Bug#854905: nmu: petsc_3.7.5+dfsg1-4

[Drew Parsons]

On Sun, 12 Feb 2017 20:16:06 +0100 Emilio Pozuelo Monfort  wrote:
> > 
> > A binNMU seems to be sufficient here.
> > 
> > nmu petsc_3.7.5+dfsg1-4 . ANY . unstable . -m "Rebuild with openmpi 2.0.2"
> 
> We should probably wait until petsc migrates, and then maybe not do
this unless
> we unblock openmpi.
> 


petsc 3.7.5+dfsg1-4 has now hit testing.

Unblock for openmpi has been requested in #855217.

Please binNMU petsc at your convenience.

Drew

p.s. I raised the question of the tight openmpi dependency with PETSc
authors.  They said the tight dependency was put in place so that PETSc
would have consistent MPI handling.  Otherwise configure, build and
runtime of apps using PETSc could all be performed with different mpi
versions, which can lead to error especially if the runtime version is
older.   

Moreover mpich does not provide a simple major.minor.subminor
decomposition. So the tight dependency on openmpi subminor version was
put in place to match the handling used for the single version number
available for mpich.

But in principle later subminor versions of openmpi should work fine,
and so the PETSc authors are putting in place a more relaxed test
allowing use with later subminor versions (for the same major.minor).  

Once this patch is in place (in future versions of petsc), we won't be
affected by the same version incompatibility reported here.

Bug#855258: unblock: spice/0.12.8-2.1

[Salvatore Bonaccorso]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi

Please unblock package spice

It fixes two CVEs, CVE-2016-9577 CVE-2016-9578, reported by Moritz as
#854336. Markus Kschany fixed it as:

+spice (0.12.8-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add CVE-2016-9577-and-CVE-2016-9578.patch:
+- CVE-2016-9577: A buffer overflow vulnerability in
+  main_channel_alloc_msg_rcv_buf was found that occurs when reading large
+  messages due to missing buffer size check.
+- CVE-2016-9578: A vulnerability was discovered in the server's
+  protocol handling. An attacker able to connect to the spice server could
+  send crafted messages which would cause the process to crash.
+  (Closes: #854336)
+
+ -- Markus Koschany   Mon, 13 Feb 2017 21:42:01 +0100

Attached the resulting debdiff from the version in testing.

unblock spice/0.12.8-2.1

Regards,
Salvatore
diff -Nru spice-0.12.8/debian/changelog spice-0.12.8/debian/changelog
--- spice-0.12.8/debian/changelog   2017-01-06 14:50:55.0 +0100
+++ spice-0.12.8/debian/changelog   2017-02-13 21:42:01.0 +0100
@@ -1,3 +1,17 @@
+spice (0.12.8-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add CVE-2016-9577-and-CVE-2016-9578.patch:
+- CVE-2016-9577: A buffer overflow vulnerability in
+  main_channel_alloc_msg_rcv_buf was found that occurs when reading large
+  messages due to missing buffer size check.
+- CVE-2016-9578: A vulnerability was discovered in the server's
+  protocol handling. An attacker able to connect to the spice server could
+  send crafted messages which would cause the process to crash.
+  (Closes: #854336)
+
+ -- Markus Koschany   Mon, 13 Feb 2017 21:42:01 +0100
+
 spice (0.12.8-2) unstable; urgency=medium
 
   * Build on all little-endian architectures (Closes: #734218)
diff -Nru spice-0.12.8/debian/patches/CVE-2016-9577-and-CVE-2016-9578.patch 
spice-0.12.8/debian/patches/CVE-2016-9577-and-CVE-2016-9578.patch
--- spice-0.12.8/debian/patches/CVE-2016-9577-and-CVE-2016-9578.patch   
1970-01-01 01:00:00.0 +0100
+++ spice-0.12.8/debian/patches/CVE-2016-9577-and-CVE-2016-9578.patch   
2017-02-13 21:42:01.0 +0100
@@ -0,0 +1,54 @@
+From: Markus Koschany 
+Date: Mon, 13 Feb 2017 21:38:02 +0100
+Subject: CVE-2016-9577 and CVE-2016-9578
+
+Bug-Debian: https://bugs.debian.org/854336
+Origin: 
http://pkgs.fedoraproject.org/cgit/rpms/spice.git/commit/?id=d919d639ae5f83a9735a04d843eed675f9357c0d
+---
+ server/main_channel.c |  3 +++
+ server/reds.c | 11 ++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/server/main_channel.c b/server/main_channel.c
+index 0ecc9df..1fc3915 100644
+--- a/server/main_channel.c
 b/server/main_channel.c
+@@ -1026,6 +1026,9 @@ static uint8_t 
*main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc,
+ 
+ if (type == SPICE_MSGC_MAIN_AGENT_DATA) {
+ return reds_get_agent_data_buffer(mcc, size);
++} else if (size > sizeof(main_chan->recv_buf)) {
++/* message too large, caller will log a message and close the 
connection */
++return NULL;
+ } else {
+ return main_chan->recv_buf;
+ }
+diff --git a/server/reds.c b/server/reds.c
+index 61bf735..4c60f58 100644
+--- a/server/reds.c
 b/server/reds.c
+@@ -2110,6 +2110,14 @@ static void reds_handle_read_link_done(void *opaque)
+ link_mess->num_channel_caps = 
GUINT32_FROM_LE(link_mess->num_channel_caps);
+ link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps);
+ 
++/* Prevent DoS. Currently we defined only 13 capabilities,
++ * I expect 1024 to be valid for quite a lot time */
++if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 
1024) {
++reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
++reds_link_free(link);
++return;
++}
++
+ num_caps = link_mess->num_common_caps + link_mess->num_channel_caps;
+ caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset);
+ 
+@@ -2202,7 +2210,8 @@ static void reds_handle_read_header_done(void *opaque)
+ 
+ reds->peer_minor_version = header->minor_version;
+ 
+-if (header->size < sizeof(SpiceLinkMess)) {
++/* the check for 4096 is to avoid clients to cause arbitrary big memory 
allocations */
++if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) {
+ reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
+ spice_warning("bad size %u", header->size);
+ reds_link_free(link);
diff -Nru spice-0.12.8/debian/patches/series spice-0.12.8/debian/patches/series
--- spice-0.12.8/debian/patches/series  2017-01-06 14:50:42.0 +0100
+++ spice-0.12.8/debian/patches/series  2017-02-13 21:42:01.0 +0100
@@ -1 +1,2 @@
 stop-linking-with-libcacard.diff

Re: source-only uploads and arch:all buildds for stretch?

[Emilio Pozuelo Monfort]

On 16/02/17 00:17, Aurelien Jarno wrote:
> Dear release team,
> 
> Before too many people ask the w-b team about that, do we want to allow
> source-only uploads and therefore arch:all buildds for stretch?

Probably a question for the SRMs, but IMHO yes.

Cheers,
Emilio

source-only uploads and arch:all buildds for stretch?

[Aurelien Jarno]

Dear release team,

Before too many people ask the w-b team about that, do we want to allow
source-only uploads and therefore arch:all buildds for stretch?

If so we'll enable the all/stretch architecture in wanna-build,
configure the arch:all autobuilders accordingly. I guess the ftp-masters
team can then enable source-only uploads for stretch.

Aurelien (with his w-b team hat)

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net

Bug#855232: marked as done (unblock: theano/0.8.2-6)

[Debian Bug Tracking System]

Your message dated Thu, 16 Feb 2017 00:04:42 +0100
with message-id <119f9b4f-62a1-414a-1039-3673d846a...@debian.org>
and subject line Re: Bug#855232: unblock: theano/0.8.2-6
has caused the Debian Bug report #855232,
regarding unblock: theano/0.8.2-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
855232: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855232
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package theano [1].

The latest upload to unstable fixes three RC bugs:
#848764 (FTBFS), #831540 (FTBFS on i386), and #831541 (FTBFS on s390x).

And two important bugs: #835531 (randomly FTBFS), and #855102.

The problems have been solved by patches, please see the attached debdiff
for details.

