Bug#689003: unblock: bacula/5.2.6+dfsg-5
В Wed, 2 Jan 2013 23:28:50 +0400 Alexander Golovko alexan...@ankalagon.ru пишет: В Sat, 1 Dec 2012 14:02:30 +0100 Julien Cristau jcris...@debian.org пишет: On Mon, Nov 26, 2012 at 01:24:19 +0400, Alexander Golovko wrote: Sorry, i don't see any reply. I prepare package for wheezy, changelog here: http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=blob;f=debian/changelog;h=56223bdd477cd7a52770eae92cfc5d1c857dea27;hb=wheezy i try to make each changelog record as separate commit with clean description: http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=shortlog;h=refs/heads/wheezy If i has not a mess, than all changes except one was accepted. I didn't get final reply about #556207 (see inline). I thought it was clear I'm not convinced this change is suitable. Please drop it. Ok And i have yet another question - there was a non-maintainer upload. What package version should be now? I would much prefer if this was a 5.2.6+dfsg-7 version, uploaded to sid, and including only the approved changes, rather than a direct upload to testing. Ok, 5.2.6+dfsg-7 prepared. Additional changes - add dutch translation and update info about upstream bugs in patches. Also i have a question about opened bugs 605449 and 694046. Can be fixes included into wheezy or not? Please, unblock 5.2.6+dfsg-7 (#605449 included, #694046 - not). If this is interest, git history was changed. Subtree [1] with clean changes since 5.2.6+dfsg-2 was merged [2] into master branch without undescribed changes [3] [1] http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=595829670fcf9555b1f50897655d3ae23cca65e6 [2] http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=bbe70c0b38617576fb67a318007c70818007306d [3] http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commitdiff;h=bbe70c0b38617576fb67a318007c70818007306d;hp=595829670fcf9555b1f50897655d3ae23cca65e6 -- with best regards, Alexander Golovko email: alexan...@ankalagon.ru xmpp: alexan...@ankalagon.ru signature.asc Description: PGP signature
Bug#689003: unblock: bacula/5.2.6+dfsg-5
В Sat, 1 Dec 2012 14:02:30 +0100 Julien Cristau jcris...@debian.org пишет: On Mon, Nov 26, 2012 at 01:24:19 +0400, Alexander Golovko wrote: Sorry, i don't see any reply. I prepare package for wheezy, changelog here: http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=blob;f=debian/changelog;h=56223bdd477cd7a52770eae92cfc5d1c857dea27;hb=wheezy i try to make each changelog record as separate commit with clean description: http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=shortlog;h=refs/heads/wheezy If i has not a mess, than all changes except one was accepted. I didn't get final reply about #556207 (see inline). I thought it was clear I'm not convinced this change is suitable. Please drop it. Ok And i have yet another question - there was a non-maintainer upload. What package version should be now? I would much prefer if this was a 5.2.6+dfsg-7 version, uploaded to sid, and including only the approved changes, rather than a direct upload to testing. Ok, 5.2.6+dfsg-7 prepared. Additional changes - add dutch translation and update info about upstream bugs in patches. Also i have a question about opened bugs 605449 and 694046. Can be fixes included into wheezy or not? If this is interest, git history was changed. Subtree [1] with clean changes since 5.2.6+dfsg-2 was merged [2] into master branch without undescribed changes [3] [1] http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=595829670fcf9555b1f50897655d3ae23cca65e6 [2] http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=bbe70c0b38617576fb67a318007c70818007306d [3] http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commitdiff;h=bbe70c0b38617576fb67a318007c70818007306d;hp=595829670fcf9555b1f50897655d3ae23cca65e6 -- with best regards, Alexander Golovko email: alexan...@ankalagon.ru xmpp: alexan...@ankalagon.ru signature.asc Description: PGP signature
Bug#689003: unblock: bacula/5.2.6+dfsg-5
On Sat, Dec 1, 2012 at 14:02:30 +0100, Julien Cristau wrote: I would much prefer if this was a 5.2.6+dfsg-7 version, uploaded to sid, and including only the approved changes, rather than a direct upload to testing. Ping? Cheers, Julien signature.asc Description: Digital signature
Bug#689003: unblock: bacula/5.2.6+dfsg-5
В Tue, 1 Jan 2013 23:35:35 +0100 Julien Cristau jcris...@debian.org пишет: On Sat, Dec 1, 2012 at 14:02:30 +0100, Julien Cristau wrote: I would much prefer if this was a 5.2.6+dfsg-7 version, uploaded to sid, and including only the approved changes, rather than a direct upload to testing. Ping? pong. I'm sorry for delay, will rework 5.2.6+dfsg-2+deb7u1 into 5.2.6+dfsg-7 until end of week. Cheers, Julien -- with best regards, Alexander Golovko email: alexan...@ankalagon.ru xmpp: alexan...@ankalagon.ru signature.asc Description: PGP signature
Bug#689003: unblock: bacula/5.2.6+dfsg-5
On Mon, Nov 26, 2012 at 01:24:19 +0400, Alexander Golovko wrote: Sorry, i don't see any reply. I prepare package for wheezy, changelog here: http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=blob;f=debian/changelog;h=56223bdd477cd7a52770eae92cfc5d1c857dea27;hb=wheezy i try to make each changelog record as separate commit with clean description: http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=shortlog;h=refs/heads/wheezy If i has not a mess, than all changes except one was accepted. I didn't get final reply about #556207 (see inline). I thought it was clear I'm not convinced this change is suitable. Please drop it. And i have yet another question - there was a non-maintainer upload. What package version should be now? I would much prefer if this was a 5.2.6+dfsg-7 version, uploaded to sid, and including only the approved changes, rather than a direct upload to testing. Cheers, Julien signature.asc Description: Digital signature
