 
   // Second add the generic one.
-  addSystemInclude(DriverArgs, CC1Args, LibPath + "/c++/" + Version);
+  // don't include the host architecture's headers in the search path
+  if (!getDriver().SysRoot.empty())
+addSystemInclude(DriverArgs, CC1Args, LibPath + "/c++/" + Version);
 }
 
 void WebAssembly::addLibStdCXXIncludePaths(
@@ -568,6 +570,9 @@
 
-  // Second add the generic one.
-  addSystemInclude(DriverArgs, CC1Args, LibPath + "/c++/" + Version);
-  // Third the backward one.
-  addSystemInclude(DriverArgs, CC1Args, LibPath + "/c++/" + Version + "/backward");
+  // don't include the host architecture's headers in the search path
+  if (!getDriver().SysRoot.empty()) {
+// Second add the generic one.
+addSystemInclude(DriverArgs, CC1Args, LibPath + "/c++/" + Version);
+// Third the backward one.
+addSystemInclude(DriverArgs, CC1Args, LibPath + "/c++/" + Version + "/backward");
+  }
 }

Bug#1016183: RFH: crun -- lightweight OCI runtime for running containers

[Faidon Liambotis]

On Thu, Jul 28, 2022 at 06:39:21PM +0200, Bastian Germann wrote:
> Package: wnpp
> 
> The crun maintainer has requested help in #1014306.

I've done a few uploads since (1.5+dfsg-1, 1.8-1 and 1.8.1-1), as well
as prepared an upload for a bullseye-pu (#1031109). Reinhard also worked
on the package a fair bit, and was added as a comaintainer with 1.8-1.

We could always use more hands, but as far as wnpp goes, I think the
maintainer got some help :)

Faidon

Bug#1032317: libc++-15-dev: after installing libc++-15-dev, wasi-wasm32 stddef.h stops declaring size_t

[Faidon Liambotis]

On Fri, Mar 03, 2023 at 05:31:41PM +, Simon McVittie wrote:
> # clang++-15 -c --target=wasi-wasm32 -ostddef-cpp.o stddef.cpp
> # apt-get install --no-install-recommends libc++-15-dev
> # clang++-15 -c --target=wasi-wasm32 -ostddef-cpp.o stddef.cpp
> 
> Expected result: both clang++-15 calls succeed (stddef.h declares size_t)
> 
> Actual result: the second clang++-15 call fails:

(Super helpful bug report, thanks!)

As I mentioned in #1029010 just now, this is a regression from 14->15.
Retracing the same steps with clang-14 & libc++-14-dev-wasm32, there are
no errors and everything works as intended.

Looking at the differences of the include paths between the two by
passing -v to clang, one can see:
  /usr/include/wasm32-wasi/c++/v1
- /usr/lib/llvm-14/lib/clang/14.0.6/include
+ /usr/include/c++/v1
+ /usr/lib/llvm-15/lib/clang/15.0.7/include
  /usr/local/include
  /usr/include/wasm32-wasi
  /usr/include
i.e. /usr/include/c++/v1 (i.e. libc++-15-dev) is included in the include
path only with clang-15. It shouldn't be.

Looking at the interdiff of d/patches/wasm/wasm-sysroot-usr.diff[1]
patch between llvm-toolchain 1:14.0.6-12 and 1:15.0.7-1, it looks line
there are a few hunks that are missing.

Specifically, it looks like the entire patching of the method
WebAssembly::AddClangCXXStdlibIncludeArgs isn't happening anymore. One
of these differences was exactly about this -- the comment says:
  // don't include the host architecture's headers in the search path

Sylvestre, I think you did the 14->15 porting, right? Do you
know/remember what happened there?

Regards,
Faidon

1: Note that the git tree also has d/patches/wasm-sysroot-usr.diff (and
d/patches/wasm-compiler-rt-default.diff) which are earlier versions of
this patch, now unused (not in d/patches/series). I think what happened
was that the files were copied, instead of moved, to d/patches/wasm/.
Here I am talking exclusively about the versions in d/patches/wasm/.
It'd be good to cleanup this cruft to avoid further confusion.

Bug#1029010: llvm-toolchain-15: autopkgtest regression

[Faidon Liambotis]

On Fri, Mar 03, 2023 at 05:46:15PM +, Simon McVittie wrote:
> I've cut down what I think is the root cause of this compile failure to
> a more minimal bug report: see #1032317.

That's super helpful, thanks :) Spoiler alert: I have a suspicion on the
root cause, I'll follow up there.

> I don't think this is *really* a regression, because in the version in
> bookworm, the autopkgtest didn't exercise compilation of C++ into
> WebAssembly at all.