Thank you,
Daniel Stender

[1] https://packages.qa.debian.org/t/theano.html

unblock theano/0.8.2-6

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru theano-0.8.2/debian/changelog theano-0.8.2/debian/changelog
--- theano-0.8.2/debian/changelog	2016-07-16 18:42:07.0 +0200
+++ theano-0.8.2/debian/changelog	2017-02-15 09:09:46.0 +0100
@@ -1,3 +1,38 @@
+theano (0.8.2-6) unstable; urgency=medium
+
+  * Upload to unstable.
+
+ -- Daniel Stender   Wed, 15 Feb 2017 09:09:46 +0100
+
+theano (0.8.2-6~exp1) experimental; urgency=medium
+
+  * add disable-overly-environment-dependent-test.patch (Closes: #835531).
+  * add fix-invalid-casts-negative-stride-handling.patch
+(Closes: #831541,#855102) [thanks again to Rebecca N. Palmer].
+
+ -- Daniel Stender   Wed, 15 Feb 2017 00:08:13 +0100
+
+theano (0.8.2-5) unstable; urgency=medium
+
+  *  Upload to unstable. 
+
+ -- Daniel Stender   Tue, 14 Feb 2017 09:47:30 +0100
+
+theano (0.8.2-5~exp1) experimental; urgency=medium
+
+  * add fix-test_fit_int64-for-python3-32bit.patch (Closes: #831540)
+[thanks to Rebecca N. Palmer].
+  * deb/rules: remove test failsafes completely.
+
+ -- Daniel Stender   Mon, 13 Feb 2017 23:53:19 +0100
+
+theano (0.8.2-4) unstable; urgency=medium
+
+  * add fixes-for-numpy-1.12.patch (Closes: #848764) [thanks to
+Rebecca N. Palmer].
+
+ -- Daniel Stender   Mon, 13 Feb 2017 15:04:06 +0100
+
 theano (0.8.2-3) unstable; urgency=medium
 
   * Upload to unstable.
diff -Nru theano-0.8.2/debian/patches/disable-overly-environment-dependent-test.patch theano-0.8.2/debian/patches/disable-overly-environment-dependent-test.patch
--- theano-0.8.2/debian/patches/disable-overly-environment-dependent-test.patch	1970-01-01 01:00:00.0 +0100
+++ theano-0.8.2/debian/patches/disable-overly-environment-dependent-test.patch	2017-02-14 23:55:31.0 +0100
@@ -0,0 +1,23 @@
+Description: Disable overly environment-dependent test
+ Testing speed by wall-clock time is inherently unreliable on a
+ shared machine such as Debian's buildds: don't let it fail the whole build.
+Author: Rebecca N. Palmer 
+Bug-Debian: https://bugs.debian.org/835531
+Forwarded: not-needed
+
+diff --git a/theano/sparse/tests/test_basic.py b/theano/sparse/tests/test_basic.py
+index 8c183b9..03d79f1 100644
+--- a/theano/sparse/tests/test_basic.py
 b/theano/sparse/tests/test_basic.py
+@@ -1209,8 +1209,8 @@ class test_structureddot(unittest.TestCase):
+ overhead_tol = 0.002  # seconds
+ overhead_rtol = 1.1  # times as long
+ utt.assert_allclose(scipy_result, theano_result)
+-if (not theano.config.mode in ["DebugMode", "DEBUG_MODE"] and
+-theano.config.cxx):
++
++if 0:#(not theano.config.mode in ["DebugMode", "DEBUG_MODE"] and theano.config.cxx):
+ self.assertFalse(
+ theano_time > overhead_rtol * scipy_time + overhead_tol,
+ (theano_time,
+
diff -Nru theano-0.8.2/debian/patches/fixes-for-numpy-1.12.patch theano-0.8.2/debian/patches/fixes-for-numpy-1.12.patch
--- theano-0.8.2/debian/patches/fixes-for-numpy-1.12.patch	1970-01-01 01:00:00.0 +0100
+++ theano-0.8.2/debian/patches/fixes-for-numpy-1.12.patch	2017-02-13 14:32:53.0 +0100
@@ -0,0 +1,80 @@

Bug#855138: unblock: swi-prolog/7.2.3+dfsg-6

[Emilio Pozuelo Monfort]

On 15/02/17 20:48, Lev Lamberov wrote:
> Since no package directly depends on swi-prolog-java (packages mentioned
> in #855004 depend only on swi-prolog), I guess, it is possible to remove
> rdepends only on mips. How can this be done? As I understand, reason to
> remove should start with some acronym, listed on Pending Debian Package
> removals page [1]. But since I'm not a maintainer of rdepends, not a
> member of QA, not a porter, not a stable release manager and so on, I
> cannot request removal of rdepends, right? Should I bother rdepends'
> maintainers to fill removal requests?

I have followed up on the removal bug.

Emilio

Re: Rebuilding packages to increase Stretch's PIE coverage

[Bálint Réczey]

2017-02-15 20:02 GMT+01:00 Niels Thykier :
> Bálint Réczey:
>> Dear Release Team,
>>
>> GCC uses PIE by default in unstable and testing but most packages
>> which haven't been rebuilt since the transition still ship unprotected
>> binaries [1].
>>
>> If the Team agrees I suggest rebuilding the packages which would
>> benefit from a rebuild. In case this gets a green light I would
>> volunteer to perform a test rebuild for each package to see if the
>> lintian warning goes away.
>>
>> Ideally #848129 would be fixed before the rebuild but it seems unlikely
>> that it would move forward without Release Team weighing in. I support
>> Adrian's suggestion about removing all PIE support from dpkg.
>>
>> Cheers,
>> Balint
>>
>> [1] https://lintian.debian.org/tags/hardening-no-pie.html
>>
>> PS: Thanks to Hanno Böck for asking about the current situation and
>> triggering this email. :-)
>>
>
> Hi Bálint,
>
> Thanks for the offer.
>
> Personally, I am inclined to accept as it means that we migrate to PIE
> for these binaries now rather than post-release (e.g. as a part of a
> security update or stable update).
>
>  * Do you have a number of affected source packages handy?
A very quick estimate would be ~2000-2500 assuming each affected source generate
~2 affected binary packages:
$ w3m -dump https://lintian.debian.org/tags/hardening-no-pie.html |
grep binary | wc -l
4715

>
>  * Do you have a plan for finding packages in testing that has not
>been rebuilt?  (lintian.d.o does not include testing)

I think it is doable with some UDD magic which I have to figure out.
Help is welcome here. :-)

My plan was providing a list for the affected packages in unstable and
asking for a
rebuild of those.
If they have different version in testing and they can't migrate then
they are probably too hard to cover in one shot and should be checked
individually.

Cheers,
Balint

>
> Thanks,
> ~Niels
>
>

Bug#855138: unblock: swi-prolog/7.2.3+dfsg-6

[Lev Lamberov]

16.02.2017 00:21, Niels Thykier пишет:
> Lev Lamberov:
>> Hi Niels,
>>
>> 15.02.2017 22:48, Niels Thykier пишет:
>>> To avoid any misunderstandings, #855004 need to be fixed before
>>> swi-prolog/7.2.3+dfsg-6 can migrate.  You probably already noticed, but
>>> the FTP masters have requested a follow up from you.
>>
>> Does it mean that swi-prolog should be removed from testing in the first
>> place and the bug should be closed, or the bug can be closed without
>> removing?
>>
> 
> It means that swi-prolog/7.2.3+dfsg-6 cannot migrate until the removal
> of the mips binaries built by swi-prolog/7.2.3+dfsg-5 (note the version
> difference).  This is what #855004 is about.

Thanks for clarification. I've found information on Excuses page [0] a
bit misleading, since it says: "old binaries left on mips:
swi-prolog-java (from 7.2.3+dfsg-5) (*but ignoring cruft, so nevermind*)".

> The FTP masters have requested that you deal with the reverse
> dependencies of the swi-prolog/7.2.3+dfsg-5 on mips.  This can be
> "remove them from mips as well" or ask them to disable their
> "swi-prolog" support on mips (either way should work).

Since no package directly depends on swi-prolog-java (packages mentioned
in #855004 depend only on swi-prolog), I guess, it is possible to remove
rdepends only on mips. How can this be done? As I understand, reason to
remove should start with some acronym, listed on Pending Debian Package
removals page [1]. But since I'm not a maintainer of rdepends, not a
member of QA, not a porter, not a stable release manager and so on, I
cannot request removal of rdepends, right? Should I bother rdepends'
maintainers to fill removal requests?