Bug#689003: unblock: bacula/5.2.6+dfsg-5
Sorry, i don't see any reply. I prepare package for wheezy, changelog here: http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=blob;f=debian/changelog;h=56223bdd477cd7a52770eae92cfc5d1c857dea27;hb=wheezy i try to make each changelog record as separate commit with clean description: http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=shortlog;h=refs/heads/wheezy If i has not a mess, than all changes except one was accepted. I didn't get final reply about #556207 (see inline). And i have yet another question - there was a non-maintainer upload. What package version should be now? В Fri, 9 Nov 2012 10:12:29 +0400 Alexander Golovko alexan...@ankalagon.ru пишет: В Thu, 8 Nov 2012 23:10:46 +0100 Julien Cristau jcris...@debian.org пишет: On Fri, Nov 9, 2012 at 01:07:18 +0400, Alexander Golovko wrote: bacula daemons SIGSEGV handler can call gdb for save some useful (for developers) info about process (stack for all threads and other). Gdb called with bacula user privileges, but files in /proc/pid/ owned by root and gdb can't get info about process. This is subject of bug #556207. Or you could just let the kernel get you a core file with all the info you would want. Yes, coredump will be enough and in some cases it required for solve problem. But it contain some information, such a passwords, that 1. make impossible coredump publication 2. require password changing even after privately sending coredump to developers due to possibility of passwords leakage. But thank you for attention to this moment, there is a bacula bug - daemons don't create coredumps on such signals, i will send bugreport to upstream. 1. we can't get coredump for bacula daemons http://bugs.bacula.org/view.php?id=1949 2. Upstream declare, that backtrace output enough for bugreports about crashes. I'm sorry, but I don't think this is worthy of breaking the freeze. Yes, user still must install -dbg packages before this will work, but this is not so hard work for them as manually changing init scripts. Seriously, editing a shell script, hard work? Seriously, user must know, what to change before edit shell script. I can add this to documentation, but will not be this poinlessly? -- with best regards, Alexander Golovko email: alexan...@ankalagon.ru xmpp: alexan...@ankalagon.ru signature.asc Description: PGP signature
Bug#689003: unblock: bacula/5.2.6+dfsg-5
В Wed, 7 Nov 2012 18:35:44 +0100 Moritz Muehlenhoff j...@inutil.org пишет: On Wed, Oct 24, 2012 at 06:28:47PM +0200, Moritz Muehlenhoff wrote: [..] Alexander, what's the status? I am sorry for delay! Most of changes prepared with clean commits, but i still need reply to question about systemd changes: 3. fix daemons user/group on systems with systemd (Closes: #679958). delegate daemons uid/gid changing to start-stop-daemon or systemd, thanks to Matija Nalis (Closes: #556207). This changes are related and intersected. First commit reverted by last. http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=d077cd3c71734828b635f8605c8411f6cd86b6f6 http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=cf9eb640182f4adfd83d05954dc35a20b60170c1 http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=694b788e0f82a734ca98bb0930a97432240c7fe8 Upstream already much time (at least since 2010, Oct) use start-stop-daemon for change daemons uid/gid in their variant of init scripts. Our patch for uid/gid changing by systemd was already accepted into upstream. The big problem, that without this change user can't simply get backtraces on daemons crashes. This backtraces required for some bugreport to upstream. Meh. Can't the systemd files be simply removed? If this doesn't affect sysvinit systems I would prefer not to bother. Hmm. But systemd service files was added to package in 5.2.6+dfsg-1 via bug #624532. And patch for fix them is trivial. Apparently not so trivial, since it needs a fixup now. I would rather not see a change that affects all paths to fix something for the .1% of users that run systemd. ohh. i think, that will be better to split explanation of this change into two parts. First - changes in sysvinit scripts. Instead of run daemons as root and pass options for chuid we allow start-stop-daemon to run it as non-root. This is what do upstream and without this fix we have a problems with getting backtraces on daemons crashes. Second - changes in systemd service files. In 5.2.6+dfsg-1 our team add this files into packages, but unfortunely, they was shipped with incorrect (empty) uid/gid in them. So, for systemd service files was fixed two problems: a) Change daemons uid/gid by systemd, as do sysvinit scripts. This is separate patch [1] for simplicity sending it to upstream (already accepted by upstream) b) Fixing incorrect uid/gid. Due to limitation of upstream build system we can't use build options and hardcore uid/gid by patch [2] [1] http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=blob;f=debian/patches/delegate-chuid-to-systemd.patch [2] http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=blob;f=debian/patches/fix-systemd-daemon-user-group.patch As i understand, your opinion is that will be better do not ship systemd service files at all, but include changes in sysvinit scripts? -- with best regards, Alexander Golovko email: alexan...@ankalagon.ru xmpp: alexan...@ankalagon.ru signature.asc Description: PGP signature
Bug#689003: unblock: bacula/5.2.6+dfsg-5
