Bug#854905: nmu: petsc_3.7.5+dfsg1-4
On Sun, 12 Feb 2017 20:16:06 +0100 Emilio Pozuelo Monfortwrote: > > > > A binNMU seems to be sufficient here. > > > > nmu petsc_3.7.5+dfsg1-4 . ANY . unstable . -m "Rebuild with openmpi 2.0.2" > > We should probably wait until petsc migrates, and then maybe not do this unless > we unblock openmpi. > petsc 3.7.5+dfsg1-4 has now hit testing. Unblock for openmpi has been requested in #855217. Please binNMU petsc at your convenience. Drew p.s. I raised the question of the tight openmpi dependency with PETSc authors. They said the tight dependency was put in place so that PETSc would have consistent MPI handling. Otherwise configure, build and runtime of apps using PETSc could all be performed with different mpi versions, which can lead to error especially if the runtime version is older. Moreover mpich does not provide a simple major.minor.subminor decomposition. So the tight dependency on openmpi subminor version was put in place to match the handling used for the single version number available for mpich. But in principle later subminor versions of openmpi should work fine, and so the PETSc authors are putting in place a more relaxed test allowing use with later subminor versions (for the same major.minor). Once this patch is in place (in future versions of petsc), we won't be affected by the same version incompatibility reported here.
Bug#855258: unblock: spice/0.12.8-2.1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Hi Please unblock package spice It fixes two CVEs, CVE-2016-9577 CVE-2016-9578, reported by Moritz as #854336. Markus Kschany fixed it as: +spice (0.12.8-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * Add CVE-2016-9577-and-CVE-2016-9578.patch: +- CVE-2016-9577: A buffer overflow vulnerability in + main_channel_alloc_msg_rcv_buf was found that occurs when reading large + messages due to missing buffer size check. +- CVE-2016-9578: A vulnerability was discovered in the server's + protocol handling. An attacker able to connect to the spice server could + send crafted messages which would cause the process to crash. + (Closes: #854336) + + -- Markus KoschanyMon, 13 Feb 2017 21:42:01 +0100 Attached the resulting debdiff from the version in testing. unblock spice/0.12.8-2.1 Regards, Salvatore diff -Nru spice-0.12.8/debian/changelog spice-0.12.8/debian/changelog --- spice-0.12.8/debian/changelog 2017-01-06 14:50:55.0 +0100 +++ spice-0.12.8/debian/changelog 2017-02-13 21:42:01.0 +0100 @@ -1,3 +1,17 @@ +spice (0.12.8-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * Add CVE-2016-9577-and-CVE-2016-9578.patch: +- CVE-2016-9577: A buffer overflow vulnerability in + main_channel_alloc_msg_rcv_buf was found that occurs when reading large + messages due to missing buffer size check. +- CVE-2016-9578: A vulnerability was discovered in the server's + protocol handling. An attacker able to connect to the spice server could + send crafted messages which would cause the process to crash. + (Closes: #854336) + + -- Markus Koschany Mon, 13 Feb 2017 21:42:01 +0100 + spice (0.12.8-2) unstable; urgency=medium * Build on all little-endian architectures (Closes: #734218) diff -Nru spice-0.12.8/debian/patches/CVE-2016-9577-and-CVE-2016-9578.patch spice-0.12.8/debian/patches/CVE-2016-9577-and-CVE-2016-9578.patch --- spice-0.12.8/debian/patches/CVE-2016-9577-and-CVE-2016-9578.patch 1970-01-01 01:00:00.0 +0100 +++ spice-0.12.8/debian/patches/CVE-2016-9577-and-CVE-2016-9578.patch 2017-02-13 21:42:01.0 +0100 @@ -0,0 +1,54 @@ +From: Markus Koschany +Date: Mon, 13 Feb 2017 21:38:02 +0100 +Subject: CVE-2016-9577 and CVE-2016-9578 + +Bug-Debian: https://bugs.debian.org/854336 +Origin: http://pkgs.fedoraproject.org/cgit/rpms/spice.git/commit/?id=d919d639ae5f83a9735a04d843eed675f9357c0d +--- + server/main_channel.c | 3 +++ + server/reds.c | 11 ++- + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/server/main_channel.c b/server/main_channel.c +index 0ecc9df..1fc3915 100644 +--- a/server/main_channel.c b/server/main_channel.c +@@ -1026,6 +1026,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc, + + if (type == SPICE_MSGC_MAIN_AGENT_DATA) { + return reds_get_agent_data_buffer(mcc, size); ++} else if (size > sizeof(main_chan->recv_buf)) { ++/* message too large, caller will log a message and close the connection */ ++return NULL; + } else { + return main_chan->recv_buf; + } +diff --git a/server/reds.c b/server/reds.c +index 61bf735..4c60f58 100644 +--- a/server/reds.c b/server/reds.c +@@ -2110,6 +2110,14 @@ static void reds_handle_read_link_done(void *opaque) + link_mess->num_channel_caps = GUINT32_FROM_LE(link_mess->num_channel_caps); + link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps); + ++/* Prevent DoS. Currently we defined only 13 capabilities, ++ * I expect 1024 to be valid for quite a lot time */ ++if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024) { ++reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA); ++reds_link_free(link); ++return; ++} ++ + num_caps = link_mess->num_common_caps + link_mess->num_channel_caps; + caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset); + +@@ -2202,7 +2210,8 @@ static void reds_handle_read_header_done(void *opaque) + + reds->peer_minor_version = header->minor_version; + +-if (header->size < sizeof(SpiceLinkMess)) { ++/* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */ ++if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) { + reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA); + spice_warning("bad size %u", header->size); + reds_link_free(link); diff -Nru spice-0.12.8/debian/patches/series spice-0.12.8/debian/patches/series --- spice-0.12.8/debian/patches/series 2017-01-06 14:50:42.0 +0100 +++ spice-0.12.8/debian/patches/series 2017-02-13 21:42:01.0 +0100 @@ -1 +1,2 @@ stop-linking-with-libcacard.diff
Re: source-only uploads and arch:all buildds for stretch?
On 16/02/17 00:17, Aurelien Jarno wrote: > Dear release team, > > Before too many people ask the w-b team about that, do we want to allow > source-only uploads and therefore arch:all buildds for stretch? Probably a question for the SRMs, but IMHO yes. Cheers, Emilio
source-only uploads and arch:all buildds for stretch?
