Bug#821408: Pam 1.3.0

[Florian Vessaz]

Hello Steve and Andreas,

On Thu, Jan 24, 2019 at 12:10:18AM +0100, Florian Vessaz wrote:
[...]
> I'll take the time to review those differences tomorrow or Friday night.

I compared the two branches:

 [a] https://gitlab.gnugen.ch:fvessaz/pkg-pam.git ah/master
 [b] https://salsa.debian.org/ah/pam.git master

The differences I observed are:

- Changelog entry for version 1.3.1-1 are different, the one in [b]
  looks better to me.

- [a] contains patches metadata (author, date) retrieved from VCS
  history or BTS while [b] does not.

- In patches/007_modules_pam_unix, [b] is is not adding the "obscure"
  argument which gates the functionality added by that same patch.

- In patches/055_pam_unix_nullok_secure, [a] adds the "int nullok =
  off(UNIX__NONULL, ctrl);" at the tail of the list of already present
  declarations at the start of the if block while [b] adds it at the
  top. As far as I can tell, both versions have the same result and
  there is no apparent advantage of one over the other:

  [a] static char *envp[] = { NULL };
  const char *args[] = { NULL, NULL, NULL, NULL };
  int nullok = off(UNIX__NONULL, ctrl);

  [b] int nullok = off(UNIX__NONULL, ctrl);
  static char *envp[] = { NULL };
  const char *args[] = { NULL, NULL, NULL, NULL };

  Another difference is that [a] does not use an implicit declaration of
  _pammodutil_tty_secure. [b] is thus triggering an additional implicit
  declaration warning during the build.

  Finally, it appears that [b] was not adapted to the change made
  upstream to how unix_args is defined in modules/pam_unix/support.h.

- In patches/PAM-manpage-section, [a] is doing pam.8.xml -> pam.7 ->
  PAM.7 while [b] is doing pam.8.xml -> pam.8 -> PAM.7. Same result in
  both cases.

  I updated [a] to do as [b] since [b] is changing less lines for the
  same result. Thus, at the time you are reading this e-mail, this
  difference will not be present.

- patches/cve-2010-4708.patch is still included in [b] while upstream
  settled the issue in pam 1.1.3. As the patch description does not
  provide any argument for keeping it despite upstream settling the
  issue, [a] dropped it. If it is preferred to keep the patch, in my
  opinion the patch description should mention the reason.

- In patches/make_documentation_reproducible.patch [a] uses
  "LC_ALL=C.UTF-8" while [b] uses "LC_ALL=C". Usage of "LC_ALL=C.UTF-8"
  was introduced by 4b9ee4f1ec73d87668ce40f0a362ecbc58159d9f.

- In patches/update-motd [a] clarifies a sentence.

Please let me know if my branch should be updated, I can take the time
to do so if I receive feedback. And don't hesitate to replace my commit
with the changelog entry.

Thank you,
-- Florian


signature.asc
Description: PGP signature

Bug#821408: Pam 1.3.0

[Florian Vessaz]

Hello Andreas and Steve,

On Wed, Jan 23, 2019 at 01:29:07PM +0100, Andreas Henriksson wrote:
> Hello Florian and Steve,
> 
> On Tue, Jan 22, 2019 at 02:40:00PM -0800, Steve Langasek wrote:
> > On Tue, Jan 22, 2019 at 09:12:31PM +0100, Florian Vessaz wrote:
> > > We've got no reply from the current maintainers to this bug report since
> > > the approximately 2 and a half years it has been opened. I thus think
> > > it's safe to presume the current maintainers have no interest in keeping
> > > PAM up-to-date in Debian.
> 
> Sorry for not having found time to look at this. I'm still very
> interested in seeing improvements on the PAM side, I'm just very short
> on spare time.
> 
> FWIW I think the chance for getting changes into buster has most likely
> passed already. Atleast I wouldn't feel comfortable introducing alot
> of changes this late in the release cycle. I think it's better to target
> experimental now and then upload to unstable early in the bullseye
> cycle.

I'll see what happens when Buster is released, but it currently appears
to me that not having a reasonably up-to-date version of PAM available
might, for me, be a deal breaker that will make me reconsider my usage
and support of Debian.

