Bug#989425: Libpam-chroot/0.9-5 uploaded

[Javier Fernandez-Sanguino]

tags 989425 -moreinfo
thanks

Libpam-chroot 0.9-5 has been uploaded to unstable.

Best regards

Javier

Bug#986908: unblock: snort 2.9.15.1-5

[Javier Fernandez-Sanguino]

On Mon, 19 Apr 2021 at 23:24, Chris Hofstaedtler  wrote:

> > $ debdiff snort_2.9.15.1-4_i386.deb snort_2.9.15.1-5_i386.deb
> [..]
>
> The debdiff does not seem to show any actual packaging changes. Are
> you sure you diffed the correct files?
>

Apologies, I sent a debdiff of the binary packages. I will send a debdiff
of the source packages soon.

Best regards

Javier

Bug#892793: stretch-pu: package cron/128+deb9u2

[Javier Fernandez-Sanguino]

Dear Michael,

On 13 March 2018 at 01:03, Michael Biebl  wrote:
> Am 13.03.2018 um 00:43 schrieb Javier Fernández-Sanguino Peña:
>> +After=remote-fs.target nss-user-lookup.target
>
> Why is the remote-fs.target ordering necessary? That doesn't seem
> correct to me.

Why doesn't that look correct to you?

Please note that cron's init file already had a dependency on remote
mount points being available (autofs - see bug #512757).
Remote-fs.target was added  to the cron.service file due to bug
#815088 (in version 3.0pl1-128.1, available in unstable following a
NMU in Oct 2017). I just added to this proposed upload for coherence.

Cron system tasks do not depend on user's directories being mounted.
However, crontab tasks defined by local users might depend on remote
mount points being available in the systems (e.g. their /home).

Best regards

Javier

Re: [release-notes] The two last weeks up to the release

[Javier Fernandez-Sanguino]

Dear Niels,


El 5 jun. 2017 9:23 a. m., "Niels Thykier"  escribió:


I admit it is not a lot of time to finish.  But it should get us a lot
of the way while hopefully leaving enough time for everyone to do their
part.


Thank you for providing a plan for both proofreading, reviews and
translations. With my translator's hat own, I think It is really helpful to
have a plan like this in order to plan days of work.

Best regards,

Javier

Re: snort/daq mess in testing.

[Javier Fernandez-Sanguino]

On 5 November 2014 23:53, Peter Michael Green
plugwash-urg...@p10link.net wrote:

 While checking up on the changes to the list of uninstallable packages in 
 arm64 testing I noticed the following had appeared due to the migration of a 
 new version of snort to testing.

 snort2.9.7.0-3unsatisfied dependency on libdaq0
 snort-common-libraries2.9.7.0-3unsatisfied dependency on libdaq0


 Initially I thought this was just another case of need to schedule a binnmu 
 in TPU but unfortunately the reality is a lot more horrible than that.

 On further investigation it seems that

 1: sid has a bogus libdaq0 package that actually contains libdaq.so.2. The 
 package has been correctly renamed in the most recent sid upload but the 
 bogus package is still arround.

The libdaq0 package should be removed from sid. The 'daq' source
package now builds only libdaq2 (which replaces libdaq0). For some
reason the latest version (2.0.4-3) has not yet been built by the
autobuildds, it should have migrated to testing by now.

I probably messed up something in this transition, I tried to go by
the book but I'm not sure I did it properly.


 2: snort appears (from the build logs and from lack of daq related output in 
 ldd) to be statically linked against sid's libdaq but for reasons I do not 
 know (maybe something to do with plugins) it has an unversioned dependency on 
 libdaq0

This seems to be something that upstream does and I was not aware of.
I will have to review if we can change this in the Snort Debian build
for future releases.


 I don't think it's really acceptable to have a package in jessie statically 
 linked against a substantially newer version of the library then is shipped 
 in jessie.

Agreed.



 So as I see it there are a few possible soloutions but none of them are great 
 (not advocating one over another, just saying what the options appear to be, 
 I'm just a regular dd who came across brokenness, not a release team member 
 or ftpmaster)

 1: complete the transition, build everything against the new snort and ship 
 that in jessie.


I would be in favor of this one.


 2: remove the arm64 snort binaries, perform +b2 binnmus of snort in sid and 
 +b1 binnmus of snort in tpu. Make sure the +b2 binnmus don't migrate to 
 testing (depending on how the dependencies are generated this may be tricky)
 2a: same as 2 but fix the daq package for arm64 through TPU rather than 
 removing the arm binaries of snort.
 3: revert daq in unstable using an epoch or a +really version number. Remove 
 arm64 binaries of daq and snort from sid and rebuild snort against the 
 reverted daq.

I would prefer to provide the latest daq version in unstable, the old
one should be removed.