Cheers,
Lev

[0] https://qa.debian.org/excuses.php?package=swi-prolog

[1] https://ftp-master.debian.org/removals.html



signature.asc
Description: OpenPGP digital signature

Bug#855138: unblock: swi-prolog/7.2.3+dfsg-6

[Niels Thykier]

Lev Lamberov:
> Hi Niels,
> 
> 15.02.2017 22:48, Niels Thykier пишет:
>> To avoid any misunderstandings, #855004 need to be fixed before
>> swi-prolog/7.2.3+dfsg-6 can migrate.  You probably already noticed, but
>> the FTP masters have requested a follow up from you.
> 
> Does it mean that swi-prolog should be removed from testing in the first
> place and the bug should be closed, or the bug can be closed without
> removing?
> 

It means that swi-prolog/7.2.3+dfsg-6 cannot migrate until the removal
of the mips binaries built by swi-prolog/7.2.3+dfsg-5 (note the version
difference).  This is what #855004 is about.

The FTP masters have requested that you deal with the reverse
dependencies of the swi-prolog/7.2.3+dfsg-5 on mips.  This can be
"remove them from mips as well" or ask them to disable their
"swi-prolog" support on mips (either way should work).

> If removing is necessary, then what is the procedure to allow removed
> rdepends to migrate to testing back? Should I request unblock for them
> in this case?
> 
> Thanks!
> Lev
> 

Preferably, this is dealt with before swi-prolog is auto-removed from
testing.  If so, swi-prolog/7.2.3+dfsg-6 will migrate to testing and the
RC bug will be closed (in testing).

Hope that clarified it for you. Otherwise, let us know what you don't
understand.

Thanks,
~Niels

Bug#855232: unblock: theano/0.8.2-6

[Daniel Stender]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package theano [1].

The latest upload to unstable fixes three RC bugs:
#848764 (FTBFS), #831540 (FTBFS on i386), and #831541 (FTBFS on s390x).

And two important bugs: #835531 (randomly FTBFS), and #855102.

The problems have been solved by patches, please see the attached debdiff
for details.

Thank you,
Daniel Stender

[1] https://packages.qa.debian.org/t/theano.html

unblock theano/0.8.2-6

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru theano-0.8.2/debian/changelog theano-0.8.2/debian/changelog
--- theano-0.8.2/debian/changelog	2016-07-16 18:42:07.0 +0200
+++ theano-0.8.2/debian/changelog	2017-02-15 09:09:46.0 +0100
@@ -1,3 +1,38 @@
+theano (0.8.2-6) unstable; urgency=medium
+
+  * Upload to unstable.
+
+ -- Daniel Stender   Wed, 15 Feb 2017 09:09:46 +0100
+
+theano (0.8.2-6~exp1) experimental; urgency=medium
+
+  * add disable-overly-environment-dependent-test.patch (Closes: #835531).
+  * add fix-invalid-casts-negative-stride-handling.patch
+(Closes: #831541,#855102) [thanks again to Rebecca N. Palmer].
+
+ -- Daniel Stender   Wed, 15 Feb 2017 00:08:13 +0100
+
+theano (0.8.2-5) unstable; urgency=medium
+
+  *  Upload to unstable. 
+
+ -- Daniel Stender   Tue, 14 Feb 2017 09:47:30 +0100
+
+theano (0.8.2-5~exp1) experimental; urgency=medium
+
+  * add fix-test_fit_int64-for-python3-32bit.patch (Closes: #831540)
+[thanks to Rebecca N. Palmer].
+  * deb/rules: remove test failsafes completely.
+
+ -- Daniel Stender   Mon, 13 Feb 2017 23:53:19 +0100
+
+theano (0.8.2-4) unstable; urgency=medium
+
+  * add fixes-for-numpy-1.12.patch (Closes: #848764) [thanks to
+Rebecca N. Palmer].
+
+ -- Daniel Stender   Mon, 13 Feb 2017 15:04:06 +0100
+
 theano (0.8.2-3) unstable; urgency=medium
 
   * Upload to unstable.
diff -Nru theano-0.8.2/debian/patches/disable-overly-environment-dependent-test.patch theano-0.8.2/debian/patches/disable-overly-environment-dependent-test.patch
--- theano-0.8.2/debian/patches/disable-overly-environment-dependent-test.patch	1970-01-01 01:00:00.0 +0100
+++ theano-0.8.2/debian/patches/disable-overly-environment-dependent-test.patch	2017-02-14 23:55:31.0 +0100
@@ -0,0 +1,23 @@
+Description: Disable overly environment-dependent test
+ Testing speed by wall-clock time is inherently unreliable on a
+ shared machine such as Debian's buildds: don't let it fail the whole build.
+Author: Rebecca N. Palmer 
+Bug-Debian: https://bugs.debian.org/835531
+Forwarded: not-needed
+
+diff --git a/theano/sparse/tests/test_basic.py b/theano/sparse/tests/test_basic.py
+index 8c183b9..03d79f1 100644
+--- a/theano/sparse/tests/test_basic.py
 b/theano/sparse/tests/test_basic.py
+@@ -1209,8 +1209,8 @@ class test_structureddot(unittest.TestCase):
+ overhead_tol = 0.002  # seconds
+ overhead_rtol = 1.1  # times as long
+ utt.assert_allclose(scipy_result, theano_result)
+-if (not theano.config.mode in ["DebugMode", "DEBUG_MODE"] and
+-theano.config.cxx):
++
++if 0:#(not theano.config.mode in ["DebugMode", "DEBUG_MODE"] and theano.config.cxx):
+ self.assertFalse(
+ theano_time > overhead_rtol * scipy_time + overhead_tol,
+ (theano_time,
+
diff -Nru theano-0.8.2/debian/patches/fixes-for-numpy-1.12.patch theano-0.8.2/debian/patches/fixes-for-numpy-1.12.patch
--- theano-0.8.2/debian/patches/fixes-for-numpy-1.12.patch	1970-01-01 01:00:00.0 +0100
+++ theano-0.8.2/debian/patches/fixes-for-numpy-1.12.patch	2017-02-13 14:32:53.0 +0100
@@ -0,0 +1,80 @@
+Description: fix tests for Numpy 1.12
+ Collected fixes for passing Theano 0.8.2 tests with Numpy 1.12. Partly taken
+ from upstream repo, plus changes by Rebecca Palmer.
+Bug: https://github.com/Theano/Theano/issues/5396
+Bug-Debian: https://bugs.debian.org/848764
+Origin: https://github.com/Theano/Theano/commit/e8e01f4
+Author: Rebecca N. Palmer 
+
+--- a/theano/sparse/tests/test_sp2.py
 b/theano/sparse/tests/test_sp2.py
+@@ -61,7 +61,7 @@
+ 
+ 
+ class BinomialTester(utt.InferShapeTester):
+-n = tensor.scalar()
++n = tensor.scalar(dtype='int64')
+ p = tensor.scalar()
+ shape = tensor.lvector()
+ _n = 5
+--- a/theano/tensor/tests/test_elemwise.py
 b/theano/tensor/tests/test_elemwise.py
+@@ -414,7 +414,11 @@
+ zv = numpy.bitwise_or.reduce(zv, axis)
+ 

Re: Rebuilding packages to increase Stretch's PIE coverage

[Niels Thykier]

Bálint Réczey:
> Dear Release Team,
> 
> GCC uses PIE by default in unstable and testing but most packages
> which haven't been rebuilt since the transition still ship unprotected
> binaries [1].
> 
> If the Team agrees I suggest rebuilding the packages which would
> benefit from a rebuild. In case this gets a green light I would
> volunteer to perform a test rebuild for each package to see if the
> lintian warning goes away.
> 
> Ideally #848129 would be fixed before the rebuild but it seems unlikely
> that it would move forward without Release Team weighing in. I support
> Adrian's suggestion about removing all PIE support from dpkg.
> 
> Cheers,
> Balint
> 
> [1] https://lintian.debian.org/tags/hardening-no-pie.html
> 
> PS: Thanks to Hanno Böck for asking about the current situation and
> triggering this email. :-)
> 

Hi Bálint,

Thanks for the offer.

Personally, I am inclined to accept as it means that we migrate to PIE
for these binaries now rather than post-release (e.g. as a part of a
security update or stable update).

 * Do you have a number of affected source packages handy?

