Bug#1072035: bookworm-pu: package dns-root-data/2024041801

[Marco d'Itri]

On May 27, Jonas Meier  wrote:

>   [ ] attach debdiff against the package in (old)stable

diff -Nru dns-root-data-2023010101/debian/changelog 
dns-root-data-2024041801~deb12u1/debian/changelog
--- dns-root-data-2023010101/debian/changelog   2023-01-11 16:00:11.0 
+0100
+++ dns-root-data-2024041801~deb12u1/debian/changelog   2024-05-30 
14:02:49.0 +0200
@@ -1,3 +1,19 @@
+dns-root-data (2024041801~deb12u1) bookworm; urgency=medium
+
+  * Rebuild for bookworm. (Closes: #1072035)
+
+ -- Marco d'Itri   Thu, 30 May 2024 14:02:49 +0200
+
+dns-root-data (2024041801) unstable; urgency=medium
+
+  * Add myself to the Uploaders field, as discussed with Ondřej.
+  * Fix the package description. (Closes: #1064829)
+  * Update the expired Verisign GRS PGP key.
+  * Update the root hints file to version 2024041801, with:
++ updated A and  records for B. (Closes: #1054393)
+
+ -- Marco d'Itri   Tue, 21 May 2024 16:25:44 +0200
+
 dns-root-data (2023010101) unstable; urgency=medium
 
   * merge current root hints and signatures (same contents as before)
diff -Nru dns-root-data-2023010101/debian/control 
dns-root-data-2024041801~deb12u1/debian/control
--- dns-root-data-2023010101/debian/control 2022-12-21 00:52:11.0 
+0100
+++ dns-root-data-2024041801~deb12u1/debian/control 2024-05-21 
16:25:42.0 +0200
@@ -4,6 +4,7 @@
 Maintainer: dns-root-data packagers 
 Uploaders:
  Daniel Kahn Gillmor ,
+ Marco d'Itri ,
  Ondřej Surý ,
  Robert Edmonds ,
 Build-Depends:
@@ -13,7 +14,7 @@
  openssl,
  unbound-anchor,
  xml2,
-Standards-Version: 4.6.1
+Standards-Version: 4.7.0.0
 Homepage: https://data.iana.org/root-anchors/
 Vcs-Git: https://salsa.debian.org/dns-team/dns-root-data.git
 Vcs-Browser: https://salsa.debian.org/dns-team/dns-root-data
@@ -24,7 +25,7 @@
 Multi-Arch: foreign
 Depends:
  ${misc:Depends},
-Description: DNS root data including root zone and DNSSEC key
+Description: DNS root hints and DNSSEC trust anchor
  This package contains various root zone related data as published
  by IANA to be used by various DNS software as a common source
  of DNS root zone data, namely:
Binary files /tmp/osYYJAlpQA/dns-root-data-2023010101/registry-admin.key and 
/tmp/1ohQbBsBE0/dns-root-data-2024041801~deb12u1/registry-admin.key differ
diff -Nru dns-root-data-2023010101/root.hints 
dns-root-data-2024041801~deb12u1/root.hints
--- dns-root-data-2023010101/root.hints 2023-01-11 08:22:00.0 +0100
+++ dns-root-data-2024041801~deb12u1/root.hints 2024-05-21 16:25:42.0 
+0200
@@ -9,8 +9,8 @@
 ;   on server   FTP.INTERNIC.NET
 ;   -OR-RS.INTERNIC.NET
 ;
-;   last update: January 01, 2023
-;   related version of root zone: 2023010101
+;   last update: April 18, 2024
+;   related version of root zone: 2024041801
 ; 
 ; FORMERLY NS.INTERNIC.NET 
 ;
@@ -21,8 +21,8 @@
 ; FORMERLY NS1.ISI.EDU 
 ;
 .360  NSB.ROOT-SERVERS.NET.
-B.ROOT-SERVERS.NET.  360  A 199.9.14.201
-B.ROOT-SERVERS.NET.  360    2001:500:200::b
+B.ROOT-SERVERS.NET.  360  A 170.247.170.2
+B.ROOT-SERVERS.NET.  360    2801:1b8:10::b
 ; 
 ; FORMERLY C.PSI.NET 
 ;
Binary files /tmp/osYYJAlpQA/dns-root-data-2023010101/root.hints.sig and 
/tmp/1ohQbBsBE0/dns-root-data-2024041801~deb12u1/root.hints.sig differ

-- 
ciao,
Marco


signature.asc
Description: PGP signature

Bug#1057089: bullseye-pu: package usrmerge/37~deb12u1

[Marco d'Itri]

On Nov 29, Andreas Beckmann  wrote:

> Improve the usrmerge experience in bookworm.
Great idea, thank you for working on this!

-- 
ciao,
Marco


signature.asc
Description: PGP signature

Bug#1050681: bookworm-pu: package inn2/2.7.1-1~deb12u1

[Marco d'Itri]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: i...@packages.debian.org
Control: affects -1 + src:inn2

This stable upload contains two patches backported from the upstream 
repository on request of the upstream maintainer.
The patches are also part of the package which is currently in testing.

One patch fixes hangs in nnrpd, while the other allows the package to 
process the high-precision syslog timestamps format which is currently 
the default for Debian.

The package also contains a minor security fix which changes the default 
permissions of two configuration files which contain secrets, which has 
already been added to the next unstable upload.

For a better view of the changes please see
https://salsa.debian.org/md/inn2/-/commits/bookworm .

-- 
ciao,
Marco
diff -Nru inn2-2.7.1/debian/changelog inn2-2.7.1/debian/changelog
--- inn2-2.7.1/debian/changelog	2023-05-01 19:25:42.0 +0200
+++ inn2-2.7.1/debian/changelog	2023-08-28 02:04:59.0 +0200
@@ -1,3 +1,13 @@
+inn2 (2.7.1-1~deb12u1) bookworm; urgency=medium
+
+  * Added patch backport_a1f2e9323: this upstream commit fixes nnrpd hangs
+when compression is enabled.
+  * Added patch backport_f7d111aad: this upstream commit adds support for
+high-precision syslog timestamps which now are the default in Debian.
+  * Made inn-{radius,secrets}.conf not world readable.
+
+ -- Marco d'Itri   Mon, 28 Aug 2023 02:04:59 +0200
+
 inn2 (2.7.1-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru inn2-2.7.1/debian/patches/backport_a1f2e9323 inn2-2.7.1/debian/patches/backport_a1f2e9323
--- inn2-2.7.1/debian/patches/backport_a1f2e9323	1970-01-01 01:00:00.0 +0100
+++ inn2-2.7.1/debian/patches/backport_a1f2e9323	2023-08-28 02:04:59.0 +0200
@@ -0,0 +1,154 @@
+From: Enrik Berkhan 
+Subject: nnrpd: avoid hang due to misplaced select()
+Origin: upstream, commit:a1f2e932338a17eb4111243f29fcade52d39e0a7
+
+The select() call in nnrpd's input data processing is moved right
+before the related read() call to avoid blocking when it shouldn't.
+
+Without this change, there could still remain data to be inflated, that
+has already been read, if compression had been activated.  The select()
+can then time out because the client might already have sent all data
+before, and the yet to be inflated data will not be used until after
+the timeout.
+
+Resolves: #269
+
+diff --git a/nnrpd/line.c b/nnrpd/line.c
+index fc68b15dd..6c048720c 100644
+--- a/nnrpd/line.c
 b/nnrpd/line.c
+@@ -79,12 +79,11 @@ line_reset(struct line *line)
+ }
+ 
+ /*
+-**  Timeout is used only if HAVE_OPENSSL is defined.
+ **  Returns -2 on timeout, -1 on read error, and otherwise the number of
+ **  bytes read.
+ */
+ static ssize_t
+-line_doread(void *p, size_t len, int timeout UNUSED)
++line_doread(void *p, size_t len, int timeout)
+ {
+ ssize_t n;
+ 
+@@ -122,6 +121,22 @@ line_doread(void *p, size_t len, int timeout UNUSED)
+ }
+ #endif /* HAVE_ZLIB */
+ 
++/* It seems that the SSL_read cannot be mixed with select()
++ * as in the current code.  TLS communicates in its own data
++ * blocks and handshaking.  The line_doread using SSL_read
++ * could return, but still with a partial line in the SSL_read
++ * buffer.  Then the server TLS routine would sit there waiting
++ * for completion of that data block while nnrpd sat at the
++ * select() routine waiting for more data from the server.
++ *
++ * Here, we decide to just bypass the select() wait.  Unlike
++ * innd with multiple threads, the select on nnrpd is just
++ * waiting on a single file descriptor, so it is not really
++ * essential with blocked read like SSL_read.  Using an alarm
++ * signal around SSL_read for non active timeout, TLS works
++ * without dead locks.  However, without the select() wait,
++ * the IDLE timer stat won't be collected...
++ */
+ #ifdef HAVE_OPENSSL
+ if (tls_conn) {
+ int err;
+@@ -152,9 +167,38 @@ line_doread(void *p, size_t len, int timeout UNUSED)
+ xsignal(SIGALRM, SIG_DFL);
+ } else
+ #endif /* HAVE_OPENSSL */
++{
++fd_set rmask;
++int i;
++
++/* Wait for activity on stdin, updating timer stats as we go. */
++do {
++struct timeval t;
++
++FD_ZERO();
++FD_SET(STDIN_FILENO, );
++t.tv_sec = timeout;
++t.tv_usec = 0;
++TMRstart(TMR_IDLE);
++i = select(STDIN_FILENO + 1, , NULL, NULL, );
++TMRstop(TMR_IDLE);
++if (i == -1 && errno != EINTR) {
++syswarn("%s can't select", Client.host);
++break;
++}
++} while (i == -1);
++
++ 

Bug#1050542: bookworm-pu: package openbsd-inetd/0.20221205-2+deb12u1

[Marco d'Itri]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
Control: affects -1 + src:openbsd-inetd

This is needed to fix #1050208, introduced in bookworm, which makes 
inetd crash on configuration reloads.

The fix is in the change to patches/default_v4v6, everything else is 
improvements to the test suite and more tests (also to catch this 
specific problem).

0.20221205-2+deb12u1 is a no changes rebuild of the package currently in 
testing.

For a better view of the changes please see
https://salsa.debian.org/md/openbsd-inetd/-/commits/master .

-- 
ciao,
Marco
diff -Nru openbsd-inetd-0.20221205/debian/changelog openbsd-inetd-0.20221205/debian/changelog
--- openbsd-inetd-0.20221205/debian/changelog	2023-01-02 14:33:50.0 +0100
+++ openbsd-inetd-0.20221205/debian/changelog	2023-08-26 00:34:16.0 +0200
@@ -1,8 +1,21 @@
+openbsd-inetd (0.20221205-2+deb12u1) bookworm; urgency=medium
+
+  * Rebuilt for bookworm.
+
+ -- Marco d'Itri   Sat, 26 Aug 2023 00:34:16 +0200
+
+openbsd-inetd (0.20221205-2) unstable; urgency=medium
+
+  * Updated the Debian patch default_v4v6 to fix fix a double free and
+a memory leak on configuration reloads. (Closes: #1050208)
+
+ -- Marco d'Itri   Wed, 23 Aug 2023 12:49:41 +0200
+
 openbsd-inetd (0.20221205-1) unstable; urgency=medium
 
   * New CVS snapshot.
   * When just "tcp" or "udp" is specified in inetd.conf, now inetd defaults
-to runnning two servers: one for IPv4 and one for IPv6 traffic.
+to running two servers: one for IPv4 and one for IPv6 traffic.
 This is identical to specifying both e.g. "tcp4" and "tcp6".
 The old semantics of only accepting IPv4 connections can be restored
 by using "tcp4" or "udp4".
diff -Nru openbsd-inetd-0.20221205/debian/copyright openbsd-inetd-0.20221205/debian/copyright
--- openbsd-inetd-0.20221205/debian/copyright	2023-01-01 22:49:25.0 +0100
+++ openbsd-inetd-0.20221205/debian/copyright	2023-08-23 03:00:22.0 +0200
@@ -29,10 +29,3 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
 
-setproctitle.c and discard_stupid_environment() come from netkit 0.17,
-patched by the USAGI project.
-
-strlcpy.c comes from the openbsd source tree, slightly edited.
-
-bsd-closefrom.c comes from the openssh source tree, slightly edited.
-
diff -Nru openbsd-inetd-0.20221205/debian/NEWS openbsd-inetd-0.20221205/debian/NEWS
--- openbsd-inetd-0.20221205/debian/NEWS	2023-01-02 03:09:21.0 +0100
+++ openbsd-inetd-0.20221205/debian/NEWS	2023-08-23 12:46:59.0 +0200
@@ -1,7 +1,7 @@
 openbsd-inetd (0.20221205-1) unstable; urgency=medium
 
   * When just "tcp" or "udp" is specified in inetd.conf, now inetd defaults
-to runnning two servers: one for IPv4 and one for IPv6 traffic.
+to running two servers: one for IPv4 and one for IPv6 traffic.
 This is identical to specifying both e.g. "tcp4" and "tcp6".
 The old semantics of only accepting IPv4 connections can be restored
 by using "tcp4" or "udp4".
diff -Nru openbsd-inetd-0.20221205/debian/openbsd-inetd.preinst openbsd-inetd-0.20221205/debian/openbsd-inetd.preinst
--- openbsd-inetd-0.20221205/debian/openbsd-inetd.preinst	2023-01-02 02:45:43.0 +0100
+++ openbsd-inetd-0.20221205/debian/openbsd-inetd.preinst	2023-08-23 03:06:12.0 +0200
@@ -54,14 +54,6 @@
 install)
 create_inetd
 ;;
-
-upgrade|abort-upgrade)
-;;
-
-*)
-echo "$0 called with unknown argument '$1'" >&2
-exit 1
-;;
 esac
 
 #DEBHELPER#
diff -Nru openbsd-inetd-0.20221205/debian/patches/default_v4v6 openbsd-inetd-0.20221205/debian/patches/default_v4v6
--- openbsd-inetd-0.20221205/debian/patches/default_v4v6	2023-01-02 02:30:41.0 +0100
+++ openbsd-inetd-0.20221205/debian/patches/default_v4v6	2023-08-23 02:45:43.0 +0200
@@ -44,37 +44,35 @@
  	int val;
  	int argc;
 +	static int proto_override;
-+	static char *saved_cp;
++	static char saved_line[1024];
  
  	sep = calloc(1, sizeof(struct servtab));
  	if (sep == NULL) {
-@@ -1165,6 +1167,14 @@ getconfigent(void)
+@@ -1165,6 +1167,11 @@ getconfigent(void)
  more:
  	freeconfig(sep);
  
 +	if (proto_override) {
 +	/* process again the same configuration entry */
-+	cp = saved_cp;
-+	saved_cp = NULL;
++	cp = saved_line;
 +	} else {
-+		if (saved_cp)
-+		free(saved_cp);
 +
  	while ((cp = nextline(fconfig)) && *cp == '#')
  		;
  	if (cp == NULL) {
-@@ -1172,6 +1182,10 @@ more:
+@@ -1172,6 +1179,11 @@ more:
  		return (NULL);
  	}
  
-+		/* keep a copy of the configuration entry */
-+		saved_cp = newstr(cp);
-+	} /* proto_override */
++	/* keep a copy of the configuration entry */
++	strcpy(saved_line, cp);
++
++	} /* !proto_override */
 +
  	memset(sep, 0, sizeof *sep);

Re: Bug#1038853: usrmerge: clean up the unused empty biarch directories

[Marco d'Itri]

Release managers, I would like to upload to 12.1 a new package to fix 
this (and other minor issues).


On Jun 22, Andreas Beckmann  wrote:

> Package: usrmerge
> Version: 35
> Severity: important
> Tags: patch
> 
> bootstrapping a merged-/usr system or earlier conversions may have
> created empty biarch directories and links to them, e.g.
>   /usr/libx32
>   /libx32 -> /usr/libx32
> 
> Since glibc 2.35-4 this is handled by the respective glibc packages
> and usrmerge has stopped creating them.
> 
> So let's clean them up (once) on upgrades of the usrmerge/usr-is-merged
> packages if they are not owned by any package according to the dpkg
> database. Otherwise they might suddenly disappear after installation and
> removal of a package "owning" them.
> 
> While the existence/disappearance of these directories and links is
> harmless for a regular system, it is nasty for doing QA testing since
> that may trigger an error on sudden disappearance of files/directories
> (at non-volatile locations). Ignoring these locations is not a good
> idea, since it might hide actual bugs mishandling the biarc locations.
> 
> I've been running piuparts bullseye -> bookworm upgrade tests with this
> patch applied and that solved all the unexpected disappearance of biarch
> directories and links.
> 
> 
> Andreas

> >From 6a07b047055ef2d05ab3381f9f7ce64c21f6b60b Mon Sep 17 00:00:00 2001
> From: Andreas Beckmann 
> Date: Sun, 28 May 2023 14:20:21 +0200
> Subject: [PATCH] postinst: Clean up the unused empty biarch directories
> 
> bootstrapping or earlier conversions may have created empty biarch
> directories and links. glibc 2.35-4 or later will create them if
> needed, so clean up the unused (and unowned) ones
> 
> Closes: #
> ---
>  debian/usr-is-merged.postinst | 28 
>  debian/usrmerge.postinst  | 22 +-
>  2 files changed, 49 insertions(+), 1 deletion(-)
>  create mode 100644 debian/usr-is-merged.postinst
> 
> diff --git a/debian/usr-is-merged.postinst b/debian/usr-is-merged.postinst
> new file mode 100644
> index 000..3d0e0c5
> --- /dev/null
> +++ b/debian/usr-is-merged.postinst
> @@ -0,0 +1,28 @@
> +#!/bin/sh
> +set -e
> +
> +cleanup_biarch_dirs() {
> +  # bootstrapping or earlier conversions may have created empty biarch
> +  # directories and links. glibc 2.35-4 or later will create them if needed,
> +  # so clean up the unused (and unowned) ones
> +  local arch_directories="/lib64 /lib32 /libo32 /libx32"
> +  for dir in $arch_directories; do
> +[ -e "$dir" ] || continue
> +if ! dpkg-query -S $dir >/dev/null 2>&1; then
> +  rm -v $dir
> +  if [ -e /usr$dir ] && ! dpkg-query -S /usr$dir >/dev/null 2>&1 ; then
> +rmdir --ignore-fail-on-non-empty -v /usr$dir
> +  fi
> +fi
> +  done
> +}
> +
> +case "$1" in
> +configure)
> +  if dpkg --compare-versions "$2" lt "36~" ; then
> +cleanup_biarch_dirs
> +  fi
> +;;
> +esac
> +
> +#DEBHELPER#
> diff --git a/debian/usrmerge.postinst b/debian/usrmerge.postinst
> index 257f0e5..057b7f1 100644
> --- a/debian/usrmerge.postinst
> +++ b/debian/usrmerge.postinst
> @@ -1,4 +1,5 @@
> -#!/bin/sh -e
> +#!/bin/sh
> +set -e
>  
>  is_fs() {
>local fs_type
> @@ -49,6 +50,22 @@ END
>/usr/lib/usrmerge/convert-usrmerge || return $?
>  }
>  
> +cleanup_biarch_dirs() {
> +  # bootstrapping or earlier conversions may have created empty biarch
> +  # directories and links. glibc 2.35-4 or later will create them if needed,
> +  # so clean up the unused (and unowned) ones
> +  local arch_directories="/lib64 /lib32 /libo32 /libx32"
> +  for dir in $arch_directories; do
> +[ -e "$dir" ] || continue
> +if ! dpkg-query -S $dir >/dev/null 2>&1; then
> +  rm -v $dir
> +  if [ -e /usr$dir ] && ! dpkg-query -S /usr$dir >/dev/null 2>&1 ; then
> +rmdir --ignore-fail-on-non-empty -v /usr$dir
> +  fi
> +fi
> +  done
> +}
> +
>  case "$1" in
>  configure)
>   # Skip the conversion for buildds.
> @@ -59,6 +76,9 @@ case "$1" in
> echo "W: /etc/unsupported-skip-usrmerge-conversion exists." >&2
>   else
> maybe_convert "$@" || { echo "E: usrmerge failed." >&2; exit 1; }
> +   if dpkg --compare-versions "$2" lt "36~" ; then
> + cleanup_biarch_dirs
> +   fi
> /usr/lib/usrmerge/convert-etc-shells
>   fi
>  ;;
> -- 
> 2.20.1
> 


-- 
ciao,
Marco


signature.asc
Description: PGP signature

Bug#1035673: unblock: whois/5.5.17

[Marco d'Itri]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: wh...@packages.debian.org
Control: affects -1 + src:whois

Please unblock package whois

It contains a few database updates.



unblock whois/5.5.17



diff --git a/debian/changelog b/debian/changelog
index 741c74a..13123bc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+whois (5.5.17) unstable; urgency=medium
+
+  [ Robert Scheck ]
+  * Added the .cd TLD server.
+  * Updated the -kg NIC handles server name.
+
+  [ Marco d'Itri ]
+  * Removed 2 new gTLDs which are no longer active.
+
+ -- Marco d'Itri   Wed, 03 May 2023 14:24:37 +0200
+
 whois (5.5.16) unstable; urgency=medium
 
   * Add bash completion support, courtesy of Ville Skyttä.
diff --git a/new_gtlds_list b/new_gtlds_list
index 760c79f..12ff5b8 100644
--- a/new_gtlds_list
+++ b/new_gtlds_list
@@ -573,7 +573,6 @@ lilly
 limited
 limo
 lincoln
-linde
 link
 lipsy
 live
@@ -596,7 +595,6 @@ ltda
 lundbeck
 luxe
 luxury
-macys
 madrid
 maif
 maison
diff --git a/nic_handles_list b/nic_handles_list
index 870ebd6..3fae1dd 100644
--- a/nic_handles_list
+++ b/nic_handles_list
@@ -8,7 +8,7 @@
 -dkwhois.dk-hostmaster.dk
 -ilwhois.isoc.org.il
 -iswhois.isnic.is
--kgwhois.domain.kg
+-kgwhois.kg
 -coop  whois.nic.coop
 -frnic whois.nic.fr
 -lrms  whois.afilias.info
diff --git a/servers_charset_list b/servers_charset_list
index cc81a38..fa85e4e 100644
--- a/servers_charset_list
+++ b/servers_charset_list
@@ -38,7 +38,7 @@ whois.isnic.isiso-8859-1
 whois.nic.it   utf-8
 whois.jprs.jp  iso-2022-jp
 whois.nic.ad.jpiso-2022-jp
-whois.domain.kgcp1251
+whois.kg   cp1251
 whois.nic.or.krutf-8
 whois.kr   utf-8
 whois.nic.kz   utf-8
diff --git a/tld_serv_list b/tld_serv_list
index 948f005..cb480da 100644
--- a/tld_serv_list
+++ b/tld_serv_list
@@ -113,7 +113,7 @@
 .co.ca whois.co.ca
 .cawhois.cira.ca
 .ccVERISIGN ccwhois.verisign-grs.com
-.cdNONE
+.cdwhois.nic.cd
 .cfNONE
 .cgNONE# www.nic.cg
 .chwhois.nic.ch

-- 
ciao,
Marco


signature.asc
Description: PGP signature

Bug#1035672: unblock: inn2/2.7.1-1

[Marco d'Itri]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: i...@packages.debian.org
Control: affects -1 + src:inn2

Please unblock package inn2

This is the diff betwwen 2.7.1 RC1 and 2.7.1.
It contains many documentation fixes, small fixes to pullnews and 
a significant for ovsqlite-util.
It also adds a versioned Breaks on manpages-dev which fixes the RC bug 
#1035098.

The 2.7.1 package is being used in production on one of my news servers.

Follows the git diff between debian/2.7.1_20230322-1 and debian/2.7.1-1,
abridged of whitespace and documentation changes.
The full changelog can be consulted at
https://salsa.debian.org/md/inn2/-/commits/master .

The package has a fairly decent autopkgtest but it currently cannot work 
on the Debian infrastructure, because the workers do not have valid 
hostnames. I will find a solution after the release, so please bear with 
me once more. :-)


unblock inn2/2.7.1-1



diff --git a/Makefile.global.in b/Makefile.global.in
index db42dee2e..3a84f23e7 100644
--- a/Makefile.global.in
+++ b/Makefile.global.in
@@ -20,7 +20,7 @@
 ##  be complying with the NNTP protocol.
 
 VERSION= 2.7.1
-VERSION_EXTRA  = rc1 version
+VERSION_EXTRA  =
 
 ##  The absolute path to the top of the build directory, used to find the
 ##  libraries built as part of INN.  Using relative paths confuses libtool
diff --git a/backends/news2mail.in b/backends/news2mail.in
index bef6ca86a..952cf4610 100644
--- a/backends/news2mail.in
+++ b/backends/news2mail.in
@@ -104,9 +104,15 @@ sub mailto {
 my ($t, $s, @a) = @_;
 
 my $sendmail = $INN::Config::mta;
+# Remove %s and -f from the mta command line (we'll explicitly set
+# recipients and an envelope sender below).
+# Remove -oem as we'll set -oee so that sendmail exits with a
+# non-zero status only if the mail cannot be sent.
 $sendmail =~ s!\s*%s!!;
+$sendmail =~ s!(^|\s+)-f\s*\S*!!;
+$sendmail =~ s!(^|\s+)-oem!!;
 my @command = (
-split(' ', $sendmail), '-ee', '-odq', "-f$s",
+split(' ', $sendmail), '-oee', '-odq', "-f$s",
 "-pNNTP:$INN::Config::pathhost", @a
 );
 
diff --git a/debian/changelog b/debian/changelog
index eff319e64..eeaf10caa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+inn2 (2.7.1-1) unstable; urgency=medium
+
+  * New upstream release.
+  * Breaks manpages-dev << 6.03-2 to make upgrades smoother, because of
+file(3) and list(3) removed from inn2-dev 2.6.5-1. (Closes: #1035098)
+
+ -- Marco d'Itri   Mon, 01 May 2023 19:25:42 +0200
+
 inn2 (2.7.1~20230322-1) unstable; urgency=medium
 
   * New release candidate 1 of the stable branch.
diff --git a/debian/control b/debian/control
index 93d37618c..8d7089372 100644
--- a/debian/control
+++ b/debian/control
@@ -63,6 +63,7 @@ Package: inn2-dev
 Section: devel
 Architecture: any
 Depends: ${misc:Depends}
+Breaks: manpages-dev (<< 6.03-2)
 Conflicts: inn
 Description: libinn.a library, headers and man pages
  You will only need this if you are going to compile programs that
diff --git a/frontends/pullnews.in b/frontends/pullnews.in
index b21ce29b4..0d8809cec 100644
--- a/frontends/pullnews.in
+++ b/frontends/pullnews.in
@@ -100,6 +100,7 @@ my $defaultRetryTime = 1;
 my $defaultProgressWidth = 50;
 my $defaultMaxArts;
 my $lockfile;
+my $runEndBlock = 0;
 
 # Check whether pullnews is run inside INN.
 my $use_inn_shlock = 0;
@@ -120,6 +121,8 @@ if (not $use_inn_shlock) {
 }
 
 END {
+return unless $runEndBlock;
+
 # In case we bail out, while holding a lock.
 if ($use_inn_shlock) {
 INN::Utils::Shlock::releaselocks();
@@ -423,7 +426,7 @@ if ($use_inn_shlock) {
 INN::Utils::Shlock::lock($lockfile)
   or die "cannot create lockfile $lockfile\n";
 } else {
-sysopen(LOCK, "$lockfile", O_RDWR | O_CREAT, 0700)
+sysopen(LOCK, "$lockfile", O_RDWR | O_CREAT, 0644)
   or die "cannot create lockfile $lockfile: $!\n";
 $oldfh = select;
 select LOCK;
@@ -439,6 +442,9 @@ if ($use_inn_shlock) {
 
 print LOCK "$$\n";
 }
+# Now that a lock file has been created, ensure we release it when this process
+# ends or is stopped.
+$runEndBlock = 1;
 
 print LOG scalar(localtime(time)), " start\n\n" unless $quiet;
 
@@ -554,6 +560,7 @@ if (not $quiet and not $quietness) {
 }
 
 my $connectionAttempts = 0;
+my %groupsStarted = ();
 
 UPSTREAM:
 foreach my $server (@servers) {
@@ -683,6 +690,7 @@ foreach my $server (@servers) {
 } continue {
 # Reinitialize the counter for the next server.
 $connectionAttempts = 0;
+%groupsStarted = ();
 }
 
 saveConfig();
@@ -768,7 +776,8 @@ sub stats {
 sub saveConfig {
 return if $no_op;
 
-$SIG{INT} = $SIG{QUIT} = 'IGNORE';
+local $SIG{INT} = 'IGNORE';
+local $SIG{QUIT} = 'IGNORE';
 
 open(FILE, ">$groupFile"

Bug#1034468: unblock: inn2/2.7.1~20230322-1

[Marco d'Itri]

On Apr 26, Paul Gevers  wrote:

> PS: have you considered adding a non-superficial autopkgtest to your package
> such that you don't need to wait for us to unblock your package?
Yes, long story. There is actually one but it is not run, because it 
needs to be significantly modified to actually work on our CI 
infrastructure, because inn2 cannot be installed on systems without 
a valid hostname.