> > Wow, that's an incredible conclusion less than 2 weeks after a maintainer
> > upload.
> > 
[...]
> > (I appreciate your past efforts to handle this migration, but in your own
> > words "the history of the packaging is not pretty" and I was unwilling to
> > accept an incomplete history of the packaging.)
> 
> Thanks for joining the discussion. I'm sure we can elaborate eternally
> on our definitions of "properly maintaining" and the tradeoffs between
> pretty git histories and having users suffer the consequenses of
> the outstanding bugs for yet another release cycle, but lets proceed
> to something more productive.

Thank you for joining, I'm glad that it finally looks possible to get
an up-to-date PAM version included in Debian.

I would have greatly appreciated to have gotten a feedback on my
contribution from 2 years ago instead of it being totally ignored.
During those two years, I had more than enough time that would have
enabled me to improve my contribution if I had received a feedback.

I'm also sure everyone who took the time to open bug reports would
appreciate for those bug reports to be followed up.

Anyway, let's focus on the present.

> [...]
> > Anyway, consider this an objection to salvaging of the pam package.
Is this a confirmation from your part that you now have the motivation
and time available in order to upload up-to-date PAM versions and
properly answer the bug reports that pilled up over the years?

> > I am happy to take a look at your work to forward-port the patches onto pam
> > 1.3.  Would you be willing to rebase
> > https://gitlab.gnugen.ch/fvessaz/pkg-pam.git onto
> > https://salsa.debian.org/vorlon/pam.git ?
> 
> As it's not a trivial rebase to do I've "recreated" much of it on top
> of the new git repo. Cherry-picking from Florians tree where possible,
> reimporting the upstream release from scratch, using my own tree
> of patches from my previous effort[1], and resolved conflicts where
> they appeared when cherry-picking, added some new commits as well.
> In other words, credits to Florian and blame for breakage should
> likely be assigned to me.
> 
> My result is thus not exactly equivalent to Florians tree. Diffing
> debian/patches between our trees can be an interesting read as it's
> two independent rebasing of the existing patches.
> 
> Please see https://salsa.debian.org/ah/pam/commits/ah/master
> 
> (see also the ah/upstream branch.)

I also took the time to work on my branch in order to get something to
compare and to ensure I have an understanding of the changes. I also
included the commit you added to update debian/watch.

See https://gitlab.gnugen.ch/fvessaz/pkg-pam, the master branch is the
updated one and 2018/master is the one from December.

I did not update the changelog entry I previously added; yours might be
more appropriate.

I only took the time to have a cursory look at the differences today.
However, it currently appears that they are relatively small and
contained in debian/patches. I'll take the time to review those
differences tomorrow or Friday night.

> Hoping we can make progress here because the things I'm interested
> in seeing fixed are still to come (but to find motivation to try to
> allocate the time there needs to be some signs of it having a chance
> to be a useful investment).

I'm, also hoping we can make progress. :-)

Cheers,
-- Florian


signature.asc
Description: PGP signature

Bug#821408: Pam 1.3.0

[Andreas Henriksson]

Hello Florian and Steve,

On Tue, Jan 22, 2019 at 02:40:00PM -0800, Steve Langasek wrote:
> On Tue, Jan 22, 2019 at 09:12:31PM +0100, Florian Vessaz wrote:
> > We've got no reply from the current maintainers to this bug report since
> > the approximately 2 and a half years it has been opened. I thus think
> > it's safe to presume the current maintainers have no interest in keeping
> > PAM up-to-date in Debian.

Sorry for not having found time to look at this. I'm still very
interested in seeing improvements on the PAM side, I'm just very short
on spare time.

FWIW I think the chance for getting changes into buster has most likely
passed already. Atleast I wouldn't feel comfortable introducing alot
of changes this late in the release cycle. I think it's better to target
experimental now and then upload to unstable early in the bullseye
cycle.

> 
> Wow, that's an incredible conclusion less than 2 weeks after a maintainer
> upload.
> 
> It happens that fly-by NMUs are a lot less work than properly maintaining a
> package.  So yes, there were a series of NMUs from developers who had no
> investment in the long-term maintainability of the package in the time it
> took me to get the VCS history converted into something supported and do a
> maintainer upload.
> 
> (I appreciate your past efforts to handle this migration, but in your own
> words "the history of the packaging is not pretty" and I was unwilling to
> accept an incomplete history of the packaging.)

