Bug#948786: buster-pu: package apt-cacher-ng/3.2.1-1 pre-approval

2020-02-03 Thread Eduard Bloch
Hello,
* Adam D. Barratt [Tue, Jan 28 2020, 10:28:08PM]:

> > I can, of course, convert all that into debian/patches/XXX but
> > honestly, that would really feel like greenwashing.
> >
> > The changes reported here can be reviewed at
> > https://salsa.debian.org/blade/apt-cacher-ng/commits/temp/debian-merge ,
> > starting with the commit from 2019-12-20.
>
> Those look OK as individual commits, thanks. For completeness, could we
> please have a finalised source debdiff of the built source package,
> compared to current stable?

Of course, attached.

However, there are a couple of changes which I added on top:
a) removing -Wl,threads from the considered linker options. That's a non-functional 
change, supposed to counteract the FTBFS on mipsel/mips64el which I had experienced 
recently (there is a similar workaround in Testing, which detects mipsel 
explicitly, but this change simply removes -Wl,threads completely for all 
architectures, which is the safer option, IMHO)
b) upstreaming the fix of #928957 (this was approved last year for Stable 
already, the code just wanders from a debian-patch into an upstream change)

BTW, there is one remaining change in the Debian diff on the systemd file which 
I will keep as is. It existed already in Stable. Not critical and not that 
important, and might be upstreamed in Sid, sooner or later.

Best regards,
Eduard.
diff -Nru apt-cacher-ng-3.2/CMakeLists.txt apt-cacher-ng-3.2.1/CMakeLists.txt
--- apt-cacher-ng-3.2/CMakeLists.txt	2018-09-07 15:02:18.0 +0200
+++ apt-cacher-ng-3.2.1/CMakeLists.txt	2020-02-03 19:54:57.0 +0100
@@ -58,6 +58,8 @@
 if(NOT DEFINED(RUNDIR))
 	set(RUNDIR "/run")
 endif()
+set(SOCKET_PATH "${RUNDIR}/${PACKAGE}/socket")
+

 # carefully splicing of command line arguments, even from lists
 macro(_append varname)
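Review bot: the new `set(SOCKET_PATH "${RUNDIR}/${PACKAGE}/socket")` is derived from RUNDIR, so an overridden RUNDIR keeps the socket under the same prefix, which is good; please confirm that `${PACKAGE}` is already defined at this point of CMakeLists.txt, since an empty expansion would silently yield `/run//socket`. Because acngtool now relies on this path for the admin maintenance job (see the ChangeLog entry in this same debdiff), a one-line comment next to the `set()` naming that dependency would help whoever touches RUNDIR next.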
@@ -106,7 +108,7 @@
 _append(ACNG_CXXFLAGS -fvisibility-inlines-hidden)
 endif()

-foreach(linkarg -Wl,--as-needed -Wl,-O1 -Wl,--discard-all -Wl,--no-undefined -Wl,--build-id=sha1 -Wl,-fuse-ld=gold -Wl,--threads)
+foreach(linkarg -Wl,--as-needed -Wl,-O1 -Wl,--discard-all -Wl,--no-undefined -Wl,--build-id=sha1 -Wl,-fuse-ld=gold)
 	STRING(REGEX REPLACE "=|-|," "" optname "${linkarg}")
 	set(CMAKE_REQUIRED_FLAGS "${linkarg}")
 	CHECK_CXX_COMPILER_FLAG("" "LD_${optname}")
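Review bot: nothing in the hunk records why `-Wl,--threads` was dropped from the probed linker options; a short comment above the `foreach(linkarg ...)` line noting the mipsel/mips64el FTBFS mentioned in the cover mail would keep it from being re-added with the next gold flag sweep. Since `CHECK_CXX_COMPILER_FLAG` already discards flags the toolchain rejects, removing it here only changes builds where it previously succeeded, i.e. it is a pure build-time (link parallelism) change with no runtime effect.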
diff -Nru apt-cacher-ng-3.2/ChangeLog apt-cacher-ng-3.2.1/ChangeLog
--- apt-cacher-ng-3.2/ChangeLog	2018-09-07 15:02:18.0 +0200
+++ apt-cacher-ng-3.2.1/ChangeLog	2020-02-03 19:54:57.0 +0100
@@ -1,3 +1,38 @@
+apt-cacher-ng (3.2.1) SHAUN-OF-THE-LIVING; urgency=medium
+
+  * POTENTIAL SECURITY ISSUE (CVE-2020-5202):
+- in certain situations, the maint job run by acngtool could leak the
+  administrator credentials from apt-cacher-ng configuration. This is only
+  likely if the attacker is able to impersonate the daemon with an own
+  server listening on the same port.
+- The mitigation path for this is:
+  - SocketPath option is configured by default
+  - By default, acngtool only attempts to run the maint job through the
+Unix Domain Socket. If SocketPath is not set but admin credentials are
+configured, the operation is denied.
+  - For non-standard cases where acngtool is used to run special arbitrary
+commands (ACNG_REQ variable) and the operation through SocketPath is not
+possible (i.e. missing permissions or the tool is run on a different
+host), the operation through TCP can be enforced with ACNG_INSECURE
+environment variable
+
+  [ REALITY SYNC ]
+  * increased size of the decompression line buffer for config file reading
+(Debian bug #942634)
+  * Support .zst compressed packages (reference:
+https://www.archlinux.org/news/now-using-zstandard-instead-of-xz-for-package-compression/ )
+
+  [ Debian Stable Bugfix ]
+  * Fix of Debian bug #928957: overoptimistic guessing of the SHA256SUMS file location
+Incorrect assumption of an existing SHA256SUMS file for Debian
+repositories makes the expiration task fail without a proper way for the
+end user to recover from it. Now ignore a download error in this case
+(similar handling as for other guesses), assuming that permanent 404ing
+for other reasons than removal of remote content can be considered
+unlikely.
+
+ -- Eduard Bloch   Wed, 22 Jan 2020 20:53:50 +0100
+
 apt-cacher-ng (3.2) MY-NAME-IS-ANYBODY; urgency=medium

   * Maintenance release
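Review bot: the CVE-2020-5202 entry describes the mitigation but not what an administrator will observe after upgrading: an installation that has admin credentials configured and no SocketPath set now has its maintenance job denied, and the entry does not say which error acngtool reports or that setting SocketPath (now configured by default) is the remedy. It would also help to state explicitly that ACNG_INSECURE is an environment variable which re-enables the behaviour the CVE is about, so it belongs only in the non-standard ACNG_REQ cases listed there and never in the default cron job.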
diff -Nru apt-cacher-ng-3.2/VERSION apt-cacher-ng-3.2.1/VERSION
--- apt-cacher-ng-3.2/VERSION	2018-09-07 15:02:18.0 +0200
+++ apt-cacher-ng-3.2.1/VERSION	2020-02-03 19:54:57.0 +0100
@@ -1 +1 @@
-3.2
+3.2.1
diff -Nru apt-cacher-ng-3.2/conf/acng.conf.in apt-cacher-ng-3.2.1/conf/acng.conf.in
--- apt-cacher-ng-3.2/conf/acng.conf.in	2018-09-07 15:02:18.0 +0200
+++ apt-cacher-ng-3.2.1/conf/acng.conf.in	2

Bug#948786: buster-pu: package apt-cacher-ng/3.2.1-1 pre-approval

2020-01-22 Thread Eduard Bloch
Control: tag -1 -moreinfo

Hello everyone,

so here comes the additional info:

the CVE-2020-5202 fix was applied to Sid/Bullseye and reached Testing
without any bug reports. I had to re-upload once in the meantime due to a
glitch in the Debian package (yes, I f*ed it up, right in the great
git-based process, and I am sorry, but it should all be fine now).

Now I am planning to make an upstream release, which consolidates:

- backport of the CVE-2020-5202 fix from Bullseye (mostly identical, adapted
  for different function signatures, omits refactoring which comes in handy
  here, but hey, let's change as little as possible for Stable)
- minor extension (.zst as an additional compression format alongside
  .gz, .bz2, .lzma, .xz). NO extra processing code, just passing through
  that data instead of rejecting it.
- the fix of #942634, which affects the operation with current mirrors
  and which was the original motivation for this ticket

I would like to have some kind of confirmation from the release team
that this mail does not go straight to /dev/null and that a new upstream
(minor) version is an acceptable candidate for a Stable update. I can,
of course, convert all that into debian/patches/XXX but honestly, that
would really feel like greenwashing.

The changes reported here can be reviewed at
https://salsa.debian.org/blade/apt-cacher-ng/commits/temp/debian-merge ,
starting with the commit from 2019-12-20. I am testing this version in
my daily operations now. That test base is small, of course; if anyone
has a better idea, please let me know.

In case you encounter something not understandable in those changes,
feel free to ping me via comments in Salsa git review, and I will
explain what this is about.

Best regards,
Eduard.




Bug#948786: buster-pu: package apt-cacher-ng/3.2-3~deb10u1

2020-01-13 Thread Eduard Bloch
Hello,
* Andreas Beckmann [Mon, Jan 13 2020, 11:20:25AM]:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian@packages.debian.org
> Usertags: pu
>
> Hi,
>
> let's make apt-cacher-ng in stable usable for sid and bullseye, again,
> by increasing some decompression buffers. #942634
>
> This is a rebuild of the package in testing and already uploaded.

"already uploaded" is like "shoot first, ask questions later", so I am
not amused.

I was going to request a stable update anyway in about two days from
now; the plan was to create a buster-pu ticket for a backport of the
CVE-2020-5202 fix AND also include a backport of the length fix, which
is what you have now created anyway. Well then, I suggest waiting another
day or two and just reusing your ticket.

CVE details:
https://salsa.debian.org/blade/apt-cacher-ng/commit/3b91874b0c099b0ded1a94f1784fe1265082efbc
https://metadata.ftp-master.debian.org/changelogs//main/a/apt-cacher-ng/apt-cacher-ng_3.3.1-1_changelog

At release team, please advise: could I also introduce the little fix of
#948259? It's really peanuts but would make ArchLinux people happy. See
https://salsa.debian.org/blade/apt-cacher-ng/commit/a685db7aee472dd2c85f430aa345b28e22a60d9e
for details.

Also, since I am the upstream author:
shall I make a real upstream release for that?

(you can say no because of any process requirements the release team has
in mind, but that would not make much sense, since I will create that
upstream release version anyway, ending up in an official 3.2.1 version
and a Debian-specific 3.2-3 revision with effectively the same code)

Best regards,
Eduard.



Bug#929029: unblock: apt-cacher-ng/3.2.1-1

2019-05-17 Thread Eduard Bloch
Control: retitle -1 [pre-approval] unblock: apt-cacher-ng/3.2.1-1

Hello,
* Niels Thykier [Wed, May 15 2019, 07:53:00PM]:
> Control: tags -1 moreinfo

Sure, see attachments. As explained before, it is just a one-liner which uses
existing functionality (same content as before, now from a real package
build and a git compare between tag/branch). If the meaning of the change
is not understandable, please check the effect of the forgiveDlErrors member
in
https://salsa.debian.org/blade/apt-cacher-ng/blob/upstream/sid/source/cacheman.cc
and maybe related uses in
https://salsa.debian.org/blade/apt-cacher-ng/blob/upstream/sid/source/expiration.cc .

BTW, maybe I was not precise enough before: this is a request for
pre-approval, the package is not uploaded yet.

Best Regards,
Eduard.
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Depends: libbz2-1.0, libc6 (>= [-2.22),-] {+2.28),+} libgcc1 (>= 1:3.3.1), 
liblzma5 (>= 5.1.1alpha+20120614), libssl1.1 (>= 1.1.0), libstdc++6 (>= 5.2), 
libsystemd0 (>= 210), libwrap0 (>= 7.6-4~), zlib1g (>= 1:1.2.0), debconf (>= 
0.5) | debconf-2.0, adduser, lsb-base (>= 3.0-6)
Installed-Size: [-1421-] {+1425+}
Version: [-3.2-1-] {+3.2-2+}
diff --git a/debian/changelog b/debian/changelog
index f33e8f1..b2d9d94 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+apt-cacher-ng (3.2-2) unstable; urgency=medium
+
+  *  For incorrect assumption of some existing SHA256SUMS files in Debian
+ repositories which makes the expiration task fail without a proper way
+ for the end user to recover from it. Now ignore a download error in this
+ case (similar handling as for other guesses), assuming that permanent
+ 404ing for other reasons than removal of remote content can be considered
+ unlikely (closes: #928957)
+
+ -- Eduard Bloch   Fri, 17 May 2019 22:59:21 +0200
+
 apt-cacher-ng (3.2-1) unstable; urgency=low

   * New upstream version
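Review bot: the 3.2-2 changelog bullet is a sentence fragment (`For incorrect assumption of some existing SHA256SUMS files in Debian repositories which makes the expiration task fail ...` has no main verb) and carries a double space after the asterisk; suggest opening it with `Fix incorrect assumption of ...` so the entry says what was done, not only what was wrong.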
diff --git a/source/expiration.cc b/source/expiration.cc
index 2125521..625a7be 100644
--- a/source/expiration.cc
+++ b/source/expiration.cc
@@ -806,6 +806,13 @@ bool expiration::ProcessRegular(const string & sPathAbs, const struct stat 
 			flags.eIdxType = EIDX_SHA256DILIST;
 			flags.vfile_ondisk = true;
 			flags.uptodate = false;
+
+			// the original source context will probably provide a viable source for
+			// this URL - it might go 404 if the whole folder is missing but then the
+			// referenced content would also be outdated/gone and not worth keeping
+			// in the cache anyway
+
+			flags.forgiveDlErrors = true;
 		}
 		// and last but not least - care only about the modern version of that index
 		m_metaFilesRel.erase(idir + "MD5SUMS");
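Review bot: `flags.forgiveDlErrors = true` makes a failed fetch of the guessed SHA256SUMS non-fatal, which is the intent, but the justification in the comment ("then the referenced content would also be outdated/gone") assumes the 404 is permanent; a mirror in the middle of a sync can 404 transiently, and the expiration run would then see that directory's index as absent. Worth confirming in the same comment that a forgiven error only abandons the guess and does not make the files referenced by that index candidates for removal in the same run.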


Bug#929029: unblock: apt-cacher-ng/3.2.1-1

2019-05-15 Thread Eduard Bloch
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please advise how to proceed with a required fix for the package apt-cacher-ng.

The change is a one-liner and solves the bug #928957. Without it, the
cache cleanup will fail for a lot of people in the next couple of years.
But it touches the upstream source, that's why I would like to release
it as a minor upstream version (3.2.1, currently 3.2, and I am the
upstream).

I remember how you handled a similar request of mine a couple of years
ago, and this time I DEMAND a proper response here before I upload
anything. Please don't ignore it again for weeks and don't tell me that
this change is impossible to understand or to estimate WRT consequences;
it is using an already existing interface in the exact use case it was
designed for (see below).

Best regards,
Eduard.

diff --git a/ChangeLog b/ChangeLog
index c064c44..67e440a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,10 +1,20 @@
+apt-cacher-ng (3.2.1) MY-NAME-IS-ANYBODY-3D; urgency=low
+
+  * Fix overoptimistic guess of the SHA256SUMS file location of Debian
+repositories, which made the expiration task fail without any way to
+recover from it. Now ignoring a download error in this case since
+permanent 404ing for other reasons than loss of remote content (on any
+mirror) can be considered unlikely.
+
+ -- Eduard Bloch   Wed, 15 May 2019 20:32:44 +0200
+
 apt-cacher-ng (3.2) MY-NAME-IS-ANYBODY; urgency=medium

   * Maintenance release
   * Basic support for FlatPak repositories
   * Added flat by-hash structure to file patterns
   * Allowing some Debian and Ubuntu services in default PassThroughPattern
   * Various fixes in manpage and configuration examples
   * Mirror database update

  -- Eduard Bloch   Fri, 07 Sep 2018 12:55:46 +0200
diff --git a/source/expiration.cc b/source/expiration.cc
index 2125521..625a7be 100644
--- a/source/expiration.cc
+++ b/source/expiration.cc
@@ -799,20 +799,27 @@ bool expiration::ProcessRegular(const string & sPathAbs, 
const struct stat 
auto& flags = m_metaFilesRel[idir +"SHA256SUMS"];

/* pretend that it's there but not usable so the refreshing 
code will try to get at
 * least one copy for that location if it's needed there
 */
if(!flags.vfile_ondisk)
{
flags.eIdxType = EIDX_SHA256DILIST;
flags.vfile_ondisk = true;
flags.uptodate = false;
+
+   // the original source context will probably provide a 
viable source for
+   // this URL - it might go 404 if the whole folder is 
missing but then the
+   // referenced content would also be outdated/gone and 
not worth keeping
+   // in the cache anyway
+
+   flags.forgiveDlErrors = true;
}
// and last but not least - care only about the modern version 
of that index
m_metaFilesRel.erase(idir + "MD5SUMS");
}
unsigned stripLen=0;
 if (endsWithSzAr(sPathRel, ".head"))
stripLen=5;
else if (AddIFileCandidate(sPathRel))
{
auto  = SetFlags(sPathRel);
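Review bot: this copy of the expiration.cc hunk has been line-wrapped in transit (the `@@ -799,20 +799,27 @@` header itself is split over two lines and several of the added comment lines break mid-sentence), so it will not apply with `patch` as pasted; please attach the diff as a file or send it with wrapping disabled. The change itself is the single assignment `flags.forgiveDlErrors = true` inside the `if(!flags.vfile_ondisk)` branch, which matches the description in the mail.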



Bug#860265: (pre-approval) unblock: apt-cacher-ng/2-2

2017-04-13 Thread Eduard Bloch
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please approve the upload of a new version of apt-cacher-ng. See #860243
for details. A minimum viable patch is included below.

This is made under protest because I still consider the "reasons" for
rejecting #860243 specious and unfair. But anyhow, this changeset should
do the job for a (short) while.

unblock apt-cacher-ng/2-2

diff -Nru apt-cacher-ng-2/debian/changelog apt-cacher-ng-2/debian/changelog
--- apt-cacher-ng-2/debian/changelog2016-11-22 21:39:43.0 +0100
+++ apt-cacher-ng-2/debian/changelog2017-04-13 18:11:17.0 +0200
@@ -1,3 +1,17 @@
+apt-cacher-ng (2-2) testing; urgency=high
+
+  * Special version only for Debian Stretch, solving moderate security issues:
++ hardening against HTTP header splitting attack (no user input printed in
+  the HTTP headers anymore; backport from Sid, related to CVE-2017-7443)
++ hardening against unintended or malicious triggering of hidden space
+  allocation, by disabling the fallocate completely. This is ultima ratio,
+  trading code simplicity for fragmentation avoiding efforts; a smarter
+  solution is found in upstream version 3; closes: #856635)
++ handle a corner case of bad TLS handshake with invalid certificate
+  (related to #839751)
+
+ -- Eduard Bloch <bl...@debian.org>  Thu, 13 Apr 2017 18:11:17 +0200
+
 apt-cacher-ng (2-1) unstable; urgency=low
 
   * New upstream version
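Review bot: the second bullet of the 2-2 entry has an unbalanced parenthesis: `... a smarter solution is found in upstream version 3; closes: #856635)` closes a bracket that was never opened. Otherwise the entry states clearly which of the three hardening changes are complete fixes and which (the fallocate disable) are a temporary measure, which is what a stable-update reviewer needs.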
diff -Nru apt-cacher-ng-2/debian/patches/debian-changes 
apt-cacher-ng-2/debian/patches/debian-changes
--- apt-cacher-ng-2/debian/patches/debian-changes   1970-01-01 
01:00:00.0 +0100
+++ apt-cacher-ng-2/debian/patches/debian-changes   2017-04-13 
18:11:17.0 +0200
@@ -0,0 +1,81 @@
+Description: 
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ apt-cacher-ng (2-2) testing; urgency=high
+ .
+   * Special version only for Debian Stretch, solving moderate security issues:
+ + hardening against HTTP header splitting attack (no user input printed in
+   the HTTP headers anymore; backport from Sid, related to CVE-2017-7443)
+ + hardening against unintended or malicious triggering of hidden space
+   allocation, by disabling the fallocate completely. This is ultima ratio,
+   trading code simplicity for fragmentation avoiding efforts; a smarter
+   solution is found in upstream version 3; closes: #856635)
+ + handle a corner case of bad TLS handshake with invalid certificate
+   (related to #839751)
+Author: Eduard Bloch <bl...@debian.org>
+Bug-Debian: https://bugs.debian.org/856635
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, 
+Bug: 
+Bug-Debian: https://bugs.debian.org/
+Bug-Ubuntu: https://launchpad.net/bugs/
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: 
+Last-Update: 2017-04-13
+
+--- apt-cacher-ng-2.orig/source/fileio.cc
 apt-cacher-ng-2/source/fileio.cc
+@@ -17,7 +17,7 @@ using namespace std;
+ namespace acng
+ {
+ 
+-#ifdef HAVE_LINUX_FALLOCATE
++#ifdef DISABLED_FOR_NOW
+ 
+ int falloc_helper(int fd, off_t start, off_t len)
+ {
+--- apt-cacher-ng-2.orig/source/job.cc
 apt-cacher-ng-2/source/job.cc
+@@ -712,9 +712,7 @@ report_overload:
+ return ;
+ 
+ report_notallowed:
+-  SetErrorResponse((tSS() << "403 Forbidden file type or location: " << 
sReqPath).c_str(),
+-  nullptr, "403 Forbidden file type or location");
+-//USRDBG( sRawUriPath + " -- ACCESS FORBIDDEN");
++  SetErrorResponse("403 Forbidden file type or location");
+ return ;
+ 
+ report_offlineconf:
+--- apt-cacher-ng-2.orig/source/tcpconnect.cc
 apt-cacher-ng-2/source/tcpconnect.cc
+@@ -585,11 +585,19 @@ bool tcpconnect::SSLinit(mstring ,
+   if(!cfg::nsafriendly)
+   {
+   hret=SSL_get_verify_result(ssl);
+-  if( hret != X509_V_OK)
++  if(hret != X509_V_OK)
+   {
+   perr=X509_verify_cert_error_string(hret);
+   goto ssl_init_fail;
+   }
++  auto server_cert = SSL_get_peer_certificate(ssl);
++  if(server_cert)
++  X509_free(server_cert);
++  else
++  {
++  perr="Incompatible remote certificate";
++  goto ssl_init_fail;
++  }
+ 
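Review bot: the DEP-3 header of debian/patches/debian-changes is still the unfilled dpkg-source template (`TODO: Put a short summary on the line above ...` plus the `Origin:`/`Bug:`/`Forwarded:` placeholder block); it should get a real Description and the CVE-2017-7443 reference before upload. Inside the patch, renaming `#ifdef HAVE_LINUX_FALLOCATE` to `#ifdef DISABLED_FOR_NOW` keeps the real `falloc_helper` as dead code behind a made-up macro; since the `#else` branch already provides a no-op, leaving HAVE_LINUX_FALLOCATE undefined at configure time would express the same intent. The job.cc change that drops `sReqPath` from the 403 status line is the right fix for the header-splitting problem, and the tcpconnect.cc check that `SSL_get_peer_certificate` returns non-NULL after `SSL_get_verify_result` is correct as a minimal addition.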

Bug#860243: jessie-pu: package apt-cacher-ng/0.8.0-3

2017-04-13 Thread Eduard Bloch
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hello,

I would like to upgrade the apt-cacher-ng version in Stable ASAP.

See attachment for the overview of the proposed changes.  Please note
that it does not fully resolve #839751, only a minor change was included
(extra certificate check for the weakest/obvious attacks).

Adding a complete solution requires either an update of openssl in
Stable or including a local implementation (can be cherry-picked from
Sid) which is likely to be rejected by you (because of "meh meh meeh
S MANY CHANGES", considering how #857752 was dealt with).

+ apt-cacher-ng (0.8.0-4) stable; urgency=high
+ .
+   * Including some security related fixes from upstream version 3 (simplified
+ versions considered appropriate for Stable, related to #856635 and #839751
+ and CVE-2017-7443)
+Author: Eduard Bloch <bl...@debian.org>

Regards,
Eduard.

-- 
Yesterday and today differ only by this here.
diff -Nru apt-cacher-ng-0.8.0/debian/changelog apt-cacher-ng-0.8.0/debian/changelog
--- apt-cacher-ng-0.8.0/debian/changelog	2014-11-28 21:09:34.0 +0100
+++ apt-cacher-ng-0.8.0/debian/changelog	2017-04-12 22:07:16.0 +0200
@@ -1,3 +1,11 @@
+apt-cacher-ng (0.8.0-4) stable; urgency=high
+
+  * Including some security related fixes from upstream version 3 (simplified
+versions considered appropriate for Stable, related to #856635 and #839751
+and CVE-2017-7443)
+
+ -- Eduard Bloch <bl...@debian.org>  Wed, 12 Apr 2017 22:07:16 +0200
+
 apt-cacher-ng (0.8.0-3) unstable; urgency=medium
 
   * Restored build-dependency on libsystemd-daemond-dev since upstream source
diff -Nru apt-cacher-ng-0.8.0/debian/patches/debian-changes apt-cacher-ng-0.8.0/debian/patches/debian-changes
--- apt-cacher-ng-0.8.0/debian/patches/debian-changes	1970-01-01 01:00:00.0 +0100
+++ apt-cacher-ng-0.8.0/debian/patches/debian-changes	2017-04-12 22:07:16.0 +0200
@@ -0,0 +1,80 @@
+Description: 
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ apt-cacher-ng (0.8.0-4) stable; urgency=high
+ .
+   * Including some security related fixes from upstream version 3 (simplified
+ versions considered appropriate for Stable, related to #856635 and #839751
+ and CVE-2017-7443)
+Author: Eduard Bloch <bl...@debian.org>
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, 
+Bug: 
+Bug-Debian: https://bugs.debian.org/
+Bug-Ubuntu: https://launchpad.net/bugs/
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: 
+Last-Update: 2017-04-13
+
+--- apt-cacher-ng-0.8.0.orig/source/fileio.cc
 apt-cacher-ng-0.8.0/source/fileio.cc
+@@ -13,7 +13,8 @@
+ 
+ int falloc_helper(int fd, off_t start, off_t len)
+ {
+-   return fallocate(fd, FALLOC_FL_KEEP_SIZE, start, len);
++	// disabled due to #856635
++   return 0; // fallocate(fd, FALLOC_FL_KEEP_SIZE, start, len);
+ }
+ #else
+ int falloc_helper(int, off_t, off_t)
+--- apt-cacher-ng-0.8.0.orig/source/job.cc
 apt-cacher-ng-0.8.0/source/job.cc
+@@ -731,8 +731,9 @@ report_overload:
+ return ;
+ 
+ report_notallowed:
+-	SetErrorResponse((tSS() << "403 Forbidden file type or location: " << sReqPath).c_str(),
+-			NULL, "403 Forbidden file type or location");
++// disabled in Debian Stable, see CVE-2017-7443 for details
++	SetErrorResponse(/* (tSS() << "403 Forbidden file type or location: " << sReqPath).c_str(),
++			NULL, */ "403 Forbidden file type or location");
+ //USRDBG( sRawUriPath + " -- ACCESS FORBIDDEN");
+ return ;
+ 
+--- apt-cacher-ng-0.8.0.orig/source/tcpconnect.cc
 apt-cacher-ng-0.8.0/source/tcpconnect.cc
+@@ -522,7 +522,7 @@ bool tcpconnect::SSLinit(mstring ,
+  	while(true)
+  	{
+  		hret=SSL_connect(ssl);
+- 		if(hret == 1 )
++		if(hret == 1)
+  			break;
+  		if(hret == 0)
+  			goto ssl_init_fail_retcode;
+@@ -583,7 +583,14 @@ bool tcpconnect::SSLinit(mstring ,
+ 		perr=X509_verify_cert_error_string(hret);
+ 		goto ssl_init_fail;
+ 	}
+-
++	{
++		auto server_cert = SSL_get_peer_certificate(ssl);
++		if (server_cert)
++			X509_free(server_cert);
++		else
++			// Although looking successful the server did not provide a valid certificate
++			goto ssl_init_fail;
++	}
+ 	return true;
+ 
+ 	ssl_init_fail_retcode:
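Review bot: the tcpconnect.cc addition is the important part: `SSL_get_verify_result` reports success even when the peer presented no certificate at all, so checking `SSL_get_peer_certificate(ssl)` for NULL after it closes that gap, as the in-line comment says. What the hunk does not add is any check that the certificate belongs to the host being connected to, which is consistent with the cover mail saying #839751 is only partly addressed; a sentence on that remaining work belongs in the DEP-3 header, which is still the dpkg-source TODO template. Two style points: in fileio.cc `return 0; // fallocate(...)` leaves the original call inside a comment, and in job.cc the `sReqPath` argument is commented out inline rather than deleted, both of which make the diff harder to read than a plain removal would.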
diff -Nru apt-cacher-ng-0.8.0/debian/patches/series apt-cacher-ng-0.8.0/debian/patches/series
--- apt-cacher-ng-0.8

Bug#857752: unblock (pre-approval): apt-cacher-ng/3-1

2017-03-14 Thread Eduard Bloch
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hello,

I would like to create a new upstream version and soon a Debian revision of
apt-cacher-ng, with a short cycle through experimental to make sure not to run
into any platform build issues.

It fixes three nasty issues that some users might consider security
related bugs. Changelogs for upstream and Debian are attached below.
The particular commits can be seen at
https://anonscm.debian.org/cgit/apt-cacher-ng/apt-cacher-ng.git/log/?h=upstream%2Fsid
https://anonscm.debian.org/cgit/apt-cacher-ng/apt-cacher-ng.git/log/?h=debian%2Fexperimental
or in the attached diff file.

While not released yet, the work is basically finished. The only
remaining bug I intend to fix in addition is
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855618
but this will be done with care.

Although the changes might look scary, I have actually postponed all major
changes and kept only:
- update of the volatile file (mirror database)
- security related improvements, including better SSL host checks
- also including alternative SSL host validation code which should allow proper 
backports to Debian LTS and Ubuntu LTS
- and harmless/cosmetic changes like clang warning workarounds

I would like to hear your opinion ASAP. I can imagine extracting the most
critical changes to make an intermediate release, but the result would be harder
to validate and maintain, and I (although biased) would not like to throw those
changes away for a version which is supposed to stay around for a while.

apt-cacher-ng (3-1) UNRELEASED; urgency=medium

  * New upstream version
+ fixes hidden space allocation issue (closes: #856635)
  * Spanish translation update (by Matías A. Bellone, closes: #853105)
  * Instructions on how to work around cron job execution and "special needs"
of some users to disable the admin page (closes: #855996)

 -- 

apt-cacher-ng (3) THIS-IS-NOT-THE-END; urgency=medium

  * NOTE: this release tackles multiple issues that might be considered
security related in certain environments.
  * FIX: Making sure to truncate the file in case its download is aborted.
This is needed in order to avoid hidden filesystem space allocation
(Debian bug #856635). Also more delicate use of fallocate calls on Linux
due to the potentially syscall execution delay. By default, limit the
requested size to the first megabyte of a file.
  * FIX: detection of incorrectly allocated files and automated trimming in
expiration run
  * FIX: compilation with GCC7, also warning fixes with Clang4
  * FIX: better checking of possibly invalid remote certificate configuration
in SSL client code
  * FIX: added workaround code for OpenSSL certificate validation even with
ancient SSL versions like the one found in Ubuntu 14 LTS; borrowed from
libevent examples (originally from ssl-conservatory and cURL)
  * FIX: no printing of requested file name in the 403 HTTP status line
  * FIX: typo/wording in manual, iptables examples
  * Database update

 -- Eduard Bloch <bl...@debian.org>  Tue, 14 Mar 2017 16:23:20 +0100

 CMakeLists.txt  | 123 +-
 COPYING |  62 ++-
 ChangeLog   |  23 +++
 TODO|  26 +--
 VERSION |   2 +-
 client/CMakeLists.txt   |   2 +-
 conf/acng.conf.in   |  14 +-
 conf/deb_mirrors.gz | Bin 3697 -> 4095 bytes
 conf/epel_mirrors   |  45 +++--
 conf/fedora_mirrors |  16 +-
 conf/gentoo_mirrors.gz  | Bin 2603 -> 2588 bytes
 conf/sl_mirrors |   2 +
 conf/ubuntu_mirrors |  57 +--
 dbgen/sig-debian|   2 +-
 dbgen/sig-fsnap |   2 +-
 dbgen/sig-slsnap|   2 +-
 dbgen/sig-ubuntu|   2 +-
 debian/README.Debian|  23 +++
 debian/apt-cacher-ng.cron.daily |  12 ++
 debian/apt-cacher-ng.default|  10 +-
 debian/changelog|  10 ++
 debian/po/es.po |  33 ++--
 doc/README  |   4 +-
 doc/apt-cacher-ng.pdf   | 178 +--
 doc/html/secure.html|   4 +-
 doc/src/README.but  |   4 +-
 fs/CMakeLists.txt   |  34 ++--
 fs/httpfs.cc|   4 +-
 include/acfg.h  |   7 +-
 include/acsyscap.h.in   |

Bug#855448: unblock: encfs/1.9.1-4

2017-02-18 Thread Eduard Bloch
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock the package encfs. The testing version contains a change
that might trigger a security flaw, i.e. it changes the visible behavior
in a way not expected by "optimistically" written frontend programs,
leading to possibly incorrect input of a wrong (identical) password, which
again might not be properly detected by badly written frontends either.

The new upstream patch reverts this and ensures a clean program exit on
such failure.

See #853916 for details.

Regards,
Eduard.




Bug#776149: unblock: pigz/2.3.1-2

2015-01-24 Thread Eduard Bloch
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package apt-cacher-ng

there is a little security problem in the current pigz version in Testing
which only gets exposed when you use very specific options, but it's
easily exploitable in specific scenarios, so it had better be fixed in
Jessie. See CVE-2015-1191 and #774978 for details. The patches are
extracted from upstream SCM with a minor modification.

debdiff:

File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Version: [-2.3.1-1-] {+2.3.1-2+}

pigz_2.3.1-1_to_2.3.1-2.diff:

diff --git a/debian/changelog b/debian/changelog
index 0a7f362..92685bf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+pigz (2.3.1-2) unstable; urgency=high
+
+  * Patch(es) from upstream's SCM to solve handling of target file names with
+the -N option (CVE-2015-1191, closes: #774978)
+
+ -- Eduard Bloch bl...@debian.org  Sun, 18 Jan 2015 23:58:51 +0100
+
 pigz (2.3.1-1) unstable; urgency=medium
 
   * New upstream version 2.3.1
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 000..6d51cba
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,4 @@
+[DEFAULT]
+debian-branch = debian/sid
+upstream-branch = upstream/sid
+
diff --git a/debian/patches/0001-Simplify-justname.patch 
b/debian/patches/0001-Simplify-justname.patch
new file mode 100644
index 000..125ac9f
--- /dev/null
+++ b/debian/patches/0001-Simplify-justname.patch
@@ -0,0 +1,33 @@
+From 34199bdccd2784638a6442b1724edb5f72b4ac02 Mon Sep 17 00:00:00 2001
+From: Mark Adler mad...@alumni.caltech.edu
+Date: Sun, 11 Jan 2015 18:46:03 -0800
+Subject: [PATCH 1/2] Simplify justname().
+
+This uses strrchr() instead of a manual search, and avoids an
+illegal pointer calculation for purists (one less than the start
+of the buffer).
+---
+ pigz.c | 7 ++-
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/pigz.c b/pigz.c
+index cc8aaae..1b1d89a 100644
+--- a/pigz.c
 b/pigz.c
+@@ -3231,11 +3231,8 @@ local char *justname(char *path)
+ {
+ char *p;
+ 
+-p = path + strlen(path);
+-while (--p = path)
+-if (*p == '/')
+-break;
+-return p + 1;
++p = strrchr(path, '/');
++return p == NULL ? path : p + 1;
+ }
+ 
+ /* Copy file attributes, from - to, as best we can.  This is best effort, so
+-- 
+2.1.4
+
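Review bot: the replacement `p = strrchr(path, '/'); return p == NULL ? path : p + 1;` removes the loop that decremented `p` to one element before the start of `path` before comparing it, which the commit message calls an illegal pointer calculation; behaviour is unchanged for the no-slash case (returns `path`) and for a trailing slash (returns the empty string). Since the second patch in this series builds on `justname()` to strip directory components from header-supplied names, it is worth keeping this one first in `debian/patches/series`, as the numbering already does.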
diff --git 
a/debian/patches/0002-When-decompressing-with-N-or-NT-strip-any-path-from-.patch
 
b/debian/patches/0002-When-decompressing-with-N-or-NT-strip-any-path-from-.patch
new file mode 100644
index 000..84a3277
--- /dev/null
+++ 
b/debian/patches/0002-When-decompressing-with-N-or-NT-strip-any-path-from-.patch
@@ -0,0 +1,77 @@
+From b70cdfcdce9a27d72cbd739d704f2d1b51bd54c3 Mon Sep 17 00:00:00 2001
+From: Mark Adler mad...@alumni.caltech.edu
+Date: Sun, 11 Jan 2015 20:21:24 -0800
+Subject: [PATCH 2/2] When decompressing with -N or -NT, strip any path from
+ header name.
+
+This uses the path of the compressed file combined with the name
+from the header as the name of the decompressed output file.  Any
+path information in the header name is stripped.  This avoids a
+possible vulnerability where absolute or descending paths are put
+in the gzip header.
+
+Conflicts:
+   pigz.c
+
+(EB: trivial merge at /* replace .tgz with .tar when decoding */)
+---
+ pigz.c | 37 +++--
+ 1 file changed, 23 insertions(+), 14 deletions(-)
+
+diff --git a/pigz.c b/pigz.c
+index 1b1d89a..68bdf7a 100644
+--- a/pigz.c
 b/pigz.c
+@@ -3499,26 +3499,35 @@ local void process(char *path)
+   (use -f to force));
+ }
+ else {
+-char *to, *repl;
+-
+-/* use header name for output when decompressing with -N */
+-to = g.inf;
+-if (g.decode  (g.headis  1) != 0  g.hname != NULL) {
+-to = g.hname;
+-len = strlen(g.hname);
++char *to = g.inf, *sufx = ;
++size_t pre = 0;
++
++/* select parts of the output file name */
++if (g.decode) {
++/* for -dN or -dNT, use the path from the input file and the name
++   from the header, stripping any path in the header name */
++if ((g.headis  1) != 0  g.hname != NULL) {
++pre = justname(g.inf) - g.inf;
++to = justname(g.hname);
++len = strlen(to);
++}
++/* for -d or -dNn, replace abbreviated suffixes */
++else if (strcmp(to + len, .tgz) == 0)
++sufx = .tar;
+ }
+-
+-/* replace .tgx with .tar when decoding */
+-repl = g.decode  strcmp(to + len, .tgz) ?  : .tar;
++else
++/* add appropriate suffix when compressing */
++sufx = g.sufx;
+ 
+ /* create output file and open to write */
+-g.outf = MALLOC(len
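Review bot: the security-relevant lines are `pre = justname(g.inf) - g.inf;` and `to = justname(g.hname);`: the output is now always written into the input file's directory and only the basename of the header name is used, so a header name such as an absolute path or one containing `..` components can no longer steer the output outside that directory. Two follow-ups: (1) after stripping, `to` can be empty (header name ending in '/'), or be `.` or `..` (justname() finds no slash to strip there); a guard such as `if (*to == '\0') to = justname(g.inf);` before `len = strlen(to);` avoids producing a file named like the directory itself, and the `..` case fails later with a confusing EISDIR rather than a clear message; (2) the hunk is cut off at `+g.outf = MALLOC(len`, so this debdiff does not show whether the allocation now accounts for `pre` plus `len` plus `strlen(sufx)` plus the terminator, which the complete patch should be checked for, since `pre` is a new contribution to the size.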

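The 0002 patch above composes the output name from the input file's directory and the basename of the gzip header name. The following is an added example, not pigz's own code, that parses the FNAME field from a gzip member header and applies the same rule, with the two edge cases the patch leaves to the caller (an empty basename, or `.`/`..`) rejected explicitly; the function names (`gzip_header_name`, `safe_output_name`, `make_header`, `output_name_from_header`) are hypothetical helpers and the header bytes are constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GZ_FEXTRA 0x04   /* FLG bits from RFC 1952 */
#define GZ_FNAME  0x08

/* Basename of a path, as the patched justname() computes it:
 * no '/' at all -> the whole string; trailing '/' -> empty string. */
static const char *justname(const char *path)
{
    const char *p = strrchr(path, '/');
    return p == NULL ? path : p + 1;
}

/* Copy the FNAME field of a gzip member header into out.
 * Returns the name length, or -1 if the header is malformed, carries no
 * FNAME, or the name does not fit into out. */
static int gzip_header_name(const unsigned char *buf, size_t len,
                            char *out, size_t outsz)
{
    size_t pos = 10;                  /* ID1 ID2 CM FLG MTIME(4) XFL OS */
    if (len < 10 || buf[0] != 0x1f || buf[1] != 0x8b || buf[2] != 8)
        return -1;
    unsigned flg = buf[3];
    if (flg & GZ_FEXTRA) {            /* the extra field precedes FNAME */
        if (pos + 2 > len) return -1;
        size_t xlen = buf[pos] | ((size_t)buf[pos + 1] << 8);
        pos += 2;
        if (xlen > len - pos) return -1;
        pos += xlen;
    }
    if (!(flg & GZ_FNAME)) return -1;
    size_t n = 0;
    while (pos < len && buf[pos] != 0) {   /* FNAME is NUL-terminated */
        if (n + 1 >= outsz) return -1;
        out[n++] = (char)buf[pos++];
    }
    if (pos >= len) return -1;             /* unterminated name */
    out[n] = '\0';
    return (int)n;
}

/* dir-of-input + basename-of-header-name; rejects names that strip down to
 * nothing or to "." / "..", which justname() passes through unchanged.
 * Returns the output length, or -1. */
static int safe_output_name(const char *inpath, const char *hname,
                            char *out, size_t outsz)
{
    const char *base = justname(hname);
    size_t pre = (size_t)(justname(inpath) - inpath);  /* input dir incl. '/' */
    size_t blen = strlen(base);
    if (blen == 0 || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return -1;
    if (pre + blen + 1 > outsz) return -1;
    memcpy(out, inpath, pre);
    memcpy(out + pre, base, blen + 1);
    return (int)(pre + blen);
}

/* Constructed sample: a gzip header carrying the given FNAME, no payload. */
static size_t make_header(unsigned char *buf, size_t bufsz, const char *name)
{
    static const unsigned char fixed[10] = {0x1f, 0x8b, 8, GZ_FNAME, 0, 0, 0, 0, 0, 3};
    size_t n = strlen(name) + 1;
    if (10 + n > bufsz) return 0;
    memcpy(buf, fixed, 10);
    memcpy(buf + 10, name, n);
    return 10 + n;
}

/* Header bytes + input path -> output path, or -1 if rejected. */
static int output_name_from_header(const char *inpath, const unsigned char *hdr,
                                   size_t hlen, char *out, size_t outsz)
{
    char name[256];
    if (gzip_header_name(hdr, hlen, name, sizeof name) < 0) return -1;
    return safe_output_name(inpath, name, out, outsz);
}

int main(void)
{
    static const char *names[] = {"../../etc/passwd", "/etc/shadow", "report.txt", "dir/", "x/.."};
    unsigned char hdr[300];
    char out[300];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        size_t n = make_header(hdr, sizeof hdr, names[i]);
        int r = output_name_from_header("/var/cache/acng/data.gz", hdr, n, out, sizeof out);
        printf("%-18s -> %s\n", names[i], r < 0 ? "(rejected)" : out);
    }
    return 0;
}
```

The check is deliberately done on the already-parsed name rather than on the raw header, so the same `safe_output_name` can be reused for any other source of a file name that arrives from untrusted data.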
Bug#772007: unblock: apt-cacher-ng/0.8.0-3

2014-12-04 Thread Eduard Bloch
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package apt-cacher-ng

there is a trivial but nasty bug in the Debian packaging. No upstream
changes and source-only upload; no build trouble anywhere (except for a
bogus warning on armhf only which I consider a compiler bug, and it has
existed before).

The bug was not reported as serious but I tend to consider it a such one
since it impacts the log rotation and might cause hidden disk space
consumption and probably loss of log data.

debdiff:

File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Version: [-0.8.0-1-] {+0.8.0-3+}

And git diff debian/0.8.0-1 debian/0.8.0-3 :

diff --git a/debian/apt-cacher-ng.logrotate b/debian/apt-cacher-ng.logrotate
index 1122f8f..1adf759 100644
--- a/debian/apt-cacher-ng.logrotate
+++ b/debian/apt-cacher-ng.logrotate
@@ -8,7 +8,9 @@
 notifempty
 create
 postrotate
-if [ -s /var/run/apt-cacher-ng/pid ] ; then
+if [ -e /run/systemd/system ] ; then
+systemctl is-active apt-cacher-ng  systemctl kill 
--signal=USR1 apt-cacher-ng
+elif [ -s /var/run/apt-cacher-ng/pid ] ; then
 kill -s USR1 $(cat /var/run/apt-cacher-ng/pid)
 fi
 endscript
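Review bot: `systemctl is-active apt-cacher-ng` prints its result (`active`/`inactive`) on stdout, which from a logrotate postrotate script ends up in cron mail on every rotation; `systemctl is-active --quiet apt-cacher-ng` keeps the exit status and drops the output. The rest of the branch is sound: `[ -e /run/systemd/system ]` is the documented way to detect a booted systemd, and `systemctl kill --signal=USR1` delivers the signal to the process in the unit's cgroup regardless of whether the pidfile under /var/run exists or is current, which is what makes the rotation reliable under systemd.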
@@ -24,7 +26,9 @@
 notifempty
 create
 postrotate
-if [ -s /var/run/apt-cacher-ng/pid ] ; then
+if [ -e /run/systemd/system ] ; then
+systemctl is-active apt-cacher-ng  systemctl kill 
--signal=USR1 apt-cacher-ng
+elif [ -s /var/run/apt-cacher-ng/pid ] ; then
 kill -s USR1 $(cat /var/run/apt-cacher-ng/pid)
 fi
 endscript
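Review bot: this second postrotate block is a verbatim copy of the first one, so every later change (adding `--quiet` to `is-active`, for instance) has to be made in two places; if the two stanzas differ only in the file they rotate, one stanza listing both paths, or a small shared helper script invoked from both postrotate sections, removes the duplication and gives the signalling logic a single place to be tested.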
diff --git a/debian/changelog b/debian/changelog
index afc3766..bddd009 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+apt-cacher-ng (0.8.0-3) unstable; urgency=medium
+
+  * Restored build-dependency on libsystemd-daemond-dev since upstream source
+didn't cope with that change (yet)
+
+ -- Eduard Bloch bl...@debian.org  Fri, 28 Nov 2014 21:05:16 +0100
+
+apt-cacher-ng (0.8.0-2) unstable; urgency=medium
+
+  * Send SIGUSR1 properly to reopen the logs when controlled by systemd
+(closes: Bug#77)
+  * replace build-dependency on transitional package libsystemd-daemond-dev
+
+ -- Eduard Bloch bl...@debian.org  Fri, 28 Nov 2014 08:14:54 +0100
+
 apt-cacher-ng (0.8.0-1) unstable; urgency=medium
 
   * New upstream version
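Review bot: `libsystemd-daemond-dev` in both the 0.8.0-3 and the 0.8.0-2 entries looks like a typo for `libsystemd-daemon-dev`, the actual Debian package name; since the 0.8.0-3 entry exists precisely to explain restoring that build-dependency, the changelog should spell it correctly, and the `(closes: Bug#77)` reference in the 0.8.0-2 entry does not look like a complete bug number and should be checked against the report it is meant to close.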



unblock apt-cacher-ng/0.8.0-2

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.12.31+ (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

-- 
Angela Merkel zitiere ich ja am liebsten wörtlich. Ich hab noch keine
bessere Möglichkeit gefunden, diese Frau zu beleidigen.
-- Volker Pispers


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/20141204103055.ga6...@rotes76.wohnheim.uni-kl.de



Bug#767022: Please reduce freeze time for cloop

2014-10-27 Thread Eduard Bloch
Package: release.debian.org
Severity: normal

Please reduce the freeze time for the package cloop.

The rationale behind this is the following:

 * the binary packages are harmless, i.e. no suid binaries inside, no
   systemd killing init scripts or other potential trouble makers
 * the package was removed from Testing because of an rc bug which was
   filed against the cloop-src binary package which didn't build with
   some kernel 3.10.x version on the user system (this is not even a
   FTBFS problem of the source package and the kernel version in
   question is history now). After my update all kernels starting with
   at least 3.12 should be supported.
 * I updated the package following current standards, and I also changed
   the type to native (i.e. git-tracked fork with minimal deviations)
   because it was simply necessary: just take a look at the upstream
   source to get the feeling, it contained an own debian subdirectory
   and reused debian/changelog as upstream changelog. The old stable
   version even had a directory with cruft in upstreams debian/ folder.
   So I chose to finally separate the changelogs and make some other
   editorial changes, and I will try to share the git repository with
   the world as soon as somebody fixes
   https://alioth.debian.org/scm/browser.php?group_id=30019
 * this package itself has a long history and has a very low change
   frequency.  The upstream source changes are basically little
   adaptions of the kernel module source to newer kernel versions. Apart
   from the changes on Debian packaging, the few changes on the program
   code were needed to solve the compiler warnings discovered with
   hardening flags (which was easy since I personally wrote that
   particular piece of source code back in my student times *g*).

So after all I think the package is in much better shape than it was
before.

Thanks for your cooperation,
Eduard.

$ debdiff cloop-utils_2.6.39.2-1_amd64.deb cloop-utils_3.14.1.1_amd64.deb
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in first .deb but not in second
-
-rw-r--r--  root/root   /usr/share/doc/cloop-utils/changelog.Debian.gz

Control files: lines which differ (wdiff format)

Depends: libc6 (>= [-2.3.2),-] {+2.14),+} libgcc1 (>= 1:4.1.1), libstdc++6 (>= [-4.6),-] {+4.4.0),+} zlib1g (>= 1:1.1.4)
Installed-Size: [-219-] {+112+}
Version: [-2.6.39.2-1-] {+3.14.1.1+}

$ debdiff cloop-src_2.6.39.2-1_all.deb cloop-src_3.14.1.1_all.deb 
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .deb but not in first
-
-rw-r--r--  root/root   /usr/src/cloop.tar.xz

Files in first .deb but not in second
-
-rw-r--r--  root/root   /usr/share/doc/cloop-src/README.Debian
-rw-r--r--  root/root   /usr/share/doc/cloop-src/changelog.Debian.gz
-rw-r--r--  root/root   /usr/src/cloop.tar.bz2

Control files: lines which differ (wdiff format)

Depends: module-assistant, debhelper (>= 5.0.37), [-bzip2-] {+xz-utils+}
Installed-Size: [-70-] {+68+}
Version: [-2.6.39.2-1-] {+3.14.1.1+}

$ diff a/cloop-2.639 b/cloop-3.14.1.1/ -Nurd | diffstat 
 CHANGELOG |   89 
 ChangeLog |  638 
+
 Makefile  |7 
 README|   12 
 VERSION   |1 
 advancecomp-1.15/config.guess | 1197 
--
 advancecomp-1.15/config.sub   |  469 
++-
 advfs.cc  |   75 
 cloop.c   |   54 
 cloop.mod.c   |   89 
 create_compressed_fs_fast.c   |  240 --
 debian/README.Debian  |   26 
 debian/changelog  |   85 
 debian/cloop-module-_KVERS_.config|   15 
 debian/cloop-module-_KVERS_.postinst.modules.in   |   22 
 debian/cloop-module-_KVERS_.postrm|   36 
 debian/cloop-module-_KVERS_.templates |5 
 debian/cloop-source.debhelper.log |   24 
 debian/cloop-source/usr/src/modules/cloop/CHANGELOG   |   89 
 debian/cloop-source/usr/src/modules/cloop/Makefile|   70 
 

Bug#701833: unblock: pigz/2.2.4-2

2013-02-28 Thread Eduard Bloch
Hallo,
* Julien Cristau [Thu, Feb 28 2013, 05:14:08PM]:
> On Wed, Feb 27, 2013 at 21:05:45 +0100, Eduard Bloch wrote:
> 
> > Hallo,
> > * Thijs Kinkhorst [Wed, Feb 27 2013, 06:52:05PM]:
> > 
> > > Package pigz/2.2.4-2 was uploaded to sid fixing CVE-2013-0296 (#700608).
> > > 
> > > The maintainer also added hardening flags. This may be on the border of
> > > acceptable/unacceptable for an unblock. Please let me know either way.
> > 
> > Thanks for reporting. If the hardening flags are not acceptable I can
> > just build another revision disabling them. Just tell me soon enough.
> 
> I'd prefer to have the security fix on its own.

Ok, here we go. pigz 2.2.4-3 is uploaded, debian-diff and debdiff
attached here (note: debdiff gets slightly confused on hardlinks).

Regards,
Eduard.
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .deb but not in first
-
-rw-r--r--  root/root   /usr/share/man/man1/pigz.1.gz
-rwxr-xr-x  root/root   /usr/bin/unpigz
hrw-r--r--  root/root   /usr/share/man/man1/unpigz.1.gz link to ./usr/share/man/man1/pigz.1.gz
hrwxr-xr-x  root/root   /usr/bin/pigz link to ./usr/bin/unpigz

Files in first .deb but not in second
-
-rw-r--r--  root/root   /usr/share/man/man1/unpigz.1.gz
-rwxr-xr-x  root/root   /usr/bin/pigz
hrw-r--r--  root/root   /usr/share/man/man1/pigz.1.gz link to ./usr/share/man/man1/unpigz.1.gz
hrwxr-xr-x  root/root   /usr/bin/unpigz link to ./usr/bin/pigz

Control files: lines which differ (wdiff format)

Version: [-2.2.4-1-] {+2.2.4-3+}
diff -Nurd pigz_2.2.4-1.debian/debian/changelog pigz_2.2.4-3.debian/debian/changelog
--- pigz_2.2.4-1.debian/debian/changelog	2012-05-08 22:59:23.0 +0200
+++ pigz_2.2.4-3.debian/debian/changelog	2013-02-28 20:17:36.0 +0100
@@ -1,3 +1,17 @@
+pigz (2.2.4-3) unstable; urgency=low
+
+  * removed hardening flags, this build is targeting Wheezy
+
+ -- Eduard Bloch bl...@debian.org  Thu, 28 Feb 2013 20:16:03 +0100
+
+pigz (2.2.4-2) unstable; urgency=high
+
+  * Use 600 permissions for unfinished output files (CVE-2013-0296,
+closes: #700608)
+  * started applying Debian hardening flags
+
+ -- Eduard Bloch bl...@debian.org  Sat, 23 Feb 2013 13:44:42 +0100
+
 pigz (2.2.4-1) unstable; urgency=low
 
   * New upstream release
diff -Nurd pigz_2.2.4-1.debian/debian/patches/series pigz_2.2.4-3.debian/debian/patches/series
--- pigz_2.2.4-1.debian/debian/patches/series	2012-05-01 13:02:06.0 +0200
+++ pigz_2.2.4-3.debian/debian/patches/series	2013-02-28 20:15:20.0 +0100
@@ -0,0 +1 @@
+strict_temp_file_permissions
diff -Nurd pigz_2.2.4-1.debian/debian/patches/strict_temp_file_permissions pigz_2.2.4-3.debian/debian/patches/strict_temp_file_permissions
--- pigz_2.2.4-1.debian/debian/patches/strict_temp_file_permissions	1970-01-01 01:00:00.0 +0100
+++ pigz_2.2.4-3.debian/debian/patches/strict_temp_file_permissions	2013-02-28 20:14:29.0 +0100
@@ -0,0 +1,22 @@
+Index: pigz/pigz.c
+===
+--- pigz-2.2.4/pigz.c	(Revision 4038)
 pigz-2.2.5/pigz.c	(Arbeitskopie)
+@@ -3228,7 +3228,7 @@
+ memcpy(out, to, len);
+ strcpy(out + len, decode ?  : sufx);
+ outd = open(out, O_CREAT | O_TRUNC | O_WRONLY |
+- (force ? 0 : O_EXCL), 0666);
++ (force ? 0 : O_EXCL), 0600);
+ 
+ /* if exists and not -f, give user a chance to overwrite */
+ if (outd  0  errno == EEXIST  isatty(0)  verbosity) {
+@@ -3244,7 +3244,7 @@
+ } while (ch != EOF  ch != '\n'  ch != '\r');
+ if (reply == 1)
+ outd = open(out, O_CREAT | O_TRUNC | O_WRONLY,
+-0666);
++0600);
+ }
+ 
+ /* if exists and no overwrite, report and go on to next */
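Review bot: both open() calls go from 0666 to 0600, which closes the window in which a partially written output file was readable by every other user under the usual 022 umask (the CVE-2013-0296 issue named in the changelog); since pigz afterwards copies the source file's attributes onto the finished output (the routine whose "Copy file attributes, from - to" comment is visible in the 2015 justname patch earlier on this page), the final permissions are unaffected, but it is worth confirming that the attribute copy also runs on the `reply == 1` overwrite path. Cosmetic: the inner headers read `--- pigz-2.2.4/pigz.c (Revision 4038)` against `pigz-2.2.5/pigz.c (Arbeitskopie)`, so the patch was taken from an SVN working copy with a different top-level name; quilt strips that component with -p1, but the mismatched label is confusing for the next person regenerating the patch.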


signature.asc
Description: Digital signature
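The strict_temp_file_permissions patch above changes the creation mode of the output file from 0666 to 0600. As an added example, not pigz's own code, the following shows the full pattern in isolation: the output is created with 0600 (and O_EXCL unless overwriting is forced), stays owner-only while it is being written, and is only widened to the source file's permission bits once the content is complete; `demo()` runs that sequence in a scratch directory and reports the mode seen at each stage. The function names (`open_output_strict`, `finish_output`, `perm_bits`, `demo`) and the sample files are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Mirrors the patched open(): O_EXCL unless overwriting was forced, mode
 * 0600 so that the in-progress file is readable by its owner only. */
static int open_output_strict(const char *path, int force)
{
    return open(path, O_CREAT | O_TRUNC | O_WRONLY | (force ? 0 : O_EXCL), 0600);
}

/* Done writing: give the output the source's permission bits, the step that
 * pigz performs as part of copying file attributes after completion. */
static int finish_output(int outd, const char *inpath)
{
    struct stat st;
    if (stat(inpath, &st) != 0) return -1;
    return fchmod(outd, st.st_mode & 07777);
}

/* Permission bits of path, or -1 if it cannot be stat'ed. */
static int perm_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 07777);
}

/* Run the sequence in a scratch directory: mode while writing, mode after
 * completion, and whether a second non-forced open of the same name was
 * refused with EEXIST. Returns 0 on success, -1 on any setup failure. */
static int demo(int *during, int *after, int *excl_refused)
{
    char dir[] = "/tmp/pigz-perm-demo-XXXXXX";   /* scratch dir, removed below */
    if (mkdtemp(dir) == NULL) return -1;
    char in[128], out[128];
    snprintf(in, sizeof in, "%s/data.txt", dir);
    snprintf(out, sizeof out, "%s/data.txt.gz", dir);

    /* constructed source file, world-readable like a typical 0644 file */
    int fd = open(in, O_CREAT | O_WRONLY, 0644);
    if (fd < 0) return -1;
    (void)fchmod(fd, 0644);              /* keep the umask out of the sample */
    (void)write(fd, "sample\n", 7);
    close(fd);

    int outd = open_output_strict(out, 0);
    if (outd < 0) return -1;
    *during = perm_bits(out);            /* 0600: other users cannot read it */
    (void)write(outd, "partial", 7);     /* stands in for the compressed stream */

    int again = open_output_strict(out, 0);
    *excl_refused = (again < 0 && errno == EEXIST);
    if (again >= 0) close(again);

    (void)finish_output(outd, in);
    close(outd);
    *after = perm_bits(out);             /* 0644: matches the source again */

    unlink(out);
    unlink(in);
    rmdir(dir);
    return 0;
}

int main(void)
{
    int during, after, refused;
    if (demo(&during, &after, &refused) != 0) {
        perror("demo");
        return 1;
    }
    printf("mode while writing: %04o, after completion: %04o, O_EXCL refused: %d\n",
           during, after, refused);
    return 0;
}
```

The mode argument of open() is masked by the umask, so with 0666 the outcome depended on the caller's environment (0644 under the common 022 umask); with 0600 the in-progress file is owner-only under any umask, and widening it afterwards is an explicit decision made once the content is trustworthy.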


Bug#701833: unblock: pigz/2.2.4-2

2013-02-27 Thread Eduard Bloch
Hallo,
* Thijs Kinkhorst [Wed, Feb 27 2013, 06:52:05PM]:

> Package pigz/2.2.4-2 was uploaded to sid fixing CVE-2013-0296 (#700608).
> 
> The maintainer also added hardening flags. This may be on the border of
> acceptable/unacceptable for an unblock. Please let me know either way.

Thanks for reporting. If the hardening flags are not acceptable I can
just build another revision disabling them. Just tell me soon enough.

Thanks,
Eduard.


-- 
Archive: 
http://lists.debian.org/20130227200545.ga29...@rotes76.wohnheim.uni-kl.de



Bug#694378: unblock: apt-cacher-ng/0.7.10-1

2013-01-27 Thread Eduard Bloch
Hallo,
* intrigeri [Sat, Jan 26 2013, 10:33:35PM]:
> Hi Eduard,
> 
> intrigeri wrote (27 Nov 2012 10:58:28 GMT) :
> > Eduard, given the apparent brokenness of the version currently in
> > testing, the size of the delta, and the fact we've been frozen for
> > months, have you considered preparing a minimal fix meant to fix these
> > bugs for Wheezy?
> 
> Ping?

Well, (no offense implied) I am often puzzled at how people ask for
just the minimal fix WRT complex software. It's like asking the garage
guy: please replace my brake pads but DON'T remove the wheels!!11

I could try to do that but the extract would still require
significant code changes and involve the risk of breaking something you
don't see coming in the beginning. Those three months of testing in Sid
are IMHO more worth for software quality than some wild patching.

> > Another option would be to ask for removal from testing, and
> > maintaining this package in backports during the Wheezy lifetime.
> 
> Since then two upstream releases were uploaded to unstable, and a RC
> bug (#698466) was filed against the version currently in unstable
> (it's unclear to me if the version in testing is affected), so I'm

Nope, it's against another version in Experimental. And no, it doesn't
affect Unstable or Testing.

Regards,
Eduard.


-- 
Archive: 
http://lists.debian.org/20130127131453.ga7...@rotes76.wohnheim.uni-kl.de



Bug#694378: unblock: apt-cacher-ng/0.7.10-1

2013-01-27 Thread Eduard Bloch
Hallo,
* intrigeri [Sun, Jan 27 2013, 03:41:49PM]:

> > Well, (no offense implied) I am often puzzled at how people ask for
> > just the minimal fix WRT complex software.
> 
> I acknowledge it is sometimes the case that a minimal fix is hard to
> extract, but it's also, quite often, pretty easy. I don't know this
> specific code, so I was asking.

> > It's like asking the garage guy: please replace my brake pads but
> > DON'T remove the wheels!!11
> 
> Well, it's not my car, I'm not your client, and I'm not asking you to
> do work that will only benefit me, so I don't think this comparison
> fits the current situation very well. I'll assume good faith and
> ignore the feelings this comparison triggers in me.
...
> a minimal fix is one of the most often applied solution in this kind
> of situation. Hence, I was merely asking if you had *considered* it...

C'mon, this comparison was just made up to demonstrate that the usual
dogma everything with more than a couple of diff chunks is heavy
development and is therefore evil does not fit all situations.

My decision for the bug mentioned before was obvious. It wasn't clear
where the problem originates, the suspected code was messy because of
various extensions and workarounds over time and remote debugging would
have become complicated. I could have spent a lot of time on code
reviewing without useful results or take a weekend to redesign the
process and make it robust and easier debuggable in future.
And IMHO it was the right decision because only a couple of related
bugs were discovered afterwards which were easy to analyze and easy to
fix.

Since wheezy-backports have been mentioned in this BR:
it's possible but something I would prefer not to use. I am biased,
of course, but IMO it's just a workaround which use could be avoided
here.

Regards,
Eduard.


-- 
Archive: 
http://lists.debian.org/20130127183331.ga10...@rotes76.wohnheim.uni-kl.de



Bug#694378: Bug#683803: apt-cacher-ng: errors in combination with http.debian.net: [302 Moved Temporarily]

2012-12-26 Thread Eduard Bloch
Hallo,
* Gabriele Stilli [Tue, Dec 25 2012, 10:10:36PM]:

> any chance of having this fix backported to Wheezy? It's quite annoying
> not being able to do proper upgrades when using http.debian.net with
> (what will become) stable.

#694378 is there to get an answer to this question, apparently RM team
prefers to look away ATM.

Regards,
Eduard.


-- 
Archive: 
http://lists.debian.org/20121226110849.ga14...@rotes76.wohnheim.uni-kl.de



Bug#694378: unblock: apt-cacher-ng/0.7.10-1

2012-11-25 Thread Eduard Bloch
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package apt-cacher-ng

it solves #683803 and #677983 (*) since version 0.7.8. These changes are
especially required to support http.debian.net redirection properly and
to stop the total breakage of apt-get update runs on some systems.

There are upstream changes but I consider most of them harmless (I am
upstream) or they have been tested in Unstable/Experimental for already
16 weeks. Little problems in 0.7.8's changes have been solved in 0.7.10
(18 days in Unstable without new bug reports).

(*): assumed, no user complaints this time while previous fixing
attempts caused very prompt responses

$ debdiff apt-cacher-ng_0.7.6-1_amd64.deb apt-cacher-ng_0.7.10-1_amd64.deb 
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Depends: libbz2-1.0, libc6 (>= 2.10), libgcc1 (>= 1:4.1.1), liblzma5 (>= [-5.1.1alpha+20110809),-] {+5.1.1alpha+20120614),+} libstdc++6 (>= 4.6), libwrap0 (>= 7.6-4~), zlib1g (>= 1:1.1.4), debconf (>= 0.5) | debconf-2.0, adduser
Installed-Size: [-1158-] {+1175+}
Version: [-0.7.6-1-] {+0.7.10-1+}

unblock apt-cacher-ng/0.7.10-1

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.5.0+ (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash


-- 
Archive: 
http://lists.debian.org/20121125224352.ga21...@rotes76.wohnheim.uni-kl.de



Bug#604464: unblock: apt-cacher-ng/0.5.1-3

2010-11-22 Thread Eduard Bloch
Package: release.debian.org
Severity: important
User: release.debian@packages.debian.org
Usertags: freeze-exception

Please unblock package apt-cacher-ng. <insert your favorite
I-know-it's-late phrase here>

The background of this request is mainly task #598469 which originally
got RC severity by Phil and I supposed that most mirror administrators
will react similarly in future. The problem is real after all, and the
workaround for it has been added weeks ago in Sid and no collateral
damage has been reported so far.

There are two other issues which I consider important: #603463 because
it affects other packages and the reason is hard to track, and a minor
problem (hand+thread leak) which affects a few users (those who try the
DontCache options) and the corresponding fix could also affect only that
few users; I don't expect any regressions caused by it.

All that said with the upstream hat on my head. For details, see:

http://apt-cacher-ng.alioth.debian.org/apt-cacher-ng_0.5.1-2_to_0.5.1-3.diff

Thanks,
Eduard.

unblock apt-cacher-ng/0.5.1-3

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.36 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash



-- 
Archive: 
http://lists.debian.org/20101122122053.ga12...@rotes76.wohnheim.uni-kl.de



Freeze exception: encfs 1.7.2-1

2010-09-25 Thread Eduard Bloch
Hello,

I uploaded encfs 1.7.2-1 about one week ago and there are now new bugs
reported so far in our BTS and no relevant bugs in the upstream BTS.

This is a new upstream version but the changeset is small enough for a
review (see [1]) and it contains fixes for potential security problems
in future (see [2] for various links). I personally don't consider them
critical yet but we really shouldn't ship a weak version in a Stable
release.

[1] http://pkg-icewm.alioth.debian.org/~blade/encfs-1.6.x-to-1.7.2.diff where 
l10n related noise has been removed
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=595998

Regards,
Eduard.


signature.asc
Description: Digital signature


Re: Freeze exception: encfs 1.7.2-1

2010-09-25 Thread Eduard Bloch
#include hallo.h
* Adam D. Barratt [Sat, Sep 25 2010, 04:22:55PM]:
> On Sat, 2010-09-25 at 12:22 +0200, Eduard Bloch wrote:
> > This is a new upstream version but the changeset is small enough for a
> > review (see [1]) and it contains fixes for potential security problems
> > in future (see [2] for various links). I personally don't consider them
> > critical yet but we really shouldn't ship a weak version in a Stable
> > release.
> 
> Those fixes also change the signature of several public members of
> libencfs, and therefore its soname; is the library used by anything
> outside of encfs itself?

Not that I am aware of. I.e. ATM the shared library is only used by the
executables from the encfs package.

Regards,
Eduard.


signature.asc
Description: Digital signature


Re: Request for freeze exception: apt-cacher-ng

2008-12-02 Thread Eduard Bloch
#include hallo.h
* Marc Haber [Tue, Dec 02 2008, 01:15:15PM]:

> > Okay, simple question: how many RC bugs do you need to allow the push of
> > the Unstable version at the moment? I have one RC candidate (#506273),
> 
> I am sure that a minimal patch against the version currently in lenny,

Wow, so sure. I wish I had your confidence.

Regards,
Eduard.
-- 
Perun TCW: mit daten cd geht es
Perun TCW: aber mountet man na audio cd nicht mit -t iso9660?





Re: Request for freeze exception: apt-cacher-ng

2008-12-01 Thread Eduard Bloch
#include hallo.h
* Neil McGovern [Sun, Nov 30 2008, 10:14:23AM]:

> With the number of changes in this, I'm afraid it cannot be reviewed for
> the lenny release.

Actually that's the point, I dislike that kind of conclusions in some
cases. There are upstream authors that happily release known shit
straight from alpha stage as stable version but I am not one of them.
And I have been long enough DM (and DD) to know where to draw the line,
IMHO.

> As you consider the version in testing currently to be old and buggy,
> and we haven't released with apt-cacher-ng before, I'll be happy to file
> a removal hint should you so wish.

Actually: please no! If I'd wish that you would have already noticed.

The quality/bugs ratio is IMO still acceptable for a Debian release.

Regards,
Eduard.

-- 
weasel wenn es auf der Scheibenwelt neben dem Tod und dem Hogfather noch eine
Person fuer die Schuld gaebe, dann waere das white.


signature.asc
Description: Digital signature


Re: Please readd sl-modem to Lenny

2008-10-06 Thread Eduard Bloch
#include hallo.h
* Adeodato Simó [Sun, Oct 05 2008, 06:04:03PM]:

> > > Package: sl-modem
> > > Binary: sl-modem-source, sl-modem-daemon
> > > Version: 2.9.9d+e-pre2-12
> > > Priority: optional
> > > Section: non-free/misc
> > > Maintainer: Debian QA Group [EMAIL PROTECTED]
> 
> > Unblocked.
> 
> You'll need to get i386 binaries uploaded if you want it migrated.

I did upload some yesterday, but they seem to be stuck in the hidden queue.

Regards,
Eduard.

-- 
Naja, Garbage Collector eben. Holt den Müll sogar vom Himmel.
   (Heise Trollforum über Java in der Flugzeugsteuerung)





Please readd sl-modem to Lenny

2008-09-11 Thread Eduard Bloch
Dear release team,

please consider readding the package sl-modem to Lenny. AFAICS it has
been removed because of having a bug which I personally don't even
consider RC, and the update would fix that one and also update some
translations.

New version:

Package: sl-modem
Binary: sl-modem-source, sl-modem-daemon
Version: 2.9.9d+e-pre2-12
Priority: optional
Section: non-free/misc
Maintainer: Debian QA Group [EMAIL PROTECTED]

Thanks,
Eduard.

-- 
Rhonda Auch wenn mir das weasel optisch zusagt, ich mach's trotzdem nicht mit
ihm!





Re: Desktop upgrade strategy - new procedure 'C'

2007-03-27 Thread Eduard Bloch
#include hallo.h
* Frans Pop [Fri, Mar 23 2007, 07:15:40PM]:

> There are quite a few proposed methods in that mail, which were you
> referring to? Note that I'm not a fan of Osamu's suggestions as they
> don't work for desktop installs.
> 
> The new procedure goes as follows:
> - aptitude update (/me is still annoyed at the warnings aptitude prints
>   when a new source is added for the first time)
> - edit sources.list to point to Etch

And mention explicitly to comment/remove the lines pointing to sarge. I
have seen APT wreaking random havoc when multiple distro branches are
available, though it happened last time with Sarge and *cough* recent
Ubuntu.

Regards,
Eduard.
-- 
Yannick_k hiho, ich brauch dringend nen Virenscanner der windows vieren
finden kann
Yannick_k kann mir da einer nen tipp geben?
rvb Hm. grep 4 * findet Vieren.



Re: Please unblock unp 1.0.11

2007-03-20 Thread Eduard Bloch
Hi people,

please unblock the unp package, version 1.0.11. It has a one-line fix
which avoids a pretty nasty memory bomb, AFAICS without side effects.

Thanks,
Eduard.
-- 
Kluge halten das Gewöhnliche, Dumme das Ungewöhnliche für toll.
-- Jean Paul





please unblock the mail-expire package

2007-03-09 Thread Eduard Bloch
#include hallo.h

Please let mail-expire 0.7 go into Etch, since... 0.6 is completely
broken because of a change in a supplementary module and the only change
in 0.7 is one simple condition modification to fix it.

Eduard.
-- 
Schade, ich hatte gehofft, der Job fällt jetzt nebenbei
von meinem Stack, hat mal wieder nicht geklappt.
-- Martin Schulze





Re: Request for permission to upload sl-modem through t-p-u for l10n purposes

2007-03-06 Thread Eduard Bloch
#include hallo.h
* Christian Perrier [Tue, Mar 06 2007, 06:08:18AM]:

> > I was so bold and uploaded the version 2.9.9d+e-pre2-7etch1 to t-p-u
> > based on 2.9.9d+e-pre2-7 built with just the new translation.
> 
> Hmmm, this one ?
 
* t-p-u upload only
* de.po updates by Helge Kreutzmann
* it.po (NEW) bei Luca Monducci

I forgot to add the close tags, sorry.

> 
> Indeed, a complete update of translations in testing should have
> copied the Japanese and French translations from unstable to make
> testing translations as complete as possible.

Do I have a way to know about them if there are no bug reports?
http://ddtp.debian.net/s.html does not display updates for sl-modem, not
even for the two languages mentioned in the changelog.

Eduard.

-- 
Naja, Garbage Collector eben. Holt den Müll sogar vom Himmel.
   (Heise Trollforum über Java in der Flugzeugsteuerung)





Re: Request for permission to upload sl-modem through t-p-u for l10n purposes

2007-03-05 Thread Eduard Bloch
#include hallo.h
* Christian Perrier [Mon, Mar 05 2007, 07:28:40AM]:

> I hereby request for the permission to upload a fixed
> 2.9.9d+e-pre2-7etch1 version in t-p-u with translations grabbed from
> unstable.
> 
> Of course, if Eduard, the maintainer, prefers doing it himself, I will
> let him do it (please contact me, Eduard, to get the needed changes).

I was so bold and uploaded the version 2.9.9d+e-pre2-7etch1 to t-p-u
based on 2.9.9d+e-pre2-7 built with just the new translation.

Eduard.

-- 
weaselTM aber /me wollte ins bett. nacht
cw80 hehe, morgen channel, nacht weasel ;)





Re: svn-buildpackage - broken in etch

2007-01-25 Thread Eduard Bloch
#include hallo.h
* Steve Langasek [Wed, Jan 24 2007, 11:10:04PM]:
> On Tue, Jan 23, 2007 at 08:08:54PM -0700, Wesley J. Landaker wrote:
> > On Tuesday 23 January 2007 17:56, Steve Langasek wrote:
> > > Personally, I'm not sure this is warranted; svn-upgrade is an optional
> > > feature of svn-buildpackage, which I don't think is used by terribly many
> > > maintainers.  And indeed, the changes related to svn_load_dirs alone are
> > > fairly intrusive and arguably not suitable for a t-p-u upload.
> 
> > Eh?! svn-upgrade is *essential* to the typical use of svn-buildpackage; it
> > would be a horrible inconvenience to not be able to use it. I use it for
> > all of my packages.
> 
> Ok, I stand corrected.
> 
> Eduard, do you have any objections to the unstable version of
> svn-buildpackage propagating to etch?

Huch? I asked for that myself on this list two weeks ago and faced the
quick rejection because of t many changes (yeah, aka BUGFIXES
making the majority of them). If you consider adding the unstable
version, please add it.

There are minor issues with the last changes discovered in the meantime
but I think that using the unstable version makes more sense than
keeping the broken one in Woody. Or filtering out the relevant changes
just to work around the one RC bug and closing eyes for the others.

Eduard.

-- 
TCW Schick... es funktioniert!
TCW Und wiedermal ein Bug über den natürlich ich stolpern mußte!
towo Wir koennten TCW als Bugmaneten nutzen.
towo Ueber einer BSP aufhaengen und warten...





please hint svn-buildpackage (0.6.16)

2007-01-12 Thread Eduard Bloch
#include hallo.h

Please allow svn-buildpackage (0.6.16) go into Etch. 

I know the log is a bit excessive but a) the package in Etch is just
broken because the svn_load_dirs tool used in two of three main tools is
missing in the current subversion-tools package, and b) it is a tool for
developers anyway so those who care would upgrade to future unstable,
sooner or later.

Eduard.

svn-buildpackage (0.6.16) unstable; urgency=medium

  [ Eddy Petrișor ]
  * now is possible to store svn-deblayout information in Subversion
properties - namespace is svn-bp:* (Closes: #373295, #377411)
  * add depends on file (Closes: #397611)
  * add support for origUrl (adds also a dependency on wget)
(Closes: #377880)

  [ Gonéri Le Bouder ]
  * add --svn-noninteractive to turn off interactive mode (Closes: #349979)

  [ Eduard Bloch ]
  * svn_load_dir replacement implemented (closes: #399661, #398185), dropped
dependency on subversion-tools. This also solves the user confusion
because of its bizarre output and error handling (closes: #351653)
  * running custom build command through a shell (closes: #376278)
  * disabled some postprocessing sugar with custom build command, makes
more problems than it's worth (closes: #381377). If you use custom
commands, please do also the post-processing. It is even documented (now
also about --svn-linda, closes: #335239). People, please, DO SOME RTFM, it
is not that hard.
  * more carefull checks for UNRELEASED tags in debian/changelog
  * made the the build-dep checking helper ineffective when prebuild hook is
used (closes: #340396)
  * moved the clean command after build-dep check (closes: #348833)
  * tested bzip2 support in svn-inject (closes: #388567)
  * print the actuall svn command to show which repository is beeing accessed
when probing around (closes: #396464). This may have caused Sven's
confusion as well (closes: #327180, reopen if you have new information).
  * added a frontend script from Loïc Minier to
/svn-buildpackage/usr/share/svn-buildpackage/contrib (closes: #389941)
  * manpage fixes and updates by Ted Percival (closes: #374805)
  * exclusion of upstream branch if definitely no files there are modified and
explicit exclusion with --no-branches, based on a patch from Thierry
Reding (closes: #345616)
  * Layout type 2 support based on patch from Steve Kowalik (closes: #338389)
  * carefully weed out empty arguments before exporting (closes: #334608)
  * now really use Q as the default answer at the failure-checking prompt,
patch by Julian Gilbey (closes: #320679, #351611, #342260)
  * switched positions of copy commands in PRINCIPLES fixed, thanks to Thijs
Kinkhorst (closes: #376583)
  * included some more language fixes (closes: #403066) and mentioned the SSH
connection caching in the manual
  * Corrected the trunk/.svn/svn-buildpackage.conf path in the manpage
(closes: #359673). That is enough, I see no good reason for adding a
fallback to trunk/.svn/.svn-buildpackage.
  * alternative lookup in main tags directory when building in
.../branches/... (closes: #399646)
  * removed the reference to the svnbook copy in Debian packages 
(closes: #347854) which has been removed because of licensing issues

 -- Eduard Bloch [EMAIL PROTECTED]  Tue, 26 Dec 2006 16:01:17 +0100

-- 
Why did the chicken cross the road?
Richard M. Nixon:
  The chicken did not cross the road. I repeat, the chicken did NOT
  cross the road.





Re: Bug#387783: Why was bug #387783 downgraded from serious to important?

2006-10-27 Thread Eduard Bloch
severity 387783 serious
thanks

#include <hallo.h>
* Andreas Barth [Thu, Oct 19 2006, 11:27:36AM]:
> * Markus Laire ([EMAIL PROTECTED]) [061019 10:49]:
> > ps. Since the decision to downgrade[2] this bug was done by Andreas
> > Barth, I don't think I have the authority to restore the severity to
> > serious, and so I wanted to contact the Release Team to know what they
> > think about this matter.
>
> Just as a first note - if the maintainers consider this bug as serious,
> it is serious, and they should feel free to upgrade the bug again. I'll
> write something on the remainder soon.

Well, I consider it serious and I am upgrading the severity again.
Ganneff Zomb: feel free.

From my POV (and IANAL) there are not many workarounds:

 - replace cdrecord.c with the version from the last millennium. Problem:
   there are many new features missing and there are some subtle
   changes. They can be reimplemented in few days..weeks, but there is
   some risk that would be not mature enough for a stable release and
   some things are so obvious that JS may come back and cry about
   stolen IP because the code looks similar. Remember SCO.

 - we could package a cdrtools-mixture package, containing:
   GPLed build-system from cdrtools-2.01.01a01 or so
   only files owned/created directly by Schilling
   the resulting cdrecord binary would be available under the
   Schily-GPLWAR (Schilling's GPL-like With Additional Restrictions),
   that is just a provisional name because Schilling does give concrete
   answers. Assuming that this would need to go into non-free, all
   dependent packages would need to be moved to contrib.

   But... OTOH, if we go this way, we could also create a cdrtools-src
   package which our users can use to build custom cdrecord/mkisofs/...
   packages.

 - ignore possible consequences, remove the offending code or disable
   its function by technical measures. That is what some people already
   do.

Eduard.
-- 
True heroism consists in rising above the misery of life.
-- Napoleon I. Bonaparte





Re: Bug#325484: udev = 0.060-1 and kernels = 2.6.12

2005-08-31 Thread Eduard Bloch
#include <hallo.h>
* Roberto C. Sanchez [Tue, Aug 30 2005, 01:06:39AM]:
> > Why?
> >
> Because I roll my own kernel.  If I upgrade the kernel with gcc-3.3
> (currently the Sarge default) and then upgrade to Etch (which will have
> gcc-4.0 for a default) I will run into problems if I decide to add new
> modules to my kernel.  Thus, those with a self-compiled kernel are in a

The compiler - kernel has always been there and has nothing to do
with udev (or any other kernel-stuff-in-userspace troublemaker of the
day).

For modules, you need to know what you are doing.  Unfortunately the
kernel developers seem to be ignorant WRT such things, gcc is
hardcoded in assumption of being a never changing compatibility
constant.

For additional modules packages using module-assistant there is a
workaround that will push the right compiler into the path, but that is
a kludge. It will fail with other module packages that just rely on
the kernel build system and it will fail if you try to build some
extra kernel modules without rebuilding the whole kernel and without
manually forcing the kernel build system to use the correct gcc.

Regards,
Eduard.
-- 
Where did we put the thingy with the thingy?
-- Torsten Spindler



Drop the minor release number

2005-07-08 Thread Eduard Bloch
#include <hallo.h>
* Thomas Hood [Fri, Jul 08 2005, 04:16:01PM]:
> If Debian continues to use the Release When Ready strategy then I would
> suggest that the number of the next release be its ordinal in the
> historical sequence of releases, which is 9 by my reckoning (buzz, rex,
> bo, hamm, slink, potato, woody, sarge, etch).  I see no basis for
> distinguishing some Debian releases as minor ones.  Every release is
> major.
>
> If Debian simply _must_ have decimal points in its release numbers then
> I'd suggest replacing the 'r' in update version numbers with '.'.  Thus
> 9.1 would be the number of the first etch update.

Exactly my point. There is really no reason for having a minor release
number after dot in the Debian version, it just leads people to
pointless discussions like this one.

Even labelling the versions with integer numbers and having a release
every 18 months, we would have about 10 years to get to a state of
number space pollution that has been reached by commercial distros even
now (9.x versions). IMO enough time to do a lot of things.

Therefore I suggest dropping the minor number and giving numbers as
suggested above. In addition, there may be single Latin chars to declare
minimalistic changes (like a fix in CD images, not really affecting the
released version).

Then we would have 

Debian 4.0 for etch, 4.1 for etch stable release 1, 4.2 for etch stable
release 2, 4.2a for etch stable release 2 with a minor CD mastering fix
(for example), etc.pp.

Does the release team agree with this change or do we need another
consensus (or even a GR)?

Regards,
Eduard.

-- 
Susan Ivanova: An expedition to Coronis space found Sheridan's ship a few days
later, but they never found him. All the airlocks were sealed, but there was no
trace of him inside.  Some of the Minbari believe he will come back some day,
but I never saw him again in my lifetime...
 -- Quotes from Babylon 5 --




Re: consider adding apt-cacher 0.9.4 to Sarge

2005-05-27 Thread Eduard Bloch
> > Potential bugs: IMHO not in the parts I worked on (I have adopted the
> > package). The experimental features are disabled by default, disabled in
> > a non-invasive way. The people need to run an upgrade script once but
> > that's all. The cached data is not damaged by the upgrade and can be
> > converted easily.
>
> Approved.

Okay, there have been bugs that I was not aware of, some were self-made
and some not but there is no excuse. I still ask for adding the new
version to Sarge, 0.9.4 this time since the old version was too buggy, I
found even another problem (with 0.8.6) where it deleted unrelated files
during the installation. Changes below.

Thanks,
Eduard.

apt-cacher (0.9.4) unstable; urgency=high

  * removed /var/{log,cache}/apt-cacher from debian/dirs to manage them
    without interferences via postinst/prerm, calling
    install.pl/remove.pl/upgrade.pl (closes: #310990). This bug was hidden
    before and came to daylight after the rewrite of the old (ownership
    overriding) code in 0.9.
  * fixed the size calculation in the access.log (closes: #311001)
  * found another stupid bug in install.pl, it removed the files README and
    README.txt in the directory where dpkg has been started
  * added more visible advisories to run apt-cacher-format-transition.pl in
    NEWS.Debian and README.Debian
  * commented out the allowed_locations example in apt-cacher.conf, it should
    not restrict by default

 -- Eduard Bloch [EMAIL PROTECTED]  Fri, 27 May 2005 18:20:49 +0200

apt-cacher (0.9.3) unstable; urgency=high

  * removed some forgotten debug statements and also a testing die; command
    in the checksumming lib (closes: #310393)
  * fixed the adding of CGI var separator ? in the sample sources.list URLs
    and used &nbsp; to not break the lines on extreme low-res monitors
    (closes: #310387)

 -- Eduard Bloch [EMAIL PROTECTED]  Tue, 24 May 2005 18:42:42 +0200





consider adding apt-cacher 0.9.2 to Sarge

2005-05-26 Thread Eduard Bloch
Hello,

please consider adding apt-cacher 0.9 to Sarge. It's not an easy
decision but I would do that. The current version had the following
problems (summary):

 - for many it is not usable well with apache2: seems to leave many
   zombies with Apache2 in a popular configuration (#310566,
   #281697)
 - had bad locking problems: #251468 (this alone should have been RC, IMHO)
 - could only be used with apache or apache2 (no alternatives because of
   use of proprietary CGI vars). The new version allows usage of
   any httpd-cgi provider (in theory)
 - does not support time stamping, leads to desynchronisation of
   Packages/Release/package files with the remote archive
 - some cruft code I rewrote in 0.9 most likely caused package data
   corruption (#251660)
 - just look at
   http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=apt-cacher , about 20
   bugs would have been fixed by using version 0.9.2

Current bugs in my new version 0.9.2: none (that I am aware of)

Potential bugs: IMHO not in the parts I worked on (I have adopted the
package). The experimental features are disabled by default, disabled in
a non-invasive way. The people need to run an upgrade script once but
that's all. The cached data is not damaged by the upgrade and can be
converted easily.

Regards,
Eduard.
-- 
Ambassador Vir Cotto: Prophecy is a guess that comes true. When it doesn't,
it's a metaphor.
 -- Quotes from Babylon 5 --




Re: please accept gmailfs-0.4

2005-05-18 Thread Eduard Bloch
#include <hallo.h>

Please consider accepting module-assistant 0.9 in Sarge. It mostly
contains cosmetic fixes (manpage updates, new translation) and trivial
changes for things that would begin to bother me some months later,
when Sarge is Stable. Changes attached below.

Regards,
Eduard.

module-assistant (0.9) unstable; urgency=high

  * correcting description of the -i option in the manpage
  * added a rescan method to detect new override files installed by package.
    Important for the future upgrades when Sarge will be stable.
  * a nicer version number ;-)

 -- Eduard Bloch [EMAIL PROTECTED]  Mon, 16 May 2005 01:02:02 +0200

module-assistant (0.8.12) unstable; urgency=high

  * added workarounds in the misdn script (basically disabled
    parts in clean/unpack/purge rules since the package does not follow
    conventions)
  * while working on misdn found and fixed potential bugs in generic.sh (not
    catching some build directory names and beginning of the build not logged)

 -- Eduard Bloch [EMAIL PROTECTED]  Sun, 15 May 2005 14:23:04 +0200

module-assistant (0.8.11) unstable; urgency=medium

  * manpage updates:
    + new goals in the TODO list
    + a-i does not run prepare (recommended prepare elsewhere, closes: #309031)
    + typo and grammar fixes
  * added pt_BR.po from Andre Luis Lopes (closes: #308093)
  * removed control script for cpcieject (package removed, also from Sarge
    now, closes: #307227)


-- 
Captain John Sheridan: Something far worse than the Shadows: reporters.
 -- Quotes from Babylon 5 --




please accept module-assistant 0.9

2005-05-18 Thread Eduard Bloch
#include <hallo.h>

Please consider accepting module-assistant 0.9 in Sarge. It mostly
contains cosmetic fixes (manpage updates, new translation) and trivial
changes for things that would begin to bother me some months later,
when Sarge is Stable. Changes attached below.

Regards,
Eduard.

module-assistant (0.9) unstable; urgency=high

  * correcting description of the -i option in the manpage
  * added a rescan method to detect new override files installed by package.
    Important for the future upgrades when Sarge will be stable.
  * a nicer version number ;-)

 -- Eduard Bloch [EMAIL PROTECTED]  Mon, 16 May 2005 01:02:02 +0200

module-assistant (0.8.12) unstable; urgency=high

  * added workarounds in the misdn script (basically disabled
    parts in clean/unpack/purge rules since the package does not follow
    conventions)
  * while working on misdn found and fixed potential bugs in generic.sh (not
    catching some build directory names and beginning of the build not logged)

 -- Eduard Bloch [EMAIL PROTECTED]  Sun, 15 May 2005 14:23:04 +0200

module-assistant (0.8.11) unstable; urgency=medium

  * manpage updates:
    + new goals in the TODO list
    + a-i does not run prepare (recommended prepare elsewhere, closes: #309031)
    + typo and grammar fixes
  * added pt_BR.po from Andre Luis Lopes (closes: #308093)
  * removed control script for cpcieject (package removed, also from Sarge
    now, closes: #307227)


-- 
Captain John Sheridan: Something far worse than the Shadows: reporters.
 -- Quotes from Babylon 5 --




please approve vpnc 0.3.2+SVN20050326-2 (security flaw)

2005-05-15 Thread Eduard Bloch
Hello,

the current vpnc package in Sarge has a potential security flaw which is
described in the attached .changes contents well enough. Please allow
Sid's version 0.3.2+SVN20050326-2 to go into Sarge, there are AFAICS no
major changes.

The package has been in Sid for 10 days without new bug reports.

Regards,
Eduard.



Format: 1.7
Date: Thu, 05 May 2005 19:39:05 +0200
Source: vpnc
Binary: vpnc
Architecture: source i386
Version: 0.3.2+SVN20050326-2
Distribution: unstable
Urgency: high
Maintainer: Eduard Bloch [EMAIL PROTECTED]
Changed-By: Eduard Bloch [EMAIL PROTECTED]
Description: 
 vpnc   - Cisco-compatible VPN client
Changes: 
 vpnc (0.3.2+SVN20050326-2) unstable; urgency=high
 .
   * added a check for having a slash in the config file specification (now it
 really accepts absolute paths only and not some random, or even malicious,
 script from the current directory). Before, it was like having . on the
 first place in root's $PATH.
   * also reverted the vpnc binary lookup order to limit possible effects of
 a similar problem
Files:
 60672862bbc48a75417a0c5f27b16e83 607 net extra vpnc_0.3.2+SVN20050326-2.dsc
 805b52569907b764d8c46527ff5f29c5 8556 net extra vpnc_0.3.2+SVN20050326-2.diff.gz
 7430a017963a410eefba142dc45361cf 43496 net extra vpnc_0.3.2+SVN20050326-2_i386.deb


-- 
Natural_ another question, where is the video4linux driver located?
con-sole http://www.google.com/search?q=video4linux
Natural_ no, on my system :)


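The slash check that the changelog entry above describes, as an added shell example (not the vpnc package's own wrapper): a bare configuration name is pinned to a fixed directory and relative paths are refused, so that sourcing the file can never pick up a same-named file from the current directory through $PATH. CONF_DIR, the `.conf` suffix and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the vpnc package's own code. Problem being guarded
# against: in POSIX sh, ". name" with a name that has no slash searches
# $PATH for the file, so a writable current directory or a sloppy PATH can
# supply the "configuration" that gets executed as shell code.
# CONF_DIR and the .conf suffix are assumptions for this example.
CONF_DIR="${CONF_DIR:-/etc/vpnc}"

# resolve_conf NAME: print the absolute path to use, or return 1 when NAME
# is empty or relative (anything containing a slash but not starting with one).
resolve_conf() {
    case $1 in
        '')   return 1 ;;                                # nothing given
        /*)   printf '%s\n' "$1" ;;                      # absolute path: taken as is
        */*)  return 1 ;;                                # relative path: refused
        *)    printf '%s/%s.conf\n' "$CONF_DIR" "$1" ;;  # bare name: pinned to CONF_DIR
    esac
}

# load_conf NAME: source the resolved file, or fail without sourcing anything.
load_conf() {
    _path=$(resolve_conf "$1") || return 1
    [ -f "$_path" ] && [ -r "$_path" ] || return 1
    . "$_path"
}
```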


please approve pppoeconf 1.7 for sarge

2005-05-04 Thread Eduard Bloch
#include <hallo.h>

Please allow pppoeconf to go into Sarge. It only fixes few grammar things
and has few lines of code to ensure the interface activation (see
below). This is unfortunately needed in Sarge because the alternative
patch in ppp has been removed (IMO w/o good reason but Md likes it that
way) and that ppp version recently slipped into Sarge without prior
notice of those flaws.

Thanks,
Eduard.

PS: and it disables a dialog call that says nothing important

Index: debian/changelog
===
--- debian/changelog(.../1.6)   (Revision 1676)
+++ debian/changelog(.../1.7)   (Revision 1676)
@@ -1,3 +1,13 @@
+pppoeconf (1.7) unstable; urgency=medium
+
+  * adding automatic activation of the ethernet interface to
+/etc/network/interfaces (closes: #305941, #306331)
+  * minor gramatic fixes in the German translation, typo fixes by Sven
+Dreyer sven.AT.dreyer-net.de (closes: #306100)
+  * removed a redundant dialog call
+
+ -- Eduard Bloch [EMAIL PROTECTED]  Sat, 30 Apr 2005 18:56:22 +0200
+
 pppoeconf (1.6) unstable; urgency=high
 
   * replaced -p with -o in the iptables call (stupid typo, closes: #304219)
Index: pppoeconf
===
--- pppoeconf   (.../1.6)   (Revision 1676)
+++ pppoeconf   (.../1.7)   (Revision 1676)
@@ -78,8 +78,12 @@
 chown root:dip $OPTSFILE
 
 if ! grep -q dsl-provider $INTFILE ; then
-   printf '\niface dsl-provider inet ppp\n provider dsl-provider\n'  
$INTFILE
+   printf '\niface dsl-provider inet ppp\nprovider dsl-provider\n'  $INTFILE
 fi
+
+if ! grep -q line maintained by pppoeconf $INTFILE ; then
+   sed -i -e 's,provider dsl-provider$, provider dsl-provider\n# please do 
not modify the following line\n pre-up /sbin/ifconfig eth0 up # line 
maintained by pppoeconf\n,' $INTFILE
+fi

 umask 177
 # make a secure directory
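Review bot: the new sed at this point writes `pre-up /sbin/ifconfig eth0 up # line maintained by pppoeconf` into $INTFILE before the user has been asked anything, and the OKAY TO MODIFY confirmation further down only warns that $OPTSFILE will be modified, so /etc/network/interfaces is changed without consent. It also hardcodes `eth0` although the interface is not known yet at line 78; the rewrite to $ifacenocomma only happens later inside the `kernel_pppoe` branch. Consider deferring the stanza until the interface has been chosen and confirmed, or at least naming $INTFILE in the confirmation text.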
@@ -218,13 +222,29 @@
   rm -rf $TMP
   exit 1;
fi
-   title=$(gettext 'DSL CONNECTION FOUND')
-   text=$(eval_gettext 'I found an Access Concentrator on $iface. Should I 
setup PPPOE for this connection?')
-   $DIALOG --title $title --clear --yesno $text 15 60
+#   title=$(gettext 'DSL CONNECTION FOUND')
+#   text=$(eval_gettext 'I found an Access Concentrator on $iface. Should I 
setup PPPOE for this connection?')
+#   $DIALOG --title $title --clear --yesno $text 15 60
+#  # STATUS: interface is $iface, we can continue
+  
+  if ! test $fresh_optsfile ; then 
+ title=$(gettext 'OKAY TO MODIFY')
+ text=$(eval_gettext 'If you continue with this program, the configuration 
file $OPTSFILE will be modified. Please make sure that you have a backup copy 
before saying Yes.
 
-   if test $? = 0; then
+Continue with configuration?')
+ $DIALOG --title $title --clear --yesno $text 22 70
+ if test $? != 0 ; then
+rm -rf $TMP
+exit 0
+ fi
+  fi
+
+#   if test $? = 0; then
   if [ $kernel_pppoe ]; then
-# sanity check first
+ # interface activation code - this sucks here, pppd plugin should do 
it as needed
+ sed -i -e s,pre-up 
/sbin/ifconfig[[:space:]]\+[^[:space:]]\+[[:space:]]\+up.#.line.maintained.by.pppoeconf,pre-up
 /sbin/ifconfig $ifacenocomma up # line maintained by pppoeconf, $INTFILE
+
+ # change peers config file, sanity check first
grep -q ^plugin.*rp-pppoe.so $OPTSFILE || echo plugin rp-pppoe.so 
$iface  $OPTSFILE
# disable the pppoe tunnel command
if grep -q '^pty' $OPTSFILE ; then
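Review bot: the interface-activation sed on $INTFILE sits inside `if [ $kernel_pppoe ]`, so on the non-kernel path (the `else` branch below) the placeholder `eth0` stanza written at line 78 is never rewritten to $ifacenocomma; move the sed before the branch if both modes are meant to get a correct pre-up line. Separately, the DSL CONNECTION FOUND prompt, `if test $? = 0; then` and the STATUS comment are left as commented-out lines rather than deleted; with the file under Subversion the dead code should simply go, as it now obscures the `if [ $kernel_pppoe ]` ... `fi` nesting.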
@@ -232,7 +252,7 @@
fi
 
# set the interface
-   sed -i -e s,^plugin.\+rp-pppoe.so[[:space:]]\+[[:alnum:]]*,plugin 
rp-pppoe.so $ifacenocomma, $OPTSFILE
+   sed -i -e s,^plugin.\+rp-pppoe.so[[:space:]]\+[^[:space:]]*,plugin 
rp-pppoe.so $ifacenocomma, $OPTSFILE
 else
# sanity check first, fix the config file
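Review bot: widening `[[:alnum:]]*` to `[^[:space:]]*` in the plugin-line sed is not mentioned in the debian/changelog hunk; add an entry for it, since it changes behaviour on existing configurations: with the old class, a line such as `plugin rp-pppoe.so eth0.1` was only matched up to `eth0`, so the replacement left the `.1` tail glued onto the new interface name, and the new class now matches the whole token consistently with the `[^[:space:]]\+` pattern used for $INTFILE in the previous hunk.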
 
@@ -250,24 +270,11 @@
 # fix final newline
 test -e /etc/ppp/pap-secrets  ( [ $(tail -1 /etc/ppp/pap-secrets | wc 
-l) -eq 0 ] || echo  /etc/ppp/pap-secrets )
 test -e /etc/ppp/chap-secrets  ( [ $(tail -1 /etc/ppp/chap-secrets | wc 
-l) -eq 0 ] || echo  /etc/ppp/chap-secrets )
-  else
-rm -rf $TMP
-exit 1
-  fi
-  # STATUS: interface is $iface, we can continue
-  
-  if ! test $fresh_optsfile ; then 
- title=$(gettext 'OKAY TO MODIFY')
- text=$(eval_gettext 'If you continue with this program, the configuration 
file $OPTSFILE will be modified. Please make sure that you have a backup copy 
before saying Yes.
+#  else
+#rm -rf $TMP
+#exit 1
+#  fi
 
-Continue with configuration?')
- $DIALOG --title $title --clear --yesno $text 22 70
- if test $? != 0 ; then
-rm -rf $TMP
-exit 0
- fi
-  fi
-
   # ask about sane options
   #$DIALOG --title $POPULAR OPTIONS --clear --yesno $Most people using 
popular dialup providers prefer the options 'noauth' and 'defaultroute' in 
their configuration and remove the 'nodetach
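Review bot: the old `else` / `rm -rf $TMP` / `exit 1` / `fi` block is kept as four commented-out lines instead of being removed, which together with the commented block in the earlier hunk leaves two copies of the old control flow in the script; delete them, the history is in Subversion. The OKAY TO MODIFY dialog removed here is the one re-added before the `kernel_pppoe` test above, so the move itself is fine, but the `exit 0` on a negative answer now happens after $INTFILE has already been edited at line 78.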

please allow pppoeconf 1.6 in testing

2005-04-17 Thread Eduard Bloch
Hullo guys,

please migrate pppoeconf version 1.6 into testing. It fixes the really
nasty bug #304219 (messing up the iptables).

Regards,
Eduard.




Re: please update pppoeconf in Sarge

2004-10-10 Thread Eduard Bloch
#include <hallo.h>

> Outdated like hell and fixed many weeks ago. Sarge should really include
> the current version from Debian unstable (1.0.9). Forwarding to -release now.

A fix for one of the bugs was not quite correct. Please add the new
version 1.0.11 of pppoeconf to Sarge.

Eduard.
PS: Once it is there, I can add an experimental option which may make
sense so expect a next mail from this kind some weeks later if Sarge is
not released before that.
-- 
* ij saw his sail number yesterday: G 386
ij 386!! and that to me, of all people! *grumble*
-- ij - Amiga since 1989



please update pppoeconf in Sarge

2004-10-01 Thread Eduard Bloch
Hi Bastian!
Bastian Venthur wrote on Friday, 1 October 2004:

> Package: pppoeconf
> Version: 1.0.4
> Severity: grave
> Justification: renders package unusable

Outdated like hell and fixed many weeks ago. Sarge should really include
the current version from Debian unstable (1.0.9). Forwarding to -release now.

Regards,
Eduard.
-- 
What not to name your child:
  Ali Mente



removing mono packages from (only) Sarge to work around ARM breakage

2004-08-12 Thread Eduard Bloch
Hello,

could you please remove the packages for Mono from Sarge (and only
Sarge)? Or manually force the current versions into Sarge? The current
versions there are completely outdated and buggy and the newer ones do
not get into Sarge because s390 buildd ignores them for unknown reason
and ARM is completely broken. I was able to build it on s390 on one of
our developers' machines but ARM people seem not to provide any shell
access, not a working buildd. So the only good way I see is removing the
old versions of mono and mcs from Sarge and let the newer ones sink down
into Testing (built for i386/ppc/s390).

BTW: what is the situation with ARM? IMO it is not keeping up and should
be removed from the Sarge architectures. Currently, it blocks the whole
process and makes it appear uncontrollable. Please post some news to
debian-devel-announce.

Regards,
Eduard.
-- 
janw I installed the wrong graphics card under Debian, how can I
change that?
fd0 janw: open up the computer, card out, the right card in,
screw it shut, boot, done.



Re: 3.0.22 plan, translations (b-f bugs dropping like flies.)

2002-03-29 Thread Eduard Bloch
#include <hallo.h>
David Kimdon wrote on Thu Mar 28, 2002 at 10:17:53AM:

> b-f bugs : 139595, more bugs should be fixed, no more bugs should be
>  introduced

Done. Not nice, I had to drop two languages, but we should have language
packs on the CD now.

Addition: I have a (hopefully) final version of the bf2.4 kernel,
currently waiting for a patch to fix the broken PLIP driver in 2.4.18.

> modconf: 137547 is fixed in cvs, we need that uploaded, along with any
>  other bugs that can be fixed.

Could you do, you made the recent changes.

> debian-cd: there are a couple of pending bugs, including one that will
>  allow for all languages to be available on the CD, that will be
>  great to see.
> net-inst: do net-inst/mini-iso cds have the extra language packs, can they?

At least for i386, the i386-special/mini-cd.iso script can produce
netinst images for each BF flavor, with or without basedebs.tar

> debian-dvd: do we want to make official debian dvd's?  what is
>  involved?

AFAIK debian-cd should be able to produce an iso9660 image of any size,
so it should work for DVDs too. I do not think that distributing the
whole image on all mirrors makes much sense - it is IMHO possible to keep
the DVD image on few servers. End users can cat CD images into one
file and let rsync cook a DVD image from this file. Or isn't this new
Jigdo method usable for this purpose?

Regards,
Eduard.
-- 
-!- Gromitt_ is now known as Gromitt
@Getty oh crap, gromitt is waking up
@Getty and I've done so many lines in the last 24 hours
@Getty and now he's back again ;)
-- #debian.de

