Bug#1006292: bullseye-pu: package plasma-discover/5.20.5-3
Hi Adam,

On Sat, 14 Oct 2023 19:46:36 +0100 "Adam D. Barratt" wrote:
[...]
> Thanks; please go ahead.

It's uploaded.

--
Kind regards

Patrick Franz
Bug#1006292: bullseye-pu: package plasma-discover/5.20.5-3
On Tue, 2023-10-03 at 19:19 +0200, Patrick Franz wrote:
> Hi,
>
> On Monday, 2 October 2023, 19:04:00 CEST, Jonathan Wiltshire wrote:
> [...]
> > Ping on this? It's urgent given the point release is planned for the
> > coming weekend, and we're currently unsure if the related fix is safe
> > to release without this one. If there's no answer we'll have to play
> > safe and hold plasma-desktop back until the next cycle as well.
>
> I've fixed it and it builds now. I'm attaching a debdiff to the
> version that was supposed to be uploaded.

Thanks; please go ahead.

Regards,

Adam
Bug#1006292: bullseye-pu: package plasma-discover/5.20.5-3
Hi,

On Wednesday, 4 October 2023, 15:02:11 CEST, Adam D. Barratt wrote:
[...]
> Thanks, but it's too late to get the updated package accepted for the
> 11.8 point release now in any case.
>
> The question that remains from Jonathan's mail is - is it OK to
> include the plasma-desktop and knewstuff updates without
> plasma-discover, or should those be held back until plasma-discover
> is ready, and all three released at the same time?

I don't know to be honest. I guess the safe way is to release all three
together.

--
Kind regards

Patrick Franz
Bug#1006292: bullseye-pu: package plasma-discover/5.20.5-3
Hi,

On Mon, 2023-10-02 at 19:05 +0200, Patrick Franz wrote:
> Hi,
>
> On Monday, 2 October 2023, 19:04:00 CEST, Jonathan Wiltshire wrote:
> > Ping on this? It's urgent given the point release is planned for the
> > coming weekend, and we're currently unsure if the related fix is safe
> > to release without this one. If there's no answer we'll have to play
> > safe and hold plasma-desktop back until the next cycle as well.
>
> Thanks for the ping. I'll try to get it done tomorrow or the day
> after.

Thanks, but it's too late to get the updated package accepted for the
11.8 point release now in any case.

The question that remains from Jonathan's mail is - is it OK to include
the plasma-desktop and knewstuff updates without plasma-discover, or
should those be held back until plasma-discover is ready, and all three
released at the same time?

Regards,

Adam
Bug#1006292: bullseye-pu: package plasma-discover/5.20.5-3
Hi,

On Monday, 2 October 2023, 19:04:00 CEST, Jonathan Wiltshire wrote:
[...]
> Ping on this? It's urgent given the point release is planned for the
> coming weekend, and we're currently unsure if the related fix is safe
> to release without this one. If there's no answer we'll have to play
> safe and hold plasma-desktop back until the next cycle as well.

I've fixed it and it builds now. I'm attaching a debdiff to the version
that was supposed to be uploaded.

--
Kind regards

Patrick Franz

diffstat for plasma-discover-5.20.5 plasma-discover-5.20.5 changelog |8 plasma-discover-common.install |1 - plasma-discover.install|1 - 3 files changed, 8 insertions(+), 2 deletions(-) diff -Nru plasma-discover-5.20.5/debian/changelog plasma-discover-5.20.5/debian/changelog --- plasma-discover-5.20.5/debian/changelog 2022-02-22 22:20:28.0 +0100 +++ plasma-discover-5.20.5/debian/changelog 2023-10-03 19:11:07.0 +0200 @@ -1,3 +1,11 @@ +plasma-discover (5.20.5-3+deb11u2) bullseye; urgency=medium + + [ Patrick Franz ] + * Team upload. + * Update list of installed files. + + -- Patrick Franz Tue, 03 Oct 2023 19:11:07 +0200 + plasma-discover (5.20.5-3+deb11u1) bullseye; urgency=medium * Team upload. diff -Nru plasma-discover-5.20.5/debian/plasma-discover-common.install plasma-discover-5.20.5/debian/plasma-discover-common.install --- plasma-discover-5.20.5/debian/plasma-discover-common.install 2022-02-22 22:20:28.0 +0100 +++ plasma-discover-5.20.5/debian/plasma-discover-common.install 2023-10-03 19:09:08.0 +0200
@@ -1,6 +1,5 @@ usr/share/discover/ usr/share/icons/hicolor/*/apps/plasmadiscover.* -usr/share/knsrcfiles/ usr/share/kxmlgui5/plasmadiscover/ usr/share/libdiscover/categories/packagekit-backend-categories.xml usr/share/locale/ diff -Nru plasma-discover-5.20.5/debian/plasma-discover.install plasma-discover-5.20.5/debian/plasma-discover.install --- plasma-discover-5.20.5/debian/plasma-discover.install 2022-02-22 22:20:28.0 +0100 +++ plasma-discover-5.20.5/debian/plasma-discover.install 2023-10-03 19:07:36.0 +0200 @@ -5,7 +5,6 @@ usr/lib/*/libexec/kf5/discover/runservice usr/lib/*/plasma-discover/ usr/lib/*/qt5/plugins/discover-notifier/DiscoverPackageKitNotifier.so -usr/lib/*/qt5/plugins/discover/kns-backend.so usr/lib/*/qt5/plugins/discover/packagekit-backend.so usr/share/applications/org.kde.discover.apt.urlhandler.desktop usr/share/applications/org.kde.discover.desktop
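Review bot: the new debian/changelog entry "* Update list of installed files." does not say which entries were dropped or why. Suggest naming usr/share/knsrcfiles/ and usr/lib/*/qt5/plugins/discover/kns-backend.so in the entry and stating that they are no longer produced since the KNS backend was disabled in 5.20.5-3+deb11u1, which is what made dh_install abort with "missing files".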
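Review bot: in the plasma-discover.install hunk, the removal of usr/lib/*/qt5/plugins/discover/kns-backend.so addresses a failure that the build log quoted in this thread does not show, since that log stops at binary-indep on usr/share/knsrcfiles/. Worth confirming that both the arch-independent and the arch-dependent builds complete, and that no remaining install entry still refers to an artifact of the disabled KNSBackend subdirectory.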
Bug#1006292: bullseye-pu: package plasma-discover/5.20.5-3
Hi,

On Monday, 2 October 2023, 19:04:00 CEST, Jonathan Wiltshire wrote:
> Ping on this? It's urgent given the point release is planned for the
> coming weekend, and we're currently unsure if the related fix is safe
> to release without this one. If there's no answer we'll have to play
> safe and hold plasma-desktop back until the next cycle as well.

Thanks for the ping. I'll try to get it done tomorrow or the day after.

--
Kind regards

Patrick Franz
Bug#1006292: bullseye-pu: package plasma-discover/5.20.5-3
Hi,

On Tue, Sep 26, 2023 at 08:32:14PM +0100, Adam D. Barratt wrote:
> This should have been spotted earlier, but the upload FTBFS everywhere.
> The end of the logs all look like:
>
> ===
> dh_install: warning: Cannot find (any matches for) "usr/share/knsrcfiles/" (tried in ., debian/tmp)
>
> dh_install: warning: plasma-discover-common missing files: usr/share/knsrcfiles/
> dh_install: error: missing files, aborting
> make: *** [debian/rules:6: binary-indep] Error 25
> ===
>
> I assume this is because the files are no longer being generated, so
> you need to stop trying to add them to the binary package.

Ping on this? It's urgent given the point release is planned for the
coming weekend, and we're currently unsure if the related fix is safe to
release without this one. If there's no answer we'll have to play safe
and hold plasma-desktop back until the next cycle as well.

Thanks,

--
Jonathan Wiltshire  j...@debian.org
Debian Developer  http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1006292: bullseye-pu: package plasma-discover/5.20.5-3
On Thu, 2023-08-03 at 02:03 +0200, Patrick Franz wrote:
> Hi,
>
> On Tue, 25 Jul 2023 22:31:30 +0100 Jonathan Wiltshire wrote:
> > Hi,
> >
> > This request was approved but not uploaded in time for the previous
> > point release (11.7). Should it be part of 11.8 in a few weeks' time,
> > or abandoned and closed?
>
> Package has been uploaded.

This should have been spotted earlier, but the upload FTBFS everywhere.
The end of the logs all look like:

===
dh_install: warning: Cannot find (any matches for) "usr/share/knsrcfiles/" (tried in ., debian/tmp)

dh_install: warning: plasma-discover-common missing files: usr/share/knsrcfiles/
dh_install: error: missing files, aborting
make: *** [debian/rules:6: binary-indep] Error 25
===

I assume this is because the files are no longer being generated, so
you need to stop trying to add them to the binary package.

Regards,

Adam
Bug#1006292: bullseye-pu: package plasma-discover/5.20.5-3
Hi,

On Tue, 25 Jul 2023 22:31:30 +0100 Jonathan Wiltshire wrote:
> Hi,
>
> This request was approved but not uploaded in time for the previous
> point release (11.7). Should it be part of 11.8 in a few weeks' time,
> or abandoned and closed?

Package has been uploaded.

--
Kind regards

Patrick Franz
Bug#1006292: bullseye-pu: package plasma-discover/5.20.5-3
Hi,

This request was approved but not uploaded in time for the previous
point release (11.7). Should it be part of 11.8 in a few weeks' time, or
abandoned and closed?

Thanks,

--
Jonathan Wiltshire  j...@debian.org
Debian Developer  http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1006292: bullseye-pu: package plasma-discover/5.20.5-3
Control: tag -1 confirmed

On Tue, Feb 22, 2022 at 10:38:05PM +0100, Patrick Franz wrote:
> [ Reason ]
> A bug in plasma-discover causes a Denial of Service attack
> against the KDE servers. 3 packages need to be patched to
> mitigate the attack: knewstuff, plasma-desktop and
> plasma-discover.
> This update fixes bug #1006124 for bullseye and has been
> fixed in unstable.
>
> [ Impact ]
> Running the old version causes considerable load for the KDE
> servers.
>
> [ Tests ]
> No manual tests have been performed.
>
> [ Risks ]
> The risks are rather low as the update is a single patch.
> The patch has been created by KDE upstream specifically for the
> version in bullseye.
>
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> The update contains a single patch to help ease the load on
> KDE servers.
>
> [ Other info ]
> It would be good if users of KDE plasma could receive the update
> as quickly as possible.

Thanks, go ahead.

Cheers,

Julien
Bug#1006292: bullseye-pu: package plasma-discover/5.20.5-3
Package: release.debian.org
Severity: important
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: delta...@debian.org, debian-qt-...@lists.debian.org

[ Reason ]
A bug in plasma-discover causes a Denial of Service attack
against the KDE servers. 3 packages need to be patched to
mitigate the attack: knewstuff, plasma-desktop and
plasma-discover.
This update fixes bug #1006124 for bullseye and has been
fixed in unstable.

[ Impact ]
Running the old version causes considerable load for the KDE
servers.

[ Tests ]
No manual tests have been performed.

[ Risks ]
The risks are rather low as the update is a single patch.
The patch has been created by KDE upstream specifically for the
version in bullseye.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The update contains a single patch to help ease the load on
KDE servers.

[ Other info ]
It would be good if users of KDE plasma could receive the update
as quickly as possible.

diffstat for plasma-discover-5.20.5 plasma-discover-5.20.5 changelog |8 patches/discover_dns.patch | 31 +++ patches/series |1 + 3 files changed, 40 insertions(+) diff -Nru plasma-discover-5.20.5/debian/changelog plasma-discover-5.20.5/debian/changelog --- plasma-discover-5.20.5/debian/changelog 2021-03-10 23:53:46.0 +0100 +++ plasma-discover-5.20.5/debian/changelog 2022-02-22 22:20:28.0 +0100
@@ -1,3 +1,11 @@ +plasma-discover (5.20.5-3+deb11u1) bullseye; urgency=medium + + * Team upload. + * Cherry-pick commit to fix the Denial of Service bug in Discover +(Closes: #1006124). + + -- Patrick Franz Tue, 22 Feb 2022 22:20:28 +0100 + plasma-discover (5.20.5-3) unstable; urgency=medium [ Patrick Franz ] diff -Nru plasma-discover-5.20.5/debian/patches/discover_dns.patch plasma-discover-5.20.5/debian/patches/discover_dns.patch --- plasma-discover-5.20.5/debian/patches/discover_dns.patch1970-01-01 01:00:00.0 +0100 +++ plasma-discover-5.20.5/debian/patches/discover_dns.patch2022-02-22 22:17:27.0 +0100 @@ -0,0 +1,31 @@ +From efb34c2aa235b703bc55cb9b37fedebed0ac7df8 Mon Sep 17 00:00:00 2001 +From: Ben Cooksley +Date: Mon, 7 Feb 2022 06:39:12 +1300 +Subject: [PATCH] Disable the building of the KNS backend until it can be + corrected to not cause a Denial of Service attack on KDE.org infrastructure. + +(cherry picked from commit f66df3531670592960167f5060feeed6d6c792be) +--- + libdiscover/backends/CMakeLists.txt | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/libdiscover/backends/CMakeLists.txt b/libdiscover/backends/CMakeLists.txt +index 5f87f639f..0fbdc524f 100644 +--- a/libdiscover/backends/CMakeLists.txt b/libdiscover/backends/CMakeLists.txt +@@ -8,9 +8,9 @@ function(add_unit_test name) + Qt5::Test Qt5::Core ${EXTRA_LIBS}) + endfunction() + +-if(KF5Attica_FOUND AND KF5NewStuff_FOUND) +- add_subdirectory(KNSBackend) +-endif() ++#if(KF5Attica_FOUND AND KF5NewStuff_FOUND) ++# add_subdirectory(KNSBackend) ++#endif() + + if(packagekitqt5_FOUND AND AppStreamQt_FOUND) + add_subdirectory(PackageKitBackend) +-- +GitLab + diff -Nru plasma-discover-5.20.5/debian/patches/series plasma-discover-5.20.5/debian/patches/series --- plasma-discover-5.20.5/debian/patches/series2021-03-10 23:53:46.0 +0100 +++ plasma-discover-5.20.5/debian/patches/series2022-02-22 22:17:51.0 +0100 @@ -1 +1,2 @@ https_only_links.patch +discover_dns.patch
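Review bot: the libdiscover/backends/CMakeLists.txt hunk stops building KNSBackend, but the debdiff touches only changelog, patches/discover_dns.patch and patches/series, so the debian/*.install lists still expect the backend's output. The later build log in this thread shows dh_install aborting on usr/share/knsrcfiles/ for exactly that reason. The install lists should be updated in the same upload, and with "[ Tests ] No manual tests have been performed." a test build of the patched source before upload would have caught it. Separately, commenting the block out with "#" leaves no reason in the file; a one-line comment pointing at the Denial of Service issue (#1006124) above the disabled "add_subdirectory(KNSBackend)" would help whoever re-enables it.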
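Review bot: in the debian/patches/series hunk the patch is registered as discover_dns.patch, while its subject line and the changelog entry describe a Denial of Service fix and nothing in it concerns DNS. A name such as discover_dos.patch, or one that mentions the KNS backend, would avoid misleading anyone scanning the series file.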