Thanks for joining the discussion. I'm sure we can elaborate eternally
on our definitions of "properly maintaining" and the tradeoffs between
pretty git histories and having users suffer the consequenses of
the outstanding bugs for yet another release cycle, but lets proceed
to something more productive.

[...]
> Anyway, consider this an objection to salvaging of the pam package.
> 
> I am happy to take a look at your work to forward-port the patches onto pam
> 1.3.  Would you be willing to rebase
> https://gitlab.gnugen.ch/fvessaz/pkg-pam.git onto
> https://salsa.debian.org/vorlon/pam.git ?

As it's not a trivial rebase to do I've "recreated" much of it on top
of the new git repo. Cherry-picking from Florians tree where possible,
reimporting the upstream release from scratch, using my own tree
of patches from my previous effort[1], and resolved conflicts where
they appeared when cherry-picking, added some new commits as well.
In other words, credits to Florian and blame for breakage should
likely be assigned to me.

My result is thus not exactly equivalent to Florians tree. Diffing
debian/patches between our trees can be an interesting read as it's
two independent rebasing of the existing patches.

Please see https://salsa.debian.org/ah/pam/commits/ah/master

(see also the ah/upstream branch.)

Hoping we can make progress here because the things I'm interested
in seeing fixed are still to come (but to find motivation to try to
allocate the time there needs to be some signs of it having a chance
to be a useful investment).

Regards,
Andreas Henriksson


[1]: https://people.debian.org/~ah/pkg-pam/

Bug#821408: Pam 1.3.0

[Steve Langasek]

On Tue, Jan 22, 2019 at 09:12:31PM +0100, Florian Vessaz wrote:
> We've got no reply from the current maintainers to this bug report since
> the approximately 2 and a half years it has been opened. I thus think
> it's safe to presume the current maintainers have no interest in keeping
> PAM up-to-date in Debian.

Wow, that's an incredible conclusion less than 2 weeks after a maintainer
upload.

It happens that fly-by NMUs are a lot less work than properly maintaining a
package.  So yes, there were a series of NMUs from developers who had no
investment in the long-term maintainability of the package in the time it
took me to get the VCS history converted into something supported and do a
maintainer upload.

(I appreciate your past efforts to handle this migration, but in your own
words "the history of the packaging is not pretty" and I was unwilling to
accept an incomplete history of the packaging.)

> The following points are taken from the Debian Developer's Reference
> document mentioned above:

> * NMUs, especially if there has been more than one NMU in a row.

>   Since the 18th of April 2016, date at which this bug was opened there was:

>   2016-06-02 1.1.8-3.3 NMU
>   2016-12-20 1.1.8-3.4 NMU
>   2017-01-04 1.1.8-3.5 NMU
>   2017-05-27 1.1.8-3.6 NMU
>   2018-02-07 1.1.8-3.7 NMU
>   2018-08-13 1.1.8-3.8 NMU
>   2019-01-09 1.1.8-4   upload by a maintainer

I think this is poorly worded in the DevRef.  Clearly the intent is that
there be several /unacknowledged/ NMUs.

Anyway, consider this an objection to salvaging of the pam package.

I am happy to take a look at your work to forward-port the patches onto pam
1.3.  Would you be willing to rebase
https://gitlab.gnugen.ch/fvessaz/pkg-pam.git onto
https://salsa.debian.org/vorlon/pam.git ?

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer   https://www.debian.org/
slanga...@ubuntu.com vor...@debian.org


signature.asc
Description: PGP signature

Bug#821408: Pam 1.3.0

[Florian Vessaz]

Hi Andreas,

On Thu, Dec 06, 2018 at 11:44:14AM +0100, Andreas Henriksson wrote:
> Hi Florian,
> 
> On Mon, Dec 03, 2018 at 10:13:23PM +0100, Florian Vessaz wrote:
> [...]
> > I updated my Git repository such that it now contains pam 1.3.1, the
> > changes from the previous NMUs, your changes and additional small
> > changes to address some of the lintian warnings.
> 
> Thanks for doing that and for still being interested.
> I'll try to find time and motivation to look over your new version
> soon. (Please feel free to poke me if I seem to have forgotten about
> this.)