Dear release team, Before too many people ask the w-b team about that, do we want to allow source-only uploads and therefore arch:all buildds for stretch? If so we'll enable the all/stretch architecture in wanna-build, configure the arch:all autobuilders accordingly. I guess the ftp-masters team can then enable source-only uploads for stretch. Aurelien (with his w-b team hat) -- Aurelien Jarno GPG: 4096R/1DDD8C9B aurel...@aurel32.net http://www.aurel32.net
Bug#855232: marked as done (unblock: theano/0.8.2-6)
Your message dated Thu, 16 Feb 2017 00:04:42 +0100 with message-id <119f9b4f-62a1-414a-1039-3673d846a...@debian.org> and subject line Re: Bug#855232: unblock: theano/0.8.2-6 has caused the Debian Bug report #855232, regarding unblock: theano/0.8.2-6 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 855232: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855232 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package theano [1]. The latest upload to unstable fixes three RC bugs: #848764 (FTBFS), #831540 (FTBFS on i386), and #831541 (FTBFS on s390x). And two important bugs: #835531 (randomly FTBFS), and #855102. The problems have been solved by patches, please see the attached debdiff for details. Thank you, Daniel Stender [1] https://packages.qa.debian.org/t/theano.html unblock theano/0.8.2-6 -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru theano-0.8.2/debian/changelog theano-0.8.2/debian/changelog --- theano-0.8.2/debian/changelog 2016-07-16 18:42:07.0 +0200 +++ theano-0.8.2/debian/changelog 2017-02-15 09:09:46.0 +0100 @@ -1,3 +1,38 @@ +theano (0.8.2-6) unstable; urgency=medium + + * Upload to unstable. + + -- Daniel StenderWed, 15 Feb 2017 09:09:46 +0100 + +theano (0.8.2-6~exp1) experimental; urgency=medium + + * add disable-overly-environment-dependent-test.patch (Closes: #835531). + * add fix-invalid-casts-negative-stride-handling.patch +(Closes: #831541,#855102) [thanks again to Rebecca N. Palmer]. + + -- Daniel Stender Wed, 15 Feb 2017 00:08:13 +0100 + +theano (0.8.2-5) unstable; urgency=medium + + * Upload to unstable. + + -- Daniel Stender Tue, 14 Feb 2017 09:47:30 +0100 + +theano (0.8.2-5~exp1) experimental; urgency=medium + + * add fix-test_fit_int64-for-python3-32bit.patch (Closes: #831540) +[thanks to Rebecca N. Palmer]. + * deb/rules: remove test failsafes completely. + + -- Daniel Stender Mon, 13 Feb 2017 23:53:19 +0100 + +theano (0.8.2-4) unstable; urgency=medium + + * add fixes-for-numpy-1.12.patch (Closes: #848764) [thanks to +Rebecca N. Palmer]. + + -- Daniel Stender Mon, 13 Feb 2017 15:04:06 +0100 + theano (0.8.2-3) unstable; urgency=medium * Upload to unstable. diff -Nru theano-0.8.2/debian/patches/disable-overly-environment-dependent-test.patch theano-0.8.2/debian/patches/disable-overly-environment-dependent-test.patch --- theano-0.8.2/debian/patches/disable-overly-environment-dependent-test.patch 1970-01-01 01:00:00.0 +0100 +++ theano-0.8.2/debian/patches/disable-overly-environment-dependent-test.patch 2017-02-14 23:55:31.0 +0100 @@ -0,0 +1,23 @@ +Description: Disable overly environment-dependent test + Testing speed by wall-clock time is inherently unreliable on a + shared machine such as Debian's buildds: don't let it fail the whole build. +Author: Rebecca N. Palmer +Bug-Debian: https://bugs.debian.org/835531 +Forwarded: not-needed + +diff --git a/theano/sparse/tests/test_basic.py b/theano/sparse/tests/test_basic.py +index 8c183b9..03d79f1 100644 +--- a/theano/sparse/tests/test_basic.py b/theano/sparse/tests/test_basic.py +@@ -1209,8 +1209,8 @@ class test_structureddot(unittest.TestCase): + overhead_tol = 0.002 # seconds + overhead_rtol = 1.1 # times as long + utt.assert_allclose(scipy_result, theano_result) +-if (not theano.config.mode in ["DebugMode", "DEBUG_MODE"] and +-theano.config.cxx): ++ ++if 0:#(not theano.config.mode in ["DebugMode", "DEBUG_MODE"] and theano.config.cxx): + self.assertFalse( + theano_time > overhead_rtol * scipy_time + overhead_tol, + (theano_time, + diff -Nru theano-0.8.2/debian/patches/fixes-for-numpy-1.12.patch theano-0.8.2/debian/patches/fixes-for-numpy-1.12.patch --- theano-0.8.2/debian/patches/fixes-for-numpy-1.12.patch 1970-01-01 01:00:00.0 +0100 +++ theano-0.8.2/debian/patches/fixes-for-numpy-1.12.patch 2017-02-13 14:32:53.0 +0100 @@ -0,0 +1,80 @@
Bug#855138: unblock: swi-prolog/7.2.3+dfsg-6
On 15/02/17 20:48, Lev Lamberov wrote: > Since no package directly depends on swi-prolog-java (packages mentioned > in #855004 depend only on swi-prolog), I guess, it is possible to remove > rdepends only on mips. How can this be done? As I understand, reason to > remove should start with some acronym, listed on Pending Debian Package > removals page [1]. But since I'm not a maintainer of rdepends, not a > member of QA, not a porter, not a stable release manager and so on, I > cannot request removal of rdepends, right? Should I bother rdepends' > maintainers to fill removal requests? I have followed up on the removal bug. Emilio
Re: Rebuilding packages to increase Stretch's PIE coverage
2017-02-15 20:02 GMT+01:00 Niels Thykier: > Bálint Réczey: >> Dear Release Team, >> >> GCC uses PIE by default in unstable and testing but most packages >> which haven't been rebuilt since the transition still ship unprotected >> binaries [1]. >> >> If the Team agrees I suggest rebuilding the packages which would >> benefit from a rebuild. In case this gets a green light I would >> volunteer to perform a test rebuild for each package to see if the >> lintian warning goes away. >> >> Ideally #848129 would be fixed before the rebuild but it seems unlikely >> that it would move forward without Release Team weighing in. I support >> Adrian's suggestion about removing all PIE support from dpkg. >> >> Cheers, >> Balint >> >> [1] https://lintian.debian.org/tags/hardening-no-pie.html >> >> PS: Thanks to Hanno Böck for asking about the current situation and >> triggering this email. :-) >> > > Hi Bálint, > > Thanks for the offer. > > Personally, I am inclined to accept as it means that we migrate to PIE > for these binaries now rather than post-release (e.g. as a part of a > security update or stable update). > > * Do you have a number of affected source packages handy? A very quick estimate would be ~2000-2500 assuming each affected source generate ~2 affected binary packages: $ w3m -dump https://lintian.debian.org/tags/hardening-no-pie.html | grep binary | wc -l 4715 > > * Do you have a plan for finding packages in testing that has not >been rebuilt? (lintian.d.o does not include testing) I think it is doable with some UDD magic which I have to figure out. Help is welcome here. :-) My plan was providing a list for the affected packages in unstable and asking for a rebuild of those. If they have different version in testing and they can't migrate then they are probably too hard to cover in one shot and should be checked individually. Cheers, Balint > > Thanks, > ~Niels > >
Bug#855138: unblock: swi-prolog/7.2.3+dfsg-6