This statement strictly speaking is true, but applies only if you look
at LLVM 15 in isolation. It *is* a regression, in the sense that this
works with llvm-toolchain-14, where the WebAssembly work was first
pushed, today, in both bookworm and sid. For example, retracing your
steps in #1032317 with s/15/14/ does not result into a failure.

> If I understand correctly, when compared with bookworm, the version in
> sid adds a new feature (the necessary -dev packages for compiling C++ into
> WebAssembly) and also adds a smoke-test for that feature, but the feature
> doesn't yet work as intended. Is that accurate?

Kind of -- again, strictly speaking, true for libc++-15-dev-wasm32.
However, there is a metapackage, libc++-dev-wasm32, which Depends on the
default implementation, which is libc++-14-dev-wasm32 right now. That
metapackage has at least one notable reverse B-D, firefox, using it to
build certain security/sandboxing features (RLBox[1], AIUI). That is to
say, this feature works (w/ 14) and does very useful things today. it
(seemingly) broke when it was ported to llvm-toolchain-15, which
src:firefox does not depend on directly.

1: https://rlbox.dev/

Regards,
Faidon

Bug#1032057: pyproject-api: please make the build reproducible

[Faidon Liambotis]

Hi Chris!

On Mon, Feb 27, 2023 at 07:53:12AM +, Chris Lamb wrote:
> Whilst working on the Reproducible Builds effort [0] we noticed
> that pyproject-api could not be built reproducibly.

That's unfortunate! Sorry for not realizing it before you did.

For what it's worth, this package was uploaded as a new dependency of
tox 4. It looks like tox 4.4.6-1 (uploaded to experimental last week)
suffers from the same issue as well. I will handle it there as soon as
we conclude our resolution of this one -- no need for a separate bug :)

> This is because the documentation embeds the current date in the
> build system's current timezone. A patch is attached that uses
> SOURCE_DATE_EPOCH [1] if available.
>
> ...
>
> + html_theme = "furo"
> +-html_title, html_last_updated_fmt = "pyproject-api docs", 
> datetime.now().isoformat()
> ++build_date = datetime.utcfromtimestamp(
> ++int(os.environ.get('SOURCE_DATE_EPOCH', time.time()))
> ++)
> ++html_title, html_last_updated_fmt = "pyproject-api docs", 
> build_date.isoformat()

Looking at Sphinx's documentation, it looks like html_last_updated_fmt,
as the name hints, is supposed to be the format string, not the actual
date. (A literal date works as a format because anything that's not
percent-encoded is passed on unmodified. So I think that's just a happy
accident.)

I checked the Sphinx source code, and it looks like the string is used
in prepare_writing() from builders/html/__init__.py, which in turn
passes it on as an argument to format_date() from util/i18n.py. It looks
like format_date() has support for SOURCE_DATE_EPOCH.

So from what I can tell, a much simpler patch would be to set
html_last_updated_fmt to "%Y-%m-%dT%H:%M:%S.%f" for the equivalent ISO
8601 string (or even something with less accuracy) -- no need to fiddle
with the datetime module, or SOURCE_DATE_EPOCH at all.

I know you've gone to great lengths to make Sphinx docs reproducible
across the board, so I'm leaning on your experience to let me know if
I'm missing something here before I patch it locally and pass it on to
the two upstream projects. Looking forward to your feedback.

Best,
Faidon

Bug#1032143: ITP: python-pkcs11 -- high level PKCS#11 interface for Python

[Faidon Liambotis]

Package: wnpp
Severity: wishlist
Owner: Faidon Liambotis 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: python-pkcs11
  Version : 0.7.0
  Upstream Author : Danielle Madeley
* URL : https://github.com/danni/python-pkcs11/
* License : Expat
  Programming Lang: Python
  Description : high level PKCS#11 interface for Python

 A high level, "more Pythonic" interface to the PKCS#11 (Cryptoki) standard to
 support HSM and Smartcard devices in Python.
 .
 The interface is designed to follow the logical structure of a HSM, with
 useful defaults for obscurely documented parameters. Many APIs will optionally
 accept iterables and act as generators, allowing you to stream large data
 blocks for symmetric encryption.
 .
 It also includes numerous utility functions to convert between PKCS#11 data
 structures and common interchange formats including PKCS#1 and X.509.
 .
 The library is fully documented and has a full integration test suite for all
 features, with continuous integration against multiple HSM platforms including
 Entrust nShield, Opencryptoki TPM and OpenSC/Smartcard-HSM/Nitrokey HSM.

New optional dependency for esptool, a package that I am trying to help
with. I intend to maintain this package as part of the Debian Python
Team. Co-maintainers/Uploaders more than welcome.