-- 
ciao,
Marco


signature.asc
Description: PGP signature

Bug#1034468: unblock: inn2/2.7.1~20230322-1

[Marco d'Itri]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: i...@packages.debian.org
Control: affects -1 + src:inn2

Please unblock package inn2

This is tagged as a snapshot but is actually 2.7.1 RC1.
It contains many documentation fixes, small improvements and fixes to 
pullnews, and the new ovsqlite-util program which can be used to debug 
and repair an ovsqlite database.

The new package has been used in production for 3 weeks on one of my 
servers.

I am attaching the git diff between debian/2.7.1_20230306-1 and 
debian/2.7.1_20230322-1, abridged of documentation changes.
The full changelog can be consulted at 
https://salsa.debian.org/md/inn2/-/commits/master .

unblock inn2/2.7.1~20230322-1

-- 
ciao,
Marco
diff --git a/.gitignore b/.gitignore
index 274716315..9960002af 100644
--- a/.gitignore
+++ b/.gitignore
@@ -176,6 +176,7 @@
 /storage/ovmethods.h
 /storage/buffindexed/buffindexed_d
 /storage/ovsqlite/ovsqlite-server
+/storage/ovsqlite/ovsqlite-util
 /storage/ovsqlite/sql-init.c
 /storage/ovsqlite/sql-init.h
 /storage/ovsqlite/sql-main.c
diff --git a/MANIFEST b/MANIFEST
index 35e05aef2..7254d27aa 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -210,6 +210,7 @@ doc/man/ovdb_server.8 Manpage for ovdb_server
 doc/man/ovdb_stat.8   Manpage for ovdb_stat
 doc/man/overchan.8Manpage for overchan backend
 doc/man/ovsqlite-server.8 Manpage for ovsqlite-server
+doc/man/ovsqlite-util.8   Manpage for ovsqlite-util
 doc/man/ovsqlite.5Manpage for the ovsqlite overview module
 doc/man/passwd.nntp.5 Manpage for passwd.nntp config file
 doc/man/perl-nocem.8  Manpage for perl-nocem
@@ -331,6 +332,7 @@ doc/pod/ovdb_server.pod   Master file for ovdb_server.8
 doc/pod/ovdb_stat.pod Master file for ovdb_stat.8
 doc/pod/overchan.pod  Master file for overchan.8
 doc/pod/ovsqlite-server.pod   Master file for ovsqlite-server.8
+doc/pod/ovsqlite-util.pod Master file for ovsqlite-util.8
 doc/pod/ovsqlite.pod  Master file for ovsqlite.5
 doc/pod/passwd.nntp.pod   Master file for passwd.nntp.5
 doc/pod/procbatch.pod Master file for procbatch.8
@@ -774,6 +776,7 @@ storage/ovsqlite/ovmethod.mk  Make rules for ovsqlite
 storage/ovsqlite/ovsqlite-private.c   Private code for ovsqlite
 storage/ovsqlite/ovsqlite-private.h   Private header for ovsqlite
 storage/ovsqlite/ovsqlite-server.cSQLite database exclusive owner
+storage/ovsqlite/ovsqlite-util.in Utility program for ovsqlite
 storage/ovsqlite/ovsqlite.c   ovsqlite implementation
 storage/ovsqlite/ovsqlite.h   ovsqlite interface
 storage/ovsqlite/sql-init.c   Generated database setup implementation
diff --git a/Makefile.global.in b/Makefile.global.in
index 8a185ed39..db42dee2e 100644
--- a/Makefile.global.in
+++ b/Makefile.global.in
@@ -20,7 +20,7 @@
 ##  be complying with the NNTP protocol.
 
 VERSION		= 2.7.1
-VERSION_EXTRA	= prerelease
+VERSION_EXTRA	= rc1 version
 
 ##  The absolute path to the top of the build directory, used to find the
 ##  libraries built as part of INN.  Using relative paths confuses libtool
diff --git a/debian/changelog b/debian/changelog
index ffbb0e6a6..eff319e64 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+inn2 (2.7.1~20230322-1) unstable; urgency=medium
+
+  * New release candidate 1 of the stable branch.
+
+ -- Marco d'Itri   Mon, 27 Mar 2023 04:30:21 +0200
+
 inn2 (2.7.1~20230306-1) unstable; urgency=medium
 
   * New upstream snapshot of the stable branch.
diff --git a/doc/man/Makefile b/doc/man/Makefile
index 906725ebd..30a87587f 100644
--- a/doc/man/Makefile
+++ b/doc/man/Makefile
@@ -30,9 +30,9 @@ SEC8	= actsync.8 archive.8 batcher.8 buffchan.8 ckpasswd.8 \
 	innupgrade.8 innwatch.8 innxbatch.8 innxmit.8 mailpost.8 makedbz.8 \
 	makehistory.8 mod-active.8 news.daily.8 news2mail.8 ninpaths.8 \
 	nnrpd.8 nntpsend.8 ovdb_init.8 ovdb_monitor.8 ovdb_server.8 \
-	ovdb_stat.8 overchan.8 ovsqlite-server.8 perl-nocem.8 procbatch.8 \
-	prunehistory.8 radius.8 \
-	rc.news.8 scanlogs.8 scanspool.8 send-ihave.8 send-uucp.8 sendinpaths.8 \
+	ovdb_stat.8 overchan.8 ovsqlite-server.8 ovsqlite-util.8 perl-nocem.8 \
+	procbatch.8 prunehistory.8 radius.8 rc.news.8 \
+	scanlogs.8 scanspool.8 send-ihave.8 send-uucp.8 sendinpaths.8 \
 	tally.control.8 tdx-util.8 tinyleaf.8 writelog.8
 
 all:
diff --git a/doc/pod/Makefile b/doc/pod/Makefile
index 792ccf568..2fe219533 100644
--- a/doc/pod/Makefile
+++ b/doc/pod/Makefile
@@ -48,6 +48,7 @@ MAN8	= ../man/actsync.8 ../man/archive.8 ../man/auth_krb5.8 \
 	../man/nnrpd.8 ../man/nntpsend.8 \
 	../man/ovdb_init.8 ../man/ovdb_monitor.8 ../man/ovdb_server.8 \
 	../man/ovdb_stat.8 ../man/overchan.8 ../man/ovsqlite-server.8 \
+	../man/ovsqlite-util.8 \
 	../man/procbatch.8

Bug#1033694: unblock: gortr/0.14.7-2

[Marco d'Itri]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: go...@packages.debian.org
Control: affects -1 + src:gortr

Please unblock package gortr

I do not want to ship gortr in bookworm because it is unmaintained, but 
other software needs the Go library which comes from this same package.
So I made minimal changes to the package to only build the library.

Full diff attached.

unblock gortr/0.14.7-2

-- 
ciao,
Marco
diff -Nru gortr-0.14.7/debian/changelog gortr-0.14.7/debian/changelog
--- gortr-0.14.7/debian/changelog	2021-01-03 09:17:16.0 +0100
+++ gortr-0.14.7/debian/changelog	2023-03-27 22:43:29.0 +0200
@@ -1,3 +1,10 @@
+gortr (0.14.7-2) unstable; urgency=medium
+
+  * Stop building gortr because it is unmaintained and has been generally
+replaced by stayrtr.
+
+ -- Marco d'Itri   Mon, 27 Mar 2023 22:43:29 +0200
+
 gortr (0.14.7-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru gortr-0.14.7/debian/control gortr-0.14.7/debian/control
--- gortr-0.14.7/debian/control	2021-01-03 09:16:21.0 +0100
+++ gortr-0.14.7/debian/control	2023-03-27 22:42:40.0 +0200
@@ -4,36 +4,27 @@
 Section: net
 Testsuite: autopkgtest-pkg-go
 Priority: optional
-Build-Depends: debhelper-compat (= 12), dh-golang,
+Build-Depends: debhelper-compat (= 13), dh-golang,
  golang-any,
  golang-github-prometheus-client-golang-dev,
  golang-github-stretchr-testify-dev,
  golang-golang-x-crypto-dev,
  golang-logrus-dev,
-Standards-Version: 4.5.0
+Standards-Version: 4.6.2.0
 Vcs-Browser: https://salsa.debian.org/md/gortr
 Vcs-Git: https://salsa.debian.org/md/gortr.git
 Homepage: https://github.com/cloudflare/gortr
 Rules-Requires-Root: no
 XS-Go-Import-Path: github.com/cloudflare/gortr
 
-Package: gortr
-Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends},
- adduser
-Built-Using: ${misc:Built-Using}
-Description: Cloudflare's RPKI to Router server
- GoRTR is an implementation of the RPKI to Router protocol (RFC 6810):
- it can be used to publish Resource Public Key Infrastructure (RFC 6480)
- prefix origin data from a trusted cache to BGP routers.
-
 Package: golang-github-cloudflare-gortr-dev
 Architecture: all
-Section: devel
+Section: golang
 Depends: ${misc:Depends},
  golang-github-prometheus-client-golang-dev,
  golang-github-stretchr-testify-dev,
  golang-golang-x-crypto-dev,
  golang-logrus-dev,
+Multi-Arch: foreign
 Description: Cloudflare's RPKI to router library
  GoRTR is an implementation of the RPKI to router protocol (RFC 6810).
diff -Nru gortr-0.14.7/debian/rules gortr-0.14.7/debian/rules
--- gortr-0.14.7/debian/rules	2021-01-03 09:16:21.0 +0100
+++ gortr-0.14.7/debian/rules	2023-03-27 22:33:18.0 +0200
@@ -1,5 +1,11 @@
 #!/usr/bin/make -f
 
+# only build the library
+export DH_GOLANG_EXCLUDES := cmd/
+
 %:
 	dh $@ --builddirectory=_build --buildsystem=golang --with=golang
 
+override_dh_auto_install:
+	dh_auto_install --destdir=debian/tmp
+


signature.asc
Description: PGP signature

Bug#1033693: unblock: stayrtr/0.5.1-2

[Marco d'Itri]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: stay...@packages.debian.org
Control: affects -1 + src:stayrtr

Please unblock package stayrtr

stayrtr is better integrated with rpki-client than octorpki, which has 
not been getting new features in a long time.

Accordingly recommend rpki-client and use it as the data source by 
default.

Full diff attached.

unblock stayrtr/0.5.1-2

-- 
ciao,
Marco
diff -Nru stayrtr-0.5.1/debian/changelog stayrtr-0.5.1/debian/changelog
--- stayrtr-0.5.1/debian/changelog	2023-03-05 01:11:49.0 +0100
+++ stayrtr-0.5.1/debian/changelog	2023-03-28 23:09:15.0 +0200
@@ -1,3 +1,11 @@
+stayrtr (0.5.1-2) unstable; urgency=medium
+
+  * Default to use /var/lib/rpki-client/json (from rpki-client) as the source
+instead of the octorpki URL, since they are much better integrated.
+  * Recommend rpki-client.
+
+ -- Marco d'Itri   Tue, 28 Mar 2023 23:09:15 +0200
+
 stayrtr (0.5.1-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru stayrtr-0.5.1/debian/control stayrtr-0.5.1/debian/control
--- stayrtr-0.5.1/debian/control	2023-02-27 03:23:32.0 +0100
+++ stayrtr-0.5.1/debian/control	2023-03-27 06:20:23.0 +0200
@@ -24,6 +24,7 @@
 Architecture: any
 Depends: ${shlibs:Depends}, ${misc:Depends},
  adduser
+Recommends: rpki-client
 Conflicts: gortr
 Built-Using: ${misc:Built-Using}
 Description: RPKI to Router server
diff -Nru stayrtr-0.5.1/debian/stayrtr.default stayrtr-0.5.1/debian/stayrtr.default
--- stayrtr-0.5.1/debian/stayrtr.default	2023-02-27 03:18:52.0 +0100
+++ stayrtr-0.5.1/debian/stayrtr.default	2023-03-27 06:20:38.0 +0200
@@ -1,5 +1,5 @@
 # Run "stayrtr -h" to see the available command line options and their
 # defaults.
 
-STAYRTR_ARGS=-bind :323 -cache http://localhost:9880/output.json
+STAYRTR_ARGS=-bind :323 -cache /var/lib/rpki-client/json
 


signature.asc
Description: PGP signature

Bug#1033536: unblock: inn2/2.7.1~20230306-1

[Marco d'Itri]

gz.in   $(FIX) ; $(FIX) -i archivegz.in
-authmysql:   authmysql.in   $(FIX) ; $(FIX) -i authmysql.in
-backlogstat: backlogstat.in $(FIX) ; $(FIX) backlogstat.in
-cleannewsgroups: cleannewsgroups.in $(FIX) ; $(FIX) cleannewsgroups.in
-count_overview:  count_overview.in  $(FIX) ; $(FIX) -i count_overview.in
-delayer: delayer.in $(FIX) ; $(FIX) -i delayer.in
-findreadgroups:  findreadgroups.in  $(FIX) ; $(FIX) findreadgroups.in
-fixhist: fixhist.in $(FIX) ; $(FIX) -i fixhist.in
-innconfcheck:innconfcheck.in$(FIX) ; $(FIX) -i innconfcheck.in
-makeexpctl:  makeexpctl.in  $(FIX) ; $(FIX) makeexpctl.in
-makestorconf:makestorconf.in$(FIX) ; $(FIX) makestorconf.in
-mkbuf:   mkbuf.in   $(FIX) ; $(FIX) -i mkbuf.in
-nnrp.access2readers.conf: nnrp.access2readers.conf.in $(FIX) ; $(FIX) -i nnrp.access2readers.conf.in
-stathist:stathist.in$(FIX) ; $(FIX) -i stathist.in
-thdexpire:   thdexpire.in   $(FIX) ; $(FIX) thdexpire.in
-tunefeed:tunefeed.in$(FIX) ; $(FIX) -i tunefeed.in
+analyze-traffic: analyze-traffic.in $(FIXSCRIPT) ; $(FIX) -i analyze-traffic.in
+archivegz:   archivegz.in   $(FIXSCRIPT) ; $(FIX) -i archivegz.in
+authmysql:   authmysql.in   $(FIXSCRIPT) ; $(FIX) -i authmysql.in
+backlogstat: backlogstat.in $(FIXSCRIPT) ; $(FIX) backlogstat.in
+cleannewsgroups: cleannewsgroups.in $(FIXSCRIPT) ; $(FIX) cleannewsgroups.in
+count_overview:  count_overview.in  $(FIXSCRIPT) ; $(FIX) -i count_overview.in
+delayer: delayer.in $(FIXSCRIPT) ; $(FIX) -i delayer.in
+findreadgroups:  findreadgroups.in  $(FIXSCRIPT) ; $(FIX) findreadgroups.in
+fixhist: fixhist.in $(FIXSCRIPT) ; $(FIX) -i fixhist.in
+innconfcheck:innconfcheck.in$(FIXSCRIPT) ; $(FIX) -i innconfcheck.in
+makeexpctl:  makeexpctl.in  $(FIXSCRIPT) ; $(FIX) makeexpctl.in
+makestorconf:makestorconf.in$(FIXSCRIPT) ; $(FIX) makestorconf.in
+mkbuf:   mkbuf.in   $(FIXSCRIPT) ; $(FIX) -i mkbuf.in
+nnrp.access2readers.conf: nnrp.access2readers.conf.in $(FIXSCRIPT)
+	$(FIX) -i nnrp.access2readers.conf.in
+stathist:stathist.in$(FIXSCRIPT) ; $(FIX) -i stathist.in
+thdexpire:   thdexpire.in   $(FIXSCRIPT) ; $(FIX) thdexpire.in
+tunefeed:tunefeed.in$(FIXSCRIPT) ; $(FIX) -i tunefeed.in
diff --git a/control/Makefile b/control/Makefile
index 19b1888fb..7c4092ea7 100644
--- a/control/Makefile
+++ b/control/Makefile
@@ -44,13 +44,13 @@ $(FIXSCRIPT):
 ##  Build rules.
 LINK	= $(LIBLD) $(LDFLAGS) -o $@
 
-FIX	= $(FIXSCRIPT)
+FIX	= $(SHELL) $(FIXSCRIPT)
 
-controlbatch:	controlbatch.in  $(FIX) ; $(FIX) controlbatch.in
-controlchan:	controlchan.in   $(FIX) ; $(FIX) controlchan.in
-docheckgroups:	docheckgroups.in $(FIX) ; $(FIX) docheckgroups.in
-perl-nocem:	perl-nocem.in$(FIX) ; $(FIX) perl-nocem.in
-pgpverify:	pgpverify.in $(FIX) ; $(FIX) pgpverify.in
+controlbatch:	controlbatch.in  $(FIXSCRIPT) ; $(FIX) controlbatch.in
+controlchan:	controlchan.in   $(FIXSCRIPT) ; $(FIX) controlchan.in
+docheckgroups:	docheckgroups.in $(FIXSCRIPT) ; $(FIX) docheckgroups.in
+perl-nocem:	perl-nocem.in$(FIXSCRIPT) ; $(FIX) perl-nocem.in
+pgpverify:	pgpverify.in $(FIXSCRIPT) ; $(FIX) pgpverify.in
 
 ../doc/man/perl-nocem.8: perl-nocem.in
 	$(POD2MAN) -s 8 -n "PERL-NOCEM" $? > $@
diff --git a/debian/changelog b/debian/changelog
index 83259fbb6..ffbb0e6a6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+inn2 (2.7.1~20230306-1) unstable; urgency=medium
+
+  * New upstream snapshot of the stable branch.
+
+ -- Marco d'Itri   Thu, 09 Mar 2023 12:18:11 +0100
+
 inn2 (2.7.1~20230220-1) unstable; urgency=medium
 
   * New upstream snapshot of the stable branch.
diff --git a/debian/patches/dash-unbatch b/debian/patches/dash-unbatch
index 40d5ad028..0dfaa006d 100644
--- a/debian/patches/dash-unbatch
+++ b/debian/patches/dash-unbatch
@@ -1,7 +1,7 @@
 --- a/frontends/Makefile
 +++ b/frontends/Makefile
-@@ -101,15 +101,15 @@ pullnews:	pullnews.in  $(FIX)	; $(FI
- scanspool:	scanspool.in $(FIX)	; $(FIX) scanspool.in
+@@ -114,15 +114,15 @@ pullnews:	pullnews.in  $(FIXSCRIPT)
+ scanspool:	scanspool.in $(FIXSCRIPT)	; $(FIX) scanspool.in
  
  bunbatch: Makefile ../Makefile.global
 -	( echo '#! $(SHELL)' ; echo 'exec $(BZIP2) -d -c' ) > $@
diff --git a/expire/Makefile b/expire/Makefile
index 5c0434816..8241b2889 100644
--- a/expire/Makefile
+++ b/expire/Makefile
@@ -39,7 +39,7 @@ LINK= $(LIBLD) $(LDFLAGS) -o $@
 INNLIBS		= $(LIBINN) $(LIBS)
 STORELIBS	= $(BOTH) $(STORAGE_LIBS) $(LIBS)
 
-FIX = $(FIXSCRIPT)
+FIX = $(SHELL) $(FIXSCRIPT)
 
 $(FIXSCRIPT):
 	@echo Run configure before running make.  See INSTALL for details.
@@ -54,7 +54,7 @@ makedbz:	makedbz.o  $(LIBINN) ; $(LINK) makedbz.o  $(INNLIBS)
 makehistory:	makehistory.o  $(BOTH)   ; $(LINK) makehistor

Bug#1033180: unblock: stayrtr/0.5.1-1

[Marco d'Itri]

hangelog  2023-03-05 01:11:49.0 +0100
@@ -1,3 +1,9 @@
+stayrtr (0.5.1-1) unstable; urgency=medium
+
+  * New upstream release.
+
+ -- Marco d'Itri   Sun, 05 Mar 2023 01:11:49 +0100
+
 stayrtr (0.5.0-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru stayrtr-0.5.0/debian/patches/series 
stayrtr-0.5.1/debian/patches/series
--- stayrtr-0.5.0/debian/patches/series 2023-02-27 03:20:33.0 +0100
+++ stayrtr-0.5.1/debian/patches/series 1970-01-01 01:00:00.0 +0100
@@ -1 +0,0 @@
-commit-8a3a71e
diff -Nru stayrtr-0.5.0/go.mod stayrtr-0.5.1/go.mod
--- stayrtr-0.5.0/go.mod2023-02-23 22:35:40.0 +0100
+++ stayrtr-0.5.1/go.mod2023-03-01 15:36:19.0 +0100
@@ -7,6 +7,6 @@
github.com/prometheus/client_golang v1.11.1
github.com/sirupsen/logrus v1.8.1
github.com/stretchr/testify v1.4.0
-   golang.org/x/crypto v0.0.0-20210921155107-089bfa567519
-   golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1
+   golang.org/x/crypto v0.6.0
+   golang.org/x/sys v0.5.0
 )


signature.asc
Description: PGP signature

Bug#987013: Release goal proposal: Remove Berkeley DB

[Marco d'Itri]

On Feb 04, Paul Gevers  wrote:

> I don't see the preparation happening in time for bookworm, so if the
> preparations are done for trixie, Berkeley DB can be removed in forky.
I object again to removing Berkeley DB: it is mature software and it 
works fine.
At least inn2 uses it, and a "transition" (i.e. rebuilding the overview 
database with a different indexing method) for a non-trivial server may 
require hours of downtime.

-- 
ciao,
Marco


signature.asc
Description: PGP signature

Bug#1005273: bullseye-pu: package libretls/3.4.1-2

[Marco d'Itri]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

As discussed with Moritz Mühlenhoff of the security team I would like to 
explore the possibility of adding the librtls package to a bullseye 
point release, to be able to update rpki-client to a newer release via 
bullseye-security.

Backgroud from my precedent message to the security team:

  https://rpki.exposed/ lists a long number of vulnerabilities affecting
  software in Debian stable: fort-validator, cfrpki, and rpki-client.
  (Not routinator, because it is an unpackagable mess of Rust.)

  (To make a long story short, RPKI is a way to digitally sign BGP routes
  and all network operators and IXPs are progressively deploying at least
  a couple of servers each to run the validators.)

  The RPKI ecosystem is very young, so this was hardly unexpected.
  While I did significant work trying to establish Debian as the go-to
  platform for deploying RPKI validators, at this point nobody will use
  the validators currently in Debian stable.

  It is not really practical to extract and backport all these patches, so
  I would like to know from the release managers if they would strongly
  consider an upload to stable of the current releases of these packages
  or if I should request instead that they are all removed from stable.

fort-validator and cfrpki are currently in proposed-updates, but at the 
time I did not notice that newer versions of rpki-client require 
libretls, which did not get in testing in time for the bullseye release.

-- 
ciao,
Marco


signature.asc
Description: PGP signature

Re: multiple RPKI-related vulnerabilities in stable

[SEEWEB - Marco d'Itri]

On Nov 30, Moritz Muehlenhoff  wrote:

> > https://rpki.exposed/ lists a long number of vulnerabilities affecting 
> Ironically this website is unreachable since at least yesterday :-)
This was the linked page:
https://docs.google.com/spreadsheets/d/1uuDlO6g1DLATV5OVCa20kU9OOiX9XWBFoZT2OkOezi8/edit#gid=0

> > It is not really practical to extract and backport all these patches, so 
> 
> Let's fix these via bullseye-security, version numbers would be:
> rpki-client 7.5-1~deb11u1
> fort-validator 1.5.3-1~deb11u1
> cfrpki 1.4.2-1~deb11u1
Thank you, I have uploaded fort-validator and cfrpki.
I forgot that rpki-client now requires libretls, which is not in 
bullseye, so I will do a backport and discuss what to do with the 
upstream authors.

-- 
ciao,
Marco


signature.asc
Description: PGP signature

multiple RPKI-related vulnerabilities in stable

[SEEWEB - Marco d'Itri]

https://rpki.exposed/ lists a long number of vulnerabilities affecting 
software in Debian stable: fort-validator, cfrpki, and rpki-client.
(Not routinator, because it is an unpackagable mess of Rust.)

(To make a long story short, RPKI is a way to digitally sign BGP routes 
and all network operators and IXPs are progressively deploying at least 
a couple of servers each to run the validators.)

The RPKI ecosystem is very young, so this was hardly unexpected.
While I did significant work trying to establish Debian as the go-to 
platform for deploying RPKI validators, at this point nobody will use 
the validators currently in Debian stable.

It is not really practical to extract and backport all these patches, so 
I would like to know from the release managers if they would strongly 
consider an upload to stable of the current releases of these packages 
or if I should request instead that they are all removed from stable.

Please Cc: me on replies.

-- 
ciao,
Marco


signature.asc
Description: PGP signature

Bug#993049: bullseye-pu: package rpki-trust-anchors/20210817-1+deb11u1

[Marco d'Itri]

On Aug 27, "Adam D. Barratt"  wrote:

> The version number for a stable upload needs to be lower than the
> version currently in unstable. As a no-change rebuild, the convention
> would be 20210817-1~deb11u1, in the same style as backports.
> 
> With that change in mind, please go ahead.
Done. But I have also mistakenly uploaded the old +deb11u1 package, 
sorry.

-- 
ciao,
Marco


signature.asc
Description: PGP signature

Bug#993049: bullseye-pu: package rpki-trust-anchors/20210817-1+deb11u1

[Marco d'Itri]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

rpki-trust-anchors is a data package containing public keys, similar to 
dns-root-data, which are used by RPKI validators (cfrpki, 
fort-validator, rpki-client, stayrtr).
A stable update is needed because an https URL was finally added to the 
LACNIC trust anchor. This allows the software currently in stable to use 
https to download the certificates instead of the problematic and 
deprecated rsync method.
Also, the same package from testing which I have rebuilt here gained a
new debconf translation.