16.02.2017 00:21, Niels Thykier пишет: > Lev Lamberov: >> Hi Niels, >> >> 15.02.2017 22:48, Niels Thykier пишет: >>> To avoid any misunderstandings, #855004 need to be fixed before >>> swi-prolog/7.2.3+dfsg-6 can migrate. You probably already noticed, but >>> the FTP masters have requested a follow up from you. >> >> Does it mean that swi-prolog should be removed from testing in the first >> place and the bug should be closed, or the bug can be closed without >> removing? >> > > It means that swi-prolog/7.2.3+dfsg-6 cannot migrate until the removal > of the mips binaries built by swi-prolog/7.2.3+dfsg-5 (note the version > difference). This is what #855004 is about. Thanks for clarification. I've found information on Excuses page [0] a bit misleading, since it says: "old binaries left on mips: swi-prolog-java (from 7.2.3+dfsg-5) (*but ignoring cruft, so nevermind*)". > The FTP masters have requested that you deal with the reverse > dependencies of the swi-prolog/7.2.3+dfsg-5 on mips. This can be > "remove them from mips as well" or ask them to disable their > "swi-prolog" support on mips (either way should work). Since no package directly depends on swi-prolog-java (packages mentioned in #855004 depend only on swi-prolog), I guess, it is possible to remove rdepends only on mips. How can this be done? As I understand, reason to remove should start with some acronym, listed on Pending Debian Package removals page [1]. But since I'm not a maintainer of rdepends, not a member of QA, not a porter, not a stable release manager and so on, I cannot request removal of rdepends, right? Should I bother rdepends' maintainers to fill removal requests? Cheers, Lev [0] https://qa.debian.org/excuses.php?package=swi-prolog [1] https://ftp-master.debian.org/removals.html signature.asc Description: OpenPGP digital signature
Bug#855138: unblock: swi-prolog/7.2.3+dfsg-6
Lev Lamberov: > Hi Niels, > > 15.02.2017 22:48, Niels Thykier пишет: >> To avoid any misunderstandings, #855004 need to be fixed before >> swi-prolog/7.2.3+dfsg-6 can migrate. You probably already noticed, but >> the FTP masters have requested a follow up from you. > > Does it mean that swi-prolog should be removed from testing in the first > place and the bug should be closed, or the bug can be closed without > removing? > It means that swi-prolog/7.2.3+dfsg-6 cannot migrate until the removal of the mips binaries built by swi-prolog/7.2.3+dfsg-5 (note the version difference). This is what #855004 is about. The FTP masters have requested that you deal with the reverse dependencies of the swi-prolog/7.2.3+dfsg-5 on mips. This can be "remove them from mips as well" or ask them to disable their "swi-prolog" support on mips (either way should work). > If removing is necessary, then what is the procedure to allow removed > rdepends to migrate to testing back? Should I request unblock for them > in this case? > > Thanks! > Lev > Preferably, this is dealt with before swi-prolog is auto-removed from testing. If so, swi-prolog/7.2.3+dfsg-6 will migrate to testing and the RC bug will be closed (in testing). Hope that clarified it for you. Otherwise, let us know what you don't understand. Thanks, ~Niels
Bug#855232: unblock: theano/0.8.2-6
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package theano [1]. The latest upload to unstable fixes three RC bugs: #848764 (FTBFS), #831540 (FTBFS on i386), and #831541 (FTBFS on s390x). And two important bugs: #835531 (randomly FTBFS), and #855102. The problems have been solved by patches, please see the attached debdiff for details. Thank you, Daniel Stender [1] https://packages.qa.debian.org/t/theano.html unblock theano/0.8.2-6 -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru theano-0.8.2/debian/changelog theano-0.8.2/debian/changelog --- theano-0.8.2/debian/changelog 2016-07-16 18:42:07.0 +0200 +++ theano-0.8.2/debian/changelog 2017-02-15 09:09:46.0 +0100 @@ -1,3 +1,38 @@ +theano (0.8.2-6) unstable; urgency=medium + + * Upload to unstable. + + -- Daniel StenderWed, 15 Feb 2017 09:09:46 +0100 + +theano (0.8.2-6~exp1) experimental; urgency=medium + + * add disable-overly-environment-dependent-test.patch (Closes: #835531). + * add fix-invalid-casts-negative-stride-handling.patch +(Closes: #831541,#855102) [thanks again to Rebecca N. Palmer]. + + -- Daniel Stender Wed, 15 Feb 2017 00:08:13 +0100 + +theano (0.8.2-5) unstable; urgency=medium + + * Upload to unstable. + + -- Daniel Stender Tue, 14 Feb 2017 09:47:30 +0100 + +theano (0.8.2-5~exp1) experimental; urgency=medium + + * add fix-test_fit_int64-for-python3-32bit.patch (Closes: #831540) +[thanks to Rebecca N. Palmer]. + * deb/rules: remove test failsafes completely. + + -- Daniel Stender Mon, 13 Feb 2017 23:53:19 +0100 + +theano (0.8.2-4) unstable; urgency=medium + + * add fixes-for-numpy-1.12.patch (Closes: #848764) [thanks to +Rebecca N. Palmer]. + + -- Daniel Stender Mon, 13 Feb 2017 15:04:06 +0100 + theano (0.8.2-3) unstable; urgency=medium * Upload to unstable. diff -Nru theano-0.8.2/debian/patches/disable-overly-environment-dependent-test.patch theano-0.8.2/debian/patches/disable-overly-environment-dependent-test.patch --- theano-0.8.2/debian/patches/disable-overly-environment-dependent-test.patch 1970-01-01 01:00:00.0 +0100 +++ theano-0.8.2/debian/patches/disable-overly-environment-dependent-test.patch 2017-02-14 23:55:31.0 +0100 @@ -0,0 +1,23 @@ +Description: Disable overly environment-dependent test + Testing speed by wall-clock time is inherently unreliable on a + shared machine such as Debian's buildds: don't let it fail the whole build. +Author: Rebecca N. Palmer +Bug-Debian: https://bugs.debian.org/835531 +Forwarded: not-needed + +diff --git a/theano/sparse/tests/test_basic.py b/theano/sparse/tests/test_basic.py +index 8c183b9..03d79f1 100644 +--- a/theano/sparse/tests/test_basic.py b/theano/sparse/tests/test_basic.py +@@ -1209,8 +1209,8 @@ class test_structureddot(unittest.TestCase): + overhead_tol = 0.002 # seconds + overhead_rtol = 1.1 # times as long + utt.assert_allclose(scipy_result, theano_result) +-if (not theano.config.mode in ["DebugMode", "DEBUG_MODE"] and +-theano.config.cxx): ++ ++if 0:#(not theano.config.mode in ["DebugMode", "DEBUG_MODE"] and theano.config.cxx): + self.assertFalse( + theano_time > overhead_rtol * scipy_time + overhead_tol, + (theano_time, + diff -Nru theano-0.8.2/debian/patches/fixes-for-numpy-1.12.patch theano-0.8.2/debian/patches/fixes-for-numpy-1.12.patch --- theano-0.8.2/debian/patches/fixes-for-numpy-1.12.patch 1970-01-01 01:00:00.0 +0100 +++ theano-0.8.2/debian/patches/fixes-for-numpy-1.12.patch 2017-02-13 14:32:53.0 +0100 @@ -0,0 +1,80 @@ +Description: fix tests for Numpy 1.12 + Collected fixes for passing Theano 0.8.2 tests with Numpy 1.12. Partly taken + from upstream repo, plus changes by Rebecca Palmer. +Bug: https://github.com/Theano/Theano/issues/5396 +Bug-Debian: https://bugs.debian.org/848764 +Origin: https://github.com/Theano/Theano/commit/e8e01f4 +Author: Rebecca N. Palmer + +--- a/theano/sparse/tests/test_sp2.py b/theano/sparse/tests/test_sp2.py +@@ -61,7 +61,7 @@ + + + class BinomialTester(utt.InferShapeTester): +-n = tensor.scalar() ++n = tensor.scalar(dtype='int64') + p = tensor.scalar() + shape = tensor.lvector() + _n = 5 +--- a/theano/tensor/tests/test_elemwise.py b/theano/tensor/tests/test_elemwise.py +@@ -414,7 +414,11 @@ + zv = numpy.bitwise_or.reduce(zv, axis) +
Re: Rebuilding packages to increase Stretch's PIE coverage