 3a: same as 3 but fix the arm64 build of daq when reverting it.
 4: completely remove snort from testing

 It's also quite possible that snort is not the only package caught up in this.

It is, as far as  I know daq is not used by any other package.

 I have not investigated at this point if fixing up testings version of daq 
 for arm64 is a trivial fix or not (it fails with an outdated config.sub 
 which is trivial to fix but I dunno if that's the only issue)

The daq version in testing should be updated with the 2.0.4-3 version


Regards

Javier


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/cab9b7ust7rjxjnpruemln7xn71hml13dfq8lfoujybxt2uy...@mail.gmail.com

Bug#706653: Pre-approval, unblock: debian-history/2.19

[Javier Fernandez-Sanguino]

On 22 May 2013 23:27, David Prévot taf...@debian.org wrote:
 Javier, given your last edition dates from over two weeks, and a point
 release is scheduled in three weeks, is it OK for you to get the
 remaining (main) translations updated, and to pursue the initial goal?
 In case you don’t have time to finish it, or to reply to that thread in
 the coming days, I’ll issue another call for translation updates and
 will continue the process in order to have things ready for next week.

I have sent a trasnlation update call to the translators' mailing list
as well as to the individiual maintainers of specific translations
which could easily be fully up-to-date with latest document changes.

We will give some time for translators to send updated translations
and then we will make an upload to stable with the updated document as
well as the translators. The current target for this upload is June
1st. I hope that leaves enough time for it to get the updated package
into the next point release. Does it?

Best regards

Javier


--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CAB9B7UuJpPf+xddG6Ntf8m=j5r7g_mznjgctbtgqn1_my0+...@mail.gmail.com

Please accept doc-debian 6.1 into testing (Wheezy)

[Javier Fernandez-Sanguino]

Hi there,

Please unblock doc-debian so that the latest version moves over into
Wheezy. This package only ships documentation and it should not impact
any other stuff.

Wheezy currently ships doc-debian 4.0.2, the same version that was
shipped with the previous release. I believe that it is blocked due to
bug #614497, which applies to the doc-debian version 4.0.2 also.

Since doc-debian includes documents relevant to the project (the
Constitution, the Social Contract) it would be best if the latest
version is shipped with the Wheezy release.

Regarding bug #614497, please note that there is work ongoing
regarding bug #388141, which seems will be resolved throughout the
year, and once that bug is fixed #614497 would go away too.

Thanks,

Javier


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/cab9b7usbdzobbrq0cmg4mpgaoakknvs_jdyjzmdd3ywxdna...@mail.gmail.com

Removal request of OpenVAS packages from testing

[Javier Fernandez-Sanguino]

Dear Release Managers,

I would like to request you to remove *all* of the OpenVAS 2.x
packages from the current testing distribution. This includes the
following packages:

- libopenvas2 /  libopenvas2-dev (version 2.0.4-2.1)
- libopenvasnasl2 / libopenvasnasl2-dev (version 2.0.2-2.1)
- openvas-client (version 2.0.5-1.1)
- openvas-plugins-base / openvas-plugins-dfsg (version 1:20100705-2)
- openvas-server / openvas-server-dev (version 2.0.3-6)

Support for OpenVAS 2 was discontinued last year [2]. Providing
OpenVAS 2 to our Debian 'stable' users in our upcoming release is not
really a good idea. Even though the scanner/client works 'as it is',
users will not be able to download new plugins for this release from
the OpenVAs servers and it will not be possible for them to find
recent vulnerabilities in hosts they scan.

For the last  2 years I have provided experimental versions of OpenVAS
3, which seem to have not received to much attention from users. In
any case since that version is also going to be discontinued upstream.
Since the latest OpenVAS release is version 5 [1]  (released May this
year) I will work towards providing OpenVAS 5 in our unstable
distribution. And, once available, will try to make backports
available for Wheezy too.

Removing the OpenVAS 2 packages from testing simplifies handling
upgrades to the newer version and also installations of the backports
of OpenVAS 5 packages in Wheezy.

Please let me know if I should open up an RC bug against these
packages for this removal.

Thanks,

Javier


[1] http://www.openvas.org/news_archive.html#openvas5

[2] 
http://lists.wald.intevation.org/pipermail/openvas-announce/2011-June/000127.html


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CAB9B7Us6GKR=tufmdbmrtaumoboiiforpsc_cmkxnobnp3j...@mail.gmail.com

Re: NMU

[Javier Fernandez-Sanguino]

Thanks for the NMU, I did not have time this week to make an upload myself.