-- 
ciao,
Marco
diff -Nru rpki-trust-anchors-20210417/debian/changelog rpki-trust-anchors-20210817/debian/changelog
--- rpki-trust-anchors-20210417/debian/changelog	2021-04-17 11:55:56.0 +0200
+++ rpki-trust-anchors-20210817/debian/changelog	2021-08-27 00:21:41.0 +0200
@@ -1,3 +1,15 @@
+rpki-trust-anchors (20210817-1+deb11u1) bullseye; urgency=medium
+
+  * Rebuilt for the stable distribution.
+
+ -- Marco d'Itri   Fri, 27 Aug 2021 00:21:41 +0200
+
+rpki-trust-anchors (20210817-1) unstable; urgency=medium
+
+  * Added the https URL to the LACNIC TAL.
+
+ -- Marco d'Itri   Tue, 17 Aug 2021 01:03:51 +0200
+
 rpki-trust-anchors (20210417-1) unstable; urgency=medium
 
   * Updated the https URL for the APNIC TAL.
diff -Nru rpki-trust-anchors-20210417/debian/control rpki-trust-anchors-20210817/debian/control
--- rpki-trust-anchors-20210417/debian/control	2021-04-17 11:53:53.0 +0200
+++ rpki-trust-anchors-20210817/debian/control	2021-08-17 00:53:56.0 +0200
@@ -2,7 +2,7 @@
 Section: net
 Priority: optional
 Maintainer: Marco d'Itri 
-Standards-Version: 4.4.1.1
+Standards-Version: 4.5.1.0
 Rules-Requires-Root: no
 Build-Depends: debhelper-compat (= 12), po-debconf
 Vcs-Git: https://salsa.debian.org/md/rpki-trust-anchors.git
diff -Nru rpki-trust-anchors-20210417/debian/po/es.po rpki-trust-anchors-20210817/debian/po/es.po
--- rpki-trust-anchors-20210417/debian/po/es.po	1970-01-01 01:00:00.0 +0100
+++ rpki-trust-anchors-20210817/debian/po/es.po	2021-08-17 00:39:31.0 +0200
@@ -0,0 +1,47 @@
+# rpki-trust-anchors po-debconf translation to Spanish.
+# Copyright (C) 2021
+# This file is distributed under the same license as the rpki-trust-anchors package.
+# Camaleón , 2021.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: rpki-trust-anchors\n"
+"Report-Msgid-Bugs-To: rpki-trust-anch...@packages.debian.org\n"
+"POT-Creation-Date: 2019-12-14 17:54+0100\n"
+"PO-Revision-Date: 2021-04-18 10:31+0200\n"
+"Last-Translator: Camaleón \n"
+"Language-Team: Debian Spanish \n"
+"Language: es\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../rpki-trust-anchors.templates:1001
+msgid "Do you accept the ARIN Relying Party Agreement (RPA)?"
+msgstr "¿Acepta el acuerdo de confianza (Relying Party Agreement, RPA) de ARIN?"
+
+#. Type: boolean
+#. Description
+#: ../rpki-trust-anchors.templates:1001
+msgid ""
+"ARIN forbids third parties from distributing the Trust Anchor Locator (TAL) "
+"for their RPKI repository, hence this package can download it only if you "
+"will agree to ARIN's conditions."
+msgstr ""
+"ARIN prohíbe la distribución a terceras partes del localizador de ancla de "
+"confianza (Trust Anchor Locator, TAL) desde su repositorio RPKI, por lo que "
+"solo puede descargar este paquete si acepta las condiciones de ARIN."
+
+#. Type: boolean
+#. Description
+#: ../rpki-trust-anchors.templates:1001
+msgid ""
+"If you want that this package automatically download and installs the ARIN "
+"TAL, then you need to accept the ARIN Relying Party Agreement (RPA): https://;
+"www.arin.net/resources/manage/rpki/rpa.pdf ."
+msgstr ""
+"Si desea que este paquete se descargue automáticamente e instale el TAL de "
+"ARIN, tiene que aceptar el acuerdo de confianza de ARIN (Relying Party "
+"Agreement, RPA): «https://www.arin.net/resources/manage/rpki/rpa.pdf».;
\ Manca newline alla fine del file
diff -Nru rpki-trust-anchors-20210417/tals/lacnic.tal rpki-trust-anchors-20210817/tals/lacnic.tal
--- rpki-trust-anchors-20210417/tals/lacnic.tal	2021-04-17 03:31:46.0 +0200
+++ rpki-trust-anchors-20210817/tals/lacnic.tal	2021-08-17 00:42:23.0 +0200
@@ -1,3 +1,4 @@
+https://rrdp.lacnic.net/ta/rta-lacnic-rpki.cer
 rsync://repository.lacnic.net/rpki/lacnic/rta-lacnic-rpki.cer
 
 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqZEzhYK0+PtDOPfub/KR


signature.asc
Description: PGP signature

Bug#990778: unblock: whois/5.5.10

[Marco d'Itri]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package whois

It has been in unstable for 30 days now and it only contains database 
changes (and one fix for the build process which caused the wrong 
version to be reported).

  * Updated the .lb TLD server.
  * Removed 5 new gTLDs which are no longer active.
  * Updated the charset for whois.lacnic.net, whois.ax, whois.cira.ca
and whois.dns.pt.
  * Fixed reporting an older version number when using --version.

unblock whois/5.5.10

-- 
ciao,
Marco
diff -Nru whois-5.5.9/debian/changelog whois-5.5.10/debian/changelog
--- whois-5.5.9/debian/changelog	2021-03-28 00:38:20.0 +0100
+++ whois-5.5.10/debian/changelog	2021-06-06 19:54:13.0 +0200
@@ -1,3 +1,13 @@
+whois (5.5.10) unstable; urgency=medium
+
+  * Updated the .lb TLD server.
+  * Removed 5 new gTLDs which are no longer active.
+  * Updated the charset for whois.lacnic.net, whois.ax, whois.cira.ca
+and whois.dns.pt.
+  * Fixed reporting an older version number when using --version.
+
+ -- Marco d'Itri   Sun, 06 Jun 2021 19:54:13 +0200
+
 whois (5.5.9) unstable; urgency=medium
 
   * Updated the .ga TLD server.
diff -Nru whois-5.5.9/Makefile whois-5.5.10/Makefile
--- whois-5.5.9/Makefile	2019-12-31 12:14:30.0 +0100
+++ whois-5.5.10/Makefile	2021-06-06 04:13:35.0 +0200
@@ -141,7 +141,7 @@
 	cd po && $(MAKE) install
 
 distclean: clean
-	rm -f po/whois.pot
+	rm -f version.h po/whois.pot
 
 clean:
 	rm -f Makefile.depend as_del.h as32_del.h ip_del.h ip6_del.h \
diff -Nru whois-5.5.9/new_gtlds_list whois-5.5.10/new_gtlds_list
--- whois-5.5.9/new_gtlds_list	2021-02-28 12:58:38.0 +0100
+++ whois-5.5.10/new_gtlds_list	2021-06-06 01:01:07.0 +0200
@@ -383,7 +383,6 @@
 frontier
 ftr
 fujitsu
-fujixerox
 fun
 fund
 furniture
@@ -511,7 +510,6 @@
 istanbul
 itau
 itv
-iveco
 jaguar
 java
 jcb
@@ -664,7 +662,6 @@
 mutual
 nab
 nagoya
-nationwide
 natura
 navy
 nba
@@ -711,7 +708,6 @@
 ong
 onl
 online
-onyourside
 ooo
 open
 oracle
@@ -907,7 +903,6 @@
 space
 sport
 spot
-spreadbetting
 srl
 stada
 staples
diff -Nru whois-5.5.9/servers_charset_list whois-5.5.10/servers_charset_list
--- whois-5.5.9/servers_charset_list	2020-10-03 17:44:03.0 +0200
+++ whois-5.5.10/servers_charset_list	2021-06-06 03:55:46.0 +0200
@@ -4,15 +4,15 @@
 whois.corenic.net	utf-8		-C UTF-8
 whois.online.rs.corenic.net	utf-8	-C UTF-8
 whois.site.rs.corenic.net	utf-8	-C UTF-8
-whois.lacnic.net	iso-8859-1
+whois.lacnic.net	utf-8
 whois.museum		utf-8		-C UTF-8
 whois.ripe.net		iso-8859-1
 
 whois.aeda.net.ae	utf-8
 whois.nic.ar		utf-8
-whois.ax		iso-8859-1
+whois.ax		utf-8
 whois.registro.br	iso-8859-1
-whois.cira.ca		iso-8859-1
+whois.cira.ca		utf-8
 whois.nic.ch		utf-8
 whois.nic.cl		utf-8
 whois.cnnic.cn		utf-8
@@ -47,7 +47,7 @@
 whois.iis.nu		utf-8
 whois.registry.om	utf-8
 whois.registry.pf	utf-8
-whois.dns.pt		iso-8859-1
+whois.dns.pt		utf-8
 whois.registry.qa	utf-8
 whois.nic.re		utf-8
 whois.rnids.rs		utf-8
diff -Nru whois-5.5.9/tld_serv_list whois-5.5.10/tld_serv_list
--- whois-5.5.9/tld_serv_list	2021-02-28 13:25:23.0 +0100
+++ whois-5.5.10/tld_serv_list	2021-06-06 01:00:35.0 +0200
@@ -196,7 +196,7 @@
 .ky	whois.kyregistry.ky
 .kz	whois.nic.kz
 .la	whois.nic.la
-.lb	WEB https://web.aub.edu.lb/cgi-bin/lbdr.pl
+.lb	whois.lbdr.org.lb
 .lc	whois2.afilias-grs.net
 .li	whois.nic.li
 .lk	whois.nic.lk
diff -Nru whois-5.5.9/version.h whois-5.5.10/version.h
--- whois-5.5.9/version.h	2021-02-16 01:54:39.0 +0100
+++ whois-5.5.10/version.h	1970-01-01 01:00:00.0 +0100
@@ -1,2 +0,0 @@
-#define VERSION "5.5.8"
-#define IDSTRING "Md5.5.8"


signature.asc
Description: PGP signature

Bug#988259: unblock: usrmerge/25

[Marco d'Itri]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package usrmerge

[ Reason ]
Adds a new translation and removes years-dead code.

[ Impact ]
Spanish users will miss the translation for a package which is going to 
be used to upgrade all Debian systems.

[ Tests ]
I do not believe that this package can be automatically tested.

[ Risks ]
Not really.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
(Anything else the release team should know.)

unblock usrmerge/25

-- 
ciao,
Marco
diff -Nru usrmerge-24/debian/changelog usrmerge-25/debian/changelog
--- usrmerge-24/debian/changelog	2021-01-16 06:02:21.0 +0100
+++ usrmerge-25/debian/changelog	2021-04-27 01:21:48.0 +0200
@@ -1,3 +1,12 @@
+usrmerge (25) unstable; urgency=medium
+
+  * Remove prerm, which has not been needed or even possibly used since
+usrmerge version 19 started removing /etc/dpkg/dpkg.cfg.d/usrmerge on
+upgrades. (Closes: #982867)
+  * New debconf translation(s): es. (Closes: #987519)
+
+ -- Marco d'Itri   Tue, 27 Apr 2021 01:21:48 +0200
+
 usrmerge (24) unstable; urgency=medium
 
   * Moved the scripts to /usr/lib/usrmerge/ on request of Ubuntu for better
diff -Nru usrmerge-24/debian/po/es.po usrmerge-25/debian/po/es.po
--- usrmerge-24/debian/po/es.po	1970-01-01 01:00:00.0 +0100
+++ usrmerge-25/debian/po/es.po	2021-04-27 01:17:21.0 +0200
@@ -0,0 +1,54 @@
+# usrmerge po-debconf translation to Spanish.
+# Copyright (C) 2021
+# This file is distributed under the same license as the usrmerge package.
+# Camaleón , 2021.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: usrmerge\n"
+"Report-Msgid-Bugs-To: usrme...@packages.debian.org\n"
+"POT-Creation-Date: 2016-02-12 03:06+0100\n"
+"PO-Revision-Date: 2021-04-14 08:41+0200\n"
+"Last-Translator: Camaleón \n"
+"Language-Team: Debian Spanish \n"
+"Language: es\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: title
+#. Description
+#: ../usrmerge.templates:1001
+msgid "Automatic conversion to merged /usr"
+msgstr "Conversión automática a /usr combinado"
+
+#. Type: boolean
+#. Description
+#: ../usrmerge.templates:2001
+msgid ""
+"Do you want to convert this system to the merged /usr directories scheme?"
+msgstr ""
+"¿Desea configurar este sistema para usar el esquema de directorios "
+"combinados /usr?"
+
+#. Type: boolean
+#. Description
+#: ../usrmerge.templates:2001
+msgid ""
+"The usrmerge package will automatically convert the system to the merged /"
+"usr directory scheme, in which the /{bin,sbin,lib}/ directories are "
+"symlinked to their counterparts in /usr/."
+msgstr ""
+"El paquete usrmerge ajustará automáticamente el sistema para utilizar "
+"un esquema de directorios combinados /usr, en el que los directorios "
+"/{bin,sbin,lib}/ están enlazados simbólicamente con sus homólogos en /usr/."
+
+#. Type: boolean
+#. Description
+#: ../usrmerge.templates:2001
+msgid ""
+"There is no automatic method to restore the precedent configuration, so "
+"there is no going back once the conversion has been started."
+msgstr ""
+"No existe un método automático para restablecer la configuración anterior, "
+"por lo que una vez iniciado el proceso de conversión, no podrá revertirlo."
diff -Nru usrmerge-24/debian/usrmerge.prerm usrmerge-25/debian/usrmerge.prerm
--- usrmerge-24/debian/usrmerge.prerm	2016-02-28 01:53:38.0 +0100
+++ usrmerge-25/debian/usrmerge.prerm	1970-01-01 01:00:00.0 +0100
@@ -1,35 +0,0 @@
-#!/bin/sh -e
-
-can_remove() {
-  dpkgconf='/etc/dpkg/dpkg.cfg.d/usrmerge'
-
-  [ -e "$dpkgconf" ] || return 0
-
-  local pkgs="$(awk '/^# [^ ]+$/ { print $2 }' $dpkgconf)"
-  [ "$pkgs" ] || return 0
-
-  local installed="$(dpkg-query --showformat='${Package}\n' --show $pkgs 2> /dev/null)"
-
-  if [ "$installed" ]; then
-cat <

signature.asc
Description: PGP signature

Bug#987649: unblock: libxcrypt/1:4.4.18-4

[Marco d'Itri]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libxcrypt

[ Reason ]
This fixes some related issues which sometimes caused upgrades to fail, 
by moving the library back from /usr/lib/ to /lib/ .

[ Impact ]
Some upgrades to bullseye will randomly fail and we really do not want 
this.

[ Tests ]
autopkgtests passed.

[ Risks ]
The actual change (moving the library back to /lib/) is trivial, and 
since nothing broke spectacularly as soon as I uploaded the new package 
then it very probably is fine.
There are no changes at all to the udeb.

unblock libxcrypt/1:4.4.18-4

-- 
ciao,
Marco
diff -Nru libxcrypt-4.4.18/debian/changelog libxcrypt-4.4.18/debian/changelog
--- libxcrypt-4.4.18/debian/changelog	2021-03-27 17:11:11.0 +0100
+++ libxcrypt-4.4.18/debian/changelog	2021-04-19 02:46:31.0 +0200
@@ -1,3 +1,24 @@
+libxcrypt (1:4.4.18-4) unstable; urgency=high
+
+  * Move back the .pc file (and also .so and .a) to /usr/lib/ to fix a
+regression introduced by the precedent upload. (Closes: #987130)
+
+ -- Marco d'Itri   Mon, 19 Apr 2021 02:46:31 +0200
+
+libxcrypt (1:4.4.18-3) unstable; urgency=high
+
+  [ Ivo De Decker ]
+  * Make sure takeover of libcrypt.so.1 from libc6 works correctly on upgrades
+from buster to bullseye (Closes: #974552):
+- Move the library back from /usr/lib/ to /lib/, because that's where it
+  was in the old libc6 (Closes: #953562).
+- Remove breaks from libcrypt1, to allow installing libcrypt1 before libc6
+  is upgraded.
+- Mark libcrypt1 as Important and Protected, to prevent removal after a
+  partial upgrade.
+
+ -- Marco d'Itri   Sat, 17 Apr 2021 04:04:04 +0200
+
 libxcrypt (1:4.4.18-2) unstable; urgency=medium
 
   * Stop depending on libltdl-dev and instead just include in the package
diff -Nru libxcrypt-4.4.18/debian/control libxcrypt-4.4.18/debian/control
--- libxcrypt-4.4.18/debian/control	2021-03-27 17:11:11.0 +0100
+++ libxcrypt-4.4.18/debian/control	2021-04-17 03:43:28.0 +0200
@@ -15,11 +15,8 @@
 Multi-Arch: same
 Pre-Depends: ${misc:Pre-Depends}
 Depends: ${shlibs:Depends}, ${misc:Depends}
-Breaks:
- libc6 (<< 2.29-4),
- libc6.1 (<< 2.29-4) [alpha ia64],
- libc0.1 (<< 2.29-4) [kfreebsd-amd64 kfreebsd-i386],
- libc0.3 (<< 2.29-4) [hurd-i386],
+XB-Important: yes
+Protected: yes
 Replaces:
  libc6 (<< 2.29-4),
  libc6.1 (<< 2.29-4) [alpha ia64],
diff -Nru libxcrypt-4.4.18/debian/rules libxcrypt-4.4.18/debian/rules
--- libxcrypt-4.4.18/debian/rules	2021-03-27 16:02:25.0 +0100
+++ libxcrypt-4.4.18/debian/rules	2021-04-19 02:36:41.0 +0200
@@ -96,6 +96,11 @@
 	cd build-deb1/ && \
 	$(MAKE) install DESTDIR=$D
 
+	# Move the shared library back to /lib/ because this is where the
+	# libc6 package used to install it (see #953562 for details).
+	mkdir -p $D/lib/$(DEB_HOST_MULTIARCH)
+	mv $D/usr/lib/$(DEB_HOST_MULTIARCH)/libcrypt.so.1* $D/lib/$(DEB_HOST_MULTIARCH)/
+	ln -sf /lib/$(DEB_HOST_MULTIARCH)/libcrypt.so.1 $D/usr/lib/$(DEB_HOST_MULTIARCH)/libcrypt.so
 ifeq ($(BUILD_DEV_VER), 1)
 	dh_movefiles -plibcrypt-dev --sourcedir=debian/libcrypt1/
 else


signature.asc
Description: PGP signature

Bug#987117: unblock: rpki-trust-anchors/20210417-1

[Marco d'Itri]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package rpki-trust-anchors

[ Reason ]
Contains one new debconf translation and a very important update of the 
APNIC trust anchor.

This change has been requested by APNIC and by one of the rpki-client 
upstream maintainers, and will also be required by the next release of 
rpki-client which expects the RRDP and rsync files to have the same 
name.

[ Impact ]
Without this change, at least, the next release of rpki-client will 
not work at all.
Since the old URL is not actually the official one, for all I know it 
may be retired hence breaking all RPKI clients.

[ Tests ]
I have no idea of how this package could automatically be tested.

[ Risks ]
Pretty much none, this is a very simple change and the reverse 
dependencies of rpki-trust-anchors are few packages with (currently) 
a small user base.

unblock rpki-trust-anchors/20210417-1

-- 
ciao,
Marco
diff -Nru rpki-trust-anchors-20200621/debian/changelog rpki-trust-anchors-20210417/debian/changelog
--- rpki-trust-anchors-20200621/debian/changelog	2020-06-21 19:13:33.0 +0200
+++ rpki-trust-anchors-20210417/debian/changelog	2021-04-17 11:55:56.0 +0200
@@ -1,3 +1,15 @@
+rpki-trust-anchors (20210417-1) unstable; urgency=medium
+
+  * Updated the https URL for the APNIC TAL.
+
+ -- Marco d'Itri   Sat, 17 Apr 2021 11:55:56 +0200
+
+rpki-trust-anchors (20200621-2) unstable; urgency=medium
+
+  * Added a debconf translation: pt. (Closes: #982337)
+
+ -- Marco d'Itri   Sun, 28 Mar 2021 00:30:51 +0100
+
 rpki-trust-anchors (20200621-1) unstable; urgency=high
 
   * Fixed the https URL of the APNIC TAL. (Closes: #963268)
diff -Nru rpki-trust-anchors-20200621/debian/po/pt.po rpki-trust-anchors-20210417/debian/po/pt.po
--- rpki-trust-anchors-20200621/debian/po/pt.po	1970-01-01 01:00:00.0 +0100
+++ rpki-trust-anchors-20210417/debian/po/pt.po	2021-04-17 11:53:54.0 +0200
@@ -0,0 +1,49 @@
+# Translation of rpki-trust-anchors debconf messages to European Portuguese.
+# Copyright (C) 2021 THE rpki-trust-anchors'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the rpki-trust-anchors package.
+# Américo Monteiro , 2021.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: rpki-trust-anchors_20200621-1\n"
+"Report-Msgid-Bugs-To: rpki-trust-anch...@packages.debian.org\n"
+"POT-Creation-Date: 2019-12-14 17:54+0100\n"
+"PO-Revision-Date: 2021-02-08 23:33+\n"
+"Last-Translator: Américo Monteiro \n"
+"Language-Team: Portuguese <>\n"
+"Language: pt\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+"X-Generator: Lokalize 2.0\n"
+
+#. Type: boolean
+#. Description
+#: ../rpki-trust-anchors.templates:1001
+msgid "Do you accept the ARIN Relying Party Agreement (RPA)?"
+msgstr "Você aceita o Acordo ARIN Relying Party Agreement (RPA)?"
+
+#. Type: boolean
+#. Description
+#: ../rpki-trust-anchors.templates:1001
+msgid ""
+"ARIN forbids third parties from distributing the Trust Anchor Locator (TAL) "
+"for their RPKI repository, hence this package can download it only if you "
+"will agree to ARIN's conditions."
+msgstr ""
+"ARIN proíbe terceiros de distribuir o Trust Anchor Locator (TAL) para os "
+"seus repositórios RPKI, por isso este pacote apenas o pode descarregar se "
+"você concordar com as condições do ARIN."
+
+#. Type: boolean
+#. Description
+#: ../rpki-trust-anchors.templates:1001
+msgid ""
+"If you want that this package automatically download and installs the ARIN "
+"TAL, then you need to accept the ARIN Relying Party Agreement (RPA): https://;
+"www.arin.net/resources/manage/rpki/rpa.pdf ."
+msgstr ""
+"Se você quiser isso, este pacote descarrega e instala automaticamente o "
+"ARIN TAL, depois você precisa de aceitar o acordo ARIN Relying Party "
+"Agreement (RPA): https://www.arin.net/resources/manage/rpki/rpa.pdf ."
diff -Nru rpki-trust-anchors-20200621/tals/apnic.tal rpki-trust-anchors-20210417/tals/apnic.tal
--- rpki-trust-anchors-20200621/tals/apnic.tal	2020-06-21 19:06:44.0 +0200
+++ rpki-trust-anchors-20210417/tals/apnic.tal	2021-04-17 03:31:46.0 +0200
@@ -1,4 +1,4 @@
-https://tal.apnic.net/apnic.cer
+https://rpki.apnic.net/repository/apnic-rpki-root-iana-origin.cer
 rsync://rpki.apnic.net/repository/apnic-rpki-root-iana-origin.cer
 
 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx9RWSL61YAAYumEiU8z8


signature.asc
Description: PGP signature

Bug#987071: unblock: netbase/6.3

[Marco d'Itri]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package netbase

One port added.

unblock netbase/6.3

-- 
ciao,
Marco
diff -Nru netbase-6.2/debian/changelog netbase-6.3/debian/changelog
--- netbase-6.2/debian/changelog	2020-10-04 18:06:02.0 +0200
+++ netbase-6.3/debian/changelog	2021-03-27 23:33:28.0 +0100
@@ -1,3 +1,12 @@
+netbase (6.3) unstable; urgency=medium
+
+  * services: added ntske (4460/tcp). (Closes: #983592)
+  * services: removed the disclaimer about non-used transports.
+It is not relevant anymore because all such entries for ports assigned to
+non-used transports should have been removed starting from release 5.4.
+
+ -- Marco d'Itri   Sat, 27 Mar 2021 23:33:28 +0100
+
 netbase (6.2) unstable; urgency=medium
 
   * services: added https (443/udp) which was removed in 5.4 but now is
diff -Nru netbase-6.2/etc/services netbase-6.3/etc/services
--- netbase-6.2/etc/services	2020-10-04 16:27:46.0 +0200
+++ netbase-6.3/etc/services	2021-03-27 23:32:57.0 +0100
@@ -1,9 +1,5 @@
 # Network services, Internet style
 #
-# Note that it is presently the policy of IANA to assign a single well-known
-# port number for both TCP and UDP; hence, officially ports have two entries
-# even if the protocol doesn't support UDP operations.
-#
 # Updated from https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml .
 #
 # New ports will be added on request if they have been officially assigned
@@ -217,6 +213,7 @@
 epmd		4369/tcp			# Erlang Port Mapper Daemon
 remctl		4373/tcp		# Remote Authenticated Command Service
 f5-iquery	4353/tcp			# F5 iQuery
+ntske		4460/tcp	# Network Time Security Key Establishment
 ipsec-nat-t	4500/udp			# IPsec NAT-Traversal [RFC3947]
 iax		4569/udp			# Inter-Asterisk eXchange
 mtn		4691/tcp			# monotone Netsync Protocol


signature.asc
Description: PGP signature

Bug#987072: unblock: whois/5.5.9

[Marco d'Itri]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package whois

[ Reason ]
Updated the internal databases.

[ Impact ]
Will not work correctly for some domains.

[ Tests ]
No, anybody who cares feel free to contribute some.