Bálint Réczey: > Dear Release Team, > > GCC uses PIE by default in unstable and testing but most packages > which haven't been rebuilt since the transition still ship unprotected > binaries [1]. > > If the Team agrees I suggest rebuilding the packages which would > benefit from a rebuild. In case this gets a green light I would > volunteer to perform a test rebuild for each package to see if the > lintian warning goes away. > > Ideally #848129 would be fixed before the rebuild but it seems unlikely > that it would move forward without Release Team weighing in. I support > Adrian's suggestion about removing all PIE support from dpkg. > > Cheers, > Balint > > [1] https://lintian.debian.org/tags/hardening-no-pie.html > > PS: Thanks to Hanno Böck for asking about the current situation and > triggering this email. :-) > Hi Bálint, Thanks for the offer. Personally, I am inclined to accept as it means that we migrate to PIE for these binaries now rather than post-release (e.g. as a part of a security update or stable update). * Do you have a number of affected source packages handy? * Do you have a plan for finding packages in testing that has not been rebuilt? (lintian.d.o does not include testing) Thanks, ~Niels
Bug#855138: unblock: swi-prolog/7.2.3+dfsg-6
Hi Niels, 15.02.2017 22:48, Niels Thykier пишет: > To avoid any misunderstandings, #855004 need to be fixed before > swi-prolog/7.2.3+dfsg-6 can migrate. You probably already noticed, but > the FTP masters have requested a follow up from you. Does it mean that swi-prolog should be removed from testing in the first place and the bug should be closed, or the bug can be closed without removing? If removing is necessary, then what is the procedure to allow removed rdepends to migrate to testing back? Should I request unblock for them in this case? Thanks! Lev signature.asc Description: OpenPGP digital signature
Bug#855229: unblock: LDC and rdeps
Package: release.debian.org User: release.debian@packages.debian.org Usertags: unblock Severity: normal Please unblock LDC 1:1.1.0+r-1 and its reverse-dependencies. This would bring the LLVM D Compiler to its final version and replace the beta version currently in Stretch. It will also completely fix bug #850958 which made LDC not work at all on ppc64el. The bug also prevented a couple of packages depending on LDC from migrating to Stretch in-time, it would be great if those could be unblocked as well, as each of them also resolves issues. A list of rdeps which would need unblocking can be found below. All packages have successfully been built on ppc64el. Thank you for considering this! Kind regards, Matthias unblock ldc/1:1.1.0+r-1 unblock mustache-d/0.1.3-1 unblock gtk-d/3.5.1-1 unblock terminix/1.4.2-3
Re: Various unblock-udebs
Emilio Pozuelo Monfort: > On 14/02/17 03:48, Cyril Brulebois wrote: >> Hello, >> >> Emilio asked me on IRC to have a look at a bunch of packages which both >> have block-udeb and RC bug fixes. Here's a list with comments, I'm OK >> with unblock-udeb'ing most of them (which doesn't mean you shouldn't >> review as usual for the unblock part), except hw-detect and wpa, which >> have commented out unblock-udeb lines. > > Thanks. I'll review them in the evening if noone beats me to it. > >> [...] > > Cheers, > Emilio > I beat you to it! :D Thanks, ~Niels
Bug#855216: unblock: singularity-container/2.2-2
Yaroslav Halchenko: > [...] > > Thank you! > No problem :) > Is there a chance to kick-force it to migrate before 10day waiting > period ends due to security related aspect? it is on 5th day ATM > Already included :) """ $ hint grep singularity-container ==> nthykier #2017-02-15 # #855216 age-days 5 singularity-container/2.2-2 unblock singularity-container/2.2-2 nthykier@respighi:~$ """ ~Niels
Bug#855138: Re: Bug#855138: unblock: swi-prolog/7.2.3+dfsg-6
Niels Thykier: > [...] >> >> [...] > > Unblocked, thanks. > > ~Niels > Hi Lev, To avoid any misunderstandings, #855004 need to be fixed before swi-prolog/7.2.3+dfsg-6 can migrate. You probably already noticed, but the FTP masters have requested a follow up from you. Thanks, ~Niels
Bug#855184: marked as done (unblock: mlt/6.4.1-2)
Your message dated Wed, 15 Feb 2017 17:46:00 + with message-id <1129be49-f969-a1cb-89a9-51f9b9617...@thykier.net> and subject line Re: Bug#855184: unblock: mlt/6.4.1-2 has caused the Debian Bug report #855184, regarding unblock: mlt/6.4.1-2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 855184: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855184 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package mlt It adds two upstream patches to fix crashes of kdenlive/mlt. diff --git a/debian/changelog b/debian/changelog index f423448..378dc92 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +mlt (6.4.1-2) unstable; urgency=low + + * Add upstream patch 01-crash-affine to fix a crash in affine due to relaxed +constraints. + * Add upstream patch 02-crash-clipinfo-update to fix a crash in kdenlive when +a clip has no resource. + + -- Patrick MatthäiTue, 07 Feb 2017 13:13:57 +0100 + mlt (6.4.1-1) unstable; urgency=medium * New upstream release. diff --git a/debian/patches/01-crash-affine.diff b/debian/patches/01-crash-affine.diff new file mode 100644 index 000..ba13782 --- /dev/null +++ b/debian/patches/01-crash-affine.diff @@ -0,0 +1,40 @@ +commit ab626f7543e0498e3ca3842ba69ad2f2e66ce227 +Author: Dan Dennedy +Date: Sun Jan 29 00:43:28 2017 -0800 + +Fix crash in affine due to relaxed constraints. + +diff --git a/src/modules/plus/transition_affine.c b/src/modules/plus/transition_affine.c +index 8c8820e..91607fd 100644 +--- a/src/modules/plus/transition_affine.c b/src/modules/plus/transition_affine.c +@@ -1,6 +1,6 @@ + /* + * transition_affine.c -- affine transformations +- * Copyright (C) 2003-2016 Meltytech, LLC ++ * Copyright (C) 2003-2017 Meltytech, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public +@@ -552,8 +552,8 @@ static int transition_get_image( mlt_frame a_frame, uint8_t **image, mlt_image_f + + // Affine boundaries + float minima = 0; +- float xmax = b_width; +- float ymax = b_height; ++ float xmax = b_width - 1; ++ float ymax = b_height - 1; + + // Set the interpolation function + if ( interps == NULL || strcmp( interps, "nearest" ) == 0 || strcmp( interps, "neighbor" ) == 0 || strcmp( interps, "tiles" ) == 0 || strcmp( interps, "fast_bilinear" ) == 0 ) +@@ -567,9 +567,7 @@ static int transition_get_image( mlt_frame a_frame, uint8_t **image, mlt_image_f + else if ( strcmp( interps, "bilinear" ) == 0 ) + { + interp = interpBL_b32; +- // uses floorf. Values should be >= 0 and < max + 1. +- xmax += 0.99; +- ymax += 0.99; ++ // uses floorf. + } + else if ( strcmp( interps, "bicubic" ) == 0 || strcmp( interps, "hyper" ) == 0 || strcmp( interps, "sinc" ) == 0 || strcmp( interps, "lanczos" ) == 0 || strcmp( interps, "spline" ) == 0 ) + { diff --git a/debian/patches/02-crash-clipinfo-update.diff b/debian/patches/02-crash-clipinfo-update.diff new file mode 100644 index 000..3a89684 --- /dev/null +++ b/debian/patches/02-crash-clipinfo-update.diff @@ -0,0 +1,19 @@ +commit bf2749ab998446f13ba20c8cbc33a8c4d1c36963 +Author: Jean-Baptiste Mardelle +Date: Sun Feb 5 22:54:50 2017 +0100 + +Fix crash in ClipInfo::update method when clip has no resource + +diff --git a/src/mlt++/MltPlaylist.cpp b/src/mlt++/MltPlaylist.cpp +index 5676060..111d3f5 100644 +--- a/src/mlt++/MltPlaylist.cpp b/src/mlt++/MltPlaylist.cpp +@@ -71,7 +71,7 @@ void ClipInfo::update( mlt_playlist_clip_info *info ) + producer = new Producer( info->producer ); + cut = new Producer( info->cut ); + start = info->start; +- resource = strdup( info->resource ); ++ resource = info->resource ? strdup( info->resource ) : 0; + frame_in = info->frame_in; + frame_out = info->frame_out; + frame_count = info->frame_count; diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..5a09da5 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,2 @@ +01-crash-affine.diff +02-crash-clipinfo-update.diff unblock mlt/6.4.1-2 -- System