Regards

Javier

PS: If I have time I might make an upload soon with the same changes,
in order to acknowledge the NMU


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/cab9b7ustwhj1mczkl6czjnbar4n282rvtdusrfiuntgrpw2...@mail.gmail.com

Re: ifupdown-extra upload to stable-proposed-updates

[Javier Fernandez-Sanguino]

2011/9/28 Adam D. Barratt a...@adam-barratt.org.uk:
 Unfortunately, after some more detailed review of the diff and some
 testing, I'm afraid we've had to reject the upload, as it stands.

 The issue is the move of the conffile simply using mv.  This leads to
 dpkg raising a conffile change prompt on upgrades even if the user has
 not made any changes.  Note that this issue also affects the package in
 unstable, so would need resolving there first.

Ok. I will fix this and re-upload to stable.

Regards

Javier


--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/cab9b7uvror20txsocydymr773xwnj4srf0qdlwchm8bjido...@mail.gmail.com

Re: ifupdown-extra upload to stable-proposed-updates

[Javier Fernandez-Sanguino]

2011/6/13 Adam D. Barratt a...@adam-barratt.org.uk:
 On Sun, 2011-06-12 at 23:25 +0200, Javier Fernández-Sanguino Peña wrote:
 The last of the changes in the list above has this changelog entry
 associated with it:

 +  * if-up-scripts/static-routes:
 +      - Fix typo that prevent the script from adding routes as it expected 
 them
 +        to have 'reject' when they shouldn't. Thanks to Mathieu Parent and
 +        to Petru Ratiu for the patches. (Closes: #613632, #458395) (LP: 
 #631533)

 but actually appears to both fix a bug (the inverted sense of the
 reject test) and introduce new functionality relative to the current
 version in stable, namely the adding of routes which _do_ have reject
 associated with them.  Is that correct?

You are right. I will strip off the new functionality and just fix the bug.

 The second query is more of a comment really.  I appreciate that this
 isn't a regression from the previous matching code, but it seems to me
 that this:

  add_static_routes() {
 -       cat $ROUTEFILE | egrep ${IFACE}$ |
 +       cat $ROUTEFILE | egrep ^[^#].*${IFACE}$ |

 will match a line of foo bareth0 in the route file where $IFACE
 contains eth0.  I'm not sure if this is an issue in practical use of
 the package though.

Hmmm.. .it is not fully a regression since it behaves similarly to how
it did previously, but the regular expression could be improved so
that it only matched $IFACE when it is a full word and not part of it.
It is not that common to have similarly named interfaces, but I do
agree that this, under some circumstances, could trigger a bug.

I will ammend the regular expression in unstable and in the upload to
proposed-updates.

It is my understanding that fixing these two issues I could go ahead
and do an unpload to 'stable'?


Regards

Javier


--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/BANLkTi=tbsa9-cxvl1j+3xav0knsmrg...@mail.gmail.com

Bug#609843: unblock: snort/2.8.5.2-7

[Javier Fernandez-Sanguino]

On 21 January 2011 22:55, Adam D. Barratt a...@adam-barratt.org.uk wrote:
 On Fri, 2011-01-21 at 21:47 +0100, Javier Fernandez-Sanguino wrote:
 It's in my todo list for this weekend.

 That's great; thanks for the update.

I uploaded a new version to the archive fixing this and another bug
(that affects upgrades from squeeze) a few hours ago. Sorry for the
delay.

Regards

Javier



-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/AANLkTi=cg41uoekgyvlzrt4+iattx7edprhtdxx-z...@mail.gmail.com

Bug#609843: unblock: snort/2.8.5.2-7

[Javier Fernandez-Sanguino]

Hello Adam,

It's in my todo list for this weekend.

Javier

El 21/01/2011 14:08, Adam D. Barratt a...@adam-barratt.org.uk escribió:

On Tue, January 18, 2011 23:51, Javier Fernandez-Sanguino wrote:
 2011/1/18 Adam D. Barratt adam@a...
Thanks.  Any estimate on when you'll have chance to make the new upload?

Regards,

Adam

Bug#609843: unblock: snort/2.8.5.2-7

[Javier Fernandez-Sanguino]

2011/1/18 Adam D. Barratt a...@adam-barratt.org.uk:
 On Thu, 2011-01-13 at 00:09 +0100, Javier Fernández-Sanguino Peña wrote:
 Please unblock the snort package version 2.8.5.2-7. This package fixes the
 following RC bugs: #608590, #603428 and  #566308

 So, after having stared at it for a while, I think I've convinced myself
 that the configuration management code isn't entirely crazy, which is a
 good start; on the other hand, this, from each of
 snort{,-inline,-mysql,-pgsql}.prerm looks odd:

 +                start-stop-daemon --stop --quiet --oknodo --exec 
 /usr/sbin/nessusd

That shouldn't be there. I don't know how or when this got in but I
will remove it as soon as possible.