 * Do you have a plan for finding packages in testing that has not
   been rebuilt?  (lintian.d.o does not include testing)

Thanks,
~Niels

Bug#855138: unblock: swi-prolog/7.2.3+dfsg-6

[Lev Lamberov]

Hi Niels,

15.02.2017 22:48, Niels Thykier пишет:
> To avoid any misunderstandings, #855004 need to be fixed before
> swi-prolog/7.2.3+dfsg-6 can migrate.  You probably already noticed, but
> the FTP masters have requested a follow up from you.

Does it mean that swi-prolog should be removed from testing in the first
place and the bug should be closed, or the bug can be closed without
removing?

If removing is necessary, then what is the procedure to allow removed
rdepends to migrate to testing back? Should I request unblock for them
in this case?

Thanks!
Lev



signature.asc
Description: OpenPGP digital signature

Bug#855229: unblock: LDC and rdeps

[Matthias Klumpp]

Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock LDC 1:1.1.0+r-1 and its reverse-dependencies.
This would bring the LLVM D Compiler to its final version and replace
the beta version currently in Stretch. It will also completely fix bug
#850958 which made LDC not work at all on ppc64el.
The bug also prevented a couple of packages depending on LDC from
migrating to Stretch in-time, it would be great if those could be
unblocked as well, as each of them also resolves issues.
A list of rdeps which would need unblocking can be found below.

All packages have successfully been built on ppc64el.

Thank you for considering this!

Kind regards,
Matthias

unblock ldc/1:1.1.0+r-1
unblock mustache-d/0.1.3-1
unblock gtk-d/3.5.1-1
unblock terminix/1.4.2-3

Re: Various unblock-udebs

[Niels Thykier]

Emilio Pozuelo Monfort:
> On 14/02/17 03:48, Cyril Brulebois wrote:
>> Hello,
>>
>> Emilio asked me on IRC to have a look at a bunch of packages which both
>> have block-udeb and RC bug fixes. Here's a list with comments, I'm OK
>> with unblock-udeb'ing most of them (which doesn't mean you shouldn't
>> review as usual for the unblock part), except hw-detect and wpa, which
>> have commented out unblock-udeb lines.
> 
> Thanks. I'll review them in the evening if noone beats me to it.
> 
>> [...]
> 
> Cheers,
> Emilio
> 

I beat you to it! :D

Thanks,
~Niels

Bug#855216: unblock: singularity-container/2.2-2

[Niels Thykier]

Yaroslav Halchenko:
> [...]
> 
> Thank you!
> 

No problem :)

> Is there a chance to kick-force it to migrate before 10day waiting
> period ends due to security related aspect?  it is on 5th day ATM
> 

Already included :)

"""
$ hint grep  singularity-container
==> nthykier
  #2017-02-15
  # #855216
  age-days 5 singularity-container/2.2-2
  unblock singularity-container/2.2-2
nthykier@respighi:~$
"""

~Niels

Bug#855138: Re: Bug#855138: unblock: swi-prolog/7.2.3+dfsg-6

[Niels Thykier]

Niels Thykier:
> [...]
>>
>> [...]
> 
> Unblocked, thanks.
> 
> ~Niels
> 

Hi Lev,

To avoid any misunderstandings, #855004 need to be fixed before
swi-prolog/7.2.3+dfsg-6 can migrate.  You probably already noticed, but
the FTP masters have requested a follow up from you.

Thanks,
~Niels

Bug#855184: marked as done (unblock: mlt/6.4.1-2)

[Debian Bug Tracking System]

Your message dated Wed, 15 Feb 2017 17:46:00 +
with message-id <1129be49-f969-a1cb-89a9-51f9b9617...@thykier.net>
and subject line Re: Bug#855184: unblock: mlt/6.4.1-2
has caused the Debian Bug report #855184,
regarding unblock: mlt/6.4.1-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
855184: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855184
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package mlt

It adds two upstream patches to fix crashes of kdenlive/mlt.


diff --git a/debian/changelog b/debian/changelog
index f423448..378dc92 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+mlt (6.4.1-2) unstable; urgency=low
+
+  * Add upstream patch 01-crash-affine to fix a crash in affine due to relaxed
+constraints.
+  * Add upstream patch 02-crash-clipinfo-update to fix a crash in kdenlive when
+a clip has no resource.
+
+ -- Patrick Matthäi   Tue, 07 Feb 2017 13:13:57 +0100
+
 mlt (6.4.1-1) unstable; urgency=medium

   * New upstream release.
diff --git a/debian/patches/01-crash-affine.diff 
b/debian/patches/01-crash-affine.diff
new file mode 100644
index 000..ba13782
--- /dev/null
+++ b/debian/patches/01-crash-affine.diff
@@ -0,0 +1,40 @@
+commit ab626f7543e0498e3ca3842ba69ad2f2e66ce227
+Author: Dan Dennedy 
+Date:   Sun Jan 29 00:43:28 2017 -0800
+
+Fix crash in affine due to relaxed constraints.
+
+diff --git a/src/modules/plus/transition_affine.c 
b/src/modules/plus/transition_affine.c
+index 8c8820e..91607fd 100644
+--- a/src/modules/plus/transition_affine.c
 b/src/modules/plus/transition_affine.c
+@@ -1,6 +1,6 @@
+ /*
+  * transition_affine.c -- affine transformations
+- * Copyright (C) 2003-2016 Meltytech, LLC
++ * Copyright (C) 2003-2017 Meltytech, LLC
+  *
+  * This library is free software; you can redistribute it and/or
+  * modify it under the terms of the GNU Lesser General Public
+@@ -552,8 +552,8 @@ static int transition_get_image( mlt_frame a_frame, 
uint8_t **image, mlt_image_f
+
+   // Affine boundaries
+   float minima = 0;
+-  float xmax = b_width;
+-  float ymax = b_height;
++  float xmax = b_width - 1;
++  float ymax = b_height - 1;
+
+   // Set the interpolation function
+   if ( interps == NULL || strcmp( interps, "nearest" ) == 0 || 
strcmp( interps, "neighbor" ) == 0 || strcmp( interps, "tiles" ) == 0 || 
strcmp( interps, "fast_bilinear" ) == 0 )
+@@ -567,9 +567,7 @@ static int transition_get_image( mlt_frame a_frame, 
uint8_t **image, mlt_image_f
+   else if ( strcmp( interps, "bilinear" ) == 0 )
+   {
+   interp = interpBL_b32;
+-  // uses floorf. Values should be >= 0 and < max + 1.
+-  xmax += 0.99;
+-  ymax += 0.99;
++  // uses floorf.
+   }
+   else if ( strcmp( interps, "bicubic" ) == 0 ||  strcmp( 
interps, "hyper" ) == 0 || strcmp( interps, "sinc" ) == 0 || strcmp( interps, 
"lanczos" ) == 0 || strcmp( interps, "spline" ) == 0 )
+   {
diff --git a/debian/patches/02-crash-clipinfo-update.diff 
b/debian/patches/02-crash-clipinfo-update.diff
new file mode 100644
index 000..3a89684
--- /dev/null
+++ b/debian/patches/02-crash-clipinfo-update.diff
@@ -0,0 +1,19 @@
+commit bf2749ab998446f13ba20c8cbc33a8c4d1c36963
+Author: Jean-Baptiste Mardelle 
+Date:   Sun Feb 5 22:54:50 2017 +0100
+
+Fix crash in ClipInfo::update method when clip has no resource
+
+diff --git a/src/mlt++/MltPlaylist.cpp b/src/mlt++/MltPlaylist.cpp
+index 5676060..111d3f5 100644
+--- a/src/mlt++/MltPlaylist.cpp
 b/src/mlt++/MltPlaylist.cpp
+@@ -71,7 +71,7 @@ void ClipInfo::update( mlt_playlist_clip_info *info )
+   producer = new Producer( info->producer );
+   cut = new Producer( info->cut );
+   start = info->start;
+-  resource = strdup( info->resource );
++  resource = info->resource ? strdup( info->resource ) : 0;
+   frame_in = info->frame_in;
+   frame_out = info->frame_out;
+   frame_count = info->frame_count;
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..5a09da5
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+01-crash-affine.diff
+02-crash-clipinfo-update.diff



unblock mlt/6.4.1-2

-- System 

Bug#855185: marked as done (unblock: kdenlive/16.12.1-3)

[Debian Bug Tracking System]