On Thu, Nov 8, 2012 at 13:26:33 +0400, Alexander Golovko wrote: ohh. i think, that will be better to split explanation of this change into two parts. First - changes in sysvinit scripts. Instead of run daemons as root and pass options for chuid we allow start-stop-daemon to run it as non-root. This is what do upstream and without this fix we have a problems with getting backtraces on daemons crashes. That doesn't sound like freeze material to me, as the current scripts work. I don't understand your comment about backtraces. Second - changes in systemd service files. In 5.2.6+dfsg-1 our team add this files into packages, but unfortunely, they was shipped with incorrect (empty) uid/gid in them. So, for systemd service files was fixed two problems: a) Change daemons uid/gid by systemd, as do sysvinit scripts. This is separate patch [1] for simplicity sending it to upstream (already accepted by upstream) b) Fixing incorrect uid/gid. Due to limitation of upstream build system we can't use build options and hardcore uid/gid by patch [2] [1] http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=blob;f=debian/patches/delegate-chuid-to-systemd.patch [2] http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=blob;f=debian/patches/fix-systemd-daemon-user-group.patch As i understand, your opinion is that will be better do not ship systemd service files at all, but include changes in sysvinit scripts? I don't think that reflects my opinion. My understanding is that the current init script works, and if that is true then the current init script doesn't need to be changed. I don't particularly care what happens to the systemd files, though if the current ones don't work then I'd kinda prefer to see them go away rather than get more changes. Cheers, Julien signature.asc Description: Digital signature
Bug#689003: unblock: bacula/5.2.6+dfsg-5
В Thu, 8 Nov 2012 19:45:00 +0100 Julien Cristau jcris...@debian.org пишет: On Thu, Nov 8, 2012 at 13:26:33 +0400, Alexander Golovko wrote: ohh. i think, that will be better to split explanation of this change into two parts. First - changes in sysvinit scripts. Instead of run daemons as root and pass options for chuid we allow start-stop-daemon to run it as non-root. This is what do upstream and without this fix we have a problems with getting backtraces on daemons crashes. That doesn't sound like freeze material to me, as the current scripts work. I don't understand your comment about backtraces. bacula daemons SIGSEGV handler can call gdb for save some useful (for developers) info about process (stack for all threads and other). Gdb called with bacula user privileges, but files in /proc/pid/ owned by root and gdb can't get info about process. This is subject of bug #556207. Yes, user still must install -dbg packages before this will work, but this is not so hard work for them as manually changing init scripts. Second - changes in systemd service files. In 5.2.6+dfsg-1 our team add this files into packages, but unfortunely, they was shipped with incorrect (empty) uid/gid in them. So, for systemd service files was fixed two problems: a) Change daemons uid/gid by systemd, as do sysvinit scripts. This is separate patch [1] for simplicity sending it to upstream (already accepted by upstream) b) Fixing incorrect uid/gid. Due to limitation of upstream build system we can't use build options and hardcore uid/gid by patch [2] [1] http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=blob;f=debian/patches/delegate-chuid-to-systemd.patch [2] http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=blob;f=debian/patches/fix-systemd-daemon-user-group.patch As i understand, your opinion is that will be better do not ship systemd service files at all, but include changes in sysvinit scripts? I don't think that reflects my opinion. My understanding is that the current init script works, and if that is true then the current init script doesn't need to be changed. Current init scripts work, but have a bug, as described above. I don't particularly care what happens to the systemd files, though if the current ones don't work then I'd kinda prefer to see them go away rather than get more changes. Hmm, but if users want worked systemd files (#679958), is it really prefer to drop systemd support over fix problem? -- with best regards, Alexander Golovko email: alexan...@ankalagon.ru xmpp: alexan...@ankalagon.ru signature.asc Description: PGP signature
Bug#689003: unblock: bacula/5.2.6+dfsg-5
On Fri, Nov 9, 2012 at 01:07:18 +0400, Alexander Golovko wrote: bacula daemons SIGSEGV handler can call gdb for save some useful (for developers) info about process (stack for all threads and other). Gdb called with bacula user privileges, but files in /proc/pid/ owned by root and gdb can't get info about process. This is subject of bug #556207. Or you could just let the kernel get you a core file with all the info you would want. I'm sorry, but I don't think this is worthy of breaking the freeze. Yes, user still must install -dbg packages before this will work, but this is not so hard work for them as manually changing init scripts. Seriously, editing a shell script, hard work? [...] Hmm, but if users want worked systemd files (#679958), is it really prefer to drop systemd support over fix problem? We're frozen. Cheers, Julien signature.asc Description: Digital signature
Bug#689003: unblock: bacula/5.2.6+dfsg-5
