Bug#750708: RFS: audiotools/2.21-3 [ITP] -- Collection of audio handling programs for the command line

2014-10-07 Thread Eric Shattow
On Sun, 3 Aug 2014 22:27:11 -0700 Vincent Cheng vch...@debian.org wrote:

 Sorry for not following up on my earlier debian-mentors review until now!

 Agreed with Eriberto, your package is in pretty good shape, however
 there are a few more issues:

 Blockers:
 - debian/copyright needs the full text of CC-BY-SA-3.0-US and
 CC-BY-SA-2.5 (visit http://creativecommons.org/licenses/by-sa/2.5/;
 won't pass ftpmaster review)

Done. Wrapped legalcode text from each respective Creative Commons
website output to 78 col, indented, and added ' .' on blank lines.


 Non-blockers, but please fix anyhow:
 - your very first debian/changelog entry should always just be akin to
 Initial release. (Closes: #550216) (i.e. your ITP bug report). You
 don't need to mention any of your other changes.

OK. Done.

 - rename debian/audiotools.docs to debian/docs
 (debian/package.{docs,install,manpages,...} is redundant if your
 source package only builds a single binary package)

Renamed.


 If you haven't already, please forward those patches upstream.
 Patching in license headers the way you're doing right now should only
 be a short-term thing, and you want it upstream-ed asap.


Upstream applied changes to new stable release 2.22; see:

http://mentors.debian.net/package/audiotools
dget -x http://mentors.debian.net/debian/pool/main/a/audiotools/audiotools_2.22-1.dsc

Eric


-- 
To UNSUBSCRIBE, email to debian-mentors-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/canv2ptpadvgoanjq0pm2hccvtqfn86a+g_t6km_jrmb7fz5...@mail.gmail.com



Bug#764261: RFS: librocket/1.3-1 [ITP]

2014-10-07 Thread Paul Wise
On Mon, 2014-10-06 at 22:13 -0400, Harlan Lieberman-Berg wrote:

 Thanks for packaging librocket for Debian.  I've got a couple things for
 you to fix as the next steps.

Good review Harlan, you missed some important things though, see below.

 2. Your changelog should close an ITP bug - in your case, #764252.

You can do that by adding this in your changelog:

(Closes: #764252)

 5. Your standards version isn't the latest version - you should update
 it to 3.9.6.

Here is the list of changes since the last version:

https://www.debian.org/doc/debian-policy/upgrading-checklist

 6. Your packages should have a short description and a longer
 description that should be enough information for a user to decide
 whether they want to install the package.  Check out Debian Policy 3.4
 for more details there.

https://www.debian.org/doc/debian-policy/ch-binary.html#s-descriptions

These issues block the upload of this package:

The package fails to build for me:

 debian/rules build
dh build --buildsystem=cmake --sourcedirectory=Build 
   dh_testdir -O--buildsystem=cmake -O--sourcedirectory=Build
   debian/rules override_dh_auto_configure
make[1]: Entering directory '/tmp/buildd/librocket-1.3'
dh_auto_configure -- -DBUILD_PYTHON_BINDINGS=On
-DCMAKE_INSTALL_LIBDIR=/usr/lib
dh_auto_configure: cmake ../Build -DCMAKE_INSTALL_PREFIX=/usr
-DCMAKE_VERBOSE_MAKEFILE=ON -DCMAKE_BUILD_TYPE=None
-DBUILD_PYTHON_BINDINGS=On -DCMAKE_INSTALL_LIBDIR=/usr/lib failed to to
execute: No such file or directory
debian/rules:11: recipe for target 'override_dh_auto_configure' failed
make[1]: *** [override_dh_auto_configure] Error 2
make[1]: Leaving directory '/tmp/buildd/librocket-1.3'
debian/rules:8: recipe for target 'build' failed
make: *** [build] Error 2

The python package should be named python-rocket:

https://www.debian.org/doc/packaging-manuals/python-policy/ch-module_packages.html#s-package_names

The .so symlink should be installed in the -dev package.

The library package should be named librocketN

Please read the Debian policy sections on libraries:

https://www.debian.org/doc/debian-policy/ch-sharedlibs.html

Some parts (in Samples/tutorial) of the upstream tarball do not have a
clear license. The copyright holder is also different to the rest of the
package. Some other parts (Samples/) have a DFSG-free license but a
different copyright holder. The status should be clarified upstream, a
DFSG-free license applied and the results documented in
debian/copyright.

The fonts in Samples/assets are under a non-free license and cannot be
distributed in Debian main. Please ask upstream to remove them from the
tarball and from their version control system. They can simply use
font-family: sans-serif in invader.rcss instead.

http://www.exljbris.com/delicious.html
http://www.exljbris.com/eula.html

Some other issues that you might want to correct:

librocket.pc has an incorrect Version and Description.

Please forward the patches upstream if appropriate.

Please add a debian/watch file based on the example and the docs:

https://wiki.debian.org/debian/watch

debian/README.source is a copy of part of the upstream readme.md and is
not needed.

The static library normally isn't needed, please remove it unless
someone files a bug report asking for it to be added.

The pkg-config file doesn't appear to be installed in the package.
https://wiki.debian.org/HowToPackageForDebian#Check_points_for_any_package
how_to_build_for_mingw.txt is not relevant to Debian users, please drop
it from debian/docs.

changelog.txt should be installed with dh_installchangelogs rather than
dh_installdocs.

debian/copyright doesn't look like it conforms to the format. In
particular the licenses are missing dots on the blank lines. In
addition, you can avoid having two copies of the license by having one
license section separated from the files sections and have those files
sections refer to the files sections. The long lines of the license text
should also be wrapped.

http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/

I wonder about the *.tga files in Samples/*invaders/data and
Samples/assets, some of them look like they might have other files (SVG
or similar) as their source. Please ask upstream to include the SVG or
other source in the tarball and have the build system create the *.tga
files at build time.

If the sample games are fun it might be interesting to make packages for
them. If not, their source could be included in an examples package.

Automatic checks:

https://wiki.debian.org/HowToPackageForDebian#Check_points_for_any_package
https://anonscm.debian.org/cgit/collab-maint/check-all-the-things.git

$ cme check dpkg
Warning in 'control source Build-Depends:0' value 'debhelper (= 8.0.0)': 
should be (= 9) not (= 8.0.0) because compat is 9
Warning in 'control source Standards-Version' value '3.9.4': Current standards 
version is 3.9.6
Warning in 'control binary:librocket-dev Depends:0' value 'librocket (= 
${binary:Version})': package 

Bug#764261: RFS: librocket/1.3-1 [ITP]

2014-10-07 Thread whey bags
Thanks very much, I'll have a look at those issues soon. Re: pushing
upstream, I am an upstream maintainer, so it should be relatively painless.
On 7 Oct 2014 11:13, Paul Wise p...@debian.org wrote:

 On Mon, 2014-10-06 at 22:13 -0400, Harlan Lieberman-Berg wrote:

  Thanks for packaging librocket for Debian.  I've got a couple things for
  you to fix as the next steps.

 Good review Harlan, you missed some important things though, see below.

  2. Your changelog should close an ITP bug - in your case, #764252.

 You can do that by adding this in your changelog:

 (Closes: #764252)

  5. Your standards version isn't the latest version - you should update
  it to 3.9.6.

 Here is the list of changes since the last version:

 https://www.debian.org/doc/debian-policy/upgrading-checklist

  6. Your packages should have a short description and a longer
  description that should be enough information for a user to decide
  whether they want to install the package.  Check out Debian Policy 3.4
  for more details there.

 https://www.debian.org/doc/debian-policy/ch-binary.html#s-descriptions

 These issues block the upload of this package:

 The package fails to build for me:

  debian/rules build
 dh build --buildsystem=cmake --sourcedirectory=Build
dh_testdir -O--buildsystem=cmake -O--sourcedirectory=Build
debian/rules override_dh_auto_configure
 make[1]: Entering directory '/tmp/buildd/librocket-1.3'
 dh_auto_configure -- -DBUILD_PYTHON_BINDINGS=On
 -DCMAKE_INSTALL_LIBDIR=/usr/lib
 dh_auto_configure: cmake ../Build -DCMAKE_INSTALL_PREFIX=/usr
 -DCMAKE_VERBOSE_MAKEFILE=ON -DCMAKE_BUILD_TYPE=None
 -DBUILD_PYTHON_BINDINGS=On -DCMAKE_INSTALL_LIBDIR=/usr/lib failed to to
 execute: No such file or directory
 debian/rules:11: recipe for target 'override_dh_auto_configure' failed
 make[1]: *** [override_dh_auto_configure] Error 2
 make[1]: Leaving directory '/tmp/buildd/librocket-1.3'
 debian/rules:8: recipe for target 'build' failed
 make: *** [build] Error 2

 The python package should be named python-rocket:


 https://www.debian.org/doc/packaging-manuals/python-policy/ch-module_packages.html#s-package_names

 The .so symlink should be installed in the -dev package.

 The library package should be named librocketN

 Please read the Debian policy sections on libraries:

 https://www.debian.org/doc/debian-policy/ch-sharedlibs.html

 Some parts (in Samples/tutorial) of the upstream tarball do not have a
 clear license. The copyright holder is also different to the rest of the
 package. Some other parts (Samples/) have a DFSG-free license but a
 different copyright holder. The status should be clarified upstream, a
 DFSG-free license applied and the results documented in
 debian/copyright.

 The fonts in Samples/assets are under a non-free license and cannot be
 distributed in Debian main. Please ask upstream to remove them from the
 tarball and from their version control system. They can simply use
 font-family: sans-serif in invader.rcss instead.

 http://www.exljbris.com/delicious.html
 http://www.exljbris.com/eula.html

 Some other issues that you might want to correct:

 librocket.pc has an incorrect Version and Description.

 Please forward the patches upstream if appropriate.

 Please add a debian/watch file based on the example and the docs:

 https://wiki.debian.org/debian/watch

 debian/README.source is a copy of part of the upstream readme.md and is
 not needed.

 The static library normally isn't needed, please remove it unless
 someone files a bug report asking for it to be added.

 The pkg-config file doesn't appear to be installed in the package.
 https://wiki.debian.org/HowToPackageForDebian#Check_points_for_any_package
 how_to_build_for_mingw.txt is not relevant to Debian users, please drop
 it from debian/docs.

 changelog.txt should be installed with dh_installchangelogs rather than
 dh_installdocs.

 debian/copyright doesn't look like it conforms to the format. In
 particular the licenses are missing dots on the blank lines. In
 addition, you can avoid having two copies of the license by having one
 license section separated from the files sections and have those files
 sections refer to the files sections. The long lines of the license text
 should also be wrapped.

 http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/

 I wonder about the *.tga files in Samples/*invaders/data and
 Samples/assets, some of them look like they might have other files (SVG
 or similar) as their source. Please ask upstream to include the SVG or
 other source in the tarball and have the build system create the *.tga
 files at build time.

 If the sample games are fun it might be interesting to make packages for
 them. If not, their source could be included in an examples package.

 Automatic checks:

 https://wiki.debian.org/HowToPackageForDebian#Check_points_for_any_package
 https://anonscm.debian.org/cgit/collab-maint/check-all-the-things.git

 $ cme check dpkg
 Warning in 'control source 



Bug#764150: marked as done (RFS: proj/4.9.0~rc2-1~exp1)

2014-10-07 Thread Debian Bug Tracking System
Your message dated Tue, 07 Oct 2014 16:25:33 +
with message-id e1xbxzt-0005fh...@quantz.debian.org
and subject line closing RFS: proj/4.9.0~rc2-1~exp1
has caused the Debian Bug report #764150,
regarding RFS: proj/4.9.0~rc2-1~exp1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
764150: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764150
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package proj

 Package name: proj
 Version : 4.9.0~rc2-1~exp1
 Upstream Author : Frank Warmerdam warmer...@pobox.com
 URL : http://trac.osgeo.org/proj/
 License : MIT
 Section : science

It builds those binary packages:

 proj-data    - Cartographic projection filter and library (datum package)
 libproj0     - Cartographic projection library
 libproj-dev  - Cartographic projection library (development files)
 proj-bin     - Cartographic projection library (tools)
 libproj-java - Cartographic projection library (JNI bindings)

To access further information about this package, please visit the following 
URL:

http://mentors.debian.net/package/proj


Alternatively, one can download the package with dget using this command:

  dget -x http://mentors.debian.net/debian/pool/main/p/proj/proj_4.9.0~rc2-1~exp1.dsc

More information about PROJ.4 can be obtained from http://trac.osgeo.org/proj/.

Changes since the last upload:

  * New upstream release.
  * Refresh patches.
  * Update copyright file.
  * Use minimal dh rules.
  * Update install files for Multi-Arch paths.
  * Bump Standards-Version to 3.9.6, no changes.
  * Remove useless autogenerated doxygen files.
  * Update datumgrids.shar with proj-datumgrid-1.6RC1, it now includes
    CTable2 format grid shift files that aren't system dependent,
    but requires PROJ 4.8.0 or newer.
  * Update datumgrids-ch.shar to also include the latest Swiss CHENyx06
    dataset, adding CHENYX06a.{asc,gsb} and chenyx06etrs.gsb.
  * Update nad2bin-data.patch to fix the build when the .lla files from
    proj-datumgrid-1.5 are not present, and install system independent
    files from proj-datumgrid-1.6 if they are present.
  * Add patch to use the higher precision towgs84 values as specified by
    Kadaster for EPSG 28991  28992.


Regards,
 Bas Couwenberg
---End Message---
---BeginMessage---
Package proj version 4.9.0~rc2-1~exp1 is in experimental now.
http://packages.qa.debian.org/proj
---End Message---


Bug#764381: RFS: binwalk/2.0.1+dfsg-1 [RC]

2014-10-07 Thread Gianfranco Costamagna
Package: sponsorship-requests
Severity: important

Dear mentors,

I am looking for a sponsor for my package binwalk

* Package name: binwalk
  Version : 2.0.1+dfsg-1
  Upstream Author : Craig Heffner
* URL : https://github.com/devttys0/binwalk/
* License : Expat

It builds those binary packages:
 binwalk - tool for searching binary images for embedded files and executabl

To access further information about this package, please visit the following 
URL:

http://mentors.debian.net/package/binwalk

Alternatively, one can download the package with dget using this command:

  dget -x http://mentors.debian.net/debian/pool/main/b/binwalk/binwalk_2.0.1+dfsg-1.dsc

More information about binwalk can be obtained from 
https://github.com/devttys0/binwalk/

  Changes since the last upload:

  * Tweak rules/clean target.
  * Bump standard version to 3.9.6, no changes required.
  * Remove bundled deps, ssdeep has a non-free file inside.
(cfr: 764357).
  * Removed bundled deps inside copyright.
  * Add a README.source file explaining why we remove bundles
directory.

  Regards,
   LocutusOfBorg





Bug#764383: RFS: ddate/0.2.2-1 [ITP]

2014-10-07 Thread Sebastian Schmidt
Package: sponsorship-requests
Severity: normal

Dear mentors,

I'm looking for a sponsor for the ddate package which isn't present in
util-linux as of 2.25.

It builds those binary packages:

  ddate - convert Gregorian dates to Discordian dates

To access further information about this package, please visit the following 
URL:

http://mentors.debian.net/package/ddate

The source of the Debian package can be browsed on GitHub at:

https://github.com/yath/debian-ddate


Alternatively, one can download the package with dget using this command:

  dget -x http://mentors.debian.net/debian/pool/main/d/ddate/ddate_0.2.2-1.dsc

More information about ddate can be obtained from 
https://github.com/bo0ts/ddate.

Regards,
 Sebastian




jellyfish: Syntax error in configure when using autoreconf

2014-10-07 Thread Andreas Tille
Hi,

I'm trying to upgrade jellyfish which is maintained here

   Vcs-Git: git://anonscm.debian.org/debian-med/jellyfish.git

I'm using autoreconf and when building the package this leads to

...
checking how to hardcode library paths into programs... immediate
checking for md5sum... md5sum
checking for yaggo... /usr/bin/yaggo
./configure: line 15474: syntax error near unexpected token `VALGRIND,'
./configure: line 15474: `  PKG_CHECK_MODULES(VALGRIND, valgrind = 1.8.0)'
== config.log ==
This file contains any messages produced by compilers while
...


I wonder how I could prevent this failure to create a valid configure
script.

Thanks for any help

  Andreas.

-- 
http://fam-tille.de





Re: jellyfish: Syntax error in configure when using autoreconf

2014-10-07 Thread Ansgar Burchardt
Hi,

Andreas Tille andr...@an3as.eu writes:
 I'm trying to upgrade jellyfish which is maintained here

Vcs-Git: git://anonscm.debian.org/debian-med/jellyfish.git

 I'm using autoreconf and when building the package this leads to

 ...
 checking how to hardcode library paths into programs... immediate
 checking for md5sum... md5sum
 checking for yaggo... /usr/bin/yaggo
 ./configure: line 15474: syntax error near unexpected token `VALGRIND,'
 ./configure: line 15474: `  PKG_CHECK_MODULES(VALGRIND, valgrind = 
 1.8.0)'
 == config.log ==
 This file contains any messages produced by compilers while
 ...

The PKG_CHECK_MODULES macro is not substituted. You probably need a
build-dependency on pkg-config.

Ansgar





Re: jellyfish: Syntax error in configure when using autoreconf

2014-10-07 Thread Jakub Wilk

* Andreas Tille andr...@an3as.eu, 2014-10-07, 22:39:

./configure: line 15474: syntax error near unexpected token `VALGRIND,'
./configure: line 15474: `  PKG_CHECK_MODULES(VALGRIND, valgrind = 1.8.0)'


It looks like missing build-dependency on pkg-config.

--
Jakub Wilk





Re: jellyfish: Syntax error in configure when using autoreconf

2014-10-07 Thread Andreas Tille
Hi Jakub (and Ansgar)

On Tue, Oct 07, 2014 at 10:46:10PM +0200, Jakub Wilk wrote:
 * Andreas Tille andr...@an3as.eu, 2014-10-07, 22:39:
 ./configure: line 15474: syntax error near unexpected token `VALGRIND,'
 ./configure: line 15474: `  PKG_CHECK_MODULES(VALGRIND, valgrind = 
 1.8.0)'
 
 It looks like missing build-dependency on pkg-config.

Confirmed that this works - thanks a lot, Andreas.

-- 
http://fam-tille.de





Bug#759796: RFS: gemrb/0.8.1-1

2014-10-07 Thread Stephen Kitt
Control: owner -1 !

Hi Beren,

On Thu, 25 Sep 2014 23:21:20 +0200, Beren Minor
beren.minor+deb...@gmail.com wrote:
 I am still looking for a sponsor for my GemRB package.
 The details are in the OP of this bug report (#759796
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%20759796).

I've taken a look at this, and the only issue I can see is that the copyright
years need to be updated to 2003-2014 (see gemrb/core/VEFObject.cpp and
gemrb/GUIScripts/CreateControlDecorators.py amongst others).

If you fix this I'll sponsor the package!

It might also be worth pointing out in README.Debian that filenames should be
converted to lower-case after extraction, in particular for the GoG releases,
as documented in http://www.gemrb.org/wiki/doku.php?id=install:unshield-bg1 -
for me the game segfaults after the intro movies if this isn't done.

Have you considered implementing support for the game files in
game-data-packager?

Regards,

Stephen




Bug#764383: RFS: ddate/0.2.2-1 [ITP]

2014-10-07 Thread Christoph Egger
Hi!

Sebastian Schmidt y...@yath.de writes:
 Alternatively, one can download the package with dget using this command:

   dget -x http://mentors.debian.net/debian/pool/main/d/ddate/ddate_0.2.2-1.dsc

Looks good so far although I think lintian's right with this one (of
course without the replaces):

I: ddate: conflicts-with-version util-linux ( 2.24.2-1)
N: 
N:An earlier-than version clause is normally an indication that Breaks
N:should be used instead of Conflicts. Breaks is a weaker requirement that
N:provides the package manager more leeway to find a valid upgrade path.
N:Conflicts should only be used if two packages can never be unpacked at
N:the same time, or for some situations involving virtual packages (where
N:a version clause is not appropriate). In particular, when moving files
N:between packages, use Breaks plus Replaces, not Conflicts plus Replaces.
N:
N:Refer to Debian Policy Manual section 7.4 (Conflicting binary packages -
N:Conflicts) for details.
N:
N:Severity: normal, Certainty: wild-guess
N:
N:Check: fields, Type: binary, udeb, source

Christoph

-- 
9FED 5C6C E206 B70A 5857  70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer




Bug Severity Help

2014-10-07 Thread Bill Blough

Hi mentors,

I am the current maintainer for Xalan [1] and could use some feedback with
regard to a particular bug [2]. 

The bug is currently tagged grave severity due to the possibility of a
user-supplied stylesheet causing an out-of-memory condition  (due to infinite
recursion) and crashing the system.  It has been forwarded upstream and
acknowledged, but not fixed.  

I recognize that this is an issue, but I feel that this is an edge case that is
likely not applicable to most users, and that it would be a shame for it to not
be included in Jessie.

Other than trying to fix it myself (which isn't an option for me at the
moment), what are my options?   More importantly, what's the *right* thing
to do from a Debian perspective?

Thanks!
Bill


[1] https://packages.qa.debian.org/x/xalan.html
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718315




Re: Bug Severity Help

2014-10-07 Thread Paul Wise
That sounds like a potential denial of service vulnerability.

How likely is it that Xalan would be used with untrusted stylesheets
supplied by attackers?

If you don't think it would be possible to fix it you can ask the
release team for a jessie-ignore tag, reportbug release.debian.org,
choose 3 other, explain your reasoning.

You could also reimplement the libxslt solution for this in Xalan.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise





Re: Bug Severity Help

2014-10-07 Thread Bill Blough
On Wed, Oct 08, 2014 at 10:53:04AM +0800, Paul Wise wrote:
 That sounds like a potential denial of service vulnerability.
 
 How likely is it that Xalan would be used with untrusted stylesheets
 supplied by attackers?

In my opinion, people *shouldn't* be running untrusted stylesheets any more
than they should run untrusted shell scripts or other code.  If we conveniently
ignore that sometimes people do things that are unwise, then I would say the
likelihood is low.

 
 If you don't think it would be possible to fix it you can ask the
 release team for a jessie-ignore tag, reportbug release.debian.org,
 choose 3 other, explain your reasoning.

I don't think upstream has the intention of fixing it anytime soon, and I don't
have the time right now to dig into the complexities of the Xalan codebase
myself.  I'll consider talking to the release team about an exception - I
don't think I realized that was an option.
 
 You could also reimplement the libxslt solution for this in Xalan.

That's an interesting thought.  That would likely resolve the issue as filed in
the bug report against the xalan executables.  However the same problem would
still technically exist in the underlying library code (libxalan-c).  Though,
having never done any programming against libxslt, that might be a longer path
for me than just fixing xalan.

Thanks for your insight.

Bill

 


Re: Bug Severity Help

2014-10-07 Thread Paul Wise
On Wed, Oct 8, 2014 at 11:40 AM, Bill Blough wrote:

 That's an interesting thought.  That would likely resolve the issue as filed in
 the bug report against the xalan executables.  However the same problem would
 still technically exist in the underlying library code (libxalan-c).  Though,
 having never done any programming against libxslt, that might be a longer path
 for me than just fixing xalan.

Probably libxalan-c would be the best place to implement it?

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
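
The nesting-depth cap that the libxslt suggestion earlier in this thread refers to, placed in the library layer as this follow-up proposes, sketched as an added example (not code from the thread, Xalan-C or libxslt). The `Stylesheet` map, the `Transformer` class, `run_transform` and the limit values are hypothetical stand-ins; libxslt's own cap is its `xsltMaxDepth` setting.

```cpp
// Added illustration: a toy template evaluator, not Xalan-C or libxslt code.
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Hypothetical model: each named template lists the templates it calls,
// the way xsl:call-template chains do.
using Stylesheet = std::map<std::string, std::vector<std::string>>;

struct Outcome {
    bool completed = false;
    std::size_t instantiations = 0;  // templates actually entered
    std::size_t peak_depth = 0;      // deepest nesting reached
    std::size_t depth_after = 0;     // 0 once the stack has fully unwound
    std::string error;
};

class Transformer {
public:
    Transformer(Stylesheet sheet, std::size_t max_depth)
        : sheet_(std::move(sheet)), max_depth_(max_depth) {}

    Outcome run(const std::string& entry) {
        Outcome out;
        try {
            apply(entry);
            out.completed = true;
        } catch (const std::exception& e) {
            out.error = e.what();  // the transform fails, the process survives
        }
        out.instantiations = calls_;
        out.peak_depth = peak_;
        out.depth_after = depth_;
        return out;
    }

private:
    // RAII guard: refuses to enter a template past the cap and restores the
    // counter on every exit path, including exception unwinding.
    struct DepthGuard {
        DepthGuard(Transformer& t, const std::string& name) : t_(t) {
            if (t_.depth_ >= t_.max_depth_)
                throw std::runtime_error("nesting limit " + std::to_string(t_.max_depth_) +
                                         " exceeded entering '" + name + "'");
            t_.peak_ = std::max(t_.peak_, ++t_.depth_);
        }
        ~DepthGuard() { --t_.depth_; }
        Transformer& t_;
    };

    void apply(const std::string& name) {
        auto it = sheet_.find(name);
        if (it == sheet_.end())
            throw std::invalid_argument("unknown template '" + name + "'");
        DepthGuard guard(*this, name);
        ++calls_;
        for (const std::string& callee : it->second) apply(callee);
    }

    Stylesheet sheet_;
    std::size_t max_depth_;
    std::size_t depth_ = 0, peak_ = 0, calls_ = 0;
};

Outcome run_transform(const Stylesheet& sheet, const std::string& entry,
                      std::size_t max_depth) {
    return Transformer(sheet, max_depth).run(entry);
}

// Constructed sample inputs.
Stylesheet finite_sheet() {
    return {{"main", {"header", "body"}}, {"header", {}},
            {"body", {"row", "row"}}, {"row", {}}};
}
Stylesheet recursive_sheet() {  // a calls b, b calls a: unbounded without a cap
    return {{"a", {"b"}}, {"b", {"a"}}};
}

static void report(const char* label, const Outcome& o) {
    std::cout << label << ": " << (o.completed ? "completed" : "aborted")
              << ", instantiations=" << o.instantiations
              << ", peak depth=" << o.peak_depth
              << (o.error.empty() ? "" : ", error: " + o.error) << "\n";
}

int main() {
    report("finite, cap 16", run_transform(finite_sheet(), "main", 16));
    report("recursive, cap 3000", run_transform(recursive_sheet(), "a", 3000));
    report("finite, cap 2", run_transform(finite_sheet(), "main", 2));
    return 0;
}
```

The third case shows the trade-off: a cap set too low also rejects a legitimate stylesheet, so the limit has to be configurable by the caller.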





Bug#741649: marked as done (RFS: tegrarcm/1.6-1)

2014-10-07 Thread Debian Bug Tracking System
Your message dated Wed, 08 Oct 2014 04:24:29 +
with message-id e1xbind-00078p...@quantz.debian.org
and subject line closing RFS: tegrarcm/1.6-1
has caused the Debian Bug report #741649,
regarding RFS: tegrarcm/1.6-1
to be marked as done.


-- 
741649: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741649
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package tegrarcm

 * Package name: tegrarcm
   Version : 1.5-2
   Upstream Author : a.mar...@nvidia.com from NVIDIA
 * URL : http://github.com/NVIDIA/tegrarcm
 * License : BSD / proprietary
   Section : utils

It builds those binary packages:

tegrarcm   - Tool to upload payloads in Tegra SoC recovery mode

To access further information about this package, please visit the following 
URL:

  http://mentors.debian.net/package/tegrarcm


Alternatively, one can download the package with dget using this command:

dget -x http://mentors.debian.net/debian/pool/non-free/t/tegrarcm/tegrarcm_1.5-2.dsc

More information about hello can be obtained from 
http://http.download.nvidia.com/tegra-public-appnotes/flashing-tools.html

Changes since the last upload:

tegrarcm (1.5-2) unstable; urgency=low

  * Add watch file
  * Update to Debian Standards version 3.9.5

tegrarcm (1.5-1) unstable; urgency=low

  * New upstream release

Regards,
   Marc Dietrich
---End Message---
---BeginMessage---
Package tegrarcm has been removed from mentors.
---End Message---


Re: Bug Severity Help

2014-10-07 Thread Adam Borowski
On Tue, Oct 07, 2014 at 11:40:53PM -0400, Bill Blough wrote:
 In my opinion, people *shouldn't* be running untrusted stylesheets any more
 than they should run untrusted shell scripts or other code.  If we conveniently
 ignore that sometimes people do things that are unwise, then I would say the
 likelihood is low.

In that case, it's a normal severity bug at most.  Most Turing-complete
languages allow OOMing, and if Xalan stylesheets can already run arbitrary
code, an attacker can do things a lot funnier than just OOM.

-- 
// If you believe in so-called intellectual property, please immediately
// cease using counterfeit alphabets.  Instead, contact the nearest temple
// of Amon, whose priests will provide you with scribal services for all
// your writing needs, for Reasonable and Non-Discriminatory prices.