Bug#855185: marked as done (unblock: kdenlive/16.12.1-3)
Your message dated Wed, 15 Feb 2017 17:44:00 + with message-idand subject line Re: Bug#855185: unblock: kdenlive/16.12.1-3 has caused the Debian Bug report #855185, regarding unblock: kdenlive/16.12.1-3 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 855185: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855185 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Hello, please unblock kdenlive 16.12.1-3. It adds eleven upstream patches to fix regressions with nvidia cards and various other bugs. On the other side I would like to ask if I get a pre-approval for uploading kdenlive 16.12.2 (KDE Applications upgrade) to unstable/testing, which includes nearly all of those eleven patches. It is nearly only a bugfix release. diff -Naur '--exclude=.svn' 16.12.1-1/debian/changelog 16.12.1-3/debian/changelog --- 16.12.1-1/debian/changelog 2017-01-17 16:07:03.280587938 +0100 +++ 16.12.1-3/debian/changelog 2017-02-07 13:57:52.242304197 +0100 @@ -1,3 +1,33 @@ +kdenlive (16.12.1-3) unstable; urgency=low + + * Add upstream patch 08-title-clip-select-twice: +Fix title clip items need to be selected twice before allowing move. + * Add upstream patch 09-aspect-transparency-issues: +Fix various aspect ratio issues and transparency of composite transition in +some cases. + * Add upstream patch 10-crash-razor-multiple-clips: +Fix crash on razor with multiple clips selected. + * Add upstream patch 11-project-archiving-fix: +Fix color clips incorrectly detected and warn before overwriting project +file. + + -- Patrick Matthäi Tue, 07 Feb 2017 13:23:05 +0100 + +kdenlive (16.12.1-2) unstable; urgency=low + + * Add this upstream patches, to fix some minor bugs and crashes, if you are +using a nvidia card with movit. +- 01-nvidia-crash-375094. + Closes: #853768 +- 02-nvidia-crash-movit-1. +- 03-frame-extract-remember-folder. +- 04-playlist-clip-expand. +- 05-monitor-length-375163. +- 06-playaction-not-pausing. +- 07-nvidia-crash-movit-2. + + -- Patrick Matthäi Wed, 01 Feb 2017 11:16:36 +0100 + kdenlive (16.12.1-1) unstable; urgency=low * New upstream release. diff -Naur '--exclude=.svn' 16.12.1-1/debian/patches/01-nvidia-crash-375094.diff 16.12.1-3/debian/patches/01-nvidia-crash-375094.diff --- 16.12.1-1/debian/patches/01-nvidia-crash-375094.diff1970-01-01 01:00:00.0 +0100 +++ 16.12.1-3/debian/patches/01-nvidia-crash-375094.diff2017-02-07 13:57:52.310303805 +0100 @@ -0,0 +1,55 @@ +commit 8a20fca86e9e2ce3d04b3e024b0752e19f9d8c8e +Author: Jean-Baptiste Mardelle +Date: Mon Jan 16 20:06:00 2017 +0100 + +Revert "Fix warning about QOffscreenSurface thread" +Caused startup crash on NVidia cards +CCBUG: 375094 + +This reverts commit 6675c4a509046aa3b57c60cbc3f31435e09c2df7. + +diff --git a/src/monitor/glwidget.cpp b/src/monitor/glwidget.cpp +index e4089e6..cd4f56a 100644 +--- a/src/monitor/glwidget.cpp b/src/monitor/glwidget.cpp +@@ -109,7 +109,6 @@ GLWidget::GLWidget(int id, QObject *parent) + mlt_properties_set_data(mlt_global_properties(), "glslManager", NULL, 0, NULL, NULL); + emit gpuNotSupported(); + } +-connect(this, SIGNAL(sceneGraphInitialized()), SLOT(createOffscreen())); + connect(this, SIGNAL(sceneGraphInitialized()), SLOT(initializeGL()), Qt::DirectConnection); + connect(this, SIGNAL(beforeRendering()), SLOT(paintGL()), Qt::DirectConnection); + } +@@ -143,17 +142,14 @@ void GLWidget::updateAudioForAnalysis() + m_frameRenderer->sendAudioForAnalysis = KdenliveSettings::monitor_audio(); + } + +-void GLWidget::createOffscreen() ++void GLWidget::initializeGL() + { ++if (m_isInitialized || !isVisible() || !openglContext()) return; + if (!m_offscreenSurface.isValid()) { + m_offscreenSurface.setFormat(openglContext()->format()); + m_offscreenSurface.create(); ++openglContext()->makeCurrent(this); + } +-} +- +-void GLWidget::initializeGL() +-{ +-if (m_isInitialized || !isVisible() || !openglContext()) return; + initializeOpenGLFunctions(); + qDebug() << "OpenGL vendor: " << QString::fromUtf8((const char*) glGetString(GL_VENDOR)); + qDebug() << "OpenGL renderer: " << QString::fromUtf8((const char*) glGetString(GL_RENDERER)); +diff --git a/src/monitor/glwidget.h
Bug#855114: marked as done (unblock (pre-approval): nginx/1.10.3-1)
Your message dated Wed, 15 Feb 2017 17:35:00 + with message-id <6efa1f4c-1396-b2fc-f477-dfad4df91...@thykier.net> and subject line Re: Bug#855114: unblock (pre-approval): nginx/1.10.3-1 has caused the Debian Bug report #855114, regarding unblock (pre-approval): nginx/1.10.3-1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 855114: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855114 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock *I have not yet uploaded to unstable*, and I am asking for pre-approval to upload 1.10.3-1. 1.10.3-1 will only include the new upstream release (1.10.2 -> 1.10.3) and no packaging changes. Nginx 1.10.3 is a stable bugfix release that handles 8 bugfixes including a segmentation fault. Relevant bug report: https://bugs.debian.org/855113 Changelog: https://nginx.org/en/CHANGES-1.10 Diff: https://github.com/nginx/nginx/compare/release-1.10.2...release-1.10.3 Thank you! --- End Message --- --- Begin Message --- Christos Trochalakis: > On Tue, Feb 14, 2017 at 05:12:00PM +, Niels Thykier wrote: >> Control: tags -1 confirmed >> >> [...] > > Thanks, I have uploaded nginx-1.10.3-1 to unstable. > > I took the liberty to also piggyback a change to our VCS location in > d/control: > > [...] Fair enough. :) Unblocked. Thanks, ~Niels--- End Message ---
Bug#855216: marked as done (unblock: singularity-container/2.2-2)
Your message dated Wed, 15 Feb 2017 17:17:00 + with message-id <3bb44dcd-57ee-6ab8-1be1-f686f20ba...@thykier.net> and subject line Re: Bug#855216: unblock: singularity-container/2.2-2 has caused the Debian Bug report #855216, regarding unblock: singularity-container/2.2-2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 855216: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855216 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package singularity-container 2.2 release contained a vulnerability described in detail upstream https://github.com/singularityware/singularity/releases/tag/2.2.1 : In versions of Singularity previous to 2.2.1, it was possible for a malicious user to create and manipulate specifically crafted raw devices within containers they own. Utilizing MS_NODEV as a container image mount option mitigates this potential vector of attack. As a result, this update should be implemented with high urgency. A big thanks to Mattias Wadenstein (@UMU in Sweden) for identifying and reporting this issue! 