В Thu, 8 Nov 2012 23:10:46 +0100 Julien Cristau jcris...@debian.org пишет: On Fri, Nov 9, 2012 at 01:07:18 +0400, Alexander Golovko wrote: bacula daemons SIGSEGV handler can call gdb for save some useful (for developers) info about process (stack for all threads and other). Gdb called with bacula user privileges, but files in /proc/pid/ owned by root and gdb can't get info about process. This is subject of bug #556207. Or you could just let the kernel get you a core file with all the info you would want. Yes, coredump will be enough and in some cases it required for solve problem. But it contain some information, such a passwords, that 1. make impossible coredump publication 2. require password changing even after privately sending coredump to developers due to possibility of passwords leakage. But thank you for attention to this moment, there is a bacula bug - daemons don't create coredumps on such signals, i will send bugreport to upstream. I'm sorry, but I don't think this is worthy of breaking the freeze. Yes, user still must install -dbg packages before this will work, but this is not so hard work for them as manually changing init scripts. Seriously, editing a shell script, hard work? [...] Hmm, but if users want worked systemd files (#679958), is it really prefer to drop systemd support over fix problem? We're frozen. ok, i understand you and will remove this files -- with best regards, Alexander Golovko email: alexan...@ankalagon.ru xmpp: alexan...@ankalagon.ru signature.asc Description: PGP signature
Bug#689003: unblock: bacula/5.2.6+dfsg-5
On Wed, Oct 24, 2012 at 06:28:47PM +0200, Moritz Muehlenhoff wrote: On Wed, Oct 10, 2012 at 12:42:42AM +0400, Alexander Golovko wrote: Upstream recommend do not use hardening for bacula, so we have 71 lintian warning about this fact. In git master branch this warnings was hidden by adding lintian-overrides. This is cosmetic change and should not present in next upload, intended for wheezy? Cosmetic changes should be avoided during the freeze, yes. What is the best way to prepare package without rejected changes? Should i upload new package into sid and reopen bugs with rejected fixes or i should upload it directly (but how?) into wheezy? Use 5.2.6+dfsg-2+deb7u1 as the version number and upload as described here: http://www.debian.org/doc/manuals/developers-reference/pkgs.html#t-p-u Alexander, what's the status? Cheers, Moritz -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#689003: unblock: bacula/5.2.6+dfsg-5
On Wed, Oct 10, 2012 at 12:42:42AM +0400, Alexander Golovko wrote: Upstream recommend do not use hardening for bacula, so we have 71 lintian warning about this fact. In git master branch this warnings was hidden by adding lintian-overrides. This is cosmetic change and should not present in next upload, intended for wheezy? Cosmetic changes should be avoided during the freeze, yes. What is the best way to prepare package without rejected changes? Should i upload new package into sid and reopen bugs with rejected fixes or i should upload it directly (but how?) into wheezy? Use 5.2.6+dfsg-2+deb7u1 as the version number and upload as described here: http://www.debian.org/doc/manuals/developers-reference/pkgs.html#t-p-u Cheers, Moritz -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#689003: unblock: bacula/5.2.6+dfsg-5
В Mon, 08 Oct 2012 14:26:08 +0200 Mehdi Dogguy me...@dogguy.org пишет: On 28/09/2012 07:57, Alexander Golovko wrote: Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Hi! Please unblock bacula-* packages, it fixes multiple bugs, include CVE-2012-4430, crashes and debian policy violations: #687923 - security issue CVE-2012-4430 #688732 - bacula-fd save only first xattr on file #682733 - unowned files after purge #680051 - switch between bacula-director-dbtype #679958 - incorrect systemd service file Fix unsafe bacula-director passwords. Fix bacula-fd crash on saving xattr on btrfs. Ok, I don't feel comfortable with all these packaging changes. I don't think I'm going to unblock this package. Could you prepare an upload to t-p-u please? #687923, #682733, #679958, Fix unsafe bacula-director passwords look okay. For the others, please show minimal separate patches if you want to include them. I can try to remove some patches, but i'm afraid, that completely rework changes will be very hard. I list all changes (except #687923, #682733, #679958, Fix unsafe bacula-director passwords) with links to commits and additional description. Please say, which of changes can be included and which not. Sorry for this abuse. 1. Build packages for all database types in the same time, not a separate process for sqlite3, mysql and pgsql. http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=1ca440fc3758a28fdcd17c05aa24f724934dbc5f This change affect only package building process. It was thoroughly checked, that binary packages changed not more, than on rebuild from the same sources. This change make build process much more clear and less differ from standard debhelper. I'm afraid, that unaccepting this change will lead to requirement of very hard reworking some other changes. Another argument for accept this change is that this change will be one of first candidate for post-wheezy and we will need support two different solutions - for stable wheezy and current. 2. Save all file xattrs, not only first (Closes: #688732), Fix bacula-fd crash on saving xattr on btrfs. http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=455622199fb46805cd11f69630279af5987c0bb2 http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=d7bb353b616c6221684ffc81cbfe2c885a1dab81 It is a regression since squeeze. Squeeze shipped with previous major version of bacula. There are a big commits, but however this is only adding upstream patch. I'm think, there is important bugfix. 3. fix daemons user/group on systems with systemd (Closes: #679958). delegate daemons uid/gid changing to start-stop-daemon or systemd, thanks to Matija Nalis (Closes: #556207). This changes are related and intersected. First commit reverted by last. http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=d077cd3c71734828b635f8605c8411f6cd86b6f6 http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=cf9eb640182f4adfd83d05954dc35a20b60170c1 http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=694b788e0f82a734ca98bb0930a97432240c7fe8 Upstream already much time (at least since 2010, Oct) use start-stop-daemon for change daemons uid/gid in their variant of init scripts. Our patch for uid/gid changing by systemd was already accepted into upstream. The big problem, that without this change user can't simply get backtraces on daemons crashes. This backtraces required for some bugreport to upstream. 