Regards

Javier



--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/AANLkTi=_KyQQ2rtqGt1yFzoNJ6FD+t37D1O+kR8TKX=k...@mail.gmail.com

Re: Request unblock for snort 2.8.5.2-5 (in 7 days)

[Javier Fernandez-Sanguino]

On 1 January 2011 19:53, Julien Cristau jcris...@debian.org wrote:
(...)
 This screams of policy violation.  Are user modifications to a
 configuration file actually overwritten?

Errr... yes. You are right that this should not happen.

Actually, in the previous releases this already happened when the
changes were done in a section of the other configuration file
(/etc/snort/snort.conf). So the package in squeeze already does this
already, but to another configuration file and it is not so evident.

The situation is improved somewhat in that now the contents are
automatically written to a configuration file
(/etc/snort/database.conf) and not a conffile provided by the package
(previously, /etc/snort/snort.conf) so that user's will not get a
conffile changed prompt in upgrades.

In addition, upon reviewing the code, this also applies to
pre-existing changes done through debconf to
/etc/snort/snort.debian.conf although the comment in the file is not
so self-evident.

I will try to work on this in order to properly preserve local admin
changes. It might take me some time, however, to get that fixed. In
the meantime I will file a serious bug for the previous version too.

Regards

Javier


--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/aanlktimwjc4k66trhjyaedmsq_r7zboon9oypu8rz...@mail.gmail.com

Re: CfH: Some issues regarding the lenny release notes

[Javier Fernandez-Sanguino]

2009/2/2 W. Martin Borgert deba...@debian.org:
 0. Credits

   I added some author and translator names to the file
   en/release-notes.dbk. If your name or the name of your
   favourite contributor is not yet in, please just patch the
   file. If the existing information is inaccurate, patch it.
   Maybe we can also remove some names, which do not apply to
   the current state anymore.

In my opinions translators should only appear in the relevant
translation document, not in all languages. Having, for eg, the
bielorussian's translators name in the spanish translation of the
Release Notes does not make sense. Maybe it should be best to have
something like:
# TRANSLATORS: Please introduce here the name of the people
# you want to credit both for current and past translations
msgid The translation teams for each of their respective languages
msgstr 

And have translation teams introduce in the translation whatever they
feel appropiate. I'm not sure how the 'hidden

Also, either all credits should have email addresses or none should,
doing a mix of some do, some don't looks odd.

Just my 2c

Regards

Javier


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Re: Please unfreeze snort 2.7.0-20

[Javier Fernandez-Sanguino]

2008/11/2 Adeodato Simó [EMAIL PROTECTED]:
 * Javier Fernández-Sanguino Peña [Mon, 27 Oct 2008 21:56:52 +0100]:

 Hello, Javier.

 Snort 2.7.0-20, recently uploaded to unstable, introduces a fix for a known
 security vulnerability (CVE-2008-1804). Please unfreeze this package so that
 the fix can move into Lenny.

 The i386 binaries that were uploaded to t-p-u depended on the pcre3 on
 unstable (they were built in an unstable system/chroot and not in a
 testing one). They hence can't migrate to testing.

I'm postitive I built them in a lenny chroot. I don't know what
happened there. Will check.

Regards

Javier


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: Re: Erich Schubert: SELinux support is a release goal for etch

[Javier Fernandez-Sanguino Pen~a]

(Please CC: me, I'm not in the list)

Uwe Hermann said:

Is there any quickstart document I should read to get myself up to speed?
Any TODO list for Debian which contains items a SELinux newbie could
tackle?


Maybe that is one of the things that prevents users and developers from 
running or enabling SElinux, there is currently not much information to 
describe what a user needs to do in Debian in order to benefit from it. 
What's more, if you Google it out you might end up with bits that are 
not updated and do not apply anymore.


Manoj gave an excellent talk on SElinux at Debconf6, and the wiki points 
to three different pages [0]


The Debian Security Manual does not currently have a section on SELinux, 
it is only mentioned, in passing at the Adding kernel patches  section [1]


I would gladly add a separate section on SElinux to the Manual if 
somebody from the team would write one. It doesn't have to be 
excessively detailed, it could maybe be written based on Manoj's [2] or 
Russel's [3] pages. But somebody has to do it (maybe even talk to Manoj 
to get him to attach a proper license to this brief HOWTO so that it can 
be reused in the Manual)


I'm not knowledgeable enough on SELinux to do it myself, and I cannot 
spare time to tinker with it, but if someone where to do it I think that 
might spur more users and developers...


My 2c.

Javier

[0]   http://wiki.debian.org/SELinux, 
http://wiki.debian.org/SELinuxSetup and http://wiki.debian.org/SELinuxStatus


[1] 
http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html#s-kernel-patches


[2] http://www.golden-gryphon.com/software/security/selinux.xhtml

[3] http://www.coker.com.au/selinux/


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]