[ Risks ]
Only data changes.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
Yes, VERSION is obviously wrong but it is in the package in testing as 
well.

unblock whois/5.5.9

-- 
ciao,
Marco
diff -Nru whois-5.5.8/debian/changelog whois-5.5.9/debian/changelog
--- whois-5.5.8/debian/changelog	2021-02-16 01:53:57.0 +0100
+++ whois-5.5.9/debian/changelog	2021-03-28 00:38:20.0 +0100
@@ -1,3 +1,11 @@
+whois (5.5.9) unstable; urgency=medium
+
+  * Updated the .ga TLD server.
+  * Removed the .cd and cf TLD servers.
+  * Removed 72 new gTLDs which are no longer active.
+
+ -- Marco d'Itri   Sun, 28 Mar 2021 00:38:20 +0100
+
 whois (5.5.8) unstable; urgency=medium
 
   * Added the .xn--4dbrk0ce (.ישראל, Israel) TLD server.
diff -Nru whois-5.5.8/new_gtlds_list whois-5.5.9/new_gtlds_list
--- whois-5.5.8/new_gtlds_list	2020-10-27 18:29:26.0 +0100
+++ whois-5.5.9/new_gtlds_list	2021-02-28 12:58:38.0 +0100
@@ -19,7 +19,6 @@
 accountant
 accountants
 aco
-active
 actor
 adac
 ads
@@ -32,7 +31,6 @@
 agakhan
 agency
 aig
-aigo
 airbus
 airforce
 airtel
@@ -121,14 +119,12 @@
 bio
 black
 blackfriday
-blanco
 blockbuster
 blog
 bloomberg
 blue
 bms
 bmw
-bnl
 bnpparibas
 boats
 boehringer
@@ -138,7 +134,6 @@
 boo
 book
 booking
-boots
 bosch
 bostik
 boston
@@ -179,10 +174,8 @@
 career
 careers
 cars
-cartier
 casa
 case
-caseih
 cash
 casino
 catering
@@ -191,7 +184,6 @@
 cbn
 cbre
 cbs
-ceb
 center
 ceo
 cern
@@ -204,10 +196,8 @@
 chat
 cheap
 chintai
-chloe
 christmas
 chrome
-chrysler
 church
 cipriani
 circle
@@ -301,11 +291,8 @@
 dnp
 docs
 doctor
-dodge
 dog
-doha
 domains
-doosan
 dot
 download
 drive
@@ -313,7 +300,6 @@
 dubai
 duck
 dunlop
-duns
 dupont
 durban
 dvag
@@ -329,19 +315,16 @@
 engineer
 engineering
 enterprises
-epost
 epson
 equipment
 ericsson
 erni
 esq
 estate
-esurance
 etisalat
 eurovision
 eus
 events
-everbank
 exchange
 expert
 exposed
@@ -381,7 +364,6 @@
 flir
 florist
 flowers
-flsmidth
 fly
 foo
 food
@@ -441,7 +423,6 @@
 goldpoint
 golf
 goo
-goodhands
 goodyear
 goog
 google
@@ -487,7 +468,6 @@
 homes
 homesense
 honda
-honeywell
 horse
 hospital
 host
@@ -499,7 +479,6 @@
 house
 how
 hsbc
-htc
 hughes
 hyatt
 hyundai
@@ -509,7 +488,6 @@
 icu
 ieee
 ifm
-iinet
 ikano
 imamat
 imdb
@@ -523,29 +501,24 @@
 institute
 insurance
 insure
-intel
 international
 intuit
 investments
 ipiranga
 irish
-iselect
 ismaili
 ist
 istanbul
 itau
 itv
 iveco
-iwc
 jaguar
 java
 jcb
-jcp
 jeep
 jetzt
 jewelry
 jio
-jlc
 jll
 jmp
 jnj
@@ -578,12 +551,10 @@
 kuokgroup
 kyoto
 lacaixa
-ladbrokes
 lamborghini
 lamer
 lancaster
 lancia
-lancome
 land
 landrover
 lanxess
@@ -601,7 +572,6 @@
 lego
 lexus
 lgbt
-liaison
 lidl
 life
 lifeinsurance
@@ -635,7 +605,6 @@
 ltd
 ltda
 lundbeck
-lupin
 luxe
 luxury
 macys
@@ -655,8 +624,6 @@
 maserati
 mattel
 mba
-mcd
-mcdonalds
 mckinsey
 med
 media
@@ -666,9 +633,7 @@
 memorial
 men
 menu
-meo
 merckmsd
-metlife
 miami
 microsoft
 mini
@@ -679,7 +644,6 @@
 mls
 mma
 mobile
-mobily
 moda
 moe
 moi
@@ -687,8 +651,6 @@
 monash
 money
 monster
-montblanc
-mopar
 mormon
 mortgage
 moscow
@@ -696,15 +658,11 @@
 motorcycles
 mov
 movie
-movistar
 msd
 mtn
-mtpc
 mtr
 mutual
-mutuelle
 nab
-nadex
 nagoya
 nationwide
 natura
@@ -716,7 +674,6 @@
 network
 neustar
 new
-newholland
 news
 next
 nextdirect
@@ -760,16 +717,13 @@
 oracle
 orange
 organic
-orientexpress
 origins
 osaka
 otsuka
 ott
 ovh
 page
-pamperedchef
 panasonic
-panerai
 paris
 pars
 partners
@@ -788,7 +742,6 @@
 photography
 photos
 physio
-piaget
 pics
 pictet
 pictures
@@ -858,7 +811,6 @@
 rich
 richardli
 ricoh
-rightathome
 ril
 rio
 rip
@@ -886,7 +838,6 @@
 sandvikcoromant
 sanofi
 sap
-sapo
 sarl
 sas
 save
@@ -903,7 +854,6 @@
 schwarz
 science
 scjohnson
-scor
 scot
 search
 seat
@@ -931,7 +881,6 @@
 shouji
 show
 showtime
-shriram
 silk
 sina
 singles
@@ -956,19 +905,15 @@
 soy
 spa
 space
-spiegel
 sport
 spot
 spreadbetting
 srl
-srt
 stada
 staples
 star
-starhub
 statebank
 statefarm
-statoil
 stc
 stcgroup
 stockholm
@@ -989,7 +934,6 @@
 swiftcover
 swiss
 sydney
-symantec
 systems
 tab
 taipei
@@ -1006,8 +950,6 @@
 team
 tech
 technology
-telecity
-telefonica
 temasek
 tennis
 teva
@@ -1051,7 +993,6 @@
 tvs
 ubank
 ubs
-uconnect
 unicom
 university
 uno
@@ -1075,8 +1016,6 @@
 virgin
 visa
 vision
-vista
-vistaprint
 viva
 vivo
 vlaanderen
@@ -1093,7 +1032,6 @@
 walter
 wang
 wanggou
-warman
 watch
 watches
 weather
@@ -1146,8 +1084,6 @@
 xn--6qq986b3xl
 xn--80adxhks
 xn--80aqecdr1a
-xn--80asehdb
-xn--80aswg
 xn--8y0a063a
 xn--9dbq2a
 xn

Bug#987013: Release goal proposal: Remove Berkeley DB

[Marco d'Itri]

On Apr 16, Bastian Blank  wrote:

> postfix is easy.  Would inn2 be license compliant with a AGPL licensed
> BDB, aka able to provide the source to it's users, or what is the plan
> anyway?
The plan is to continue using 5.3, not upgrading.

>  slapd defaults to LMDB since several years and you need to
> explicitely specify the bdb or hdb backend.
Sure, but the point was how to convert existing systems.

-- 
ciao,
Marco


signature.asc
Description: PGP signature

Bug#987013: Release goal proposal: Remove Berkeley DB

[Marco d'Itri]

On Apr 15, Bastian Blank  wrote:

> After this time we really should try to get rid of this package, which
> even is NMU maintained since three years.
I am not persuaded. I maintain libberkeleydb-perl and it works fine, it 
is mature software.

But even if we agree that all the libdb5.3 reverse dependencies must 
migrate to a different database then probably we will need to keep 
around db5.3-util (and its dependency libdb5.3) to allow dumping and 
restoring the databases.
Not all software uses libdb as a cache which can just be regenerated 
and/or supports multiple databases and has internal dump/restore tools.

And then all the packages currently depending on libdb5.3 will need to 
implement, or at least document, a transition strategy.
Let me just mention postfix (easy), inn2 (possible but very resources 
intensive) and slapd (I am not sure, but it is critical and scary).

-- 
ciao,
Marco


signature.asc
Description: PGP signature

Bug#939526: buster-pu: package inn2/2.6.3-1+deb10u1

[Marco d'Itri]

Control: retitle -1 buster-pu: package inn2/2.6.3-1+deb10u2

Bug #931256 explains in detail why TLS is broken in inn2 in buster, due 
to the policies of newer openssl versions.

As noticed by Adam D. Barratt, the original patch had a bug: it was 
then solved by the upstream maintainer and the fix has been one month in 
testing now.


diff -Nru inn2-2.6.3/debian/changelog inn2-2.6.3/debian/changelog
--- inn2-2.6.3/debian/changelog 2019-02-17 17:52:36.0 +0100
+++ inn2-2.6.3/debian/changelog 2019-10-06 00:51:59.0 +0200
@@ -1,3 +1,11 @@
+inn2 (2.6.3-1+deb10u2) buster; urgency=medium
+
+  * Backported upstream changeset 10344 to fix negotiation of DHE
+ciphersuites. (See #931256.)
+  * Backported upstream changeset 10348 to fix upstream changeset 10344.
+
+ -- Marco d'Itri   Sun, 06 Oct 2019 00:51:59 +0200
+
 inn2 (2.6.3-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru inn2-2.6.3/debian/patches/changeset_10344 
inn2-2.6.3/debian/patches/changeset_10344
--- inn2-2.6.3/debian/patches/changeset_10344   1970-01-01 01:00:00.0 
+0100
+++ inn2-2.6.3/debian/patches/changeset_10344   2019-09-05 22:34:04.0 
+0200
@@ -0,0 +1,202 @@
+Index: a/nnrpd/tls.c
+===
+--- a/nnrpd/tls.c  (revision 10342)
 a/nnrpd/tls.c  (revision 10344)
+@@ -96,45 +96,58 @@
+ 
+ /*
+-**  Hardcoded DH parameter files, from OpenSSL.
+-**  For information on how these files were generated, see
+-**  "Assigned Number for SKIP Protocols" 
+-**  <http://www.skip-vpn.org/spec/numbers.html>.
+-*/
+-static const char file_dh512[] =
++**  Hardcoded DH parameter files.
++**  These are pre-defined DH groups recommended by RFC 7919 (Appendix A),
++**  that have been audited and therefore supposed to be more
++**  resistant to attacks than ones randomly generated.
++*/
++static const char file_ffdhe2048[] = \
+ "-BEGIN DH PARAMETERS-\n\
+-MEYCQQD1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWak\n\
+-XUGfnHy9iUsiGSa6q6Jew1XpKgVfAgEC\n\
++MIIBCAKCAQEA//+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n\
+++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n\
++87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n\
++YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n\
++7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n\
++ssbzSibBsu/6iGtCOGEoXJf//wIBAg==\n\
+ -END DH PARAMETERS-\n";
+ 
+-static const char file_dh1024[] =
++static const char file_ffdhe4096[] = \
+ "-BEGIN DH PARAMETERS-\n\
+-MIGHAoGBAPSI/VhOSdvNILSd5JEHNmszbDgNRR0PfIizHHxbLY7288kjwEPwpVsY\n\
+-jY67VYy4XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6\n\
+-ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpL3jHAgEC\n\
++MIICCAKCAgEA//+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n\
+++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n\
++87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n\
++YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n\
++7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n\
++ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3\n\
++7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32\n\
++nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e\n\
++8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx\n\
++iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K\n\
++zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//8CAQI=\n\
+ -END DH PARAMETERS-\n";
+ 
+-static const char file_dh2048[] =
++static const char file_ffdhe8192[] = \
+ "-BEGIN DH PARAMETERS-\n\
+-MIIBCAKCAQEA9kJXtwh/CBdyorrWqULzBej5UxE5T7bxbrlLOCDaAadWoxTpj0BV\n\
+-89AHxstDqZSt90xkhkn4DIO9ZekX1KHTUPj1WV/cdlJPPT2N286Z4VeSWc39uK50\n\
+-T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq01uejaClcjrUGvC/RgBYK+X0iP1YTknb\n\
+-zSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O9vPJI8BD8KVbGI2Ou1WMuF040zT9fBdX\n\
+-Q6MdGGzeMyEstSr/POGxKUAYEY18hKcKctaGxAMZyAcpesqVDNmWn6vQClCbAkbT\n\
+-CD1mpF1Bn5x8vYlLIhkmuquiXsNV6TILOwIBAg==\n\
+--END DH PARAMETERS-\n";
+-
+-static const char file_dh4096[] =
+-"-BEGIN DH PARAMETERS-\n\
+-MIICCAKCAgEA+hRyUsFN4VpJ1O8JLcCo/VWr19k3BCgJ4uk+d+KhehjdRqNDNyOQ\n\
+-l/MOyQNQfWXPeGKmOmIig6Ev/nm6Nf9Z2B1h3R4hExf+zTiHnvVPeRBhjdQi81rt\n\
+-Xeoh6TNrSBIKIHfUJWBh3va0TxxjQIs6IZOLeVNRLMqzeylWqMf49HsIXqbcokUS\n\
+-Vt1BkvLdW48j8PPv5DsKRN3tloTxqDJGo9tKvj1Fuk74A+Xda1kNhB7KFlqMyN98\n\
+-VETEJ6c7KpfOo30mnK30wqw3S8OtaIR/maYX72tGOno2ehFDkq3pnPtEbD2CScxc\n\
+-alJC+EL7RPk5c/tgeTvCngvc1KZn92Y//EI7G9tPZtylj2b56sHtMftIoYJ9+ODM\n\
+-sccD5Piz/rejE3Ome8EOOceUSCYAhXn8b3qvxVI1ddd1pED6FHRhFvLrZxFvBEM9\n\
+-ERRMp5QqOaHJkM+Dxv8Cj6MqrCbfC4u+ZErxodzuusgDgvZiLF22uxMZbobFWyte\n\
+-OvOzKGtwcTqO/1wV5gKkzu1ZVswVUQd5Gg8lJicwqRWyyNRczDDoG9jVDxmogKTH\n\
+-AaqLulO7R8Ifa1SwF2DteSGVtgWEN8gDpN3RBmmPTDngyF2DHb5qmpnznwtFKdTL\n\
+-KWbuHn491xN

Bug#939526: buster-pu: package inn2/2.6.3-1~deb10u1

[Marco d'Itri]

On Sep 17, "Adam D. Barratt"  wrote:

> Shouldn't the assignment to "r" be outside of the conditional? Otherwise, if
> ffdheX has previously been initialised, the function will return NULL rather
> than the previously loaded buffer.
Thank you, upstream confirmed.
I did a new upload to unstable and will re-upload to pu next week.

-- 
ciao,
Marco


signature.asc
Description: PGP signature

Bug#939526: buster-pu: package inn2/2.6.3-1~deb10u1

[Marco d'Itri]

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Bug #931256 explains in detail why TLS is broken in inn2 in buster, due 
to the policies of newer openssl versions.

This same patch has been in 2.6.3-2 in unstable/testing for two weeks.

diff -Nru inn2-2.6.3/debian/changelog inn2-2.6.3/debian/changelog
--- inn2-2.6.3/debian/changelog 2019-02-17 17:52:36.0 +0100
+++ inn2-2.6.3/debian/changelog 2019-09-05 23:25:56.0 +0200
@@ -1,3 +1,10 @@
+inn2 (2.6.3-1~deb10u1) buster; urgency=medium
+
+  * Backported upstream changeset 10344 to fix negotiation of DHE
+ciphersuites. (See #931256.)
+
+ -- Marco d'Itri   Thu, 05 Sep 2019 23:25:56 +0200
+
 inn2 (2.6.3-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru inn2-2.6.3/debian/patches/changeset_10344 
inn2-2.6.3/debian/patches/changeset_10344
--- inn2-2.6.3/debian/patches/changeset_10344   1970-01-01 01:00:00.0 
+0100
+++ inn2-2.6.3/debian/patches/changeset_10344   2019-09-05 22:34:04.0 
+0200
@@ -0,0 +1,202 @@
+Index: a/nnrpd/tls.c
+===
+--- a/nnrpd/tls.c  (revision 10342)
 a/nnrpd/tls.c  (revision 10344)
+@@ -96,45 +96,58 @@
+ 
+ /*
+-**  Hardcoded DH parameter files, from OpenSSL.
+-**  For information on how these files were generated, see
+-**  "Assigned Number for SKIP Protocols" 
+-**  <http://www.skip-vpn.org/spec/numbers.html>.
+-*/
+-static const char file_dh512[] =
++**  Hardcoded DH parameter files.
++**  These are pre-defined DH groups recommended by RFC 7919 (Appendix A),
++**  that have been audited and therefore supposed to be more
++**  resistant to attacks than ones randomly generated.
++*/
++static const char file_ffdhe2048[] = \
+ "-BEGIN DH PARAMETERS-\n\
+-MEYCQQD1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWak\n\
+-XUGfnHy9iUsiGSa6q6Jew1XpKgVfAgEC\n\
++MIIBCAKCAQEA//+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n\
+++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n\
++87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n\
++YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n\
++7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n\
++ssbzSibBsu/6iGtCOGEoXJf//wIBAg==\n\
+ -END DH PARAMETERS-\n";
+ 
+-static const char file_dh1024[] =
++static const char file_ffdhe4096[] = \
+ "-BEGIN DH PARAMETERS-\n\
+-MIGHAoGBAPSI/VhOSdvNILSd5JEHNmszbDgNRR0PfIizHHxbLY7288kjwEPwpVsY\n\
+-jY67VYy4XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6\n\
+-ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpL3jHAgEC\n\
++MIICCAKCAgEA//+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n\
+++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n\
++87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n\
++YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n\
++7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n\
++ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3\n\
++7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32\n\
++nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e\n\
++8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx\n\
++iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K\n\
++zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//8CAQI=\n\
+ -END DH PARAMETERS-\n";
+ 
+-static const char file_dh2048[] =
++static const char file_ffdhe8192[] = \
+ "-BEGIN DH PARAMETERS-\n\
+-MIIBCAKCAQEA9kJXtwh/CBdyorrWqULzBej5UxE5T7bxbrlLOCDaAadWoxTpj0BV\n\
+-89AHxstDqZSt90xkhkn4DIO9ZekX1KHTUPj1WV/cdlJPPT2N286Z4VeSWc39uK50\n\
+-T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq01uejaClcjrUGvC/RgBYK+X0iP1YTknb\n\
+-zSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O9vPJI8BD8KVbGI2Ou1WMuF040zT9fBdX\n\
+-Q6MdGGzeMyEstSr/POGxKUAYEY18hKcKctaGxAMZyAcpesqVDNmWn6vQClCbAkbT\n\
+-CD1mpF1Bn5x8vYlLIhkmuquiXsNV6TILOwIBAg==\n\
+--END DH PARAMETERS-\n";
+-
+-static const char file_dh4096[] =
+-"-BEGIN DH PARAMETERS-\n\
+-MIICCAKCAgEA+hRyUsFN4VpJ1O8JLcCo/VWr19k3BCgJ4uk+d+KhehjdRqNDNyOQ\n\
+-l/MOyQNQfWXPeGKmOmIig6Ev/nm6Nf9Z2B1h3R4hExf+zTiHnvVPeRBhjdQi81rt\n\
+-Xeoh6TNrSBIKIHfUJWBh3va0TxxjQIs6IZOLeVNRLMqzeylWqMf49HsIXqbcokUS\n\
+-Vt1BkvLdW48j8PPv5DsKRN3tloTxqDJGo9tKvj1Fuk74A+Xda1kNhB7KFlqMyN98\n\
+-VETEJ6c7KpfOo30mnK30wqw3S8OtaIR/maYX72tGOno2ehFDkq3pnPtEbD2CScxc\n\
+-alJC+EL7RPk5c/tgeTvCngvc1KZn92Y//EI7G9tPZtylj2b56sHtMftIoYJ9+ODM\n\
+-sccD5Piz/rejE3Ome8EOOceUSCYAhXn8b3qvxVI1ddd1pED6FHRhFvLrZxFvBEM9\n\
+-ERRMp5QqOaHJkM+Dxv8Cj6MqrCbfC4u+ZErxodzuusgDgvZiLF22uxMZbobFWyte\n\
+-OvOzKGtwcTqO/1wV5gKkzu1ZVswVUQd5Gg8lJicwqRWyyNRczDDoG9jVDxmogKTH\n\
+-AaqLulO7R8Ifa1SwF2DteSGVtgWEN8gDpN3RBmmPTDngyF2DHb5qmpnznwtFKdTL\n\
+-KWbuHn491xNO25CQWMtem80uKw+pTnisBRF/454n1Jnhub144YRBoN8CAQI=\n\
++MIIECAKCBAEA//+t+FRYortKm

Bug#930429: unblock: whois/5.4.3

[Marco d'Itri]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package whois because RIPE was assigned a new network by 
IANA and without this change it will report all newly allocated networks 
in Europe as "unknown" (es: "whois 2a10:::").

The timing is a bit unfortunate since the last update of this data was 
in 2006...

unblock whois/5.4.3

diff -Nru whois-5.4.2/debian/changelog whois-5.4.3/debian/changelog
--- whois-5.4.2/debian/changelog2019-03-28 00:48:28.0 +0100
+++ whois-5.4.3/debian/changelog2019-06-12 15:03:56.0 +0200
@@ -1,3 +1,9 @@
+whois (5.4.3) unstable; urgency=medium
+
+  * Added the new 2a10:::/12 IPv6 assignment to RIPE.
+
+ -- Marco d'Itri   Wed, 12 Jun 2019 15:03:56 +0200
+
 whois (5.4.2) unstable; urgency=medium
 
   * Added the .ss and .xn--mgbah1a3hjkrd (موريتانيا, Mauritania) TLD
diff -Nru whois-5.4.2/ip6_del_list whois-5.4.3/ip6_del_list
--- whois-5.4.2/ip6_del_list2018-01-21 01:24:51.0 +0100
+++ whois-5.4.3/ip6_del_list2019-06-12 15:01:48.0 +0200
@@ -41,5 +41,6 @@
 2620:::/23 arin
 2800:::/12 lacnic
 2A00:::/12 ripe
+2A10:::/12 ripe
 2C00:::/12 afrinic
 
-- 
ciao,
Marco


signature.asc
Description: PGP signature

Bug#930394: unblock: usrmerge/22

[Marco d'Itri]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package usrmerge to support installing the fixed 
molly-guard in buster.

unblock usrmerge/22


diff -Nru usrmerge-21/debian/changelog usrmerge-22/debian/changelog
--- usrmerge-21/debian/changelog2019-02-17 17:44:25.0 +0100
+++ usrmerge-22/debian/changelog2019-06-09 14:54:21.0 +0200
@@ -1,3 +1,10 @@
+usrmerge (22) unstable; urgency=medium
+
+  * Added a version to the conflict with molly-guard (see #914716).
+(Closes: #914716)
+
+ -- Marco d'Itri   Sun, 09 Jun 2019 14:54:21 +0200
+
 usrmerge (21) unstable; urgency=medium
 
   * Added a version to the conflict with ebtables (see #912046).
diff -Nru usrmerge-21/debian/control usrmerge-22/debian/control
--- usrmerge-21/debian/control  2019-02-17 17:41:06.0 +0100
+++ usrmerge-22/debian/control  2019-06-07 23:58:57.0 +0200
@@ -2,7 +2,7 @@
 Section: admin
 Priority: optional
 Maintainer: Marco d'Itri 
-Standards-Version: 4.2.1.1
+Standards-Version: 4.3.0.3
 Rules-Requires-Root: no
 Build-Depends: debhelper (>= 10), po-debconf
 Vcs-Git: https://salsa.debian.org/md/usrmerge.git
@@ -34,7 +34,7 @@
  libpng12-0 (<< 1.2.54-4~),
  libusb-0.1-4 (<< 2:0.1.12-28~),
  mksh (<< 52b-1~),
- molly-guard,
+ molly-guard (<< 0.7.1+exp1~),
  musl-dev (<< 1.1.9-1.1~),
  nano (<< 2.3.99pre3-1~),
  open-iscsi (<< 2.0.873+git0.3b4b4500-13~),


-- 
ciao,
Marco


signature.asc
Description: PGP signature

Bug#929625: unblock: bird/1.6.6-1

[Marco d'Itri]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock the bird package because the version in testing has some 
serious bugs about routes propagation, better explained in the attached 
diff.

This was discussed in #928141, where one of the upstream maintainers 
recommended that 1.6.6 should get into testing.

The version currently in unstable has been in unstable for three months 
without any issues, and is the one that I am using in production (while 
the one currently in testing was toxic in my environment).

I am not the bird maintainer, but Ondřej looks busy and I am sure that 
he will not mind me requesting this.

I am attaching a debdiff from which I removed the generated files and 
some documentation/example changes not relevant for the Debian package.

unblock bird/1.6.6-1

-- 
ciao,
Marco
diff -Nru bird-1.6.5/ChangeLog bird-1.6.6/ChangeLog
--- bird-1.6.5/ChangeLog	2019-01-07 16:29:04.0 +0100
+++ bird-1.6.6/ChangeLog	2019-03-01 00:13:32.0 +0100
@@ -1,3 +1,86 @@
+commit b5d1903bf6ce454716e97828e6e4062bf17ac000
+Author: Ondrej Zajicek (work) 
+Date:   Tue Feb 26 18:10:04 2019 +0100
+
+NEWS and version update
+
+commit 2e7ee1c9d3158603c3b01bbef8559092ae46ae84
+Author: Ondrej Zajicek (work) 
+Date:   Fri Feb 22 02:33:01 2019 +0100
+
+Nest: Do not compare rte.flags during rte_update()
+
+Route flags are mosty internal state of rtable, they are not significant
+to whether a route has changed. With the old code, all routes received as
+a part of enhanced route refresh are always re-announced to other peers
+due to change in REF_STALE.
+
+commit 797969983d38149f4a0ea1f960becfac88fc2b8e
+Author: Ondrej Zajicek (work) 
+Date:   Tue Feb 19 18:32:45 2019 +0100
+
+Doc: Detect SP/OpenSP automatically
+
+commit b3fceeba30bd6a685de0aa17dbe6bcfd77d1ca29
+Author: Ondrej Zajicek (work) 
+Date:   Tue Feb 19 16:21:52 2019 +0100
+
+Nest: Prevent withdraws from propagation back to source protocol (for accepted mode)
+
+Update for one of previous patches, handles the the issue for
+first-accepted mode of route propagation.
+
+commit 2dd9800ab51a309add1c56aa9659c41f30481299
+Author: Ondrej Zajicek (work) 
+Date:   Tue Feb 19 16:00:30 2019 +0100
+
+Nest: Improve export counter handling
+
+One of previous workarounds for phantom route avoidance breaks export
+counters by expanding sending of spurious withdraws, which are send when
+we are not sure whether we have advertised that routes in the past.
+If not, then export counter is decreased, but it was not increased
+before, so it overflows under zero.
+
+The patch fixes that by sending spurious withdraws, but not counting them
+on export counter. That may lead to error in the other direction, but
+that happens only as a race condition (i.e., in normal operation filters
+return proper values about old route export state).
+
+commit b4438e40efa498325f38f0bf4681ecb2bbba4da7
+Author: Ondrej Zajicek (work) 
+Date:   Wed Jan 30 17:03:30 2019 +0100
+
+Nest: Prevent withdraws from propagation back to source protocol
+
+The earlier fix loosen conditions for not running filters on old
+route when deciding about route propagation to a protocol to avoid
+issues with ghost routes in some race conditions.
+
+Unfortunately, the fix also caused back-propagation of withdraws. For
+regular updates, back-propagation is prevented in import_control hooks,
+but these are not called on withdraws. For them, import_control hooks
+are called on old routes instead, changing (old, NULL) notification
+to (NULL, NULL), which is ignored. By not calling export processing
+in some cases, the withdraw is not ignored and is back-propagated.
+
+This patch fixes that by contract conditions so the earlier fix is not
+applied to back-propagated updates.
+
+commit ccb37330d062712935b3f3b9c236322d20c177f6
+Author: Ondrej Zajicek (work) 
+Date:   Sat Jan 26 21:03:36 2019 +0100
+
+Doc: Add documentation for OSPF retransmit delay option
+
+Thanks to Igor Podlesny for notification.
+
+commit e99e7d1c2de3a9b1a737735be2936dadf6ed1ab4
+Author: Ondrej Filip 
+Date:   Mon Jan 7 12:26:21 2019 +0100
+
+Added documentation for 'disable after cease'
+
 commit ef8974b7ca7595bc2685b222aa4822c13349a2e1
 Author: Ondrej Zajicek (work) 
 Date:   Sat Jan 5 00:37:31 2019 +0100
diff -Nru bird-1.6.5/debian/changelog bird-1.6.6/debian/changelog
--- bird-1.6.5/debian/changelog	2019-01-15 09:56:09.0 +0100
+++ bird-1.6.6/debian/changelog	2019-03-03 08:56:10.0 +0100
@@ -1,3 +1,9 @@
+bird (1.6.6-1) unstable; urgency=medium
+
+  * New upstream version 1.6.6
+
+ -- Ondřej Surý   Sun, 03 Mar 2019 07:56:10 +
+
 bird (1.6.5-1) unstable; urgency=medium
 
   * New upstream version 1.6.5
@@ -187,7 +193,7 @@
 bird (1.4.2-1) unstable; urgency=medium
 
   * New upstream version 

Re: fixing debian-security-support upgrades from stretch (for good)

[Marco d'Itri]

On May 13, Holger Levsen  wrote:

> So I think this can only be fixed properly (=without asking people to
> upgrade to the latest stretch pointrelease but instead allowing upgrades
> to buster from *any* stretch pointrelease) by adding a "pre-depends:
> debian-security-support (>= 2019.04.25)" to base-files in buster.
I strongly object to adding this package, and its dependency 
gettext-base, to the transitive essential set.
There are many situations where this package is not needed (e.g. 
containers, where Debian is already quite suboptimal) and it is wrong to 
force it on every system because it wastes disk space and may cause 
future troubles (and it already doing this now).

This is not acceptable for a package with such a low popcon ranking.

I tried installing it (I had never heard of it before) and I see that it 
immediately complains about the version of binutils currently in 
unstable, so I also have serious doubts about the usefulness of 
a security tool which will always report an alarm.

-- 
ciao,
Marco


signature.asc
Description: PGP signature

Bug#928148: RM: libxcrypt/1:4.1.1-1

[Marco d'Itri]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

Since more recent versions of the package have been stuck in NEW for 
over six months there is no point in shipping in buster this old version 
which nobody should use anyway.
libxcrypt (libcrypt2, libcrypt2-dev) has no reverse depends.