4. fix waiting for real daemon stopping (Closes: #684744). remove unused code from bacula-director init script. http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=ef0c7b8b1ee7060decff3b4757bfb512c11bb98a http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=d4052cfbafbcb1718b687886a7b01198f06fb0a1 http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=037b600ebfec34b6d48adcbfa08580276e188d0b First commit is bug fix, last is only adding info into changelog. Second commit is not required, but always better, when init scripts make the same tasks by the same methods. 5. Add build-depends for read-all capability support (Closes: #683080). capabilities is linux-only feature. disable it for non-linux platforms, add information, that capabilities is linux-only feature. Add information about file daemon without root privileges. http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=c6b51c2c010ae82f73d8cdce2eecbfbe52e6bbec http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=74198182c2fa9e2567077356e345ff5251e26bf1 http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=6e1fab3c304fa73b9c6801a07290ce48b7cadb24 Yes, this is, of-course, new feature. But maybe fact, that this change can improve Debian security and will be very useful for Debian System Administration Team will be enough for accept this
Bug#689003: unblock: bacula/5.2.6+dfsg-5
On Tue, Oct 9, 2012 at 13:17:23 +0400, Alexander Golovko wrote: 1. Build packages for all database types in the same time, not a separate process for sqlite3, mysql and pgsql. http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=1ca440fc3758a28fdcd17c05aa24f724934dbc5f nak. 2. Save all file xattrs, not only first (Closes: #688732), Fix bacula-fd crash on saving xattr on btrfs. http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=455622199fb46805cd11f69630279af5987c0bb2 http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=d7bb353b616c6221684ffc81cbfe2c885a1dab81 It is a regression since squeeze. Squeeze shipped with previous major version of bacula. There are a big commits, but however this is only adding upstream patch. I'm think, there is important bugfix. I would tend to agree. 3. fix daemons user/group on systems with systemd (Closes: #679958). delegate daemons uid/gid changing to start-stop-daemon or systemd, thanks to Matija Nalis (Closes: #556207). This changes are related and intersected. First commit reverted by last. http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=d077cd3c71734828b635f8605c8411f6cd86b6f6 http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=cf9eb640182f4adfd83d05954dc35a20b60170c1 http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=694b788e0f82a734ca98bb0930a97432240c7fe8 Upstream already much time (at least since 2010, Oct) use start-stop-daemon for change daemons uid/gid in their variant of init scripts. Our patch for uid/gid changing by systemd was already accepted into upstream. The big problem, that without this change user can't simply get backtraces on daemons crashes. This backtraces required for some bugreport to upstream. Meh. Can't the systemd files be simply removed? If this doesn't affect sysvinit systems I would prefer not to bother. 4. fix waiting for real daemon stopping (Closes: #684744). remove unused code from bacula-director init script. ack. 5. Add build-depends for read-all capability support (Closes: #683080). A bit nervous about this one. How much has this been tested, and how likely is it to affect unrelated features? 6. don't remove bacula user on package purging (details in bug 621833). ack. 7. fix files left after packages purge (thanks to piuparts). ack. 8. make package purging more careful about users files. Don't really see the point of this one. Purging means purging. 9. fix bacula log directory (Closes: #684203). ack. 10. force /etc/defaults/bacula-dir reregistration in ucf when changing bacula-director database type, fix purging after this (Closes: #680051). Not sure about this, would appreciate advice from somebody who knows ucf. 11. switch to /run directory nak. 12. Fix impossibility to run out-of-box scripts make_mysql_tables and update_mysql_tables scripts, shipped with package (#679855). Are these scripts ever run automatically by the package? 13. switch from usermod to more debian-policy friendly adduser. Unless this is fixing an actual bug, nak. 14. fix hostname substitution (Closes: #682966). Doesn't seem critical? 15. add bacula into cdrom group (Closes: #520508). Same here, I'd say defer to wheezy+1. 16. Cleanup list of linked libraries. nak. 17. Add build-depends for LZO support. nak. 16. Improve the use of English (thanks to debian-l10n-english team). I guess this should be ok... Cheers, Julien signature.asc Description: Digital signature
Bug#689003: unblock: bacula/5.2.6+dfsg-5