Your message dated Wed, 15 Feb 2017 17:44:00 +
with message-id 
and subject line Re: Bug#855185: unblock: kdenlive/16.12.1-3
has caused the Debian Bug report #855185,
regarding unblock: kdenlive/16.12.1-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
855185: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855185
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hello,

please unblock kdenlive 16.12.1-3. It adds eleven upstream patches to fix
regressions with nvidia cards and various other bugs. On the other side I
would like to ask if I get a pre-approval for uploading kdenlive 16.12.2
(KDE Applications upgrade) to unstable/testing, which includes nearly all
of those eleven patches. It is nearly only a bugfix release.


diff -Naur '--exclude=.svn' 16.12.1-1/debian/changelog 
16.12.1-3/debian/changelog
--- 16.12.1-1/debian/changelog  2017-01-17 16:07:03.280587938 +0100
+++ 16.12.1-3/debian/changelog  2017-02-07 13:57:52.242304197 +0100
@@ -1,3 +1,33 @@
+kdenlive (16.12.1-3) unstable; urgency=low
+
+  * Add upstream patch 08-title-clip-select-twice:
+Fix title clip items need to be selected twice before allowing move.
+  * Add upstream patch 09-aspect-transparency-issues:
+Fix various aspect ratio issues and transparency of composite transition in
+some cases.
+  * Add upstream patch 10-crash-razor-multiple-clips:
+Fix crash on razor with multiple clips selected.
+  * Add upstream patch 11-project-archiving-fix:
+Fix color clips incorrectly detected and warn before overwriting project
+file.
+
+ -- Patrick Matthäi   Tue, 07 Feb 2017 13:23:05 +0100
+
+kdenlive (16.12.1-2) unstable; urgency=low
+
+  * Add this upstream patches, to fix some minor bugs and crashes, if you are
+using a nvidia card with movit.
+- 01-nvidia-crash-375094.
+  Closes: #853768
+- 02-nvidia-crash-movit-1.
+- 03-frame-extract-remember-folder.
+- 04-playlist-clip-expand.
+- 05-monitor-length-375163.
+- 06-playaction-not-pausing.
+- 07-nvidia-crash-movit-2.
+
+ -- Patrick Matthäi   Wed, 01 Feb 2017 11:16:36 +0100
+
 kdenlive (16.12.1-1) unstable; urgency=low

   * New upstream release.
diff -Naur '--exclude=.svn' 
16.12.1-1/debian/patches/01-nvidia-crash-375094.diff 
16.12.1-3/debian/patches/01-nvidia-crash-375094.diff
--- 16.12.1-1/debian/patches/01-nvidia-crash-375094.diff1970-01-01 
01:00:00.0 +0100
+++ 16.12.1-3/debian/patches/01-nvidia-crash-375094.diff2017-02-07 
13:57:52.310303805 +0100
@@ -0,0 +1,55 @@
+commit 8a20fca86e9e2ce3d04b3e024b0752e19f9d8c8e
+Author: Jean-Baptiste Mardelle 
+Date:   Mon Jan 16 20:06:00 2017 +0100
+
+Revert "Fix warning about QOffscreenSurface thread"
+Caused startup crash on NVidia cards
+CCBUG: 375094
+
+This reverts commit 6675c4a509046aa3b57c60cbc3f31435e09c2df7.
+
+diff --git a/src/monitor/glwidget.cpp b/src/monitor/glwidget.cpp
+index e4089e6..cd4f56a 100644
+--- a/src/monitor/glwidget.cpp
 b/src/monitor/glwidget.cpp
+@@ -109,7 +109,6 @@ GLWidget::GLWidget(int id, QObject *parent)
+ mlt_properties_set_data(mlt_global_properties(), "glslManager", NULL, 
0, NULL, NULL);
+ emit gpuNotSupported();
+ }
+-connect(this, SIGNAL(sceneGraphInitialized()), SLOT(createOffscreen()));
+ connect(this, SIGNAL(sceneGraphInitialized()), SLOT(initializeGL()), 
Qt::DirectConnection);
+ connect(this, SIGNAL(beforeRendering()), SLOT(paintGL()), 
Qt::DirectConnection);
+ }
+@@ -143,17 +142,14 @@ void GLWidget::updateAudioForAnalysis()
+   m_frameRenderer->sendAudioForAnalysis = 
KdenliveSettings::monitor_audio();
+ }
+
+-void GLWidget::createOffscreen()
++void GLWidget::initializeGL()
+ {
++if (m_isInitialized || !isVisible() || !openglContext()) return;
+ if (!m_offscreenSurface.isValid()) {
+ m_offscreenSurface.setFormat(openglContext()->format());
+ m_offscreenSurface.create();
++openglContext()->makeCurrent(this);
+ }
+-}
+-
+-void GLWidget::initializeGL()
+-{
+-if (m_isInitialized || !isVisible() || !openglContext()) return;
+ initializeOpenGLFunctions();
+ qDebug() << "OpenGL vendor: " << QString::fromUtf8((const char*) 
glGetString(GL_VENDOR));
+ qDebug() << "OpenGL renderer: " << QString::fromUtf8((const char*) 
glGetString(GL_RENDERER));
+diff --git a/src/monitor/glwidget.h 

Bug#855114: marked as done (unblock (pre-approval): nginx/1.10.3-1)

[Debian Bug Tracking System]

Your message dated Wed, 15 Feb 2017 17:35:00 +
with message-id <6efa1f4c-1396-b2fc-f477-dfad4df91...@thykier.net>
and subject line Re: Bug#855114: unblock (pre-approval): nginx/1.10.3-1
has caused the Debian Bug report #855114,
regarding unblock (pre-approval): nginx/1.10.3-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
855114: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855114
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

*I have not yet uploaded to unstable*, and I am asking for pre-approval
to upload 1.10.3-1.

1.10.3-1 will only include the new upstream release (1.10.2 -> 1.10.3)
and no packaging changes.

Nginx 1.10.3 is a stable bugfix release that handles 8 bugfixes
including a segmentation fault.

Relevant bug report: https://bugs.debian.org/855113
Changelog: https://nginx.org/en/CHANGES-1.10
Diff: https://github.com/nginx/nginx/compare/release-1.10.2...release-1.10.3

Thank you!
--- End Message ---
--- Begin Message ---
Christos Trochalakis:
> On Tue, Feb 14, 2017 at 05:12:00PM +, Niels Thykier wrote:
>> Control: tags -1 confirmed
>>
>> [...]
> 
> Thanks, I have uploaded nginx-1.10.3-1 to unstable.
> 
> I took the liberty to also piggyback a change to our VCS location in
> d/control:
> 
> [...]

Fair enough. :)  Unblocked.

Thanks,
~Niels--- End Message ---

Bug#855216: marked as done (unblock: singularity-container/2.2-2)

[Debian Bug Tracking System]

Your message dated Wed, 15 Feb 2017 17:17:00 +
with message-id <3bb44dcd-57ee-6ab8-1be1-f686f20ba...@thykier.net>
and subject line Re: Bug#855216: unblock: singularity-container/2.2-2
has caused the Debian Bug report #855216,
regarding unblock: singularity-container/2.2-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
855216: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855216
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package singularity-container

2.2 release contained a vulnerability described in detail upstream
https://github.com/singularityware/singularity/releases/tag/2.2.1 :
In versions of Singularity previous to 2.2.1, it was possible for a malicious 
user to create and manipulate specifically crafted raw devices within 
containers they own. Utilizing MS_NODEV as a container image mount option 
mitigates this potential vector of attack. As a result, this update should be 
implemented with high urgency. A big thanks to Mattias Wadenstein (@UMU in 
Sweden) for identifying and reporting this issue!