-- 
ciao,
Marco


signature.asc
Description: PGP signature

Bug#925885: unblock: whois/5.4.2

[Marco d'Itri]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package whois

.in and the related IDN TLDs do not work anymore without this patch.
Also, added two new TLDs and some minor bug fixes.

diff --git a/debian/changelog b/debian/changelog
index 706a170..93cb4cc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+whois (5.4.2) unstable; urgency=medium
+
+  * Added the .ss and .xn--mgbah1a3hjkrd (موريتانيا, Mauritania) TLD
+servers.
+  * Updated the .in TLD and related IDN TLDs servers.
+  * Updated the .fm TLD server.
+
+ -- Marco d'Itri   Thu, 28 Mar 2019 00:48:28 +0100
+
 whois (5.4.1) unstable; urgency=medium
 
   * Added the .mw TLD server.
diff --git a/po/pl.po b/po/pl.po
index fa7ba40..4d021cf 100644
--- a/po/pl.po
+++ b/po/pl.po
(omitted)
diff --git a/tld_serv_list b/tld_serv_list
index 27b74e9..421daa5 100644
--- a/tld_serv_list
+++ b/tld_serv_list
@@ -141,7 +141,7 @@
 .fiwhois.fi
 .fjwhois.usp.ac.fj
 .fkNONE# http://www.fidc.co.fk/
-.fmWEB http://dot.fm/whois/
+.fmwhois.nic.fm
 .fowhois.nic.fo
 .frwhois.nic.fr
 .gawhois.dot.ga# www.my.ga
@@ -173,7 +173,7 @@
 .iewhois.iedr.ie
 .ilwhois.isoc.org.il
 .imwhois.nic.im
-.inwhois.inregistry.net# afilias
+.inwhois.registry.in
 .iowhois.nic.io
 .iqwhois.cmc.iq# http://www.cmc.iq/en/iq.html
 .irwhois.nic.ir
@@ -280,7 +280,7 @@
 .snwhois.nic.sn
 .sowhois.nic.so
 .srNONE# www.register.sr
-#.ss
+.sswhois.nic.ss
 .stwhois.nic.st
 .suwhois.tcinet.ru
 .svWEB http://www.svnet.org.sv/
@@ -350,11 +350,11 @@
 
 # AW means that I had to guess the whois server name, but I was not able
 # to find any registered subdomains to verify it.
-.xn--2scrj9c   whois.inregistry.net# India
+.xn--2scrj9c   whois.registry.in   # India
 .xn--3e0b707e  whois.kr# Korea, Republic of
-.xn--3hcrj9c   whois.inregistry.net# India
-.xn--45br5cyl  whois.inregistry.net# India
-.xn--45brj9c   whois.inregistry.net# India, Bengali AW
+.xn--3hcrj9c   whois.registry.in   # India
+.xn--45br5cyl  whois.registry.in   # India
+.xn--45brj9c   whois.registry.in   # India, Bengali AW
 .xn--54b7fta0ccNONE# Bangladesh
 .xn--80ao21a   whois.nic.kz# Kazakhstan
 .xn--90a3acwhois.rnids.rs  # Serbia
@@ -365,12 +365,12 @@
 .xn--e1a4c whois.eu# European Union, Cyrillic AW
 .xn--fiqs8scwhois.cnnic.cn # China, Simplified Chinese
 .xn--fiqz9scwhois.cnnic.cn # China, Traditional Chinese
-.xn--fpcrj9c3d whois.inregistry.net# India, Telugu AW
+.xn--fpcrj9c3d whois.registry.in   # India, Telugu AW
 .xn--fzc2c9e2c whois.nic.lk# Sri Lanka, Sinhala
-.xn--gecrj9c   whois.inregistry.net# India, Gujarati AW
-.xn--h2breg3evewhois.inregistry.net# India
-.xn--h2brj9c8c whois.inregistry.net# India
-.xn--h2brj9c   whois.inregistry.net# India, Hindi AW
+.xn--gecrj9c   whois.registry.in   # India, Gujarati AW
+.xn--h2breg3evewhois.registry.in   # India
+.xn--h2brj9c8c whois.registry.in   # India
+.xn--h2brj9c   whois.registry.in   # India, Hindi AW
 .xn--j1amh whois.dotukr.com# Ukraine
 .xn--j6w193g   whois.hkirc.hk  # Hong Kong
 .xn--kprw13d   whois.twnic.net.tw  # Taiwan, Simplified Chinese
@@ -380,13 +380,14 @@
 .xn--mgb9awbf  whois.registry.om   # Oman
 .xn--mgba3a4f16a   whois.nic.ir# Iran
 .xn--mgbaam7a8hwhois.aeda.net.ae   # United Arab Emirates
+.xn--mgbah1a3hjkrd whois.nic.mr# Mauritania
 .xn--mgbai9azgqp6j NONE# Pakistan
 .xn--mgbayh7gpaWEB http://idn.jo/whois_a.aspx  # Jordan
-.xn--mgbbh1a71ewhois.inregistry.net# India, Urdu AW
-.xn--mgbbh1a   whois.inregistry.net# India
+.xn--mgbbh1a71ewhois.registry.in   # India, Urdu AW
+.xn--mgbbh1a   whois.registry.in   # India
 .xn--mgbc0a9azcg   NONE# Morocco
 .xn--mgberp4a5d4ar whois.nic.net.sa# Saudi Arabia
-.xn--mgbgu82a  whois.inregistry.net# India
+.xn--mgbgu82a  whois.registry.in   # India
 .xn--mgbpl2fh  NONE# Sudan
 .xn--mgbtx2b   whois.cmc.iq# Iraq
 .xn--mgbx4cd0abwhois.mynic.my  # Malaysia AW
@@ -397,12 +398,12 @@
 .xn--p1ai  whois.tcinet.ru # Russian Federation
 .xn--pgbs0dh   NONE# Tunisia
 .xn--qxam  WEB https://grweb.ics.forth.gr

Bug#882391: nmu: inn2_2.6.1-2

[Marco d'Itri]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

inn2 needs to be rebuilt for i386 on stable to fix #882225, because the 
original package was built in a merged-/usr environment and the 
configure script picked up the wrong path for gzip.

nmu inn2_2.6.1-2 . i386 . stretch . -m "binNMU to fix the gzip path. (Closes: 
#882225)"

-- 
ciao,
Marco


signature.asc
Description: PGP signature

Bug#869920: stretch-pu: package whois/5.2.17+deb9u1

[Marco d'Itri]

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

ICANN mandated a whois output change that broke the .com, .net, .jobs, 
.bz, .cc and .tv gTLDs, so we need a stable update.
At the same time I would also like to fix support for 6to4 IP addresses, 
which I forgot to upload in time for the release.
The other changes are just database updates.


diff -Nru whois-5.2.15/debian/changelog whois-5.2.17+deb9u1/debian/changelog
--- whois-5.2.15/debian/changelog   2017-02-27 00:37:41.0 +0100
+++ whois-5.2.17+deb9u1/debian/changelog2017-07-27 17:45:04.0 
+0200
@@ -1,3 +1,32 @@
+whois (5.2.17+deb9u1) unstable; urgency=high
+
+  * Rebuilt for stretch.
+
+ -- Marco d'Itri <m...@linux.it>  Thu, 27 Jul 2017 17:45:04 +0200
+
+whois (5.2.17) unstable; urgency=high
+
+  * Fixed whois referrals for .com, .net, .jobs, .bz, .cc and .tv, broken
+by an ICANN-mandated output change:
+https://www.icann.org/resources/pages/rdds-labeling-policy-2017-02-01-en
+  * Added the .xn--2scrj9c (ಭಾರತ, India), .xn--3hcrj9c (ଭାରତ, India),
+.xn--45br5cyl (ভাৰত, India), .xn--h2breg3eve (भारतम्, India),
+.xn--h2brj9c8c (भारोत, India), .xn--mgbbh1a (ﺏﺍﺮﺗ, India),
+.xn--mgbgu82a (ڀﺍﺮﺗ, India) and .xn--rvc1e0am3e (ഭാരതം, India)
+TLD servers.
+  * Updated the list of new gTLDs.
+  * whois.1: fixed a typo. (Closes: #866742)
+
+ -- Marco d'Itri <m...@linux.it>  Thu, 27 Jul 2017 17:08:47 +0200
+
+whois (5.2.16) unstable; urgency=medium
+
+  * Fixed parsing of 6to4 addresses broken in 5.2.15.
+  * Updated the .do TLD server.
+  * Updated the list of new gTLDs.
+
+ -- Marco d'Itri <m...@linux.it>  Mon, 13 Mar 2017 01:40:38 +0100
+
 whois (5.2.15) unstable; urgency=medium
 
   * Updated the .gf and .mq TLD servers.
diff -Nru whois-5.2.15/new_gtlds_list whois-5.2.17+deb9u1/new_gtlds_list
--- whois-5.2.15/new_gtlds_list 2017-02-27 00:37:41.0 +0100
+++ whois-5.2.17+deb9u1/new_gtlds_list  2017-07-27 17:44:55.0 +0200
@@ -60,6 +60,7 @@
 app
 apple
 aquarelle
+arab
 aramco
 archi
 army
@@ -333,6 +334,7 @@
 esq
 estate
 esurance
+etisalat
 eurovision
 eus
 events
@@ -446,6 +448,7 @@
 gratis
 green
 gripe
+grocery
 group
 guardian
 gucci
@@ -487,6 +490,7 @@
 hosting
 hot
 hoteles
+hotels
 hotmail
 house
 how
@@ -635,6 +639,7 @@
 man
 management
 mango
+map
 market
 marketing
 markets
@@ -655,6 +660,7 @@
 men
 menu
 meo
+merckmsd
 metlife
 miami
 microsoft
@@ -768,6 +774,7 @@
 pet
 pfizer
 pharmacy
+phd
 philips
 phone
 photo
@@ -855,6 +862,7 @@
 rogers
 room
 rsvp
+rugby
 ruhr
 run
 rwe
@@ -890,6 +898,7 @@
 scjohnson
 scor
 scot
+search
 seat
 secure
 security
@@ -1169,6 +1178,7 @@
 xn--kput3i
 xn--mgba3a3ejt
 xn--mgba7c0bbn0a
+xn--mgbaakc7dvf
 xn--mgbab2bd
 xn--mgbb9fbpob
 xn--mgbca7dzdo
@@ -1178,6 +1188,7 @@
 xn--mxtq1m
 xn--ngbc5azd
 xn--ngbe9e0a
+xn--ngbrx
 xn--nqv7f
 xn--nqv7fs00ema
 xn--nyqy26a
diff -Nru whois-5.2.15/tld_serv_list whois-5.2.17+deb9u1/tld_serv_list
--- whois-5.2.15/tld_serv_list  2017-02-27 00:37:41.0 +0100
+++ whois-5.2.17+deb9u1/tld_serv_list   2017-07-27 17:44:55.0 +0200
@@ -127,7 +127,7 @@
 .djWEB http://www.nic.dj/whois.php
 .dkwhois.dk-hostmaster.dk
 .dmwhois.nic.dm
-.doWEB http://www.nic.do/whois-h.php3
+.dowhois.nic.do
 .dzwhois.nic.dz
 .ecwhois.nic.ec
 .eewhois.tld.ee
@@ -183,7 +183,7 @@
 .joWEB http://www.dns.jo/Whois.aspx
 .jpwhois.jprs.jp
 .kewhois.kenic.or.ke
-.kgwhois.domain.kg
+.kgwhois.kg
 .khNONE# 
http://www.trc.gov.kh/index.php/en/newsCategory/view?id=42_id=68
 .kiwhois.nic.ki
 .kmNONE# www.domaine.km
@@ -349,7 +349,10 @@
 
 # AW means that I had to guess the whois server name, but I was not able
 # to find any registered subdomains to verify it.
+.xn--2scrj9c   whois.inregistry.net# India
 .xn--3e0b707e  whois.kr# Korea, Republic of
+.xn--3hcrj9c   whois.inregistry.net# India
+.xn--45br5cyl  whois.inregistry.net# India
 .xn--45brj9c   whois.inregistry.net# India, Bengali AW
 .xn--54b7fta0ccNONE# Bangladesh
 .xn--80ao21a   whois.nic.kz# Kazakhstan
@@ -364,6 +367,8 @@
 .xn--fpcrj9c3d whois.inregistry.net# India, Telugu AW
 .xn--fzc2c9e2c whois.nic.lk# Sri Lanka, Sinhala
 .xn--gecrj9c   whois.inregistry.net# India, Gujarati AW
+.xn--h2breg3evewhois.inregistry.net# India
+.xn--h2brj9c8c whois.inregistry.net# India
 .xn--h2brj9c   whois.inregistry.net# India, Hindi AW
 .xn--j1amh whois.dotukr.com# Ukraine
 .xn--j6w193g   whois.hkirc.hk  # Hong Kong
@@ -371,24 +376,27 @@
 .xn--kpry57d   whois.twnic.net.tw  # Taiwan, Traditional Chinese
 .xn--l1acc NONE# Mongolia
 .xn--lgbbat1ad8j 

Bug#863813: unblock: kmod/24-1

[Marco d'Itri]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package kmod

A new upstream release with only bug fixes, it has been in unstable 
since february.

https://anonscm.debian.org/cgit/users/md/kmod.git/log/

unblock kmod/24-1

-- 
ciao,
Marco


signature.asc
Description: PGP signature

Bug#863812: unblock: whois/5.2.15

[Marco d'Itri]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package whois

There is some noise not related to Debian, all the relevant changes
are related to the database.

unblock whois/5.2.15

diff -Nru whois-5.2.14/config.h whois-5.2.15/config.h
--- whois-5.2.14/config.h   2015-01-09 03:49:00.0 +0100
+++ whois-5.2.15/config.h   2017-02-27 00:37:41.0 +0100
@@ -13,6 +13,10 @@
 
 
 /* autoconf in cpp macros */
+#if defined __NetBSD__ || __OpenBSD__
+# include 
+#endif
+
 #ifdef linux
 # define ENABLE_NLS
 #endif
@@ -85,7 +89,7 @@
 #if (defined __FreeBSD__ && __FreeBSD__ >= 9) || \
 (defined __NetBSD__  && __NetBSD_Version__ >= 6) || \
 (defined OpenBSD && OpenBSD >= 200805) || \
-(defined __APPLE__ && defined __MACH__)
+(defined __APPLE__ && defined __MACH__ && MAC_OS_X_VERSION_MIN_REQUIRED >= 
1070)
 # define HAVE_ARC4RANDOM_BUF
 # undef RANDOM_DEVICE
 #endif
diff -Nru whois-5.2.14/debian/changelog whois-5.2.15/debian/changelog
--- whois-5.2.14/debian/changelog   2016-12-29 23:12:19.0 +0100
+++ whois-5.2.15/debian/changelog   2017-02-27 00:37:41.0 +0100
@@ -1,3 +1,14 @@
+whois (5.2.15) unstable; urgency=medium
+
+  * Updated the .gf and .mq TLD servers.
+  * Updated the list of new gTLDs.
+  * Updated the charset for whois.nic.kz.
+  * Fixed multiple portability issues on non-Linux platforms.
+  * Fixed a lot of minor compiler warnings with no practical effects.
+  * Added support for libidn2, not enabled yet.
+
+ -- Marco d'Itri <m...@linux.it>  Mon, 27 Feb 2017 00:37:41 +0100
+
 whois (5.2.14) unstable; urgency=medium
 
   * Updated the .ar, .bm and .fm TLD servers.
diff -Nru whois-5.2.14/Makefile whois-5.2.15/Makefile
--- whois-5.2.14/Makefile   2016-03-29 05:37:17.0 +0200
+++ whois-5.2.15/Makefile   2017-02-27 00:37:41.0 +0100
@@ -15,7 +15,7 @@
 # FreeBSD
 #whois_LDADD += -liconv
 #LIBS += -L/usr/local/lib -lintl
-#INCLUDES += -I/usr/local/include
+#DEFS += -I/usr/local/include
 
 # OS/2 EMX
 #whois_LDADD += -lsocket
@@ -32,10 +32,15 @@
 DEFS += -DLOCALEDIR=\"$(BASEDIR)$(prefix)/share/locale\"
 endif
 
+ifdef HAVE_LIBIDN2
+whois_LDADD += -lidn2
+DEFS += -DHAVE_LIBIDN2
+else
 ifdef HAVE_LIBIDN
 whois_LDADD += -lidn
 DEFS += -DHAVE_LIBIDN
 endif
+endif
 
 ifdef HAVE_ICONV
 whois_OBJECTS += simple_recode.o
diff -Nru whois-5.2.14/mkpasswd.c whois-5.2.15/mkpasswd.c
--- whois-5.2.14/mkpasswd.c 2016-03-29 05:37:17.0 +0200
+++ whois-5.2.15/mkpasswd.c 2017-02-27 00:37:41.0 +0100
@@ -32,6 +32,7 @@
 #endif
 #include 
 #include 
+#include 
 #include 
 #include 
 #ifdef HAVE_XCRYPT
@@ -123,7 +124,7 @@
 
 void generate_salt(char *const buf, const unsigned int len);
 void *get_random_bytes(const unsigned int len);
-void display_help(int error);
+void NORETURN display_help(int error);
 void display_version(void);
 void display_methods(void);
 
@@ -150,7 +151,7 @@
 /* prepend options from environment */
 argv = merge_args(getenv("MKPASSWD_OPTIONS"), argv, );
 
-while ((ch = GETOPT_LONGISH(argc, argv, "hH:m:5P:R:sS:V", longopts, 0))
+while ((ch = GETOPT_LONGISH(argc, argv, "hH:m:5P:R:sS:V", longopts, NULL))
> 0) {
switch (ch) {
case '5':
@@ -363,7 +364,8 @@
 void* get_random_bytes(const unsigned int count)
 {
 char *buf;
-int fd, bytes_read;
+int fd;
+ssize_t bytes_read;
 
 buf = NOFAIL(malloc(count));
 fd = open(RANDOM_DEVICE, O_RDONLY);
@@ -394,7 +396,7 @@
 unsigned char *entropy;
 
 #if defined HAVE_ARC4RANDOM_BUF
-void *entropy = NOFAIL(malloc(len));
+entropy = NOFAIL(malloc(len));
 arc4random_buf(entropy, len);
 #else
 entropy = get_random_bytes(len);
@@ -436,7 +438,7 @@
 
 #endif /* RANDOM_DEVICE || HAVE_ARC4RANDOM_BUF */
 
-void display_help(int error)
+void NORETURN display_help(int error)
 {
 fprintf((EXIT_SUCCESS == error) ? stdout : stderr,
_("Usage: mkpasswd [OPTIONS]... [PASSWORD [SALT]]\n"
diff -Nru whois-5.2.14/new_gtlds_list whois-5.2.15/new_gtlds_list
--- whois-5.2.14/new_gtlds_list 2016-12-29 23:11:41.0 +0100
+++ whois-5.2.15/new_gtlds_list 2017-02-27 00:37:41.0 +0100
@@ -28,6 +28,7 @@
 aetna
 afamilycompany
 afl
+africa
 agakhan
 agency
 aig
diff -Nru whois-5.2.14/servers_charset_list whois-5.2.15/servers_charset_list
--- whois-5.2.14/servers_charset_list   2016-12-29 22:29:49.0 +0100
+++ whois-5.2.15/servers_charset_list   2017-02-27 00:37:41.0 +0100
@@ -36,9 +36,7 @@
 whois.domain.kgcp1251
 whois.nic.or.krutf-8
 whois.kr   utf-8
-# XXX I had to guess: the server is unable to fully transcode U+49b in the
-# answer for xn--e1aybc.xn--80ao21a. Maybe it is cp1251 instead?
-whois.nic.kz   rk1048
+whois.nic.kz  

Re: Merged /usr - supported in stretch?

[Marco d'Itri]

On Mar 21, Adrian Bunk  wrote:

> Merged /usr does not seem to be ready for a stable release right now.
I disagree: it works quite well.

> Not limited to this bug, my general impression of the current state of 
> merged /usr is that it mostly works - but it is not yet in a state that
> it should be used by normal users of Debian stable on production systems.
Even if this were true, since it is not enabled by default I do not 
believe that it would be a concern.

> a) be a properly supported and tested feature - including that
>problems only visible with merged /usr are considered RC, or
Not every bug is RC.

> The usrmerge package contains versioned Conflicts on pre-stretch 
> packages, but the unversioned Conflicts on packages that are still
> broken in stretch won't work in scenarios like:
The packages which are still not compatible are:
- ksh: a trivial patch was provided over one year ago, but the 
  maintainer refuses to merge it
- safe-rm: a patch was provided but the maintainer is unsure about how 
  to fix the package
- molly-guard: same problem (and same maintainer) of safe-rm

I am sure that both safe-rm and molly-guard could be fixed, but I just 
have not had yet a personal interest in spending a few hours on them.

>   apt-get install usrmerge
>   apt-get remove usrmerge
>   apt-get install ksh
While this would be inconvenient for whoever tries to do it, I do not 
believe that it justifies declaring merged-/usr so much broken to be 
unsuitable for a release.

> yp-tools (no bug report?)
I missed that it was fixed long ago, I am updating usrmerge.

> What is the status of "dpkg -S" with merged /usr ?
I understand that other people are working on improving it, but I think 
that this is only a cosmetic issue.

> a) testing that all packages in stretch can be installed and uninstalled
I think that somebody did it recently: this is how they discovered that 
the xfslibs-dev NMU was lost.

> b) automated testing that there are no problems caused by /bin/foo and 
>/usr/bin/foo shipped in different packages
I do this by periodically analysing the Contents files in the archive.

> c) testing that the Conflicts of usrmerge cover all packages in jessie
>that must be upgraded when installing the usrmerge package 
See above.

> d) searching for packages in previous releases that are no longer in
>stretch and that break usrmerge, to have them added to the usrmerge 
>Conflicts
Since I have been working on this for almost three years now I am 
confident that I have covered packages in both wheezy and jessie.

> After reading the wiki page I still don't understand what actual benefit
> merged /usr brings that could make me recommend it to a user.
Then maybe you should read more carefully the provided references (and 
find out that it really depends on how you define "user" here).

-- 
ciao,
Marco


signature.asc
Description: PGP signature

Re: OpenSSL 1.1.0

[Marco d'Itri]

On Nov 16, Pau Garcia i Quiles  wrote:

> * Some obscure feature (e. g. BlaBla20) may be missing or be difficult
> to support on a limited number of packages (e. g. apache2)
ChaCha20 is hardly obscure: if it is to you then I fear that your 
opinion on this issue is not informed enough to be useful.

-- 
ciao,
Marco


signature.asc
Description: PGP signature

Bug#782115: unblock: whois/5.2.7

[Marco d'Itri]

., the Registry Operator for .TEL, NULL,
+Tralliance, Inc., the Registry Operator for .travel, NULL,
+Access to .XXX ICM REGISTRY WHOIS, NULL, /* .xxx */
 
 /* new gTLDs */
 Terms of Use: Users accessing the Donuts WHOIS, NULL,
@@ -72,14 +67,19 @@
 The whois information provided on this site, , /* mm-registry.com */
 ; This data is provided by , NULL,   /* ksregistry.net */
 This whois service is provided by CentralNic Ltd, ,
+.Club Domains, LLC, the Registry Operator, NULL,
+% Except for agreed Internet operational purposes, NULL, /* .berlin */
+TERMS OF USE: The information in the Whois database, NULL, /* .wang */
+The WHOIS service offered by Neustar, Inc, on behalf, NULL,
+The WHOIS service offered by the Registry Operator, NULL, /* .science */
 
 /* ccTLDs */
 Access to CCTLD WHOIS information is provided, ,   /* Afilias */
-Access to ASNIC, by this policy.,  /* as */
-% The WHOIS service offered by DNS.be, % protect the privacy, /* be */
+This WHOIS information is provided, NULL,/* as */
+% The WHOIS service offered by DNS Belgium, ,  /* be */
 % The WHOIS service offered by EURid, % of the database, /* eu */
-% WHOIS LEGAL STATEMENT AND TERMS  CONDITIONS, ,  /* sx */
-NeuStar, Inc., the Registry, OF THE AVAILABILITY,  /* us */
+% WHOIS LEGAL STATEMENT AND TERMS  CONDITIONS, NULL,/* sx */
+NeuStar, Inc., the Registry Administrator for .US, NULL,
 
 NULL, NULL
 };
diff -Nru whois-5.2.5/debian/changelog whois-5.2.7/debian/changelog
--- whois-5.2.5/debian/changelog2015-03-03 02:49:57.0 +0100
+++ whois-5.2.7/debian/changelog2015-03-25 23:04:46.0 +0100
@@ -1,3 +1,20 @@
+whois (5.2.7) unstable; urgency=medium
+
+  * Removed a bogus disclaimer detection string.
+  * Updated the list of new gTLDs
+
+ -- Marco d'Itri m...@linux.it  Wed, 25 Mar 2015 23:04:44 +0100
+
+whois (5.2.6) unstable; urgency=medium
+
+  * Added the .edu.ph TLD server.
+  * Removed the .gov.py TLD server. (Closes: #780562)
+  * Updated the list of new gTLDs.
+  * Implemented hiding multiple disclaimers blocks to improve detection.
+  * Updated the disclaimer detection strings.
+
+ -- Marco d'Itri m...@linux.it  Mon, 23 Mar 2015 04:28:39 +0100
+
 whois (5.2.5) unstable; urgency=medium
 
   * Added the .xn--90ais (.бел, Belarus) TLD server.
diff -Nru whois-5.2.5/mkpasswd.c whois-5.2.7/mkpasswd.c
--- whois-5.2.5/mkpasswd.c  2015-01-09 03:49:00.0 +0100
+++ whois-5.2.7/mkpasswd.c  2015-03-23 04:32:55.0 +0100
@@ -279,8 +279,10 @@
 } else {
 #ifdef HAVE_SOLARIS_CRYPT_GENSALT
salt = crypt_gensalt(salt_prefix, NULL);
-   if (!salt)
+   if (!salt) {
perror(crypt_gensalt);
+   exit(2);
+   }
 #elif defined HAVE_LINUX_CRYPT_GENSALT
void *entropy = get_random_bytes(64);
 
diff -Nru whois-5.2.5/new_gtlds_list whois-5.2.7/new_gtlds_list
--- whois-5.2.5/new_gtlds_list  2015-03-03 02:49:57.0 +0100
+++ whois-5.2.7/new_gtlds_list  2015-03-25 23:04:07.0 +0100
@@ -4,11 +4,13 @@
 # Any exceptions can be handled in tld_serv_list as usual, since it will
 # be checked first.
 