В Tue, 9 Oct 2012 12:32:07 +0200 Julien Cristau jcris...@debian.org пишет: On Tue, Oct 9, 2012 at 13:17:23 +0400, Alexander Golovko wrote: 1. Build packages for all database types in the same time, not a separate process for sqlite3, mysql and pgsql. http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=1ca440fc3758a28fdcd17c05aa24f724934dbc5f nak. I try to convince you again, if you don't mind. Benefits for our team: Package building is faster. It was start, wait, make something, look, wait, look, wait, forget, remember only after some time :( It was really annoying and significantly slow my work. Package building process is much clear. Anybody other can help us if he has basic knowledge about debhelper. With old variant d/rules is more hard for understanding. Also this change i test very-very deep. I compare packages, built from sources with and without this change. Comparison include non-elf files by content, where point symlinks, list of linked libraries for elf files and buildlogs for anomaly differences in flags. There was one of my most tested changes. I really can promise, that this change not affect anything in binary packages. I hope, if this arguments will enough for allow exclusion and accept this change. 3. fix daemons user/group on systems with systemd (Closes: #679958). delegate daemons uid/gid changing to start-stop-daemon or systemd, thanks to Matija Nalis (Closes: #556207). This changes are related and intersected. First commit reverted by last. http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=d077cd3c71734828b635f8605c8411f6cd86b6f6 http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=cf9eb640182f4adfd83d05954dc35a20b60170c1 http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=694b788e0f82a734ca98bb0930a97432240c7fe8 Upstream already much time (at least since 2010, Oct) use start-stop-daemon for change daemons uid/gid in their variant of init scripts. Our patch for uid/gid changing by systemd was already accepted into upstream. The big problem, that without this change user can't simply get backtraces on daemons crashes. This backtraces required for some bugreport to upstream. Meh. Can't the systemd files be simply removed? If this doesn't affect sysvinit systems I would prefer not to bother. Hmm. But systemd service files was added to package in 5.2.6+dfsg-1 via bug #624532. And patch for fix them is trivial. 5. Add build-depends for read-all capability support (Closes: #683080). A bit nervous about this one. How much has this been tested, and how likely is it to affect unrelated features? There are only one difference between packages built with and without capabilities support in src/lib/priv.c on lines 110-132. http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=blob;f=src/lib/priv.c;h=cfa4ec768970df40c3baea3f9d87831e761b7735;hb=52609e79da8df27cb68918acd074bff4af7cceb0 If binaries built without capabilities, than bacula-fd will return error Keep readall caps not implemented when user try to use it. If user start bacula without flags for enabling cap usage (default), then the same code will be executed in both binaries - with or without cap support. This change should not affect to anything other. 8. make package purging more careful about users files. Don't really see the point of this one. Purging means purging. actually, this is a difference from squeeze behavior for bacula-director packages. Revert anyway? 10. force /etc/defaults/bacula-dir reregistration in ucf when changing bacula-director database type, fix purging after this (Closes: #680051). Not sure about this, would appreciate advice from somebody who knows ucf. 11. switch to /run directory nak. Ok. i revert it. 12. Fix impossibility to run out-of-box scripts make_mysql_tables and update_mysql_tables scripts, shipped with package (#679855). Are these scripts ever run automatically by the package? No, scripts (dbconfig-common) use other files, generated on build time. This files intended for users, who don't want or can't use dbconfig for database population. 13. switch from usermod to more debian-policy friendly adduser. Unless this is fixing an actual bug, nak. Ok, i revert it. 14. fix hostname substitution (Closes: #682966). Doesn't seem critical? It is not critical for package installation. But this changes will do all users immediately after first package installation. 15. add bacula into cdrom group (Closes: #520508). Same here, I'd say defer to wheezy+1. Ok, i revert it. 16. Cleanup list of linked libraries. nak. Maybe i incorrect worded this change. This change remove unused libraries (no symbols from library used) from list of linked libraries. From ld documentation: --as-needed causes DT_NEEDED tags to only be emitted for libraries that satisfy some symbol
Bug#689003: unblock: bacula/5.2.6+dfsg-5
On Tue, Oct 9, 2012 at 17:56:47 +0400, Alexander Golovko wrote: В Tue, 9 Oct 2012 12:32:07 +0200 Julien Cristau jcris...@debian.org пишет: On Tue, Oct 9, 2012 at 13:17:23 +0400, Alexander Golovko wrote: 1. Build packages for all database types in the same time, not a separate process for sqlite3, mysql and pgsql. http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=1ca440fc3758a28fdcd17c05aa24f724934dbc5f nak. I try to convince you again, if you don't mind. ok, I guess I'll take your word for it. 3. fix daemons user/group on systems with systemd (Closes: #679958). delegate daemons uid/gid changing to start-stop-daemon or systemd, thanks to Matija Nalis (Closes: #556207). This changes are related and intersected. First commit reverted by last. http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=d077cd3c71734828b635f8605c8411f6cd86b6f6 http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=cf9eb640182f4adfd83d05954dc35a20b60170c1 http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=694b788e0f82a734ca98bb0930a97432240c7fe8 Upstream already much time (at least since 2010, Oct) use start-stop-daemon for change daemons uid/gid in their variant of init scripts. Our patch for uid/gid changing by systemd was already accepted into upstream. The big problem, that without this change user can't simply get backtraces on daemons crashes. This backtraces required for some bugreport to upstream. Meh. Can't the systemd files be simply removed? If this doesn't affect sysvinit systems I would prefer not to bother. Hmm. But systemd service files was added to package in 5.2.6+dfsg-1 via bug #624532. And patch for fix them is trivial. Apparently not so trivial, since it needs a fixup now. I would rather not see a change that affects all paths to fix something for the .1% of users that run systemd. 