Bug#933828: ncbi-tools6/6.1.20170106+dfsg1-0+deb{9,10}u1
Package: release.debian.org Severity: normal Tags: stretch buster User: release.debian@packages.debian.org Usertags: pu Thorsten Alteholz from the FTP Master team recently pointed out a couple of long-standing copyright-related issues with ncbi-tools6: some data files turned out to contain non-free portions, and debian/copyright didn't mention some third-party code I'd previously overlooked. I've addressed these issues in unstable with ncbi-tools6 6.1.20170106+dfsg1-1. Thorsten asked me to upload fixes to (old)stable as well, so I've drafted uploads targeting both releases per https://salsa.debian.org/med-team/ncbi-tools6/tree/stretch https://salsa.debian.org/med-team/ncbi-tools6/tree/buster and the attached debdiffs. NB: I left stretch at source format 1.0 for now to keep changes to a minimum, which means it will need an .orig.tar.gz rather than the identically numbered .orig.tar.xz we have in unstable. If that discrepancy is a problem, I can cherry-pick more changes; please let me know. Could you please take a look? Thanks! Binary files /tmp/user/7286/_0/49j3fHIAMn/ncbi-tools6-6.1.20170106/data/UniVec.nhr and /tmp/user/7286/_0/EJkaUzF4ix/ncbi-tools6-6.1.20170106+dfsg1/data/UniVec.nhr differ Binary files /tmp/user/7286/_0/49j3fHIAMn/ncbi-tools6-6.1.20170106/data/UniVec.nin and /tmp/user/7286/_0/EJkaUzF4ix/ncbi-tools6-6.1.20170106+dfsg1/data/UniVec.nin differ Binary files /tmp/user/7286/_0/49j3fHIAMn/ncbi-tools6-6.1.20170106/data/UniVec.nsq and /tmp/user/7286/_0/EJkaUzF4ix/ncbi-tools6-6.1.20170106+dfsg1/data/UniVec.nsq differ diff -Nru ncbi-tools6-6.1.20170106/debian/changelog ncbi-tools6-6.1.20170106+dfsg1/debian/changelog --- ncbi-tools6-6.1.20170106/debian/changelog 2019-08-03 22:46:14.0 -0400 +++ ncbi-tools6-6.1.20170106+dfsg1/debian/changelog 2019-08-03 22:46:18.0 -0400 
@@ -1,3 +1,19 @@ +ncbi-tools6 (6.1.20170106+dfsg1-0+deb9u1) stretch; urgency=medium + + * Belatedly repackage without data/UniVec.*, some portions of which +turned out to be non-free (with copyright held by Invitrogen +Corporation, which requires a license for commercial use thereof). + * debian/copyright: +- Cover previously overlooked third-party code (all DFSG-free). +- Update authors and dates for debian/*. +- Set Files-Excluded to reflect repackaging. + * debian/rules: Introduce NCBI_VERSION_SHLIB, with +dfsg1 stripped off. + * debian/watch: Reflect usage of +dfsg1. + * make/makeshlb.unx: NCBI_VERSION -> NCBI_VERSION_SHLIB. + * Temporarily revert ncbi-cn3d splitout to expedite the above fixes. + + -- Aaron M. Ucko Sat, 03 Aug 2019 22:12:51 -0400 + ncbi-tools6 (6.1.20170106-2) unstable; urgency=medium * debian/control: Correctly version ncbi-tools-bin's Breaks/Replaces diff -Nru ncbi-tools6-6.1.20170106/debian/copyright ncbi-tools6-6.1.20170106+dfsg1/debian/copyright --- ncbi-tools6-6.1.20170106/debian/copyright 2019-08-03 22:46:14.0 -0400 +++ ncbi-tools6-6.1.20170106+dfsg1/debian/copyright 2019-08-03 22:46:18.0 -0400 
@@ -2,15 +2,62 @@ Upstream-Contact: tool...@ncbi.nlm.nih.gov Upstream-Name: ncbi Source: http://ftp.ncbi.nih.gov/toolbox/ncbi_tools/old/ +Files-Excluded: ncbi/data/UniVec.* Files: * Copyright: 1996-2017 NCBI License: public_domain +Files: algo/blast/core/boost_erf.c +Copyright: 2006 John Maddock +License: BSL-1.0 + +Files: connect/mitsock/* +Copyright: 1998-1999 The Massachusetts Institute of Technology +License: MIT + +Files: connect/mitsock/OTErrno.c connect/mitsock/OTnetdb.c + connect/mitsock/sock_ext.h +Copyright: National Center for Supercomputing Applications +License: NCSA + +Files: connect/mitsock/a_inet.h: +Copyright: 1983 Regents of the University of California +License: BSD-3-Clause + +Files: connect/mitsock/carbon_netdb.h: +Copyright: 1980, 1983, 1988 Regents of the University of California +License: BSD-3-Clause + +Files: connect/mitsock/neterrno.h: +Copyright: 1982, 1986, 1989 Regents of the University of California +License: BSD-3-Clause + +Files: connect/mitsock/neti_in.h: +Copyright: 1982, 1986, 1990 Regents of the University of California +License: BSD-3-Clause + +Files: connect/mitsock/s_types.h: +Copyright: 1982 Regents of the University of California +License: BSD-3-Clause + +Files: connect/parson.? +Copyright: 2012-2016 Krzysztof Gabis +License: Expat + +Files: corelib/regex.c +Copyright: 1993 Free Software Foundation, Inc. +License: GPL-2+ + +Files: corelib/regex.h +Copyright: 1985, 1989, 1990, 1991, 1992, 1993 Free Software Foundation, Inc. +License: GPL-2+ + Files: debian/* Copyright: 1998-1999 Stephane Bortzmeyer 2001 Dr. Guenter Bechly - 2001-2017 Aaron M. Ucko + 2001-2019 Aaron M. Ucko + 2012-2017 Andreas Tille License: public_domain License: public_domain @@ -35,3 +82,122 @@ purpose. . Please cite the author in any work or product based on this material. + +License: BSL-1.0 + Permission is hereby granted,
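Review bot: Five of the new stanzas in the first debian/copyright hunk end their `Files:` pattern with a colon (`connect/mitsock/a_inet.h:`, `carbon_netdb.h:`, `neterrno.h:`, `neti_in.h:`, `s_types.h:`). As written the colon is part of the pattern, so these stanzas most likely match no file and the headers fall back to the broader `connect/mitsock/*` MIT stanza instead of BSD-3-Clause. Drop the trailing colon, e.g. `Files: connect/mitsock/a_inet.h`. The new short names `NCSA`, `BSD-3-Clause`, `Expat` and `GPL-2+` each need a stand-alone `License:` paragraph; the second hunk that adds them is cut off in this view, so confirm they are all there.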
Bug#933764: buster-pu: package e2fsprogs/1.44.5-1+deb10u1
Thanks, Adam! My apologies for screwing up the first build/upload. I've just pushed e2fsprogs/1.44.5-1+deb10u1. I've attached the debdiff below. - Ted diff -Nru e2fsprogs-1.44.5/debian/changelog e2fsprogs-1.44.5/debian/changelog --- e2fsprogs-1.44.5/debian/changelog 2018-12-15 22:46:49.0 -0500 +++ e2fsprogs-1.44.5/debian/changelog 2019-08-02 23:49:00.0 -0400 @@ -1,3 +1,9 @@ +e2fsprogs (1.44.5-1+deb10u1) buster; urgency=medium + + * Fix e4defrag crashes on 32-bit architectures (Closes: #920767) + + -- Theodore Y. Ts'o Fri, 02 Aug 2019 23:49:00 -0400 + e2fsprogs (1.44.5-1) unstable; urgency=medium * New upstream version diff -Nru e2fsprogs-1.44.5/debian/gbp.conf e2fsprogs-1.44.5/debian/gbp.conf --- e2fsprogs-1.44.5/debian/gbp.conf2018-12-15 22:46:49.0 -0500 +++ e2fsprogs-1.44.5/debian/gbp.conf2019-08-02 23:49:00.0 -0400 @@ -1,4 +1,4 @@ [DEFAULT] pristine-tar = True upstream-tag='v%(version)s' -debian-branch=debian/master +debian-branch=debian/stable diff -Nru e2fsprogs-1.44.5/debian/.gitignore e2fsprogs-1.44.5/debian/.gitignore --- e2fsprogs-1.44.5/debian/.gitignore 1969-12-31 19:00:00.0 -0500 +++ e2fsprogs-1.44.5/debian/.gitignore 2019-08-02 23:49:00.0 -0400 @@ -0,0 +1 @@ +!patches diff -Nru e2fsprogs-1.44.5/debian/patches/revert-e4defrag-use-64-bit-counters-to-t.patch e2fsprogs-1.44.5/debian/patches/revert-e4defrag-use-64-bit-counters-to-t.patch --- e2fsprogs-1.44.5/debian/patches/revert-e4defrag-use-64-bit-counters-to-t.patch 1969-12-31 19:00:00.0 -0500 +++ e2fsprogs-1.44.5/debian/patches/revert-e4defrag-use-64-bit-counters-to-t.patch 2019-08-02 23:49:00.0 -0400 
@@ -0,0 +1,66 @@ +From: Theodore Ts'o +Date: Thu, 3 Jan 2019 22:27:37 -0500 +X-Dgit-Generated: 1.44.5-1 622e62942104d357912480e49c5b5524588cf45f +Subject: Revert "e4defrag: use 64-bit counters to track # files defragged" + +This reverts commit 3293ea9ecbe1d622f9cf6c41d705d82fbae6a3e3. + +This wasn't really the right fix, since there can't be more than 2**32 +files in a file system. The real issue is when the number of files in +a directory change during the e4defrag run. + +Signed-off-by: Theodore Ts'o + +--- + +--- e2fsprogs-1.44.5.orig/misc/e4defrag.c e2fsprogs-1.44.5/misc/e4defrag.c +@@ -169,13 +169,13 @@ static int block_size; + static intextents_before_defrag; + static intextents_after_defrag; + static intmode_flag; +-static uid_t current_uid; +-static unsigned long long defraged_file_count; +-static unsigned long long frag_files_before_defrag; +-static unsigned long long frag_files_after_defrag; +-static unsigned long long regular_count; +-static unsigned long long succeed_cnt; +-static unsigned long long total_count; ++static unsigned int current_uid; ++static unsigned int defraged_file_count; ++static unsigned int frag_files_before_defrag; ++static unsigned int frag_files_after_defrag; ++static unsigned int regular_count; ++static unsigned int succeed_cnt; ++static unsigned int total_count; + static __u8 log_groups_per_flex; + static __u32 blocks_per_group; + static __u32 feature_incompat; +@@ -1912,9 +1912,9 @@ int main(int argc, char *argv[]) + } + /* File tree walk */ + nftw64(dir_name, file_defrag, FTW_OPEN_FD, flags); +- printf("\n\tSuccess:\t\t\t[ %llu/%llu ]\n", +- succeed_cnt, total_count); +- printf("\tFailure:\t\t\t[ %llu/%llu ]\n", ++ printf("\n\tSuccess:\t\t\t[ %u/%u ]\n", succeed_cnt, ++ total_count); ++ printf("\tFailure:\t\t\t[ %u/%u ]\n", + total_count - succeed_cnt, total_count); + if (mode_flag & DETAIL) { + printf("\tTotal extents:\t\t\t%4d->%d\n", +@@ -1923,10 +1923,12 @@ int main(int argc, char *argv[]) + printf("\tFragmented 
percentage:\t\t" + "%3llu%%->%llu%%\n", + !regular_count ? 0 : +- (frag_files_before_defrag * 100) / ++ ((unsigned long long) ++ frag_files_before_defrag * 100) / + regular_count, + !regular_count ? 0 : +- (frag_files_after_defrag * 100) / ++ ((unsigned long long) ++ frag_files_after_defrag * 100) / + regular_count); + } + break; diff -Nru e2fsprogs-1.44.5/debian/patches/series e2fsprogs-1.44.5/debian/patches/series ---
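Review bot: With the counters back at `unsigned int`, the `Failure` line in main() still prints `total_count - succeed_cnt`, which wraps to a value near 2**32 if succeed_cnt ever exceeds total_count. The commit message names that situation (the number of files in a directory changing during the run) as the real issue, and this revert does not address it. Guarding the subtraction would keep the summary sane, e.g. `total_count >= succeed_cnt ? total_count - succeed_cnt : 0`. The revert also turns `static uid_t current_uid;` back into `unsigned int`, which is unrelated to the file counters; keeping `uid_t` there would leave the declaration type-correct. main() starts and ends outside the hunk.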
Processed: stretch-pu: package freetype/2.6.3-3.2+deb9u1
Processing control commands: > retitle -1 stretch-pu: package freetype/2.6.3-3.2+deb9u1 Bug #933263 [release.debian.org] stretch-pu: package freetype/2.6.3-3.2+deb9u10 Changed Bug title to 'stretch-pu: package freetype/2.6.3-3.2+deb9u1' from 'stretch-pu: package freetype/2.6.3-3.2+deb9u10'. -- 933263: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933263 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#933263: stretch-pu: package freetype/2.6.3-3.2+deb9u1
Control: retitle -1 stretch-pu: package freetype/2.6.3-3.2+deb9u1 Updated debdiff, now with correct update version. freetype-2.6.3-3.2+deb9u1.debdiff Description: Binary data
NEW changes in stable-new
Processing changes file: hfst_3.15.0-1.1~deb10u1_mips64el.changes ACCEPT
NEW changes in stable-new
Processing changes file: hfst_3.15.0-1.1~deb10u1_mipsel.changes ACCEPT Processing changes file: yubikey-personalization_1.19.3-3+deb10u1_mips64el.changes ACCEPT
NEW changes in stable-new
Processing changes file: hfst_3.15.0-1.1~deb10u1_arm64.changes ACCEPT Processing changes file: hfst_3.15.0-1.1~deb10u1_armel.changes ACCEPT Processing changes file: hfst_3.15.0-1.1~deb10u1_armhf.changes ACCEPT Processing changes file: hfst_3.15.0-1.1~deb10u1_mips.changes ACCEPT
NEW changes in stable-new
Processing changes file: hfst_3.15.0-1.1~deb10u1_amd64.changes ACCEPT Processing changes file: hfst_3.15.0-1.1~deb10u1_ppc64el.changes ACCEPT Processing changes file: hfst_3.15.0-1.1~deb10u1_s390x.changes ACCEPT Processing changes file: yubikey-personalization_1.19.3-3+deb10u1_amd64.changes ACCEPT Processing changes file: yubikey-personalization_1.19.3-3+deb10u1_armel.changes ACCEPT Processing changes file: yubikey-personalization_1.19.3-3+deb10u1_armhf.changes ACCEPT Processing changes file: yubikey-personalization_1.19.3-3+deb10u1_i386.changes ACCEPT Processing changes file: yubikey-personalization_1.19.3-3+deb10u1_mips.changes ACCEPT Processing changes file: yubikey-personalization_1.19.3-3+deb10u1_mipsel.changes ACCEPT Processing changes file: yubikey-personalization_1.19.3-3+deb10u1_ppc64el.changes ACCEPT
NEW changes in oldstable-new
Processing changes file: miniupnpd_1.8.20140523-4.1+deb9u2_amd64.changes ACCEPT Processing changes file: miniupnpd_1.8.20140523-4.1+deb9u2_arm64.changes ACCEPT Processing changes file: miniupnpd_1.8.20140523-4.1+deb9u2_armel.changes ACCEPT Processing changes file: miniupnpd_1.8.20140523-4.1+deb9u2_armhf.changes ACCEPT Processing changes file: miniupnpd_1.8.20140523-4.1+deb9u2_i386.changes ACCEPT Processing changes file: miniupnpd_1.8.20140523-4.1+deb9u2_mips.changes ACCEPT Processing changes file: miniupnpd_1.8.20140523-4.1+deb9u2_mips64el.changes ACCEPT Processing changes file: miniupnpd_1.8.20140523-4.1+deb9u2_mipsel.changes ACCEPT Processing changes file: miniupnpd_1.8.20140523-4.1+deb9u2_ppc64el.changes ACCEPT Processing changes file: miniupnpd_1.8.20140523-4.1+deb9u2_s390x.changes ACCEPT
NEW changes in stable-new
Processing changes file: hfst_3.15.0-1.1~deb10u1_i386.changes ACCEPT Processing changes file: libjavascript-beautifier-perl_0.25-1+deb10u1_all.changes ACCEPT Processing changes file: usb.ids_2019.07.27-0+deb10u1_all.changes ACCEPT Processing changes file: yubikey-personalization_1.19.3-3+deb10u1_all.changes ACCEPT Processing changes file: yubikey-personalization_1.19.3-3+deb10u1_arm64.changes ACCEPT Processing changes file: yubikey-personalization_1.19.3-3+deb10u1_s390x.changes ACCEPT
Processed: retitle 933764 to buster-pu: package e2fsprogs/1.44.5-1+deb10u1, tagging 933764
Processing commands for cont...@bugs.debian.org: > retitle 933764 buster-pu: package e2fsprogs/1.44.5-1+deb10u1 Bug #933764 [release.debian.org] stretch-pu: package e2fsprogs/1.44.5-1+deb9u1 Changed Bug title to 'buster-pu: package e2fsprogs/1.44.5-1+deb10u1' from 'stretch-pu: package e2fsprogs/1.44.5-1+deb9u1'. > tags 933764 - stretch + buster Bug #933764 [release.debian.org] buster-pu: package e2fsprogs/1.44.5-1+deb10u1 Removed tag(s) stretch. Bug #933764 [release.debian.org] buster-pu: package e2fsprogs/1.44.5-1+deb10u1 Added tag(s) buster. > thanks Stopping processing here. Please contact me if you need assistance. -- 933764: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933764 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#933764: buster-pu: package e2fsprogs/1.44.5-1+deb10u1
On Sat, 2019-08-03 at 13:08 -0400, Theodore Y. Ts'o wrote: > It was supposed to be 1.44.5-1+deb10u1 targetted at buster. That's > actually what *sources* are; but the changelog and chroot it was > built against was stretch. > > *Sigh*. > > I'll go away, fix the changelog and rebuild it now. Do you prefer > whether we just close this bug as invalid, and I'll open a new one, > or should we retitle this bug and append to it? I don't have strong > preferences either way. Re-using this bug is fine; I'll get the metadata fixed up. On Sat, 2019-08-03 at 15:46 -0400, Theodore Y. Ts'o wrote: > Oh, one more question --- should I be doing a source-only, or binary > push when I push to buster-proposed-updates. Either works fine. If you go the source-only route, please make sure the .changes is _not_ named _amd64.changes or similar, as that will complicate things for the buildd upload. > I'm a bit confused about whether it will be going into the NEW queue, > and hence require a binary push, or a source-only build because > that's the new hotness and it's required for promotions to testing. While there is a holding suite in front of p-u named "stable-new", it's not NEW in the ftp-master sense, and there's generally no reason for an update to stable to hit NEW. The previous one only did because some of the binary packages you uploaded don't exist in stretch. Regards, Adam
Bug#933764: stretch-pu: package e2fsprogs/1.44.5-1+deb9u1
Oh, one more question --- should I be doing a source-only or a binary push when I push to buster-proposed-updates? I'm a bit confused about whether it will be going into the NEW queue, and hence require a binary push, or a source-only build because that's the new hotness and it's required for promotions to testing. Thanks! - Ted
NEW changes in oldstable-new
Processing changes file: miniupnpd_1.8.20140523-4.1+deb9u2_source.changes ACCEPT
NEW changes in stable-new
Processing changes file: hfst_3.15.0-1.1~deb10u1_source.changes ACCEPT Processing changes file: libjavascript-beautifier-perl_0.25-1+deb10u1_sourceonly.changes ACCEPT Processing changes file: subversion_1.10.4-1+deb10u1_source.changes ACCEPT Processing changes file: subversion_1.10.4-1+deb10u1_all.changes ACCEPT Processing changes file: subversion_1.10.4-1+deb10u1_amd64.changes ACCEPT Processing changes file: subversion_1.10.4-1+deb10u1_arm64.changes ACCEPT Processing changes file: subversion_1.10.4-1+deb10u1_armel.changes ACCEPT Processing changes file: subversion_1.10.4-1+deb10u1_armhf.changes ACCEPT Processing changes file: subversion_1.10.4-1+deb10u1_i386.changes ACCEPT Processing changes file: subversion_1.10.4-1+deb10u1_mips.changes ACCEPT Processing changes file: subversion_1.10.4-1+deb10u1_mips64el.changes ACCEPT Processing changes file: subversion_1.10.4-1+deb10u1_mipsel.changes ACCEPT Processing changes file: subversion_1.10.4-1+deb10u1_ppc64el.changes ACCEPT Processing changes file: subversion_1.10.4-1+deb10u1_s390x.changes ACCEPT Processing changes file: usb.ids_2019.07.27-0+deb10u1_source.changes ACCEPT Processing changes file: yubikey-personalization_1.19.3-3+deb10u1_source.changes ACCEPT
Re: Bits from the Release Team: ride like the wind, Bullseye!
Hi, On 8/3/19 10:12 AM, Andreas Beckmann wrote: Q: BinNMUs of packages uploaded before this new policy that have arch:all binaries can no longer migrate to testing. Is that intentional? I read this as: Q: I already did a binary upload, do I need to do a new (source-only) upload? I read this as Q: The maintainer-uploaded arch:all packages are already in testing. Will new buildd-built binNMUs migrate to testing or do I need to do a new source-only upload to "fix" the arch:all packages? This isn't really intentional. However, if you're worried about delays following uploads of new versions, keep in mind that a possible fix for this will almost certainly take more time than the delay caused by new uploads. Also, given that we eventually want to get rid of the old binaries uploaded by maintainers, a fix for this is low priority (if it happens at all). Cheers, Ivo
Processed: yubikey-personalization 1.19.3-3+deb10u1 flagged for acceptance
Processing control commands: > tags -1 + pending Bug #932518 [release.debian.org] buster-pu: package yubikey-personalization/1.19.3-3 Added tag(s) pending. -- 932518: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932518 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: hfst 3.15.0-1.1~deb10u1 flagged for acceptance
Processing control commands: > tags -1 + pending Bug #933392 [release.debian.org] buster-pu: package hfst/3.15.0-1.1~deb10u1 Ignoring request to alter tags of bug #933392 to the same tags previously set -- 933392: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933392 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: hfst 3.15.0-1.1~deb10u1 flagged for acceptance
Processing control commands: > tags -1 + pending Bug #933392 [release.debian.org] buster-pu: package hfst/3.15.0-1.1~deb10u1 Added tag(s) pending. -- 933392: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933392 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#932518: yubikey-personalization 1.19.3-3+deb10u1 flagged for acceptance
Control: tags -1 + pending Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian buster. Thanks for your contribution! Upload details == Package: yubikey-personalization Version: 1.19.3-3+deb10u1 Explanation: backport additional security precautions
Bug#933787: usb.ids 2019.07.27-0+deb10u1 flagged for acceptance
Control: tags -1 + pending Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian buster. Thanks for your contribution! Upload details == Package: usb.ids Version: 2019.07.27-0+deb10u1 Explanation: routine update of USB IDs
Processed: usb.ids 2019.07.27-0+deb10u1 flagged for acceptance
Processing control commands: > tags -1 + pending Bug #933787 [release.debian.org] buster-pu: package usb.ids/2019.07.27-0+deb10u1 Added tag(s) pending. -- 933787: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933787 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: yubikey-personalization 1.19.3-3+deb10u1 flagged for acceptance
Processing control commands: > tags -1 + pending Bug #932518 [release.debian.org] buster-pu: package yubikey-personalization/1.19.3-3 Ignoring request to alter tags of bug #932518 to the same tags previously set -- 932518: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932518 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: libjavascript-beautifier-perl 0.25-1+deb10u1 flagged for acceptance
Processing control commands: > tags -1 + pending Bug #931596 [release.debian.org] buster-pu: package libjavascript-beautifier-perl/0.25-1+deb10u1 Ignoring request to alter tags of bug #931596 to the same tags previously set -- 931596: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931596 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#931596: libjavascript-beautifier-perl 0.25-1+deb10u1 flagged for acceptance
Control: tags -1 + pending Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian buster. Thanks for your contribution! Upload details == Package: libjavascript-beautifier-perl Version: 0.25-1+deb10u1 Explanation: add missing "=>" operator
Processed: usb.ids 2019.07.27-0+deb10u1 flagged for acceptance
Processing control commands: > tags -1 + pending Bug #933787 [release.debian.org] buster-pu: package usb.ids/2019.07.27-0+deb10u1 Ignoring request to alter tags of bug #933787 to the same tags previously set -- 933787: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933787 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#933392: hfst 3.15.0-1.1~deb10u1 flagged for acceptance
Control: tags -1 + pending Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian buster. Thanks for your contribution! Upload details == Package: hfst Version: 3.15.0-1.1~deb10u1 Explanation: ensure smoother upgrades from stretch
Processed: libjavascript-beautifier-perl 0.25-1+deb10u1 flagged for acceptance
Processing control commands: > tags -1 + pending Bug #931596 [release.debian.org] buster-pu: package libjavascript-beautifier-perl/0.25-1+deb10u1 Added tag(s) pending. -- 931596: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931596 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#933764: stretch-pu: package e2fsprogs/1.44.5-1+deb9u1
On Sat, Aug 03, 2019 at 04:08:14PM +0100, Adam D. Barratt wrote: > > I assume this is simply a case of an outdated chroot pointing at > "stable" or similar. The net effect is that the upload ended up in NEW > (presumably as buster's e2fsprogs builds additional binary packages > relative to stretch). I've asked ftp-master to reject that upload. > > I'm not sure whether you were intending to fix this in stretch or > buster, but this should either be 1.43.4-2+deb9u1 for stretch, or > 1.44.5-1+deb10u1 targeted at buster. It's an outdated chroot plus me being confused. It was supposed to be 1.44.5-1+deb10u1 targeted at buster. That's actually what the *sources* are; but the changelog and the chroot it was built against were stretch. *Sigh*. I'll go away, fix the changelog and rebuild it now. Would you prefer that we just close this bug as invalid and I open a new one, or should we retitle this bug and append to it? I don't have strong preferences either way. Cheers, - Ted
Bug#933764: stretch-pu: package e2fsprogs/1.44.5-1+deb9u1
Control: tags -1 + moreinfo On Sat, 2019-08-03 at 01:10 -0400, Theodore Y. Ts'o wrote: > Package: release.debian.org > Severity: normal > Tags: stretch > User: release.debian@packages.debian.org > Usertags: pu > > This uplaod is to fix the important bug, #920767. > > The debdiff is attached below. > > > diff -Nru e2fsprogs-1.44.5/debian/changelog e2fsprogs- > 1.44.5/debian/changelog > --- e2fsprogs-1.44.5/debian/changelog 2018-12-15 > 22:46:49.0 -0500 > +++ e2fsprogs-1.44.5/debian/changelog 2019-08-02 > 23:49:00.0 -0400 > @@ -1,3 +1,9 @@ > +e2fsprogs (1.44.5-1+deb9u1) stretch; urgency=medium stretch has 1.43.4-2, not 1.44.5-1; the latter is in buster. I assume this is simply a case of an outdated chroot pointing at "stable" or similar. The net effect is that the upload ended up in NEW (presumably as buster's e2fsprogs builds additional binary packages relative to stretch). I've asked ftp-master to reject that upload. I'm not sure whether you were intending to fix this in stretch or buster, but this should either be 1.43.4-2+deb9u1 for stretch, or 1.44.5-1+deb10u1 targetted at buster. Regards, Adam
Processed: Re: Bug#933764: stretch-pu: package e2fsprogs/1.44.5-1+deb9u1
Processing control commands: > tags -1 + moreinfo Bug #933764 [release.debian.org] stretch-pu: package e2fsprogs/1.44.5-1+deb9u1 Added tag(s) moreinfo. -- 933764: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933764 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#933793: stretch-pu: package usbutils/1:007-4+deb9u1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Dear release team, I would like to update usbutils in stretch to update the usb.ids database. There is no code change; the update only adds a few hundred USB devices to the database. There are a lot of new entries as this hasn't been updated for quite some time. Those changes are already in bullseye and sid. I have already uploaded the package to stretch-pu; the full diff is attached. Thanks for considering. Regards, Aurelien usbutils_007-4_007-4+deb9u1.debdiff.gz Description: application/gzip
Bug#933787: buster-pu: package usb.ids/2019.07.27-0+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Dear release team, I have just uploaded a new upstream version of usb.ids to buster-pu. It only adds a few dozen of USB devices to the usb.ids database. Those changes are already in bullseye and sid. The full diff is attached. Thanks for considering. Regards, Aurelien diff -Nru usb.ids-2019.04.23/debian/changelog usb.ids-2019.07.27/debian/changelog --- usb.ids-2019.04.23/debian/changelog 2019-04-28 21:16:01.0 +0200 +++ usb.ids-2019.07.27/debian/changelog 2019-08-03 14:54:50.0 +0200 @@ -1,3 +1,9 @@ +usb.ids (2019.07.27-0+deb10u1) buster; urgency=medium + + * New upstream version. + + -- Aurelien Jarno Sat, 03 Aug 2019 14:54:50 +0200 + usb.ids (2019.04.23-1) unstable; urgency=medium * New upstream version. diff -Nru usb.ids-2019.04.23/usb.ids usb.ids-2019.07.27/usb.ids --- usb.ids-2019.04.23/usb.ids 2019-04-23 21:34:05.0 +0200 +++ usb.ids-2019.07.27/usb.ids 2019-07-27 21:34:05.0 +0200 @@ -9,8 +9,8 @@ # The latest version can be obtained from # http://www.linux-usb.org/usb.ids # -# Version: 2019.04.23 -# Date:2019-04-23 20:34:05 +# Version: 2019.07.27 +# Date:2019-07-27 20:34:05 # # Vendors, devices and interfaces. Please keep sorted. @@ -38,6 +38,8 @@ 181b Venom Arcade Joystick 1843 Mayflash GameCube Controller Adapter 1844 Mayflash GameCube Controller +0080 Assmann Electronic GmbH + a001 Digitus DA-71114 SATA 0085 Boeye Technology Co., Ltd. 0600 eBook Reader 0105 Trust International B.V. @@ -478,6 +480,7 @@ 3517 LaserJet 3390 3602 PhotoSmart 1315 3611 PSC 2410 PhotoSmart + 3612 Officejet Pro 8000 A809 3617 Color LaserJet 2605 3711 PSC 2500 3717 EWS UPD @@ -661,7 +664,9 @@ 9207 HD-4110 Webcam 9302 PhotoSmart R930 series 9402 PhotoSmart R837 + 942a LaserJet Pro M12a 9502 PhotoSmart R840 series + 952a LaserJet Pro M12w 9602 PhotoSmart M730 series 9702 PhotoSmart R740 series 9802 PhotoSmart Mz60 series 
@@ -786,6 +791,7 @@ 8070 7 Port Hub 8140 Vehicle Explorer Interface 8210 MGTimer - MGCC (Vic) Timing System + 8348 FT232BM [SIENNA Serial Interface] 8370 7 Port Hub 8371 PS/2 Keyboard And Mouse 8372 FT8U100AX Serial Port @@ -1159,6 +1165,7 @@ 040c VTech Computers, Ltd 040d VIA Technologies, Inc. 3184 VNT VT6656 USB-802.11 Wireless LAN Adapter + 340f Audinst HUD-mx2 6205 USB 2.0 Card Reader 040e MCCI 040f Echo Speech Corp. @@ -1509,6 +1516,7 @@ 03a4 C5 (Storage mode) 03c0 C7-00 (Mass storage mode) 03c1 C7-00 (Media transfer mode) + 03c2 Sim 03cd C7-00 (Nokia Suite mode) 03d1 N950 0400 7600 Phone Parent @@ -1925,6 +1933,7 @@ b326 Gamepad GP XID b351 F16 MFD 1 b352 F16 MFD 2 + b365 UbiSoft UbiConnect b603 force feedback Wheel b605 force feedback Racing Wheel b651 Ferrari GT Rumble Force Wheel @@ -4374,6 +4383,8 @@ 6506 CY4603 650a CY4613 6560 CY7C65640 USB-2.0 "TetraHub" + 6570 Unprogrammed CY7C65632/34 hub HX2VL + 6572 Unprogrammed CY7C65642 hub 6830 CY7C68300A EZ-USB AT2 USB 2.0 to ATA/ATAPI 6831 Storage Adapter ISD-300LP (CY) 7417 Wireless PC Lock/Ultra Mouse @@ -5459,6 +5470,7 @@ b5ce Integrated Camera b5cf Integrated IR Camera b5db HP Webcam + b604 Integrated Camera (1280x720@30) 04f3 Elan Microelectronics Corp. 000a Touchscreen 0103 ActiveJet K-2024 Multimedia Keyboard @@ -6363,6 +6375,7 @@ dccf Sound Vision Stream Driver 0547 Anchor Chips, Inc. 0001 ICSI Bluetooth Device + 0080 I3SYSTEM HYUNY 1002 Python2 WDM Encoder 1006 Hantek DSO-2100 UF 2131 AN2131 EZUSB Microcontroller 
@@ -6963,9 +6976,27 @@ 0079 Laser mouse M-D21DL 007b Laser mouse M-D20DR 007c Laser Bluetooth mouse M-BT5BL + 007e Option mouse M-M8UR + 007f Option mouse M-M9UR + 0081 Option mouse M-DY6DR + 0082 Laser mouse M-D22DR + 0088 Micro Grast2 Bit M-BG3DL + 0089 Micro Grast2 Pop M-PG3DL + 008c M-NE3DL Mouse + 008d ORIME M-NE4DR + 008f M-BT8BL Bluetooth Mouse + 0092 Wireless BlueLED Mouse (M-BL2DB) + 009c IR Mouse M-IR02DR + 009d IR Mouse M-IR03DR + 009f BlueLED Mouse M-HS1DB + 00a1 IR Mouse M-IR05DR + 00a4 Blue LED Mouse M-BL06DB + 00a5 M-NV1BR Bluetooth Mouse + 00a7 Blue LED Mouse M-BL08DB 2003 JC-U3613M 2004 JC-U3613M 200c LD-USB/TX + 2012 JC-U4013S Gamepad 4002 Laneed 100Mbps Ethernet LD-USB/TX
Bug#930420: stretch-pu: package grub2/2.02~beta3-5+deb9u2
On Sat, Jul 27, 2019 at 12:39:40PM +0200, Cyril Brulebois wrote: > Adam D. Barratt (2019-07-26): > > Sorry for the delay in getting back to you regarding this. > > > > While it doesn't sound like the changes should affect d-i, I would > > still appreciate an ack on that side, so tagging and CCing > > appropriately. > > No objections, thanks. Uploaded, thanks. -- Colin Watson [cjwat...@debian.org]
Re: Bits from the Release Team: ride like the wind, Bullseye!
>> Q: BinNMUs of packages uploaded before this new policy that have >>arch:all binaries can no longer migrate to testing. Is that >>intentional? > > I read this as: > Q: I already did a binary upload, do I need to do a new (source-only) > upload? I read this as Q: The maintainer-uploaded arch:all packages are already in testing. Will new buildd-built binNMUs migrate to testing or do I need to do a new source-only upload to "fix" the arch:all packages? Andreas
Bug#932318: buster-pu: package unzip/6.0-23+deb10u1
On Sat, Jul 27, 2019 at 01:38:46PM -0300, Adam D. Barratt wrote: > On 2019-07-27 13:18, Santiago Vila wrote: > > tags 932318 - moreinfo > > thanks > > > > Hello. > > > > The problem with Firefox should now be fixed, and it was unzip's fault. > > > > If possible, I'd like this upload I did 6.0-23+deb10u1 to be rejected so > > that > > I can reuse the +deb10u1 version with all the fixes included. > > Done, pending dak actually processing the request. Fine. I reuploaded unzip, this is the new debdiff, and this time I believe it should be suitable for stable. Thanks. diff -Nru unzip-6.0/debian/changelog unzip-6.0/debian/changelog --- unzip-6.0/debian/changelog 2019-05-29 00:24:08.0 +0200 +++ unzip-6.0/debian/changelog 2019-07-30 22:26:10.0 +0200 @@ -1,3 +1,14 @@ +unzip (6.0-23+deb10u1) buster; urgency=medium + + * Apply three patches by Mark Adler to fix CVE-2019-13232. + - Fix bug in undefer_input() that misplaced the input state. + - Detect and reject a zip bomb using overlapped entries. +Bug discovered by David Fifield. Closes: #931433. + - Do not raise a zip bomb alert for a misplaced central directory. +Reported by Peter Green. Closes: #932404. + + -- Santiago Vila Tue, 30 Jul 2019 22:26:10 +0200 + unzip (6.0-23) unstable; urgency=medium * Fix lame code in fileio.c which parsed 64-bit values incorrectly. diff -Nru unzip-6.0/debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch unzip-6.0/debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch --- unzip-6.0/debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch 1970-01-01 01:00:00.0 +0100 +++ unzip-6.0/debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch 2019-07-30 21:22:00.0 +0200 
@@ -0,0 +1,22 @@ +From: Mark Adler +Subject: Fix bug in undefer_input() that misplaced the input state. +Origin: https://github.com/madler/unzip/commit/41beb477c5744bc396fa1162ee0c14218ec12213 +Bug-Debian: https://bugs.debian.org/931433 +X-Debian-version: 6.0-24 + +Fix bug in undefer_input() that misplaced the input state. + +--- a/fileio.c b/fileio.c +@@ -532,8 +532,10 @@ + * This condition was checked when G.incnt_leftover was set > 0 in + * defer_leftover_input(), and it is NOT allowed to touch G.csize + * before calling undefer_input() when (G.incnt_leftover > 0) +- * (single exception: see read_byte()'s "G.csize <= 0" handling) !! ++ * (single exception: see readbyte()'s "G.csize <= 0" handling) !! + */ ++if (G.csize < 0L) ++G.csize = 0L; + G.incnt = G.incnt_leftover + (int)G.csize; + G.inptr = G.inptr_leftover - (int)G.csize; + G.incnt_leftover = 0; diff -Nru unzip-6.0/debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch unzip-6.0/debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch --- unzip-6.0/debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch 1970-01-01 01:00:00.0 +0100 +++ unzip-6.0/debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch 2019-07-30 21:23:00.0 +0200 
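Review bot: The added clamp `if (G.csize < 0L) G.csize = 0L;` in the fileio.c hunk has no comment saying why G.csize can be negative at this point or what breaks when it is. From the two lines that follow, a negative value would make G.incnt smaller than G.incnt_leftover and move G.inptr forward past G.inptr_leftover, which is presumably the "misplaced input state" in the subject line. The comment above the clamp points at readbyte()'s "G.csize <= 0" handling as the likely source. I would put a short comment directly above the clamp, for example `/* readbyte() can leave G.csize below zero at end of entry; clamp so incnt/inptr are restored exactly to the deferred leftover state */`. The `(int)G.csize` cast relies on the upper bound the existing comment says was checked in defer_leftover_input(); that check and the start of undefer_input() are outside this hunk, so confirm it still holds for every caller.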
@@ -0,0 +1,335 @@ +From: Mark Adler +Subject: Detect and reject a zip bomb using overlapped entries. +Origin: https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c +Bug-Debian: https://bugs.debian.org/931433 +X-Debian-version: 6.0-24 + +Detect and reject a zip bomb using overlapped entries. + +This detects an invalid zip file that has at least one entry that +overlaps with another entry or with the central directory to the +end of the file. A Fifield zip bomb uses overlapped local entries +to vastly increase the potential inflation ratio. Such an invalid +zip file is rejected. + +See https://www.bamsoftware.com/hacks/zipbomb/ for David Fifield's +analysis, construction, and examples of such zip bombs. + +The detection maintains a list of covered spans of the zip files +so far, where the central directory to the end of the file and any +bytes preceding the first entry at zip file offset zero are +considered covered initially. Then as each entry is decompressed +or tested, it is considered covered. When a new entry is about to +be processed, its initial offset is checked to see if it is +contained by a covered span. If so, the zip file is rejected as +invalid. + +This commit depends on a preceding commit: "Fix bug in +undefer_input() that misplaced the input state." + +--- a/extract.c b/extract.c +@@ -321,6 +321,125 @@ + "\nerror: unsupported extra-field compression type (%u)--skipping\n"; + static ZCONST char Far BadExtraFieldCRC[] = + "error [%s]: bad extra-field CRC %08lx (should be %08lx)\n"; ++static ZCONST char Far NotEnoughMemCover[] = ++ "error: not enough memory for bomb detection\n"; ++static ZCONST char Far OverlappedComponents[] = ++ "error: invalid zip file
Re: Bits from the Release Team: ride like the wind, Bullseye!
Hi Stéphane, On 02-08-2019 05:38, Stéphane Glondu wrote: > Le 07/07/2019 à 03:47, Jonathan Wiltshire a écrit : >> No binary maintainer uploads for bullseye >> = >> >> The release of buster also means the bullseye release cycle is about to >> begin. >> From now on, we will no longer allow binaries uploaded by maintainers to >> migrate to testing. This means that you will need to do source-only uploads >> if >> you want them to reach bullseye. >> >> >> Q: I already did a binary upload, do I need to do a new (source-only) >> upload? >> A: Yes (preferably with other changes, not just a version bump). >> >> Q: I needed to do a binary upload because my upload went to the NEW queue, >> do I need to do a new (source-only) upload for it to reach bullseye? >> A: Yes. We also suggest going through NEW in experimental instead of >> unstable >> where possible, to avoid disruption in unstable. >> >> Q: Does this also apply to contrib and non-free? >> A: No. Not all packages in contrib and non-free can be built on the >> buildds, >> so maintainer uploads will still be allowed to migrate for packages >> outside main. > > Q: BinNMUs of packages uploaded before this new policy that have >arch:all binaries can no longer migrate to testing. Is that >intentional? I read this as: Q: I already did a binary upload, do I need to do a new (source-only) upload? So the answer is: A: Yes (preferably with other changes, not just a version bump). > This will make transitions that involve lots of binNMUs (such as > OCaml-related ones) much harder. For example, there is one such ongoing > (mini-)transition involving ocaml-migrate-parsetree, 26 other binNMUed > packages, and 7 updated packages. It will be delayed by the time to > upload all these binNMUed package and their aging. Meanwhile, this > transition may become bigger and longer as people unaware of this update > their OCaml-related packages. > > Is there a public API to query the built-on-buildd flag for a given > binary package? 
No API, but you could use the yaml that britney uses (updated every hour): https://release.debian.org/britney/state/signers.json Paul signature.asc Description: OpenPGP digital signature
Bug#933769: buster-pu: package erlang-p1-pkix/1.0.0-3+deb10u1
The corresponding bug report is #933040. Best wishes -- .''`. Philipp Huebner : :' : pgp fp: 6719 25C5 B8CD E74A 5225 3DF9 E5CA 8C49 25E4 205F `. `'` `- signature.asc Description: OpenPGP digital signature
Bug#933769: buster-pu: package erlang-p1-pkix/1.0.0-3+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi, I would like to update erlang-p1-pkix in Buster to fix a regression in ejabberd, prohibiting the use of GnuTLS certificates. The patch is directly from upstream [1] and will also be part of the next upload to unstable. To keep changes minimal I stripped the tests and example certificates added with that commit. The resulting package has been successfully tested in real life. The full diff is attached. [1] https://github.com/processone/pkix/commit/2d7a3b80bf6fc0794720aca852e487a5064d8b86 diff --git a/debian/changelog b/debian/changelog index 772931a..f7f2286 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +erlang-p1-pkix (1.0.0-3+deb10u1) buster; urgency=medium + + * Added upstream patch to fix handling of GnuTLS certificates + + -- Philipp Huebner Thu, 01 Aug 2019 11:34:25 +0200 + erlang-p1-pkix (1.0.0-3) unstable; urgency=medium * Updated debian/copyright diff --git a/debian/patches/2d7a3b80bf6fc0794720aca852e487a5064d8b86.patch b/debian/patches/2d7a3b80bf6fc0794720aca852e487a5064d8b86.patch new file mode 100644 index 000..fe1ef43 --- /dev/null +++ b/debian/patches/2d7a3b80bf6fc0794720aca852e487a5064d8b86.patch 
@@ -0,0 +1,109 @@ +From 2d7a3b80bf6fc0794720aca852e487a5064d8b86 Mon Sep 17 00:00:00 2001 +From: Evgeny Khramtsov +Date: Thu, 1 Aug 2019 12:23:48 +0300 +Subject: [PATCH] Use original DER during certification path validation + +Index: erlang-p1-pkix/src/pkix.erl +=== +--- erlang-p1-pkix.orig/src/pkix.erl erlang-p1-pkix/src/pkix.erl +@@ -35,7 +35,8 @@ + -define(CERTFILE_TAB, pkix_certfiles). + + -record(pem, {file :: filename(), +-line :: pos_integer()}). ++line :: pos_integer(), ++der :: binary()}). + + -record(state, {files = #{} :: map(), + certs = #{} :: map(), +@@ -437,9 +438,9 @@ pem_decode(Fd, Line, Begin, Buf) -> + -spec pem_decode_entries([{pos_integer(), binary()}], filename(), +map(), map()) -> {ok, map(), map()} | {error, bad_cert_error()}. + pem_decode_entries([{Begin, Data}|PEMs], File, Certs, PrivKeys) -> +-P = #pem{file = File, line = Begin}, + try public_key:pem_decode(Data) of +- [PemEntry] -> ++ [{_, DER, _} = PemEntry] -> ++ P = #pem{file = File, der = DER, line = Begin}, + try der_decode(PemEntry) of + undefined -> + pem_decode_entries(PEMs, File, Certs, PrivKeys); +@@ -510,7 +511,7 @@ der_decode({_, _, _}) -> +{error, filename() | dirname(), io_error()}. 
+ commit(State, Dir, CAFile, ValidateHow) -> + {Chains, BadCertsWithReason, UnusedKeysWithReason} = build_chains(State), +-{CAError, InvalidCertsWithReason} = validate(Chains, CAFile, ValidateHow), ++{CAError, InvalidCertsWithReason} = validate(State, Chains, CAFile, ValidateHow), + InvalidCerts = [C || {C, _} <- InvalidCertsWithReason], + SortedChains = case ValidateHow of + hard when CAError == undefined -> +@@ -730,8 +731,7 @@ store_chain(Chain, Dir, State) -> + pem_encode({Certs, Key}, State) -> + PEM1 = lists:map( +fun(Cert) -> +- Type = element(1, Cert), +- DER = public_key:pkix_encode(Type, Cert, otp), ++ DER = get_der(Cert, State#state.certs), +PemEntry = {'Certificate', DER, not_encrypted}, +Source = lists:map( + fun(#pem{file = File, line = Line}) -> +@@ -742,11 +742,14 @@ pem_encode({Certs, Key}, State) -> + PEM2 = [[io_lib:format("From ~s:~B~n", [File, Line]) +|| #pem{file = File, line = Line} <- maps:get(Key, State#state.keys)], + public_key:pem_encode( +-[{element(1, Key), +- public_key:der_encode(element(1, Key), Key), +- not_encrypted}])], ++[{element(1, Key), get_der(Key, State#state.keys), not_encrypted}])], + iolist_to_binary([PEM1, PEM2]). + ++-spec get_der(cert() | priv_key(), map()) -> binary(). ++get_der(Key, Map) -> ++[#pem{der = DER}|_] = maps:get(Key, Map), ++DER. ++ + %%%=== + %%% Domains extraction + %%%=== +@@ -850,12 +853,12 @@ get_cert_path(G, [Root|_] = Acc) -> + %%%=== + %%% Certificates chain validation + %%%=== +--spec validate([cert_chain()], filename(), false | soft | hard) -> ++-spec validate(state(), [cert_chain()], filename(), false | soft | hard) -> + {undefined | {filename(), bad_cert_error() | io_error()}, + [{cert(), invalid_cert_reason()}]}.