+abbott
 abogado
 academy
 accountants
 active
 actor
+ads
 adult
 agency
 airforce
@@ -33,6 +35,7 @@
 barclays
 bargains
 bayern
+bbc
 beer
 berlin
 best
@@ -78,9 +81,11 @@
 center
 ceo
 cern
+cfd
 channel
 chat
 cheap
+chloe
 christmas
 chrome
 church
@@ -119,6 +124,7 @@
 dad
 dance
 dating
+datsun
 day
 dclk
 deals
@@ -150,7 +156,9 @@
 engineer
 engineering
 enterprises
+epson
 equipment
+erni
 esq
 estate
 eurovision
@@ -161,10 +169,12 @@
 expert
 exposed
 fail
+fan
 fans
 farm
 fashion
 feedback
+film
 finance
 financial
 firmdale
@@ -179,6 +189,7 @@
 fly
 foo
 football
+forex
 forsale
 foundation
 frl
@@ -203,7 +214,10 @@
 gmail
 gmo
 gmx
+gold
 goldpoint
+golf
+goo
 goog
 google
 gop
@@ -211,6 +225,7 @@
 gratis
 green
 gripe
+guge
 guide
 guitars
 guru
@@ -236,6 +251,7 @@
 immo
 immobilien
 industries
+infiniti
 ing
 ink
 institute
@@ -244,6 +260,7 @@
 investments
 irish
 iwc
+java
 jcb
 jetzt
 joburg
@@ -264,6 +281,7 @@
 lawyer
 lds
 lease
+leclerc
 legal
 lgbt
 lidl
@@ -280,11 +298,13 @@
 luxe
 luxury
 madrid
+maif
 maison
 management
 mango
 market
 marketing
+markets
 marriott
 media
 meet
@@ -303,16 +323,19 @@
 moscow
 motorcycles
 mov
+mtpc
 nagoya
 navy
 network
 neustar
 new
+news
 nexus
 ngo
 nhk
 nico
 ninja
+nissan
 nra
 nrw
 ntt
@@ -321,11 +344,14 @@
 one
 ong
 onl
+online
 ooo
+oracle
 organic
 osaka
 otsuka
 ovh
+page
 paris
 partners
 parts
@@ -335,12 +361,15 @@
 photography
 photos
 physio
+piaget
 pics
+pictet
 pictures
 pink
 pizza
 place
 plumbing
+plus
 pohl
 poker
 porn
@@ -397,6 +426,7 @@
 shoes
 shriram
 singles
+site
 sky
 social
 software
@@ -406,6 +436,7 @@
 soy
 space
 spiegel
+spreadbetting
 study
 style
 sucks
@@ -421,6 +452,7 @@
 tatar
 tattoo

Bug#780044: unblock: whois/5.2.5

[Marco d'Itri]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package whois

Data changes only.

unblock whois/5.2.5

-- 
ciao,
Marco
diff -Nru whois-5.2.4/debian/changelog whois-5.2.5/debian/changelog
--- whois-5.2.4/debian/changelog	2015-01-25 04:15:04.0 +0100
+++ whois-5.2.5/debian/changelog	2015-03-03 02:49:57.0 +0100
@@ -1,3 +1,12 @@
+whois (5.2.5) unstable; urgency=medium
+
+  * Added the .xn--90ais (.бел, Belarus) TLD server.
+  * Updated the .ky TLD server.
+  * Updated the list of new gTLDs.
+  * Added new recovered IPv4 allocations.
+
+ -- Marco d'Itri m...@linux.it  Tue, 03 Mar 2015 02:15:57 +0100
+
 whois (5.2.4) unstable; urgency=medium
 
   * Fixed referrals handling for the .cc, .tv a .jobs TLDs.
diff -Nru whois-5.2.4/ip_del_recovered.h whois-5.2.5/ip_del_recovered.h
--- whois-5.2.4/ip_del_recovered.h	2014-09-14 12:52:10.0 +0200
+++ whois-5.2.5/ip_del_recovered.h	2015-03-03 02:49:57.0 +0100
@@ -2,9 +2,13 @@
 { 736886784UL, 737411071UL, whois.apnic.net },
 { 737476608UL, 738000895UL, whois.apnic.net },
 { 738066432UL, 738197503UL, whois.apnic.net },
+{ 755236864UL, 755499007UL, whois.lacnic.net },
+{ 755499008UL, 756023295UL, whois.ripe.net },
 { 756023296UL, 757071871UL, whois.arin.net },
 { 757071872UL, 759169023UL, whois.arin.net },
 { 759169024UL, 759238655UL, whois.apnic.net },
+{ 759431168UL, 759693311UL, whois.lacnic.net },
+{ 759693312UL, 760217599UL, whois.arin.net },
 { 760217600UL, 761266175UL, whois.ripe.net },
 { 761266176UL, 762314751UL, whois.afrinic.net },
 { 762314752UL, 763363327UL, whois.apnic.net },
@@ -12,6 +16,8 @@
 { 765460480UL, 767557631UL, whois.lacnic.net },
 { 767557632UL, 769589247UL, whois.afrinic.net },
 { 769654784UL, 770703359UL, whois.lacnic.net },
+{ 770703360UL, 771227647UL, whois.afrinic.net },
+{ 771227648UL, 771751935UL, whois.apnic.net },
 { 2523594752UL, 2523660287UL, whois.apnic.net },
 { 2525036544UL, 2525102079UL, whois.apnic.net },
 { 2532442112UL, 2532507647UL, whois.apnic.net },
diff -Nru whois-5.2.4/new_gtlds_list whois-5.2.5/new_gtlds_list
--- whois-5.2.4/new_gtlds_list	2015-01-25 04:15:04.0 +0100
+++ whois-5.2.5/new_gtlds_list	2015-03-03 02:49:57.0 +0100
@@ -16,6 +16,7 @@
 alsace
 amsterdam
 android
+apartments
 aquarelle
 archi
 army
@@ -37,6 +38,7 @@
 best
 bid
 bike
+bingo
 bio
 black
 blackfriday
@@ -44,6 +46,7 @@
 blue
 bmw
 bnpparibas
+boats
 boo
 boutique
 brussels
@@ -58,6 +61,7 @@
 camera
 camp
 cancerresearch
+canon
 capetown
 capital
 caravan
@@ -68,11 +72,14 @@
 cartier
 casa
 cash
+casino
 catering
+cbn
 center
 ceo
 cern
 channel
+chat
 cheap
 christmas
 chrome
@@ -100,6 +107,7 @@
 cooking
 cool
 country
+courses
 credit
 creditcard
 cricket
@@ -153,6 +161,7 @@
 expert
 exposed
 fail
+fans
 farm
 fashion
 feedback
@@ -169,6 +178,7 @@
 flsmidth
 fly
 foo
+football
 forsale
 foundation
 frl
@@ -180,6 +190,7 @@
 gallery
 garden
 gbiz
+gdn
 gent
 ggee
 gift
@@ -192,6 +203,7 @@
 gmail
 gmo
 gmx
+goldpoint
 goog
 google
 gop
@@ -244,6 +256,7 @@
 koeln
 krd
 kred
+kyoto
 lacaixa
 land
 lat
@@ -298,9 +311,11 @@
 nexus
 ngo
 nhk
+nico
 ninja
 nra
 nrw
+ntt
 nyc
 okinawa
 one
@@ -366,9 +381,11 @@
 sale
 samsung
 sarl
+saxo
 sca
 scb
 schmidt
+school
 schule
 schwarz
 science
@@ -389,6 +406,9 @@
 soy
 space
 spiegel
+study
+style
+sucks
 supplies
 supply
 support
@@ -403,6 +423,7 @@
 tax
 technology
 temasek
+tennis
 tienda
 tips
 tires
@@ -411,6 +432,7 @@
 tokyo
 tools
 top
+toshiba
 town
 toys
 trade
@@ -496,6 +518,7 @@
 xyz
 yachts
 yandex
+yodobashi
 yoga
 yokohama
 youtube
diff -Nru whois-5.2.4/tld_serv_list whois-5.2.5/tld_serv_list
--- whois-5.2.4/tld_serv_list	2015-01-25 04:15:04.0 +0100
+++ whois-5.2.5/tld_serv_list	2015-03-03 02:49:57.0 +0100
@@ -192,7 +192,7 @@
 .kp	NONE		# NIC? http://www.star.co.kp/
 .kr	whois.kr
 .kw	WEB http://www.kw/
-.ky	WEB http://kynseweb.messagesecure.com/kywebadmin/ # http://www.icta.ky/
+.ky	whois.kyregistry.ky
 .kz	whois.nic.kz
 .la	whois.nic.la
 .lb	WEB http://www.aub.edu.lb/lbdr/
@@ -353,6 +353,7 @@
 .xn--45brj9c		whois.inregistry.net	# India, Bengali AW
 .xn--80ao21a		whois.nic.kz		# Kazakhstan
 .xn--90a3ac		whois.rnids.rs		# Serbia
+.xn--90ais		whois.cctld.by		# Belarus
 .xn--clchc0ea0b2g2a9gcd	whois.sgnic.sg		# Singapore, Tamil
 .xn--d1alf		whois.marnet.mk		# Macedonia
 .xn--fiqs8s		cwhois.cnnic.cn		# China, Simplified Chinese


pgp0YGiPdRJDK.pgp
Description: PGP signature

Bug#778766: unblock: whois/5.2.4

[Marco d'Itri]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package whois.

Some data updates and an important bug fix to restore the support for 
.cc, .tv and .jobs.

unblock whois/5.2.4

https://github.com/rfc1036/whois/commits


diff --git a/debian/changelog b/debian/changelog
index ca6678a..c6d1187 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+whois (5.2.4) unstable; urgency=medium
+
+  * Fixed referrals handling for the .cc, .tv a .jobs TLDs.
+  * Updated the list of new gTLDs.
+
+ -- Marco d'Itri m...@linux.it  Sun, 25 Jan 2015 04:07:20 +0100
+
 whois (5.2.3) unstable; urgency=medium
 
   * Added the .gw TLD server.
diff --git a/new_gtlds_list b/new_gtlds_list
index b9f6d91..5e571f8 100644
--- a/new_gtlds_list
+++ b/new_gtlds_list
@@ -26,7 +26,10 @@ audio
 autos
 axa
 band
+bank
 bar
+barclaycard
+barclays
 bargains
 bayern
 beer
@@ -104,10 +107,12 @@ crs
 cruises
 cuisinella
 cymru
+dabur
 dad
 dance
 dating
 day
+dclk
 deals
 degree
 delivery
@@ -115,6 +120,7 @@ democrat
 dental
 dentist
 desi
+design
 dev
 diamonds
 diet
@@ -155,6 +161,7 @@ financial
 firmdale
 fish
 fishing
+fit
 fitness
 flights
 florist
@@ -185,6 +192,7 @@ globo
 gmail
 gmo
 gmx
+goog
 google
 gop
 graphics
@@ -195,10 +203,12 @@ guide
 guitars
 guru
 hamburg
+hangout
 haus
 healthcare
 help
 here
+hermes
 hiphop
 hiv
 holdings
@@ -210,6 +220,7 @@ hosting
 house
 how
 ibm
+ifm
 immo
 immobilien
 industries
@@ -221,10 +232,12 @@ international
 investments
 irish
 iwc
+jcb
 jetzt
 joburg
 juegos
 kaufen
+kddi
 kim
 kitchen
 kiwi
@@ -233,6 +246,7 @@ krd
 kred
 lacaixa
 land
+lat
 latrobe
 lawyer
 lds
@@ -247,6 +261,7 @@ limo
 link
 loans
 london
+lotte
 lotto
 ltda
 luxe
@@ -257,6 +272,7 @@ management
 mango
 market
 marketing
+marriott
 media
 meet
 melbourne
@@ -287,6 +303,7 @@ nra
 nrw
 nyc
 okinawa
+one
 ong
 onl
 ooo
@@ -361,6 +378,7 @@ sew
 sexy
 shiksha
 shoes
+shriram
 singles
 sky
 social
@@ -384,6 +402,7 @@ tatar
 tattoo
 tax
 technology
+temasek
 tienda
 tips
 tires
@@ -445,6 +464,7 @@ xn--6qq986b3xl
 xn--80adxhks
 xn--80asehdb
 xn--80aswg
+xn--b4w605ferd
 xn--c1avg
 xn--cg4bki
 xn--czr694b
diff --git a/tld_serv_list b/tld_serv_list
index 46b7c5a..c07ba85 100644
--- a/tld_serv_list
+++ b/tld_serv_list
@@ -270,7 +270,7 @@
 .sewhois.iis.se
 .sgwhois.sgnic.sg
 .shwhois.nic.sh
-.siwhois.arnes.si
+.siwhois.register.si
 .sjNONE# http://www.norid.no/domenenavnbaser/bv-sj.html
 .skwhois.sk-nic.sk
 .slwhois.nic.sl
diff --git a/whois.c b/whois.c
index fdb2824..accae8a 100644
--- a/whois.c
+++ b/whois.c
@@ -361,6 +361,9 @@ int handle_query(const char *hserver, const char *hport,
 if (!server)
return 1;
 
+if (*server == '\0')
+   return 0;
+
 query_string = queryformat(server, flags, query);
 if (verb) {
printf(_(Using server %s.\n), server);
@@ -810,9 +813,10 @@ char *query_crsnic(const int sock, const char *query)
   is queried */
if (state == 0  strneq(buf,Domain Name:, 15))
state = 1;
-   if (state == 1  strneq(buf,Whois Server:, 16)) {
-   for (p = buf; *p != ':'; p++);  /* skip until colon */
-   for (p++; *p == ' '; p++);  /* skip colon and spaces */
+   if (state == 1  (strneq(buf,Whois Server:, 16)
+   || strneq(buf,WHOIS Server:, 16))) {
+   for (p = buf; *p != ':'; p++);  /* skip until the colon */
+   for (p++; *p == ' '; p++);  /* skip the spaces */
referral_server = strdup(p);
if ((p = strpbrk(referral_server, \r\n )))
*p = '\0';

-- 
ciao,
Marco


pgpwtlw23hlv1.pgp
Description: PGP signature

Bug#770396: unblock: whois/5.2.2

[Marco d'Itri]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package whois.

This release fixes a parser bug to allow looking up domains with 
a trailing dot (which is a surprisingly often requested feature that 
I broke some time ago) and contains the usual servers updates.

No further code changes are expected before wheezy is released, so 
allowing this bug fix in would prevent me from having to manage a wheezy 
branch of the package.

unblock whois/5.2.2

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (x86_64)

Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.utf8, LC_CTYPE=it_IT.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
ciao,
Marco
diff -Nru whois-5.2.1/debian/changelog whois-5.2.2/debian/changelog
--- whois-5.2.1/debian/changelog	2014-10-16 02:02:40.0 +0200
+++ whois-5.2.2/debian/changelog	2014-11-12 03:35:56.0 +0100
@@ -1,3 +1,12 @@
+whois (5.2.2) unstable; urgency=medium
+
+  * Fixed the code that removes trailing dots. (Closes: #763834)
+  * Added the .xn--d1alf (.мкд, Macedonia) and .xn--node (.გე, Georgia)
+TLD servers.
+  * Updated the list of new gTLDs.
+
+ -- Marco d'Itri m...@linux.it  Thu, 06 Nov 2014 03:47:43 +0100
+
 whois (5.2.1) unstable; urgency=medium
 
   * Added the .aw and .zm TLD servers.
diff -Nru whois-5.2.1/new_gtlds_list whois-5.2.2/new_gtlds_list
--- whois-5.2.1/new_gtlds_list	2014-10-16 01:57:19.0 +0200
+++ whois-5.2.2/new_gtlds_list	2014-11-12 03:35:56.0 +0100
@@ -33,6 +33,7 @@
 bio
 black
 blackfriday
+bloomberg
 blue
 bmw
 bnpparibas
@@ -103,6 +104,7 @@
 day
 deals
 degree
+delivery
 democrat
 dental
 dentist
@@ -120,6 +122,8 @@
 eat
 education
 email
+emerck
+energy
 engineer
 engineering
 enterprises
@@ -340,7 +344,9 @@
 surf
 surgery
 suzuki
+sydney
 systems
+taipei
 tatar
 tattoo
 tax
diff -Nru whois-5.2.1/servers_charset_list whois-5.2.2/servers_charset_list
--- whois-5.2.1/servers_charset_list	2014-10-16 01:57:19.0 +0200
+++ whois-5.2.2/servers_charset_list	2014-11-12 03:35:56.0 +0100
@@ -41,6 +41,7 @@
 whois.nic.li		utf-8
 whois.domreg.lt		utf-8
 whois.dns.lu		iso-8859-1
+whois.marnet.mk		utf-8
 whois.nic.mu		utf-8
 whois.norid.no		iso-8859-1
 whois.iis.nu		utf-8
diff -Nru whois-5.2.1/tld_serv_list whois-5.2.2/tld_serv_list
--- whois-5.2.1/tld_serv_list	2014-10-16 01:57:19.0 +0200
+++ whois-5.2.2/tld_serv_list	2014-11-12 03:35:56.0 +0100
@@ -354,6 +354,7 @@
 .xn--80ao21a		whois.nic.kz		# Kazakhstan
 .xn--90a3ac		whois.rnids.rs		# Serbia
 .xn--clchc0ea0b2g2a9gcd	whois.sgnic.sg		# Singapore, Tamil
+.xn--d1alf		whois.marnet.mk		# Macedonia
 .xn--fiqs8s		cwhois.cnnic.cn		# China, Simplified Chinese
 .xn--fiqz9s		cwhois.cnnic.cn		# China, Traditional Chinese
 .xn--fpcrj9c3d		whois.inregistry.net	# India, Telugu AW
@@ -374,6 +375,7 @@
 .xn--mgbc0a9azcg	NONE			# Morocco
 .xn--mgberp4a5d4ar	whois.nic.net.sa	# Saudi Arabia
 .xn--mgbx4cd0ab		whois.mynic.my		# Malaysia AW
+.xn--node		whois.itdc.ge		# Georgia
 .xn--o3cw4h		whois.thnic.co.th	# Thailand
 .xn--ogbpf8fl		whois.tld.sy		# Syria
 .xn--p1ai		whois.tcinet.ru		# Russian Federation
diff -Nru whois-5.2.1/whois.c whois-5.2.2/whois.c
--- whois-5.2.1/whois.c	2014-10-16 01:57:19.0 +0200
+++ whois-5.2.2/whois.c	2014-11-12 03:35:56.0 +0100
@@ -1110,7 +1110,7 @@
 /*
  * Attempt to normalize a query by removing trailing dots and whitespace,
  * then convert the domain to punycode.
- * The function assumes that the domain is the last token of they query.
+ * The function assumes that the domain is the last token of the query.
  * Returns a malloc'ed string which needs to be freed by the caller.
  */
 char *normalize_domain(const char *dom)
@@ -1121,10 +1121,15 @@
 #endif
 
 ret = strdup(dom);
-/* eat trailing dots and blanks */
-p = ret + strlen(ret);
-for (; *p == '.' || *p == ' ' || *p == '\t' || p == ret; p--)
+/* start from the last character */
+p = ret + strlen(ret) - 1;
+/* and then eat trailing dots and blanks */
+while (p  ret) {
+	if (!(*p == '.' || *p == ' ' || *p == '\t'))
+	break;
 	*p = '\0';
+	p--;
+}
 
 #ifdef HAVE_LIBIDN
 /* find the start of the last word if there are spaces in the query */


pgp6G4OeyKKUl.pgp
Description: PGP signature

Re: Bug#769046: inn2: Allow for better TLS configurability

[Marco d'Itri]

Can I merge this for jessie?

On Nov 11, christian mock c...@tahina.priv.at wrote:

 Source: inn2
 Severity: wishlist
 Tags: patch
 
 Dear Maintainer,
 
 INN, at the moment, supports TLS connections to nnrpd, but does not
 allow any configuration besides the certificate and key.
 
 This means that Wheezy's nnrpd is currently susceptible to the CRIME
 (because TLS compression is on) and POODLE (because SSLv3 is
 supported) attacks, should those be exploitable with NNTP. In
 addition, it supports weak symmetrical ciphers (40 and 56 bit key
 length). 
 
 I've patched nnrpd to allow for detailed TLS configuration: protocol
 versions, cipher suites, compression and whether the client or server
 choses the cipher can now be configured. With the default
 configuration, TLS behaviour is unchanged, as to not break existing
 setups.
 
 This patch is to be integrated upstream[0], but ideally I'd like it
 to be in the next Wheezy point release because I consider the current
 TLS config to be insecure.
 
 The patch, as attached, is against a clean 2.5.4 upstream source, but
 I'd be happy to provide a patch for quilt if you tell me which package
 version I should target.
 
 regards,
 
 cm.
 
 [0] https://lists.isc.org/pipermail/inn-workers/2014-November/018339.html

 diff --git a/doc/pod/inn.conf.pod b/doc/pod/inn.conf.pod
 index f8f5f79..98ebd6e 100644
 --- a/doc/pod/inn.conf.pod
 +++ b/doc/pod/inn.conf.pod
 @@ -1054,6 +1054,28 @@ Ipathetc/key.pem.
  This file must only be readable by the news user or Bnnrpd will refuse to
  use it.
  
 +=item Itlsprotocols
 +
 +The list of TLS protocol versions to support. Valid protocols are
 +BSSLv2, BSSLv3, BTLSv1, BTLSv1.1 and BTLSv1.2. The default
 +value is B[ SSLv3 TLSv1 TLSv1.1 TLSv1.2 ].
 +
 +=item Itlsciphers
 +
 +The string describing the cipher suites OpenSSL will support. See
 +OpenSSL's Bcipher command documentation for details. The default is
 +unset, which uses OpenSSL's default cipher suite list.
 +
 +=item Itlsprefer_server_ciphers
 +
 +Whether to let the client or the server decide the preferred cipher.
 +This is a boolean and the default is false.
 +
 +=item Itlscompression
 +
 +Whether to enable or disable TLS compression support (boolean). The
 +default is true.
 +
  =back
  
  =head2 Monitoring
 diff --git a/doc/pod/news.pod b/doc/pod/news.pod
 index 4315b3f..64cd93b 100644
 --- a/doc/pod/news.pod
 +++ b/doc/pod/news.pod
 @@ -1,3 +1,17 @@
 +=head1 Changes in TLS configuration
 +
 +=over 2
 +
 +=item *
 +
 +New parameters used by Bnnrpd to fine-tune the TLS configuration:
 +Itlsprotocols, Itlsciphers, Itlsprefer_server_ciphers and
 +Itls_compression. If you've been using TLS with Bnnrpd before, be
 +aware that the defaults of those parameters may differ from the
 +previous defaults (which depended on your OpenSSL version).
 +
 +=back
 +
  =head1 Changes in 2.5.4
  
  =over 2
 diff --git a/doc/pod/nnrpd.pod b/doc/pod/nnrpd.pod
 index 9c13821..32698ae 100644
 --- a/doc/pod/nnrpd.pod
 +++ b/doc/pod/nnrpd.pod
 @@ -224,6 +224,12 @@ run Bnnrpd.  (Change the path to Bnnrpd to match 
 your installation.)
  You may need to replace Cnntps with C563 if Cnntps isn't
  defined in F/etc/services on your system.
  
 +Optionally, you may set the Itlsprotocols, Itlsciphers,
 +Itlsprefer_server_ciphers and Itlscompression parameters in
 +Finn.conf to fine-tune the behaviour of the TLS negotiation whenever
 +a new attack on the TLS protocol or some supported cipher suite is
 +discovered.
 +
  =head1 PROTOCOL DIFFERENCES
  
  Bnnrpd implements the NNTP commands defined in SRFC 3977 (NNTP),
 diff --git a/include/inn/innconf.h b/include/inn/innconf.h
 index ee16620..669255c 100644
 --- a/include/inn/innconf.h
 +++ b/include/inn/innconf.h
 @@ -127,6 +127,10 @@ struct innconf {
  char *tlscapath;/* Path to a directory of CA certificates */
  char *tlscertfile;  /* Path to the SSL certificate to use */
  char *tlskeyfile;   /* Path to the key for the certificate */
 +bool tlsprefer_server_ciphers; /* Make server select the cipher */
 +bool tlscompression;/* Turn TLS compression on/off */
 +struct vector *tlsprotocols;   /* List of supported TLS 
 versions */
 +char *tlsciphers;  /* openssl-style cipher string */
  #endif /* HAVE_SSL */
  
  /* Monitoring */
 diff --git a/lib/innconf.c b/lib/innconf.c
 index ded674c..9e6183d 100644
 --- a/lib/innconf.c
 +++ b/lib/innconf.c
 @@ -231,6 +231,10 @@ const struct config config_table[] = {
  { K(tlscapath),   STRING  (NULL) },
  { K(tlscertfile), STRING  (NULL) },
  { K(tlskeyfile),  STRING  (NULL) },
 +{ K(tlsprefer_server_ciphers), BOOL  (false) },
 +{ K(tlscompression),  BOOL(true) },
 +{ K(tlsprotocols),LIST(NULL) },
 +{ K(tlsciphers),  STRING  (NULL) },
  #endif /* HAVE_SSL */
  
  /* The following settings are used by nnrpd and 

Re: Bug#769046: inn2: Allow for better TLS configurability

[Marco d'Itri]

clone 769046 -1
reassign -1 release.debian.org
block 769046 by -1
thanks

Can I merge this for jessie?


On Nov 11, christian mock c...@tahina.priv.at wrote:

 This means that Wheezy's nnrpd is currently susceptible to the CRIME
 (because TLS compression is on) and POODLE (because SSLv3 is
 supported) attacks, should those be exploitable with NNTP. In
 addition, it supports weak symmetrical ciphers (40 and 56 bit key
 length). 
 
 I've patched nnrpd to allow for detailed TLS configuration: protocol
 versions, cipher suites, compression and whether the client or server
 choses the cipher can now be configured. With the default
 configuration, TLS behaviour is unchanged, as to not break existing
 setups.
 
 This patch is to be integrated upstream[0], but ideally I'd like it
 to be in the next Wheezy point release because I consider the current
 TLS config to be insecure.
 
 The patch, as attached, is against a clean 2.5.4 upstream source, but
 I'd be happy to provide a patch for quilt if you tell me which package
 version I should target.
 
 regards,
 
 cm.
 
 [0] https://lists.isc.org/pipermail/inn-workers/2014-November/018339.html

 diff --git a/doc/pod/inn.conf.pod b/doc/pod/inn.conf.pod
 index f8f5f79..98ebd6e 100644
 --- a/doc/pod/inn.conf.pod
 +++ b/doc/pod/inn.conf.pod
 @@ -1054,6 +1054,28 @@ Ipathetc/key.pem.
  This file must only be readable by the news user or Bnnrpd will refuse to
  use it.
  
 +=item Itlsprotocols
 +
 +The list of TLS protocol versions to support. Valid protocols are
 +BSSLv2, BSSLv3, BTLSv1, BTLSv1.1 and BTLSv1.2. The default
 +value is B[ SSLv3 TLSv1 TLSv1.1 TLSv1.2 ].
 +
 +=item Itlsciphers
 +
 +The string describing the cipher suites OpenSSL will support. See
 +OpenSSL's Bcipher command documentation for details. The default is
 +unset, which uses OpenSSL's default cipher suite list.
 +
 +=item Itlsprefer_server_ciphers
 +
 +Whether to let the client or the server decide the preferred cipher.
 +This is a boolean and the default is false.
 +
 +=item Itlscompression
 +
 +Whether to enable or disable TLS compression support (boolean). The
 +default is true.
 +
  =back
  
  =head2 Monitoring
 diff --git a/doc/pod/news.pod b/doc/pod/news.pod
 index 4315b3f..64cd93b 100644
 --- a/doc/pod/news.pod
 +++ b/doc/pod/news.pod
 @@ -1,3 +1,17 @@
 +=head1 Changes in TLS configuration
 +
 +=over 2
 +
 +=item *
 +
 +New parameters used by Bnnrpd to fine-tune the TLS configuration:
 +Itlsprotocols, Itlsciphers, Itlsprefer_server_ciphers and
 +Itls_compression. If you've been using TLS with Bnnrpd before, be
 +aware that the defaults of those parameters may differ from the
 +previous defaults (which depended on your OpenSSL version).
 +
 +=back
 +
  =head1 Changes in 2.5.4
  
  =over 2
 diff --git a/doc/pod/nnrpd.pod b/doc/pod/nnrpd.pod
 index 9c13821..32698ae 100644
 --- a/doc/pod/nnrpd.pod
 +++ b/doc/pod/nnrpd.pod
 @@ -224,6 +224,12 @@ run Bnnrpd.  (Change the path to Bnnrpd to match 
 your installation.)
  You may need to replace Cnntps with C563 if Cnntps isn't
  defined in F/etc/services on your system.
  