5. Add build-depends for read-all capability support (Closes: #683080). A bit nervous about this one. How much has this been tested, and how likely is it to affect unrelated features? There are only one difference between packages built with and without capabilities support in src/lib/priv.c on lines 110-132. http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=blob;f=src/lib/priv.c;h=cfa4ec768970df40c3baea3f9d87831e761b7735;hb=52609e79da8df27cb68918acd074bff4af7cceb0 If binaries built without capabilities, than bacula-fd will return error Keep readall caps not implemented when user try to use it. If user start bacula without flags for enabling cap usage (default), then the same code will be executed in both binaries - with or without cap support. This change should not affect to anything other. ok, fine. 8. make package purging more careful about users files. Don't really see the point of this one. Purging means purging. actually, this is a difference from squeeze behavior for bacula-director packages. Revert anyway? That would be my preference, yes. 12. Fix impossibility to run out-of-box scripts make_mysql_tables and update_mysql_tables scripts, shipped with package (#679855). Are these scripts ever run automatically by the package? No, scripts (dbconfig-common) use other files, generated on build time. This files intended for users, who don't want or can't use dbconfig for database population. ok. don't have a strong opinion about it then, feel free to keep it. 14. fix hostname substitution (Closes: #682966). Doesn't seem critical? It is not critical for package installation. But this changes will do all users immediately after first package installation. ok. as for 12, no strong opinion. 16. Cleanup list of linked libraries. nak. Maybe i incorrect worded this change. This change remove unused libraries (no symbols from library used) from list of linked libraries. I know what --as-needed does. It's essentially cosmetic, not appropriate during the freeze. And the next question. Currently bacula can't built on hurd platforms. Should i include fix for this problem into next upload, intended for wheezy or not? If the patch is small and obvious enough why not, but hurd won't make wheezy so it's not really needed from our perspective. Thanks for your work. Cheers, Julien signature.asc Description: Digital signature
Bug#689003: unblock: bacula/5.2.6+dfsg-5
В Tue, 9 Oct 2012 19:50:04 +0200 Julien Cristau jcris...@debian.org пишет: On Tue, Oct 9, 2012 at 17:56:47 +0400, Alexander Golovko wrote: В Tue, 9 Oct 2012 12:32:07 +0200 Julien Cristau jcris...@debian.org пишет: On Tue, Oct 9, 2012 at 13:17:23 +0400, Alexander Golovko wrote: 1. Build packages for all database types in the same time, not a separate process for sqlite3, mysql and pgsql. http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=1ca440fc3758a28fdcd17c05aa24f724934dbc5f nak. I try to convince you again, if you don't mind. ok, I guess I'll take your word for it. i'm sorry for my english, but what you mean? That you allow this change or that it rejected and i should not continue try to change you opinion? 3. fix daemons user/group on systems with systemd (Closes: #679958). delegate daemons uid/gid changing to start-stop-daemon or systemd, thanks to Matija Nalis (Closes: #556207). This changes are related and intersected. First commit reverted by last. http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=d077cd3c71734828b635f8605c8411f6cd86b6f6 http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=cf9eb640182f4adfd83d05954dc35a20b60170c1 http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=694b788e0f82a734ca98bb0930a97432240c7fe8 Upstream already much time (at least since 2010, Oct) use start-stop-daemon for change daemons uid/gid in their variant of init scripts. Our patch for uid/gid changing by systemd was already accepted into upstream. The big problem, that without this change user can't simply get backtraces on daemons crashes. This backtraces required for some bugreport to upstream. Meh. Can't the systemd files be simply removed? If this doesn't affect sysvinit systems I would prefer not to bother. Hmm. But systemd service files was added to package in 5.2.6+dfsg-1 via bug #624532. And patch for fix them is trivial. Apparently not so trivial, since it needs a fixup now. I would rather not see a change that affects all paths to fix something for the .1% of users that run systemd. ohh. i think, that will be better to split explanation of this change into two parts. First - changes in sysvinit scripts. Instead of run daemons as root and pass options for chuid we allow start-stop-daemon to run it as non-root. This is what do upstream and without this fix we have a problems with getting backtraces on daemons crashes. Second - changes in systemd service files. In 5.2.6+dfsg-1 our team add this files into packages, but unfortunely, they was shipped with incorrect (empty) uid/gid in them. So, for systemd service files was fixed two problems: a) Change daemons uid/gid by systemd, as do sysvinit scripts. This is separate patch [1] for simplicity sending it to upstream (already accepted by upstream) b) Fixing incorrect uid/gid. Due to limitation of upstream build system we can't use build options and hardcore uid/gid by patch [2] [1] http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=blob;f=debian/patches/delegate-chuid-to-systemd.patch [2] http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=blob;f=debian/patches/fix-systemd-daemon-user-group.patch As i understand, your opinion is that will be better do not ship systemd service files at all, but include changes in sysvinit scripts? 