Bug#1032121: Please build and ship the packaging's documentation

[Faidon Liambotis]

Package: python3-packaging
Version: 23.0-1
Severity: wishlist

Upstream ships documentation in the docs/ directory, including a
standard Sphinx Makefile that can be used to build it.

Please build it and ship it as part of this package. My main use case is
other packages (tox and friends) hat are trying to build their own
documentation, and want to link to the packaging manual as a reference.

Thanks!
Faidon

Bug#1030983: gdnsd may FTBFS on 32-bit platforms, e.g. on hppa

[Faidon Liambotis]

On Mon, Feb 27, 2023 at 09:20:05PM +0100, Helge Deller wrote:
> Yes, you seem to be right. I missed the stat() calls.
> I wonder - do you know which files are monitored with the stat() calls?
> Could it be that those are just files from /dev or /proc, or are other
> standard files monitored too?

They are configuration files in /etc/gdnsd, state files in /run, as well
as user-configurable paths, as configured in /etc/gdnsd/config, cf.
gdnsd-plugin-extfile(8). So I see where you were going with this, but
I'm afraid that there's no shortcut here :/

What would you like to do with this bug? Would you like to file a bug
against libev and mark this bug as blocked by the libev one? Or
alternatively I can mark as wontfix and resolve?

(Quite honestly I'm not sure if I were the libev maintainer if I'd
bother with an ABI bump for this; but they might :)

Regards,
Faidon

Bug#1030983: gdnsd may FTBFS on 32-bit platforms, e.g. on hppa

[Faidon Liambotis]

Hi Helge,

On Sun, Feb 26, 2023 at 01:06:16PM +0100, Helge Deller wrote:
> > So, from what I can tell, this is not something that I can fix locally
> > within gdnsd right now. AIUI what would need to happen is that libev
> > would need to be build with LFS support first, which would mean
> > rebuilding it with future=+lfs, breaking its ABI in the process,
> > requiring an ABI bump, and in turn a transition during which all of its
> > reverse dependencies will need sourceful uploads as to be modified to
> > also pass future=+lfs/-D_FILE_OFFSET_BITS=64, and then to be rebuilt
> > themselves (and possibly also affecting their reverse-dependency chains
> > as well).
> 
> Correct. Not something which is possible now.
> 
> But I have another idea.
> We don't need to touch libev for now.
> Instead the only thing which currently may fail is the readdir() in
> src/zsrc_rfc1035.c.  If we get this call to use the 64-bit variant we
> are done.
> 
> Attached is a proposed patch. It just changes this specific readdir()
> and is independend of libev.
> I've sucessfully tested it on the hppa architecture, and I hope it
> compiles the same way on all other platforms too.
> Could you check?

I don't think that's right. I think there are two independent LFS issues
with current builds of gdnsd:
1) the readdir() call in the rfc1035 zonefile parser (src/zsrc_rfc1035.c)
2) the stat() calls, via ev_stat_init etc., in the mon and extfile plugins.

These two issues are in different parts of gdnsd, and independent from
each other.

(1) is contained within gdnsd, and thus building with future=+lfs, as
you originally suggested, addresses this issue. Your readdir64() patch
also addresses this issue, and is functionally the same in that regard:
AIUI with _FILE_OFFSET_BITS=64, glibc implements readdir() with a
readdir64() system call.

However, (2) is not self-contained, with stat structures crossing an ABI
boundary (libev's). Hence why the test suite (legitimately) fails when
building with future=+lfs.

My understanding is that patching (1) with the patch you attached, but
not building with future=+lfs, ill effectively still create a binary
that does not have large file/inode support, as the stat() calls that
the mon/extfile plugins make, will not work on 64-bit inode filesystems.

Does this make sense?

Faidon

Bug#983719: esptool: Version 3.0 fixes critical bugs

[Faidon Liambotis]

On Tue, Feb 21, 2023 at 02:16:40PM +0200, Faidon Liambotis wrote:
> I should note that while the package seems to meet the criteria for
> Salvaging (DevRef 5.12) I don't currently have the bandwidth to maintain
> it properly in the long run either. I'm happy to do a one-off NMU to
> bring it to a more decent shape, however.

Update: I pushed a branch into the main repo, feature/2.8-update, that
just brings up the packaging to modern standards and switches to using
pybuild -- a step necessary given new upstream releases are now using
Python modules etc.

This is still tagged as a 2.8+dfsg-1.1 release that builds the package
as-is with enhancements and no regressions.

I also have changes underway for 4.5, but currently looking into what it
would take dependency-wise to accomplish this, as there are 1-2 new
Python module dependencies that are not present in Debian yet. I'll
follow up once I have something; I expect this to be in the next week or
so.

Regards,
Faidon