 +Optionally, you may set the Itlsprotocols, Itlsciphers,
 +Itlsprefer_server_ciphers and Itlscompression parameters in
 +Finn.conf to fine-tune the behaviour of the TLS negotiation whenever
 +a new attack on the TLS protocol or some supported cipher suite is
 +discovered.
 +
  =head1 PROTOCOL DIFFERENCES
  
  Bnnrpd implements the NNTP commands defined in SRFC 3977 (NNTP),
 diff --git a/include/inn/innconf.h b/include/inn/innconf.h
 index ee16620..669255c 100644
 --- a/include/inn/innconf.h
 +++ b/include/inn/innconf.h
 @@ -127,6 +127,10 @@ struct innconf {
  char *tlscapath;/* Path to a directory of CA certificates */
  char *tlscertfile;  /* Path to the SSL certificate to use */
  char *tlskeyfile;   /* Path to the key for the certificate */
 +bool tlsprefer_server_ciphers; /* Make server select the cipher */
 +bool tlscompression;/* Turn TLS compression on/off */
 +struct vector *tlsprotocols;   /* List of supported TLS 
 versions */
 +char *tlsciphers;  /* openssl-style cipher string */
  #endif /* HAVE_SSL */
  
  /* Monitoring */
 diff --git a/lib/innconf.c b/lib/innconf.c
 index ded674c..9e6183d 100644
 --- a/lib/innconf.c
 +++ b/lib/innconf.c
 @@ -231,6 +231,10 @@ const struct config config_table[] = {
  { K(tlscapath),   STRING  (NULL) },
  { K(tlscertfile), STRING  (NULL) },
  { K(tlskeyfile),  STRING  (NULL) },
 +{ K(tlsprefer_server_ciphers), BOOL  (false) },
 +{ K(tlscompression),  BOOL(true) },
 +{ K(tlsprotocols),LIST(NULL) },
 +{ K(tlsciphers),  STRING  (NULL) },
  #endif /* HAVE_SSL */
  
  /* The following settings are used by nnrpd and rnews. */
 diff --git a/nnrpd/tls.c b/nnrpd/tls.c
 index 62b1a51..22a00c7 100644
 --- a/nnrpd/tls.c
 +++ b/nnrpd/tls.c
 @@ 

Bug#769279: Bug#769046: inn2: Allow for better TLS configurability

[Marco d'Itri]

On Nov 12, Thijs Kinkhorst th...@debian.org wrote:

 Can you remove SSLv3 from the default list?
I do not know the implications wrt clients support.
Christian, did you do any tests?

  +=item Itlscompression
  +Whether to enable or disable TLS compression support (boolean). The
  +default is true.
 Can we default this to false?
This is not really useful because CRIME cannot be exploited over NNTP.

-- 
ciao,
Marco


pgpnrZJ4UZn8b.pgp
Description: PGP signature

Re: Re-Proposal - preserve freedom of choice of init systems

[Marco d'Itri]

In linux.debian.vote Ian Jackson ijack...@chiark.greenend.org.uk wrote:

If people want to make Debian derivatives that work only with a
particular init system, that's completely fine.  The reverse - trying
to put back support for sysvinit, if it gets taken out of Debian,
would be very very difficult.  As the upstream for our ecosystem, we
in Debian have a special responsibility to retain the flexibility our
downstreams might want.
The only downstream distribution that choose to do this was Ubuntu, and
they choose to stop using Upstart when it was not accepted as the
default init system for Debian rather than keep trying to compete with
systemd.
Let's try to not conceive hypothetical problems just because you like
their solution.

-- 
ciao,
Marco


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/m1re4i$aoa$1...@posted-at.bofh.it

Bug#733266: pu: package whois/5.1.0

[Marco d'Itri]

If there are no objections, I will upload 5.1.1~deb7u1 to 
proposed-updates.

FYI, I have no plan to systematically feed back to stable the database 
entries for the new gTLDs, since they will not be active for many months 
at least.

-- 
ciao,
Marco
diff -Nru whois-5.1.0/config.h whois-5.1.1/config.h
--- whois-5.1.0/config.h	2013-12-26 10:04:19.0 +0100
+++ whois-5.1.1/config.h	2014-01-11 00:51:03.0 +0100
@@ -1,5 +1,5 @@
 /* Program version */
-#define VERSION 5.1.0
+#define VERSION 5.1.1
 
 /* Configurable features */
 
diff -Nru whois-5.1.0/debian/changelog whois-5.1.1/debian/changelog
--- whois-5.1.0/debian/changelog	2013-12-26 10:21:24.0 +0100
+++ whois-5.1.1/debian/changelog	2014-01-11 00:51:45.0 +0100
@@ -1,3 +1,9 @@
+whois (5.1.1) unstable; urgency=medium
+
+  * Added the servers for 29 new gTLDs.
+
+ -- Marco d'Itri m...@linux.it  Sat, 11 Jan 2014 00:51:05 +0100
+
 whois (5.1.0) unstable; urgency=low
 
   * Added the .ga, .ml, .pf, .xn--l1acc (.МОН, Mongolia) and
diff -Nru whois-5.1.0/tld_serv_list whois-5.1.1/tld_serv_list
--- whois-5.1.0/tld_serv_list	2013-12-26 10:20:10.0 +0100
+++ whois-5.1.1/tld_serv_list	2014-01-11 00:50:36.0 +0100
@@ -63,60 +63,89 @@
 .xxx	whois.nic.xxx
 
 # new gTLDs
-.academywhois.donuts.co
-.bike   whois.donuts.co
-.buzz   whois.nic.buzz
-.cabwhois.donuts.co
-.camera whois.donuts.co
-.camp   whois.donuts.co
-.careerswhois.donuts.co
-.center whois.donuts.co
-.clothing   whois.donuts.co
-.companywhois.donuts.co
-.computer   whois.donuts.co
-.construction   whois.donuts.co
-.contractorswhois.donuts.co
-.diamonds   whois.donuts.co
-.directory  whois.donuts.co
-.domainswhois.donuts.co
-.enterpriseswhois.donuts.co
-.equipment  whois.donuts.co
-.estate whois.donuts.co
-.gallerywhois.donuts.co
-.graphics   whois.donuts.co
-.guru   whois.donuts.co
-.holdings   whois.donuts.co
-.kitchenwhois.donuts.co
-.land   whois.donuts.co
-.lighting   whois.donuts.co
-.limo   whois.donuts.co
-.management whois.donuts.co
-.menu   whois.nic.menu
-.photographywhois.donuts.co
-.photos whois.donuts.co
-.plumbing   whois.donuts.co
-.recipeswhois.donuts.co
-.ruhr   whois.nic.ruhr
-.sexy   whois.uniregistry.net
-.shoes  whois.donuts.co
-.singleswhois.donuts.co
-.supportwhois.donuts.co
-.systemswhois.donuts.co
-.tattoo whois.uniregistry.net
-.technology whois.donuts.co
-.tips   whois.donuts.co
-.today  whois.donuts.co
-.unowhois.nic.uno
-.ventures   whois.donuts.co
-.viajes whois.donuts.co
-.voyage whois.donuts.co
-.xn--55qw42gwhois.conac.cn
-.xn--80asehdb   whois.online.rs.corenic.net
-.xn--80aswg whois.site.rs.corenic.net
-.xn--ngbc5azd   whois.nic.xn--ngbc5azd
-.xn--q9jyb4cdomain-registry-whois.l.google.com
-.xn--unup4y whois.donuts.co
-.xn--zfr164bwhois.conac.cn
+.academy	whois.donuts.co
+.berlin		whois.berlin.tld-box.at
+.bike		whois.donuts.co
+.builders	whois.donuts.co
+.buzz		whois.nic.buzz
+.cab		whois.donuts.co
+.camera		whois.donuts.co
+.camp		whois.donuts.co
+.careers	whois.donuts.co
+.center		whois.donuts.co
+.ceo		whois.nic.ceo
+.clothing	whois.donuts.co
+.codes		whois.donuts.co
+.coffee		whois.donuts.co
+.company	whois.donuts.co
+.computer	whois.donuts.co
+.construction	whois.donuts.co
+.contractors	whois.donuts.co
+.diamonds	whois.donuts.co
+.directory	whois.donuts.co
+.domains	whois.donuts.co
+.education	whois.donuts.co
+.email		whois.donuts.co
+.enterprises	whois.donuts.co
+.equipment	whois.donuts.co
+.estate		whois.donuts.co
+.farm		whois.donuts.co
+.florist	whois.donuts.co
+.gallery	whois.donuts.co
+.glass		whois.donuts.co
+.graphics	whois.donuts.co
+.guru		whois.donuts.co
+.holdings	whois.donuts.co
+.holiday	whois.donuts.co
+.house		whois.donuts.co
+.immobilien	whois.unitedtld.com
+.institute	whois.donuts.co
+.international	whois.donuts.co
+.kaufen		whois.unitedtld.com
+.kitchen	whois.donuts.co
+.kiwi		whois.dot-kiwi.com
+.land		whois.donuts.co
+.lighting	whois.donuts.co
+.limo		whois.donuts.co
+.management	whois.donuts.co
+.menu		whois.nic.menu
+.ninja		whois.unitedtld.com
+.onl		whois.afilias-srs.net
+.photography	whois.donuts.co
+.photos		whois.donuts.co
+.plumbing	whois.donuts.co
+.recipes	whois.donuts.co
+.repair		whois.donuts.co
+.ruhr		whois.nic.ruhr
+.sexy		whois.uniregistry.net
+.shoes		whois.donuts.co
+.singles	whois.donuts.co
+.solar		whois.donuts.co
+.solutions	whois.donuts.co
+.support	whois.donuts.co
+.systems	whois.donuts.co
+.tattoo		whois.uniregistry.net
+.technology

Bug#733266: pu: package whois/5.1.0

[Marco d'Itri]

On Dec 28, Adam D. Barratt a...@adam-barratt.org.uk wrote:

 This change isn't explicitly documented afaics. Have servers stopped
 supporting the S flag, or was it not actually supported to begin with?
I have forgot the exact details of what it meant, but it was not 
commonly used and it is not supported anymore by servers:

echo '-S 10.0.0.1' | nc whois.ripe.net  43
echo '-S 10.0.0.1' | nc whois.apnic.net 43

-- 
ciao,
Marco


signature.asc
Description: Digital signature

Bug#733266: pu: package whois/5.1.0

[Marco d'Itri]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

whois in stable should be updated due to the many changes in the 
database.
I think that the smartest choice would be to reupload the latest 
release, once it will have transitioned to testing.
All the changes are either documentation and database changes or trivial
fixes contributed by Red Hat.

The complete diff, after removing the translation updates, is 44 KB, so 
maybe it is more practical to review the commits in the git repository 
available from https://github.com/rfc1036/whois .

whois (5.1.0) unstable; urgency=low

  * Added the .ga, .ml, .pf, .xn--l1acc (.МОН, Mongolia) and
.xn--mgba3a4f16a (.ﺍیﺭﺎﻧ, Iran) TLD servers.
  * Added the servers for 54 new gTLDs.
  * Updated the .bw, .gd, .hn, .sb, .xn--j1amh and .xn--mgberp4a5d4ar
TLD servers.
  * Added new RIPE and APNIC ASN allocations.
  * Removed the .ck TLD server.
  * Updated one or more translations.
  * Applied multiple small fixes contributed by Petr Písař of Red Hat.
  * Correctly hide the disclaimers for .be and .sx. (Closes: #729366)
  * Direct queries for private ASN blocks to RIPE. (Closes: #724661)

 -- Marco d'Itri m...@linux.it  Thu, 26 Dec 2013 10:05:43 +0100

whois (5.0.26) unstable; urgency=low

  * Added the .cf TLD server.
  * Updated the .bi TLD server.
  * Added a new ASN allocation.

 -- Marco d'Itri m...@linux.it  Wed, 17 Jul 2013 00:48:12 +0200

whois (5.0.25) unstable; urgency=low

  * Added the .ax, .bn, .iq, .pw and .rw TLD servers.
  * Updated one or more translations.

 -- Marco d'Itri m...@linux.it  Fri, 10 May 2013 05:13:47 +0200

whois (5.0.24) unstable; urgency=low

  * Merged documentation fixes and the whois.conf(5) man page, courtesy of
Petr Písař of Red Hat.
  * Added a new ASN allocation.
  * Updated one or more translations. (Closes: #705163)

 -- Marco d'Itri m...@linux.it  Thu, 18 Apr 2013 03:36:17 +0200


-- 
ciao,
Marco


signature.asc
Description: Digital signature

Bug#705651: unblock: inn2/2.5.3-3

[Marco d'Itri]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package inn2

The first bug can be worked around but it makes the package seriously 
broken in the real world since it totally breaks control messages 
processing.
The second bug is RC.


diff -Nru inn2-2.5.3/debian/changelog inn2-2.5.3/debian/changelog
--- inn2-2.5.3/debian/changelog 2012-06-29 02:03:17.0 +0200
+++ inn2-2.5.3/debian/changelog 2013-04-08 09:22:26.0 +0200
@@ -1,3 +1,20 @@
+inn2 (2.5.3-3) unstable; urgency=low
+
+  * Fixed the fix for #690128.
+
+ -- Marco d'Itri m...@linux.it  Mon, 08 Apr 2013 09:21:53 +0200
+
+inn2 (2.5.3-2) unstable; urgency=low
+
+  * Fixed the fix for #652733, which totally broke pgpverify.
+(Closes: #685007)
+  * Handle upstream renaming of our conffile /etc/news/motd.news to
+non-conffile /etc/news/motd.nnrpd. If it has not been modified by
+the admin then just remove it. Patch courtesy of Nick Leverton.
+(Closes: #690128)
+
+ -- Marco d'Itri m...@linux.it  Sun, 07 Apr 2013 21:43:24 +0200
+
 inn2 (2.5.3-1) unstable; urgency=low
 
   * New upstream release. Fixes:
diff -Nru inn2-2.5.3/debian/control inn2-2.5.3/debian/control
--- inn2-2.5.3/debian/control   2012-06-29 02:24:13.0 +0200
+++ inn2-2.5.3/debian/control   2013-04-08 04:55:37.0 +0200
@@ -7,7 +7,7 @@
 
 Package: inn2
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, cron, exim4 | 
mail-transport-agent, time, procps, perl, ${PERLAPI}, libmime-tools-perl
+Depends: ${shlibs:Depends}, ${misc:Depends}, cron, default-mta | 
mail-transport-agent, time, procps, perl, ${PERLAPI}, libmime-tools-perl
 Pre-Depends: inn2-inews (= 2.3.999+20030227-1)
 Suggests: gnupg, wget, libgd-gd2-noxpm-perl | libgd-gd2-perl, 
${shlibs:Suggests}
 Replaces: inn, inewsinn, innfeed, ninpaths, inn2-dev
@@ -37,7 +37,7 @@
 
 Package: inn2-lfs
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, cron, exim4 | 
mail-transport-agent, time, procps, perl, ${PERLAPI}, libmime-tools-perl
+Depends: ${shlibs:Depends}, ${misc:Depends}, cron, default-mta | 
mail-transport-agent, time, procps, perl, ${PERLAPI}, libmime-tools-perl
 Pre-Depends: inn2-inews (= 2.3.999+20030227-1)
 Suggests: gnupg, wget, libgd-gd2-noxpm-perl | libgd-gd2-perl, 
${shlibs:Suggests}
 Replaces: inn, inewsinn, innfeed, ninpaths, inn2-dev
diff -Nru inn2-2.5.3/debian/copyright inn2-2.5.3/debian/copyright
--- inn2-2.5.3/debian/copyright 2011-04-14 00:26:37.0 +0200
+++ inn2-2.5.3/debian/copyright 2013-04-07 19:49:10.0 +0200
@@ -9,7 +9,7 @@
 different licenses and/or copyrights is covered by the following copyright
 and license:
 
-   Copyright (c) 2004, 2005, 2006, 2007, 2008, 2009
+   Copyright (c) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012
by Internet Systems Consortium, Inc. (ISC)
Copyright (c) 1991, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001,
2002, 2003 by The Internet Software Consortium and Rich Salz
diff -Nru inn2-2.5.3/debian/inn2.postinst inn2-2.5.3/debian/inn2.postinst
--- inn2-2.5.3/debian/inn2.postinst 2012-06-28 17:49:56.0 +0200
+++ inn2-2.5.3/debian/inn2.postinst 2013-04-08 09:23:51.0 +0200
@@ -155,6 +155,18 @@
 fi
 }
 
+# #690128: if the old MOTD file has been amended by the admin from default,
+# then copy it to the new non-conffile nnrpd MOTD file.
+# If not then remove the old MOTD conffile, being sure to cater for rollback.
+if [ $1 = configure -a $2 ] 
+dpkg --compare-versions $2 le-nl 2.5.3-1~; then
+if [ -e /etc/news/motd.news.dpkg-backup -a ! -e /etc/news/motd.nnrpd ]; 
then
+echo Renaming modified conffile /etc/news/motd.news to 
/etc/news/motd.nnrpd.
+mv /etc/news/motd.news.dpkg-backup /etc/news/motd.nnrpd
+fi
+fi
+dpkg-maintscript-helper rm_conffile /etc/news/motd.news 2.5.3-1~ -- $@
+
 case $1 in
 configure)
 init_inn_files
diff -Nru inn2-2.5.3/debian/inn2.postrm inn2-2.5.3/debian/inn2.postrm
--- inn2-2.5.3/debian/inn2.postrm   2011-04-14 00:26:37.0 +0200
+++ inn2-2.5.3/debian/inn2.postrm   2013-04-08 09:23:30.0 +0200
@@ -1,5 +1,10 @@
 #!/bin/sh -e
 
+# #690128: if the old MOTD file has been amended by the admin from default,
+# then rename it to the new non-conffile nnrpd MOTD file.
+# If not then remove the old MOTD conffile, being sure to cater for rollback.
+dpkg-maintscript-helper rm_conffile /etc/news/motd.news 2.5.3-1~ -- $@
+
 if [ $1 = purge ]; then
   update-rc.d inn2 remove /dev/null
   if [ -e /var/lib/news/ ]; then
diff -Nru inn2-2.5.3/debian/inn2.preinst inn2-2.5.3/debian/inn2.preinst
--- inn2-2.5.3/debian/inn2.preinst  2011-04-14 00:26:37.0 +0200
+++ inn2-2.5.3/debian/inn2.preinst  2013-04-07 22:26:24.0 +0200
@@ -20,6 +20,11 @@
   fi # 2.3.1-2
 }
 
+# #690128: if the old MOTD file has been amended by the admin from default,
+# then copy it to the new non-conffile nnrpd MOTD file

Bug#705356: unblock: netbase/5.1

[Marco d'Itri]

On Apr 15, Jonathan Wiltshire j...@debian.org wrote:

* etc-services: removed console (782/tcp).
  Reverted because #658077 was totally bogus: this entry is not useful.
 Possibly, if this actually causes a problem. Is it harmless to leave it in
 place?
It is harmful if appears in a release and somebody uses it, because 
then it will be much harder to remove.

* etc-services: added urd (465/tcp). ssmtp and smtps kept as aliases.
  (Closes: #703175)
 Only severity normal...
* etc-services: added db-lsp (17500/tcp). (Closes: #695708)
 ... wishlist ...
* etc-protocols: added hopopt (0). (Closes: #675339)
 ... wishlist ...
Yes, but they are all trivial changes.

* Removed ip6-localnet and ip6-mcastprefix from the default /etc/hosts
  created by postinst because they have no purpose. (Closes: #688090)
 ... and normal.
This has barely any effect since the code is triggered only if 
/etc/hosts does not exists (and usually it always exist, since d-i 
creates it and changed it this way long ago).

 If those severities aren't accurate please tell the bts. Otherwise, no they
 are no longer changes we consider urgent. They are all old bugs and could
 have been cleared up in plenty of time before now.
OK, I suck as a maintainer and as a human being and I neglected my 
packages for most of the last year.
But I'd rather move on and fix what can still be fixed.

* Made the package Multi-Arch foreign. (Closes: #688396)
 Definitely not.
Why? netbase is just four config files nowadays, it's not like declaring 
it foreign could break anything.

* Slightly raised the ifupdown Breaks version to match Ubuntu.
 Is there are technical reason for this or just a courtesy to our
 derivatives?
No technical reason, the delta is a few releases which only existed 
in unstable for a short time (and nobody is supposed to be using anymore
due to them being quite experimental).

-- 
ciao,
Marco


signature.asc
Description: Digital signature

Bug#705355: unblock: whois/5.0.23

[Marco d'Itri]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package whois

Wheeze should really have fixes for these issues. The version currently 
in testing is totally broken for:
- 6to4 addresses (#699928)
- Korean domains
- Indonesian domains

The other changes are trivial.

All changes can be reviewed at 
https://github.com/rfc1036/whois/commits/master (please ignore the most 
recent changes, which are about version 5.0.24).

unblock whois/5.0.23

-- 
ciao,
Marco


signature.asc
Description: Digital signature

Bug#705356: unblock: netbase/5.1

[Marco d'Itri]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package netbase

netbase (5.1) unstable; urgency=low

  * etc-services: removed console (782/tcp).
Reverted because #658077 was totally bogus: this entry is not useful.
  * etc-services: added urd (465/tcp). ssmtp and smtps kept as aliases.
(Closes: #703175)
  * etc-services: added db-lsp (17500/tcp). (Closes: #695708)
  * etc-protocols: added hopopt (0). (Closes: #675339)
  * Removed ip6-localnet and ip6-mcastprefix from the default /etc/hosts
created by postinst because they have no purpose. (Closes: #688090)
  * Made the package Multi-Arch foreign. (Closes: #688396)
  * Slightly raised the ifupdown Breaks version to match Ubuntu.

 -- Marco d'Itri m...@linux.it  Tue, 02 Apr 2013 02:31:27 +0200

All changes can also be reviewed at 
http://anonscm.debian.org/gitweb/?p=users/md/netbase.git .

diff -Nru netbase-5.0/debian/changelog netbase-5.1/debian/changelog
--- netbase-5.0/debian/changelog2012-05-14 01:11:15.0 +0200
+++ netbase-5.1/debian/changelog2013-04-02 02:31:32.0 +0200
@@ -1,3 +1,18 @@
+netbase (5.1) unstable; urgency=low
+
+  * etc-services: removed console (782/tcp).
+Reverted because #658077 was totally bogus: this entry is not useful.
+  * etc-services: added urd (465/tcp). ssmtp and smtps kept as aliases.
+(Closes: #703175)
+  * etc-services: added db-lsp (17500/tcp). (Closes: #695708)
+  * etc-protocols: added hopopt (0). (Closes: #675339)
+  * Removed ip6-localnet and ip6-mcastprefix from the default /etc/hosts
+created by postinst because they have no purpose. (Closes: #688090)
+  * Made the package Multi-Arch foreign. (Closes: #688396)
+  * Slightly raised the ifupdown Breaks version to match Ubuntu.
+
+ -- Marco d'Itri m...@linux.it  Tue, 02 Apr 2013 02:31:27 +0200
+
 netbase (5.0) unstable; urgency=medium
 
   * Removed the init script, added Breaks: ifupdown ( 0.7~rc1).
diff -Nru netbase-5.0/debian/control netbase-5.1/debian/control
--- netbase-5.0/debian/control  2012-05-14 00:55:49.0 +0200
+++ netbase-5.1/debian/control  2013-04-01 23:29:11.0 +0200
@@ -2,14 +2,17 @@
 Section: admin
 Priority: important
 Maintainer: Marco d'Itri m...@linux.it
-Standards-Version: 3.9.3.1
+Standards-Version: 3.9.4.0
 Build-Depends: debhelper (= 7)
+Vcs-Git: git://git.debian.org/users/md/netbase.git
+Vcs-Browser: http://git.debian.org/?p=users/md/netbase.git
 
 Package: netbase
 Architecture: all
+Multi-Arch: foreign
 Depends: lsb-base (= 3.0-6), ${misc:Depends}
 Conflicts: openbsd-inetd ( 0.20050402-3), inetutils-inetd ( 
2:1.4.3+20060719-3)
-Breaks: ifupdown ( 0.7~rc1)
+Breaks: ifupdown ( 0.7)
 Recommends: ifupdown
 Description: Basic TCP/IP networking system
  This package provides the necessary infrastructure for basic TCP/IP based
diff -Nru netbase-5.0/debian/netbase.postinst 
netbase-5.1/debian/netbase.postinst
--- netbase-5.0/debian/netbase.postinst 2012-05-14 00:49:44.0 +0200
+++ netbase-5.1/debian/netbase.postinst 2013-04-01 23:48:42.0 +0200
@@ -6,8 +6,6 @@
   cat  /etc/hosts -EOF
127.0.0.1   localhost
::1 localhost ip6-localhost ip6-loopback
-   fe00::0 ip6-localnet
-   ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
 
diff -Nru netbase-5.0/debian/source/format netbase-5.1/debian/source/format
--- netbase-5.0/debian/source/format2010-06-25 23:02:31.0 +0200
+++ netbase-5.1/debian/source/format2013-04-01 23:29:07.0 +0200
@@ -1 +1 @@
-1.0
+3.0 (native)
diff -Nru netbase-5.0/etc-protocols netbase-5.1/etc-protocols
--- netbase-5.0/etc-protocols   2011-06-26 13:38:56.0 +0200
+++ netbase-5.1/etc-protocols   2013-04-01 23:29:14.0 +0200
@@ -7,7 +7,7 @@
 # If you need a huge list of used numbers please install the nmap package.
 
 ip 0   IP  # internet protocol, pseudo protocol number
-#hopopt0   HOPOPT  # IPv6 Hop-by-Hop Option [RFC1883]
+hopopt 0   HOPOPT  # IPv6 Hop-by-Hop Option [RFC1883]
 icmp   1   ICMP# internet control message protocol
 igmp   2   IGMP# Internet Group Management
 ggp3   GGP # gateway-gateway protocol
diff -Nru netbase-5.0/etc-services netbase-5.1/etc-services
--- netbase-5.0/etc-services2012-05-14 01:07:35.0 +0200
+++ netbase-5.1/etc-services2013-04-01 23:29:14.0 +0200
@@ -158,6 +158,7 @@
 microsoft-ds   445/udp
 kpasswd464/tcp
 kpasswd464/udp
+urd465/tcp ssmtp smtps  # URL Rendesvous Directory for SSM
 saft   487/tcp # Simple Asynchronous File Transfer
 saft   487/udp
 isakmp 500/tcp # IPsec - Internet Security Association
@@ -466,6 +467,7 @@
 bpcd   13782/udp
 vopied 13783/tcp

please unblock whois

[Marco d'Itri]

whois (5.0.20) unstable; urgency=low

  * Updated the .by, .ng, .om, .sm, .tn, .ug and .vn TLD servers.
(Closes: #689486)
  * Added the .bw, .td, .xn--mgb9awbf (عمان., Oman), .xn--mgberp4a5d4ar 
(.السعودية, Saudi Arabia) and .xn--mgbx4cd0ab (ﻢﻠﻴﺴﻳﺍ., Malaysia)
TLD servers.
  * Removed the .kp, .mc, .rw and .xn--mgba3a4f16a (ایران., Iran) TLD servers.

 -- Marco d'Itri m...@linux.it  Sun, 07 Oct 2012 01:25:05 +0200

whois (5.0.19) unstable; urgency=low

  * Added the .post TLD server.
  * Updated the .co.za SLD servers. (Closes: #687094)
  * Added the .alt.za, .net.za and .web.za SLD servers.
  * whois.ua changed (?) the encoding to utf-8. (Closes: #686715)
  * Fixed the parsing of 6to4 addresses like whois 2002:::. (LP#967311)
  * Modified the package version check in debian/rules to help Ubuntu
maintainers. (Closes: #684526)

 -- Marco d'Itri m...@linux.it  Mon, 17 Sep 2012 21:41:29 +0200

-- 
ciao,
Marco


signature.asc
Description: Digital signature

Re: Reviewing/unblocking udev/175-7

[Marco d'Itri]

On Aug 25, Cyril Brulebois k...@debian.org wrote:

 1. This one appears twice:
 +  * Moved 60-persistent-input.rules back from udev-gtk-udeb to udev-udeb.
 +(Closes: #666223) 
 
 I suspect a copy/paste failure, since 50-udev-default.rules was moved
 to, but not mentioned in the changelog?
It appears twice because I think that the first time I did it wrong (I 
was a bit confused myself by this as well, but the result looks correct).

