Bug#849505: transition: nodejs
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

nodejs 4.6.1~dfsg-1 provides nodejs-abi-46
nodejs 6.9.2~dfsg-1 provides nodejs-abi-48

I recently uploaded fixes to all Node.js c++ addons so they use dh_nodejs to depend on the correct nodejs-abi-xx provided by nodejs-dev used during build. Transition should have minimal impact on these addons.

Most other pure Node.js modules should be okay - they either are already compatible with Node.js 6 or have upstream updates providing that compatibility.

Thanks,
Jérémy

Ben file:

title = "nodejs";
is_affected = .depends ~ "nodejs-abi-46" | .depends ~ "nodejs-abi-48";
is_good = .depends ~ "nodejs-abi-48";
is_bad = .depends ~ "nodejs-abi-46";
Bug#849218: Build fine waiting for green light
Hi,

experimental build fine. Waiting for green light

I see you have setup the transition matrix

Bastien
Re: Bug#847575: closed by Hilko Bengen <ben...@debian.org> (no embedded dietlibc)
On Tue, 2016-12-27 at 16:13 -0500, Theodore Ts'o wrote:
> On Tue, Dec 27, 2016 at 07:56:36PM +, Adam D. Barratt wrote:
> > Thankfully none of that worked. I say thankfully, because you'd have
> > given release.d.o an allegedly RC bug (it may be RC for e2fsprogs, it's
> > certainly not so for release.d.o) and removed the original bug from
> > where it belongs. (The binNMU doesn't resolve the fact that the original
> > issue existed - and for some versions still exists - in e2fsprogs.)
>
> It only exists in the versions of e2fsprogs shipping in Jessie and
> before. So unless the SRM's think that it's worth it to fix this
> issue via a change to e2fsprogs going to proposed-updates for Jessie
> (I'm not entirely convinced but if you want me to add the Built-Using
> and ask for an update to Jessie stable, I can do that, and we can punt
> on the binNMU for e2fsck-static since it will be obsoleted by the fix
> of e2fsprogs in Debian stable.)

I already scheduled the binNMUs for the handful of architectures that I could, in the cloned #849488. You may wish to check the architecture list there and confirm whether any of the others were typos or if the three architectures mentioned are sufficient.

Regards,

Adam
Re: Bug#847575: closed by Hilko Bengen <ben...@debian.org> (no embedded dietlibc)
On Tue, Dec 27, 2016 at 07:56:36PM +, Adam D. Barratt wrote:
> Thankfully none of that worked. I say thankfully, because you'd have
> given release.d.o an allegedly RC bug (it may be RC for e2fsprogs, it's
> certainly not so for release.d.o) and removed the original bug from
> where it belongs. (The binNMU doesn't resolve the fact that the original
> issue existed - and for some versions still exists - in e2fsprogs.)

It only exists in the versions of e2fsprogs shipping in Jessie and before. So unless the SRM's think that it's worth it to fix this issue via a change to e2fsprogs going to proposed-updates for Jessie (I'm not entirely convinced but if you want me to add the Built-Using and ask for an update to Jessie stable, I can do that, and we can punt on the binNMU for e2fsck-static since it will be obsoleted by the fix of e2fsprogs in Debian stable.)

Otherwise, I plan to close the e2fsprogs bugs since it's fixed in Debian Stretch, and with the decision not to try to address this in Jessie, a "wontfix" for older versions of e2fsprogs.

Apologies for not adjusting the priority as part of my attempt to move this bug to release.debian.org, but the theory was that fixing this via a binNMU of e2fsck-static was sufficient, given how late we are in Jessie's life cycle, and it wasn't worth trying to fix this bug in stable.

If I'm wrong in this, and the SRM's would support/prefer to fix this via an update to e2fsprogs in Jessie and spinning new binary debs for all architectures, I'll stand corrected and we can go down that route.

Cheers,

- Ted
Upcoming stable point release (8.7)
Hi,

The next point release for "jessie" (8.7) is scheduled for Saturday, January 14th. Processing of new uploads into jessie-proposed-updates will be frozen during the preceding weekend.

Regards,

Adam
Processed: Re: Bug#847575: closed by Hilko Bengen <ben...@debian.org> (no embedded dietlibc)
Processing control commands:

> clone -1 -2
Bug #847575 [e2fsck-static] Embeds dietlibc (GPL) but does not have a Built-Using field
Bug 847575 cloned as bug 849488
> close -1
Bug #847575 [e2fsck-static] Embeds dietlibc (GPL) but does not have a Built-Using field
Marked Bug as done
> reassign -2 release.debian.org
Bug #849488 [e2fsck-static] Embeds dietlibc (GPL) but does not have a Built-Using field
Bug reassigned from package 'e2fsck-static' to 'release.debian.org'.
No longer marked as found in versions e2fsprogs/1.43.3-1 and e2fsprogs/1.42.12-2.
No longer marked as fixed in versions e2fsprogs/1.43.3-1 and 1.43~WIP.2016.05.12-1.
> severity -2 normal
Bug #849488 [release.debian.org] Embeds dietlibc (GPL) but does not have a Built-Using field
Severity set to 'normal' from 'serious'
> retitle -2 nmu: e2fsck-static
Bug #849488 [release.debian.org] Embeds dietlibc (GPL) but does not have a Built-Using field
Changed Bug title to 'nmu: e2fsck-static' from 'Embeds dietlibc (GPL) but does not have a Built-Using field'.
> tags -2 + jessie pending
Bug #849488 [release.debian.org] nmu: e2fsck-static
Added tag(s) jessie and pending.

--
847575: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847575
849488: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849488
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Re: Bug#847575: closed by Hilko Bengen <ben...@debian.org> (no embedded dietlibc)
Control: clone -1 -2
Control: close -1
Control: reassign -2 release.debian.org
Control: severity -2 normal
Control: retitle -2 nmu: e2fsck-static
Control: tags -2 + jessie pending

On Tue, 2016-12-27 at 12:31 -0500, Theodore Ts'o wrote:
> retitle -1 release.debian.org: binNMU for e2fsck-static to rebuild against
> latest dietlibc
> reassign -1 release.debian.org
> user release.debian@packages.debian.org
> usertag -1 binnmu
> thanks

Thankfully none of that worked. I say thankfully, because you'd have given release.d.o an allegedly RC bug (it may be RC for e2fsprogs, it's certainly not so for release.d.o) and removed the original bug from where it belongs. (The binNMU doesn't resolve the fact that the original issue existed - and for some versions still exists - in e2fsprogs.)

> Agreed, that seems to be the best way to handle things. So that means
> we would need to do a binNMU for e2fsck-static/1.42.12-2 for the
> following architectures:
>
> alpha amd64 arm hppa i386 ia64 powerpc ppc64 s390 sparc
>
> I've reassigned this to the release team to see if the Stable Release
> Managers agree (which hopefully they will).

Only three of those architectures - amd64, i386 and powerpc - are in stable so are the only ones that are relevant as far as the release.d.o bug is concerned. I've scheduled binNMUs for those; you'll have to handle the others separately, or explain which Debian architectures you actually meant (for instance, "arm" hasn't been used as a Debian architecture name for several releases now).

Regards,

Adam
Re: Bug#847575: closed by Hilko Bengen <ben...@debian.org> (no embedded dietlibc)
retitle -1 release.debian.org: binNMU for e2fsck-static to rebuild against latest dietlibc
reassign -1 release.debian.org
user release.debian@packages.debian.org
usertag -1 binnmu
thanks

On Tue, Dec 27, 2016 at 12:16:52PM +, Ben Hutchings wrote:
> On Wed, 2016-12-21 at 22:49 -0500, Theodore Ts'o wrote:
> > I noticed you reopened this and marked this as still being a problem
> > in e2fsprogs/1.42.12-2 (it actually _is_ fixed in e2fsprogs/1.43.3-1).
> > Is it worth trying to fix this in Debian Stable? Especially given
> > that existence of snapshots.debian.org, the sources for dietlibc will
> > always be available one way or another --- and that might be good
> > enough for GPL compliance.
>
> I think that snapshot.debian.org should be sufficient to keep Debian
> itself in compliance, but not any downstream commercial distributors.
> So all GPL sources should be available in the same suite, and Built-
> Using provides the information that dak needs to ensure that.
>
> As it is, e2fsck-static in jessie has been built with dietlibc
> 0.33~cvs20120325-6, but dietlibc has had a security update since then
> so that version is no longer present. (That issue didn't affect
> e2fsck-static so it hasn't been binNMU'd.)
>
> I think this could be resolved in stable simply by binNMU'ing e2fsck-
> static for the architectures where it uses dietlibc.

Agreed, that seems to be the best way to handle things. So that means we would need to do a binNMU for e2fsck-static/1.42.12-2 for the following architectures:

alpha amd64 arm hppa i386 ia64 powerpc ppc64 s390 sparc

I've reassigned this to the release team to see if the Stable Release Managers agree (which hopefully they will).

Ted
Bug#849456: marked as done (unblock: libncursesada/6.0.20150808-2)
Your message dated Tue, 27 Dec 2016 16:53:51 +0100 with message-idand subject line Re: Bug#849456: unblock: libncursesada/5.9.20140726-2 has caused the Debian Bug report #849456, regarding unblock: libncursesada/6.0.20150808-2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 849456: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849456 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package libncursesada. The version in testing fails to build (#844918) because of dpkg changes affecting PIE flags in libraries. Here is the debdiff against the package in testing. --- libncursesada-6.0.20150808/debian/changelog +++ libncursesada-6.0.20150808/debian/changelog @@ -1,3 +1,10 @@ +libncursesada (6.0.20150808-2) unstable; urgency=medium + + [ Adrian Bunk ] + * Build with latest dpkg requires PIE hardening flags. Closes: #844918. + + -- Nicolas Boulenguez Tue, 27 Dec 2016 12:11:27 +0100 + libncursesada (6.0.20150808-1) unstable; urgency=medium * New upstream release, built with gnat-6. Both imply --- libncursesada-6.0.20150808/debian/rules +++ libncursesada-6.0.20150808/debian/rules 
@@ -27,7 +27,7 @@ # Set some variables # ## -DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie +DEB_BUILD_MAINT_OPTIONS=hardening=+all include /usr/share/dpkg/default.mk include /usr/share/ada/debian_packaging*.mk Thanks. unblock libncursesada/6.0.20150808-2 --- End Message --- --- Begin Message --- On 27/12/16 12:35, Nicolas Boulenguez wrote: > Package: release.debian.org > Severity: normal > User: release.debian@packages.debian.org > Usertags: unblock > > Please unblock package libncursesada. > > The version in testing fails to build (#844918) because of dpkg > changes affecting PIE flags in libraries. > > Here is the debdiff against the package in testing. > > --- libncursesada-6.0.20150808/debian/changelog > +++ libncursesada-6.0.20150808/debian/changelog > @@ -1,3 +1,10 @@ > +libncursesada (6.0.20150808-2) unstable; urgency=medium > + > + [ Adrian Bunk ] > + * Build with latest dpkg requires PIE hardening flags. Closes: #844918. > + > + -- Nicolas Boulenguez Tue, 27 Dec 2016 12:11:27 +0100 > + > libncursesada (6.0.20150808-1) unstable; urgency=medium > > * New upstream release, built with gnat-6. Both imply > --- libncursesada-6.0.20150808/debian/rules > +++ libncursesada-6.0.20150808/debian/rules > @@ -27,7 +27,7 @@ > # Set some variables # > ## > -DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie > +DEB_BUILD_MAINT_OPTIONS=hardening=+all > include /usr/share/dpkg/default.mk > include /usr/share/ada/debian_packaging*.mk > > Thanks. > > unblock libncursesada/6.0.20150808-2 IMHO this can wait 10 days and migrate on its own. No need to rush it. Cheers, Emilio--- End Message ---
Bug#849309: marked as done (nmu: bino_1.6.5-1)
Your message dated Tue, 27 Dec 2016 16:54:37 +0100 with message-id <504ab781-5eef-7c74-fd0c-8c2276fcf...@debian.org> and subject line Re: Bug#849309: nmu: bino_1.6.5-1 has caused the Debian Bug report #849309, regarding nmu: bino_1.6.5-1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
849309: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849309
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Hello,

on amd64 bino wasn't built in a clean environment causing it to depend on unavailable libraries, so please rebuild it for this architecture.

Thanks

nmu bino_1.6.5-1 . amd64 . unstable . -m "Rebuild against libass and ffmpeg from unstable"

-- System Information:
Debian Release: stretch/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (103, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-rc8-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
On 25/12/16 08:15, Daniel Schaal wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: binnmu
>
> Hello,
>
> on amd64 bino wasn't built in a clean environment causing it to depend on
> unavailable libraries,
> so please rebuild it for this architecture.
>
> Thanks
>
> nmu bino_1.6.5-1 . amd64 . unstable . -m "Rebuild against libass and ffmpeg
> from unstable"

Scheduled.

Emilio
--- End Message ---
Re: [Fwd: [Pkg-citadel-devel] citadel is marked for autoremoval from testing]
On 27/12/16 12:08, Michael Meskes wrote:
> Hi all,
>
> is this just a race or needs manual intervention or do I miss something
> important here?
>
> The attached email, that arrived earlier today, tells me the package
> will be removed from testing because of a bug that was closed by
> exactly the version of the package listed in the email.

Probably a race. I see it is no longer marked as to-be-removed.

Cheers,
Emilio
Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Dear RT, I'd like to get CVE-2015-0839 fixed in jessie, it's a no-DSA issue, and security team members suggested to get it fixed through stable updates. This bug is a simple 'fetching gpg key from keyservers with a short keyid' problem, and upstream's fix is to use the full fingerprint. The debdiff is attached. Cheers, OdyX diff -Nru hplip-3.14.6/debian/changelog hplip-3.14.6/debian/changelog --- hplip-3.14.6/debian/changelog 2014-06-15 09:24:19.0 +0200 +++ hplip-3.14.6/debian/changelog 2016-12-27 09:13:54.0 +0100 @@ -1,3 +1,11 @@ +hplip (3.14.6-1+deb8u1) stable; urgency=medium + + * Backport CVE-2015-0839 fix from upstream's 3.15.7: use full gpg key +fingerprint when fetching key from keyservers +(Closes: #787353, LP: #1432516) + + -- Didier RaboudTue, 27 Dec 2016 09:13:54 +0100 + hplip (3.14.6-1) unstable; urgency=low * New upstream release diff -Nru hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch --- hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch 1970-01-01 01:00:00.0 +0100 +++ hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch 2016-12-27 09:10:11.0 +0100 
@@ -0,0 +1,19 @@ +Description: Use the full key fingerprint, to fix insecure binary driver verification +Bug-CVE: CVE-2015-0839 +Bug-Upstream: https://bugs.launchpad.net/hplip/+bug/1432516 +Bug-Debian: https://bugs.debian.org/787353 +Origin: vendor +Last-Update: 2015-07-15 + +--- a/base/validation.py b/base/validation.py +@@ -40,8 +40,7 @@ + + + class GPG_Verification(DigiSign_Verification): +- +-def __init__(self, pgp_site = 'pgp.mit.edu', key = 0xA59047B9): ++def __init__(self, pgp_site = 'pgp.mit.edu', key = 0x4ABA2F66DBD5A95894910E0673D770CDA59047B9): + self.__pgp_site = pgp_site + self.__key = key + self.__gpg = utils.which('gpg',True) diff -Nru hplip-3.14.6/debian/patches/series hplip-3.14.6/debian/patches/series --- hplip-3.14.6/debian/patches/series 2014-04-04 17:05:13.0 +0200 +++ hplip-3.14.6/debian/patches/series 2016-12-27 09:04:13.0 +0100 @@ -18,3 +18,4 @@ #hp-mkuri-libnotify-so-4-support.dpatch hpaio-option-duplex.diff musb-c-do-not-crash-on-usb-failure.patch +cve-2015-0839-insecure-binary-driver-verification.patch
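Review bot: in the embedded base/validation.py hunk only the default value of `key` changes; `self.__key = key` still stores whatever a caller passes, so a caller supplying an 8-digit id keeps the old behaviour, and the visible lines do not show where the integer is turned into the string handed to gpg. Please confirm that the code using `self.__key` renders the value as 40 hex digits (an integer drops leading zeros) and that the key actually used for verification is compared against the full fingerprint, not only fetched by it. Separately, the patch header says "Origin: vendor" while the changelog describes a backport from upstream's 3.15.7; "Origin: backport" with a pointer to the upstream release would match the changelog.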
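The short-key-id problem this request describes, as an added example that is not part of the original message or of hplip's code: a pinned-fingerprint check over `gpg --with-colons` output. The two key values are the ones in the patch; the key listing, the look-alike fingerprint and every function name are constructed for illustration.

```python
import re

# Both values appear in the patch on this page.
OLD_SHORT_ID = 0xA59047B9
PINNED_FPR = 0x4ABA2F66DBD5A95894910E0673D770CDA59047B9

# Constructed `gpg --with-colons` listing (not real keyserver output): the
# first key carries the pinned fingerprint, the second is a made-up look-alike
# whose fingerprint merely ends in the same 32 bits.
SAMPLE_LISTING = """\
pub:-:2048:1:73D770CDA59047B9:1300000000:::-:::scESC:
fpr:::::::::4ABA2F66DBD5A95894910E0673D770CDA59047B9:
sub:-:2048:1:1111111111111111:1300000000::::::e:
fpr:::::::::2222222222222222222222221111111111111111:
pub:-:2048:1:89ABCDEFA59047B9:1400000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFA59047B9:
"""

WIDTHS = {8: "short", 16: "long", 40: "fingerprint"}  # hex digits, v4 keys

def normalize(key):
    """Return a key identifier as upper-case hex digits."""
    if isinstance(key, int):
        # validation.py keeps the key as an int, which drops leading zeros,
        # so pad up to the next valid identifier width.
        digits = "%X" % key
        for width in sorted(WIDTHS):
            if len(digits) <= width:
                return digits.zfill(width)
        raise ValueError("integer too large for a v4 fingerprint")
    digits = re.sub(r"\s+", "", key).upper()
    if digits.startswith("0X"):
        digits = digits[2:]
    if not re.fullmatch(r"[0-9A-F]+", digits):
        raise ValueError("not a hex key identifier: %r" % (key,))
    return digits

def kind(key):
    """Classify an identifier as short, long, fingerprint or invalid."""
    return WIDTHS.get(len(normalize(key)), "invalid")

def primary_fingerprints(listing):
    """Fingerprints of primary keys: the fpr record that follows each pub."""
    found, after_pub = [], False
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            after_pub = fields[0] == "pub"
        elif fields[0] == "fpr" and after_pub and len(fields) > 9:
            found.append(fields[9].upper())
            after_pub = False
    return found

def select_by_suffix(listing, key_id):
    """What selecting by a short or long id amounts to: a suffix match."""
    suffix = normalize(key_id)
    return [f for f in primary_fingerprints(listing) if f.endswith(suffix)]

def select_pinned(listing, fingerprint):
    """Accept only an exact match on a full 160-bit fingerprint."""
    if kind(fingerprint) != "fingerprint":
        raise ValueError("refusing to pin on a %s key id" % kind(fingerprint))
    want = normalize(fingerprint)
    return [f for f in primary_fingerprints(listing) if f == want]
```

With the constructed listing, the old 32-bit id selects both primary keys, while the pinned fingerprint selects exactly one and a short id is refused outright.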
Processed: fix package version in title of 849456
Processing commands for cont...@bugs.debian.org:

> retitle 849456 unblock: libncursesada/6.0.20150808-2
Bug #849456 [release.debian.org] unblock: libncursesada/5.9.20140726-2
Changed Bug title to 'unblock: libncursesada/6.0.20150808-2' from 'unblock: libncursesada/5.9.20140726-2'.
> End of message, stopping processing here.

Please contact me if you need assistance.

--
849456: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849456
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#849456: unblock: libncursesada/5.9.20140726-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package libncursesada. The version in testing fails to build (#844918) because of dpkg changes affecting PIE flags in libraries. Here is the debdiff against the package in testing. --- libncursesada-6.0.20150808/debian/changelog +++ libncursesada-6.0.20150808/debian/changelog @@ -1,3 +1,10 @@ +libncursesada (6.0.20150808-2) unstable; urgency=medium + + [ Adrian Bunk] + * Build with latest dpkg requires PIE hardening flags. Closes: #844918. + + -- Nicolas Boulenguez Tue, 27 Dec 2016 12:11:27 +0100 + libncursesada (6.0.20150808-1) unstable; urgency=medium * New upstream release, built with gnat-6. Both imply --- libncursesada-6.0.20150808/debian/rules +++ libncursesada-6.0.20150808/debian/rules @@ -27,7 +27,7 @@ # Set some variables # ## -DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie +DEB_BUILD_MAINT_OPTIONS=hardening=+all include /usr/share/dpkg/default.mk include /usr/share/ada/debian_packaging*.mk Thanks. unblock libncursesada/6.0.20150808-2
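Review bot: the changelog entry under "[ Adrian Bunk]" gives the reason ("Build with latest dpkg requires PIE hardening flags") but not the change itself. It should say that debian/rules no longer passes -pie in the hardening options, so that someone reading the changelog alone can tell that PIE went from disabled to enabled in this upload.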
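Review bot: in the debian/rules hunk, dropping `-pie` from DEB_BUILD_MAINT_OPTIONS leaves no record of why the exclusion existed or why it is now safe to remove; the only context is the "# Set some variables" banner. A one-line comment above the assignment pointing at #844918 would keep the exclusion from being reintroduced later, and the request should state that the package was built with hardening=+all, since it only says that the version in testing fails to build.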
[Fwd: [Pkg-citadel-devel] citadel is marked for autoremoval from testing]
Hi all,

is this just a race or needs manual intervention or do I miss something important here?

The attached email, that arrived earlier today, tells me the package will be removed from testing because of a bug that was closed by exactly the version of the package listed in the email.

Thanks.

Michael
--
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Meskes at (Debian|Postgresql) dot Org
Jabber: michael at xmpp dot meskes dot org
VfL Borussia! Força Barça! SF 49ers! Use Debian GNU/Linux, PostgreSQL
--- Begin Message ---
citadel 902-3 is marked for autoremoval from testing on 2016-12-30

It is affected by these RC bugs:
846543: citadel: FTBFS (dereferencing pointer to incomplete type)

___
Pkg-citadel-devel mailing list
pkg-citadel-de...@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-citadel-devel
--- End Message ---
Re: Let autopkgtests be gating for testing migration in Buster: heads-up and brain-dump
Hello Antonio,

Antonio Terceiro [2016-12-21 18:13 -0200]:
> > 0) figure out how to test all of this without breaking the real
> > instances (hints more than welcome).
> > 1) fix autopkgtest to enable --apt-suite (next to the current --apt-pocket)
> > In parallel:
> > 2a) getting a testing suite up for debci and extend debci to be aware of
> > the additional arguments for autopkgtest
> > 2b) let britney generate a list of tests it would like to perform
> > 2c) align on the transfer mechanism between britney(1) and debci
> > 3) enable debci to swallow the commands from britney
> > 4) enable the policy in britney
>
> Sure. My main concern here is knowing exactly what the interface between
> britney and debci is going to be. Obviously we don't want a circular
> dependency, so it seems that you are going towards britney knowing how
> to deal with debci, and not the other way around.

Correct. debci should provide the machinery to run tests, i. e. accept test requests via AMQP (as it does today, except that britney would send the requests instead of debci's cron), run the test, and export the results (https://ci.debian.net/data/ works fine, britney can read that and it's fairly close to reading swift like the Ubuntu implementation does). debci should not interpret the results and do policy decisions, that's britney's domain and thus debci should not know about britney.

> On the debci side, we would need:
>
> - when testing to see if package X can be let into testing, britney
> needs a way to say a) "test package X from unstable on a testing base"
> and b) "test package Y from testing with X from unstable".

That's provided with the "triggers" option, Paul already explained that. The trigger contains the "reason(s)" why a test was started, which could either be a newer version of the tested package itself, or a change of any of its dependencies.

> there would be one Y for each of the reverse dependencies of X, and
> that list would be generated by britney, I assume.

Right. britney has that information anyway for installability testing, it's quite straightforward to generate:

https://git.launchpad.net/~ubuntu-release/britney/+git/britney2-ubuntu/tree/britney2/policies/autopkgtest.py#n348

> - a way for britney to "inject" these test requests, and a way for it to
> get their results back. This would probably require having some sort
> of identifier generated by britney that can be used by later to match
> the request to the results.

Right. The AMQP request contains the triggers, debci translates them as autopkgtest --env arguments (--env=ADT_TEST_TRIGGERS=foo/1.0-2 bar/2.0-3):

https://git.launchpad.net/~ubuntu-release/+git/autopkgtest-cloud/tree/worker/worker#n327

and these envs end up in results.tar which britney reads, and with that it can map a result back to a run for a particular trigger.

Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)