Thank you for trying. I suppose you might not have found the time or
might not have the motivation. Which is perfectly fine, there are no
obligations.

> [...]
> > I haven't really looked at the available options to get the changes
> > uploaded. So any pointers would be welcomed. :-)
> 
> I assume you're not a DD, so unless current pam maintainers show
> any interest I guess it's up to me to review your stuff and then
> I think it would be quite harmless if we upload it to experimental.

We've got no reply from the current maintainers to this bug report since
the approximately 2 and a half years it has been opened. I thus think
it's safe to presume the current maintainers have no interest in keeping
PAM up-to-date in Debian.

[...]
> Please see here if you're
> interested in the administrative details on how it should be
> done properly these days:
> 
> https://wiki.debian.org/PackageSalvaging
> https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#package-salvaging

The following points are taken from the Debian Developer's Reference
document mentioned above:

* NMUs, especially if there has been more than one NMU in a row.

  Since the 18th of April 2016, date at which this bug was opened there was:

  2016-06-02 1.1.8-3.3 NMU
  2016-12-20 1.1.8-3.4 NMU
  2017-01-04 1.1.8-3.5 NMU
  2017-05-27 1.1.8-3.6 NMU
  2018-02-07 1.1.8-3.7 NMU
  2018-08-13 1.1.8-3.8 NMU
  2019-01-09 1.1.8-4   upload by a maintainer


* Bugs filed against the package do not have answers from the maintainer.

  9 out of the 15 first bugs displayed on the BTS page appear to have
  been neglected for more than a year. I did not inspect the other bug
  reports.
  https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=pam

   No answer since
  #917374  December 2018 Important
  #916169  December 2018 Important
  #914541  November 2018 Important
  #890626  February 2018 Normal
  #890524  February 2018 Important
  #889910  February 2018 Important
  #824607  May  2017 Normal
  #834589  August   2016 Important
  #332292  June 2013 Important
  #583958  May  2013 Normal
  #691008  October  2012 Normal
  #601825  November 2010 Important
  #569746  February 2010 Important
  #336513  October  2005 Important
  #182605  July 2008 Normal

* Upstream has released several versions, but despite there being a bug
  entry asking for it, it has not been packaged.

  This bug reports asked for an up-to-date version of PAM in April 2016.

  In February 2017, I proposed an updated package including PAM 1.3.0
  but no feedback was received from the maintainers.

  In December 2018, I proposed an updated package including PAM 1.3.1
  but no feedback was received from the maintainers.

  The version currently in Debian is 1.1.8 which has been released by
  upstream in September 2013.

So, it appears to me that the Package Salvaging process is applicable.
It's is however unclear to me if the Package Salvaging process can be
performed by someone like me who is not a DD or a DM. As it is defined
in the Debian Developer's Reference, I presume the process is to be
performed by a DD.

Is there a chance to get an up-to-date version of PAM in Buster?

Cheers,
-- Florian


signature.asc
Description: PGP signature

Bug#821408: Pam 1.3.0

[Andreas Henriksson]

Hi Florian,

On Mon, Dec 03, 2018 at 10:13:23PM +0100, Florian Vessaz wrote:
[...]
> I updated my Git repository such that it now contains pam 1.3.1, the
> changes from the previous NMUs, your changes and additional small
> changes to address some of the lintian warnings.

Thanks for doing that and for still being interested.
I'll try to find time and motivation to look over your new version
soon. (Please feel free to poke me if I seem to have forgotten about
this.)

[...]
> I haven't really looked at the available options to get the changes
> uploaded. So any pointers would be welcomed. :-)

I assume you're not a DD, so unless current pam maintainers show
any interest I guess it's up to me to review your stuff and then
I think it would be quite harmless if we upload it to experimental.