2.2-2 (debdiff attached) was prepared in collaboration with upstream to cover that vulnerability and address few other possibly security related (snprintf) and functionality related issues. security@d.o was provided with debdiff and no negative opinions were expressed. unblock singularity-container/2.2-2 -- System Information: Debian Release: 9.0 APT prefers testing APT policy: (900, 'testing'), (600, 'unstable'), (300, 'experimental'), (100, 'unstable-debug') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru singularity-container-2.2/debian/changelog singularity-container-2.2/debian/changelog --- singularity-container-2.2/debian/changelog 2016-11-30 12:33:01.0 -0500 +++ singularity-container-2.2/debian/changelog 2017-02-09 16:27:55.0 -0500 @@ -1,3 +1,24 @@ +singularity-container (2.2-2) unstable; urgency=high + + * debian/patches - picks up from upcoming 2.2.1 release +critical functionality and possibly security-related fixes +- changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff + to support mounting ext4 formatted images read-only +- changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff + to utilize mount option MS_NODEV for images + (fixes potential security implications) +- changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff + to fix bootstrapping ran as root (thus no MS_NODEV restriction + from above patch should be applied) +- changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff + exit with error if snprintf would have went out of bounds +- changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff + changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff + changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff + Various obvious fixes (updated URLs, apt --force-yes) + + -- Yaroslav HalchenkoThu, 09 Feb 2017 16:27:55 -0500 + singularity-container (2.2-1) unstable; urgency=medium [ Mehdi Dogguy ] diff -Nru singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff --- singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff 1969-12-31 19:00:00.0 -0500 +++ singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff 2017-02-09 16:27:55.0 -0500 @@ -0,0 +1,21 @@ +From: Gregory M. Kurtzer +Subject: Use --force-yes + +--- a/examples/debian.def b/examples/debian.def +@@ -16,5 +16,5 @@ MirrorURL: http://ftp.us.debian.org/debi + %post + echo "Hello from inside the container" + apt-get update +-apt-get -y install vim ++apt-get -y --force-yes install vim + +--- a/examples/ubuntu.def b/examples/ubuntu.def +@@ -16,5 +16,5 @@ MirrorURL: http://us.archive.ubuntu.com/ + %post + echo "Hello from inside the container" + sed -i 's/$/ universe/' /etc/apt/sources.list +-apt-get -y install vim ++apt-get -y --force-yes install vim + diff -Nru
Processed: petsc / openmpi
Processing commands for cont...@bugs.debian.org: > block 854905 by 855217 Bug #854905 [release.debian.org] nmu: petsc_3.7.5+dfsg1-4 Bug #855204 [release.debian.org] libpetsc3.7.5-dev: uninstallable - Depends: libopenmpi-dev (< 2.0.2~git.20161226) 854905 was not blocked by any bugs. 854905 was not blocking any bugs. Added blocking bug(s) of 854905: 855217 855204 was not blocked by any bugs. 855204 was not blocking any bugs. Added blocking bug(s) of 855204: 855217 > thanks Stopping processing here. Please contact me if you need assistance. -- 854905: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854905 855204: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855204 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#855216: unblock: singularity-container/2.2-2
Dear Release Managers, the Security Team has reviewed the diff related to this security problem, and we support the unblock request. Cheers, --Seb
Bug#855204: libpetsc3.7.5-dev: uninstallable - Depends: libopenmpi-dev (< 2.0.2~git.20161226)
On Wed, 15 Feb 2017 23:40:57 +0800 Drew Parsonswrote: > > the Affecting Bug shows up neither on the src:petsc > overview on bugs.debian.org, nor in reportbug (for libpetsc3.7.5- > dev). > I'll file a bug (or 2 bugs). > In fact already reported. #544812 against reportbug #636689 against bugs.debian.org
Rebuilding packages to increase Stretch's PIE coverage
Dear Release Team, GCC uses PIE by default in unstable and testing but most packages which haven't been rebuilt since the transition still ship unprotected binaries [1]. If the Team agrees I suggest rebuilding the packages which would benefit from a rebuild. In case this gets a green light I would volunteer to perform a test rebuild for each package to see if the lintian warning goes away. Ideally #848129 would be fixed before the rebuild but it seems unlikely that it would move forward without Release Team weighing in. I support Adrian's suggestion about removing all PIE support from dpkg. Cheers, Balint [1] https://lintian.debian.org/tags/hardening-no-pie.html PS: Thanks to Hanno Böck for asking about the current situation and triggering this email. :-)
Bug#855204: libpetsc3.7.5-dev: uninstallable - Depends: libopenmpi-dev (< 2.0.2~git.20161226)
On Wed, 15 Feb 2017 13:45:41 + James Cowgillwrote: > > > > Please look for already reported bugs before reporting new ones (there > > is an "affect" so it is in libpetsc3.7.5-dev bugs list). > > Well I did check petsc (not release.debian.org), but affects on binary > packages don't actually show up on the main bugs page - #636689 > James is right, the Affecting Bug shows up neither on the src:petsc overview on bugs.debian.org, nor in reportbug (for libpetsc3.7.5-dev). I'll file a bug (or 2 bugs). Drew
Bug#855216: unblock: singularity-container/2.2-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package singularity-container 2.2 release contained a vulnerability described in detail upstream https://github.com/singularityware/singularity/releases/tag/2.2.1 : In versions of Singularity previous to 2.2.1, it was possible for a malicious user to create and manipulate specifically crafted raw devices within containers they own. Utilizing MS_NODEV as a container image mount option mitigates this potential vector of attack. As a result, this update should be implemented with high urgency. A big thanks to Mattias Wadenstein (@UMU in Sweden) for identifying and reporting this issue! 2.2-2 (debdiff attached) was prepared in collaboration with upstream to cover that vulnerability and address few other possibly security related (snprintf) and functionality related issues. security@d.o was provided with debdiff and no negative opinions were expressed. unblock singularity-container/2.2-2 -- System Information: Debian Release: 9.0 APT prefers testing APT policy: (900, 'testing'), (600, 'unstable'), (300, 'experimental'), (100, 'unstable-debug') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru singularity-container-2.2/debian/changelog singularity-container-2.2/debian/changelog --- singularity-container-2.2/debian/changelog 2016-11-30 12:33:01.0 -0500 +++ singularity-container-2.2/debian/changelog 2017-02-09 16:27:55.0 -0500 @@ -1,3 +1,24 @@ +singularity-container (2.2-2) unstable; urgency=high + + * debian/patches - picks up from upcoming 2.2.1 release +critical functionality and possibly security-related fixes +- changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff + to support mounting ext4 formatted images read-only +- changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff + to utilize mount option MS_NODEV for images + (fixes potential security implications) +- changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff + to fix bootstrapping ran as root (thus no MS_NODEV restriction + from above patch should be applied) +- changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff + exit with error if snprintf would have went out of bounds +- changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff + changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff + changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff + Various obvious fixes (updated URLs, apt --force-yes) + + -- Yaroslav HalchenkoThu, 09 Feb 2017 16:27:55 -0500 + singularity-container (2.2-1) unstable; urgency=medium [ Mehdi Dogguy ] diff -Nru singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff --- singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff 1969-12-31 19:00:00.0 -0500 +++ singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff 2017-02-09 16:27:55.0 -0500 @@ -0,0 +1,21 @@ +From: Gregory M. Kurtzer +Subject: Use --force-yes + +--- a/examples/debian.def b/examples/debian.def +@@ -16,5 +16,5 @@ MirrorURL: http://ftp.us.debian.org/debi + %post + echo "Hello from inside the container" + apt-get update +-apt-get -y install vim ++apt-get -y --force-yes install vim + +--- a/examples/ubuntu.def b/examples/ubuntu.def +@@ -16,5 +16,5 @@ MirrorURL: http://us.archive.ubuntu.com/ + %post + echo "Hello from inside the container" + sed -i 's/$/ universe/' /etc/apt/sources.list +-apt-get -y install vim ++apt-get -y --force-yes install vim + diff -Nru singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff --- singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff 1969-12-31 19:00:00.0 -0500 +++ singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff 2017-02-09 16:27:55.0 -0500 @@ -0,0 +1,14 @@ +From: Nekel-Seyew +Subject: added an ERRNO==ENOENT clause + +--- a/src/lib/file/group/group.c b/src/lib/file/group/group.c +@@ -139,7 +139,7 @@ int singularity_file_group(void) { + singularity_message(VERBOSE3, "Found supplementary group membership in: %d\n", gids[i]); + singularity_message(VERBOSE2, "Adding user's supplementary group ('%s') info to template group file\n",
Bug#855217: unblock: openmpi/2.0.2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package openmpi to fix RC bug #848574 Openmpi 2.0.2 was released just as Stretch was being frozen. The package in testing, 2.0.2~git.20161225 was packaged to get relevant (2.0.2) changes into Stretch, but unfortuanatelt contained a significant bug on mips64el release architecture that was not caught before transition. debdiff too large to be useful. unblock openmpi/2.0.2-2 -- System Information: Debian Release: 9.0 APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Kernel: Linux 4.9.0-1-686-pae (SMP w/1 CPU core) Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_IE.UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
Bug#855214: unblock: asterisk/1:13.14.0~dfsg-1 (pre-approval)
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Hi, I would like to request permission to update Asterisk in Stretch to a new upstream release (13.13.2 to 13.14.0). This version has mostly bugfixes but only very minor new features. Unfortunately a couple of bugs have surfaced that make Asterisk in Stretch close to unusable in certain configurations. They are priority important right now but are borderline RC for some system configurations Bug#853792: Asterisk does not work at all on systems without IPv6. Only viable workaround is to enable IPv6 Bug#855014: The chan_pjsip driver has a broken codec selection that leads to asymetric codecs being negotiated with the endpoint, leading to one-way audio. The only viable workaround is to limit codecs on the phone to just one codec. Both commits could be backported, but this would make it harder to support during the lifetime of Stretch. Additionally there are a tons of other fixes in this version that sound good-to-have in Stretch (memory leaks etc.). Additionally it would allow us to drop two patches that have been included upstream and our OpenSSL 1.1.0 support would be much closer to upstream (we cannot drop all patches because something is still missing, but all remaining patches are already queued in upstreams CI for merging). There are no changes in packaging besides debian/patches. The package is currently in experimental as asterisk/1:13.14.0~dfsg-1~exp1. I'm asking for approval for upload to unstable. Bernhard
Bug#855114: unblock (pre-approval): nginx/1.10.3-1
On Tue, Feb 14, 2017 at 05:12:00PM +, Niels Thykier wrote: Control: tags -1 confirmed Christos Trochalakis: Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock *I have not yet uploaded to unstable*, and I am asking for pre-approval to upload 1.10.3-1. 1.10.3-1 will only include the new upstream release (1.10.2 -> 1.10.3) and no packaging changes. Nginx 1.10.3 is a stable bugfix release that handles 8 bugfixes including a segmentation fault. Relevant bug report: https://bugs.debian.org/855113 Changelog: https://nginx.org/en/CHANGES-1.10 Diff: https://github.com/nginx/nginx/compare/release-1.10.2...release-1.10.3 Thank you! Ok, please go ahead and upload that to unstable (I assuming there are not changes to the debian/ beyond on the d/changelog). Thanks, ~Niels Thanks, I have uploaded nginx-1.10.3-1 to unstable. I took the liberty to also piggyback a change to our VCS location in d/control: nginx-1.10.2/debian/control nginx-1.10.3/debian/control --- nginx-1.10.2/debian/control 2017-01-22 12:19:30.0 +0200 +++ nginx-1.10.3/debian/control 2017-02-15 09:58:13.0 +0200 @@ -27,8 +27,8 @@ zlib1g-dev Standards-Version: 3.9.8.0 Homepage: http://nginx.net -Vcs-Git: https://anonscm.debian.org/cgit/collab-maint/nginx.git -Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/nginx.git +Vcs-Git: https://anonscm.debian.org/cgit/pkg-nginx/nginx.git +Vcs-Browser: https://anonscm.debian.org/cgit/pkg-nginx/nginx.git
Bug#855204: libpetsc3.7.5-dev: uninstallable - Depends: libopenmpi-dev (< 2.0.2~git.20161226)
On 15/02/17 13:41, Mattia Rizzolo wrote: > Control: reassign -1 release.debian.org > Control: forcemerge 854905 -1 > > On Wed, Feb 15, 2017 at 01:09:16PM +, James Cowgill wrote: >> Package: libpetsc3.7.5-dev >> Version: 3.7.5+dfsg1-3 >> Severity: serious >> Tags: sid stretch > > Please look for already reported bugs before reporting new ones (there > is an "affect" so it is in libpetsc3.7.5-dev bugs list). Well I did check petsc (not release.debian.org), but affects on binary packages don't actually show up on the main bugs page - #636689 James signature.asc Description: OpenPGP digital signature
Processed: Re: Bug#855204: libpetsc3.7.5-dev: uninstallable - Depends: libopenmpi-dev (< 2.0.2~git.20161226)
Processing control commands: > reassign -1 release.debian.org Bug #855204 [libpetsc3.7.5-dev] libpetsc3.7.5-dev: uninstallable - Depends: libopenmpi-dev (< 2.0.2~git.20161226) Bug reassigned from package 'libpetsc3.7.5-dev' to 'release.debian.org'. No longer marked as found in versions petsc/3.7.5+dfsg1-3. Ignoring request to alter fixed versions of bug #855204 to the same values previously set > forcemerge 854905 -1 Bug #854905 [release.debian.org] nmu: petsc_3.7.5+dfsg1-4 Bug #854905 [release.debian.org] nmu: petsc_3.7.5+dfsg1-4 Added tag(s) stretch and sid. Bug #855204 [release.debian.org] libpetsc3.7.5-dev: uninstallable - Depends: libopenmpi-dev (< 2.0.2~git.20161226) Severity set to 'normal' from 'serious' Added indication that 855204 affects libpetsc3.7.5-dev Merged 854905 855204 -- 854905: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854905 855204: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855204 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#855185: unblock: kdenlive/16.12.1-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Hello, please unblock kdenlive 16.12.1-3. It adds eleven upstream patches to fix regressions with nvidia cards and various other bugs. On the other side I would like to ask if I get a pre-approval for uploading kdenlive 16.12.2 (KDE Applications upgrade) to unstable/testing, which includes nearly all of those eleven patches. It is nearly only a bugfix release. diff -Naur '--exclude=.svn' 16.12.1-1/debian/changelog 16.12.1-3/debian/changelog --- 16.12.1-1/debian/changelog 2017-01-17 16:07:03.280587938 +0100 +++ 16.12.1-3/debian/changelog 2017-02-07 13:57:52.242304197 +0100 @@ -1,3 +1,33 @@ +kdenlive (16.12.1-3) unstable; urgency=low + + * Add