2.2-2 (debdiff attached) was prepared in collaboration with upstream to cover
that vulnerability and address few other possibly security related (snprintf)
and  functionality related issues.  security@d.o was provided with debdiff and
no negative opinions were expressed.

unblock singularity-container/2.2-2

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (900, 'testing'), (600, 'unstable'), (300, 'experimental'), (100, 
'unstable-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru singularity-container-2.2/debian/changelog 
singularity-container-2.2/debian/changelog
--- singularity-container-2.2/debian/changelog  2016-11-30 12:33:01.0 
-0500
+++ singularity-container-2.2/debian/changelog  2017-02-09 16:27:55.0 
-0500
@@ -1,3 +1,24 @@
+singularity-container (2.2-2) unstable; urgency=high
+
+  * debian/patches - picks up from upcoming 2.2.1 release
+critical functionality and possibly security-related fixes
+- changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff
+  to support mounting ext4 formatted images read-only
+- changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff
+  to utilize mount option MS_NODEV for images
+  (fixes potential security implications)
+- changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff
+  to fix bootstrapping ran as root (thus no MS_NODEV restriction
+  from above patch should be applied)
+- changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff
+  exit with error if snprintf would have went out of bounds
+- changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff
+  changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
+  changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
+  Various obvious fixes (updated URLs, apt --force-yes)
+
+ -- Yaroslav Halchenko   Thu, 09 Feb 2017 16:27:55 -0500
+
 singularity-container (2.2-1) unstable; urgency=medium
 
   [ Mehdi Dogguy ]
diff -Nru 
singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
 
singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
--- 
singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
1969-12-31 19:00:00.0 -0500
+++ 
singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
2017-02-09 16:27:55.0 -0500
@@ -0,0 +1,21 @@
+From: Gregory M. Kurtzer 
+Subject: Use --force-yes
+
+--- a/examples/debian.def
 b/examples/debian.def
+@@ -16,5 +16,5 @@ MirrorURL: http://ftp.us.debian.org/debi
+ %post
+ echo "Hello from inside the container"
+ apt-get update
+-apt-get -y install vim
++apt-get -y --force-yes install vim
+ 
+--- a/examples/ubuntu.def
 b/examples/ubuntu.def
+@@ -16,5 +16,5 @@ MirrorURL: http://us.archive.ubuntu.com/
+ %post
+ echo "Hello from inside the container"
+ sed -i 's/$/ universe/' /etc/apt/sources.list
+-apt-get -y install vim
++apt-get -y --force-yes install vim
+ 
diff -Nru 

Processed: petsc / openmpi

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> block 854905 by 855217
Bug #854905 [release.debian.org] nmu: petsc_3.7.5+dfsg1-4
Bug #855204 [release.debian.org] libpetsc3.7.5-dev: uninstallable - Depends: 
libopenmpi-dev (< 2.0.2~git.20161226)
854905 was not blocked by any bugs.
854905 was not blocking any bugs.
Added blocking bug(s) of 854905: 855217
855204 was not blocked by any bugs.
855204 was not blocking any bugs.
Added blocking bug(s) of 855204: 855217
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
854905: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854905
855204: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855204
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#855216: unblock: singularity-container/2.2-2

[Sébastien Delafond]

Dear Release Managers,

the Security Team has reviewed the diff related to this security
problem, and we support the unblock request.

Cheers,

--Seb

Bug#855204: libpetsc3.7.5-dev: uninstallable - Depends: libopenmpi-dev (< 2.0.2~git.20161226)

[Drew Parsons]

On Wed, 15 Feb 2017 23:40:57 +0800 Drew Parsons 
wrote:
> 
> the Affecting Bug shows up neither on the src:petsc
> overview on bugs.debian.org, nor in reportbug (for libpetsc3.7.5-
> dev).

> I'll file a bug (or 2 bugs).
> 


In fact already reported.

#544812 against reportbug
#636689 against bugs.debian.org

Rebuilding packages to increase Stretch's PIE coverage

[Bálint Réczey]

Dear Release Team,

GCC uses PIE by default in unstable and testing but most packages
which haven't been rebuilt since the transition still ship unprotected
binaries [1].

If the Team agrees I suggest rebuilding the packages which would
benefit from a rebuild. In case this gets a green light I would
volunteer to perform a test rebuild for each package to see if the
lintian warning goes away.

Ideally #848129 would be fixed before the rebuild but it seems unlikely
that it would move forward without Release Team weighing in. I support
Adrian's suggestion about removing all PIE support from dpkg.

Cheers,
Balint

[1] https://lintian.debian.org/tags/hardening-no-pie.html

PS: Thanks to Hanno Böck for asking about the current situation and
triggering this email. :-)

Bug#855204: libpetsc3.7.5-dev: uninstallable - Depends: libopenmpi-dev (< 2.0.2~git.20161226)

[Drew Parsons]

On Wed, 15 Feb 2017 13:45:41 + James Cowgill 
wrote:
> > 
> > Please look for already reported bugs before reporting new ones
(there
> > is an "affect" so it is in libpetsc3.7.5-dev bugs list).
> 
> Well I did check petsc (not release.debian.org), but affects on
binary
> packages don't actually show up on the main bugs page - #636689
> 


James is right, the Affecting Bug shows up neither on the src:petsc
overview on bugs.debian.org, nor in reportbug (for libpetsc3.7.5-dev).

I'll file a bug (or 2 bugs).

Drew

Bug#855216: unblock: singularity-container/2.2-2

[Yaroslav Halchenko]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package singularity-container

2.2 release contained a vulnerability described in detail upstream
https://github.com/singularityware/singularity/releases/tag/2.2.1 :
In versions of Singularity previous to 2.2.1, it was possible for a malicious 
user to create and manipulate specifically crafted raw devices within 
containers they own. Utilizing MS_NODEV as a container image mount option 
mitigates this potential vector of attack. As a result, this update should be 
implemented with high urgency. A big thanks to Mattias Wadenstein (@UMU in 
Sweden) for identifying and reporting this issue!

2.2-2 (debdiff attached) was prepared in collaboration with upstream to cover
that vulnerability and address few other possibly security related (snprintf)
and  functionality related issues.  security@d.o was provided with debdiff and
no negative opinions were expressed.

unblock singularity-container/2.2-2

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (900, 'testing'), (600, 'unstable'), (300, 'experimental'), (100, 
'unstable-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru singularity-container-2.2/debian/changelog 
singularity-container-2.2/debian/changelog
--- singularity-container-2.2/debian/changelog  2016-11-30 12:33:01.0 
-0500
+++ singularity-container-2.2/debian/changelog  2017-02-09 16:27:55.0 
-0500
@@ -1,3 +1,24 @@
+singularity-container (2.2-2) unstable; urgency=high
+
+  * debian/patches - picks up from upcoming 2.2.1 release
+critical functionality and possibly security-related fixes
+- changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff
+  to support mounting ext4 formatted images read-only
+- changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff
+  to utilize mount option MS_NODEV for images
+  (fixes potential security implications)
+- changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff
+  to fix bootstrapping ran as root (thus no MS_NODEV restriction
+  from above patch should be applied)
+- changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff
+  exit with error if snprintf would have went out of bounds
+- changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff
+  changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
+  changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
+  Various obvious fixes (updated URLs, apt --force-yes)
+
+ -- Yaroslav Halchenko   Thu, 09 Feb 2017 16:27:55 -0500
+
 singularity-container (2.2-1) unstable; urgency=medium
 
   [ Mehdi Dogguy ]
diff -Nru 
singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
 
singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
--- 
singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
1969-12-31 19:00:00.0 -0500
+++ 
singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
2017-02-09 16:27:55.0 -0500
@@ -0,0 +1,21 @@
+From: Gregory M. Kurtzer 
+Subject: Use --force-yes
+
+--- a/examples/debian.def
 b/examples/debian.def
+@@ -16,5 +16,5 @@ MirrorURL: http://ftp.us.debian.org/debi
+ %post
+ echo "Hello from inside the container"
+ apt-get update
+-apt-get -y install vim
++apt-get -y --force-yes install vim
+ 
+--- a/examples/ubuntu.def
 b/examples/ubuntu.def
+@@ -16,5 +16,5 @@ MirrorURL: http://us.archive.ubuntu.com/
+ %post
+ echo "Hello from inside the container"
+ sed -i 's/$/ universe/' /etc/apt/sources.list
+-apt-get -y install vim
++apt-get -y --force-yes install vim
+ 
diff -Nru 
singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
 
singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
--- 
singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
1969-12-31 19:00:00.0 -0500
+++ 
singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
2017-02-09 16:27:55.0 -0500
@@ -0,0 +1,14 @@
+From: Nekel-Seyew 
+Subject: added an ERRNO==ENOENT clause
+
+--- a/src/lib/file/group/group.c
 b/src/lib/file/group/group.c
+@@ -139,7 +139,7 @@ int singularity_file_group(void) {
+ singularity_message(VERBOSE3, "Found supplementary group 
membership in: %d\n", gids[i]);
+ singularity_message(VERBOSE2, "Adding user's supplementary 
group ('%s') info to template group file\n", 

Bug#855217: unblock: openmpi/2.0.2

[Alastair McKinstry]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package openmpi to fix RC bug #848574

Openmpi 2.0.2 was released just as Stretch was being frozen. The package in 
testing,
2.0.2~git.20161225 was packaged to get relevant (2.0.2) changes into Stretch, 
but unfortuanatelt contained
a significant bug on mips64el release architecture that was not caught before 
transition.

debdiff too large to be useful.

unblock openmpi/2.0.2-2


-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 4.9.0-1-686-pae (SMP w/1 CPU core)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_IE.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Bug#855214: unblock: asterisk/1:13.14.0~dfsg-1 (pre-approval)

[Bernhard Schmidt]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

I would like to request permission to update Asterisk in Stretch to a new
upstream release (13.13.2 to 13.14.0). This version has mostly bugfixes 
but only very minor new features.