 2. You want to compress only source with that, right?
No... Unless somebody strongly feels that XZ binary packages are not
yet acceptable for udev then I will fix this in the next upload.

 3. The libusb-dev epoch bump in build-depswasn't mentioned in the changelog.
This was reported on debian-devel@, the old version was wrong but the 
change has no practical consequences.

 4. Standards-Version was bumped with no mention in the changelog.
Because it required no change to the package.

 5. gir1.2-gudev-1.0's section was changed from libs to introspection
 with no mention in the changelog.
The change merely reflects the actual status in the archive.

 6. udev_conf_comments wasn't mentioned in the changelog.
Following my theory that the change speaks for itself, and that if 
you do not see it then you do not need to care that something has 
changed.

 As mentioned on IRC, 17x vs. 18y for wheezy is for another day…
Either way will require a lot of work, but I think that I will make a 
18x upload to experimental.

-- 
ciao,
Marco


signature.asc
Description: Digital signature

Re: Possible release note for systems running PHP through CGI.

[Marco d'Itri]

On Aug 20, Wouter Verhelst w...@uter.be wrote:

  But some sites accept file uploads with arbitrary names, perhaps
  expected to be a JPEG image, but actually named bar.php.jpeg and
  containing malicious server-side PHP which they could execute from the
  browser.
 Don't Do That Then(TM).
I see that you are not in the web hosting business. g
Millions of web sites do this, so now matter how a bad practice this is 
(and I agree that it is) we need to do everything possible to work 
around insecure web sites.
Also, we are talking about PHP: if educating developers were possible, 
they would not use PHP in the first place.

 The right solution to this problem is instead to write your upload
 scripts so that they
True. But you do not dictate solutions to the 16 year old webmaster 
who happens to be the cousin of your customer.

-- 
ciao,
Marco


signature.asc
Description: Digital signature

Re: Possible release note for systems running PHP through CGI.

[Marco d'Itri]

On Aug 19, Charles Plessy ple...@debian.org wrote:

  - PHP scripts can be executed by Apache httpd through libapache2-mod-php5 or
php5-cgi.  Debian recommends libapache2-mod-php5, but there are still
This is another issue which concerns me, since mod_php forces the use of 
preforking apache, which means that the server will either stop serving 
pages or OOM at the first hint of real traffic.
(And obviously mod_php is wildly insecure for multitenants servers.)

thousands of installations wich report the use of php5-cgi according to the
Popularity Contest statistics.
Yes, because sensible people who need PHP will try to use it as 
CGI/FastCGI (or FPM, finally in wheezy).

  - This breaks the websites executing PHP scripts through php5-cgi, and
a solution is being be documented in the php5 package's NEWS file.

 http://anonscm.debian.org/gitweb/?p=pkg-php/php.git;a=commitdiff;h=f7a6351c620075a9d2a551fbed38ea26919f0d94
I think that this entry is too mild/vague:
- including but possibly not limited to the Apache HTTPD Server: such 
  a major issue justifies being specific about the affected packages
- too many mays, while the entry should clearly state, maybe in caps, 
  something like this will almost certainly break your server if you 
  use PHP as CGI/FastCGI, and also leak your source code and passwords

 This will interrupt upgrade of servers using php5-cgi, but to avoid surprises,
 the rough consensus in #674089 is also to document the same information in the
 release notes.
I agree with the interrupting upgrades for such a major package is going 
to be annoying.
I am also concerned that a *simple* solution to restore the old 
behaviour in a secure way is not provided: maybe php5-cgi should install 
a sensible default configuration in /etc/apache2/conf.d/ ?

-- 
ciao,
Marco


signature.asc
Description: Digital signature

Re: please unblock kmod

[Marco d'Itri]

On Aug 18, Julien Cristau jcris...@debian.org wrote:

  It was uploaded before the freeze cutoff, but it needs an ack by the d-i 
  team.
 What does this fix?  The important changes seem to be in the previous
 version already, the remaining changes are essentially in the testsuite
 AFAICT?
There are no major changes, mostly a few depmod fixes, but I see this as 
an argument in favour of transitioning the package since it was uploaded 
long ago and before the freeze.
The second argument is that I need to include in the next upload an 
important bug fix from GIT[1] which applies to version 9, and I would 
rather not waste time managing t-p-u only uploads and making sure that 
the patch is both literally and logically compatible with version 8.


[1] the last two commits:
http://git.kernel.org/?p=utils/kernel/kmod/kmod.git

-- 
ciao,
Marco


signature.asc
Description: Digital signature

please unblock kmod

[Marco d'Itri]

It was uploaded before the freeze cutoff, but it needs an ack by the d-i 
team.

-- 
ciao,
Marco


signature.asc
Description: Digital signature

please unblock tcp-wrappers

[Marco d'Itri]

diff -urpN a/debian/changelog b/debian/changelog
--- a/debian/changelog  2012-02-19 01:42:55.0 +0100
+++ b/debian/changelog  2012-07-30 03:54:25.0 +0200
@@ -1,3 +1,11 @@
+tcp-wrappers (7.6.q-24) unstable; urgency=low
+
+  * Do not remove /etc/hosts.{allow,deny} on purge of libwrap0 if it is
+installed for multiple architectures. (Closes: #682425)
+Patch courtesy of Jonathan Nieder.
+
+ -- Marco d'Itri m...@linux.it  Mon, 30 Jul 2012 03:37:41 +0200
+
 tcp-wrappers (7.6.q-23) unstable; urgency=medium
 
   * Correctly install libwrap.{a,so} in the multiarch directory.
diff -urpN a/debian/control b/debian/control
--- a/debian/control2012-02-19 01:37:57.0 +0100
+++ b/debian/control2012-07-30 03:48:21.0 +0200
@@ -3,7 +3,7 @@ Section: net
 Priority: important
 Maintainer: Marco d'Itri m...@linux.it
 Build-Depends: debhelper (= 8.1.3), dpkg-dev (= 1.14.8)
-Standards-Version: 3.9.2
+Standards-Version: 3.9.3.1
 
 Package: tcpd
 Priority: optional
diff -urpN a/debian/libwrap0.postrm b/debian/libwrap0.postrm
--- a/debian/libwrap0.postrm2010-05-23 16:31:19.0 +0200
+++ b/debian/libwrap0.postrm2012-07-30 03:47:54.0 +0200
@@ -1,6 +1,7 @@
 #!/bin/sh -e
 
-if [ $1 = purge ]; then
+if [ $1 = purge ]  \
+   [ $(dpkg-query --show libwrap0 2 /dev/null | wc -l) = 1 ]; then
   rm -f /etc/hosts.allow /etc/hosts.deny
 fi
 
diff -urpN a/debian/source/options b/debian/source/options
--- a/debian/source/options 1970-01-01 01:00:00.0 +0100
+++ b/debian/source/options 2012-07-30 03:50:57.0 +0200
@@ -0,0 +1 @@
+compression=xz

-- 
ciao,
Marco


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120812140707.ga14...@bongo.bofh.it

Re: please unblock kmod

[Marco d'Itri]

On Aug 12, Cyril Brulebois k...@debian.org wrote:

 Marco d'Itri m...@linux.it (12/08/2012):
  It was uploaded before the freeze cutoff, but it needs an ack by the
  d-i team.
 Please be patient, we don't need noise.
sure, but can you clarify which event I need to wait for, so that I will 
not create any other unnecessary noise?

I also have a few minor changes waiting (building the udeb with -Os, 
documentation fixes): should I upload a new package right now or wait 
for this one to migrate to testing?

-- 
ciao,
Marco


signature.asc
Description: Digital signature

please unblock whois

[Marco d'Itri]

diff -urNp whois-5.0.17/debian/changelog whois-5.0.18/debian/changelog
--- whois-5.0.17/debian/changelog   2012-06-25 03:36:11.0 +0200
+++ whois-5.0.18/debian/changelog   2012-07-22 20:36:48.279334628 +0200
@@ -1,3 +1,11 @@
+whois (5.0.18) unstable; urgency=low
+
+  * Updated the .ae and .xn--mgbaam7a8h (.امارات, United Arabs Emirates)
+TLDs.
+  * Updated the server charset table for .fr and .it.
+
+ -- Marco d'Itri m...@linux.it  Sun, 22 Jul 2012 20:35:18 +0200
+
 whois (5.0.17) unstable; urgency=medium
 
   * Updated the .bi, .fo, .gr and .gt TLD servers.
diff -urNp whois-5.0.17/servers_charset_list whois-5.0.18/servers_charset_list
--- whois-5.0.17/servers_charset_list   2012-06-08 06:45:36.0 +0200
+++ whois-5.0.18/servers_charset_list   2012-07-22 20:35:10.590850093 +0200
@@ -3,7 +3,7 @@ whois.corenic.net   utf-8   -C UTF-8
 whois.cat  utf-8   -C UTF-8
 whois.museum   utf-8   -C UTF-8
 
-whois.aeda.ae  utf-8
+whois.aeda.net.ae  utf-8
 whois.nic.br   iso-8859-1
 whois.cira.ca  iso-8859-1
 whois.nic.ch   utf-8
@@ -18,12 +18,13 @@ whois.eenet.ee  iso-8859-1
 whois.eu   utf-8
 whois.ficora.fiiso-8859-1
 whois.nic.fo   utf-8
-whois.nic.fr   iso-8859-1
+whois.nic.fr   utf-8
 whois.hkirc.hk utf-8
 whois.nic.hr   utf-8
 whois.nic.hu   iso-8859-1
 whois.nic.ir   utf-8
 whois.isnic.is iso-8859-1
+whois.nic.it   utf-8
 whois.jprs.jp  iso-2022-jp
 whois.nic.ad.jpiso-2022-jp
 whois.nic.or.kreuc-kr
diff -urNp whois-5.0.17/tld_serv_list whois-5.0.18/tld_serv_list
--- whois-5.0.17/tld_serv_list  2012-06-25 03:27:50.0 +0200
+++ whois-5.0.18/tld_serv_list  2012-07-22 20:35:12.266859267 +0200
@@ -58,7 +58,7 @@
 
 .acwhois.nic.ac
 .adNONE# www.nic.ad
-.aewhois.aeda.ae
+.aewhois.aeda.net.ae
 .afwhois.nic.af
 .agwhois.nic.ag
 .aiwhois.ai
@@ -357,7 +357,7 @@
 .xn--kpry57d   whois.twnic.net.tw  # Taiwan, Traditional Chinese
 .xn--lgbbat1ad8j   whois.nic.dz# Algeria
 .xn--mgba3a4f16a   whois.nic.ir# Iran
-.xn--mgbaam7a8hwhois.aeda.ae   # United Arab Emirates
+.xn--mgbaam7a8hwhois.aeda.net.ae   # United Arab Emirates
 .xn--mgbayh7gpaWEB http://idn.jo/whois_a.aspx  # Jordan
 .xn--mgbbh1a71ewhois.registry.in   # India, Urdu AW
 #.xn--mgbc0a9azcg  whois.iam.net.ma# Morocco

-- 
ciao,
Marco


signature.asc
Description: Digital signature

please unblock kmod

[Marco d'Itri]

It was uploaded before the freeze cutoff, but it needs an ack by the d-i 
team.

-- 
ciao,
Marco


signature.asc
Description: Digital signature

Re: please unblock kmod

[Marco d'Itri]

On Jul 27, Cyril Brulebois k...@debian.org wrote:

 Marco d'Itri m...@linux.it (27/07/2012):
  It was uploaded before the freeze cutoff, but it needs an ack by the d-i 
  team.
 NACK for now.
Can you be a little more specific?

-- 
ciao,
Marco


signature.asc
Description: Digital signature

please unblock kmod

[Marco d'Itri]

It was uploaded before the freeze cutoff, but it needs an ack by the d-i 
team.

-- 
ciao,
Marco


signature.asc
Description: Digital signature

Re: Thank you so much for breaking d-i!

[Marco d'Itri]

On Jul 15, Cyril Brulebois k...@debian.org wrote:

 thanks to the totally uncoordinated switch from module-init-tools to
 kmod, d-i is badly broken. We're in freeze, neither debian-boot or
 debian-release were contacted, that's a huge success!
WTF are you talking about? We switched from module-init-tools to kmod 
months ago, and the last time I discussed d-i and modules with 
debian-boot people my understanding was that modules are now loaded by 
busybox.

module-init-tools is not coming back, if d-i still needs something from 
kmod then just let me know without getting crazy for no reason.

-- 
ciao,
Marco


signature.asc
Description: Digital signature

which udev release for wheezy?

[Marco d'Itri]

Due to my day job commitments[1] I have been unable to work on udev 
for the last six months[2].

My original plan was to ship in wheezy udev 182, which was released 
in March, but I missed the freeze deadline and I know that uploading 
it now without comments would not be approved by the release team.

There are no significant functional differences between 175 and 182, 
except for it depending on devtmpfs (which is not a problem for us), 
but the source trees are very different due to some big source 
reorganization which happened in release 176 (files were moved and 
some external binaries have become builtin).
I believe that the very small number of changes since 176 (released on 
january 11) show that upstream udev 182 is a stable release suitable 
for wheezy.

The alternative is to ship udev 175 (the version currently in testing) 
with 35-40 backported patches to fix its bugs.

As the udev maintainer and frequent upstream contributor since it 
exists, it is my opinion that attempting to ship udev 175 + patches
would be very time consuming and probably deliver a package with more 
bugs.
While it may be be possible to backport all the newer fixes to 175, 
I fear that this would introduce subtle bugs due to the big source 
changes in 183, and then we would end up anyway with something 
unsupported and hated by the upstream maintainers.

My proposal for wheezy is to:
- immediately fix a few major packaging issues of udev 175 in testing
- upload udev 182 to unstable and keep it there for a few months
- evaluate migrating 182 to testing later (in september?)


[1] http://www.flickr.com/photos/seeweb/ are the photographic proofs
[2] Why I did not search for co-maintainers? It did not work for ppp

-- 
ciao,
Marco


signature.asc
Description: Digital signature

3.x kernels fix for the stable module-init-tools

[Marco d'Itri]

Please approve the updated module-init-tools package, the trivial patch
comes from upstream and has been in testing for months.

diff -u module-init-tools-3.12/debian/changelog 
module-init-tools-3.12/debian/changelog
--- module-init-tools-3.12/debian/changelog
+++ module-init-tools-3.12/debian/changelog
@@ -1,3 +1,9 @@
+module-init-tools (3.12-2) stable; urgency=low
+
+  * Backported upstream commit 3328d17 to support 3.x kernels.
+
+ -- Marco d'Itri m...@linux.it  Sun, 30 Oct 2011 03:09:19 +0100
+
 module-init-tools (3.12-1) unstable; urgency=low
 
   * New upstream release.
diff -u module-init-tools-3.12/debian/patches/series 
module-init-tools-3.12/debian/patches/series
--- module-init-tools-3.12/debian/patches/series
+++ module-init-tools-3.12/debian/patches/series
@@ -1,3 +1,5 @@
+commit-3328d17
+
 # fixes to be pushed upstream
 document_depmod_m
 
only in patch2:
unchanged:
--- module-init-tools-3.12.orig/debian/patches/commit-3328d17
+++ module-init-tools-3.12/debian/patches/commit-3328d17
@@ -0,0 +1,24 @@
+commit 3328d178247017affd90b7897393699f2f45227d
+Author: Michal Marek mma...@suse.cz
+Date:   Mon May 30 15:58:43 2011 +0200
+
+depmod: Handle X.Y kernel versions
+
+What a stupid check.
+
+Signed-off-by: Michal Marek mma...@suse.cz
+Signed-off-by: Jon Masters j...@jonmasters.org
+
+diff --git a/depmod.c b/depmod.c
+index abfb11e..98a5efa 100644
+--- a/depmod.c
 b/depmod.c
+@@ -247,7 +247,7 @@ static int is_version_number(const char *version)
+ {
+   unsigned int dummy;
+ 
+-  return (sscanf(version, %u.%u.%u, dummy, dummy, dummy) == 3);
++  return (sscanf(version, %u.%u, dummy, dummy) == 2);
+ }
+ 
+ static int old_module_version(const char *version)

-- 
ciao,
Marco


signature.asc
Description: Digital signature

please unblock udev

[Marco d'Itri]

-- 
ciao,
Marco


signature.asc
Description: Digital signature

please unblock udev

[Marco d'Itri]

-- 
ciao,
Marco


signature.asc
Description: Digital signature

please unblock udev

[Marco d'Itri]

-- 
ciao,
Marco


signature.asc
Description: Digital signature

please unblock ppp

[Marco d'Itri]

ppp (2.4.5-5) unstable; urgency=medium

  * Updated debconf translation: da. (Closes: #601791)

 -- Marco d'Itri m...@linux.it  Wed, 19 Jan 2011 23:24:16 +0100

-- 
ciao,
Marco


signature.asc
Description: Digital signature

please unblock udev

[Marco d'Itri]

udev (164-4) unstable; urgency=medium

  * Backported multiple keymap and documentation bug fixes.
  * Removed dead usplash support code from initramfs.top. (Closes: #609279)
  * Updated one or more debconf translations. (Closes: #606997)

 -- Marco d'Itri m...@linux.it  Wed, 19 Jan 2011 23:32:40 +0100

-- 
ciao,
Marco


signature.asc
Description: Digital signature

please unblock netbase

[Marco d'Itri]

netbase (4.45) unstable; urgency=high

  * etc-services: added 4691 (mtn). (Closes: #607858)
  * etc-protocols: added dccp (33). (Closes: #610536)

 -- Marco d'Itri m...@linux.it  Wed, 19 Jan 2011 23:14:59 +0100

-- 
ciao,
Marco


signature.asc
Description: Digital signature

Re: Bug#603710: root and swap devices on lvm do not correctly show up in udev (missing symlinks)

[Marco d'Itri]

On Dec 24, Julien Cristau jcris...@debian.org wrote:

 I don't know.  You say there's a RC bug in our lvm package, so you could
 provide a patch or NMU, or at least give some details about this since
 you seem to know what this is about and there's no details in the bug
 log...
This is what the upstream maintainer had to say on the matter:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590665#20
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=593625#25

I had to revert the change discussed in #593625 because the LVM rules
have not been updated.

I do not know lvm enough to provide a reasonably safe patch.

-- 
ciao,
Marco


signature.asc
Description: Digital signature

Re: udev 164-3 in squeeze?

[Marco d'Itri]

On Dec 18, Christian PERRIER bubu...@debian.org wrote:

 Is udev 164-3 OK for release? I don't really know the impact of the
Yes, and I still have one pending translation to merge.

-- 
ciao,
Marco


signature.asc
Description: Digital signature

Re: Bug#603710: root and swap devices on lvm do not correctly show up in udev (missing symlinks)

[Marco d'Itri]

On Dec 16, Julien Cristau jcris...@debian.org wrote:

  CCing the release team to raise awareness for this issue.
 I have no idea what this is about, but it seems you guys need to fight
LVM is unreliable in squeeze.

 it out and then come back to us when you have packages you want to see
 in squeeze?
The upstream maintainer requested that the udev rules are updated, and
so I did.
I even added back a bug to udev because this was not fixed. The
maintainer did not provide any counterargument.
What else should I do?

-- 
ciao,
Marco


signature.asc
Description: Digital signature

Re: Bug#598135: Severity

[Marco d'Itri]

On Dec 01, Neil McGovern ne...@debian.org wrote:

 I'm currently wondering why #598135 is RC. Would someone care to
 explain what I'm missing? :)
Causes data loss.
I am working on a new package with this fix and the changes stuck in
2.5.2-2 because of libdb5.

-- 
ciao,
Marco


signature.asc
Description: Digital signature

please unblock whois 5.0.10

[Marco d'Itri]

whois (5.0.10) unstable; urgency=medium

  * Added new IPv4 allocations.

 -- Marco d'Itri m...@linux.it  Tue, 30 Nov 2010 23:51:59 +0100

whois (5.0.9) unstable; urgency=low

  * Added new IPv4 allocations.

 -- Marco d'Itri m...@linux.it  Sun, 12 Nov 2010 22:24:42 +0100

-- 
ciao,
Marco


signature.asc
Description: Digital signature

Re: Further udev uploads?

[Marco d'Itri]

On Nov 19, Christian PERRIER bubu...@debian.org wrote:

 So, are there plans to have the needed fixes in squeeze, avoid
 this regression and, as a side effect, get Updated one or more
 debconf translations. (Closes: #601182) in squeeze?
I always have a plan. :-)

-- 
ciao,
Marco


signature.asc
Description: Digital signature

please unblock libberkeleydb-perl 0.42-1~squeeze1

[Marco d'Itri]

0.42-1 has been stuck in unstable since february.

libberkeleydb-perl (0.42-1~squeeze1) testing-proposed-updates; urgency=medium

  * Package rebuilt for squeeze with libdb 4.8 since libdb 5.0 has not
migrated to testing in time.

 -- Marco d'Itri m...@linux.it  Sat, 23 Oct 2010 01:32:16 +0200

-- 
ciao,
Marco


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20101106232749.ga1...@bongo.bofh.it

Re: Further udev uploads?

[Marco d'Itri]

On Nov 01, Christian PERRIER bubu...@debian.org wrote:

 May I ask you what are your plans about futher uploads of udev?
Uploads with new translations and bug fixes will continue as usual.
I have been away a few days, I will upload 164-2 soon.

-- 
ciao,
Marco


signature.asc
Description: Digital signature

please unblock whois 5.0.8

[Marco d'Itri]

whois (5.0.8) unstable; urgency=medium

  * Added the .xn--fzc2c9e2c (.ලංකා, Sri Lanka, Sinhala), .xn--mgbayh7gpa
(.الاردن, Jordan) and .xn--pgbs0dh (.تونس, Tunisia) domains.
  * Added the .xn--o3cw4h (.ไทย, Thailand) and .xn--ygbi2ammx (.فلسطين,
Palestinian Territory) TLD servers.
  * Updated the .bd and .ps TLD servers.
  * Removed the .lk TLD server.

 -- Marco d'Itri m...@linux.it  Wed, 06 Oct 2010 17:57:40 +0200

-- 
ciao,
Marco


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20101018102440.ga16...@bongo.bofh.it

Re: please unblock openbsd-inetd 0.20080125-5

[Marco d'Itri]

On Aug 23, Adam D. Barratt a...@adam-barratt.org.uk wrote:

* Added --oknodo to the init script. (Closes: #592582)
 The package doesn't appear to contain any changes to the init script:
Oops... 0.20080125-6 is now ready for testing.

-- 
ciao,
Marco


signature.asc
Description: Digital signature

please unblock openbsd-inetd 0.20080125-5

[Marco d'Itri]

openbsd-inetd (0.20080125-5) unstable; urgency=medium

  * Added --oknodo to the init script. (Closes: #592582)

 -- Marco d'Itri m...@linux.it  Mon, 16 Aug 2010 21:33:09 +0200

-- 
ciao,
Marco


signature.asc
Description: Digital signature

please unblock whois 5.0.7

[Marco d'Itri]

whois (5.0.7) unstable; urgency=medium

  * Added new IPv4 allocations.
  * Added the .xn--j6w193g (.香港, Hong Kong), .xn--kprw13d (.台湾, Taiwan)
and .xn--kpry57d (.台灣, Taiwan) TLD servers.
  * Updated the .bd, .bo, .cm, .co, .cu, .dz, .gr, .hk, .lb, .ni, .rw, .tw
and .tz TLD servers.

 -- Marco d'Itri m...@linux.it  Mon, 09 Aug 2010 00:58:21 +0200

-- 
ciao,
Marco


signature.asc
Description: Digital signature

Re: libdb5, mips and squeeze

[Marco d'Itri]

On Aug 13, Clint Adams sch...@debian.org wrote:

 Inasmuch as three months ago there was no reason to believe that mips
 would still be suffering from all kinds of toolchain breakage, I suppose.
I still have seen no answers from the MIPS porters.
Is there anybody home?

-- 
ciao,
Marco


signature.asc
Description: Digital signature

libdb5, mips and squeeze

[Marco d'Itri]

libdb5 has been failing to build on mips and mipsel for over 5 weeks,
and apparently nobody cares.
I have multiple packages linked to it which have not been able to move
to testing, should I rebuild them for tpu or can I expect this to be
solved in a reasonable timeframe?

-- 
ciao,
Marco


signature.asc
Description: Digital signature

Re: libdb5, mips and squeeze

[Marco d'Itri]

On Aug 12, Julien Cristau jcris...@debian.org wrote:

 Is there a particular reason for not using the default (4.8) libdb
 version for those 2 packages?  They're the only reverse-depends of db5.0
 in the archive afaict.
Not really, but was there a particular reason for not using the latest
release of the library? Three months ago there was no reason to believe
that it would not be releasable.

-- 
ciao,
Marco


signature.asc
Description: Digital signature

please hint udev

[Marco d'Itri]

It will also fix the symptoms of #586404.

-- 
ciao,
Marco


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20100806140418.gb20...@bongo.bofh.it

Re: lxc linux image flavour

[Marco d'Itri]

On Jan 24, maximilian attems m...@stro.at wrote:

 the plan as decided in Portland was to go forward with openvz
 if upstream provides us with a patch in time. as currently this
 looks quite bad (latest available patch is for 2.6.27, there is
 no sign of a patch for 2.6.32, nor any schedule like it happened
 to be for Lenny).
I expect that it will be released after the first beta of RHEL 6.

 On the negative side it doesn't have yet checkpointing support
 and not all net/ has netns support yet.
It's not just that, AFAIK there is no match for many of the
user_beancounters features (especially the accounting part) and e.g.
lack of the equivalent of vzctl enter is a critical issue for my
applications.
While I am happy to see better support for lxc in Debian, it does not
look like an openvz replacement yet.

-- 
ciao,
Marco


signature.asc
Description: Digital signature

RM: inn2-lfs/testing [kfreebsd-amd64 kfreebsd-i386] -- NBS; not built anymore on kfreebsd-*

[Marco d'Itri]

The packages was built by mistake by precedent releases but it is only
needed on old 32 bit architectures.

-- 
ciao,
Marco


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#546365: What about uploading pmount to stable ?

[Marco d'Itri]

On Oct 13, Philipp Kern pk...@debian.org wrote:

 Were those deprecated sysfs features dropped from the kernel or could they
 still be activated even on newer ones, although they are disabled by
 default?
This would probably break udev.

-- 
ciao,
Marco


signature.asc
Description: Digital signature

Re: [Lenny,regression] Bug#524505: qcontrol: no longer works with udev in lenny

[Marco d'Itri]

On Sep 08, Frans Pop elen...@planet.nl wrote:

 - upload a new version of qcontrol to follow udev
   Probably the simplest option. I strongly doubt there are any other users
   of the persistent device name.
Probably the best solution, since I just backported an upstream bug fix
(that name with a missing component was broken and should not have been
used in the first place).

-- 
ciao,
Marco


signature.asc
Description: Digital signature

Re: [Lenny,regression] Bug#524505: qcontrol: no longer works with udev in lenny

[Marco d'Itri]

On Sep 08, Frans Pop elen...@planet.nl wrote:

 Especially when you know (well, assuming perfect memory ;-) that the 
 device name in question is being used and changing it is known to break 
 another package. I'll happily assume that you did simply forget or 
 overlooked that fact when preparing the upload, but it would still be 
 nice if you could keep this in mind for future stable udev updates.
I did not notice that the name changed, and probably the upstream
maintainer assumed that nobody was using these names anyway.
Indeed, my plan was to only add new names in that update.

-- 
ciao,
Marco


signature.asc
Description: Digital signature

Re: Future of the s390 port

[Marco d'Itri]

On Aug 31, Bastian Blank wa...@debian.org wrote:

 I doubt that I would be able to push this port through another release
 in the current state. The consequence would by that the port dies
 completely and with it the only free and released distribution for this
 machines.
Is this really an important problem?
Does a significant number of people actually use Debian/s390 on
production servers? And if they exist, why they are not helping?

-- 
ciao,
Marco


signature.asc
Description: Digital signature