In the olden days we'd then battle it out for ownership, but since
recently there's a new official procedure how to go about this
which I should read up on myself. Please see here if you're
interested in the administrative details on how it should be
done properly these days:

https://wiki.debian.org/PackageSalvaging
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#package-salvaging


Regards,
Andreas Henriksson

Bug#821408: Pam 1.3.0

[Florian Vessaz]

Hi Andreas,

On Fri, Nov 09, 2018 at 01:17:45AM +0100, Andreas Henriksson wrote:
> Hi Florian,
> 
> On Sun, Feb 05, 2017 at 05:48:23PM +0100, Florian Vessaz wrote:
> > Hi,
> > 
> > I've refreshed the patches against the 1.3.0 release and moved the
> > packaging to Git as upstream is also using Git. (This was discussed with
> > Steve two weeks ago.)
> [...]
> >   https://gitlab.gnugen.ch/fvessaz/pkg-pam.git
> [...]
> > I'm naturally open to constructive criticism. Let me know if there is
> > something I can do to help out.
> 
> I (unfortunately) just redid all of your work because I didn't
> find this bug report because of the non-standard subject. :(
> 
> OTOH I did against pam 1.3.1 so slightly newer.
> See https://people.debian.org/~ah/pkg-pam/
> 
> I'm just at the point where it now builds. No further checks done yet.
> 
> I guess we can always compare work to see if we did it the same.

I updated my Git repository such that it now contains pam 1.3.1, the
changes from the previous NMUs, your changes and additional small
changes to address some of the lintian warnings.

> Since a long time has passed, I'd like to ask if you are still
> interested in working on pam in Debian?

Yes, I'm interested in having an up-to-date pam in Debian. Over the last
two years or so, I've just installed pam through other means to get the
latest upstream versions. So if I instead spend time to keep the package
updated, that would actually be more useful.

> I think an upload to experimental would be a good start and I'm willing
> to sponsor if there's a need. (If we continue from your work then 
> incorporating all the NMUs that happened since it was prepared is
> also needed.)

I haven't really looked at the available options to get the changes
uploaded. So any pointers would be welcomed. :-)

Cheers,
-- Florian


signature.asc
Description: PGP signature

Bug#821408: Pam 1.3.0

[Andreas Henriksson]

Control: retitle -1 New upstream release available (1.3.1)

Hi Florian,

On Sun, Feb 05, 2017 at 05:48:23PM +0100, Florian Vessaz wrote:
> Hi,
> 
> I've refreshed the patches against the 1.3.0 release and moved the
> packaging to Git as upstream is also using Git. (This was discussed with
> Steve two weeks ago.)
[...]
>   https://gitlab.gnugen.ch/fvessaz/pkg-pam.git
[...]
> I'm naturally open to constructive criticism. Let me know if there is
> something I can do to help out.

I (unfortunately) just redid all of your work because I didn't
find this bug report because of the non-standard subject. :(

OTOH I did against pam 1.3.1 so slightly newer.
See https://people.debian.org/~ah/pkg-pam/

I'm just at the point where it now builds. No further checks done yet.

I guess we can always compare work to see if we did it the same.

Since a long time has passed, I'd like to ask if you are still
interested in working on pam in Debian?
I think an upload to experimental would be a good start and I'm willing
to sponsor if there's a need. (If we continue from your work then 
incorporating all the NMUs that happened since it was prepared is
also needed.)

Regards,
Andreas Henriksson

Bug#821408: Pam 1.3.0

[Florian Vessaz]

Hi,

I've refreshed the patches against the 1.3.0 release and moved the
packaging to Git as upstream is also using Git. (This was discussed with
Steve two weeks ago.)

I've imported the packaging history from bzr. The history of the
packaging is not pretty, but I don't think there is a reasonable way to
fix it.

You can fetch the relevant branches from this Git remote:
  https://gitlab.gnugen.ch/fvessaz/pkg-pam.git

 master: packaging branch
 upstream: upstream releases
 pam/master: upstream's master branch
 bzr/sid: https://alioth.debian.org/scm/loggerhead/pkg-pam/debian/sid

The important tags are also here:
 debian/*: Debian releases
 upstream/*: Imports of upstream sources

I believe the future releases can be imported using gbp-import-orig and
the --upstream-vcs-tag option to link upstream's master branch.

In my opinion it would be a good idea to push all that to Alioth but I
can't do it myself as I'm just a long-time Debian user. ;-)

I'm naturally open to constructive criticism. Let me know if there is
something I can do to help out.

Cheers,
-- Florian


signature.asc
Description: PGP signature