Unfortunately a couple of bugs have surfaced that make Asterisk in Stretch
close to unusable in certain configurations. They are priority important right
now but are borderline RC for some system configurations

Bug#853792: Asterisk does not work at all on systems without IPv6. Only viable
workaround is to enable IPv6

Bug#855014: The chan_pjsip driver has a broken codec selection that leads
to asymetric codecs being negotiated with the endpoint, leading to
one-way audio. The only viable workaround is to limit codecs on the
phone to just one codec.

Both commits could be backported, but this would make it harder to support
during the lifetime of Stretch. Additionally there are a tons of other fixes
in this version that sound good-to-have in Stretch (memory leaks etc.). 

Additionally it would allow us to drop two patches that have been included
upstream and our OpenSSL 1.1.0 support would be much closer to upstream (we
cannot drop all patches because something is still missing, but all remaining
patches are already queued in upstreams CI for merging). 

There are no changes in packaging besides debian/patches.

The package is currently in experimental as asterisk/1:13.14.0~dfsg-1~exp1.
I'm asking for approval for upload to unstable. 

Bernhard

Bug#855114: unblock (pre-approval): nginx/1.10.3-1

[Christos Trochalakis]

On Tue, Feb 14, 2017 at 05:12:00PM +, Niels Thykier wrote:

Control: tags -1 confirmed

Christos Trochalakis:

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

*I have not yet uploaded to unstable*, and I am asking for pre-approval
to upload 1.10.3-1.

1.10.3-1 will only include the new upstream release (1.10.2 -> 1.10.3)
and no packaging changes.

Nginx 1.10.3 is a stable bugfix release that handles 8 bugfixes
including a segmentation fault.

Relevant bug report: https://bugs.debian.org/855113
Changelog: https://nginx.org/en/CHANGES-1.10
Diff:
https://github.com/nginx/nginx/compare/release-1.10.2...release-1.10.3

Thank you!



Ok, please go ahead and upload that to unstable (I assuming there are
not changes to the debian/ beyond on the d/changelog).

Thanks,
~Niels



Thanks, I have uploaded nginx-1.10.3-1 to unstable.

I took the liberty to also piggyback a change to our VCS location in d/control:

nginx-1.10.2/debian/control nginx-1.10.3/debian/control
--- nginx-1.10.2/debian/control 2017-01-22 12:19:30.0 +0200
+++ nginx-1.10.3/debian/control 2017-02-15 09:58:13.0 +0200
@@ -27,8 +27,8 @@
   zlib1g-dev
Standards-Version: 3.9.8.0
Homepage: http://nginx.net
-Vcs-Git: https://anonscm.debian.org/cgit/collab-maint/nginx.git
-Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/nginx.git
+Vcs-Git: https://anonscm.debian.org/cgit/pkg-nginx/nginx.git
+Vcs-Browser: https://anonscm.debian.org/cgit/pkg-nginx/nginx.git

Bug#855204: libpetsc3.7.5-dev: uninstallable - Depends: libopenmpi-dev (< 2.0.2~git.20161226)

[James Cowgill]

On 15/02/17 13:41, Mattia Rizzolo wrote:
> Control: reassign -1 release.debian.org
> Control: forcemerge 854905 -1
> 
> On Wed, Feb 15, 2017 at 01:09:16PM +, James Cowgill wrote:
>> Package: libpetsc3.7.5-dev
>> Version: 3.7.5+dfsg1-3
>> Severity: serious
>> Tags: sid stretch
> 
> Please look for already reported bugs before reporting new ones (there
> is an "affect" so it is in libpetsc3.7.5-dev bugs list).

Well I did check petsc (not release.debian.org), but affects on binary
packages don't actually show up on the main bugs page - #636689

James



signature.asc
Description: OpenPGP digital signature

Processed: Re: Bug#855204: libpetsc3.7.5-dev: uninstallable - Depends: libopenmpi-dev (< 2.0.2~git.20161226)

[Debian Bug Tracking System]

Processing control commands:

> reassign -1 release.debian.org
Bug #855204 [libpetsc3.7.5-dev] libpetsc3.7.5-dev: uninstallable - Depends: 
libopenmpi-dev (< 2.0.2~git.20161226)
Bug reassigned from package 'libpetsc3.7.5-dev' to 'release.debian.org'.
No longer marked as found in versions petsc/3.7.5+dfsg1-3.
Ignoring request to alter fixed versions of bug #855204 to the same values 
previously set
> forcemerge 854905 -1
Bug #854905 [release.debian.org] nmu: petsc_3.7.5+dfsg1-4
Bug #854905 [release.debian.org] nmu: petsc_3.7.5+dfsg1-4
Added tag(s) stretch and sid.
Bug #855204 [release.debian.org] libpetsc3.7.5-dev: uninstallable - Depends: 
libopenmpi-dev (< 2.0.2~git.20161226)
Severity set to 'normal' from 'serious'
Added indication that 855204 affects libpetsc3.7.5-dev
Merged 854905 855204

-- 
854905: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854905
855204: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855204
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#855185: unblock: kdenlive/16.12.1-3

[Patrick Matthäi]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hello,

please unblock kdenlive 16.12.1-3. It adds eleven upstream patches to fix
regressions with nvidia cards and various other bugs. On the other side I
would like to ask if I get a pre-approval for uploading kdenlive 16.12.2
(KDE Applications upgrade) to unstable/testing, which includes nearly all
of those eleven patches. It is nearly only a bugfix release.


diff -Naur '--exclude=.svn' 16.12.1-1/debian/changelog 
16.12.1-3/debian/changelog
--- 16.12.1-1/debian/changelog  2017-01-17 16:07:03.280587938 +0100
+++ 16.12.1-3/debian/changelog  2017-02-07 13:57:52.242304197 +0100
@@ -1,3 +1,33 @@
+kdenlive (16.12.1-3) unstable; urgency=low
+
+  * Add upstream patch 08-title-clip-select-twice:
+Fix title clip items need to be selected twice before allowing move.
+  * Add upstream patch 09-aspect-transparency-issues:
+Fix various aspect ratio issues and transparency of composite transition in
+some cases.
+  * Add upstream patch 10-crash-razor-multiple-clips:
+Fix crash on razor with multiple clips selected.
+  * Add upstream patch 11-project-archiving-fix:
+Fix color clips incorrectly detected and warn before overwriting project
+file.
+
+ -- Patrick Matthäi   Tue, 07 Feb 2017 13:23:05 +0100
+
+kdenlive (16.12.1-2) unstable; urgency=low
+
+  * Add this upstream patches, to fix some minor bugs and crashes, if you are
+using a nvidia card with movit.
+- 01-nvidia-crash-375094.
+  Closes: #853768
+- 02-nvidia-crash-movit-1.
+- 03-frame-extract-remember-folder.
+- 04-playlist-clip-expand.
+- 05-monitor-length-375163.
+- 06-playaction-not-pausing.
+- 07-nvidia-crash-movit-2.
+
+ -- Patrick Matthäi   Wed, 01 Feb 2017 11:16:36 +0100
+
 kdenlive (16.12.1-1) unstable; urgency=low