upstream patch 08-title-clip-select-twice: +Fix title clip items need to be selected twice before allowing move. + * Add upstream patch 09-aspect-transparency-issues: +Fix various aspect ratio issues and transparency of composite transition in +some cases. + * Add upstream patch 10-crash-razor-multiple-clips: +Fix crash on razor with multiple clips selected. + * Add upstream patch 11-project-archiving-fix: +Fix color clips incorrectly detected and warn before overwriting project +file. + + -- Patrick MatthäiTue, 07 Feb 2017 13:23:05 +0100 + +kdenlive (16.12.1-2) unstable; urgency=low + + * Add this upstream patches, to fix some minor bugs and crashes, if you are +using a nvidia card with movit. +- 01-nvidia-crash-375094. + Closes: #853768 +- 02-nvidia-crash-movit-1. +- 03-frame-extract-remember-folder. +- 04-playlist-clip-expand. +- 05-monitor-length-375163. +- 06-playaction-not-pausing. +- 07-nvidia-crash-movit-2. + + -- Patrick Matthäi Wed, 01 Feb 2017 11:16:36 +0100 + kdenlive (16.12.1-1) unstable; urgency=low * New upstream release. diff -Naur '--exclude=.svn' 16.12.1-1/debian/patches/01-nvidia-crash-375094.diff 16.12.1-3/debian/patches/01-nvidia-crash-375094.diff --- 16.12.1-1/debian/patches/01-nvidia-crash-375094.diff1970-01-01 01:00:00.0 +0100 +++ 16.12.1-3/debian/patches/01-nvidia-crash-375094.diff2017-02-07 13:57:52.310303805 +0100 @@ -0,0 +1,55 @@ +commit 8a20fca86e9e2ce3d04b3e024b0752e19f9d8c8e +Author: Jean-Baptiste Mardelle +Date: Mon Jan 16 20:06:00 2017 +0100 + +Revert "Fix warning about QOffscreenSurface thread" +Caused startup crash on NVidia cards +CCBUG: 375094 + +This reverts commit 6675c4a509046aa3b57c60cbc3f31435e09c2df7. + +diff --git a/src/monitor/glwidget.cpp b/src/monitor/glwidget.cpp +index e4089e6..cd4f56a 100644 +--- a/src/monitor/glwidget.cpp b/src/monitor/glwidget.cpp +@@ -109,7 +109,6 @@ GLWidget::GLWidget(int id, QObject *parent) + mlt_properties_set_data(mlt_global_properties(), "glslManager", NULL, 0, NULL, NULL); + emit gpuNotSupported(); + } +-connect(this, SIGNAL(sceneGraphInitialized()), SLOT(createOffscreen())); + connect(this, SIGNAL(sceneGraphInitialized()), SLOT(initializeGL()), Qt::DirectConnection); + connect(this, SIGNAL(beforeRendering()), SLOT(paintGL()), Qt::DirectConnection); + } +@@ -143,17 +142,14 @@ void GLWidget::updateAudioForAnalysis() + m_frameRenderer->sendAudioForAnalysis = KdenliveSettings::monitor_audio(); + } + +-void GLWidget::createOffscreen() ++void GLWidget::initializeGL() + { ++if (m_isInitialized || !isVisible() || !openglContext()) return; + if (!m_offscreenSurface.isValid()) { + m_offscreenSurface.setFormat(openglContext()->format()); + m_offscreenSurface.create(); ++openglContext()->makeCurrent(this); + } +-} +- +-void GLWidget::initializeGL() +-{ +-if (m_isInitialized || !isVisible() || !openglContext()) return; + initializeOpenGLFunctions(); + qDebug() << "OpenGL vendor: " << QString::fromUtf8((const char*) glGetString(GL_VENDOR)); + qDebug() << "OpenGL renderer: " << QString::fromUtf8((const char*) glGetString(GL_RENDERER)); +diff --git a/src/monitor/glwidget.h b/src/monitor/glwidget.h +index dc1e0e2..d12500a 100644 +--- a/src/monitor/glwidget.h b/src/monitor/glwidget.h +@@ -182,7 +182,6 @@ private slots: + void updateTexture(GLuint yName, GLuint uName, GLuint vName); + void paintGL(); + void onFrameDisplayed(const SharedFrame ); +-void createOffscreen(); + + protected: + void resizeEvent(QResizeEvent* event); diff -Naur '--exclude=.svn' 16.12.1-1/debian/patches/02-nvidia-crash-movit-1.diff 16.12.1-3/debian/patches/02-nvidia-crash-movit-1.diff --- 16.12.1-1/debian/patches/02-nvidia-crash-movit-1.diff 1970-01-01 01:00:00.0 +0100 +++ 16.12.1-3/debian/patches/02-nvidia-crash-movit-1.diff 2017-02-07 13:57:52.250304150 +0100 @@ -0,0 +1,44 @@ +commit 754b8eeed8c1a874a5535eb5136b02841a812180 +Author: Jean-Baptiste Mardelle +Date: Fri Jan
Bug#855184: unblock: mlt/6.4.1-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package mlt It adds two upstream patches to fix crashes of kdenlive/mlt. diff --git a/debian/changelog b/debian/changelog index f423448..378dc92 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +mlt (6.4.1-2) unstable; urgency=low + + * Add upstream patch 01-crash-affine to fix a crash in affine due to relaxed +constraints. + * Add upstream patch 02-crash-clipinfo-update to fix a crash in kdenlive when +a clip has no resource. + + -- Patrick MatthäiTue, 07 Feb 2017 13:13:57 +0100 + mlt (6.4.1-1) unstable; urgency=medium * New upstream release. diff --git a/debian/patches/01-crash-affine.diff b/debian/patches/01-crash-affine.diff new file mode 100644 index 000..ba13782 --- /dev/null +++ b/debian/patches/01-crash-affine.diff @@ -0,0 +1,40 @@ +commit ab626f7543e0498e3ca3842ba69ad2f2e66ce227 +Author: Dan Dennedy +Date: Sun Jan 29 00:43:28 2017 -0800 + +Fix crash in affine due to relaxed constraints. + +diff --git a/src/modules/plus/transition_affine.c b/src/modules/plus/transition_affine.c +index 8c8820e..91607fd 100644 +--- a/src/modules/plus/transition_affine.c b/src/modules/plus/transition_affine.c +@@ -1,6 +1,6 @@ + /* + * transition_affine.c -- affine transformations +- * Copyright (C) 2003-2016 Meltytech, LLC ++ * Copyright (C) 2003-2017 Meltytech, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public +@@ -552,8 +552,8 @@ static int transition_get_image( mlt_frame a_frame, uint8_t **image, mlt_image_f + + // Affine boundaries + float minima = 0; +- float xmax = b_width; +- float ymax = b_height; ++ float xmax = b_width - 1; ++ float ymax = b_height - 1; + + // Set the interpolation function + if ( interps == NULL || strcmp( interps, "nearest" ) == 0 || strcmp( interps, "neighbor" ) == 0 || strcmp( interps, "tiles" ) == 0 || strcmp( interps, "fast_bilinear" ) == 0 ) +@@ -567,9 +567,7 @@ static int transition_get_image( mlt_frame a_frame, uint8_t **image, mlt_image_f + else if ( strcmp( interps, "bilinear" ) == 0 ) + { + interp = interpBL_b32; +- // uses floorf. Values should be >= 0 and < max + 1. +- xmax += 0.99; +- ymax += 0.99; ++ // uses floorf. + } + else if ( strcmp( interps, "bicubic" ) == 0 || strcmp( interps, "hyper" ) == 0 || strcmp( interps, "sinc" ) == 0 || strcmp( interps, "lanczos" ) == 0 || strcmp( interps, "spline" ) == 0 ) + { diff --git a/debian/patches/02-crash-clipinfo-update.diff b/debian/patches/02-crash-clipinfo-update.diff new file mode 100644 index 000..3a89684 --- /dev/null +++ b/debian/patches/02-crash-clipinfo-update.diff @@ -0,0 +1,19 @@ +commit bf2749ab998446f13ba20c8cbc33a8c4d1c36963 +Author: Jean-Baptiste Mardelle +Date: Sun Feb 5 22:54:50 2017 +0100 + +Fix crash in ClipInfo::update method when clip has no resource + +diff --git a/src/mlt++/MltPlaylist.cpp b/src/mlt++/MltPlaylist.cpp +index 5676060..111d3f5 100644 +--- a/src/mlt++/MltPlaylist.cpp b/src/mlt++/MltPlaylist.cpp +@@ -71,7 +71,7 @@ void ClipInfo::update( mlt_playlist_clip_info *info ) + producer = new Producer( info->producer ); + cut = new Producer( info->cut ); + start = info->start; +- resource = strdup( info->resource ); ++ resource = info->resource ? strdup( info->resource ) : 0; + frame_in = info->frame_in; + frame_out = info->frame_out; + frame_count = info->frame_count; diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..5a09da5 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,2 @@ +01-crash-affine.diff +02-crash-clipinfo-update.diff unblock mlt/6.4.1-2 -- System Information: Debian Release: 8.7 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)