8. make package purging more careful about users files. Don't really see the point of this one. Purging means purging. actually, this is a difference from squeeze behavior for bacula-director packages. Revert anyway? That would be my preference, yes. ok. i revert it. 16. Cleanup list of linked libraries. nak. Maybe i incorrect worded this change. This change remove unused libraries (no symbols from library used) from list of linked libraries. I know what --as-needed does. It's essentially cosmetic, not appropriate during the freeze. ok. i revert it. And the next question. Currently bacula can't built on hurd platforms. Should i include fix for this problem into next upload, intended for wheezy or not? If the patch is small and obvious enough why not, but hurd won't make wheezy so it's not really needed from our perspective. In fact this is depend on upstream. There was a little changes in package (disabled acl, xattr and mtx on this platform) and i wait while upstream fix problems with maximum path length on this platform. I will ask this additionally, when upstream prepare patch. Upstream recommend do not use hardening for bacula, so we have 71 lintian warning about this fact. In git master branch this warnings was hidden by adding lintian-overrides. This is cosmetic change and should not present in next upload, intended for wheezy? What is the best way to prepare package without rejected changes?
Bug#689003: unblock: bacula/5.2.6+dfsg-5
On 28/09/2012 07:57, Alexander Golovko wrote: Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Hi! Please unblock bacula-* packages, it fixes multiple bugs, include CVE-2012-4430, crashes and debian policy violations: #687923 - security issue CVE-2012-4430 #688732 - bacula-fd save only first xattr on file #682733 - unowned files after purge #680051 - switch between bacula-director-dbtype #679958 - incorrect systemd service file Fix unsafe bacula-director passwords. Fix bacula-fd crash on saving xattr on btrfs. Ok, I don't feel comfortable with all these packaging changes. I don't think I'm going to unblock this package. Could you prepare an upload to t-p-u please? #687923, #682733, #679958, Fix unsafe bacula-director passwords look okay. For the others, please show minimal separate patches if you want to include them. Regards, -- Mehdi Dogguy مهدي الدڤي -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#689003: unblock: bacula/5.2.6+dfsg-5
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Hi! Please unblock bacula-* packages, it fixes multiple bugs, include CVE-2012-4430, crashes and debian policy violations: #687923 - security issue CVE-2012-4430 #688732 - bacula-fd save only first xattr on file #682733 - unowned files after purge #680051 - switch between bacula-director-dbtype #679958 - incorrect systemd service file Fix unsafe bacula-director passwords. Fix bacula-fd crash on saving xattr on btrfs. Also new version include useful for DSA team [1] security improvement - ability to run bacula-fd without root privileges (#683080) There are also other changes in packages, i don't know need you see more detailed description about this changes. Most of them are not so important bugfixes, as listed above and several minor wishlistes, that should not affect to stability. Thank you very much! [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683080#75 unblock bacula/5.2.6+dfsg-5 -- with best regards, Alexander Golovko email: alexan...@ankalagon.ru xmpp: alexan...@ankalagon.ru signature.asc Description: PGP signature
Bug#689003: unblock: bacula/5.2.6+dfsg-5
Quoting Alexander Golovko (alexan...@ankalagon.ru): Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Hi! Please unblock bacula-* packages, it fixes multiple bugs, include CVE-2012-4430, crashes and debian policy violations: #687923 - security issue CVE-2012-4430 #688732 - bacula-fd save only first xattr on file #682733 - unowned files after purge #680051 - switch between bacula-director-dbtype #679958 - incorrect systemd service file Fix unsafe bacula-director passwords. Fix bacula-fd crash on saving xattr on btrfs. Also new version include useful for DSA team [1] security improvement - ability to run bacula-fd without root privileges (#683080) There are also other changes in packages, i don't know need you see more detailed description about this changes. Most of them are not so important bugfixes, as listed above and several minor wishlistes, that should not affect to stability. Thank you very much! [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683080#75 unblock bacula/5.2.6+dfsg-5 Among other things, that would break completeness for l10n in testing. OK, admitedly, we have a running update round but nothing at this point guarantees me that l10n updates will be accepted eternally by the release team. At some point, even those will be blocked. And I don't want to risk blocking one of the i18n team goals. My understanding was that the debconf changes you had in unstable were *not* meant for wheezy. So, it seems that this release mixes release-critical fixes and non critical fixes. Therefore, and even though my advice is onlyan advice...as I'm not a release team member, I would like to object to this unblock. Given that bacula version in unstable now implements the non critical fixes, I guess that your only option is uploading them through testing-proposed-updates, if the release team doesn't grant the unblock. signature.asc Description: Digital signature