   * New upstream release.
diff -Naur '--exclude=.svn' 
16.12.1-1/debian/patches/01-nvidia-crash-375094.diff 
16.12.1-3/debian/patches/01-nvidia-crash-375094.diff
--- 16.12.1-1/debian/patches/01-nvidia-crash-375094.diff1970-01-01 
01:00:00.0 +0100
+++ 16.12.1-3/debian/patches/01-nvidia-crash-375094.diff2017-02-07 
13:57:52.310303805 +0100
@@ -0,0 +1,55 @@
+commit 8a20fca86e9e2ce3d04b3e024b0752e19f9d8c8e
+Author: Jean-Baptiste Mardelle 
+Date:   Mon Jan 16 20:06:00 2017 +0100
+
+Revert "Fix warning about QOffscreenSurface thread"
+Caused startup crash on NVidia cards
+CCBUG: 375094
+
+This reverts commit 6675c4a509046aa3b57c60cbc3f31435e09c2df7.
+
+diff --git a/src/monitor/glwidget.cpp b/src/monitor/glwidget.cpp
+index e4089e6..cd4f56a 100644
+--- a/src/monitor/glwidget.cpp
 b/src/monitor/glwidget.cpp
+@@ -109,7 +109,6 @@ GLWidget::GLWidget(int id, QObject *parent)
+ mlt_properties_set_data(mlt_global_properties(), "glslManager", NULL, 
0, NULL, NULL);
+ emit gpuNotSupported();
+ }
+-connect(this, SIGNAL(sceneGraphInitialized()), SLOT(createOffscreen()));
+ connect(this, SIGNAL(sceneGraphInitialized()), SLOT(initializeGL()), 
Qt::DirectConnection);
+ connect(this, SIGNAL(beforeRendering()), SLOT(paintGL()), 
Qt::DirectConnection);
+ }
+@@ -143,17 +142,14 @@ void GLWidget::updateAudioForAnalysis()
+   m_frameRenderer->sendAudioForAnalysis = 
KdenliveSettings::monitor_audio();
+ }
+
+-void GLWidget::createOffscreen()
++void GLWidget::initializeGL()
+ {
++if (m_isInitialized || !isVisible() || !openglContext()) return;
+ if (!m_offscreenSurface.isValid()) {
+ m_offscreenSurface.setFormat(openglContext()->format());
+ m_offscreenSurface.create();
++openglContext()->makeCurrent(this);
+ }
+-}
+-
+-void GLWidget::initializeGL()
+-{
+-if (m_isInitialized || !isVisible() || !openglContext()) return;
+ initializeOpenGLFunctions();
+ qDebug() << "OpenGL vendor: " << QString::fromUtf8((const char*) 
glGetString(GL_VENDOR));
+ qDebug() << "OpenGL renderer: " << QString::fromUtf8((const char*) 
glGetString(GL_RENDERER));
+diff --git a/src/monitor/glwidget.h b/src/monitor/glwidget.h
+index dc1e0e2..d12500a 100644
+--- a/src/monitor/glwidget.h
 b/src/monitor/glwidget.h
+@@ -182,7 +182,6 @@ private slots:
+ void updateTexture(GLuint yName, GLuint uName, GLuint vName);
+ void paintGL();
+ void onFrameDisplayed(const SharedFrame );
+-void createOffscreen();
+
+ protected:
+ void resizeEvent(QResizeEvent* event);
diff -Naur '--exclude=.svn' 
16.12.1-1/debian/patches/02-nvidia-crash-movit-1.diff 
16.12.1-3/debian/patches/02-nvidia-crash-movit-1.diff
--- 16.12.1-1/debian/patches/02-nvidia-crash-movit-1.diff   1970-01-01 
01:00:00.0 +0100
+++ 16.12.1-3/debian/patches/02-nvidia-crash-movit-1.diff   2017-02-07 
13:57:52.250304150 +0100
@@ -0,0 +1,44 @@
+commit 754b8eeed8c1a874a5535eb5136b02841a812180
+Author: Jean-Baptiste Mardelle 
+Date:   Fri Jan 

Bug#855184: unblock: mlt/6.4.1-2

[Patrick Matthäi]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package mlt

It adds two upstream patches to fix crashes of kdenlive/mlt.


diff --git a/debian/changelog b/debian/changelog
index f423448..378dc92 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+mlt (6.4.1-2) unstable; urgency=low
+
+  * Add upstream patch 01-crash-affine to fix a crash in affine due to relaxed
+constraints.
+  * Add upstream patch 02-crash-clipinfo-update to fix a crash in kdenlive when
+a clip has no resource.
+
+ -- Patrick Matthäi   Tue, 07 Feb 2017 13:13:57 +0100
+
 mlt (6.4.1-1) unstable; urgency=medium

   * New upstream release.
diff --git a/debian/patches/01-crash-affine.diff 
b/debian/patches/01-crash-affine.diff
new file mode 100644
index 000..ba13782
--- /dev/null
+++ b/debian/patches/01-crash-affine.diff
@@ -0,0 +1,40 @@
+commit ab626f7543e0498e3ca3842ba69ad2f2e66ce227
+Author: Dan Dennedy 
+Date:   Sun Jan 29 00:43:28 2017 -0800
+
+Fix crash in affine due to relaxed constraints.
+
+diff --git a/src/modules/plus/transition_affine.c 
b/src/modules/plus/transition_affine.c
+index 8c8820e..91607fd 100644
+--- a/src/modules/plus/transition_affine.c
 b/src/modules/plus/transition_affine.c
+@@ -1,6 +1,6 @@
+ /*
+  * transition_affine.c -- affine transformations
+- * Copyright (C) 2003-2016 Meltytech, LLC
++ * Copyright (C) 2003-2017 Meltytech, LLC
+  *
+  * This library is free software; you can redistribute it and/or
+  * modify it under the terms of the GNU Lesser General Public
+@@ -552,8 +552,8 @@ static int transition_get_image( mlt_frame a_frame, 
uint8_t **image, mlt_image_f
+
+   // Affine boundaries
+   float minima = 0;
+-  float xmax = b_width;
+-  float ymax = b_height;
++  float xmax = b_width - 1;
++  float ymax = b_height - 1;
+
+   // Set the interpolation function
+   if ( interps == NULL || strcmp( interps, "nearest" ) == 0 || 
strcmp( interps, "neighbor" ) == 0 || strcmp( interps, "tiles" ) == 0 || 
strcmp( interps, "fast_bilinear" ) == 0 )
+@@ -567,9 +567,7 @@ static int transition_get_image( mlt_frame a_frame, 
uint8_t **image, mlt_image_f
+   else if ( strcmp( interps, "bilinear" ) == 0 )
+   {
+   interp = interpBL_b32;
+-  // uses floorf. Values should be >= 0 and < max + 1.
+-  xmax += 0.99;
+-  ymax += 0.99;
++  // uses floorf.
+   }
+   else if ( strcmp( interps, "bicubic" ) == 0 ||  strcmp( 
interps, "hyper" ) == 0 || strcmp( interps, "sinc" ) == 0 || strcmp( interps, 
"lanczos" ) == 0 || strcmp( interps, "spline" ) == 0 )
+   {
diff --git a/debian/patches/02-crash-clipinfo-update.diff 
b/debian/patches/02-crash-clipinfo-update.diff
new file mode 100644
index 000..3a89684
--- /dev/null
+++ b/debian/patches/02-crash-clipinfo-update.diff
@@ -0,0 +1,19 @@
+commit bf2749ab998446f13ba20c8cbc33a8c4d1c36963
+Author: Jean-Baptiste Mardelle 
+Date:   Sun Feb 5 22:54:50 2017 +0100
+
+Fix crash in ClipInfo::update method when clip has no resource
+
+diff --git a/src/mlt++/MltPlaylist.cpp b/src/mlt++/MltPlaylist.cpp
+index 5676060..111d3f5 100644
+--- a/src/mlt++/MltPlaylist.cpp
 b/src/mlt++/MltPlaylist.cpp
+@@ -71,7 +71,7 @@ void ClipInfo::update( mlt_playlist_clip_info *info )
+   producer = new Producer( info->producer );
+   cut = new Producer( info->cut );
+   start = info->start;
+-  resource = strdup( info->resource );
++  resource = info->resource ? strdup( info->resource ) : 0;
+   frame_in = info->frame_in;
+   frame_out = info->frame_out;
+   frame_count = info->frame_count;
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..5a09da5
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+01-crash-affine.diff
+02-crash-clipinfo-update.diff



unblock mlt/6.4.1-2

-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)