Bug#1035475: bullseye-pu: package dkimpy/1.0.5-1

2023-06-26 Thread Scott Kitterman
On Monday, June 26, 2023 3:26:19 PM EDT Jonathan Wiltshire wrote:
> Control: tag -1 confirmed
> 
> On Wed, May 03, 2023 at 01:44:43PM -0400, Scott Kitterman wrote:
> > This is a new upstream release that we targeted to address bugs that
> > would generally be suitable for Debian post-release updates.
> 
> Please go ahead.

Uploaded.

Thanks,

Scott K



Bug#1035475: bullseye-pu: package dkimpy/1.0.5-1

2023-06-26 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Wed, May 03, 2023 at 01:44:43PM -0400, Scott Kitterman wrote:
> This is a new upstream release that we targeted to address bugs that
> would generally be suitable for Debian post-release updates.

Please go ahead.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Bug#1035475: bullseye-pu: package dkimpy/1.0.5-1

2023-05-03 Thread Scott Kitterman
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

This is a new upstream release that we targeted to address bugs that
would generally be suitable for Debian post-release updates.

[ Reason ]
Fix bugs identified below.

Several significant bug fixes have been done that together merited an
upstream release of the older series (1.0).  While none of these are
known regressions from Buster, some of them are significant, in
particular:

The base64 validation regexp bug causes a 1-2% DKIM signature
verification failure rate, which adds up.

The ed25519 key file permissions fix has potential security implications
for anyone generating private keys on insecure systems.  This is low
probability because people shouldn't do this, but no doubt someone does.

[ Impact ]
Bugs aren't fixed.  Primary impact is 1-2% of messages that should pass
DKIM verification will be evaluated as failures.

[ Tests ]
The dkimpy package has an autopkgtest which runs the upstream test suite
(and passes).  I have this update running in production locally.

[ Risks ]
Risk is low.  The riskiest change, the base64 validation regexp fix, has
been released in the dkimpy 1.1 series for a few months with no issues
reported.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]

All upstream changes are described in the upstream changelog:

2023-04-30 Version 1.0.6
- Provide more specific error message when ed25519 private key is invalid
  (See LP 1901569 for background)
- Correct base64 validation regexp so that valid signature with == split
  between two lines are not incorrectly evaluated as invalid (LP:
  #2002295) - Thanks to  for the report and
  the proposed fix
- Fix traceback when attempting to verify an unsigned message using
  async verify (Thanks to Nikita Sychev for the report and a suggested
  fix) (LP: #2008723)
- Verify correct AMS header is used for ARC seal verification
- Catch nacl.exceptions.ValueError and raise KeyFormatError, similar to how
  RSA key errors are treated (LP: #2018021)
- Create ed25519 key files with secure permissions to avoid risk of
  insecure chmode call/race condition (Thanks to Hanno Böck for the report
  and the suggested fix) (LP: #2017430)

The only packaging changes are to adjust for bullseye specifics.

[ Other info ]
These bug fixes were included in unstable in version 1.1.0-1, 1.1.1-1,
1.1.2-1, and 1.1.3-1.
diff -Nru dkimpy-1.0.5/ChangeLog dkimpy-1.0.6/ChangeLog
--- dkimpy-1.0.5/ChangeLog  2020-08-08 22:34:58.0 -0400
+++ dkimpy-1.0.6/ChangeLog  2023-04-30 10:09:05.0 -0400
@@ -1,3 +1,20 @@
+2023-04-30 Version 1.0.6
+- Provide more specific error message when ed25519 private key is invalid
+  (See LP 1901569 for background)
+- Correct base64 validation regexp so that valid signature with == split
+  between two lines are not incorrectly evaluated as invalid (LP:
+  #2002295) - Thanks to  for the report and
+  the proposed fix
+- Fix traceback when attempting to verify an unsigned message using
+  async verify (Thanks to Nikita Sychev for the report and a suggested
+  fix) (LP: #2008723)
+- Verify correct AMS header is used for ARC seal verification
+- Catch nacl.exceptions.ValueError and raise KeyFormatError, similar to how
+  RSA key errors are treated (LP: #2018021)
+- Create ed25519 key files with secure permissions to avoid risk of
+  insecure chmode call/race condition (Thanks to Hanno Böck for the report
+  and the suggested fix) (LP: #2017430)
+
 2020-08-08 Version 1.0.5
 - Update dnsplug for DNS Python (dns) 2.0 compatibility (LP: #1888583)
 - Fix @param srv_id typos (LP: #1890532)
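Review bot: The base64 regexp entry in the added 1.0.6 block reads "Thanks to  for the report", so the reporter's name is missing between "to" and "for"; restore the credit or drop the clause. In the last added entry, "chmode" should read "chmod".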
diff -Nru dkimpy-1.0.5/debian/changelog dkimpy-1.0.6/debian/changelog
--- dkimpy-1.0.5/debian/changelog   2020-08-08 23:05:48.0 -0400
+++ dkimpy-1.0.6/debian/changelog   2023-05-03 12:55:36.0 -0400
@@ -1,3 +1,11 @@
+dkimpy (1.0.6-0+deb11u1) bullseye; urgency=medium
+
+  * Update d/watch to look for 1.0 updates for bullseye
+  * Update d/gbp.conf for bullseye
+  * New upstream release
+
+ -- Scott Kitterman   Wed, 03 May 2023 12:55:36 -0400
+
 dkimpy (1.0.5-1) unstable; urgency=medium
 
   * Bump debhelper compat to 12
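Review bot: The new 1.0.6-0+deb11u1 entry records the upstream update only as "New upstream release", so someone reading d/changelog for this stable update does not see the ed25519 key-file permission fix (LP: #2017430) or the base64 regexp fix (LP: #2002295); add sub-bullets under that item naming them. The trailer line as shown here, "-- Scott Kitterman   Wed, 03 May 2023 12:55:36 -0400", has no address between the name and the date; confirm the uploaded file carries it.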
diff -Nru dkimpy-1.0.5/debian/gbp.conf dkimpy-1.0.6/debian/gbp.conf
--- dkimpy-1.0.5/debian/gbp.conf2020-04-06 08:25:05.0 -0400
+++ dkimpy-1.0.6/debian/gbp.conf2023-05-03 12:53:03.0 -0400
@@ -1,2 +1,3 @@
 [DEFAULT]
-debian-branch=debian/master
+debian-branch=debian/bullseye
+upstream-branch=upstream-bullseye
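Review bot: The two branch names set in this hunk follow different schemes, "debian/bullseye" with a slash namespace and "upstream-bullseye" with a hyphen; consider "upstream/bullseye" for consistency, and confirm the upstream branch exists in the packaging repository before the upload relies on it.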
diff -Nru dkimpy-1.0.5/debian/watch dkimpy-1.0.6/debian/watch
---
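The key-file permission issue named in the changelog above (LP: #2017430), shown as an added example that is not dkimpy's code and not part of the original message: writing a private key and then calling chmod leaves a window in which the file carries umask-derived permissions, while creating it with mode 0600 and O_EXCL does not. The function names and the sample key bytes are constructed for illustration.

```python
import os
import stat
import tempfile


def write_key_then_chmod(path, key_bytes):
    """Racy pattern: the file exists with umask-derived permissions until chmod runs."""
    with open(path, "wb") as f:
        f.write(key_bytes)
    # Anything that can read the directory can open the file at this point.
    mode_before_chmod = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, 0o600)
    return mode_before_chmod


def write_key_securely(path, key_bytes):
    """Create the file as 0600 from the first instant.

    O_EXCL makes the call fail if the path already exists (including a
    pre-planted symlink), so the key is never written into someone else's file.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        mode_while_writing = stat.S_IMODE(os.fstat(f.fileno()).st_mode)
        f.write(key_bytes)
    return mode_while_writing


def demo():
    """Return (mode during racy write, mode during secure write, reuse refused)."""
    old_umask = os.umask(0o022)  # a common default umask, set explicitly for the demo
    try:
        with tempfile.TemporaryDirectory() as d:
            key = b"constructed-sample-not-a-real-key\n"
            racy = write_key_then_chmod(os.path.join(d, "racy.key"), key)
            safe = write_key_securely(os.path.join(d, "safe.key"), key)
            try:
                write_key_securely(os.path.join(d, "safe.key"), key)
                refused = False
            except FileExistsError:
                refused = True
            return racy, safe, refused
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print([oct(v) if not isinstance(v, bool) else v for v in demo()])
```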