Bug#933828: ncbi-tools6/6.1.20170106+dfsg1-0+deb{9,10}u1

2019-08-03 Thread Aaron M. Ucko
Package: release.debian.org
Severity: normal
Tags: stretch buster
User: release.debian@packages.debian.org
Usertags: pu

Thorsten Alteholz from the FTP Master team recently pointed out a
couple of long-standing copyright-related issues with ncbi-tools6:
some data files turned out to contain non-free portions, and
debian/copyright didn't mention some third-party code I'd previously
overlooked.  I've addressed these issues in unstable with ncbi-tools6
6.1.20170106+dfsg1-1.

Thorsten asked me to upload fixes to (old)stable as well, so I've
drafted uploads targeting both releases per
https://salsa.debian.org/med-team/ncbi-tools6/tree/stretch
https://salsa.debian.org/med-team/ncbi-tools6/tree/buster
and the attached debdiffs.

NB: I left stretch at source format 1.0 for now to keep changes to a
minimum, which means it will need an .orig.tar.gz rather than the
identically numbered .orig.tar.xz we have in unstable.  If that
discrepancy is a problem, I can cherry-pick more changes; please let
me know.

Could you please take a look?

Thanks!
Binary files 
/tmp/user/7286/_0/49j3fHIAMn/ncbi-tools6-6.1.20170106/data/UniVec.nhr and 
/tmp/user/7286/_0/EJkaUzF4ix/ncbi-tools6-6.1.20170106+dfsg1/data/UniVec.nhr 
differ
Binary files 
/tmp/user/7286/_0/49j3fHIAMn/ncbi-tools6-6.1.20170106/data/UniVec.nin and 
/tmp/user/7286/_0/EJkaUzF4ix/ncbi-tools6-6.1.20170106+dfsg1/data/UniVec.nin 
differ
Binary files 
/tmp/user/7286/_0/49j3fHIAMn/ncbi-tools6-6.1.20170106/data/UniVec.nsq and 
/tmp/user/7286/_0/EJkaUzF4ix/ncbi-tools6-6.1.20170106+dfsg1/data/UniVec.nsq 
differ
diff -Nru ncbi-tools6-6.1.20170106/debian/changelog 
ncbi-tools6-6.1.20170106+dfsg1/debian/changelog
--- ncbi-tools6-6.1.20170106/debian/changelog   2019-08-03 22:46:14.0 
-0400
+++ ncbi-tools6-6.1.20170106+dfsg1/debian/changelog 2019-08-03 
22:46:18.0 -0400
@@ -1,3 +1,19 @@
+ncbi-tools6 (6.1.20170106+dfsg1-0+deb9u1) stretch; urgency=medium
+
+  * Belatedly repackage without data/UniVec.*, some portions of which
+turned out to be non-free (with copyright held by Invitrogen
+Corporation, which requires a license for commercial use thereof).
+  * debian/copyright:
+- Cover previously overlooked third-party code (all DFSG-free).
+- Update authors and dates for debian/*.
+- Set Files-Excluded to reflect repackaging.
+  * debian/rules: Introduce NCBI_VERSION_SHLIB, with +dfsg1 stripped off.
+  * debian/watch: Reflect usage of +dfsg1.
+  * make/makeshlb.unx: NCBI_VERSION -> NCBI_VERSION_SHLIB.
+  * Temporarily revert ncbi-cn3d splitout to expedite the above fixes.
+
+ -- Aaron M. Ucko   Sat, 03 Aug 2019 22:12:51 -0400
+
 ncbi-tools6 (6.1.20170106-2) unstable; urgency=medium
 
   * debian/control: Correctly version ncbi-tools-bin's Breaks/Replaces
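Review bot: The last bullet of the new entry, "Temporarily revert ncbi-cn3d splitout to expedite the above fixes", does not say what the revert means for the binary packages this stretch upload builds, and "temporarily" has no follow-up in a stable update. Please state in that bullet whether the set of binary packages stays the same as in the version being replaced, since that is what a reviewer of a proposed update needs to confirm.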
diff -Nru ncbi-tools6-6.1.20170106/debian/copyright 
ncbi-tools6-6.1.20170106+dfsg1/debian/copyright
--- ncbi-tools6-6.1.20170106/debian/copyright   2019-08-03 22:46:14.0 
-0400
+++ ncbi-tools6-6.1.20170106+dfsg1/debian/copyright 2019-08-03 
22:46:18.0 -0400
@@ -2,15 +2,62 @@
 Upstream-Contact: tool...@ncbi.nlm.nih.gov
 Upstream-Name: ncbi
 Source: http://ftp.ncbi.nih.gov/toolbox/ncbi_tools/old/
+Files-Excluded: ncbi/data/UniVec.*
 
 Files: *
 Copyright: 1996-2017 NCBI
 License: public_domain
 
+Files: algo/blast/core/boost_erf.c
+Copyright: 2006 John Maddock
+License: BSL-1.0
+
+Files: connect/mitsock/*
+Copyright: 1998-1999 The Massachusetts Institute of Technology
+License: MIT
+
+Files: connect/mitsock/OTErrno.c connect/mitsock/OTnetdb.c
+ connect/mitsock/sock_ext.h
+Copyright:  National Center for Supercomputing Applications
+License: NCSA
+
+Files: connect/mitsock/a_inet.h:
+Copyright: 1983 Regents of the University of California
+License: BSD-3-Clause
+
+Files: connect/mitsock/carbon_netdb.h:
+Copyright: 1980, 1983, 1988 Regents of the University of California
+License: BSD-3-Clause
+
+Files: connect/mitsock/neterrno.h:
+Copyright: 1982, 1986, 1989 Regents of the University of California
+License: BSD-3-Clause
+
+Files: connect/mitsock/neti_in.h:
+Copyright: 1982, 1986, 1990 Regents of the University of California
+License: BSD-3-Clause
+
+Files: connect/mitsock/s_types.h:
+Copyright: 1982 Regents of the University of California
+License: BSD-3-Clause
+
+Files: connect/parson.?
+Copyright: 2012-2016 Krzysztof Gabis
+License: Expat
+
+Files: corelib/regex.c
+Copyright: 1993 Free Software Foundation, Inc.
+License: GPL-2+
+
+Files: corelib/regex.h
+Copyright: 1985, 1989, 1990, 1991, 1992, 1993 Free Software Foundation, Inc.
+License: GPL-2+
+
 Files: debian/*
 Copyright: 1998-1999 Stephane Bortzmeyer 
2001  Dr. Guenter Bechly 
-   2001-2017 Aaron M. Ucko 
+   2001-2019 Aaron M. Ucko 
+   2012-2017 Andreas Tille 
 License: public_domain
 
 License: public_domain
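Review bot: The five added stanzas for a_inet.h, carbon_netdb.h, neterrno.h, neti_in.h and s_types.h end their Files: value with a colon (for example "Files: connect/mitsock/a_inet.h:"), so each pattern names a path with a trailing ":" and will not match the header it is meant to cover; drop the colon from each. The NCSA stanza for OTErrno.c, OTnetdb.c and sock_ext.h also has a Copyright: line with no year, unlike every other stanza in this hunk; add the years if the files state them.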
@@ -35,3 +82,122 @@
  purpose.
  .
  Please cite the author in any work or product based on this material.
+
+License: BSL-1.0
+ Permission is hereby granted, 

Bug#933764: buster-pu: package e2fsprogs/1.44.5-1+deb10u1

2019-08-03 Thread Theodore Y. Ts'o
Thanks, Adam!  My apologies for screwing up the first build/upload.
I've just pushed e2fsprogs/1.44.5-1+deb10u1.

I've attached the debdiff below.

- Ted

diff -Nru e2fsprogs-1.44.5/debian/changelog e2fsprogs-1.44.5/debian/changelog
--- e2fsprogs-1.44.5/debian/changelog   2018-12-15 22:46:49.0 -0500
+++ e2fsprogs-1.44.5/debian/changelog   2019-08-02 23:49:00.0 -0400
@@ -1,3 +1,9 @@
+e2fsprogs (1.44.5-1+deb10u1) buster; urgency=medium
+
+  * Fix e4defrag crashes on 32-bit architectures (Closes: #920767)
+
+ -- Theodore Y. Ts'o   Fri, 02 Aug 2019 23:49:00 -0400
+
 e2fsprogs (1.44.5-1) unstable; urgency=medium
 
   * New upstream version
diff -Nru e2fsprogs-1.44.5/debian/gbp.conf e2fsprogs-1.44.5/debian/gbp.conf
--- e2fsprogs-1.44.5/debian/gbp.conf2018-12-15 22:46:49.0 -0500
+++ e2fsprogs-1.44.5/debian/gbp.conf2019-08-02 23:49:00.0 -0400
@@ -1,4 +1,4 @@
 [DEFAULT]
 pristine-tar = True
 upstream-tag='v%(version)s'
-debian-branch=debian/master
+debian-branch=debian/stable
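Review bot: The new value debian-branch=debian/stable names the branch after a suite alias rather than the release this upload targets (the changelog entry above says buster), so the setting will describe the wrong series once buster is no longer stable. Consider a branch named after the codename instead.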
diff -Nru e2fsprogs-1.44.5/debian/.gitignore e2fsprogs-1.44.5/debian/.gitignore
--- e2fsprogs-1.44.5/debian/.gitignore  1969-12-31 19:00:00.0 -0500
+++ e2fsprogs-1.44.5/debian/.gitignore  2019-08-02 23:49:00.0 -0400
@@ -0,0 +1 @@
+!patches
diff -Nru 
e2fsprogs-1.44.5/debian/patches/revert-e4defrag-use-64-bit-counters-to-t.patch 
e2fsprogs-1.44.5/debian/patches/revert-e4defrag-use-64-bit-counters-to-t.patch
--- 
e2fsprogs-1.44.5/debian/patches/revert-e4defrag-use-64-bit-counters-to-t.patch  
1969-12-31 19:00:00.0 -0500
+++ 
e2fsprogs-1.44.5/debian/patches/revert-e4defrag-use-64-bit-counters-to-t.patch  
2019-08-02 23:49:00.0 -0400
@@ -0,0 +1,66 @@
+From: Theodore Ts'o 
+Date: Thu, 3 Jan 2019 22:27:37 -0500
+X-Dgit-Generated: 1.44.5-1 622e62942104d357912480e49c5b5524588cf45f
+Subject: Revert "e4defrag: use 64-bit counters to track # files defragged"
+
+This reverts commit 3293ea9ecbe1d622f9cf6c41d705d82fbae6a3e3.
+
+This wasn't really the right fix, since there can't be more than 2**32
+files in a file system.  The real issue is when the number of files in
+a directory change during the e4defrag run.
+
+Signed-off-by: Theodore Ts'o 
+
+---
+
+--- e2fsprogs-1.44.5.orig/misc/e4defrag.c
 e2fsprogs-1.44.5/misc/e4defrag.c
+@@ -169,13 +169,13 @@ static int   block_size;
+ static intextents_before_defrag;
+ static intextents_after_defrag;
+ static intmode_flag;
+-static uid_t  current_uid;
+-static unsigned long long defraged_file_count;
+-static unsigned long long frag_files_before_defrag;
+-static unsigned long long frag_files_after_defrag;
+-static unsigned long long regular_count;
+-static unsigned long long succeed_cnt;
+-static unsigned long long total_count;
++static unsigned int   current_uid;
++static unsigned int   defraged_file_count;
++static unsigned int   frag_files_before_defrag;
++static unsigned int   frag_files_after_defrag;
++static unsigned int   regular_count;
++static unsigned int   succeed_cnt;
++static unsigned int   total_count;
+ static __u8 log_groups_per_flex;
+ static __u32 blocks_per_group;
+ static __u32 feature_incompat;
+@@ -1912,9 +1912,9 @@ int main(int argc, char *argv[])
+   }
+   /* File tree walk */
+   nftw64(dir_name, file_defrag, FTW_OPEN_FD, flags);
+-  printf("\n\tSuccess:\t\t\t[ %llu/%llu ]\n",
+- succeed_cnt, total_count);
+-  printf("\tFailure:\t\t\t[ %llu/%llu ]\n",
++  printf("\n\tSuccess:\t\t\t[ %u/%u ]\n", succeed_cnt,
++  total_count);
++  printf("\tFailure:\t\t\t[ %u/%u ]\n",
+   total_count - succeed_cnt, total_count);
+   if (mode_flag & DETAIL) {
+   printf("\tTotal extents:\t\t\t%4d->%d\n",
+@@ -1923,10 +1923,12 @@ int main(int argc, char *argv[])
+   printf("\tFragmented percentage:\t\t"
+   "%3llu%%->%llu%%\n",
+   !regular_count ? 0 :
+-  (frag_files_before_defrag * 100) /
++  ((unsigned long long)
++  frag_files_before_defrag * 100) /
+   regular_count,
+   !regular_count ? 0 :
+-  (frag_files_after_defrag * 100) /
++  ((unsigned long long)
++  frag_files_after_defrag * 100) /
+   regular_count);
+   }
+   break;
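Review bot: In the embedded e4defrag.c change, the first altered declaration turns "static uid_t current_uid;" into "static unsigned int current_uid;", which is unrelated to the file counters named in the Subject; that follows from a straight revert, but it would be cleaner to keep uid_t and revert only the six counters. The patch description also names the real issue (the number of files in a directory changing during the run) without saying how returning to unsigned int counters stops the crash on 32-bit architectures that the changelog entry cites; one sentence linking the two would help whoever audits this stable update.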
diff -Nru e2fsprogs-1.44.5/debian/patches/series 
e2fsprogs-1.44.5/debian/patches/series
--- 

Processed: stretch-pu: package freetype/2.6.3-3.2+deb9u1

2019-08-03 Thread Debian Bug Tracking System
Processing control commands:

> retitle -1 stretch-pu: package freetype/2.6.3-3.2+deb9u1
Bug #933263 [release.debian.org] stretch-pu: package freetype/2.6.3-3.2+deb9u10
Changed Bug title to 'stretch-pu: package freetype/2.6.3-3.2+deb9u1' from 
'stretch-pu: package freetype/2.6.3-3.2+deb9u10'.

-- 
933263: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933263
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#933263: stretch-pu: package freetype/2.6.3-3.2+deb9u1

2019-08-03 Thread Hugh McMaster
Control: retitle -1 stretch-pu: package freetype/2.6.3-3.2+deb9u1

Updated debdiff, now with correct update version.


freetype-2.6.3-3.2+deb9u1.debdiff
Description: Binary data


NEW changes in stable-new

2019-08-03 Thread Debian FTP Masters
Processing changes file: hfst_3.15.0-1.1~deb10u1_mips64el.changes
  ACCEPT



NEW changes in stable-new

2019-08-03 Thread Debian FTP Masters
Processing changes file: hfst_3.15.0-1.1~deb10u1_mipsel.changes
  ACCEPT
Processing changes file: 
yubikey-personalization_1.19.3-3+deb10u1_mips64el.changes
  ACCEPT



NEW changes in stable-new

2019-08-03 Thread Debian FTP Masters
Processing changes file: hfst_3.15.0-1.1~deb10u1_arm64.changes
  ACCEPT
Processing changes file: hfst_3.15.0-1.1~deb10u1_armel.changes
  ACCEPT
Processing changes file: hfst_3.15.0-1.1~deb10u1_armhf.changes
  ACCEPT
Processing changes file: hfst_3.15.0-1.1~deb10u1_mips.changes
  ACCEPT



NEW changes in stable-new

2019-08-03 Thread Debian FTP Masters
Processing changes file: hfst_3.15.0-1.1~deb10u1_amd64.changes
  ACCEPT
Processing changes file: hfst_3.15.0-1.1~deb10u1_ppc64el.changes
  ACCEPT
Processing changes file: hfst_3.15.0-1.1~deb10u1_s390x.changes
  ACCEPT
Processing changes file: yubikey-personalization_1.19.3-3+deb10u1_amd64.changes
  ACCEPT
Processing changes file: yubikey-personalization_1.19.3-3+deb10u1_armel.changes
  ACCEPT
Processing changes file: yubikey-personalization_1.19.3-3+deb10u1_armhf.changes
  ACCEPT
Processing changes file: yubikey-personalization_1.19.3-3+deb10u1_i386.changes
  ACCEPT
Processing changes file: yubikey-personalization_1.19.3-3+deb10u1_mips.changes
  ACCEPT
Processing changes file: yubikey-personalization_1.19.3-3+deb10u1_mipsel.changes
  ACCEPT
Processing changes file: 
yubikey-personalization_1.19.3-3+deb10u1_ppc64el.changes
  ACCEPT



NEW changes in oldstable-new

2019-08-03 Thread Debian FTP Masters
Processing changes file: miniupnpd_1.8.20140523-4.1+deb9u2_amd64.changes
  ACCEPT
Processing changes file: miniupnpd_1.8.20140523-4.1+deb9u2_arm64.changes
  ACCEPT
Processing changes file: miniupnpd_1.8.20140523-4.1+deb9u2_armel.changes
  ACCEPT
Processing changes file: miniupnpd_1.8.20140523-4.1+deb9u2_armhf.changes
  ACCEPT
Processing changes file: miniupnpd_1.8.20140523-4.1+deb9u2_i386.changes
  ACCEPT
Processing changes file: miniupnpd_1.8.20140523-4.1+deb9u2_mips.changes
  ACCEPT
Processing changes file: miniupnpd_1.8.20140523-4.1+deb9u2_mips64el.changes
  ACCEPT
Processing changes file: miniupnpd_1.8.20140523-4.1+deb9u2_mipsel.changes
  ACCEPT
Processing changes file: miniupnpd_1.8.20140523-4.1+deb9u2_ppc64el.changes
  ACCEPT
Processing changes file: miniupnpd_1.8.20140523-4.1+deb9u2_s390x.changes
  ACCEPT



NEW changes in stable-new

2019-08-03 Thread Debian FTP Masters
Processing changes file: hfst_3.15.0-1.1~deb10u1_i386.changes
  ACCEPT
Processing changes file: 
libjavascript-beautifier-perl_0.25-1+deb10u1_all.changes
  ACCEPT
Processing changes file: usb.ids_2019.07.27-0+deb10u1_all.changes
  ACCEPT
Processing changes file: yubikey-personalization_1.19.3-3+deb10u1_all.changes
  ACCEPT
Processing changes file: yubikey-personalization_1.19.3-3+deb10u1_arm64.changes
  ACCEPT
Processing changes file: yubikey-personalization_1.19.3-3+deb10u1_s390x.changes
  ACCEPT



Processed: retitle 933764 to buster-pu: package e2fsprogs/1.44.5-1+deb10u1, tagging 933764

2019-08-03 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 933764 buster-pu: package e2fsprogs/1.44.5-1+deb10u1
Bug #933764 [release.debian.org] stretch-pu: package e2fsprogs/1.44.5-1+deb9u1
Changed Bug title to 'buster-pu: package e2fsprogs/1.44.5-1+deb10u1' from 
'stretch-pu: package e2fsprogs/1.44.5-1+deb9u1'.
> tags 933764 - stretch + buster
Bug #933764 [release.debian.org] buster-pu: package e2fsprogs/1.44.5-1+deb10u1
Removed tag(s) stretch.
Bug #933764 [release.debian.org] buster-pu: package e2fsprogs/1.44.5-1+deb10u1
Added tag(s) buster.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
933764: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933764
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#933764: buster-pu: package e2fsprogs/1.44.5-1+deb10u1

2019-08-03 Thread Adam D. Barratt
On Sat, 2019-08-03 at 13:08 -0400, Theodore Y. Ts'o wrote:
> It was supposed to be 1.44.5-1+deb10u1 targeted at buster.  That's
> actually what *sources* are; but the changelog and chroot it was
> built against was stretch.
> 
> *Sigh*.
> 
> I'll go away, fix the changelog and rebuild it now.  Do you prefer
> whether we just close this bug as invalid, and I'll open a new one,
> or should we retitle this bug and append to it?  I don't have strong
> preferences either way.

Re-using this bug is fine; I'll get the metadata fixed up.

On Sat, 2019-08-03 at 15:46 -0400, Theodore Y. Ts'o wrote:
> Oh, one more question --- should I be doing a source-only, or binary
> push when I push to buster-proposed-updates.

Either works fine. If you go the source-only route, please make sure
the .changes is _not_ named _amd64.changes or similar, as that will
complicate things for the buildd upload.

> I'm a bit confused about whether it will be going into the NEW queue,
> and hence require a binary push, or a source-only build because
> that's the new hotness and it's required for promotions to testing.

While there is a holding suite in front of p-u named "stable-new", it's
not NEW in the ftp-master sense, and there's generally no reason for an
update to stable to hit NEW. The previous one only did because some of
the binary packages you uploaded don't exist in stretch.

Regards,

Adam



Bug#933764: stretch-pu: package e2fsprogs/1.44.5-1+deb9u1

2019-08-03 Thread Theodore Y. Ts'o
Oh, one more question --- should I be doing a source-only, or binary
push when I push to buster-proposed-updates.

I'm a bit confused about whether it will be going into the NEW queue,
and hence require a binary push, or a source-only build because that's
the new hotness and it's required for promotions to testing.

Thanks!

- Ted



NEW changes in oldstable-new

2019-08-03 Thread Debian FTP Masters
Processing changes file: miniupnpd_1.8.20140523-4.1+deb9u2_source.changes
  ACCEPT



NEW changes in stable-new

2019-08-03 Thread Debian FTP Masters
Processing changes file: hfst_3.15.0-1.1~deb10u1_source.changes
  ACCEPT
Processing changes file: 
libjavascript-beautifier-perl_0.25-1+deb10u1_sourceonly.changes
  ACCEPT
Processing changes file: subversion_1.10.4-1+deb10u1_source.changes
  ACCEPT
Processing changes file: subversion_1.10.4-1+deb10u1_all.changes
  ACCEPT
Processing changes file: subversion_1.10.4-1+deb10u1_amd64.changes
  ACCEPT
Processing changes file: subversion_1.10.4-1+deb10u1_arm64.changes
  ACCEPT
Processing changes file: subversion_1.10.4-1+deb10u1_armel.changes
  ACCEPT
Processing changes file: subversion_1.10.4-1+deb10u1_armhf.changes
  ACCEPT
Processing changes file: subversion_1.10.4-1+deb10u1_i386.changes
  ACCEPT
Processing changes file: subversion_1.10.4-1+deb10u1_mips.changes
  ACCEPT
Processing changes file: subversion_1.10.4-1+deb10u1_mips64el.changes
  ACCEPT
Processing changes file: subversion_1.10.4-1+deb10u1_mipsel.changes
  ACCEPT
Processing changes file: subversion_1.10.4-1+deb10u1_ppc64el.changes
  ACCEPT
Processing changes file: subversion_1.10.4-1+deb10u1_s390x.changes
  ACCEPT
Processing changes file: usb.ids_2019.07.27-0+deb10u1_source.changes
  ACCEPT
Processing changes file: yubikey-personalization_1.19.3-3+deb10u1_source.changes
  ACCEPT



Re: Bits from the Release Team: ride like the wind, Bullseye!

2019-08-03 Thread Ivo De Decker

Hi,

On 8/3/19 10:12 AM, Andreas Beckmann wrote:
>>> Q: BinNMUs of packages uploaded before this new policy that have
>>> arch:all binaries can no longer migrate to testing. Is that
>>> intentional?
>>
>> I read this as:
>> Q: I already did a binary upload, do I need to do a new (source-only)
>> upload?
>
> I read this as
>
> Q: The maintainer-uploaded arch:all packages are already in testing.
> Will new buildd-built binNMUs migrate to testing or do I need to do a
> new source-only upload to "fix" the arch:all packages?

This isn't really intentional. However, if you're worried about delays 
following uploads of new versions, keep in mind that a possible fix for 
this will almost certainly take more time than the delay caused by new 
uploads.


Also, given that we eventually want to get rid of the old binaries 
uploaded by maintainers, a fix for this is low priority (if it happens 
at all).


Cheers,

Ivo



Processed: yubikey-personalization 1.19.3-3+deb10u1 flagged for acceptance

2019-08-03 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #932518 [release.debian.org] buster-pu: package 
yubikey-personalization/1.19.3-3
Added tag(s) pending.

-- 
932518: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932518
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: hfst 3.15.0-1.1~deb10u1 flagged for acceptance

2019-08-03 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #933392 [release.debian.org] buster-pu: package hfst/3.15.0-1.1~deb10u1
Ignoring request to alter tags of bug #933392 to the same tags previously set

-- 
933392: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933392
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: hfst 3.15.0-1.1~deb10u1 flagged for acceptance

2019-08-03 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #933392 [release.debian.org] buster-pu: package hfst/3.15.0-1.1~deb10u1
Added tag(s) pending.

-- 
933392: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933392
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#932518: yubikey-personalization 1.19.3-3+deb10u1 flagged for acceptance

2019-08-03 Thread Jonathan Wiltshire
Control: tags -1 + pending

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==============

Package: yubikey-personalization
Version: 1.19.3-3+deb10u1

Explanation: backport additional security precautions



Bug#933787: usb.ids 2019.07.27-0+deb10u1 flagged for acceptance

2019-08-03 Thread Jonathan Wiltshire
Control: tags -1 + pending

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==============

Package: usb.ids
Version: 2019.07.27-0+deb10u1

Explanation: routine update of USB IDs



Processed: usb.ids 2019.07.27-0+deb10u1 flagged for acceptance

2019-08-03 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #933787 [release.debian.org] buster-pu: package 
usb.ids/2019.07.27-0+deb10u1 
Added tag(s) pending.

-- 
933787: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933787
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: yubikey-personalization 1.19.3-3+deb10u1 flagged for acceptance

2019-08-03 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #932518 [release.debian.org] buster-pu: package 
yubikey-personalization/1.19.3-3
Ignoring request to alter tags of bug #932518 to the same tags previously set

-- 
932518: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932518
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: libjavascript-beautifier-perl 0.25-1+deb10u1 flagged for acceptance

2019-08-03 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #931596 [release.debian.org] buster-pu: package 
libjavascript-beautifier-perl/0.25-1+deb10u1
Ignoring request to alter tags of bug #931596 to the same tags previously set

-- 
931596: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931596
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#931596: libjavascript-beautifier-perl 0.25-1+deb10u1 flagged for acceptance

2019-08-03 Thread Jonathan Wiltshire
Control: tags -1 + pending

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==============

Package: libjavascript-beautifier-perl
Version: 0.25-1+deb10u1

Explanation: add missing "=>" operator



Processed: usb.ids 2019.07.27-0+deb10u1 flagged for acceptance

2019-08-03 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #933787 [release.debian.org] buster-pu: package 
usb.ids/2019.07.27-0+deb10u1 
Ignoring request to alter tags of bug #933787 to the same tags previously set

-- 
933787: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933787
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#933392: hfst 3.15.0-1.1~deb10u1 flagged for acceptance

2019-08-03 Thread Jonathan Wiltshire
Control: tags -1 + pending

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==============

Package: hfst
Version: 3.15.0-1.1~deb10u1

Explanation: ensure smoother upgrades from stretch



Processed: libjavascript-beautifier-perl 0.25-1+deb10u1 flagged for acceptance

2019-08-03 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #931596 [release.debian.org] buster-pu: package 
libjavascript-beautifier-perl/0.25-1+deb10u1
Added tag(s) pending.

-- 
931596: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931596
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#933764: stretch-pu: package e2fsprogs/1.44.5-1+deb9u1

2019-08-03 Thread Theodore Y. Ts'o
On Sat, Aug 03, 2019 at 04:08:14PM +0100, Adam D. Barratt wrote:
> 
> I assume this is simply a case of an outdated chroot pointing at
> "stable" or similar. The net effect is that the upload ended up in NEW
> (presumably as buster's e2fsprogs builds additional binary packages
> relative to stretch). I've asked ftp-master to reject that upload.
> 
> I'm not sure whether you were intending to fix this in stretch or
> buster, but this should either be 1.43.4-2+deb9u1 for stretch, or
> 1.44.5-1+deb10u1 targeted at buster.

It's an outdated chroot plus me being confused.  It was supposed to be
1.44.5-1+deb10u1 targeted at buster.  That's actually what *sources*
are; but the changelog and chroot it was built against was stretch.

*Sigh*.

I'll go away, fix the changelog and rebuild it now.  Do you prefer
whether we just close this bug as invalid, and I'll open a new one, or
should we retitle this bug and append to it?  I don't have strong
preferences either way.

Cheers,

- Ted



Bug#933764: stretch-pu: package e2fsprogs/1.44.5-1+deb9u1

2019-08-03 Thread Adam D. Barratt
Control: tags -1 + moreinfo

On Sat, 2019-08-03 at 01:10 -0400, Theodore Y. Ts'o wrote:
> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> This upload is to fix the important bug, #920767.
> 
> The debdiff is attached below.
> 
> 
> diff -Nru e2fsprogs-1.44.5/debian/changelog e2fsprogs-
> 1.44.5/debian/changelog
> --- e2fsprogs-1.44.5/debian/changelog 2018-12-15
> 22:46:49.0 -0500
> +++ e2fsprogs-1.44.5/debian/changelog 2019-08-02
> 23:49:00.0 -0400
> @@ -1,3 +1,9 @@
> +e2fsprogs (1.44.5-1+deb9u1) stretch; urgency=medium

stretch has 1.43.4-2, not 1.44.5-1; the latter is in buster.

I assume this is simply a case of an outdated chroot pointing at
"stable" or similar. The net effect is that the upload ended up in NEW
(presumably as buster's e2fsprogs builds additional binary packages
relative to stretch). I've asked ftp-master to reject that upload.

I'm not sure whether you were intending to fix this in stretch or
buster, but this should either be 1.43.4-2+deb9u1 for stretch, or
1.44.5-1+deb10u1 targeted at buster.

Regards,

Adam



Processed: Re: Bug#933764: stretch-pu: package e2fsprogs/1.44.5-1+deb9u1

2019-08-03 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + moreinfo
Bug #933764 [release.debian.org] stretch-pu: package e2fsprogs/1.44.5-1+deb9u1
Added tag(s) moreinfo.

-- 
933764: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933764
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#933793: stretch-pu: package usbutils/1:007-4+deb9u1

2019-08-03 Thread Aurelien Jarno
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

I would like to update usbutils in stretch to update the usb.ids
database. There is no code change; the changes only add a few hundred
USB devices to the database. There are a lot of new entries as this
hasn't been updated for quite some time. Those changes are already in
bullseye and sid.

I have already uploaded the package to stretch-pu, the full diff is
attached. Thanks for considering.

Regards,
Aurelien


usbutils_007-4_007-4+deb9u1.debdiff.gz
Description: application/gzip


Bug#933787: buster-pu: package usb.ids/2019.07.27-0+deb10u1

2019-08-03 Thread Aurelien Jarno
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

I have just uploaded a new upstream version of usb.ids to buster-pu. It
only adds a few dozen USB devices to the usb.ids database. Those
changes are already in bullseye and sid.

The full diff is attached. Thanks for considering.

Regards,
Aurelien
diff -Nru usb.ids-2019.04.23/debian/changelog 
usb.ids-2019.07.27/debian/changelog
--- usb.ids-2019.04.23/debian/changelog 2019-04-28 21:16:01.0 +0200
+++ usb.ids-2019.07.27/debian/changelog 2019-08-03 14:54:50.0 +0200
@@ -1,3 +1,9 @@
+usb.ids (2019.07.27-0+deb10u1) buster; urgency=medium
+
+  * New upstream version. 
+
+ -- Aurelien Jarno   Sat, 03 Aug 2019 14:54:50 +0200
+
 usb.ids (2019.04.23-1) unstable; urgency=medium
 
   * New upstream version. 
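Review bot: The added bullet says only "New upstream version.", which gives a stable reviewer nothing to check against the usb.ids diff that follows; summarise what the data update contains, as the cover message does. The added bullet line also ends in a trailing space.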
diff -Nru usb.ids-2019.04.23/usb.ids usb.ids-2019.07.27/usb.ids
--- usb.ids-2019.04.23/usb.ids  2019-04-23 21:34:05.0 +0200
+++ usb.ids-2019.07.27/usb.ids  2019-07-27 21:34:05.0 +0200
@@ -9,8 +9,8 @@
 #  The latest version can be obtained from
 #  http://www.linux-usb.org/usb.ids
 #
-# Version: 2019.04.23
-# Date:2019-04-23 20:34:05
+# Version: 2019.07.27
+# Date:2019-07-27 20:34:05
 #
 
 # Vendors, devices and interfaces. Please keep sorted.
@@ -38,6 +38,8 @@
181b  Venom Arcade Joystick
1843  Mayflash GameCube Controller Adapter
1844  Mayflash GameCube Controller
+0080  Assmann Electronic GmbH
+   a001  Digitus DA-71114 SATA
 0085  Boeye Technology Co., Ltd.
0600  eBook Reader
 0105  Trust International B.V.
@@ -478,6 +480,7 @@
3517  LaserJet 3390
3602  PhotoSmart 1315
3611  PSC 2410 PhotoSmart
+   3612  Officejet Pro 8000 A809
3617  Color LaserJet 2605
3711  PSC 2500
3717  EWS UPD
@@ -661,7 +664,9 @@
9207  HD-4110 Webcam
9302  PhotoSmart R930 series
9402  PhotoSmart R837
+   942a  LaserJet Pro M12a
9502  PhotoSmart R840 series
+   952a  LaserJet Pro M12w
9602  PhotoSmart M730 series
9702  PhotoSmart R740 series
9802  PhotoSmart Mz60 series
@@ -786,6 +791,7 @@
8070  7 Port Hub
8140  Vehicle Explorer Interface
8210  MGTimer - MGCC (Vic) Timing System
+   8348  FT232BM [SIENNA Serial Interface]
8370  7 Port Hub
8371  PS/2 Keyboard And Mouse
8372  FT8U100AX Serial Port
@@ -1159,6 +1165,7 @@
 040c  VTech Computers, Ltd
 040d  VIA Technologies, Inc.
3184  VNT VT6656 USB-802.11 Wireless LAN Adapter
+   340f  Audinst HUD-mx2
6205  USB 2.0 Card Reader
 040e  MCCI
 040f  Echo Speech Corp.
@@ -1509,6 +1516,7 @@
03a4  C5 (Storage mode)
03c0  C7-00 (Mass storage mode)
03c1  C7-00 (Media transfer mode)
+   03c2  Sim
03cd  C7-00 (Nokia Suite mode)
03d1  N950
0400  7600 Phone Parent
@@ -1925,6 +1933,7 @@
b326  Gamepad GP XID
b351  F16 MFD 1
b352  F16 MFD 2
+   b365  UbiSoft UbiConnect
b603  force feedback Wheel
b605  force feedback Racing Wheel
b651  Ferrari GT Rumble Force Wheel
@@ -4374,6 +4383,8 @@
6506  CY4603
650a  CY4613
6560  CY7C65640 USB-2.0 "TetraHub"
+   6570  Unprogrammed CY7C65632/34 hub HX2VL
+   6572  Unprogrammed CY7C65642 hub
6830  CY7C68300A EZ-USB AT2 USB 2.0 to ATA/ATAPI
6831  Storage Adapter ISD-300LP (CY)
7417  Wireless PC Lock/Ultra Mouse
@@ -5459,6 +5470,7 @@
b5ce  Integrated Camera
b5cf  Integrated IR Camera
b5db  HP Webcam
+   b604  Integrated Camera (1280x720@30)
 04f3  Elan Microelectronics Corp.
000a  Touchscreen
0103  ActiveJet K-2024 Multimedia Keyboard
@@ -6363,6 +6375,7 @@
dccf  Sound Vision Stream Driver
 0547  Anchor Chips, Inc.
0001  ICSI Bluetooth Device
+   0080  I3SYSTEM HYUNY
1002  Python2 WDM Encoder
1006  Hantek DSO-2100 UF
2131  AN2131 EZUSB Microcontroller
@@ -6963,9 +6976,27 @@
0079  Laser mouse M-D21DL
007b  Laser mouse M-D20DR
007c  Laser Bluetooth mouse M-BT5BL
+   007e  Option mouse M-M8UR
+   007f  Option mouse M-M9UR
+   0081  Option mouse M-DY6DR
+   0082  Laser mouse M-D22DR
+   0088  Micro Grast2 Bit M-BG3DL
+   0089  Micro Grast2 Pop M-PG3DL
+   008c  M-NE3DL Mouse
+   008d  ORIME M-NE4DR
+   008f  M-BT8BL Bluetooth Mouse
+   0092  Wireless BlueLED Mouse (M-BL2DB)
+   009c  IR Mouse M-IR02DR
+   009d  IR Mouse M-IR03DR
+   009f  BlueLED Mouse M-HS1DB
+   00a1  IR Mouse M-IR05DR
+   00a4  Blue LED Mouse M-BL06DB
+   00a5  M-NV1BR Bluetooth Mouse
+   00a7  Blue LED Mouse M-BL08DB
2003  JC-U3613M
2004  JC-U3613M
200c  LD-USB/TX
+   2012  JC-U4013S Gamepad
4002  Laneed 100Mbps Ethernet LD-USB/TX 

Bug#930420: stretch-pu: package grub2/2.02~beta3-5+deb9u2

2019-08-03 Thread Colin Watson
On Sat, Jul 27, 2019 at 12:39:40PM +0200, Cyril Brulebois wrote:
> Adam D. Barratt  (2019-07-26):
> > Sorry for the delay in getting back to you regarding this.
> > 
> > While it doesn't sound like the changes should affect d-i, I would
> > still appreciate an ack on that side, so tagging and CCing
> > appropriately.
> 
> No objections, thanks.

Uploaded, thanks.

-- 
Colin Watson   [cjwat...@debian.org]



Re: Bits from the Release Team: ride like the wind, Bullseye!

2019-08-03 Thread Andreas Beckmann
>> Q: BinNMUs of packages uploaded before this new policy that have
>>    arch:all binaries can no longer migrate to testing. Is that
>>    intentional?
> 
> I read this as:
> Q: I already did a binary upload, do I need to do a new (source-only)
> upload?

I read this as

Q: The maintainer-uploaded arch:all packages are already in testing.
Will new buildd-built binNMUs migrate to testing or do I need to do a
new source-only upload to "fix" the arch:all packages?


Andreas



Bug#932318: buster-pu: package unzip/6.0-23+deb10u1

2019-08-03 Thread Santiago Vila
On Sat, Jul 27, 2019 at 01:38:46PM -0300, Adam D. Barratt wrote:
> On 2019-07-27 13:18, Santiago Vila wrote:
> > tags 932318 - moreinfo
> > thanks
> > 
> > Hello.
> > 
> > The problem with Firefox should now be fixed, and it was unzip's fault.
> > 
> > If possible, I'd like this upload I did 6.0-23+deb10u1 to be rejected so
> > that
> > I can reuse the +deb10u1 version with all the fixes included.
> 
> Done, pending dak actually processing the request.

Fine. I reuploaded unzip, this is the new debdiff, and this time
I believe it should be suitable for stable.

Thanks.

diff -Nru unzip-6.0/debian/changelog unzip-6.0/debian/changelog
--- unzip-6.0/debian/changelog  2019-05-29 00:24:08.0 +0200
+++ unzip-6.0/debian/changelog  2019-07-30 22:26:10.0 +0200
@@ -1,3 +1,14 @@
+unzip (6.0-23+deb10u1) buster; urgency=medium
+
+  * Apply three patches by Mark Adler to fix CVE-2019-13232.
+  - Fix bug in undefer_input() that misplaced the input state.
+  - Detect and reject a zip bomb using overlapped entries.
+Bug discovered by David Fifield. Closes: #931433.
+  - Do not raise a zip bomb alert for a misplaced central directory.
+Reported by Peter Green. Closes: #932404.
+
+ -- Santiago Vila   Tue, 30 Jul 2019 22:26:10 +0200
+
 unzip (6.0-23) unstable; urgency=medium
 
   * Fix lame code in fileio.c which parsed 64-bit values incorrectly.
diff -Nru 
unzip-6.0/debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch 
unzip-6.0/debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch
--- unzip-6.0/debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch   
1970-01-01 01:00:00.0 +0100
+++ unzip-6.0/debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch   
2019-07-30 21:22:00.0 +0200
@@ -0,0 +1,22 @@
+From: Mark Adler 
+Subject: Fix bug in undefer_input() that misplaced the input state.
+Origin: 
https://github.com/madler/unzip/commit/41beb477c5744bc396fa1162ee0c14218ec12213
+Bug-Debian: https://bugs.debian.org/931433
+X-Debian-version: 6.0-24
+
+Fix bug in undefer_input() that misplaced the input state.
+
+--- a/fileio.c
 b/fileio.c
+@@ -532,8 +532,10 @@
+  * This condition was checked when G.incnt_leftover was set > 0 in
+  * defer_leftover_input(), and it is NOT allowed to touch G.csize
+  * before calling undefer_input() when (G.incnt_leftover > 0)
+- * (single exception: see read_byte()'s  "G.csize <= 0" handling) !!
++ * (single exception: see readbyte()'s  "G.csize <= 0" handling) !!
+  */
++if (G.csize < 0L)
++G.csize = 0L;
+ G.incnt = G.incnt_leftover + (int)G.csize;
+ G.inptr = G.inptr_leftover - (int)G.csize;
+ G.incnt_leftover = 0;
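Review bot: The new clamp `if (G.csize < 0L) G.csize = 0L;` writes to G.csize inside undefer_input(), yet the comment directly above it still says G.csize must not be touched before this call and names readbyte()'s "G.csize <= 0" handling as the single exception. Extend that comment to say the clamp exists because of that exception, so that a negative G.csize cannot push G.inptr past G.inptr_leftover or shrink G.incnt below G.incnt_leftover in the two assignments that follow. The patch header also gives X-Debian-version as 6.0-24 while the changelog entry above is 6.0-23+deb10u1; a short remark on why they differ would avoid confusion.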
diff -Nru 
unzip-6.0/debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch
 
unzip-6.0/debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch
--- 
unzip-6.0/debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch
   1970-01-01 01:00:00.0 +0100
+++ 
unzip-6.0/debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch
   2019-07-30 21:23:00.0 +0200
@@ -0,0 +1,335 @@
+From: Mark Adler 
+Subject: Detect and reject a zip bomb using overlapped entries.
+Origin: 
https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
+Bug-Debian: https://bugs.debian.org/931433
+X-Debian-version: 6.0-24
+
+Detect and reject a zip bomb using overlapped entries.
+
+This detects an invalid zip file that has at least one entry that
+overlaps with another entry or with the central directory to the
+end of the file. A Fifield zip bomb uses overlapped local entries
+to vastly increase the potential inflation ratio. Such an invalid
+zip file is rejected.
+
+See https://www.bamsoftware.com/hacks/zipbomb/ for David Fifield's
+analysis, construction, and examples of such zip bombs.
+
+The detection maintains a list of covered spans of the zip files
+so far, where the central directory to the end of the file and any
+bytes preceding the first entry at zip file offset zero are
+considered covered initially. Then as each entry is decompressed
+or tested, it is considered covered. When a new entry is about to
+be processed, its initial offset is checked to see if it is
+contained by a covered span. If so, the zip file is rejected as
+invalid.
+
+This commit depends on a preceding commit: "Fix bug in
+undefer_input() that misplaced the input state."
+
+--- a/extract.c
 b/extract.c
+@@ -321,6 +321,125 @@
+   "\nerror:  unsupported extra-field compression type (%u)--skipping\n";
+ static ZCONST char Far BadExtraFieldCRC[] =
+   "error [%s]:  bad extra-field CRC %08lx (should be %08lx)\n";
++static ZCONST char Far NotEnoughMemCover[] =
++  "error: not enough memory for bomb detection\n";
++static ZCONST char Far OverlappedComponents[] =
++  "error: invalid zip file 
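Review bot: The failure path behind NotEnoughMemCover needs to fail closed, and the visible part of this hunk is cut off before the code that uses the string, so that cannot be checked here. Please confirm that when the span list cannot be allocated, processing of the archive stops instead of continuing without bomb detection; carrying on would let memory pressure disable the overlap check. The description also says only an entry's initial offset is tested against the covered spans, so a comment in extract.c stating why the start offset is sufficient would help the next reader.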

Re: Bits from the Release Team: ride like the wind, Bullseye!

2019-08-03 Thread Paul Gevers
Hi Stéphane,

On 02-08-2019 05:38, Stéphane Glondu wrote:
> Le 07/07/2019 à 03:47, Jonathan Wiltshire a écrit :
>> No binary maintainer uploads for bullseye
>> =========================================
>>
>> The release of buster also means the bullseye release cycle is about to begin.
>> From now on, we will no longer allow binaries uploaded by maintainers to
>> migrate to testing. This means that you will need to do source-only uploads if
>> you want them to reach bullseye.
>>
>>
>>   Q: I already did a binary upload, do I need to do a new (source-only) upload?
>>   A: Yes (preferably with other changes, not just a version bump).
>>
>>   Q: I needed to do a binary upload because my upload went to the NEW queue,
>>      do I need to do a new (source-only) upload for it to reach bullseye?
>>   A: Yes. We also suggest going through NEW in experimental instead of unstable
>>      where possible, to avoid disruption in unstable.
>>
>>   Q: Does this also apply to contrib and non-free?
>>   A: No. Not all packages in contrib and non-free can be built on the buildds,
>>      so maintainer uploads will still be allowed to migrate for packages
>>      outside main.
> 
> Q: BinNMUs of packages uploaded before this new policy that have
>    arch:all binaries can no longer migrate to testing. Is that
>    intentional?

I read this as:
Q: I already did a binary upload, do I need to do a new (source-only)
upload?

So the answer is:
A: Yes (preferably with other changes, not just a version bump).

> This will make transitions that involve lots of binNMUs (such as
> OCaml-related ones) much harder. For example, there is one such ongoing
> (mini-)transition involving ocaml-migrate-parsetree, 26 other binNMUed
> packages, and 7 updated packages. It will be delayed by the time to
> upload all these binNMUed package and their aging. Meanwhile, this
> transition may become bigger and longer as people unaware of this update
> their OCaml-related packages.
> 
> Is there a public API to query the built-on-buildd flag for a given
> binary package?

No API, but you could use the yaml that britney uses (updated every
hour): https://release.debian.org/britney/state/signers.json

Paul





Bug#933769: buster-pu: package erlang-p1-pkix/1.0.0-3+deb10u1

2019-08-03 Thread Philipp Huebner
The corresponding bug report is #933040.

Best wishes
-- 
 .''`.   Philipp Huebner 
: :'  :  pgp fp: 6719 25C5 B8CD E74A 5225  3DF9 E5CA 8C49 25E4 205F
`. `'`
  `-





Bug#933769: buster-pu: package erlang-p1-pkix/1.0.0-3+deb10u1

2019-08-03 Thread Philipp Huebner
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I would like to update erlang-p1-pkix in Buster to fix a regression in
ejabberd, prohibiting the use of GnuTLS certificates.

The patch is directly from upstream [1] and will also be part of the next
upload to unstable. To keep changes minimal I stripped the tests and
example certificates added with that commit.

The resulting package has been successfully tested in real life.

The full diff is attached.

[1] 
https://github.com/processone/pkix/commit/2d7a3b80bf6fc0794720aca852e487a5064d8b86
diff --git a/debian/changelog b/debian/changelog
index 772931a..f7f2286 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+erlang-p1-pkix (1.0.0-3+deb10u1) buster; urgency=medium
+
+  * Added upstream patch to fix handling of GnuTLS certificates
+
+ -- Philipp Huebner   Thu, 01 Aug 2019 11:34:25 +0200
+
 erlang-p1-pkix (1.0.0-3) unstable; urgency=medium
 
   * Updated debian/copyright
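Review bot: The new changelog entry carries no bug reference and does not name the upstream commit. The follow-up message in this thread gives the corresponding report as #933040, so the entry could reference it (with a Closes: only if that bug is filed against this package), and citing commit 2d7a3b80bf6fc0794720aca852e487a5064d8b86 in the entry would let readers trace the fix without opening debian/patches.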
diff --git a/debian/patches/2d7a3b80bf6fc0794720aca852e487a5064d8b86.patch 
b/debian/patches/2d7a3b80bf6fc0794720aca852e487a5064d8b86.patch
new file mode 100644
index 000..fe1ef43
--- /dev/null
+++ b/debian/patches/2d7a3b80bf6fc0794720aca852e487a5064d8b86.patch
@@ -0,0 +1,109 @@
+From 2d7a3b80bf6fc0794720aca852e487a5064d8b86 Mon Sep 17 00:00:00 2001
+From: Evgeny Khramtsov 
+Date: Thu, 1 Aug 2019 12:23:48 +0300
+Subject: [PATCH] Use original DER during certification path validation
+
+Index: erlang-p1-pkix/src/pkix.erl
+===
+--- erlang-p1-pkix.orig/src/pkix.erl
 erlang-p1-pkix/src/pkix.erl
+@@ -35,7 +35,8 @@
+ -define(CERTFILE_TAB, pkix_certfiles).
+
+ -record(pem, {file :: filename(),
+-line :: pos_integer()}).
++line :: pos_integer(),
++der  :: binary()}).
+
+ -record(state, {files = #{}  :: map(),
+   certs = #{}  :: map(),
+@@ -437,9 +438,9 @@ pem_decode(Fd, Line, Begin, Buf) ->
+ -spec pem_decode_entries([{pos_integer(), binary()}], filename(),
+map(), map()) -> {ok, map(), map()} | {error, 
bad_cert_error()}.
+ pem_decode_entries([{Begin, Data}|PEMs], File, Certs, PrivKeys) ->
+-P = #pem{file = File, line = Begin},
+ try public_key:pem_decode(Data) of
+-  [PemEntry] ->
++  [{_, DER, _} = PemEntry] ->
++  P = #pem{file = File, der = DER, line = Begin},
+   try der_decode(PemEntry) of
+   undefined ->
+   pem_decode_entries(PEMs, File, Certs, PrivKeys);
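Review bot: The pattern `[{_, DER, _} = PemEntry]` captures DER whatever the third tuple element is, while the pem_encode hunk further down writes the stored DER back out tagged not_encrypted. Please confirm that der_decode/1 rejects entries whose third element is not not_encrypted before P is stored in Certs or PrivKeys. If it does not, match `{_, DER, not_encrypted}` here so the cached bytes are always plaintext DER.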
+@@ -510,7 +511,7 @@ der_decode({_, _, _}) ->
+{error, filename() | dirname(), io_error()}.
+ commit(State, Dir, CAFile, ValidateHow) ->
+ {Chains, BadCertsWithReason, UnusedKeysWithReason} = build_chains(State),
+-{CAError, InvalidCertsWithReason} = validate(Chains, CAFile, ValidateHow),
++{CAError, InvalidCertsWithReason} = validate(State, Chains, CAFile, 
ValidateHow),
+ InvalidCerts = [C || {C, _} <- InvalidCertsWithReason],
+ SortedChains = case ValidateHow of
+  hard when CAError == undefined ->
+@@ -730,8 +731,7 @@ store_chain(Chain, Dir, State) ->
+ pem_encode({Certs, Key}, State) ->
+ PEM1 = lists:map(
+fun(Cert) ->
+-   Type = element(1, Cert),
+-   DER = public_key:pkix_encode(Type, Cert, otp),
++   DER = get_der(Cert, State#state.certs),
+PemEntry = {'Certificate', DER, not_encrypted},
+Source = lists:map(
+   fun(#pem{file = File, line = Line}) ->
+@@ -742,11 +742,14 @@ pem_encode({Certs, Key}, State) ->
+ PEM2 = [[io_lib:format("From ~s:~B~n", [File, Line])
+|| #pem{file = File, line = Line} <- maps:get(Key, 
State#state.keys)],
+   public_key:pem_encode(
+-[{element(1, Key),
+-  public_key:der_encode(element(1, Key), Key),
+-  not_encrypted}])],
++[{element(1, Key), get_der(Key, State#state.keys), 
not_encrypted}])],
+ iolist_to_binary([PEM1, PEM2]).
+
++-spec get_der(cert() | priv_key(), map()) -> binary().
++get_der(Key, Map) ->
++[#pem{der = DER}|_] = maps:get(Key, Map),
++DER.
++
+ %%%===
+ %%% Domains extraction
+ %%%===
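Review bot: get_der/2 assumes the key is present in the map and that its list is non-empty: maps:get/2 raises badkey and the `[#pem{der = DER}|_]` match raises badmatch otherwise, and either would surface from inside pem_encode/2. If pem_decode_entries guarantees that invariant, say so in a comment above the spec. The function also returns the DER of the first #pem{} only, so note whether the encodings are expected to be byte-identical when the same decoded certificate was loaded from several files. The first argument is named Key although it is also called with a certificate; a neutral name would read better.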
+@@ -850,12 +853,12 @@ get_cert_path(G, [Root|_] = Acc) ->
+ %%%===
+ %%% Certificates chain validation
+ %%%===
+--spec validate([cert_chain()], filename(), false | soft | hard) ->
++-spec validate(state(), [cert_chain()], filename(), false | soft | hard) ->
+  {undefined | {filename(), bad_cert_error() | io_error()},
+   [{cert(), invalid_cert_reason()}]}.