Bug#858802: [Letsencrypt-devel] Bug#858802: AttributeError: 'module' object has no attribute '_init_cffi_1_0_external_module'

2017-03-26 Thread Harlan Lieberman-Berg
package certbot
tag 858802 +unreproducible +moreinfo
thanks

Tom Maneiro  writes:
> Trying to run certbot on a fresh install on my Stretch box leads me to the
> following stackdump:

Hi Tom,

Interesting.  I've tried replicating this on a clean Stretch box, but I
don't get this error at all.  A couple of questions for you:

1.  Is this a fresh install of Stretch, or an upgrade?
2.  Can you attach the output of this command?  (You may need to install
apt-rdepends if you don't already have it installed.)

apt-cache policy $(apt-rdepends -p certbot 2>| /dev/null|awk '/Depends/ {print $2}'|sort -u)|awk '/^[^ ]/ { package=$0 } /  Installed/ { print package " " $2 }'

Sincerely,
-- 
Harlan Lieberman-Berg
~hlieberman



Processed: Re: [Letsencrypt-devel] Bug#858802: AttributeError: 'module' object has no attribute '_init_cffi_1_0_external_module'

2017-03-26 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package certbot
Limiting to bugs with field 'package' containing at least one of 'certbot'
Limit currently set to 'package':'certbot'

> tag 858802 +unreproducible +moreinfo
Bug #858802 [certbot] AttributeError: 'module' object has no attribute 
'_init_cffi_1_0_external_module'
Added tag(s) unreproducible.
Bug #858802 [certbot] AttributeError: 'module' object has no attribute 
'_init_cffi_1_0_external_module'
Added tag(s) moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
858802: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858802
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: retitle 858800 to RFS: xtrs/4.9d-1 [ITA] [RC], block 511645 with 858800

2017-03-26 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 858800 RFS: xtrs/4.9d-1 [ITA] [RC]
Bug #858800 [sponsorship-requests] RFS: xtrs/4.9d-1 [ITA]
Changed Bug title to 'RFS: xtrs/4.9d-1 [ITA] [RC]' from 'RFS: xtrs/4.9d-1 
[ITA]'.
> block 511645 with 858800
Bug #511645 [xtrs] xtrs: hangs on startup due to use of SIGIO
511645 was not blocked by any bugs.
511645 was not blocking any bugs.
Added blocking bug(s) of 511645: 858800
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
511645: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511645
858800: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858800
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#858803: erlang-cowboy: Cowboy 2.0 != Cowboy 1.0

2017-03-26 Thread Chris Pacejo
Package: erlang-cowboy
Version: 2.0.0~pre.1+dfsg1-2
Severity: grave
Justification: renders package unusable

Dear Maintainer,

For some reason, erlang-cowboy source has been updated to point at Cowboy
2.0.  This renders the package unusable, since Cowboy 2.0 is a
backward-incompatible API rework (even the name of the "start library"
function has changed).  This package should be reverted to point at the
latest Cowboy 1.x release, and a separate "erlang-cowboy2" package should be
made to track the Cowboy 2.x releases.

Furthermore, the release that this package currently points at is a 2.0
prerelease, which is missing major changes present in the latest 2.0
prerelease.  So, it is not usable even by code expecting Cowboy 2.0.


-- System Information:
Debian Release: 6.0.7
  APT prefers oldoldstable
  APT policy: (500, 'oldoldstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37.2-RX-domU-static (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages erlang-cowboy depends on:
ii  erlang-base    1:19.2.1+dfsg-1
ii  erlang-cowlib  1.3.0-2
ii  erlang-crypto  1:19.2.1+dfsg-1
ii  erlang-ranch   1.2.1-3

erlang-cowboy recommends no packages.

erlang-cowboy suggests no packages.

-- debconf information:
Unescaped left brace in regex is deprecated, passed through in regex; marked by 
<-- HERE in m/^(.*?)(\\)?\${ <-- HERE ([^{}]+)}(.*)$/ at 
/usr/share/perl5/Debconf/Question.pm line 72.
Unescaped left brace in regex is deprecated, passed through in regex; marked by 
<-- HERE in m/\${ <-- HERE ([^}]+)}/ at /usr/share/perl5/Debconf/Config.pm line 
30.



Bug#858556: In case the code is not anywhere...

2017-03-26 Thread Amos Jeffries
On 26/03/2017 1:34 p.m., Santiago Garcia Mantinan wrote:
>> Maybe it was just that the original code had to be at the 
>> upgrade|install-upgrade
>> block of the case?
>>
>> But why is the -d /etc/squid3 checked?
> 

IIRC this is for transitions where _both_ squid and squid3 packages are
already installed. Including the odd situation where a squid3 package is
partially installed, which apt seems to like doing.

The root cause of our troubles AFAICT is that the old 2.x "squid"
packages do not register their squid.conf as a conffile. So in the debci
testing dpkg has no way to know that there were no changes to the 2.7
default config file when upgrading wheezy->stretch. That was the initial
bug 801654 problem about constantly asking to preserve changes.

So... the current squid package unconditionally preserves any old
squid.conf, goes on to install and register the 3.5+ squid.conf.default
file as its baseline conffile. Then slips the old squid.conf into place
as if it had gone through a normal conffile upgrade with no questions,
always preserving the 'old' version squid.conf.

That much seems to be working as intended for upgrades. But I/we wrongly
assumed the --compare-versions would return false if there was no
previous version.

Amos



Processed: severity of 858802 is serious

2017-03-26 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> # a program that doesn't start is RC
> severity 858802 serious
Bug #858802 [certbot] AttributeError: 'module' object has no attribute 
'_init_cffi_1_0_external_module'
Severity set to 'serious' from 'important'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
858802: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858802
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#858593: marked as done (src:node-mocha: FTBFS reliably due to test failures: 1.20.1-3 failed on build daemon)

2017-03-26 Thread Debian Bug Tracking System
Your message dated Sun, 26 Mar 2017 22:48:49 +
with message-id 
and subject line Bug#858593: fixed in node-mocha 1.20.1-7
has caused the Debian Bug report #858593,
regarding src:node-mocha: FTBFS reliably due to test failures: 1.20.1-3 failed 
on build daemon
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
858593: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858593
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:node-mocha
Version: 1.20.1-3
Severity: serious
Tags: pending
Justification: fails to build from source

My upload of yesterday failed to build on the build daemon¹. This is (at
least) due to tests timing out. While getting the build to pass (by
building with debomatic.d.n as locally the build always succeeds) I
discovered that also the TCP port used in one of the tests is an
official port that may already be in use².

Paul

¹ https://buildd.debian.org/status/fetch.php?pkg=node-mocha=all=1.20.1-3=1490307324=0
² While still available:
http://debomatic-amd64.debian.net/distribution#unstable/node-mocha/1.20.1-3/buildlog
  log said:
  Uncaught Error: listen EADDRINUSE :::8889
    at Object.exports._errnoException (util.js:907:11)
    at exports._exceptionWithHostPort (util.js:930:20)
    at Server._listen2 (net.js:1253:14)
    at listen (net.js:1289:10)
    at Server.listen (net.js:1385:5)
    at Object. (/<>/test/http.meta.js:22:8)
    at Module._compile (module.js:409:26)
    at Object.Module._extensions..js (module.js:416:10)
    at Module.load (/usr/lib/coffee-script/lib/coffee-script/register.js:45:36)
    at Function.Module._load (module.js:300:12)
    at Module.require (module.js:353:17)
    at require (internal/module.js:12:17)
    at /<>/lib/mocha.js:172:27
    at Array.forEach (native)
    at Mocha.loadFiles (/<>/lib/mocha.js:169:14)
    at Mocha.run (/<>/lib/mocha.js:356:31)
    at Object. (/<>/bin/_mocha:366:16)
    at Module._compile (module.js:409:26)
    at Object.Module._extensions..js (module.js:416:10)
    at Module.load (module.js:343:32)
    at Function.Module._load (module.js:300:12)
    at Function.Module.runMain (module.js:441:10)
    at startup (node.js:140:18)
    at node.js:1043:3

-- System Information:
Debian Release: 9.0
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



--- End Message ---
--- Begin Message ---
Source: node-mocha
Source-Version: 1.20.1-7

We believe that the bug you reported is fixed in the latest version of
node-mocha, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 858...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès  (supplier of updated node-mocha package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Mon, 27 Mar 2017 00:10:16 +0200
Source: node-mocha
Binary: mocha libjs-mocha
Architecture: source
Version: 1.20.1-7
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers 

Changed-By: Bastien Roucariès 
Description:
 libjs-mocha - simple, flexible, fun test framework - JavaScript library
 mocha  - simple, flexible, fun test framework - Node.js module
Closes: 858593
Changes:
 node-mocha (1.20.1-7) unstable; urgency=medium
 .
   * Team upload
   * Fix http test (Closes: #858593 hopefully)

Processed (with 1 error): reopen

2017-03-26 Thread Debian Bug Tracking System
Processing control commands:

> reopen 858593
Bug #858593 {Done: Paul Gevers } [src:node-mocha] 
src:node-mocha: FTBFS reliably due to test failures: 1.20.1-3 failed on build 
daemon
'reopen' may be inappropriate when a bug has been closed with a version;
all fixed versions will be cleared, and you may need to re-add them.
Bug reopened
No longer marked as fixed in versions node-mocha/1.20.1-6.
> found 1.20.1-6
Unknown command or malformed arguments to command.


-- 
858593: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858593
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#858593: reopen

2017-03-26 Thread Bastien ROUCARIES
Control: reopen 858593
Control: found 1.20.1-6



Bug#858769: "cvs init" creates CVSROOT/history and val-tags world-writeable

2017-03-26 Thread Thorsten Glaser
Ian Jackson dixit:

>Thorsten Glaser writes ("Re: Bug#858769: "cvs init" creates CVSROOT/history 
>and val-tags world-writeable"):
>> 0664, actually; CVS operates group-writable.
>
>Does this not depend on the umask ?

To some degree, yes. On the other hand, there’s an explicit chmod
in there, and normally you operate with a CVSUMASK of 002 precisely
to work in groups.

>> I’m running the sanity testsuite, adjusted, against an accordingly
>> patched CVS right now and have tested the “cvs init” delta.
>
>Right.  Thanks for your prompt attention!

Sure, you’re welcome.

I ended up doing some yak shaving and more bugfixing, which I’m
sadly unlikely to be getting into stretch, so I’ll just have to
pick the individual fixes related to this and not the general
testsuite fixes (sanity.sh is quite insane), and I’m still not
finished testing things enough, so it may take a bit until I
have something that can be uploaded.

bye,
//mirabilos
-- 
“It is inappropriate to require that a time represented as
 seconds since the Epoch precisely represent the number of
 seconds between the referenced time and the Epoch.”
-- IEEE Std 1003.1b-1993 (POSIX) Section B.2.2.2



Bug#858769: "cvs init" creates CVSROOT/history and val-tags world-writeable

2017-03-26 Thread Ian Jackson
Thorsten Glaser writes ("Re: Bug#858769: "cvs init" creates CVSROOT/history and 
val-tags world-writeable"):
> 0664, actually; CVS operates group-writable.

Does this not depend on the umask ?

> I’m running the sanity testsuite, adjusted, against an accordingly
> patched CVS right now and have tested the “cvs init” delta.

Right.  Thanks for your prompt attention!

Ian.
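
The umask question raised in this thread, as an added example that is not part of either message and is not CVS code: a file created by redirection is filtered by the umask, while an explicit chmod afterwards is not, and a find on the write-other bit shows which files ended up world-writable. The directory layout, function names and the 0666 mode are constructed for the demonstration; only the file names history and val-tags come from the bug title.

```shell
#!/bin/sh
# Added illustration: file names follow the bug title; the directory layout,
# function names and the 0666 mode are constructed for this demo.

# Create the two admin files the bug title names. Creation by redirection is
# filtered by the umask; an explicit chmod afterwards is not.
# usage: make_admin_files DIR UMASK [CHMOD_MODE]
make_admin_files() {
    (
        umask "$2"
        mkdir -p "$1/CVSROOT"
        for f in history val-tags; do
            : > "$1/CVSROOT/$f"
            if [ -n "${3:-}" ]; then
                chmod "$3" "$1/CVSROOT/$f"
            fi
        done
    )
}

# Print the symbolic permission bits of a file, e.g. -rw-rw-r--
perms() {
    ls -ld "$1" | cut -c1-10
}

# List regular files under DIR that any local user may write to.
world_writable() {
    find "$1" -type f -perm -0002 -print | sort
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_admin_files "$tmp/umask-only" 002          # umask 002 alone
    make_admin_files "$tmp/chmod-0666" 002 0666     # explicit chmod overrides umask
    make_admin_files "$tmp/chmod-0664" 077 0664     # group-writable, even under 077
    for d in umask-only chmod-0666 chmod-0664; do
        printf '%-11s %s\n' "$d" "$(perms "$tmp/$d/CVSROOT/history")"
    done
    echo "world-writable files:"
    world_writable "$tmp"
    rm -rf "$tmp"
}

demo
```

Running world_writable against an existing repository root gives the list of files to tighten.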



Bug#858593: marked as done (src:node-mocha: FTBFS reliably due to test failures: 1.20.1-3 failed on build daemon)

2017-03-26 Thread Debian Bug Tracking System
Your message dated Sun, 26 Mar 2017 21:10:16 +
with message-id 
and subject line Bug#858593: fixed in node-mocha 1.20.1-6
has caused the Debian Bug report #858593,
regarding src:node-mocha: FTBFS reliably due to test failures: 1.20.1-3 failed 
on build daemon
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
858593: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858593
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-mocha
Source-Version: 1.20.1-6

We believe that the bug you reported is fixed in the latest version of
node-mocha, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 858...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Gevers  (supplier of updated node-mocha package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sun, 26 Mar 2017 21:14:56 +0200
Source: node-mocha
Binary: mocha libjs-mocha
Architecture: source
Version: 1.20.1-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers 

Changed-By: Paul Gevers 
Description:
 libjs-mocha - simple, flexible, fun test framework - JavaScript library
 mocha  - simple, flexible, fun test framework - Node.js module
Closes: 856807 858593
Changes:
 node-mocha (1.20.1-6) unstable; urgency=medium
 .
   * There were more tcp ports involved in the test suite, changing them
 too (Closes: #858593 hopefully)
   * Update Vcs-Browser in d/control to use git instead of gitweb
   * Add LC_ALL to sort to make build reproducible (Closes: #856807) thanks
 Chris

Bug#852645: dafny: FTBFS

2017-03-26 Thread Benjamin Barenblat
1.9.8 builds fine, but that’s a 30,000-plus-LoC diff from 1.9.7, so
trying to get the new version into Stretch seems unlikely at this
point. I suspect cherry-picking upstream’s
dc724533490f66bb553d71be1b971f2008318adc and
e7cfcf3eb135c378d12c04f35d9f85f6cb241467 commits into 1.9.7 would be
sufficient, but I don’t have time to check right now. I’ll continue to
investigate and attempt to backport a fix.



Processed: tagging 856592

2017-03-26 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 856592 + help
Bug #856592 [src:libpodofo] Multiple security issues
Added tag(s) help.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
856592: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856592
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#858794: gmime: Tests contain a MIME message with a (presumably non-free) Playboy/Hustler/something photo

2017-03-26 Thread Sami Liedes
Source: gmime
Version: 2.6.22-2
Severity: serious

With package 'ripmime' installed:


$ apt-get source gmime-bin
$ cd gmime-2.6.22/tests/
$ mkdir attachments
$ cd attachments
$ cat ../message-partial.* ../*.eml |ripmime -i -
$ ls -l *.jpg
-rw--- 1 sliedes sliedes 115113 Mar 26 22:45 2377h003.jpg
-rw--- 1 sliedes sliedes  17527 Mar 26 22:45 leonc.jpg
-rw--- 1 sliedes sliedes  45064 Mar 26 22:45 SkipStone-Banner.jpg


The file 2377h003.jpg is a photograph of a scantily clad model
apparently taken by a pornographer named Suze Randall. The photograph,
which "ripmime" unfortunately does not extract fully from the
multipart message (you can build gmime and use tests/test-partial
message-partial.* to combine the parts; the size should be 117415
bytes), contains the copyright notice "(c) 2001 Suze Randall" in the
lower right corner.

The file leonc.jpg is apparently part of a movie poster of the movie
Leon: The Professional and depicts the character "Mathilda", a 12-year
old girl played by Natalie Portman, with a huge gun in her hand.

SkipStone-Banner appears to be a partial banner of an old web browser
("Gtk+ only browser"; I did not inspect what its license is, but did
find a source download link).

Sami


-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.10.4 (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)




Bug#855673: marked as done (rubocop: FTBFS: RuboCop::Cop::Lint::UselessAssignment when a variable is reassigned in loop body but won't be referenced either next iteration or loop condition registers a

2017-03-26 Thread Debian Bug Tracking System
Your message dated Sun, 26 Mar 2017 20:53:03 +0100
with message-id <20170326195303.ga1...@alice.nomadium.lan>
and subject line Re: rubocop: FTBFS: RuboCop::Cop::Lint::UselessAssignment when 
a variable is reassigned in loop body but won't be referenced either next 
iteration or loop condition registers an offense
has caused the Debian Bug report #855673,
regarding rubocop: FTBFS: RuboCop::Cop::Lint::UselessAssignment when a variable 
is reassigned in loop body but won't be referenced either next iteration or 
loop condition registers an offense
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
855673: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855673
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: rubocop
Version: 0.47.1+dfsg-1
Severity: serious
Justification: fails to build from source
User: reproducible-bui...@lists.alioth.debian.org
Usertags: ftbfs
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org

Dear Maintainer,

rubocop fails to build from source in unstable/amd64:

  […]

  
  ┌──┐
  │ Run tests for ruby2.3 from debian/ruby-tests.rake │
  └──┘

  RUBYLIB=«BUILDDIR»/debian/rubocop/usr/lib/ruby/vendor_ruby:. GEM_PATH=debian/rubocop/usr/share/rubygems-integration/all:/home/lamby/.gem/ruby/2.3.0:/var/lib/gems/2.3.0:/usr/lib/x86_64-linux-gnu/rubygems-integration/2.3.0:/usr/share/rubygems-integration/2.3.0:/usr/share/rubygems-integration/all ruby2.3 -S rake -f debian/ruby-tests.rake
  /usr/bin/ruby2.3 /usr/bin/rspec --pattern ./spec/\*\*/\*_spec.rb
  Run options:
include {:focus=>true}
exclude {:broken=>#}
  
  All examples were filtered out; ignoring {:focus=>true}
  
  Randomized with seed 32857
  

Bug#858078: Kernel hangs most of the times when modeset=1 on the i915

2017-03-26 Thread Steve Cotton
On Sat, Mar 18, 2017 at 01:53:09AM +0100, Santiago Garcia Mantinan wrote:
> I just upgraded this machine from Jessie to Stretch and found the kernel
> crashing (computer completely frozen) most of the times, even if X is not
> started. I then tried to use the kernel from Jessie with current packages
> from Stretch and found that it works perfectly, like it used to on Jessie.
 
> ? dump_stack+0x5c/0x78
> ? __warn+0xbe/0xe0
> ? warn_slowpath_fmt+0x5f/0x80
> ? finish_wait+0x3c/0x70
> ? drm_wait_one_vblank+0x197/0x1a0 [drm]
> ? prepare_to_wait_event+0xf0/0xf0
> ? intel_get_load_detect_pipe+0x624/0x640 [i915]
> ? intel_tv_detect+0x155/0x550 [i915]
> ? drm_property_replace_global_blob+0xd8/0x120 [drm]
> ? drm_helper_probe_single_connector_modes+0x3f6/0x4e0 [drm_kms_helper]

Hi Manty,

Does adding video=SVIDEO-1:d to the kernel command line also fix it?
There's an upstream bug that "some that of the TV encoding registers not
being set properly before trying to call intel_wait_for_vblank()"

https://bugs.freedesktop.org/show_bug.cgi?id=93782

BR,
Steve



Bug#839218: nama: FTBFS: Failed 1/7 test programs. 0/91 subtests failed.Bad plan. You planned 126 tests but ran 57.

2017-03-26 Thread Niko Tyni
On Fri, Mar 24, 2017 at 11:30:11AM +0200, Niko Tyni wrote:
 
> I'll also work a bit on reducing the test further when I find the time.

I got it down to this:

  my $a = [ 0, 1 ];
  sub f {
my $arg = shift;
my @a1 = @$a;
@$a = @a1;
return();
  }
  map{ f($_) } @$a;


This looks to me like an instance of the general stack-not-refcounted
issue, see https://rt.perl.org/Public/Bug/Display.html?id=77706 et al.

But let's see what upstream says, I'll follow up there as well.
-- 
Niko Tyni   nt...@debian.org



Bug#858078: Still happens on 4.9.16

2017-03-26 Thread Santiago Garcia Mantinan
Hi!

As expected, this does still happen on the 4.9.16 kernel in unstable at this
time.

Regards. 
-- 
Manty/BestiaTester -> http://manty.net



Processed: libxslt: diff for NMU version 1.1.29-2.1

2017-03-26 Thread Debian Bug Tracking System
Processing control commands:

> tags 858546 + pending
Bug #858546 [src:libxslt] CVE-2017-5029: Integer overflow in xsltAddTextString
Added tag(s) pending.

-- 
858546: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858546
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#858546: libxslt: diff for NMU version 1.1.29-2.1

2017-03-26 Thread Salvatore Bonaccorso
Control: tags 858546 + pending

Dear maintainer,

I've prepared an NMU for libxslt (versioned as 1.1.29-2.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru libxslt-1.1.29/debian/changelog libxslt-1.1.29/debian/changelog
--- libxslt-1.1.29/debian/changelog	2016-10-30 15:01:00.0 +0100
+++ libxslt-1.1.29/debian/changelog	2017-03-26 19:44:01.0 +0200
@@ -1,3 +1,11 @@
+libxslt (1.1.29-2.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Check for integer overflow in xsltAddTextString (CVE-2017-5029)
+(Closes: #858546)
+
+ -- Salvatore Bonaccorso   Sun, 26 Mar 2017 19:44:01 +0200
+
 libxslt (1.1.29-2) unstable; urgency=high
 
   * Team upload.
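
Review bot: the new changelog entry ("Check for integer overflow in xsltAddTextString (CVE-2017-5029)") records only the overflow check, but the patch it ships also changes lasttsize and lasttuse in struct _xsltTransformContext (libxslt/xsltInternals.h) from unsigned int to int. Mentioning that header change, and the upstream commit 08ab2774b870de1c7b5a48693df75e8154addae5 the patch is taken from, would make the NMU easier to audit.
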
diff -Nru libxslt-1.1.29/debian/patches/0008-Check-for-integer-overflow-in-xsltAddTextString.patch libxslt-1.1.29/debian/patches/0008-Check-for-integer-overflow-in-xsltAddTextString.patch
--- libxslt-1.1.29/debian/patches/0008-Check-for-integer-overflow-in-xsltAddTextString.patch	1970-01-01 01:00:00.0 +0100
+++ libxslt-1.1.29/debian/patches/0008-Check-for-integer-overflow-in-xsltAddTextString.patch	2017-03-26 19:44:01.0 +0200
@@ -0,0 +1,74 @@
+From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer 
+Date: Thu, 12 Jan 2017 15:39:52 +0100
+Subject: [PATCH] Check for integer overflow in xsltAddTextString
+
+Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
+exploited to trigger an out of bounds write on 64-bit systems.
+
+Originally reported to Chromium:
+
+https://crbug.com/676623
+---
+ libxslt/transform.c | 25 ++---
+ libxslt/xsltInternals.h |  4 ++--
+ 2 files changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 519133fc..02bff34a 100644
+--- a/libxslt/transform.c
 b/libxslt/transform.c
+@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
+ return(target);
+ 
+ if (ctxt->lasttext == target->content) {
++int minSize;
+ 
+-	if (ctxt->lasttuse + len >= ctxt->lasttsize) {
++/* Check for integer overflow accounting for NUL terminator. */
++if (len >= INT_MAX - ctxt->lasttuse) {
++xsltTransformError(ctxt, NULL, target,
++"xsltCopyText: text allocation failed\n");
++return(NULL);
++}
++minSize = ctxt->lasttuse + len + 1;
++
++if (ctxt->lasttsize < minSize) {
+ 	xmlChar *newbuf;
+ 	int size;
++int extra;
++
++/* Double buffer size but increase by at least 100 bytes. */
++extra = minSize < 100 ? 100 : minSize;
++
++/* Check for integer overflow. */
++if (extra > INT_MAX - ctxt->lasttsize) {
++size = INT_MAX;
++}
++else {
++size = ctxt->lasttsize + extra;
++}
+ 
+-	size = ctxt->lasttsize + len + 100;
+-	size *= 2;
+ 	newbuf = (xmlChar *) xmlRealloc(target->content,size);
+ 	if (newbuf == NULL) {
+ 		xsltTransformError(ctxt, NULL, target,
+diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
+index 060b1783..5ad17719 100644
+--- a/libxslt/xsltInternals.h
 b/libxslt/xsltInternals.h
+@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
+  * Speed optimization when coalescing text nodes
+  */
+ const xmlChar  *lasttext;		/* last text node content */
+-unsigned intlasttsize;		/* last text node size */
+-unsigned intlasttuse;		/* last text node use */
++int lasttsize;		/* last text node size */
++int lasttuse;		/* last text node use */
+ /*
+  * Per Context Debugging
+  */
+-- 
+2.11.0
+
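
Review bot: the new early return in xsltAddTextString (the "len >= INT_MAX - ctxt->lasttuse" branch) reports "xsltCopyText: text allocation failed", which names a different function and describes a size-limit rejection as an allocation failure; a message naming xsltAddTextString and the length limit would make the condition recognisable in logs. Two things to confirm before upload: neither file's hunk adds an #include, so INT_MAX relies on <limits.h> already reaching transform.c some other way; and with lasttuse and lasttsize now signed, the guard only holds while len and lasttuse are non-negative, which the visible context lines do not show being checked.
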
diff -Nru libxslt-1.1.29/debian/patches/series libxslt-1.1.29/debian/patches/series
--- libxslt-1.1.29/debian/patches/series	2016-10-30 14:56:24.0 +0100
+++ libxslt-1.1.29/debian/patches/series	2017-03-26 19:44:01.0 +0200
@@ -5,3 +5,4 @@
 0005-Link-with-libm.patch
 0006-remove-plugin-in-xslt-config.patch
 0007-Fix-heap-overread-in-xsltFormatNumberConversion.patch
+0008-Check-for-integer-overflow-in-xsltAddTextString.patch


Bug#858644: marked as done (CVE-2017-6369: authenticated remote execution in firebird 3.0 before version 3.0.2)

2017-03-26 Thread Debian Bug Tracking System
Your message dated Sun, 26 Mar 2017 17:49:19 +
with message-id 
and subject line Bug#858644: fixed in firebird3.0 3.0.1.32609.ds4-14
has caused the Debian Bug report #858644,
regarding CVE-2017-6369: authenticated remote execution in firebird 3.0 before 
version 3.0.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
858644: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858644
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: firebird3.0-server-core
Version: 3.0.1.32609.ds4-13
Severity: grave
Tags: patch upstream security
Justification: user security hole

Forwarded: http://tracker.firebirdsql.org/browse/CORE-5474

Authenticated Firebird users are allowed to declare UDFs (user-defined
functions). The default config allows using all entry points from the standard
UDF library, which is dynamically linked with libc, with its symbols
re-exported, including system().

Relevant upstream commits for 3.0:
 - https://github.com/FirebirdSQL/firebird/commit/8b2a9cb44bf6055e15f016d70a6842b8ada60375
--- End Message ---
--- Begin Message ---
Source: firebird3.0
Source-Version: 3.0.1.32609.ds4-14

We believe that the bug you reported is fixed in the latest version of
firebird3.0, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 858...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Damyan Ivanov  (supplier of updated firebird3.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sat, 25 Mar 2017 16:07:07 +
Source: firebird3.0
Binary: firebird3.0-server-core firebird3.0-server firebird3.0-utils 
libfbclient2 libib-util firebird3.0-common firebird-dev firebird3.0-examples 
firebird3.0-doc firebird3.0-common-doc
Architecture: source
Version: 3.0.1.32609.ds4-14
Distribution: unstable
Urgency: high
Maintainer: Debian Firebird Group 
Changed-By: Damyan Ivanov 
Closes: 858644
Description: 
 firebird3.0-common - common files for firebird 3.0 server, client and utilities
 firebird3.0-common-doc - copyright, licensing and changelogs of firebird3.0
 firebird3.0-doc - Documentation files for firebird database version 3.0
 firebird3.0-examples - Examples for Firebird - an RDBMS based on InterBase 6.0 
code
 firebird3.0-server-core - Firebird Server - engine core
 firebird3.0-server - Firebird Server - an RDBMS based on InterBase 6.0 code
 firebird3.0-utils - Firebird user utilities
 firebird-dev - Development files for Firebird
 libfbclient2 - Firebird client library
 libib-util - Firebird UDF support library
Changes:
 firebird3.0 (3.0.1.32609.ds4-14) unstable; urgency=high
 .
   * Apply commit 56e9a73c168 from upstream B3_0_Release branch
 fixing authenticated remote execution vulnerability (CVE-2017-6369,
 CORE-5474)
 Closes: #858644

Bug#856536: [Packaging] Bug#856536: Bug#856536: munin: regression from DSA-3794-2: spams munin logs with unitialized warnings: [PERL WARNING] Use of uninitialized value $size_x in string eq at /usr/li

2017-03-26 Thread Holger Levsen
Hi Jonas,

On Sun, Mar 26, 2017 at 01:38:59PM +0200, Jonas Meurer wrote:
> > could you please be so kind and push your wheezy and jessie uploads to
> > munin.git too? 
> done.

awesome, thanks!


-- 
cheers,
Holger


signature.asc
Description: Digital signature


Bug#858480: marked as done (cylc: broken symlinks: /usr/bin/(cycl|gcapture|gcontrol|gcylc) -> ../share/cylc/bin/\1)

2017-03-26 Thread Debian Bug Tracking System
Your message dated Sun, 26 Mar 2017 17:18:54 +
with message-id 
and subject line Bug#858480: fixed in cylc 6.11.2-5
has caused the Debian Bug report #858480,
regarding cylc: broken symlinks: /usr/bin/(cycl|gcapture|gcontrol|gcylc) -> 
../share/cylc/bin/\1
to be marked as done.


-- 
858480: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858480
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: cylc
Version: 6.11.2-4
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package ships (or creates)
a broken symlink.

From the attached log (scroll to the bottom...):

6m45.0s ERROR: FAIL: Broken symlinks:
  /usr/bin/gcylc -> ../share/cylc/bin/gcylc
  /usr/bin/gcontrol -> ../share/cylc/bin/gcontrol
  /usr/bin/gcapture -> ../share/cylc/bin/gcapture
  /usr/bin/cycl -> ../share/cylc/bin/cycl


*/bin/cycl sounds like a misspelling ...
^^

We shouldn't ship broken entries in /usr/bin in a stable release.


cheers,

Andreas


science-meteorology_1.6.log.gz
Description: application/gzip
--- End Message ---
--- Begin Message ---
Source: cylc
Source-Version: 6.11.2-5

We believe that the bug you reported is fixed in the latest version of
cylc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 858...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alastair McKinstry  (supplier of updated cylc package)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sun, 26 Mar 2017 16:25:59 +0100
Source: cylc
Binary: cylc python-cylc
Architecture: source amd64
Version: 6.11.2-5
Distribution: unstable
Urgency: medium
Maintainer: Alastair McKinstry 
Changed-By: Alastair McKinstry 
Description:
 cylc   - Workflow scheduler
 python-cylc - Python libraries for cylc workflow scheduler
Closes: 858480
Changes:
 cylc (6.11.2-5) unstable; urgency=medium
 .
   * Fix broken symlinks. Closes: #858480

Bug#858769: "cvs init" creates CVSROOT/history and val-tags world-writeable

2017-03-26 Thread Thorsten Glaser
I wrote…

>>Instead, it would be better to make the file writeable only by those
>>with write access to the repository, and simply not record the
>>read-only operations.
>
>I agree. We could create them both with permissions 0644 and adjust
>the default configuration accordingly.

0664, actually; CVS operates group-writable.

I’m running the sanity testsuite, adjusted, against an accordingly
patched CVS right now and have tested the “cvs init” delta.

Input still welcome ;)

bye,
//mirabilos
-- 
(gnutls can also be used, but if you are compiling lynx for your own use,
there is no reason to consider using that package)
-- Thomas E. Dickey on the Lynx mailing list, about OpenSSL



Processed: Re: Bug#857691: lgogdownloader: crashes if you have DLC for a missing game

2017-03-26 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 serious
Bug #857691 [lgogdownloader] lgogdownloader: crashes if you have DLC for a 
missing game
Severity set to 'serious' from 'important'

-- 
857691: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857691
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#749991: Wrong kernel in debian-installer package

2017-03-26 Thread Philipp Kern
On 03/14/2017 10:34 PM, Nye Liu wrote:
> On Tue, Mar 14, 2017 at 08:39:31PM +, Ben Hutchings wrote:
>> On Tue, 2017-03-14 at 11:36 -0700, Nye Liu wrote:
>>> The only apparent solution is to have the kernel maintainers coordinate 
>>> with the d-i maintainers so that whatever kernel is used in d-i is NOT 
>>> removed from the package repository and its mirrors.
>> The kernel maintainers already coordinate with the d-i maintainers,
>> thanks.  We don't remove any packages; that happens automatically.
> Is there a mechanism to insure that when packages are removed from a repo
> are reflected in netboot.tar.gz?
> 
> IOW: Is there a way to guarantee that
> (dist)/main/installer-amd64/current/images/netboot/netboot.tar.gz does not
> contain a kernel that has no modules package IN THAT SAME mirror?
>  
> Or maybe even an automated way to update netboot.tar.gz every time a
> dists linux-image-(arch).deb is updated, a new netboot.tar.gz can be
> created from 
> (dist)/main/installer-amd64/current/images/netboot/netboot.tar.gz?

Unfortunately such a mechanism does not currently exist. You can try to
peruse the daily builds hosted on https://d-i.debian.org for this. They
are rebuilt daily and should be able to install testing.

It's mostly driven by some complexity in ensuring consistency. There is
currently not a single continuous build and upload process that deals
with new source uploads to the main archive. We'd need to trigger builds
whenever testing changes and then auto-upload a corresponding build.
It's both a technical and political problem to make that happen.

Kind regards
Philipp Kern



signature.asc
Description: OpenPGP digital signature


Bug#856599: marked as done (libktpcommoninternals9: please add Breaks: libktpcommoninternalsprivate7)

2017-03-26 Thread Debian Bug Tracking System
Your message dated Sun, 26 Mar 2017 16:22:32 +
with message-id 
and subject line Bug#856599: fixed in ktp-common-internals 15.08.3-1.1
has caused the Debian Bug report #856599,
regarding libktpcommoninternals9: please add Breaks: 
libktpcommoninternalsprivate7
to be marked as done.


-- 
856599: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856599
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libktpcommoninternals9
Version: 15.08.3-1
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed apt does not find a clean upgrade
path from jessie to stretch in some cases with
libktpcommoninternalsprivate7 is installed.

I tried adding
  Breaks: libktpcommoninternalsprivate7
to libktpcommoninternals9 and thereafter that upgrade path was working fine.


cheers,

Andreas


kde-telepathy_None.log.gz
Description: application/gzip
--- End Message ---
--- Begin Message ---
Source: ktp-common-internals
Source-Version: 15.08.3-1.1

We believe that the bug you reported is fixed in the latest version of
ktp-common-internals, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 856...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Beckmann  (supplier of updated ktp-common-internals 
package)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Tue, 21 Mar 2017 16:20:51 +0100
Source: ktp-common-internals
Binary: libktp-dev libktpcommoninternals9 libktpmodels9 libktpwidgets9 
libktplogger9 libktpotr9 qml-module-org-kde-telepathy kde-telepathy-data 
libktp-dbg kde-telepathy-kpeople kde-telepathy-kaccounts kde-telepathy-debugger
Architecture: source
Version: 15.08.3-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian/Kubuntu Qt/KDE Maintainers 
Changed-By: Andreas Beckmann 
Description:
 kde-telepathy-data - Shared data for all the KDE Telepathy components
 kde-telepathy-debugger - Debugging tool for KDE Telepathy
 kde-telepathy-kaccounts - kaccounts plugins for kde-telepathy
 kde-telepathy-kpeople - kpeople plugins for kde-telepathy
 libktp-dbg - KDE Telepathy internal library - debug symbols
 libktp-dev - KDE Telepathy internal library - Development headers
 libktpcommoninternals9 - KDE Telepathy common internal library
 libktplogger9 - KDE Telepathy internal logger library
 libktpmodels9 - KDE Telepathy data models internal library
 libktpotr9 - KDE Telepathy internal OTR library
 libktpwidgets9 - KDE Telepathy common internal widgets library
 qml-module-org-kde-telepathy - kde-telepathy QtDeclarative QML support
Closes: 856599
Changes:
 ktp-common-internals (15.08.3-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * libktpcommoninternals9: Add Breaks: libktpcommoninternalsprivate7 to
 ensure smooth upgrade paths from jessie.  (Closes: #856599)

Bug#856024: Processed: Adding a conflict in systemd-sysv

2017-03-26 Thread Julien Cristau
On Sat, Mar 18, 2017 at 20:16:53 +0100, Michael Biebl wrote:

> Asking the release team for their input.
> 
Care to summarize the issue?  I didn't understand from your mail...

Cheers,
Julien



Bug#858503: marked as done (libinfinity-0.6-dev: missing Depends: infinoted (= ${binary:Version}))

2017-03-26 Thread Debian Bug Tracking System
Your message dated Sun, 26 Mar 2017 15:16:21 +
with message-id 
and subject line Bug#858503: fixed in libinfinity 0.6.7-2
has caused the Debian Bug report #858503,
regarding libinfinity-0.6-dev: missing Depends: infinoted (= ${binary:Version})
to be marked as done.


-- 
858503: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858503
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libinfinity-0.6-dev
Version: 0.6.7-1
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package ships (or creates)
a broken symlink.

From the attached log (scroll to the bottom...):

2m20.6s ERROR: FAIL: Broken symlinks:
  /usr/lib/x86_64-linux-gnu/libinfinoted-plugin-manager-0.6.so -> 
libinfinoted-plugin-manager-0.6.so.0.0.0

BTW, why isn't libinfinoted-plugin-manager-0.6.so.0.0.0 in a library package?


cheers,

Andreas


libinfinity-0.6-dev_0.6.7-1+b1.log.gz
Description: application/gzip
--- End Message ---
--- Begin Message ---
Source: libinfinity
Source-Version: 0.6.7-2

We believe that the bug you reported is fixed in the latest version of
libinfinity, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 858...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Philipp Kern  (supplier of updated libinfinity package)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sun, 26 Mar 2017 15:15:33 +0200
Source: libinfinity
Binary: libinfinity-0.6-dev libinfinity-0.6-doc libinfinity-0.6-dbg 
libinfinity-0.6-0 libinfgtk3-0.6-0 infinoted
Architecture: source amd64 all
Version: 0.6.7-2
Distribution: unstable
Urgency: medium
Maintainer: Philipp Kern 
Changed-By: Philipp Kern 
Description:
 infinoted  - dedicated server for infinote-based collaborative editing
 libinfgtk3-0.6-0 - infinote-based collaborative editing (Gtk widgets)
 libinfinity-0.6-0 - infinote-based collaborative editing
 libinfinity-0.6-dbg - infinote-based collaborative editing - debugging symbols
 libinfinity-0.6-dev - infinote-based collaborative editing - development files
 libinfinity-0.6-doc - infinote-based collaborative editing - documentation
Closes: 858503
Changes:
 libinfinity (0.6.7-2) unstable; urgency=medium
 .
   * Include the two patches from 0.6.8. (This is the only code change
 in that release, but it contains a lot of tooling noise.)
   * Update upstream's signing key.
   * Move libinfinoted-plugin-manager files from infinoted to
 libinfinity-0.6-0.  (Thanks to Anton Gladky) (Closes: #858503)
   * Adjust libinfinity-0.6-0's symbols file to list infinoted's plugin
 manager with a minimal dependency version.

Processed: Re: Bug#856133: shiboken FTBFS on i386/armel/armhf: other_collector_external_operator test failed

2017-03-26 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + patch
Bug #856133 [src:shiboken] shiboken FTBFS on i386/armel/armhf: 
other_collector_external_operator test failed
Added tag(s) patch.

-- 
856133: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856133
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#856133: shiboken FTBFS on i386/armel/armhf: other_collector_external_operator test failed

2017-03-26 Thread Gilles Filippini
Control: tags -1 + patch

Gilles Filippini wrote on 25/03/2017 at 17:20:
> On Sat, 4 Mar 2017 20:06:36 +0100 gregor herrmann  wrote:
>> On Sat, 25 Feb 2017 16:07:03 +0200, Adrian Bunk wrote:
>>
>>> Source: shiboken
>>> Version: 1.2.2-3
>>> Severity: serious
>>>
>>> https://buildd.debian.org/status/package.php?p=shiboken=sid
>>>
>>
>> FWIW, the package currently builds fine for me in an i386 sid
>> cowbuilder chroot (and an amd64 machine).
> 
> Strangely it builds fine in an i386 sbuild chroot, but it fails
> reproducibly on porter box barriere.debian.org.

The failing testcase seems flawed:
> class CollectorOtherObjectType(unittest.TestCase):
>     '''Test cases for Collector << OtherObjectType'''
>     ...
>     def testOtherReversal(self):
>         '''Collector << OtherObjectType # libother << operator'''
>         collector = Collector()
>         obj = OtherObjectType()
>         collector << obj
>         self.assertEqual(collector.items()[0], obj.identifier() * 2)

Collector stores unsigned long ids:
> class LIBSAMPLE_API Collector
> {
> public:
>     Collector() {}
>     virtual ~Collector() {}
> 
>     void clear();
> 
>     Collector& operator<<(unsigned long item);
> 
>     Collector& operator<<(const ObjectType *);
> 
>     std::list<unsigned long> items();
>     int size();
> ...

OtherObjectType inherits identifier() from ObjectType:
> inline unsigned long identifier() const { return reinterpret_cast<unsigned long>(this); }

And << operator for OtherObjectType stores the object's id * 2 into the
collector:
> Collector&
> operator<<(Collector& collector, const OtherObjectType& obj)
> {
>     std::cout << sizeof() << std::endl;
>     collector << obj.identifier()*2;
>     return collector;
> }

The problem is that the *2 operation may cause an overflow when the result is > ULONG_MAX.
To fix the test, either drop the *2, or store unsigned long long into
Collector.items(). The easiest being the former, IMHO.
Patch attached.

Thanks,

_g.

diff -Nru shiboken-1.2.2/debian/changelog shiboken-1.2.2/debian/changelog
--- shiboken-1.2.2/debian/changelog 2016-07-09 14:34:52.0 +
+++ shiboken-1.2.2/debian/changelog 2017-03-26 14:09:16.0 +
@@ -1,3 +1,11 @@
+shiboken (1.2.2-3.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * New patch fix-collector_external_operator_test.patch to fix an
+unsigned long overflow in testcase collector_external_operator_test.py
+
+ -- Gilles Filippini   Sun, 26 Mar 2017 14:09:16 
+
+
 shiboken (1.2.2-3) unstable; urgency=medium
 
   [ Ondřej Nový ]
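Review bot: the new 1.2.2-3.1 entry at the top of this hunk names the patch but carries no "Closes: #856133", so uploading it would not close the bug this mail is filed against. Add the closure to the "New patch fix-collector_external_operator_test.patch" bullet, and replace UNRELEASED with the target distribution before the upload.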
diff -Nru 
shiboken-1.2.2/debian/patches/fix-collector_external_operator_test.patch 
shiboken-1.2.2/debian/patches/fix-collector_external_operator_test.patch
--- shiboken-1.2.2/debian/patches/fix-collector_external_operator_test.patch
1970-01-01 00:00:00.0 +
+++ shiboken-1.2.2/debian/patches/fix-collector_external_operator_test.patch
2017-03-26 14:09:16.0 +
@@ -0,0 +1,29 @@
+Description: don't *2 the object's identifier because this causes an
+ unsigned long overflow when the result is > ULONG_MAX
+Author: Gilles Filippini 
+Bug-Debian: http://bugs.debian.org/856133
+Index: shiboken-1.2.2/tests/libother/otherobjecttype.cpp
+===
+--- shiboken-1.2.2.orig/tests/libother/otherobjecttype.cpp
 shiboken-1.2.2/tests/libother/otherobjecttype.cpp
+@@ -25,6 +25,6 @@
+ Collector&
+ operator<<(Collector& collector, const OtherObjectType& obj)
+ {
+-collector << obj.identifier()*2;
++collector << obj.identifier();
+ return collector;
+ }
+Index: shiboken-1.2.2/tests/otherbinding/collector_external_operator_test.py
+===
+--- shiboken-1.2.2.orig/tests/otherbinding/collector_external_operator_test.py
 shiboken-1.2.2/tests/otherbinding/collector_external_operator_test.py
+@@ -46,7 +46,7 @@ class CollectorOtherObjectType(unittest.
+ collector = Collector()
+ obj = OtherObjectType()
+ collector << obj
+-self.assertEqual(collector.items()[0], obj.identifier() * 2)
++self.assertEqual(collector.items()[0], obj.identifier())
+ 
+ if __name__ == '__main__':
+ unittest.main()
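Review bot: with the *2 dropped both from operator<< in otherobjecttype.cpp and from the assertion in testOtherReversal, the test can no longer tell the libother operator<< apart from any other overload that stores the plain identifier, which is what its docstring ("libother << operator") says it checks. Keeping a transformation that cannot wrap in unsigned long would preserve that, for example "collector << obj.identifier()/2;" in C++ and "obj.identifier() // 2" in the assertion. The Description would also be more exact if it said that the C++ product wraps modulo ULONG_MAX + 1 while the Python side multiplies without wrapping, since that mismatch is what makes assertEqual fail. The patch header has no Forwarded field.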
diff -Nru shiboken-1.2.2/debian/patches/series 
shiboken-1.2.2/debian/patches/series
--- shiboken-1.2.2/debian/patches/series2016-07-09 14:24:52.0 
+
+++ shiboken-1.2.2/debian/patches/series2017-03-26 14:03:45.0 
+
@@ -6,3 +6,4 @@
 fix_py3_expect.patch
 pkg-config-depend-on-python.patch
 0008-Cast-ifstream-to-bool-explicitely-to-work-with-GCC-6.patch
+fix-collector_external_operator_test.patch


signature.asc
Description: OpenPGP digital signature
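
The mismatch described in the message above, as an added example that is not part of the original mail or of shiboken: it models the C++ side of `collector << obj.identifier()*2` for 32-bit and 64-bit `unsigned long` and compares it with what the Python test computes, including the two fixes the mail names. The sample addresses, the variant names and all function names are constructed for illustration.

```python
"""Model of the collector_external_operator_test failure: the C++ product
wraps at the width of unsigned long, the Python product does not."""
import ctypes

ILP32_ULONG_BITS = 32  # unsigned long on i386, armel, armhf
LP64_ULONG_BITS = 64   # unsigned long on amd64
ULONGLONG_BITS = 64    # unsigned long long on all of them

# Constructed object addresses: one below and one above 2**31.
SAMPLE_ADDRESSES = (0x0804A010, 0xB7D3C008)
VARIANTS = ("original", "wide_item_only", "widen_then_multiply", "patched")


def wrap(value, bits):
    """Reduce value modulo 2**bits, as C++ unsigned arithmetic does."""
    return value & ((1 << bits) - 1)


def host_ulong_bits():
    """Width of unsigned long on the machine running this script."""
    return ctypes.sizeof(ctypes.c_ulong) * 8


def cxx_collected(address, ulong_bits, variant):
    """Value the libother operator<< stores for an object at `address`."""
    ident = wrap(address, ulong_bits)  # identifier(): address as unsigned long
    if variant == "original":
        # collector << obj.identifier()*2;  product computed in unsigned long
        return wrap(ident * 2, ulong_bits)
    if variant == "wide_item_only":
        # Items widened to unsigned long long, but the product is still
        # computed in unsigned long and converted afterwards: same wrap.
        return wrap(wrap(ident * 2, ulong_bits), ULONGLONG_BITS)
    if variant == "widen_then_multiply":
        # Operand converted to unsigned long long before multiplying.
        return wrap(ident * 2, ULONGLONG_BITS)
    if variant == "patched":
        # collector << obj.identifier();  nothing left to overflow
        return ident
    raise ValueError("unknown variant: %r" % (variant,))


def python_expected(address, ulong_bits, variant):
    """Right-hand side of assertEqual; Python integers never wrap."""
    ident = wrap(address, ulong_bits)
    return ident if variant == "patched" else ident * 2


def assertion_holds(address, ulong_bits, variant="original"):
    """True when the test's assertEqual would pass for this address."""
    return (cxx_collected(address, ulong_bits, variant)
            == python_expected(address, ulong_bits, variant))


def first_failing_address(ulong_bits, variant="original"):
    """Lowest address at which the assertion fails, or None if it never does.

    Doubling wraps exactly from half the modulus upwards, so only the two
    half-modulus points (unsigned long, unsigned long long) need checking.
    """
    candidates = sorted({1 << (ulong_bits - 1), 1 << (ULONGLONG_BITS - 1)})
    for address in candidates:
        representable = address < (1 << ulong_bits)
        if representable and not assertion_holds(address, ulong_bits, variant):
            return address
    return None


if __name__ == "__main__":
    print("host unsigned long: %d bits" % host_ulong_bits())
    for variant in VARIANTS:
        for address in SAMPLE_ADDRESSES:
            print("%-20s 0x%08X stored=0x%X expected=0x%X %s" % (
                variant, address,
                cxx_collected(address, ILP32_ULONG_BITS, variant),
                python_expected(address, ILP32_ULONG_BITS, variant),
                "ok" if assertion_holds(address, ILP32_ULONG_BITS, variant)
                else "FAIL"))
        first = first_failing_address(ILP32_ULONG_BITS, variant)
        print("%-20s first failing 32-bit address: %s" % (
            variant, "none" if first is None else hex(first)))
```

Widening only the stored item type does not help, because the product has already wrapped in `unsigned long` before the conversion happens.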


Bug#858503: diff NMU for libinfinity_0.6.7-1.1

2017-03-26 Thread Anton Gladky
Hi Philipp,

2017-03-26 15:06 GMT+02:00 Philipp Kern :
> Actually I'll upload a new upstream version to fix a use-after-free. So
> please just cancel the NMU.

I have just cancelled the upload. Please be sure that Release managers
will accept a new upstream version to be included into the Stretch
during freeze period.

Best regards

Anton



Bug#858769: "cvs init" creates CVSROOT/history and val-tags world-writeable

2017-03-26 Thread Thorsten Glaser
Hi Ian,

>zealot:d> ll CVSROOT/
>...
>-rw-rw-rw- 1 ian ian 0 Mar 26 13:38 history
>...
>-rw-rw-rw- 1 ian ian 0 Mar 26 13:38 val-tags

Indeed. This is something I wondered about as well, and which, I
think, most people actually operating a CVS server change.

I just did a quick test, and I found out that repository access
needs write permissions (for the reader lock files) anyway (or
CVSREADONLYFS/-R, of course), so this is probably totally useless.

>AFAICT from the text in cvs.txt.gz, a corrupted val-tags file can
>cause CVS to be oblivious to some tags and claim they do not exist.  I

I see only the requirement for users that can commit to be able
to write into them there, and a historic reference.

I’ve been running my CVS repository with a truncated val-tags for
ages; each 'cvs tag' operation adds to it, but nothing so far has
failed when I remove the entries again. This is probably a historic
accident or something.

>AIUI the history file is used to record even read-only operations.

This is true, but it can be disabled.

>I'm not sure what the worst consequences could be of a corrupted or
>malicious history file.

AFAICT it’s append-only.

>Instead, it would be better to make the file writeable only by those
>with write access to the repository, and simply not record the
>read-only operations.

I agree. We could create them both with permissions 0644 and adjust
the default configuration accordingly.

>I have filed this bug with severity `serious' because it's a prima
>facie security bug and because I didn't find anything in the package

I don’t quite agree with that, but given it also affects temporary
local repositories users could create in their homes when those are
traversable by other, it can have not-nice effects.

>If these permissions are indeed safe, then please take this as a
>request for a documentation improvement and downgrade the bug
>accordingly.

I think I’ll look into changing the default configuration and
permissions instead and documenting this (in the Cederqvist and
the Debian NEWS file). I’ll check whether the history file is
indeed append-only, too, and what val-tags is used for internally,
then I’ll do an upload. We’ll deviate from upstream there, but
given chances are that I’ll become the new upstream anyway, this
point is irrelevant.

Please feel free to provide further input (suggested behavioural
changes, documentation, patches, etc.) if you wish. Your contribution
by means of filing bugs is appreciated.

Thanks,
//mirabilos
-- 
13:22⎜«neurodamage» mira, what's up man? I have a CVS question for you in #cvs
13:22⎜«neurodamage» since you're so good w. it │ «neurodamage:#cvs» i love you
13:28⎜«neurodamage:#cvs» you're a handy guy to have around for systems stuff ☺
16:06⎜ Thank god I found you =)   20:03│«bioe007:#cvs» mira2k: ty
17:14⎜ Thanks big help you are :-)mira|nwt: ty again
18:35⎜«alturiak:#cvs» mirabilos: aw, nice. thanks :o
18:36⎜«ThunderChicken:#cvs» mirabilos FTW!  23:03⎜«mithraic:#cvs» aaah. thanks
18:41⎜«alturiak:#cvs» phew. thanks a bunch, guys. you just made my weekend :-)
18:10⎜«sumit:#cvs» mirabilos: oh ok.. thanks for that
21:57⎜ yeah, I really appreciate help
18:50⎜«grndlvl:#cvs» thankyou18:50⎜«grndlvl:#cvs» worked perfectly
20:50⎜ i see. mirabilos, thnks for your support
00:36⎜«halirutan:#cvs» ok, the obvious way:-) thx
18:44⎜«arcfide:#cvs» mirabilos, I am running OpenBSD. 18:59⎜«arcfide:#cvs»
Hrm, yes, I see what you mean. 19:01⎜«arcfide:#cvs» Yeah, thanks for the help.
21:33⎜«CardinalFang:#cvs» Ugh.  Okay.  Sorry for the dumb question.  Thank you
21:34⎜ mirabilos: whoa that's sweet
21:52⎜«garrett__:#cvs» much appreciated  «garrett__:#cvs» thanks for your time
23:39⎜ this worked, thank you very much 16:26⎜ ok
thx, i'll try that 20:00⎜«stableable:#cvs» Thank you.20:50⎜«s833:#cvs»
mirabilos: thanks a lot.19:34⎜ Thanks for confirming :)
20:08⎜ ...works like a charm.. thanks mirabilos



Bug#858503: diff NMU for libinfinity_0.6.7-1.1

2017-03-26 Thread Philipp Kern
On 03/26/2017 02:43 PM, Philipp Kern wrote:
> On 03/25/2017 11:35 PM, Anton Gladky wrote:
>> I have prepared an NMU (versioned as 0.6.7-1.1) and
>> uploaded to DELAYED/5.
>>
>> Please feel free to tell me if I should delay it longer, cancel
>> or reschedule.
>>
>> Diff is attached.
> 
> So the plugin manager was an oversight. The library actually ships
> header files to link new plugins. So I guess the plugin manager needs to
> go into libinfinity in absence of a more sensible place to put it (its
> own binary package).
> 
> But the plugins belong into the infinoted package. So that part of the
> NMU is wrong. If you do that the dependency on libinfinity-0.6-0 will
> also naturally come from shlibs:Depends and doesn't need to be specified
> manually (because it links directly with the plugin manager, among other
> things, but dlopen()s the plugins).
> 
> Please don't upload this as-is. (But thanks for getting the ball rolling!)

Actually I'll upload a new upstream version to fix a use-after-free. So
please just cancel the NMU. (OTOH I'm probably quicker and will just
upload the new package later today.)

Kind regards and thanks again
Philipp Kern






Bug#858769: "cvs init" creates CVSROOT/history and val-tags world-writeable

2017-03-26 Thread Ian Jackson
Package: cvs
Version: 2:1.12.13+real-21
Severity: grave

zealot:d> umask
0002
zealot:d> cvs -d `pwd` init
zealot:d> ll CVSROOT/
...
-rw-rw-rw- 1 ian ian 0 Mar 26 13:38 history
...
-rw-rw-rw- 1 ian ian 0 Mar 26 13:38 val-tags
...

AFAICT from the text in cvs.txt.gz, a corrupted val-tags file can
cause CVS to be oblivious to some tags and claim they do not exist.  I
don't know whether cvs's parser for val-tags is robust against
malicious input.  I haven't attempted a simulated attack.

AIUI the history file is used to record even read-only operations.
I'm not sure what the worst consequences could be of a corrupted or
malicious history file.

Instead, it would be better to make the file writeable only by those
with write access to the repository, and simply not record the
read-only operations.


I have filed this bug with severity `serious' because it's a prima
facie security bug and because I didn't find anything in the package
or the bug system which provides a justification for why this is
OK.

(Note: what is needed is not an explanation of why this is
necessary for CVS's current functionality.  What is needed is an
explanation of why these world-writeable control files cannot make cvs
malfunction, if they are maliciously modified.)

If these permissions are indeed safe, then please take this as a
request for a documentation improvement and downgrade the bug
accordingly.

Thanks,
Ian.

-- 
Ian Jackson    These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
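
The check from the report above, written as a repeatable audit. This is an added example, not part of the bug report or of the cvs package: the function names are made up here, and the sample repository is constructed with `mkdir` and `chmod` rather than `cvs init`, with `config` included only as a non-writable control case.

```shell
#!/bin/sh
# Added example: find world-writable control files in a CVS repository's
# CVSROOT, matching the "ll CVSROOT/" listing in the report.

# list_world_writable REPO
# Prints every regular file under REPO/CVSROOT that is writable by "other".
list_world_writable() {
    find "$1/CVSROOT" -type f -perm -0002 -print | sort
}

# audit_cvsroot REPO
# Returns 0 when no file is world-writable, 1 when at least one is,
# 2 when REPO has no CVSROOT directory.
audit_cvsroot() {
    [ -d "$1/CVSROOT" ] || { echo "no CVSROOT under $1" >&2; return 2; }
    aw_hits=$(list_world_writable "$1")
    if [ -z "$aw_hits" ]; then
        return 0
    fi
    printf '%s\n' "$aw_hits" | sed 's/^/world-writable: /'
    return 1
}

# tighten_cvsroot REPO
# Removes the "other" write bit from the files the audit reports, as the
# report suggests. Afterwards, users without write access to the repository
# can no longer append to these files.
tighten_cvsroot() {
    list_world_writable "$1" | while IFS= read -r tw_file; do
        chmod o-w "$tw_file"
    done
}

# make_constructed_repo
# Builds a throwaway directory that mimics the permissions in the report
# (constructed sample; it does not run "cvs init"). Prints its path.
make_constructed_repo() {
    mc_dir=$(mktemp -d) || return 1
    mkdir "$mc_dir/CVSROOT"
    : > "$mc_dir/CVSROOT/history"
    : > "$mc_dir/CVSROOT/val-tags"
    : > "$mc_dir/CVSROOT/config"
    chmod 666 "$mc_dir/CVSROOT/history" "$mc_dir/CVSROOT/val-tags"
    chmod 644 "$mc_dir/CVSROOT/config"
    printf '%s\n' "$mc_dir"
}
```

Run `audit_cvsroot /path/to/repository` against a real repository; the exit status makes it usable from a cron job or a monitoring check.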



Bug#858503: diff NMU for libinfinity_0.6.7-1.1

2017-03-26 Thread Philipp Kern
On 03/25/2017 11:35 PM, Anton Gladky wrote:
> I have prepared an NMU (versioned as 0.6.7-1.1) and
> uploaded to DELAYED/5.
> 
> Please feel free to tell me if I should delay it longer, cancel
> or reschedule.
> 
> Diff is attached.

So the plugin manager was an oversight. The library actually ships
header files to link new plugins. So I guess the plugin manager needs to
go into libinfinity in absence of a more sensible place to put it (its
own binary package).

But the plugins belong into the infinoted package. So that part of the
NMU is wrong. If you do that the dependency on libinfinity-0.6-0 will
also naturally come from shlibs:Depends and doesn't need to be specified
manually (because it links directly with the plugin manager, among other
things, but dlopen()s the plugins).

Please don't upload this as-is. (But thanks for getting the ball rolling!)

Kind regards
Philipp Kern





Bug#857521: marked as done (liballjoynservices-dev-1509: broken symlink: /usr/lib/x86_64-linux-gnu/liballjoyn_config.so -> liballjoyn_config.so.1509)

2017-03-26 Thread Debian Bug Tracking System
Your message dated Sun, 26 Mar 2017 11:48:45 +
with message-id 
and subject line Bug#857521: fixed in alljoyn-services-1509 15.09-4
has caused the Debian Bug report #857521,
regarding liballjoynservices-dev-1509: broken symlink: 
/usr/lib/x86_64-linux-gnu/liballjoyn_config.so -> liballjoyn_config.so.1509
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
857521: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857521
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: liballjoynservices-dev-1509
Version: 15.09-3
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package ships (or creates)
a broken symlink.

From the attached log (scroll to the bottom...):

0m36.7s ERROR: FAIL: Broken symlinks:
  /usr/lib/x86_64-linux-gnu/liballjoyn_config.so -> liballjoyn_config.so.1509

A file called liballjoyn_config.so.1509 does not seem to exist in
any package in Debian unstable.


cheers,

Andreas


liballjoynservices-dev-1509_15.09-3.log.gz
Description: application/gzip
--- End Message ---
--- Begin Message ---
Source: alljoyn-services-1509
Source-Version: 15.09-4

We believe that the bug you reported is fixed in the latest version of
alljoyn-services-1509, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 857...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz  (supplier of updated 
alljoyn-services-1509 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 26 Mar 2017 12:28:32 +0200
Source: alljoyn-services-1509
Binary: liballjoynservices1509 liballjoynservices-dev-1509 alljoyn-services-1509
Architecture: source amd64
Version: 15.09-4
Distribution: sid
Urgency: medium
Maintainer: Debian IoT Maintainers 

Changed-By: Thorsten Alteholz 
Description:
 alljoyn-services-1509 - AllJoyn base services for 1509
 liballjoynservices-dev-1509 - AllJoyn base services C++ development library
 liballjoynservices1509 - AllJoyn base services library
Closes: 857521
Changes:
 alljoyn-services-1509 (15.09-4) unstable; urgency=medium
 .
   * fix broken symlink (closes: #857521).
 (thanks to Michael Ott for the patch)

Bug#856536: [Packaging] Bug#856536: munin: regression from DSA-3794-2: spams munin logs with unitialized warnings: [PERL WARNING] Use of uninitialized value $size_x in string eq at /usr/lib/munin/cgi/

2017-03-26 Thread Jonas Meurer
Hi Holger,

Am 06.03.2017 um 12:54 schrieb Holger Levsen:
> could you please be so kind and push your wheezy and jessie uploads to
> munin.git too? It lives in collab-maint on alioth, so you both should
> have write access already :)
> 
> Please just push it as signed tags (based on previous tags), not as
> branches, and please use the debian/* tag namespace.
> 
> Thanks!
> 
> (If you insist, even mildly, I'd create those tags, but you'd help me if you
> did. And: you already helped, so choose your pick :)

done.

Kind regards,
 jonas






Processed: Re: squid: prompting due to modified conffiles which were not modified by the user: /etc/squid/squid.conf

2017-03-26 Thread Debian Bug Tracking System
Processing control commands:

> notfixed -1 3.5.12-1
Bug #801564 {Done: Amos Jeffries } [squid] squid: 
prompting due to modified conffiles which were not modified by the user: 
/etc/squid/squid.conf
No longer marked as fixed in versions squid3/3.5.12-1.
> fixed -1 3.5.23-2
Bug #801564 {Done: Amos Jeffries } [squid] squid: 
prompting due to modified conffiles which were not modified by the user: 
/etc/squid/squid.conf
Marked as fixed in versions squid3/3.5.23-2.
> notfound -1 3.5.23-2
Bug #801564 {Done: Amos Jeffries } [squid] squid: 
prompting due to modified conffiles which were not modified by the user: 
/etc/squid/squid.conf
No longer marked as found in versions squid3/3.5.23-2.

-- 
801564: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801564
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#801564: squid: prompting due to modified conffiles which were not modified by the user: /etc/squid/squid.conf

2017-03-26 Thread Cobra
Control: notfixed -1 3.5.12-1
Control: fixed -1 3.5.23-2
Control: notfound -1 3.5.23-2
thanks

simply mirroring commands, because sending Control commands to nnn-done@ does 
not yet work, see #705155.



Processed: tagging 857744

2017-03-26 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 857744 + pending
Bug #857744 [src:qemu] qemu: CVE-2016-9603: cirrus: heap buffer overflow via 
vnc connection
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
857744: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857744
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#857295: [pkg-lxc-devel] Bug#857295: Bug#857295: Info received ([oss-security] LXC: CVE-2017-5985: lxc-user-nic didn't verify network namespace ownership)

2017-03-26 Thread Evgeni Golov
Hi Stiepan,

On Fri, Mar 24, 2017 at 10:51:24AM -0400, Stiepan wrote:

> Using a bridge set up with libvirt (as in 
> http://wiki.libvirt.org/page/Networking#NAT_forwarding_.28aka_.22virtual_networks.22.29)
>  doesn't work.

Is that what the libvirt package does on Debian out-of-the-box?
If so it works just fine for me on my laptop where I put the containers on the 
virbr0 created by libvirt.

> Neither does using a bridge set up as indicated in 
> https://wiki.debian.org/LXC/SimpleBridge#Using_lxc-net (causes the same 
> errors as with libvirt).

So I just fired a fresh jessie+backports Vagrant box and it worked fine (incl 
network in the container):

$ vagrant init debian/jessie64
$ vagrant up
$ vagrant ssh

vagrant@jessie:~$ sudo nano /etc/apt/sources.list
deb http://httpredir.debian.org/debian jessie-backports main

vagrant@jessie:~$ sudo apt update

vagrant@jessie:~$ sudo apt install lxc/jessie-backports lxcfs

vagrant@jessie:~$ sudo nano /etc/default/lxc-net
USE_LXC_BRIDGE="true"

vagrant@jessie:~$ systemctl enable lxc-net
vagrant@jessie:~$ systemctl restart lxc-net

vagrant@jessie:~$ ip a s dev lxcbr0
3: lxcbr0:  mtu 1500 qdisc noqueue state 
DOWN group default 
link/ether 00:16:3e:00:00:00 brd ff:ff:ff:ff:ff:ff
inet 10.0.3.1/24 scope global lxcbr0
   valid_lft forever preferred_lft forever

vagrant@jessie:~$ sudo sysctl -w kernel.unprivileged_userns_clone=1

vagrant@jessie:~$ exit # needed to trigger lxcfs' PAM module

$ vagrant ssh

vagrant@jessie:~$ cat /proc/self/cgroup 
8:perf_event:/
7:blkio:/
6:net_cls,net_prio:/
5:freezer:/user/vagrant/0
4:devices:/
3:cpu,cpuacct:/
2:cpuset:/
1:name=systemd:/user/vagrant/0

vagrant@jessie:~$ mkdir ~/.config/lxc/ -p

vagrant@jessie:~$ nano ~/.config/lxc/default.conf 
lxc.include = /etc/lxc/default.conf
lxc.id_map = u 0 624288 65536
lxc.id_map = g 0 624288 65536

vagrant@jessie:~$ sudo nano /etc/lxc/lxc-usernet
vagrant veth lxcbr0 10

vagrant@jessie:~$ lxc-create -n jessie -t download -- -d debian -r jessie -a amd64

vagrant@jessie:~$ nano .local/share/lxc/jessie/config 
lxc.network.type=veth 
lxc.network.flags=up 
lxc.network.link=lxcbr0 

vagrant@jessie:~$ lxc-start -n jessie
vagrant@jessie:~$ lxc-ls -f
NAME   STATE   AUTOSTART GROUPS IPV4 IPV6 
jessie RUNNING 0 -  --


> Using a classical / "plain old" / you-name-it bridge, set up as in 
> http://wiki.libvirt.org/page/Networking#Altering_the_interface_config, does 
> work.

I don't see any technical difference between the plain br0 setup with this link 
and the ones created by lxc-net or libvirt.
Can you point them out please?

> By the way, the lxc_delete_network:3028... additional error I was seeing pops 
> up only when /etc/lxc/lxc-usernet is still set to use br0, whilst the LXC 
> container is 
> set to use virbr0 and hence can be ignored, sorry about that. When properly 
> configured (i.e. when both are configured to use virbr0, or lxcbr0), 
> container startup 
> simply fails with a "Failed to create the configured network" error, but 
> still fails, whereas when using classical br0, it works.

Can you please provide the steps how to setup your setup from a plain jessie or 
stretch image?

> So, if your bridge is set up as suggested in 
> https://wiki.debian.org/BridgeNetworkConnections' Manual bridge setup 
> section, using either brctl or 
> /etc/network/interfaces (for a persistent config), we have the same 
> configuration and it works, which is fine. Still, I thought that LXC enabled 
> using lxcbr0 bridges 
> in user mode, as lxc-user-nic's man page suggests is possible. Can you 
> confirm whether this is the case with the current version?

lxc-user-nic is to attach a user-namespace-nic to an existing bridge, you can't 
create a bridge with it.
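
A pre-flight check for the mismatch mentioned in the quoted text, where `/etc/lxc/lxc-usernet` names one bridge and the container config names another. This is an added example, not code from the thread or from LXC: the function names and sample file names are hypothetical, the sample contents are constructed from values quoted in this message, and `@group` entries in lxc-usernet are not evaluated.

```shell
#!/bin/sh
# Added example: check that every bridge a container config names has a
# matching veth entry for the user in lxc-usernet.

# config_bridges CONFIG: print the value of each lxc.network.link line.
config_bridges() {
    awk -F= '
        /^[ \t]*#/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == "lxc.network.link" {
            val = $2; gsub(/[ \t\r]/, "", val)
            if (val != "") print val
        }' "$1"
}

# usernet_allows USER BRIDGE USERNET: succeed if USERNET has a line
# "USER veth BRIDGE N" with N > 0. "@group" lines are not evaluated here.
usernet_allows() {
    awk -v u="$1" -v b="$2" '
        /^[ \t]*#/ { next }
        $1 == u && $2 == "veth" && $3 == b && $4 + 0 > 0 { ok = 1 }
        END { exit !ok }' "$3"
}

# check_container_bridges USER CONFIG USERNET
# Prints "ok BRIDGE" or "missing BRIDGE" per link line; returns 1 if any
# bridge has no usable entry for USER.
check_container_bridges() {
    cb_rc=0
    for cb_bridge in $(config_bridges "$2"); do
        if usernet_allows "$1" "$cb_bridge" "$3"; then
            echo "ok $cb_bridge"
        else
            echo "missing $cb_bridge"
            cb_rc=1
        fi
    done
    return "$cb_rc"
}

# write_constructed_samples DIR: sample files built from values quoted in
# the thread (constructed; file names are stand-ins for the real paths).
write_constructed_samples() {
    printf '%s\n' '# user type bridge number' \
        'vagrant veth lxcbr0 10' > "$1/lxc-usernet"
    printf '%s\n' 'lxc.network.type=veth ' 'lxc.network.flags=up ' \
        'lxc.network.link=lxcbr0 ' > "$1/config.match"
    printf '%s\n' 'lxc.network.type = veth' \
        'lxc.network.link = virbr0' > "$1/config.mismatch"
}
```

On a real host the call would be `check_container_bridges "$USER" ~/.local/share/lxc/jessie/config /etc/lxc/lxc-usernet`, using the paths shown in the session above.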



Bug#858729: plasma-discover: too many bugs for the next stable

2017-03-26 Thread Leand
> So, this is not a bug in Discover. Also, all of the issues outlined in
> this bug report are minor annoyances which do not at all justify the
> severity of "grave" for this bug report.
> I am even tempted to close it:
> * The search results are not Discover's fault, or are intended (see below)
> * Discover will not show dependencies or packages - it is not a
> package manager. If you want a package manager, use Apper or Muon.
> * Displaying unrelated stuff to be removed when removing Gimp is
> definitely a bug, but creating a clean, new one with normal priority
> is a better idea here. Also, immediately reporting this upstream will
> help.

Thank you for your explanation! However this is a little bit confusing for me
and I hope you can help me understand better the problem.

The issues that I reported appear in discover and even if they are not all bugs
of discover they unfortunately make discover unusable for me. I understand
that the search issue is not discover's fault but still, for an average user
like me, it is discover that cannot be used as intended. That is why the
severity of grave.

Also, why discover is not a package manager? The description says that it is
"a graphical software manager for the Plasma workspace". Muon is "graphical
package manager for KDE" and Apper is "a KDE package manager based on
PackageKit". Ehr... it is really really confusing! What am I supposed to use?
Why having three almost identical software for kde?

Thank you.

Bug#858564: Confirmed on sid

2017-03-26 Thread Mathieu Parent
Control: tag -1 + confirmed upstream
Control: found -1 2:4.5.6+dfsg-2
Control: severity -1 important

Hello,

I can reproduce it on sid. It has also been reproduced on master.

I've downgraded the severity: this is a regression but it doesn't
"renders package unusable", as removing "follow symlinks = no"
works around the problem.


Regards

-- 
Mathieu Parent



Processed: Confirmed on sid

2017-03-26 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 + confirmed upstream
Bug #858564 [samba] Cannot access anything under a subdirectory if symlinks are 
disallowed
Added tag(s) upstream.
> found -1 2:4.5.6+dfsg-2
Bug #858564 [samba] Cannot access anything under a subdirectory if symlinks are 
disallowed
Marked as found in versions samba/2:4.5.6+dfsg-2.
> severity -1 important
Bug #858564 [samba] Cannot access anything under a subdirectory if symlinks are 
disallowed
Severity set to 'important' from 'grave'

-- 
858564: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858564
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems