Bug#1070659: transition: re2

2024-05-06 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: r...@packages.debian.org
Control: affects -1 + src:re2
User: release.debian@packages.debian.org
Usertags: transition
Control: block -1 with 1070649 1053409

It has taken a while to prepare the next re2 transition, because it
included a new dependency on abseil. This broke most of the
reverse-dependencies. It also means that transitions will get more
frequent, as every abseil transition will change re2's ABI.

I think the state of the reverse-dependencies is reasonable, now. I just
did a rebuild of them all, and got these failures:

yaramod FTBFS (#1037908):
https://debusine.debian.net/artifact/66513/yaramod_3.6.0-1.1_amd64-2024-05-06T14:59:09Z.build

clickhouse FTBFS (#1070658):
https://debusine.debian.net/artifact/66521/clickhouse_18.16.1+ds-7.4_amd64-2024-05-06T14:59:16Z.build

libvmod-re2 FTBFS Looks like a libre2-11 regression, but simple: #1070649:
https://debusine.debian.net/artifact/66531/libvmod-re2_2.0.0-2_amd64-2024-05-06T15:18:37Z.build

qtwebengine-opensource-src FTBFS libre2-11 regression, patch pending:
#1053409:
https://debusine.debian.net/artifact/66545/qtwebengine-opensource-src_5.15.15+dfsg-3_amd64-2024-05-06T15:31:32Z.build

Ben file:

title = "re2";
is_affected = .depends ~ "libre2-10" | .depends ~ "libre2-11";
is_good = .depends ~ "libre2-11";
is_bad = .depends ~ "libre2-10";

Stefano



Bug#1070158: bullseye-pu: package distro-info-data/0.51+deb11u6

2024-04-30 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: distro-info-d...@packages.debian.org
Control: affects -1 + src:distro-info-data
User: release.debian@packages.debian.org
Usertags: pu

This is a regular distro-info-data update.

[ Reason ]
This update adds:
1. bullseye and bookworm LTS & ELTS.
2. Ubuntu 24.10 Oracular Oriole

[ Impact ]
$ ubuntu-distro-info -d
ubuntu-distro-info: Distribution data outdated.
$ debian-distro-info --lts -f --date=2024-09-01
$

[ Tests ]
We have automated tests that check the basic CSV data structure.
Manually verified the affected Debian & Ubuntu releases.

[ Risks ]
Minimal, this is a data-only package, and there are no schema changes.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
  * Update data to 0.61:
    - Declare LTS and ELTS intentions for bullseye and bookworm
    - debian: Fix LTS EOL date for bullseye
    - debian.csv: Fix EOL date for 2.2
    - Add Ubuntu 24.10 "Oracular Oriole" (LP: #2064136)
diff -Nru distro-info-data-0.51+deb11u5/debian/changelog 
distro-info-data-0.51+deb11u6/debian/changelog
--- distro-info-data-0.51+deb11u5/debian/changelog  2023-10-29 
08:57:15.0 -0400
+++ distro-info-data-0.51+deb11u6/debian/changelog  2024-04-30 
20:54:51.0 -0400
@@ -1,3 +1,13 @@
+distro-info-data (0.51+deb11u6) bullseye; urgency=medium
+
+  * Update data to 0.61:
+- Declare LTS and ELTS intentions for bullseye and bookworm
+- debian: Fix LTS EOL date for bullseye
+- debian.csv: Fix EOL date for 2.2
+- Add Ubuntu 24.10 "Oracular Oriole" (LP: #2064136)
+
+ -- Stefano Rivera   Tue, 30 Apr 2024 20:54:51 -0400
+
 distro-info-data (0.51+deb11u5) bullseye; urgency=medium
 
   * Update data to 0.59:
diff -Nru distro-info-data-0.51+deb11u5/debian.csv 
distro-info-data-0.51+deb11u6/debian.csv
--- distro-info-data-0.51+deb11u5/debian.csv2023-10-29 08:57:15.0 
-0400
+++ distro-info-data-0.51+deb11u6/debian.csv2024-04-30 20:54:51.0 
-0400
@@ -4,7 +4,7 @@
 1.3,Bo,bo,1996-12-12,1997-06-05,1999-03-09
 2.0,Hamm,hamm,1997-06-05,1998-07-24,2000-03-09
 2.1,Slink,slink,1998-07-24,1999-03-09,2000-10-30
-2.2,Potato,potato,1999-03-09,2000-08-15,2003-07-30
+2.2,Potato,potato,1999-03-09,2000-08-15,2003-06-30
 3.0,Woody,woody,2000-08-15,2002-07-19,2006-06-30
 3.1,Sarge,sarge,2002-07-19,2005-06-06,2008-03-31
 4.0,Etch,etch,2005-06-06,2007-04-08,2010-02-15
@@ -14,8 +14,8 @@
 8,Jessie,jessie,2013-05-04,2015-04-26,2018-06-17,2020-06-30,2025-06-30
 9,Stretch,stretch,2015-04-26,2017-06-17,2020-07-18,2022-06-30,2027-06-30
 10,Buster,buster,2017-06-17,2019-07-06,2022-09-10,2024-06-30,2029-06-30
-11,Bullseye,bullseye,2019-07-06,2021-08-14,2024-08-14
-12,Bookworm,bookworm,2021-08-14,2023-06-10,2026-06-10
+11,Bullseye,bullseye,2019-07-06,2021-08-14,2024-08-14,2026-08-31,2031-06-30
+12,Bookworm,bookworm,2021-08-14,2023-06-10,2026-06-10,2028-06-30,2033-06-30
 13,Trixie,trixie,2023-06-10
 14,Forky,forky,2025-08-01
 ,Sid,sid,1993-08-16
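Review bot: on the `11,Bullseye` row the new eol-lts value is 2026-08-31, while the Jessie, Stretch, Buster and Bookworm rows in this hunk all end LTS on 06-30. The changelog entry "debian: Fix LTS EOL date for bullseye" suggests the date is deliberate, but it cites no source; a reference for the date in debian/changelog would let the release team check it without leaving the debdiff.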
diff -Nru distro-info-data-0.51+deb11u5/ubuntu.csv 
distro-info-data-0.51+deb11u6/ubuntu.csv
--- distro-info-data-0.51+deb11u5/ubuntu.csv2023-10-29 08:57:15.0 
-0400
+++ distro-info-data-0.51+deb11u6/ubuntu.csv2024-04-30 20:54:51.0 
-0400
@@ -39,3 +39,4 @@
 23.04,Lunar Lobster,lunar,2022-10-20,2023-04-20,2024-01-25
 23.10,Mantic Minotaur,mantic,2023-04-20,2023-10-12,2024-07-11
 24.04 LTS,Noble 
Numbat,noble,2023-10-12,2024-04-25,2029-05-31,2029-05-31,2034-04-25
+24.10,Oracular Oriole,oracular,2024-04-25,2024-10-10,2025-07-10
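
The empty output shown under [ Impact ] can be reproduced from the rows in the debian.csv diff: on 2024-09-01 bullseye is past its eol and the old row has no eol-lts column. This is an added example, not code from distro-info or from this message; the rows are copied from the hunks above, and the rule in `phase` (inclusive end dates, LTS meaning "past eol but not past eol-lts") is an assumption about how `--lts` selects releases.

```python
import csv
import io
from datetime import date

# Column header as shown in the @@ context of the debian.csv diffs on this page.
HEADER = "version,codename,series,created,release,eol,eol-lts,eol-elts\n"
# Rows copied from the debian.csv hunk: unchanged context, then the -/+ pairs.
BUSTER = "10,Buster,buster,2017-06-17,2019-07-06,2022-09-10,2024-06-30,2029-06-30\n"
OLD_ROWS = (
    "11,Bullseye,bullseye,2019-07-06,2021-08-14,2024-08-14\n"
    "12,Bookworm,bookworm,2021-08-14,2023-06-10,2026-06-10\n"
)
NEW_ROWS = (
    "11,Bullseye,bullseye,2019-07-06,2021-08-14,2024-08-14,2026-08-31,2031-06-30\n"
    "12,Bookworm,bookworm,2021-08-14,2023-06-10,2026-06-10,2028-06-30,2033-06-30\n"
)
TAIL = "13,Trixie,trixie,2023-06-10\n14,Forky,forky,2025-08-01\n,Sid,sid,1993-08-16\n"

OLD_CSV = HEADER + BUSTER + OLD_ROWS + TAIL
NEW_CSV = HEADER + BUSTER + NEW_ROWS + TAIL

DATE_COLUMNS = ("created", "release", "eol", "eol-lts", "eol-elts")


def load(text):
    """Parse debian.csv text; short rows leave the trailing date columns as None."""
    releases = []
    for row in csv.DictReader(io.StringIO(text)):
        rel = {"series": row["series"]}
        for col in DATE_COLUMNS:
            value = row.get(col)  # DictReader fills missing trailing fields with None
            rel[col] = date.fromisoformat(value) if value else None
        releases.append(rel)
    return releases


def phase(rel, on):
    """Classify one release on a given day (assumed rule, end dates inclusive)."""
    if rel["release"] is None or on < rel["release"]:
        return "development"
    if rel["eol"] is None or on <= rel["eol"]:
        return "supported"
    if rel["eol-lts"] is not None and on <= rel["eol-lts"]:
        return "lts"
    if rel["eol-elts"] is not None and on <= rel["eol-elts"]:
        return "elts"
    return "eol"


def phases(releases, on):
    """Map series name to support phase, e.g. for an inventory report."""
    return {rel["series"]: phase(rel, on) for rel in releases}


def lts_supported(releases, on):
    """Series that are out of regular support but still inside their LTS window."""
    return [rel["series"] for rel in releases if phase(rel, on) == "lts"]


if __name__ == "__main__":
    day = date(2024, 9, 1)  # the date used in the [ Impact ] transcript
    for label, text in (("old data", OLD_CSV), ("new data", NEW_CSV)):
        releases = load(text)
        print(label, "lts:", lts_supported(releases, day))
        print(label, "phases:", phases(releases, day))
```

With the old rows a host inventory would report bullseye as fully end-of-life on that date; with the new rows it is reported as LTS.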


Bug#1070157: bookworm-pu: package distro-info-data/0.58+deb12u2

2024-04-30 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: distro-info-d...@packages.debian.org
Control: affects -1 + src:distro-info-data
User: release.debian@packages.debian.org
Usertags: pu

This is a regular distro-info-data update.

[ Reason ]
This update adds:
1. bullseye and bookworm LTS & ELTS.
2. Ubuntu 24.10 Oracular Oriole

[ Impact ]
$ ubuntu-distro-info -d
ubuntu-distro-info: Distribution data outdated.
$ debian-distro-info --lts -f --date=2024-09-01
$

[ Tests ]
We have automated tests that check the basic CSV data structure.
Manually verified the affected Debian & Ubuntu releases.

[ Risks ]
Minimal, this is a data-only package, and there are no schema changes.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

  * Update data to 0.61:
    - Declare LTS and ELTS intentions for bullseye and bookworm
    - debian: Fix LTS EOL date for bullseye
    - debian.csv: Fix EOL date for 2.2
    - Add Ubuntu 24.10 "Oracular Oriole" (LP: #2064136)
diff -Nru distro-info-data-0.58+deb12u1/debian/changelog 
distro-info-data-0.58+deb12u2/debian/changelog
--- distro-info-data-0.58+deb12u1/debian/changelog  2023-10-29 
06:12:45.0 -0400
+++ distro-info-data-0.58+deb12u2/debian/changelog  2024-04-30 
20:41:56.0 -0400
@@ -1,3 +1,13 @@
+distro-info-data (0.58+deb12u2) bookworm; urgency=medium
+
+  * Update data to 0.61:
+- Declare LTS and ELTS intentions for bullseye and bookworm
+- debian: Fix LTS EOL date for bullseye
+- debian.csv: Fix EOL date for 2.2
+- Add Ubuntu 24.10 "Oracular Oriole" (LP: #2064136)
+
+ -- Stefano Rivera   Tue, 30 Apr 2024 20:41:56 -0400
+
 distro-info-data (0.58+deb12u1) bookworm; urgency=medium
 
   * Update data to 0.59:
diff -Nru distro-info-data-0.58+deb12u1/debian.csv 
distro-info-data-0.58+deb12u2/debian.csv
--- distro-info-data-0.58+deb12u1/debian.csv2023-10-29 06:12:45.0 
-0400
+++ distro-info-data-0.58+deb12u2/debian.csv2024-04-30 20:41:56.0 
-0400
@@ -4,7 +4,7 @@
 1.3,Bo,bo,1996-12-12,1997-06-05,1999-03-09
 2.0,Hamm,hamm,1997-06-05,1998-07-24,2000-03-09
 2.1,Slink,slink,1998-07-24,1999-03-09,2000-10-30
-2.2,Potato,potato,1999-03-09,2000-08-15,2003-07-30
+2.2,Potato,potato,1999-03-09,2000-08-15,2003-06-30
 3.0,Woody,woody,2000-08-15,2002-07-19,2006-06-30
 3.1,Sarge,sarge,2002-07-19,2005-06-06,2008-03-31
 4.0,Etch,etch,2005-06-06,2007-04-08,2010-02-15
@@ -14,8 +14,8 @@
 8,Jessie,jessie,2013-05-04,2015-04-26,2018-06-17,2020-06-30,2025-06-30
 9,Stretch,stretch,2015-04-26,2017-06-17,2020-07-18,2022-06-30,2027-06-30
 10,Buster,buster,2017-06-17,2019-07-06,2022-09-10,2024-06-30,2029-06-30
-11,Bullseye,bullseye,2019-07-06,2021-08-14,2024-08-14
-12,Bookworm,bookworm,2021-08-14,2023-06-10,2026-06-10
+11,Bullseye,bullseye,2019-07-06,2021-08-14,2024-08-14,2026-08-31,2031-06-30
+12,Bookworm,bookworm,2021-08-14,2023-06-10,2026-06-10,2028-06-30,2033-06-30
 13,Trixie,trixie,2023-06-10
 14,Forky,forky,2025-08-01
 ,Sid,sid,1993-08-16
diff -Nru distro-info-data-0.58+deb12u1/ubuntu.csv 
distro-info-data-0.58+deb12u2/ubuntu.csv
--- distro-info-data-0.58+deb12u1/ubuntu.csv2023-10-29 06:12:45.0 
-0400
+++ distro-info-data-0.58+deb12u2/ubuntu.csv2024-04-30 20:41:56.0 
-0400
@@ -39,3 +39,4 @@
 23.04,Lunar Lobster,lunar,2022-10-20,2023-04-20,2024-01-25
 23.10,Mantic Minotaur,mantic,2023-04-20,2023-10-12,2024-07-11
 24.04 LTS,Noble 
Numbat,noble,2023-10-12,2024-04-25,2029-05-31,2029-05-31,2034-04-25
+24.10,Oracular Oriole,oracular,2024-04-25,2024-10-10,2025-07-10


Bug#1065326: bookworm-pu: package python3.11/3.11.2-6+deb12u1

2024-03-02 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: python3...@packages.debian.org, d...@debian.org
Control: affects -1 + src:python3.11
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
A use-after-free causing a SEGV was found in python 3.11, affecting the
Zulip chat server.

The bug is known to affect python 3.11.0 - 3.11.4. And since being fixed
upstream, there have been no known related regressions.

[ Impact ]
Potential SEGV in python3. Known to be triggered by zulip's CI when
running under coverage.

[ Tests ]
The Python stdlib testsuite is extensive and passes with this patch.

There is a stand-alone reproducer that I've manually reproduced the bug
with and verified that it's fixed.

[ Risks ]
The code is pretty straight-forward. It asserts that the f_frame hasn't
already been freed before freeing.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable
diff -Nru python3.11-3.11.2/debian/changelog python3.11-3.11.2/debian/changelog
--- python3.11-3.11.2/debian/changelog  2023-03-13 08:18:29.0 -0400
+++ python3.11-3.11.2/debian/changelog  2024-03-02 16:28:50.0 -0400
@@ -1,3 +1,11 @@
+python3.11 (3.11.2-6+deb12u1) bookworm; urgency=medium
+
+  [ Anders Kaseorg ]
+  * Fix a use-after-free crash when deallocating a frame object
+(closes: #1050843).
+
+ -- Stefano Rivera   Sat, 02 Mar 2024 16:28:50 -0400
+
 python3.11 (3.11.2-6) unstable; urgency=high
 
   [ Stefano Rivera ]
diff -Nru python3.11-3.11.2/debian/patches/frame_dealloc-crash.diff 
python3.11-3.11.2/debian/patches/frame_dealloc-crash.diff
--- python3.11-3.11.2/debian/patches/frame_dealloc-crash.diff   1969-12-31 
20:00:00.0 -0400
+++ python3.11-3.11.2/debian/patches/frame_dealloc-crash.diff   2024-03-02 
16:28:50.0 -0400
@@ -0,0 +1,54 @@
+Description: Fix use-after-free crash in frame_dealloc
+ It was possible for the trashcan to delay the deallocation of a
+ PyFrameObject until after its corresponding _PyInterpreterFrame has
+ already been freed.  So frame_dealloc needs to avoid dereferencing the
+ f_frame pointer unless it first checks that the pointer still points
+ to the interpreter frame within the frame object.
+Origin: 
https://github.com/python/cpython/commit/46cae02085311481dc8b1ea9a5110969d9325bc7
+Bug-upstream: https://github.com/python/cpython/issues/106092
+Bug-Debian: https://bugs.debian.org/1050843
+Author: Anders Kaseorg 
+Last-Update: 2023-08-29
+Applied-Upstream: 3.11.5
+
+---
+ .../2023-07-18-16-13-51.gh-issue-106092.bObgRM.rst  |  2 ++
+ Objects/frameobject.c   | 13 +++--
+ 2 files changed, 9 insertions(+), 6 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Core and 
Builtins/2023-07-18-16-13-51.gh-issue-106092.bObgRM.rst
+
+--- /dev/null
 b/Misc/NEWS.d/next/Core and 
Builtins/2023-07-18-16-13-51.gh-issue-106092.bObgRM.rst
+@@ -0,0 +1,2 @@
++Fix a segmentation fault caused by a use-after-free bug in ``frame_dealloc``
++when the trashcan delays the deallocation of a ``PyFrameObject``.
+--- a/Objects/frameobject.c
 b/Objects/frameobject.c
+@@ -851,9 +851,6 @@
+ /* It is the responsibility of the owning generator/coroutine
+  * to have cleared the generator pointer */
+ 
+-assert(f->f_frame->owner != FRAME_OWNED_BY_GENERATOR ||
+-_PyFrame_GetGenerator(f->f_frame)->gi_frame_state == FRAME_CLEARED);
+-
+ if (_PyObject_GC_IS_TRACKED(f)) {
+ _PyObject_GC_UNTRACK(f);
+ }
+@@ -861,10 +858,14 @@
+ Py_TRASHCAN_BEGIN(f, frame_dealloc);
+ PyCodeObject *co = NULL;
+ 
++/* GH-106092: If f->f_frame was on the stack and we reached the maximum
++ * nesting depth for deallocations, the trashcan may have delayed this
++ * deallocation until after f->f_frame is freed. Avoid dereferencing
++ * f->f_frame unless we know it still points to valid memory. */
++_PyInterpreterFrame *frame = (_PyInterpreterFrame *)f->_f_frame_data;
++
+ /* Kill all local variables including specials, if we own them */
+-if (f->f_frame->owner == FRAME_OWNED_BY_FRAME_OBJECT) {
+-assert(f->f_frame == (_PyInterpreterFrame *)f->_f_frame_data);
+-_PyInterpreterFrame *frame = (_PyInterpreterFrame *)f->_f_frame_data;
++if (f->f_frame == frame && frame->owner == FRAME_OWNED_BY_FRAME_OBJECT) {
+ /* Don't clear code object until the end */
+ co = frame->f_code;
+ frame->f_code = NULL;
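Review bot: the new guard `f->f_frame == frame && frame->owner == FRAME_OWNED_BY_FRAME_OBJECT` only protects the block it opens; the rest of frame_dealloc after `frame->f_code = NULL;` is outside the visible context, so please confirm nothing later in the function reads through `f->f_frame` when the comparison fails. The diffstat also lists only the NEWS entry and Objects/frameobject.c, so the stand-alone reproducer mentioned under [ Tests ] is not part of the upload; linking it from the patch header would make the fix re-checkable.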
diff -Nru python3.11-3.11.2/debian/patches/series 
python3.11-3.11.2/debian/patches/series
--- python3.11-3.11.2/debian/patches/series 2023-03-01 05:58:01.0 
-0400
+++ python3.11-3.11.2/debian/patches/series 2024-03-02 16:28:50.0 
-0400
@@ -39,3 +39,4 @@
 fix-py_compile.diff
 ntpath-import.diff
 shutdown-deadlock.diff
+frame_dealloc-crash.diff


Bug#1062660: bookworm-pu: package pypy3/7.3.11+dfsg-2+deb12u1

2024-02-02 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: py...@packages.debian.org
Control: affects -1 + src:pypy3

[ Reason ]
A user ran into a JIT bug in pypy3 in bookworm that has been resolved
upstream. It's a simple bug and trivial to backport the fix for.

[ Impact ]
More users may run into this particular JIT bug.

[ Tests ]
The bug comes with a regression test, that passes.

[ Risks ]
The change is very simple. The patch applied cleanly and that code
hasn't been modified upstream, since this patch.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
An assert that crashes the interpreter is replaced by an exception that
will drop back out of the JIT.
diff -Nru pypy3-7.3.11+dfsg/debian/changelog pypy3-7.3.11+dfsg/debian/changelog
--- pypy3-7.3.11+dfsg/debian/changelog  2023-02-06 10:12:43.0 -0400
+++ pypy3-7.3.11+dfsg/debian/changelog  2024-02-01 20:41:13.0 -0400
@@ -1,3 +1,10 @@
+pypy3 (7.3.11+dfsg-2+deb12u1) bookworm; urgency=medium
+
+  * Avoid an rpython assertion error in the JIT if integer ranges don't
+overlap in a loop. (Closes: #1062460)
+
+ -- Stefano Rivera   Thu, 01 Feb 2024 20:41:13 -0400
+
 pypy3 (7.3.11+dfsg-2) unstable; urgency=medium
 
   * Mark pypy3 as being EXTERNALLY-MANAGED.
diff -Nru pypy3-7.3.11+dfsg/debian/patches/int-jit-assert.patch 
pypy3-7.3.11+dfsg/debian/patches/int-jit-assert.patch
--- pypy3-7.3.11+dfsg/debian/patches/int-jit-assert.patch   1969-12-31 
20:00:00.0 -0400
+++ pypy3-7.3.11+dfsg/debian/patches/int-jit-assert.patch   2024-02-01 
20:41:13.0 -0400
@@ -0,0 +1,100 @@
+From: Carl Friedrich Bolz-Tereick 
+Date: Fri, 3 Mar 2023 14:15:42 +0100
+Subject: Upstream: #3892: fix wrong assert in intutils,
+ it should be an InvalidLoop instead
+
+I introduced the assert in 5909f5e0a75c. before that, inconsistent intersects
+would just do nothing, which I am not sure is a better solution than raising
+InvalidLoop
+
+Bug-Debian: https://bugs.debian.org/1062460
+Origin: upstream, 
https://github.com/pypy/pypy/commit/ba8a3c45b9afe068c06780b4c34709c852ae20ea
+---
+ rpython/jit/metainterp/optimizeopt/intutils.py |  8 +-
+ .../metainterp/optimizeopt/test/test_intbound.py   |  5 ++--
+ rpython/jit/metainterp/test/test_ajit.py   | 33 ++
+ 3 files changed, 42 insertions(+), 4 deletions(-)
+
+diff --git a/rpython/jit/metainterp/optimizeopt/intutils.py 
b/rpython/jit/metainterp/optimizeopt/intutils.py
+index 381d0a2..e9ba7f7 100644
+--- a/rpython/jit/metainterp/optimizeopt/intutils.py
 b/rpython/jit/metainterp/optimizeopt/intutils.py
+@@ -129,7 +129,13 @@ class IntBound(AbstractInfo):
+ return 0 <= self.lower
+ 
+ def intersect(self, other):
+-assert not self.known_gt(other) and not self.known_lt(other)
++from rpython.jit.metainterp.optimize import InvalidLoop
++if self.known_gt(other) or self.known_lt(other):
++# they don't overlap, which makes the loop invalid
++# this never happens in regular linear traces, but it can happen 
in
++# combination with unrolling/loop peeling
++raise InvalidLoop("two integer ranges don't overlap")
++
+ r = False
+ if self.make_ge_const(other.lower):
+ r = True
+diff --git a/rpython/jit/metainterp/optimizeopt/test/test_intbound.py 
b/rpython/jit/metainterp/optimizeopt/test/test_intbound.py
+index d4a0db4..ea9b74c 100644
+--- a/rpython/jit/metainterp/optimizeopt/test/test_intbound.py
 b/rpython/jit/metainterp/optimizeopt/test/test_intbound.py
+@@ -225,13 +225,12 @@ def test_intersect():
+ assert not b.contains(n)
+ 
+ def test_intersect_bug():
++from rpython.jit.metainterp.optimize import InvalidLoop
+ b1 = bound(17, 17)
+ b2 = bound(1, 1)
+-with pytest.raises(AssertionError):
++with pytest.raises(InvalidLoop):
+ b1.intersect(b2)
+ 
+-
+-
+ def test_add_bound():
+ for _, _, b1 in some_bounds():
+ for _, _, b2 in some_bounds():
+diff --git a/rpython/jit/metainterp/test/test_ajit.py 
b/rpython/jit/metainterp/test/test_ajit.py
+index 29a8bf8..68e7d60 100644
+--- a/rpython/jit/metainterp/test/test_ajit.py
 b/rpython/jit/metainterp/test/test_ajit.py
+@@ -3256,6 +3256,39 @@ class BasicTests:
+ res = self.interp_operations(f, [127 - 256 * 29])
+ assert res == 127
+ 
++def 
test_bug_inline_short_preamble_can_be_inconsistent_in_optimizeopt(self):
++myjitdriver = JitDriver(greens = [], reds = "auto")
++class Str(object):
++_immutable_fields_ = ['s']
++def __init__(self, s):
++self.s = s
++
++empty = Str("")
++space =
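Review bot: in `IntBound.intersect` the failure mode changes from an assertion to `raise InvalidLoop(...)`, so every caller now has to run under a handler for InvalidLoop, and this hunk shows only the raise site. `test_intersect_bug` covers the unit level; the new test in test_ajit.py is cut off on this page after `space =`, so the end-to-end case cannot be checked from the debdiff as shown. The function-level `from rpython.jit.metainterp.optimize import InvalidLoop` would benefit from a one-line comment saying why it is not a module-level import.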

Bug#1055022: bullseye-pu: package distro-info-data/0.51+deb11u5

2023-11-07 Thread Stefano Rivera
Hi David (2023.11.03_18:59:13_+0200)
> Short version:
> Would you consider modifying this bullseye-pu for
> distro-info-data/0.51+deb11u5 into a bullseye-pu for a
> distro-info-data/0.59~deb11u1 instead?

That may make more sense in the future. But in the past, it wasn't
really an option, and consistency is useful.

We have had some format changes in the last few years that have made new
versions not as backportable as one would have hoped. And data changes
that broke test suites in other packages.

Both of these were addressed in the most recent round of updates. So,
the data should be fully backportable right now (provided sufficient
Breaks).

> I recently independently discovered Debian bug #711238[2] with
> devscripts and I would like to see it fixed in unstable and
> my desired fix of adding to it a Build-Depends on
> ```
> distro-info-data (>= 0.58~) 
> ```

I don't really see the point in bumping Build-Depends like that. You
aren't requiring any format change or anything like that, just a version
that has the *current* stable (or development, not sure of the specifics
of that bug) versions.

We ensure that distro-info-data is kept up to date in all supported
releases.

Probably devscripts should become a little more tolerant about outdated
data?

Stefano

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272



Bug#1055022: bullseye-pu: package distro-info-data/0.51+deb11u5, distro-info/1.0+deb11u1

2023-10-29 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: distro-info-d...@packages.debian.org
Control: affects -1 + src:distro-info-data

Bullseye version of #1055009.

[ Reason ]
This is a regular distro-info-data update, adding Ubuntu 24.04 LTS.
It includes some corrections to historical data, one of which affects
the distro-info test-suite.

So, included is a coupled update of distro-info to expect the new values
in its test-suite. In unstable, I updated Build-Depends and Depends on
distro-info-data to help autopkgtests. For stable I just updated the
Build-Depends.

In addition to the changes backported in bullseye is a set of patches to
ensure distro-info's Python packaging metadata version is PEP-440
compliant.

[ Impact ]
Stable systems would be unaware of the new Ubuntu LTS.

[ Tests ]
distro-info-data is just CSV data, with some automated tests to verify
the structure and sanity-check the values.

distro-info has a more complex test suite that covers real-world tests
with old stable releases. This needed to be updated for the data
changes.

Build tests and autopkgtests pass in both packages.

Manually verified that the Python package has valid PEP-440 metadata.

[ Risks ]
Trivial, low risk.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

 distro-info-data (0.51+deb11u5) bullseye; urgency=medium
   * Update data to 0.59:
     - Add Ubuntu 24.04 LTS Noble Numbat (LP: #2041662).
     - Correct Ubuntu 6.10 EOL date to 2008-04-25
     - Correct Ubuntu 16.04 ESM begin to 2021-04-30
     - Move Ubuntu 12.04 ESM end date back to Friday, 2019-04-26
     - Correct Debian 3.1 EOL date to 2008-03-31
     - Correct Debian 7 EOL date to 2016-04-25
     - Move Debian 9 EOL to the 9.13 release date 2020-07-18
     - Move Debian 10 EOL to the 10.13 release date 2022-09-10

 distro-info (1.0+deb11u1) bullseye; urgency=medium
   * python:
     - Assert that Python version is PEP440 compliant
     - Handle more Debian versions correctly in make_pep440_compliant
   * Update tests for distro-info-data 0.51+deb11u5, which adjusted Debian 7's
     EoL (Closes: #1054946)

diff --git a/debian.csv b/debian.csv
index 8272895..2646246 100644
--- a/debian.csv
+++ b/debian.csv
@@ -6,14 +6,14 @@ version,codename,series,created,release,eol,eol-lts,eol-elts
 2.1,Slink,slink,1998-07-24,1999-03-09,2000-10-30
 2.2,Potato,potato,1999-03-09,2000-08-15,2003-07-30
 3.0,Woody,woody,2000-08-15,2002-07-19,2006-06-30
-3.1,Sarge,sarge,2002-07-19,2005-06-06,2008-03-30
+3.1,Sarge,sarge,2002-07-19,2005-06-06,2008-03-31
 4.0,Etch,etch,2005-06-06,2007-04-08,2010-02-15
 5.0,Lenny,lenny,2007-04-08,2009-02-14,2012-02-06
 6.0,Squeeze,squeeze,2009-02-14,2011-02-06,2014-05-31,2016-02-29
-7,Wheezy,wheezy,2011-02-06,2013-05-04,2016-04-26,2018-05-31,2020-06-30
+7,Wheezy,wheezy,2011-02-06,2013-05-04,2016-04-25,2018-05-31,2020-06-30
 8,Jessie,jessie,2013-05-04,2015-04-26,2018-06-17,2020-06-30,2025-06-30
-9,Stretch,stretch,2015-04-26,2017-06-17,2020-07-06,2022-06-30,2027-06-30
-10,Buster,buster,2017-06-17,2019-07-06,2022-08-14,2024-06-30,2029-06-30
+9,Stretch,stretch,2015-04-26,2017-06-17,2020-07-18,2022-06-30,2027-06-30
+10,Buster,buster,2017-06-17,2019-07-06,2022-09-10,2024-06-30,2029-06-30
 11,Bullseye,bullseye,2019-07-06,2021-08-14,2024-08-14
 12,Bookworm,bookworm,2021-08-14,2023-06-10,2026-06-10
 13,Trixie,trixie,2023-06-10
diff --git a/debian/changelog b/debian/changelog
index ea4f4da..aee8df2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+distro-info-data (0.51+deb11u5) bullseye; urgency=medium
+
+  * Update data to 0.59:
+- Add Ubuntu 24.04 LTS Noble Numbat (LP: #2041662).
+- Correct Ubuntu 6.10 EOL date to 2008-04-25
+- Correct Ubuntu 16.04 ESM begin to 2021-04-30
+- Move Ubuntu 12.04 ESM end date back to Friday, 2019-04-26
+- Correct Debian 3.1 EOL date to 2008-03-31
+- Correct Debian 7 EOL date to 2016-04-25
+- Move Debian 9 EOL to the 9.13 release date 2020-07-18
+- Move Debian 10 EOL to the 10.13 release date 2022-09-10
+
+ -- Stefano Rivera   Sun, 29 Oct 2023 14:57:15 +0200
+
 distro-info-data (0.51+deb11u4) bullseye; urgency=medium
 
   * Update data to 0.58:
diff --git a/ubuntu.csv b/ubuntu.csv
index 14ef832..3667f04 100644
--- a/ubuntu.csv
+++ b/ubuntu.csv
@@ -3,7 +3,7 @@ version,codename,series,created,release,eol,eol-server,eol-esm
 5.04,Hoary Hedgehog,hoary,2004-10-20,2005-04-08,2006-10-31
 5.10,Breezy Badger,breezy,2005-04-08,2005-10-12,2007-04-13
 6.06 LTS,Dapper Drake,dapper,2005-10-12,2006-06-01,2009-07-14,2011-06-01
-6.10,Edgy Eft,edgy,2006-06-01,2006-10-26,2008-04-26
+6.10,Edgy Eft,edgy,2006-06-01,2006-10-26,2008-04-25
 7.04,Feisty Fawn,feisty,2006-10-26,2007-04-19,2008-10-19
 7.10,Gutsy Gibbon,gutsy,2007-04-19,2007-10

Bug#1055009: bookworm-pu: package distro-info-data/0.58+deb12u1, distro-info/1.5+deb12u1

2023-10-29 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: distro-info-d...@packages.debian.org
Control: affects -1 + src:distro-info-data

[ Reason ]
This is a regular distro-info-data update, adding Ubuntu 24.04 LTS.
It includes some corrections to historical data, one of which affects
the distro-info test-suite.

So, included is a coupled update of distro-info to expect the new values
in its test-suite. In unstable, I updated Build-Depends and Depends on
distro-info-data to help autopkgtests. For stable I just updated the
Build-Depends.

[ Impact ]
Stable systems would be unaware of the new Ubuntu LTS.

[ Tests ]
distro-info-data is just CSV data, with some automated tests to verify
the structure and sanity-check the values.

distro-info has a more complex test suite that covers real-world tests
with old stable releases. This needed to be updated for the data
changes.

Build tests and autopkgtests pass in both packages.

[ Risks ]
Trivial, low risk.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

 distro-info-data (0.58+deb12u1) bookworm; urgency=medium
   * Update data to 0.59:
     - Add Ubuntu 24.04 LTS Noble Numbat (LP: #2041662).
     - Correct Ubuntu 6.10 EOL date to 2008-04-25
     - Correct Ubuntu 16.04 ESM begin to 2021-04-30
     - Move Ubuntu 12.04 ESM end date back to Friday, 2019-04-26
     - Correct Debian 3.1 EOL date to 2008-03-31
     - Correct Debian 7 EOL date to 2016-04-25
     - Move Debian 9 EOL to the 9.13 release date 2020-07-18
     - Move Debian 10 EOL to the 10.13 release date 2022-09-10

 distro-info (1.5+deb12u1) bookworm; urgency=medium
   * Update tests for distro-info-data 0.58+deb12u1, which adjusted Debian 7's
     EoL (Closes: #1054946)
diff --git a/debian.csv b/debian.csv
index 8272895..2646246 100644
--- a/debian.csv
+++ b/debian.csv
@@ -6,14 +6,14 @@ version,codename,series,created,release,eol,eol-lts,eol-elts
 2.1,Slink,slink,1998-07-24,1999-03-09,2000-10-30
 2.2,Potato,potato,1999-03-09,2000-08-15,2003-07-30
 3.0,Woody,woody,2000-08-15,2002-07-19,2006-06-30
-3.1,Sarge,sarge,2002-07-19,2005-06-06,2008-03-30
+3.1,Sarge,sarge,2002-07-19,2005-06-06,2008-03-31
 4.0,Etch,etch,2005-06-06,2007-04-08,2010-02-15
 5.0,Lenny,lenny,2007-04-08,2009-02-14,2012-02-06
 6.0,Squeeze,squeeze,2009-02-14,2011-02-06,2014-05-31,2016-02-29
-7,Wheezy,wheezy,2011-02-06,2013-05-04,2016-04-26,2018-05-31,2020-06-30
+7,Wheezy,wheezy,2011-02-06,2013-05-04,2016-04-25,2018-05-31,2020-06-30
 8,Jessie,jessie,2013-05-04,2015-04-26,2018-06-17,2020-06-30,2025-06-30
-9,Stretch,stretch,2015-04-26,2017-06-17,2020-07-06,2022-06-30,2027-06-30
-10,Buster,buster,2017-06-17,2019-07-06,2022-08-14,2024-06-30,2029-06-30
+9,Stretch,stretch,2015-04-26,2017-06-17,2020-07-18,2022-06-30,2027-06-30
+10,Buster,buster,2017-06-17,2019-07-06,2022-09-10,2024-06-30,2029-06-30
 11,Bullseye,bullseye,2019-07-06,2021-08-14,2024-08-14
 12,Bookworm,bookworm,2021-08-14,2023-06-10,2026-06-10
 13,Trixie,trixie,2023-06-10
diff --git a/debian/changelog b/debian/changelog
index 7550d74..c01e3fc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+distro-info-data (0.58+deb12u1) bookworm; urgency=medium
+
+  * Update data to 0.59:
+- Add Ubuntu 24.04 LTS Noble Numbat (LP: #2041662).
+- Correct Ubuntu 6.10 EOL date to 2008-04-25
+- Correct Ubuntu 16.04 ESM begin to 2021-04-30
+- Move Ubuntu 12.04 ESM end date back to Friday, 2019-04-26
+- Correct Debian 3.1 EOL date to 2008-03-31
+- Correct Debian 7 EOL date to 2016-04-25
+- Move Debian 9 EOL to the 9.13 release date 2020-07-18
+- Move Debian 10 EOL to the 10.13 release date 2022-09-10
+
+ -- Stefano Rivera   Sun, 29 Oct 2023 12:12:45 +0200
+
 distro-info-data (0.58) unstable; urgency=medium
 
   * Add Ubuntu 23.10 Mantic Minotaur (LP: #2018028)
diff --git a/ubuntu.csv b/ubuntu.csv
index 14ef832..3667f04 100644
--- a/ubuntu.csv
+++ b/ubuntu.csv
@@ -3,7 +3,7 @@ version,codename,series,created,release,eol,eol-server,eol-esm
 5.04,Hoary Hedgehog,hoary,2004-10-20,2005-04-08,2006-10-31
 5.10,Breezy Badger,breezy,2005-04-08,2005-10-12,2007-04-13
 6.06 LTS,Dapper Drake,dapper,2005-10-12,2006-06-01,2009-07-14,2011-06-01
-6.10,Edgy Eft,edgy,2006-06-01,2006-10-26,2008-04-26
+6.10,Edgy Eft,edgy,2006-06-01,2006-10-26,2008-04-25
 7.04,Feisty Fawn,feisty,2006-10-26,2007-04-19,2008-10-19
 7.10,Gutsy Gibbon,gutsy,2007-04-19,2007-10-18,2009-04-18
 8.04 LTS,Hardy Heron,hardy,2007-10-18,2008-04-24,2011-05-12,2013-05-09
@@ -14,7 +14,7 @@ version,codename,series,created,release,eol,eol-server,eol-esm
 10.10,Maverick Meerkat,maverick,2010-04-29,2010-10-10,2012-04-10
 11.04,Natty Narwhal,natty,2010-10-10,2011-04-28,2012-10-28
 11.10,Oneiric Ocelot,oneiric,2011-04-28,2011-10-13,2013-05-09
-12.04 LTS

Bug#1054589: unblock: libapache2-mod-python/3.5.0+git20211031.e6458ec-1+b1

2023-10-26 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libapache2-mod-pyt...@packages.debian.org
Control: affects -1 + src:libapache2-mod-python

Please unblock package libapache2-mod-python

[ Reason ]
* In 03_debian-version.patch, strip the debian part of the version. BinNMUs
  were resulting in invalid PEP-440 versions. (Closes: #1054587)
* Patch: Fix segfaults when releasing threads. (Closes: #1019299)

[ Impact ]
The segfault issue seems rather serious.

The PEP-440 issue breaks any attempt to enumerate installed packages on
the system with pkg_resources.

[ Tests ]
Manually tested that mod_python runs and serves content.

[ Risks ]
Segfault patch is trivial and taken from upstream.

Version patch is trivial, and Debian-specific.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock libapache2-mod-python/3.5.0+git20211031.e6458ec-1+b1
diff -Nru libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/changelog 
libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/changelog
--- libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/changelog
2022-04-18 06:22:40.0 +0200
+++ libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/changelog
2023-10-26 15:07:51.0 +0200
@@ -1,3 +1,12 @@
+libapache2-mod-python (3.5.0+git20211031.e6458ec-1+deb12u1) bookworm; 
urgency=medium
+
+  * Team upload.
+  * In 03_debian-version.patch, strip the debian part of the version. BinNMUs
+were resulting in invalid PEP-440 versions. (Closes: #1054587)
+  * Patch: Fix segfaults when releasing threads. (Closes: #1019299)
+
+ -- Stefano Rivera   Thu, 26 Oct 2023 15:07:51 +0200
+
 libapache2-mod-python (3.5.0+git20211031.e6458ec-1) unstable; urgency=medium
 
   * Team upload.
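Review bot: the new changelog stanza is versioned `3.5.0+git20211031.e6458ec-1+deb12u1` and targets `bookworm`, but the request is tagged `unblock` and asks for `libapache2-mod-python/3.5.0+git20211031.e6458ec-1+b1`, with the checklist saying the debdiff is against testing. The version and usertag in the request should match the stanza being uploaded.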
diff -Nru 
libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/patches/03_debian-version.patch
 
libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/patches/03_debian-version.patch
--- 
libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/patches/03_debian-version.patch
  2022-04-18 06:22:40.0 +0200
+++ 
libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/patches/03_debian-version.patch
  2023-10-26 15:07:51.0 +0200
@@ -9,7 +9,7 @@
  1 file changed, 2 insertions(+), 19 deletions(-)
 
 diff --git a/dist/version.sh b/dist/version.sh
-index e5d..9ee18ac 100755
+index e5d..f97084a 100755
 --- a/dist/version.sh
 +++ b/dist/version.sh
 @@ -1,21 +1,4 @@
@@ -35,4 +35,4 @@
 -
 -echo $MAJ.$MIN.$PCH$GIT
 +cd $(dirname $0)/..
-+exec dpkg-parsechangelog -S Version
++dpkg-parsechangelog -S Version | cut -d - -f 1
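
Review bot: in the replacement line, "cut -d - -f 1" keeps everything before the first hyphen instead of dropping only the Debian revision after the last one, and an epoch prefix would pass through untouched. That is correct for the current 3.5.0+git20211031.e6458ec upstream version, but a comment in version.sh stating the assumption (no hyphen in the upstream version, no epoch) would keep this from breaking quietly later.
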
diff -Nru 
libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/patches/15_py310_threadstate_clear.patch
 
libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/patches/15_py310_threadstate_clear.patch
--- 
libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/patches/15_py310_threadstate_clear.patch
 1970-01-01 02:00:00.0 +0200
+++ 
libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/patches/15_py310_threadstate_clear.patch
 2023-10-26 15:07:51.0 +0200
@@ -0,0 +1,27 @@
+From: Gregory Trubetskoy 
+Date: Fri, 16 Jun 2023 18:29:50 -0400
+Subject: 3.10 and up do not need a PyThreadState_Clear()
+
+Closes #100
+
+Bug-Upstream: https://github.com/grisha/mod_python/issues/100
+Bug-Debian: https://bugs.debian.org/1019299
+Origin: upstream, 
https://github.com/grisha/mod_python/commit/7e863bb4652ca4edeb158bf42eb26120e0e54040
+---
+ src/mod_python.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/mod_python.c b/src/mod_python.c
+index 6259c1b..11af968 100644
+--- a/src/mod_python.c
 b/src/mod_python.c
+@@ -303,7 +303,9 @@ static void release_interpreter(interpreterdata *idata)
+ {
+ PyThreadState *tstate = PyThreadState_Get();
+ #ifdef WITH_THREAD
++#if PY_MAJOR_VERSION <= 3 && PY_MINOR_VERSION < 10 
+ PyThreadState_Clear(tstate);
++#endif
+ if (idata)
+ APR_ARRAY_PUSH(idata->tstates, PyThreadState *) = tstate;
+ else
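
Review bot: the added guard "#if PY_MAJOR_VERSION <= 3 && PY_MINOR_VERSION < 10" tests the two version components independently; comparing PY_VERSION_HEX against 0x030A0000 states "older than 3.10" in one check and is harder to misread. There is also no comment next to the guard saying why PyThreadState_Clear() is skipped on 3.10 and later while the tstate is still pushed onto idata->tstates; a one-line comment pointing at the upstream issue would help the next reader.
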
diff -Nru libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/patches/series 
libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/patches/series
--- libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/patches/series   
2022-04-18 06:22:40.0 +0200
+++ libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/patches/series   
2023-10-26 15:07:51.0 +0200
@@ -6,3 +6,4 @@
 12_py310_collections_import.patch
 13_py310_minor_version.patch
 14_sphinx_py3.patch
+15_py310_threadstate_clear.patch
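
The PEP-440 problem described in this request, as an added example that is not part of the original message or of the package: it checks the versions named above against the version grammar from PEP 440 (Appendix B) before and after the "cut -d - -f 1" change. The helper names and the two constructed versions at the end of SAMPLES are assumptions made for illustration.

```python
import re

# Version grammar following the regular expression given in PEP 440, Appendix B.
_PEP440 = re.compile(r"""
    ^\s*v?
    (?:(?P<epoch>[0-9]+)!)?                          # epoch, written "N!"
    (?P<release>[0-9]+(?:\.[0-9]+)*)                 # release segment
    (?P<pre>[-_.]?(?:a|b|c|rc|alpha|beta|pre|preview)[-_.]?[0-9]*)?
    (?P<post>-[0-9]+|[-_.]?(?:post|rev|r)[-_.]?[0-9]*)?
    (?P<dev>[-_.]?dev[-_.]?[0-9]*)?
    (?:\+(?P<local>[a-z0-9]+(?:[-_.][a-z0-9]+)*))?   # local version label
    \s*$
""", re.VERBOSE | re.IGNORECASE)


def is_pep440(version):
    """True if the string is a valid PEP 440 version."""
    return _PEP440.match(version) is not None


def old_version_sh(debian_version):
    """Before the change: version.sh printed the changelog version as-is."""
    return debian_version


def new_version_sh(debian_version):
    """After the change: 'cut -d - -f 1' keeps the text before the first hyphen."""
    return debian_version.split("-", 1)[0]


SAMPLES = [
    "3.5.0+git20211031.e6458ec-1",          # source upload (from the message)
    "3.5.0+git20211031.e6458ec-1+b1",       # binNMU (from the message)
    "3.5.0+git20211031.e6458ec-1+deb12u1",  # stable update (from the debdiff)
    "1:2.0-1",                              # constructed: version with an epoch
    "2.0-rc1-1",                            # constructed: hyphen in upstream part
]


def audit(versions):
    """Return (debian_version, old_valid, new_value, new_valid) per input."""
    rows = []
    for v in versions:
        new = new_version_sh(v)
        rows.append((v, is_pep440(old_version_sh(v)), new, is_pep440(new)))
    return rows


if __name__ == "__main__":
    for deb, old_ok, new, new_ok in audit(SAMPLES):
        print(f"{deb:40} old_valid={old_ok!s:5} -> {new:28} new_valid={new_ok}")
```

The second "+" introduced by "+b1" or "+deb12u1" is what the grammar rejects; the constructed rows show the two cases the cut does not cover, an epoch (still invalid) and a hyphen inside the upstream version (valid, but truncated).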


Bug#1052692: bookworm-pu: package spamprobe/1.4d-16+deb12u1

2023-09-26 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: spampr...@packages.debian.org
Control: affects -1 + src:spamprobe

[ Reason ]
Spamprobe is unmaintained upstream and in Debian.

In bookworm it has been crashing a lot when parsing images (#1037422).

The solution is relatively simple, add missing return statements to bool
functions, even though the return is ignored.

[ Impact ]
Spamprobe crashes enough in bookworm to not be useable.

[ Tests ]
Manually tested it on 600 odd spam emails that previously crashed it,
and it didn't crash.

[ Risks ]
Changes are very simple. The return values don't even matter, because
they are ignored.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Add missing return values to bool functions.
diff -Nru spamprobe-1.4d/debian/changelog spamprobe-1.4d/debian/changelog
--- spamprobe-1.4d/debian/changelog 2023-02-20 18:12:05.0 +0530
+++ spamprobe-1.4d/debian/changelog 2023-09-26 12:15:17.0 +0530
@@ -1,3 +1,11 @@
+spamprobe (1.4d-16+deb12u1) bookworm; urgency=medium
+
+  * QA Upload.
+  * Patch: Add missing return statements, fixing crashes parsing JPEG
+attachments. (Closes: #1037422)
+
+ -- Stefano Rivera   Tue, 26 Sep 2023 12:15:17 +0530
+
 spamprobe (1.4d-16) unstable; urgency=medium
 
   * QA upload.
diff -Nru spamprobe-1.4d/debian/patches/missing-returns.patch 
spamprobe-1.4d/debian/patches/missing-returns.patch
--- spamprobe-1.4d/debian/patches/missing-returns.patch 1970-01-01 
05:30:00.0 +0530
+++ spamprobe-1.4d/debian/patches/missing-returns.patch 2023-09-26 
12:15:17.0 +0530
@@ -0,0 +1,47 @@
+Description: spamprobe crashes when parsing jpeg mime attachment
+Author: Torsten Hilbrich
+
+Bug-Debian: https://bugs.debian.org/1037422
+Bug-Upstream: https://sourceforge.net/p/spamprobe/bugs/39/
+Forwarded: https://sourceforge.net/p/spamprobe/bugs/39/
+
+--- a/src/parser/GifParser.cc
 b/src/parser/GifParser.cc
+@@ -91,6 +91,7 @@
+ openImage();
+ digestImage();
+ parseImageRecords();
++return true;
+   } catch (runtime_error ) {
+ return false;
+   }
+--- a/src/parser/JpegParser.cc
 b/src/parser/JpegParser.cc
+@@ -61,6 +61,7 @@
+ initializeSource();
+ digestImage();
+ tokenizeImage();
++return true;
+   } catch (runtime_error ) {
+ return false;
+   }
+--- a/src/parser/MbxMailMessageReader.cc
 b/src/parser/MbxMailMessageReader.cc
+@@ -86,6 +86,7 @@
+   cerr << "MBX: SKIPPED DELETED MESSAGE" << endl;
+ }
+   }
++  return true;
+ }
+ 
+ OWNED MailMessage *MbxMailMessageReader::readMessage()
+--- a/src/parser/PngParser.cc
 b/src/parser/PngParser.cc
+@@ -73,6 +73,7 @@
+   try {
+ digestImage();
+ initializeImage();
++return true;
+   } catch (runtime_error ) {
+ return false;
+   }
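
Review bot: each "return true;" added in these four files closes a path in a bool function that previously ran off the end, but nothing in the patch checks that no other function in the tree has the same defect. Building once with -Werror=return-type, or at least checking the build log for -Wreturn-type warnings, would confirm that GifParser.cc, JpegParser.cc, MbxMailMessageReader.cc and PngParser.cc are the only places affected.
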
diff -Nru spamprobe-1.4d/debian/patches/series 
spamprobe-1.4d/debian/patches/series
--- spamprobe-1.4d/debian/patches/series2023-02-20 18:12:05.0 
+0530
+++ spamprobe-1.4d/debian/patches/series2023-09-26 12:15:17.0 
+0530
@@ -7,3 +7,4 @@
 giflib5.diff
 gcc-11.patch
 fix-typos.patch
+missing-returns.patch


Bug#1037931: transition: platformdirs

2023-06-14 Thread Stefano Rivera
Hi Simon (2023.06.14_13:49:15_+)
> python3-platformdirs 3.x makes python3-virtualenv and python3-poetry
> uninstallable; reporting this as a transition to get it on the release
> team's radar.

Uploaded both of those to unstick it.

They were both staged in experimental, but I'd forgotten that they were
needed :)

Stefano

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272



Bug#1035635: tox: Upgrading to tox 4

2023-06-12 Thread Stefano Rivera
Hi Release Team!

For the tox 4 transition, I have changes in dh-python staged (and in
experimental) but the autopkgtests require tox 4, so I can't upload them
until we're ready to pull the trigger on the transition.

All the fallout I could find is documented in blocking bugs of this bug
and the dh-python bug (1035675).

Some of the fixes were staged in experimental, because we were in freeze
at the time.

Some of the packages need upstream work, and would have to be removed
from testing for the transition.

Please let me know when we should go ahead with this.

Stefano

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272



Bug#1037079: unblock: configobj/5.0.8-2

2023-06-03 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: config...@packages.debian.org
Control: affects -1 + src:configobj

Please unblock package configobj

[ Reason ]
Resolves a (minor) security issue. The patch only became available
recently.

It resolves a ReDoS attack (regular expression denial of service)
potentially caused by parsing untrusted configuration files.

[ Impact ]
Ship with an outstanding (very minor) security issue.

[ Tests ]
The patch includes a regression test.

The package test suite passes.

[ Risks ]
Trivial change to a regex, which looks reasonable.

The upstream hasn't reviewed it, yet.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock configobj/5.0.8-2
diff -Nru configobj-5.0.8/debian/changelog configobj-5.0.8/debian/changelog
--- configobj-5.0.8/debian/changelog2023-01-26 18:57:36.0 -0400
+++ configobj-5.0.8/debian/changelog2023-06-03 16:23:41.0 -0400
@@ -1,3 +1,11 @@
+configobj (5.0.8-2) unstable; urgency=medium
+
+  * Patch: Resolve CVE-2023-26112, a Regular Expression Denial of Service
+attack. (Closes: #1034152)
+  * Clean correctly.
+
+ -- Stefano Rivera   Sat, 03 Jun 2023 16:23:41 -0400
+
 configobj (5.0.8-1) unstable; urgency=medium
 
   * New upstream release!
diff -Nru configobj-5.0.8/debian/clean configobj-5.0.8/debian/clean
--- configobj-5.0.8/debian/clean1969-12-31 20:00:00.0 -0400
+++ configobj-5.0.8/debian/clean2023-06-03 16:23:41.0 -0400
@@ -0,0 +1 @@
+src/configobj.egg-info/*
diff -Nru configobj-5.0.8/debian/patches/CVE-2023-26112 
configobj-5.0.8/debian/patches/CVE-2023-26112
--- configobj-5.0.8/debian/patches/CVE-2023-26112   1969-12-31 
20:00:00.0 -0400
+++ configobj-5.0.8/debian/patches/CVE-2023-26112   2023-06-03 
16:23:41.0 -0400
@@ -0,0 +1,48 @@
+From: cdcadman 
+Date: Wed, 17 May 2023 03:57:08 -0700
+Subject: Address CVE-2023-26112 ReDoS
+
+Origin: https://github.com/DiffSK/configobj/pull/236
+---
+ src/configobj/validate.py |  2 +-
+ src/tests/test_validate_errors.py | 10 +-
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/configobj/validate.py b/src/configobj/validate.py
+index 9267a3f..98d879f 100644
+--- a/src/configobj/validate.py
 b/src/configobj/validate.py
+@@ -541,7 +541,7 @@ class Validator(object):
+ """
+ 
+ # this regex does the initial parsing of the checks
+-_func_re = re.compile(r'(.+?)\((.*)\)', re.DOTALL)
++_func_re = re.compile(r'([^\(\)]+?)\((.*)\)', re.DOTALL)
+ 
+ # this regex takes apart keyword arguments
+ _key_arg = re.compile(r'^([a-zA-Z_][a-zA-Z0-9_]*)\s*=\s*(.*)$',  
re.DOTALL)
+diff --git a/src/tests/test_validate_errors.py 
b/src/tests/test_validate_errors.py
+index 399daa8..f7d6c27 100644
+--- a/src/tests/test_validate_errors.py
 b/src/tests/test_validate_errors.py
+@@ -3,7 +3,7 @@ import os
+ import pytest
+ 
+ from configobj import ConfigObj, get_extra_values, ParseError, NestingError
+-from configobj.validate import Validator
++from configobj.validate import Validator, VdtUnknownCheckError
+ 
+ @pytest.fixture()
+ def thisdir():
+@@ -77,3 +77,11 @@ def test_no_parent(tmpdir, specpath):
+ ini.write('[[haha]]')
+ with pytest.raises(NestingError):
+ conf = ConfigObj(str(ini), configspec=specpath, file_error=True)
++
++
++def test_re_dos(val):
++value = "aaa"
++i = 165100
++attack = '\x00'*i + ')' + '('*i
++with pytest.raises(VdtUnknownCheckError):
++val.check(attack, value)
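
Review bot: test_re_dos only asserts that VdtUnknownCheckError is raised, so if the pattern regresses the test still passes after a very long run instead of failing. Put a time bound on it, either a timeout around val.check or an assertion on elapsed time. The patch header also carries Origin but no Bug-Debian line for #1034152, which the changelog closes.
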
diff -Nru configobj-5.0.8/debian/patches/series 
configobj-5.0.8/debian/patches/series
--- configobj-5.0.8/debian/patches/series   1969-12-31 20:00:00.0 
-0400
+++ configobj-5.0.8/debian/patches/series   2023-06-03 16:23:41.0 
-0400
@@ -0,0 +1 @@
+CVE-2023-26112
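
The regex change in this request, as an added example that is not part of the original message or of configobj: it runs the pattern before and after the patch on an input of the same shape as the one in test_re_dos, scaled down so the old pattern finishes quickly. The helper names are assumptions, and the example assumes the validator applies the pattern with match().

```python
import re
import time

# The two patterns are copied from the hunk in validate.py.
OLD_FUNC_RE = re.compile(r'(.+?)\((.*)\)', re.DOTALL)        # before the patch
NEW_FUNC_RE = re.compile(r'([^\(\)]+?)\((.*)\)', re.DOTALL)  # after the patch


def attack_string(i):
    """Same shape as the input built in test_re_dos: i NULs, ')' and i '('."""
    return '\x00' * i + ')' + '(' * i


def parse_check(pattern, check):
    """Return (name, args) as the pattern splits a check string, or None."""
    m = pattern.match(check)
    return m.groups() if m else None


def best_time(pattern, text, repeats=3):
    """Best-of-N wall time for one match() call, to damp scheduler noise."""
    best = float('inf')
    for _ in range(repeats):
        start = time.perf_counter()
        pattern.match(text)
        best = min(best, time.perf_counter() - start)
    return best


def growth(pattern, sizes):
    """Time the pattern on attack strings of increasing size."""
    return [(n, best_time(pattern, attack_string(n))) for n in sizes]


if __name__ == "__main__":
    # Ordinary check strings are split identically by both patterns.
    for check in ("integer(0, 10)", "string(min=1, max=30)"):
        print(check, parse_check(OLD_FUNC_RE, check), parse_check(NEW_FUNC_RE, check))

    # Old pattern: the lazy first group can swallow the ')' and then every '(',
    # and for each of those positions the greedy '(.*)' backtracks over the
    # rest of the string looking for a ')' that is not there, so time grows
    # with the square of the input. New pattern: the first group cannot cross
    # a parenthesis, so the match fails after one linear scan.
    sizes = (1000, 2000, 4000)
    for (n, old_t), (_, new_t) in zip(growth(OLD_FUNC_RE, sizes),
                                      growth(NEW_FUNC_RE, sizes)):
        print(f"i={n:5d}  old={old_t * 1e3:9.3f} ms  new={new_t * 1e3:9.3f} ms")
```

Doubling i should roughly quadruple the old pattern's time while the new pattern's time roughly doubles; neither pattern matches the input, which is why the regression test expects VdtUnknownCheckError.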


Bug#1037078: unblock: dh-python/5.20230603

2023-06-03 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: dh-pyt...@packages.debian.org, pi...@debian.org
Control: affects -1 + src:dh-python

Please unblock package dh-python

[ Reason ]

Re-adds some Breaks+Replaces to help upgrade scenarios that Andreas
Beckmann discovered through piuparts (bug #1036943).

[ Impact ]

Upgrades buster -> bullseye -> bookworm will be broken, if the user
didn't manually uninstall the old python2 package.

[ Tests ]
It's just Breaks+Replaces.

Manually verified that it works in a manual scenario where buster's
python2 package was still installed.

[ Risks ]
Trivial change. Present in bullseye, but reverted after it. This
re-introduces the change.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing


unblock dh-python/5.20230603
diff -Nru dh-python-5.20230130/debian/changelog 
dh-python-5.20230603/debian/changelog
--- dh-python-5.20230130/debian/changelog   2023-01-30 12:30:45.0 
-0400
+++ dh-python-5.20230603/debian/changelog   2023-06-03 10:49:36.0 
-0400
@@ -1,3 +1,10 @@
+dh-python (5.20230603) unstable; urgency=medium
+
+  * Reintroduce Breaks+Replaces on python2 needed to help apt in some upgrade
+scenarios. (Closes: #1036943)
+
+ -- Stefano Rivera   Sat, 03 Jun 2023 10:49:36 -0400
+
 dh-python (5.20230130) unstable; urgency=medium
 
   * pybuild.pm: Export SETUPTOOLS_SCM_PRETEND_VERSION for packages using
diff -Nru dh-python-5.20230130/debian/control 
dh-python-5.20230603/debian/control
--- dh-python-5.20230130/debian/control 2023-01-30 12:30:45.0 -0400
+++ dh-python-5.20230603/debian/control 2023-06-03 10:49:36.0 -0400
@@ -29,6 +29,9 @@
 Breaks:
 # due to /usr/bin/dh_python3 and debhelper files
  python3 (<< 3.3.2-4~),
+# due to debhelper files
+ python2 (<< 2.7.18-2)
+Replaces: python2 (<< 2.7.18-2)
 Description: Debian helper tools for packaging Python libraries and 
applications
  This package contains:
   * pybuild - invokes various build systems for requested Python versions in
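
Review bot: the new relations use "python2 (<< 2.7.18-2)" while the existing line just above uses "python3 (<< 3.3.2-4~)" with a trailing tilde. Without the tilde, a backport versioned 2.7.18-2~bpo... sorts below the bound and is caught by the Breaks; if that is not intended, write "<< 2.7.18-2~" in both Breaks and Replaces.
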


Bug#1036031: unblock: python-mitogen/0.3.3-9

2023-05-13 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: python-mito...@packages.debian.org
Control: affects -1 + src:python-mitogen

Please unblock package python-mitogen

[ Reason ]

This resolves bug 1036018. Apparently ansible has grown the number of
open file handles over time, causing select() to become unusable.
Use poll() instead of select.

python-mitogen development is somewhat sporadic at the moment. We
patched it to support Ansible 6, even though upstream hadn't declared
support, yet. That probably contributed to this bug appearing.

Upstream hasn't picked up this patch, yet. But it's been sitting on
GitHub since early Feb, and resolves the issue.

[ Impact ]

Some users will hit "filedescriptor out of range in select()" errors
when using ansible with mitogen.

[ Tests ]

I've manually tested ansible with mitogen, and it seems to work.
The automated test suite passes.

Some of the GitHub actions tests for this PR failed. But the affected
platforms don't seem relevant to us.

[ Risks ]

Patch is relatively straightforward. Replacing one drop-in class in
place of another.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock python-mitogen/0.3.3-9
diff -Nru python-mitogen-0.3.3/debian/changelog 
python-mitogen-0.3.3/debian/changelog
--- python-mitogen-0.3.3/debian/changelog   2022-12-13 22:43:51.0 
-0400
+++ python-mitogen-0.3.3/debian/changelog   2023-05-13 09:45:14.0 
-0400
@@ -1,3 +1,10 @@
+python-mitogen (0.3.3-9) unstable; urgency=medium
+
+  * Patch: Use poll() in the broker to handle more file descriptors.
+(Closes: #1036018)
+
+ -- Stefano Rivera   Sat, 13 May 2023 09:45:14 -0400
+
 python-mitogen (0.3.3-8) unstable; urgency=medium
 
   * Team upload.
diff -Nru python-mitogen-0.3.3/debian/patches/poll-poller 
python-mitogen-0.3.3/debian/patches/poll-poller
--- python-mitogen-0.3.3/debian/patches/poll-poller 1969-12-31 
20:00:00.0 -0400
+++ python-mitogen-0.3.3/debian/patches/poll-poller 2023-05-13 
09:45:14.0 -0400
@@ -0,0 +1,28 @@
+From: Luca Berruti 
+Date: Wed, 8 Feb 2023 14:05:25 +0100
+Subject: Fix: filedescriptor out of range in select()
+
+Bug-Debian: https://bugs.debian.org/1036018
+Bug-Upstream: https://github.com/mitogen-hq/mitogen/issues/957
+Origin: https://github.com/mitogen-hq/mitogen/pull/984
+---
+ ansible_mitogen/process.py | 6 --
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/ansible_mitogen/process.py b/ansible_mitogen/process.py
+index 63caa88..8c19c37 100644
+--- a/ansible_mitogen/process.py
 b/ansible_mitogen/process.py
+@@ -285,8 +285,10 @@ class Broker(mitogen.master.Broker):
+ the exuberant syscall expense of EpollPoller, so override it and restore
+ the poll() poller.
+ """
+-poller_class = mitogen.core.Poller
+-
++if mitogen.parent.PollPoller.SUPPORTED:
++poller_class = mitogen.parent.PollPoller
++else:
++poller_class = mitogen.core.Poller
+ 
+ class Binding(object):
+ """
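
Review bot: the else branch falls back to mitogen.core.Poller, so wherever PollPoller.SUPPORTED is false the broker keeps the poller this patch is replacing and the "filedescriptor out of range in select()" failure remains possible there. The docstring context above still reads "restore the poll() poller", which is now only conditionally true; update it to describe the fallback and what it implies.
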
diff -Nru python-mitogen-0.3.3/debian/patches/series 
python-mitogen-0.3.3/debian/patches/series
--- python-mitogen-0.3.3/debian/patches/series  2022-12-13 20:24:51.0 
-0400
+++ python-mitogen-0.3.3/debian/patches/series  2023-05-13 09:45:14.0 
-0400
@@ -6,3 +6,4 @@
 skip-python2.7-test
 ansible-6
 hack-remove-cleanup
+poll-poller


Bug#1035105: bullseye-pu: package distro-info-data/0.51+deb11u4

2023-04-29 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: distro-info-d...@packages.debian.org, bdr...@debian.org
Control: affects -1 + src:distro-info-data

As usual, a distro-info-data update.

[ Reason ]
There's a new Ubuntu development release, a bookworm release date, and
some minor Ubuntu EoL changes.

* Update data to 0.58:
  - Add Debian 14 "forky" with a vague creation date.
  - Correct Ubuntu 23.04 release date to 2023-04-20.
  - Tighten validate-csv-data heuristics, restricting Ubuntu EoLs to
Tue-Thursday.
  - Document Ubuntu ESM overlap period (LP: #2003949)
  - Add Ubuntu 23.10 Mantic Minotaur (LP: #2018028)
  - Set the planned release date for Debian bookworm (and an EoL based on it).
  - Adjust trixie's creation date to match bookworm's release.

[ Impact ]
Debian stable is unaware of the current Ubuntu development release, and
Debian bookworm release dates.

Currently:

$ debian-distro-info -t --date=2023-06-10
bookworm
$ debian-distro-info -s --date=2023-06-10
bullseye
$ ubuntu-distro-info -df
ubuntu-distro-info: Distribution data outdated.
Please check for an update for distro-info-data. See 
/usr/share/doc/distro-info-data/README.Debian for details.

Expected:

$ debian-distro-info -t --date=2023-06-10
trixie
$ debian-distro-info -s --date=2023-06-10
bookworm
$ ubuntu-distro-info -df
Ubuntu 23.10 "Mantic Minotaur"


[ Tests ]
Autopkgtests passed.
The changes include some updates to tests around the Ubuntu EoL dates.

Manually tested as above.

[ Risks ]
Data-only package, this will bring it up to parity with unstable.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable
diff -Nru distro-info-data-0.51+deb11u3/debian/changelog 
distro-info-data-0.51+deb11u4/debian/changelog
--- distro-info-data-0.51+deb11u3/debian/changelog  2022-10-30 
07:31:55.0 -0400
+++ distro-info-data-0.51+deb11u4/debian/changelog  2023-04-29 
14:30:57.0 -0400
@@ -1,3 +1,17 @@
+distro-info-data (0.51+deb11u4) bullseye; urgency=medium
+
+  * Update data to 0.58:
+- Add Debian 14 "forky" with a vague creation date.
+- Correct Ubuntu 23.04 release date to 2023-04-20.
+- Tighten validate-csv-data heuristics, restricting Ubuntu EoLs to
+  Tue-Thursday.
+- Document Ubuntu ESM overlap period (LP: #2003949)
+- Add Ubuntu 23.10 Mantic Minotaur (LP: #2018028)
+- Set the planned release date for Debian bookworm (and an EoL based on 
it).
+- Adjust trixie's creation date to match bookworm's release.
+
+ -- Stefano Rivera   Sat, 29 Apr 2023 14:30:57 -0400
+
 distro-info-data (0.51+deb11u3) bullseye; urgency=medium
 
   * Update data to 0.55:
diff -Nru distro-info-data-0.51+deb11u3/debian.csv 
distro-info-data-0.51+deb11u4/debian.csv
--- distro-info-data-0.51+deb11u3/debian.csv2022-10-30 07:31:55.0 
-0400
+++ distro-info-data-0.51+deb11u4/debian.csv2023-04-29 14:30:57.0 
-0400
@@ -15,7 +15,8 @@
 9,Stretch,stretch,2015-04-26,2017-06-17,2020-07-06,2022-06-30,2027-06-30
 10,Buster,buster,2017-06-17,2019-07-06,2022-08-14,2024-06-30,2029-06-30
 11,Bullseye,bullseye,2019-07-06,2021-08-14,2024-08-14
-12,Bookworm,bookworm,2021-08-14
-13,Trixie,trixie,2023-08-01
+12,Bookworm,bookworm,2021-08-14,2023-06-10,2026-06-10
+13,Trixie,trixie,2023-06-10
+14,Forky,forky,2025-08-01
 ,Sid,sid,1993-08-16
 ,Experimental,experimental,1993-08-16
diff -Nru distro-info-data-0.51+deb11u3/ubuntu.csv 
distro-info-data-0.51+deb11u4/ubuntu.csv
--- distro-info-data-0.51+deb11u3/ubuntu.csv2022-10-30 07:31:55.0 
-0400
+++ distro-info-data-0.51+deb11u4/ubuntu.csv2023-04-29 14:30:57.0 
-0400
@@ -26,14 +26,15 @@
 16.10,Yakkety Yak,yakkety,2016-04-21,2016-10-13,2017-07-20
 17.04,Zesty Zapus,zesty,2016-10-13,2017-04-13,2018-01-13
 17.10,Artful Aardvark,artful,2017-04-13,2017-10-19,2018-07-19
-18.04 LTS,Bionic 
Beaver,bionic,2017-10-19,2018-04-26,2023-04-26,2023-04-26,2028-04-26
+18.04 LTS,Bionic 
Beaver,bionic,2017-10-19,2018-04-26,2023-05-31,2023-05-31,2028-04-26
 18.10,Cosmic Cuttlefish,cosmic,2018-04-26,2018-10-18,2019-07-18
 19.04,Disco Dingo,disco,2018-10-18,2019-04-18,2020-01-23
 19.10,Eoan Ermine,eoan,2019-04-18,2019-10-17,2020-07-17
-20.04 LTS,Focal 
Fossa,focal,2019-10-17,2020-04-23,2025-04-23,2025-04-23,2030-04-23
+20.04 LTS,Focal 
Fossa,focal,2019-10-17,2020-04-23,2025-05-29,2025-05-29,2030-04-23
 20.10,Groovy Gorilla,groovy,2020-04-23,2020-10-22,2021-07-22
 21.04,Hirsute Hippo,hirsute,2020-10-22,2021-04-22,2022-01-20
 21.10,Impish Indri,impish,2021-04-22,2021-10-14,2022-07-14
-22.04 LTS,Jammy 
Jellyfish,jammy,2021-10-14,2022-04-21,2027-04-21,2027-04-21,2032-04-21
+22.04 LTS,Jammy 
Jellyfish,jammy,2021-10-14,2022-04-21,2027-06-01,2027-06-01,2032-04-21
 22.10,Kinetic Kudu,kinetic,20

Bug#1034284: unblock: wheel/0.38.4-2

2023-04-12 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: wh...@packages.debian.org
Control: affects -1 + src:wheel

Please unblock package wheel

Fixed an RC bug: The source package wasn't cleaning correctly.

[ Reason ]
RC Bug fix.

[ Impact ]
Stable will ship with the source-level RC bug.

[ Tests ]
Verified by hand.

[ Risks ]
Change is trivial.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock wheel/0.38.4-2
diff -Nru wheel-0.38.4/debian/changelog wheel-0.38.4/debian/changelog
--- wheel-0.38.4/debian/changelog   2022-11-10 06:24:48.0 -0400
+++ wheel-0.38.4/debian/changelog   2023-04-11 14:10:59.0 -0400
@@ -1,3 +1,9 @@
+wheel (0.38.4-2) unstable; urgency=medium
+
+  * Correctly clean. (Closes: #1034079)
+
+ -- Stefano Rivera   Tue, 11 Apr 2023 14:10:59 -0400
+
 wheel (0.38.4-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru wheel-0.38.4/debian/clean wheel-0.38.4/debian/clean
--- wheel-0.38.4/debian/clean   2022-11-10 06:24:48.0 -0400
+++ wheel-0.38.4/debian/clean   2023-04-11 14:10:59.0 -0400
@@ -1 +1,6 @@
-docs/_build
+.tox/
+dist/
+docs/_build/
+src/*.egg-info/
+tests/testdata/*/*.egg-info/
+tests/testdata/*/build/


Re: Bug#993590: distro-info-data: Store a mapping from distro to gpg keyring

2023-01-19 Thread Stefano Rivera
> On Fri, 03 Sep 2021 15:16:54 +0200 Johannes Schauer Marin Rodrigues
>  wrote:
> > please consider storing a mapping from distro to keyring in
> > /usr/share/keyring. Currently there is no reliable way to retrieve the
> > authoritative keyring for a given distro name. Even when limiting
> > oneself to only Debian, it is not obvious for which suites one needs
> > /usr/share/keyrings/debian-archive-keyring.gpg and for which one needs
> > /usr/share/keyrings/debian-archive-removed-keys.gpg.
> 
> I am not sure whether distro-info-data is the right place for it. Are
> there rules when keys move from debian-archive-keyring.gpg to debian-
> archive-removed-keys.gpg? Shouldn't that information better be shipped
> by debian-archive-keyring?

Can someone from the release team answer how this works?

Thanks,

Stefano

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272



Bug#1028436: transition: re2

2023-01-10 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: r...@packages.debian.org
Control: affects -1 + src:re2

Sorry for a last minute request. I was just looking through my packages
on the weekend and noticed that re2 had tagged a new release, but I
hadn't seen it due to the GitHub layout change last year.

This is a very minor ABI break in the C++ library, caused by changing
class layout.

In the 6 months since the previous release, they've only made 22
commits. Which also means that if it misses the freeze, it's probably
not a big deal.

The new version is currently sitting in experimental bin-NEW.

I've test-built the reverse dependencies, they all build, except for
unrelated failures:

$ grep ^Status *.build
chromium_amd64.build:Status: successful
clickhouse_amd64.build:Status: successful
dnsdist_amd64.build:Status: successful
effcee_amd64.build:Status: attempted
grpc_amd64.build:Status: successful
inspircd_amd64.build:Status: successful
libphonenumber_amd64.build:Status: successful
libpog_amd64.build:Status: successful
libre-engine-re2-perl_amd64.build:Status: successful
libvmod-re2_amd64.build:Status: successful
node-re2_amd64.build:Status: successful
pytorch-text_amd64.build:Status: given-back
qt6-webengine_amd64.build:Status: successful
qtwebengine-opensource-src_amd64.build:Status: attempted
re2_20221201+dfsg-1_amd64.build:Status: successful
ruby-re2_amd64.build:Status: successful
sphinxsearch_amd64.build:Status: successful

effcee: FTBFS with GCC-11: #984048
pytorch-text: FTBFS with Python 3.10 (yes 3.10, not 3.11): #1008924
qtwebengine-opensource-src: FTBFS with Python 3.11 (fixed in 5.15.12+dfsg-1 in 
experimental)

Ben file:

title = "re2";
is_affected = .depends ~ "libre2-9" | .depends ~ "libre2-10";
is_good = .depends ~ "libre2-10";
is_bad = .depends ~ "libre2-9";

Thanks for the consideration!

Stefano



Re: Python 3.11 for bookworm?

2022-12-22 Thread Stefano Rivera
Hi Timo (2022.12.22_12:56:20_+)
> > There have been rebuilds in Ubuntu that give us some idea of how much
> > work remains. I think it's tractable, but also will have some package
> > casualties.
> I have some spare time right now, and I am happy to help
> work on problematic cases, so hopefully nobody will feel left out in
> the cold with their favorite packages.

Offhand, the one I most expect trouble with is numba. We were reliant on
upstream for the 3.10 transition, and probably will be for 3.11.

Thanks for your help with pony ORM, Timo. I didn't think we'd be able to
port that without upstream, but it did end up being tractable.

I'm expecting to have more time in the upcoming weeks, too.

So, release team, I still think we should go ahead!

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272



Re: Python 3.11 for bookworm?

2022-12-22 Thread Stefano Rivera
Hi Sandro (2022.12.22_00:13:36_+)
> It appears there has been little work in preparing the work to
> introduce python3.11 from its maintainer, instead that work has been
> pushed downstream to maintainers.

That is, I'm afraid, the only realistic approach for handling new Python
versions. It is too much work for one or two people to do. It needs the
help of the team and upstreams to make it happen.

Yes, a maintainer could take all this work on their shoulders, but if we
require them to, I don't think we'll ship even vaguely current Python
versions.

> if we continue with the plan as described above, several python
> libraries/applications maintainers will be left with the short end of
> the stick and deal with an unknown amount of issues (upstream fixes
> not available, not ready and/or not released, rushed, etc) with less
> than a month from the beginning of the transition freeze[2]

That will almost certainly be the case, yes. So we have a trade-off to
make between shipping a new Python upstream release, that many of our
users would definitely appreciate, and having some libraries / apps miss
the release, that many of our users would probably be affected by.

> [2] also highlights at the very beginning "Plan your changes for
> bullseye", this change appears as if it was not planned and we should
> be skeptical to proceed without further (and in advance) understanding
> of the impact it may have on Bullseye.

We discussed this transition at DebConf 22, and decided to approach it
the way that it has been approached.

Where we currently are in the release, I would lean towards going
through with the transition. So far, it seems to have been roughly as
difficult as previous Python transitions.

There have been rebuilds in Ubuntu that give us some idea of how much
work remains. I think it's tractable, but also will have some package
casualties.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272



Bug#1023118: bullseye-pu: package distro-info-data/0.51+deb11u3

2022-10-30 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: bdr...@debian.org

As usual, a distro-info-data update.

[ Reason ]
There's a new Ubuntu development release, and also some minor Debian
changes.

* Update data to 0.55:
  - Update Debian ELTS dates to ~10 years of support (Closes: #1014837)
  - Correct release date of Debian 8 (jessie) to 2015-04-26
  - Add dates for Ubuntu 23.04, Lunar Lobster (LP: #1993667)

[ Impact ]

Debian stable is unaware of the current Ubuntu development release, and
Debian ELTS support periods.

Currently:

$ ubuntu-distro-info -d
ubuntu-distro-info: Distribution data outdated.
Please check for an update for distro-info-data. See 
/usr/share/doc/distro-info-data/README.Debian for details.
$ debian-distro-info --elts
stretch

Expected:

$ ubuntu-distro-info -d
lunar
$ debian-distro-info --elts
jessie
stretch

[ Tests ]
Autopkgtests passed.

Manually tested as above.

[ Risks ]
Data-only package, this will bring it up to parity with unstable.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable
commit 9fb1990fe6d70cfbac351ad780b672bf4478a8e5
Author: Stefano Rivera 
Date:   Sun Oct 30 13:32:12 2022 +0200

Update data to 0.55:

* Update data to 0.55:
  - Update Debian ELTS dates to ~10 years of support (Closes: #1014837)
  - Correct release date of Debian 8 (jessie) to 2015-04-26
  - Add dates for Ubuntu 23.04, Lunar Lobster (LP: #1993667)

diff --git a/debian.csv b/debian.csv
index 967a3f0..6d06e13 100644
--- a/debian.csv
+++ b/debian.csv
@@ -11,9 +11,9 @@ version,codename,series,created,release,eol,eol-lts,eol-elts
 5.0,Lenny,lenny,2007-04-08,2009-02-14,2012-02-06
 6.0,Squeeze,squeeze,2009-02-14,2011-02-06,2014-05-31,2016-02-29
 7,Wheezy,wheezy,2011-02-06,2013-05-04,2016-04-26,2018-05-31,2020-06-30
-8,Jessie,jessie,2013-05-04,2015-04-25,2018-06-17,2020-06-30,2022-06-30
-9,Stretch,stretch,2015-04-25,2017-06-17,2020-07-06,2022-06-30,2024-06-30
-10,Buster,buster,2017-06-17,2019-07-06,2022-08-14,2024-06-30,2026-06-30
+8,Jessie,jessie,2013-05-04,2015-04-26,2018-06-17,2020-06-30,2025-06-30
+9,Stretch,stretch,2015-04-26,2017-06-17,2020-07-06,2022-06-30,2027-06-30
+10,Buster,buster,2017-06-17,2019-07-06,2022-08-14,2024-06-30,2029-06-30
 11,Bullseye,bullseye,2019-07-06,2021-08-14,2024-08-14
 12,Bookworm,bookworm,2021-08-14
 13,Trixie,trixie,2023-08-01
diff --git a/debian/changelog b/debian/changelog
index 4e7670c..8e078e3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+distro-info-data (0.51+deb11u3) bullseye; urgency=medium
+
+  * Update data to 0.55:
+- Update Debian ELTS dates to ~10 years of support (Closes: #1014837)
+- Correct release date of Debian 8 (jessie) to 2015-04-26
+- Add dates for Ubuntu 23.04, Lunar Lobster (LP: #1993667)
+
+ -- Stefano Rivera   Sun, 30 Oct 2022 13:31:55 +0200
+
 distro-info-data (0.51+deb11u2) bullseye; urgency=medium
 
   * Update data to 0.53:
diff --git a/ubuntu.csv b/ubuntu.csv
index eeaacff..4706da8 100644
--- a/ubuntu.csv
+++ b/ubuntu.csv
@@ -36,3 +36,4 @@ version,codename,series,created,release,eol,eol-server,eol-esm
 21.10,Impish Indri,impish,2021-04-22,2021-10-14,2022-07-14
 22.04 LTS,Jammy 
Jellyfish,jammy,2021-10-14,2022-04-21,2027-04-21,2027-04-21,2032-04-21
 22.10,Kinetic Kudu,kinetic,2022-04-21,2022-10-20,2023-07-20
+23.04,Lunar Lobster,lunar,2022-10-20,2023-04-27,2024-01-25


Bug#1011939: bullseye-pu: package hdmi2usb-mode-switch/0.0.1-2+deb11u1

2022-05-27 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: debconf-vi...@lists.debian.org

[ Reason ]
Linux started to have multiple /dev/video device nodes in
linux-image-4.19.0-5-amd64 (#1011938).

This broke hdmi2usb-udev because we wouldn't know which /dev/video
device to capture video from.

The DebConf Video team has known about this problem since buster, but
has only recently figured out the (fairly straightforward) solution.
Blame COVID-19 for us not meeting in person again, and dealing with it.

[ Impact ]
hdmi2usb-udev doesn't give you an unambiguous device to capture video
from, for your hdmi2usb hardware.

There is very little of this hardware in the wild, so the DebConf video
team are almost the only affected people.

[ Tests ]
Manually tested at the Hamburg Debian Reunion 2022.

[ Risks ]
Pretty trivial changes. Extremely low popcon :)
Rare, out of production hardware.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
1. Add a suffix to the device node, from information provided by
   60-persistent-v4l.rules
2. Sort the udev rule *after* 60-persistent-v4l.rules.
diff -Nru hdmi2usb-mode-switch-0.0.1/debian/changelog 
hdmi2usb-mode-switch-0.0.1/debian/changelog
--- hdmi2usb-mode-switch-0.0.1/debian/changelog 2018-01-19 09:28:58.0 
+0200
+++ hdmi2usb-mode-switch-0.0.1/debian/changelog 2022-05-27 12:22:19.0 
+0200
@@ -1,3 +1,11 @@
+hdmi2usb-mode-switch (0.0.1-2+deb11u1) bullseye; urgency=low
+
+  * Patch: Udev: Add a suffix to /dev/video device nodes to disambiguate them.
+(Closes: #1011938)
+  * Move udev rules to priority 70, to come after 60-persistent-v4l.rules.
+
+ -- Stefano Rivera   Fri, 27 May 2022 12:22:19 +0200
+
 hdmi2usb-mode-switch (0.0.1-2) unstable; urgency=medium
 
   * Update symlinks for ixo-usb-jtag 0.0.1.
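
Review bot: the second changelog bullet says the udev rules move to priority 70, yet the patch further down edits udev/99-hdmi2usb-aliases.rules, a name that already sorts after 60-persistent-v4l.rules. The entry should name the installed rules file being renamed and the priority it had before, so the ordering change can be checked against the package contents.
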
diff -Nru 
hdmi2usb-mode-switch-0.0.1/debian/patches/disambiguate-video-device-nodes 
hdmi2usb-mode-switch-0.0.1/debian/patches/disambiguate-video-device-nodes
--- hdmi2usb-mode-switch-0.0.1/debian/patches/disambiguate-video-device-nodes   
1970-01-01 02:00:00.0 +0200
+++ hdmi2usb-mode-switch-0.0.1/debian/patches/disambiguate-video-device-nodes   
2022-05-27 12:22:19.0 +0200
@@ -0,0 +1,52 @@
+From: Nicolas Dandrimont 
+Date: Thu, 26 May 2022 22:17:33 +0200
+Subject: Add a suffix to the video device name when no capture capability is
+ detected
+
+Recent versions of the linux kernel generate multiple device nodes for
+each uvcvideo capture card. The HDMI2USB-generated video symlinks end up
+stomping on one another until the last one wins.
+
+Recent versions of udev's id_v4l script add a ID_V4L_CAPABILITIES
+variable that we can use to distinguish both devices. We give the
+metadata device a `-metadata` suffix to distinguish it from the capture
+node.
+
+Origin: https://github.com/litex-hub/litex-buildenv-udev/pull/9
+Bug-Debian: https://bugs.debian.org/1011938
+---
+ udev/99-hdmi2usb-aliases.rules | 15 ++-
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/udev/99-hdmi2usb-aliases.rules b/udev/99-hdmi2usb-aliases.rules
+index 8ae7f48..e0863ca 100644
+--- a/udev/99-hdmi2usb-aliases.rules
 b/udev/99-hdmi2usb-aliases.rules
+@@ -119,17 +119,22 @@ SUBSYSTEM=="tty", ENV{ID_HDMI2USB}=="1", 
ENV{NUM_HDMI2USB_TTY}!="", ENV{NUM_HDMI
+   
SYMLINK+="hdmi2usb/by-num/$env{ID_HDMI2USB_BOARD}$env{NUM_HDMI2USB_BOARD}/tty$env{NUM_HDMI2USB_TTY}"
+ 
+ # Video capture device
++SUBSYSTEM=="video4linux", ENV{ID_HDMI2USB}=="1", 
ENV{ID_V4L_CAPABILITIES}=="*:capture:*" \
++ENV{HDMI2USB_VIDEO_SUFFIX}:=""
++SUBSYSTEM=="video4linux", ENV{ID_HDMI2USB}=="1", 
ENV{ID_V4L_CAPABILITIES}!="*:capture:*" \
++ENV{HDMI2USB_VIDEO_SUFFIX}:="-metadata"
++
+ SUBSYSTEM=="video4linux", ENV{ID_HDMI2USB}=="1", ENV{ID_SERIAL_SHORT}!="" \
+-  SYMLINK+="hdmi2usb/by-serial/$env{ID_SERIAL_SHORT}/video"
++  
SYMLINK+="hdmi2usb/by-serial/$env{ID_SERIAL_SHORT}/video$env{HDMI2USB_VIDEO_SUFFIX}"
+ 
+ SUBSYSTEM=="video4linux", ENV{ID_HDMI2USB}=="1", ENV{ID_PATH}!="" \
+-  SYMLINK+="hdmi2usb/by-path/$env{ID_PATH}/video"
++  
SYMLINK+="hdmi2usb/by-path/$env{ID_PATH}/video$env{HDMI2USB_VIDEO_SUFFIX}"
+ 
+ SUBSYSTEM=="video4linux", ENV{ID_HDMI2USB}=="1", ENV{ID_PATH_HUMAN}!="" \
+-  SYMLINK+="hdmi2usb/by-path/$env{ID_PATH_HUMAN}/video"
++  
SYMLINK+="hdmi2usb/by-path/$env{ID_PATH_HUMAN}/video$env{HDMI2USB_VIDEO_SUFFIX}"
+ 
+ SUBSYSTEM=="video4linux", ENV{ID_HDMI2USB}=="1", ENV{NUM_HDMI2USB}
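
Review bot: the second added rule matches whenever ID_V4L_CAPABILITIES does not contain `:capture:`, and that includes the case where the variable is not set at all. If these rules are processed before 60-persistent-v4l.rules, or with an id_v4l that does not export the variable, every HDMI2USB video node gets the `-metadata` suffix and no plain `video` symlink is created. Suggest a comment above the two rules stating that dependency, and consider adding `ENV{ID_V4L_CAPABILITIES}!=""` to the `-metadata` rule so that a missing variable falls back to the previous naming rather than mislabelling the capture node.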

Bug#1011360: buster-pu: package python-scrapy/1.5.1-1+deb10u1

2022-05-20 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: mouzan...@gmail.com, w...@debian.org

[ Reason ]
Hi, there were some security issues in python-scrapy, that were deemed
no-DSA.

[ Impact ]
Known security issues, with the risk of credential-exposure.

[ Tests ]
They both include unit tests, which pass.

[ Risks ]
There are behavioural changes, that could affect users of this code, if
they are scraping sites that need authentication.
However, this is unavoidable for the issues being fixed.

This matches what was uploaded to stretch-security, although the patch
isn't identical. So, anyone upgrading from stretch-lts would hit a
regression if this wasn't updated. Risks both ways.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
* Security fix for CVE-2021-41125: Don't send authentication data with all
  requests. Provide a http_auth_domain spider attribute to control which
  domains are allowed to receive the configured HTTP authentication
  credentials.
* Security Fix CVE-2022-0577: Don't expose cookies cross-domain when
  redirected. (Closes: #1008234)

[ Other info ]
See also Bug #1011359 for bullseye.
diff -Nru python-scrapy-1.5.1/debian/changelog 
python-scrapy-1.5.1/debian/changelog
--- python-scrapy-1.5.1/debian/changelog2018-09-29 08:51:15.0 
-0400
+++ python-scrapy-1.5.1/debian/changelog2022-05-20 16:14:25.0 
-0400
@@ -1,3 +1,15 @@
+python-scrapy (1.5.1-1+deb10u1) buster; urgency=medium
+
+  * Team upload.
+  * Security fix for CVE-2021-41125: Don't send authentication data with all
+requests. Provide a http_auth_domain spider attribute to control which
+domains are allowed to receive the configured HTTP authentication
+credentials.
+  * Security fix CVE-2022-0577: Don't expose cookies cross-domain when
+redirected. (Closes: #1008234)
+
+ -- Stefano Rivera   Fri, 20 May 2022 16:14:25 -0400
+
 python-scrapy (1.5.1-1) unstable; urgency=medium
 
   [ Ondřej Nový ]
diff -Nru python-scrapy-1.5.1/debian/patches/CVE-2021-41125.patch 
python-scrapy-1.5.1/debian/patches/CVE-2021-41125.patch
--- python-scrapy-1.5.1/debian/patches/CVE-2021-41125.patch 1969-12-31 
20:00:00.0 -0400
+++ python-scrapy-1.5.1/debian/patches/CVE-2021-41125.patch 2022-05-20 
16:14:25.0 -0400
@@ -0,0 +1,206 @@
+From: Andrey Rakhmatullin 
+Date: Fri, 16 Aug 2019 14:53:42 +0500
+Subject: Add http_auth_domain to HttpAuthMiddleware.
+
+Fixes CVE-2021-41125
+Origin: upstream, 
https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6
+---
+ docs/topics/downloader-middleware.rst   | 18 +-
+ scrapy/downloadermiddlewares/httpauth.py| 21 ++-
+ tests/test_downloadermiddleware_httpauth.py | 85 -
+ 3 files changed, 118 insertions(+), 6 deletions(-)
+
+diff --git a/docs/topics/downloader-middleware.rst 
b/docs/topics/downloader-middleware.rst
+index dfe4c13..73e7e0f 100644
+--- a/docs/topics/downloader-middleware.rst
 b/docs/topics/downloader-middleware.rst
+@@ -309,8 +309,21 @@ HttpAuthMiddleware
+ This middleware authenticates all requests generated from certain spiders
+ using `Basic access authentication`_ (aka. HTTP auth).
+ 
+-To enable HTTP authentication from certain spiders, set the ``http_user``
+-and ``http_pass`` attributes of those spiders.
++To enable HTTP authentication for a spider, set the ``http_user`` and
++``http_pass`` spider attributes to the authentication data and the
++``http_auth_domain`` spider attribute to the domain which requires this
++authentication (its subdomains will be also handled in the same way).
++You can set ``http_auth_domain`` to ``None`` to enable the
++authentication for all requests but usually this is not needed.
++
++.. warning::
++In the previous Scrapy versions HttpAuthMiddleware sent the
++authentication data with all requests, which is a security problem if
++the spider makes requests to several different domains. Currently if
++the ``http_auth_domain`` attribute is not set, the middleware will use
++the domain of the first request, which will work for some spider but
++not for others. In the future the middleware will produce an error
++instead.
+ 
+ Example::
+ 
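
Review bot: the added paragraph says ``http_auth_domain`` can be set to ``None`` "to enable the authentication for all requests but usually this is not needed", which undersells it: by the warning just below, sending the credentials with all requests is the security problem this patch fixes. The sentence should say outright that ``None`` restores the old behaviour and is only appropriate when every domain the spider touches may receive the credentials. Wording nit in the warning: "some spider" should be "some spiders".
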
+@@ -320,6 +333,7 @@ HttpAuthMiddleware
+ 
+ http_user = 'someuser'
+ http_pass = 'somepass'
++http_auth_domain = 'intranet.example.com'
+ name = 'intranet.example.com'
+ 
+ # .. rest of the spider code omitted ...
+diff --git a/scrapy/downloadermiddlewares/httpauth.py 
b/scrapy/downloadermiddlewares/httpauth.py
+index 7aa7a62..b9030f7 100644
+--- a/scrapy/downloadermiddlewares

Bug#1011359: bullseye-pu: package python-scrapy/2.4.1-2+deb11u1

2022-05-20 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: mouzan...@gmail.com, w...@debian.org

[ Reason ]
Hi, there were some security issues in python-scrapy, that were deemed
no-DSA.

[ Impact ]
Known security issues, with the risk of credential-exposure.

[ Tests ]
They both include unit tests, which pass.

[ Risks ]
There are behavioural changes, that could affect users of this code, if
they are scraping sites that need authentication.
However, this is unavoidable for the issues being fixed.

This matches what was uploaded to stretch-security, although the patch
isn't identical. So, anyone upgrading from stretch-lts would hit a
regression if this wasn't updated. Risks both ways.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
* Security fix for CVE-2021-41125: Don't send authentication data with all
 requests. Provide a http_auth_domain spider attribute to control which
 domains are allowed to receive the configured HTTP authentication
 credentials.
* Security Fix CVE-2022-0577: Don't expose cookies cross-domain when
 redirected. (Closes: #1008234)
diff -Nru python-scrapy-2.4.1/debian/changelog 
python-scrapy-2.4.1/debian/changelog
--- python-scrapy-2.4.1/debian/changelog2021-02-28 09:55:45.0 
-0400
+++ python-scrapy-2.4.1/debian/changelog2022-05-20 16:11:00.0 
-0400
@@ -1,3 +1,15 @@
+python-scrapy (2.4.1-2+deb11u1) bullseye; urgency=medium
+
+  * Team upload.
+  * Security fix for CVE-2021-41125: Don't send authentication data with all
+requests. Provide a http_auth_domain spider attribute to control which
+domains are allowed to receive the configured HTTP authentication
+credentials.
+  * Security Fix CVE-2022-0577: Don't expose cookies cross-domain when
+redirected. (Closes: #1008234)
+
+ -- Stefano Rivera   Fri, 20 May 2022 16:11:00 -0400
+
 python-scrapy (2.4.1-2) unstable; urgency=medium
 
   * Skip tests that require network access (Closes: #980901).
diff -Nru python-scrapy-2.4.1/debian/patches/CVE-2021-41125.patch 
python-scrapy-2.4.1/debian/patches/CVE-2021-41125.patch
--- python-scrapy-2.4.1/debian/patches/CVE-2021-41125.patch 1969-12-31 
20:00:00.0 -0400
+++ python-scrapy-2.4.1/debian/patches/CVE-2021-41125.patch 2022-05-20 
16:11:00.0 -0400
@@ -0,0 +1,206 @@
+From: Andrey Rakhmatullin 
+Date: Fri, 16 Aug 2019 14:53:42 +0500
+Subject: Add http_auth_domain to HttpAuthMiddleware.
+
+Fixes CVE-2021-41125
+Origin: upstream, 
https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6
+---
+ docs/topics/downloader-middleware.rst   | 18 +-
+ scrapy/downloadermiddlewares/httpauth.py| 21 ++-
+ tests/test_downloadermiddleware_httpauth.py | 85 -
+ 3 files changed, 118 insertions(+), 6 deletions(-)
+
+diff --git a/docs/topics/downloader-middleware.rst 
b/docs/topics/downloader-middleware.rst
+index 6801adc..e0a3205 100644
+--- a/docs/topics/downloader-middleware.rst
 b/docs/topics/downloader-middleware.rst
+@@ -323,8 +323,21 @@ HttpAuthMiddleware
+ This middleware authenticates all requests generated from certain spiders
+ using `Basic access authentication`_ (aka. HTTP auth).
+ 
+-To enable HTTP authentication from certain spiders, set the ``http_user``
+-and ``http_pass`` attributes of those spiders.
++To enable HTTP authentication for a spider, set the ``http_user`` and
++``http_pass`` spider attributes to the authentication data and the
++``http_auth_domain`` spider attribute to the domain which requires this
++authentication (its subdomains will be also handled in the same way).
++You can set ``http_auth_domain`` to ``None`` to enable the
++authentication for all requests but usually this is not needed.
++
++.. warning::
++In the previous Scrapy versions HttpAuthMiddleware sent the
++authentication data with all requests, which is a security problem if
++the spider makes requests to several different domains. Currently if
++the ``http_auth_domain`` attribute is not set, the middleware will use
++the domain of the first request, which will work for some spider but
++not for others. In the future the middleware will produce an error
++instead.
+ 
+ Example::
+ 
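
Review bot: per the warning in this hunk, a spider that does not set ``http_auth_domain`` now has its credentials tied to the domain of its first request, so an existing spider whose first request goes to a different host than the one needing authentication silently stops authenticating after this stable update. The debdiff as shown documents that only in the upstream docs; a debian/NEWS entry pointing at the new attribute would put it in front of administrators at upgrade time.
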
+@@ -334,6 +347,7 @@ HttpAuthMiddleware
+ 
+ http_user = 'someuser'
+ http_pass = 'somepass'
++http_auth_domain = 'intranet.example.com'
+ name = 'intranet.example.com'
+ 
+ # .. rest of the spider code omitted ...
+diff --git a/scrapy/downloadermiddlewares/httpauth.py 
b/scrapy/downloadermiddlewares/httpauth.py
+index 089bf0d..1bee3e2 100644
+--- a/scrapy/downloadermiddlewares
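
The two fixes listed under [ Changes ] come down to one question: which hosts may receive a credential. The block below is an added example modelling that policy, not Scrapy's code and not part of the original message; AuthScope, host_in_domain, headers_for_redirect, the UNSET sentinel and all URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

UNSET = object()  # hypothetical sentinel: the spider never set http_auth_domain


def host_in_domain(host, domain):
    """True when host equals domain or is a subdomain of it.

    The comparison is made on a label boundary, so "intranet.example.com"
    does not match "notintranet.example.com".
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


class AuthScope:
    """Model of the http_auth_domain policy described in the changelog."""

    def __init__(self, http_auth_domain=UNSET):
        self.domain = http_auth_domain
        self.pinned_by_first_request = False

    def allows(self, url):
        """Should a request to `url` carry http_user/http_pass?"""
        host = urlsplit(url).hostname or ""
        if self.domain is None:
            return True  # explicit opt-in: credentials go to every domain
        if self.domain is UNSET:
            # Transitional fallback: the first request's host becomes the scope.
            self.domain = host
            self.pinned_by_first_request = True
        return host_in_domain(host, self.domain)


def headers_for_redirect(headers, from_url, to_url):
    """Copy headers to the redirected request, dropping Cookie when the
    redirect leaves the original host (the CVE-2022-0577 class of leak)."""
    from_host = (urlsplit(from_url).hostname or "").lower()
    to_host = (urlsplit(to_url).hostname or "").lower()
    if from_host == to_host:
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "cookie"}


def demo():
    """Run the policy over constructed URLs and return each decision."""
    scoped = AuthScope("intranet.example.com")
    fallback = AuthScope()  # http_auth_domain left unset
    return {
        "same_domain": scoped.allows("https://intranet.example.com/reports"),
        "subdomain": scoped.allows("https://api.intranet.example.com/v1"),
        "lookalike": scoped.allows("https://notintranet.example.com/"),
        "suffix_trick": scoped.allows("https://intranet.example.com.other.test/"),
        # The fallback pins to whichever host is requested first ...
        "fallback_first": fallback.allows("https://cdn.example.net/seed.html"),
        # ... so the host that actually needs the credentials is then refused.
        "fallback_intranet": fallback.allows("https://intranet.example.com/"),
        "redirect": headers_for_redirect(
            {"Cookie": "session=constructed", "Accept": "text/html"},
            "https://intranet.example.com/login",
            "https://partner.example.org/landing",
        ),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18} {decision}")
```

The fallback rows show why the patch's documentation says the first-request default works for some spiders but not for others.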

Bug#1010613: bullseye-pu: package twisted/20.3.0-7+deb11u1

2022-05-05 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: d...@debian.org

[ Reason ]
Catching up on outstanding security issues.
Security team deemed them no-dsa.

[ Impact ]
Outstanding security issues remain unresolved.

[ Tests ]
Twisted has a comprehensive test-suite, the relevant updates come with
tests, and no regressions were noticed.

[ Risks ]
The same patches are carried in Ubuntu, and in Debian LTS & ELTS.
They did need some backporting to older releases, but nothing too risky.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
* CVE-2022-21712: Information disclosure results in leaking of HTTP cookie
  and authorization headers when following cross origin redirects
  - debian/patches/CVE-2022-21712-*.patch: Ensure sensitive HTTP headers are
removed when forming requests, in src/twisted/web/client.py,
src/twisted/web/test/test_agent.py and src/twisted/web/iweb.py.
  - Thanks Canonical for backporting the patches.
* CVE-2022-21716: Parsing of SSH version identifier field during an SSH
  handshake can result in a denial of service when excessively large packets
  are received
  - debian/patches/CVE-2022-21716-*.patch: Ensure that length of received
handshake buffer is checked, prior to processing version string in
src/twisted/conch/ssh/transport.py and
src/twisted/conch/test/test_transport.py
  - Thanks Canonical for backporting the patches.
* CVE-2022-24801: Correct several defects in HTTP request parsing that could
  permit HTTP request smuggling: disallow signed Content-Length headers,
  forbid illegal characters in chunked extensions, forbid 0x prefix to chunk
  lengths, and only strip space and horizontal tab from header values.
  - debian/patches/CVE-2022-24801-*.patch
* Patch: remove spurious test for illegal whitespace in xmlns, to allow
  tests to pass, again.
  This was a regression introduced by the patch to expat for CVE-2022-25236.
  The resolution upstream was to just delete the test.

[ Other info ]
(Anything else the release team should know.)
diff -Nru twisted-20.3.0/debian/changelog twisted-20.3.0/debian/changelog
--- twisted-20.3.0/debian/changelog 2021-04-24 12:36:24.0 -0400
+++ twisted-20.3.0/debian/changelog 2022-05-05 09:59:26.0 -0400
@@ -1,3 +1,30 @@
+twisted (20.3.0-7+deb11u1) bullseye; urgency=medium
+
+  * Team upload.
+  * CVE-2022-21712: Information disclosure results in leaking of HTTP cookie
+and authorization headers when following cross origin redirects
+- debian/patches/CVE-2022-21712-*.patch: Ensure sensitive HTTP headers are
+  removed when forming requests, in src/twisted/web/client.py,
+  src/twisted/web/test/test_agent.py and src/twisted/web/iweb.py.
+- Thanks Canonical for backporting the patches.
+  * CVE-2022-21716: Parsing of SSH version identifier field during an SSH
+handshake can result in a denial of service when excessively large packets
+are received
+- debian/patches/CVE-2022-21716-*.patch: Ensure that length of received
+  handshake buffer is checked, prior to processing version string in
+  src/twisted/conch/ssh/transport.py and
+  src/twisted/conch/test/test_transport.py
+- Thanks Canonical for backporting the patches.
+  * CVE-2022-24801: Correct several defects in HTTP request parsing that could
+permit HTTP request smuggling: disallow signed Content-Length headers,
+forbid illegal characters in chunked extensions, forbid 0x prefix to chunk
+lengths, and only strip space and horizontal tab from header values.
+- debian/patches/CVE-2022-24801-*.patch
+  * Patch: remove spurious test for illegal whitespace in xmlns, to allow
+tests to pass, again.
+
+ -- Stefano Rivera   Thu, 05 May 2022 09:59:26 -0400
+
 twisted (20.3.0-7) unstable; urgency=medium
 
   * Team upload.
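
Review bot: the last changelog bullet, "remove spurious test for illegal whitespace in xmlns, to allow tests to pass, again", gives no reason the test is spurious and names no patch file, unlike the three CVE entries above it. Suggest carrying the rationale into debian/changelog (which change made the test fail, and that upstream resolved it by deleting the test) together with the patch filename, so the removal of a test in a security upload can be audited from the changelog alone.
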
diff -Nru twisted-20.3.0/debian/patches/CVE-2022-21712-10.patch 
twisted-20.3.0/debian/patches/CVE-2022-21712-10.patch
--- twisted-20.3.0/debian/patches/CVE-2022-21712-10.patch   1969-12-31 
20:00:00.0 -0400
+++ twisted-20.3.0/debian/patches/CVE-2022-21712-10.patch   2022-05-05 
09:59:26.0 -0400
@@ -0,0 +1,29 @@
+From 0c44b4806a27d258baf13d6f714f06eddb28da5a Mon Sep 17 00:00:00 2001
+From: Glyph 
+Date: Sun, 23 Jan 2022 15:31:51 -0800
+Subject: [PATCH] correct docstring to suggest the right order
+
+---
+ src/twisted/web/iweb.py | 10 +-
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/src/twisted/web/iweb.py
 b/src/twisted/web/iweb.py
+@@ -716,12 +716,12 @@ class IAgent(Interface):
+ obtained by combining a number of (hypothetical) implementations::
+ 
+ baseAgent = Agent(reactor)
+-redirect = BrowserLikeRedirectAgent(baseAgent, limit=10

Bug#1010194: bullseye-pu: package distro-info-data/0.51+deb11u2

2022-04-25 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

As usual, a distro-info-data update.

[ Reason ]

This one only has Ubuntu changes, but still worth keeping up-to-date in
stable.

  * Update data to 0.53:
- Add Ubuntu 22.10, Kinetic Kudu.

[ Impact ]

Debian stable is unaware of the current Ubuntu development release:

$ ubuntu-distro-info -d
ubuntu-distro-info: Distribution data outdated.
Please check for an update for distro-info-data. See 
/usr/share/doc/distro-info-data/README.Debian for details.

[ Tests ]
Autopkgtests passed.

Manually tested:

$ ubuntu-distro-info -df
Ubuntu 22.10 "Kinetic Kudu"

[ Risks ]
Data-only package, this will bring it up to parity with unstable.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

* Update data to 0.53:
  - Add Ubuntu 22.10, Kinetic Kudu.

[ Other info ]

Bug for the last update: #1001389
diff -Nru distro-info-data-0.51+deb11u1/debian/changelog 
distro-info-data-0.51+deb11u2/debian/changelog
--- distro-info-data-0.51+deb11u1/debian/changelog  2021-12-09 
09:40:48.0 -0400
+++ distro-info-data-0.51+deb11u2/debian/changelog  2022-04-25 
20:32:17.0 -0400
@@ -1,3 +1,10 @@
+distro-info-data (0.51+deb11u2) bullseye; urgency=medium
+
+  * Update data to 0.53:
+- Add Ubuntu 22.10, Kinetic Kudu.
+
+ -- Stefano Rivera   Mon, 25 Apr 2022 20:32:17 -0400
+
 distro-info-data (0.51+deb11u1) bullseye; urgency=medium
 
   * Update data to 0.52:
diff -Nru distro-info-data-0.51+deb11u1/ubuntu.csv 
distro-info-data-0.51+deb11u2/ubuntu.csv
--- distro-info-data-0.51+deb11u1/ubuntu.csv2021-12-09 09:40:48.0 
-0400
+++ distro-info-data-0.51+deb11u2/ubuntu.csv2022-04-25 20:32:17.0 
-0400
@@ -35,3 +35,4 @@
 21.04,Hirsute Hippo,hirsute,2020-10-22,2021-04-22,2022-01-20
 21.10,Impish Indri,impish,2021-04-22,2021-10-14,2022-07-14
 22.04 LTS,Jammy 
Jellyfish,jammy,2021-10-14,2022-04-21,2027-04-21,2027-04-21,2032-04-21
+22.10,Kinetic Kudu,kinetic,2022-04-21,2022-10-20,2023-07-20


Bug#1010193: buster-pu: package distro-info-data/0.41+deb10u5

2022-04-25 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

As usual, a distro-info-data update.

[ Reason ]

This one only has Ubuntu changes, but still worth keeping up-to-date in
stable.

   * Update data to 0.53, without new columns:
 - Add Ubuntu 22.04 LTS, Jammy Jellyfish.
 - Add Ubuntu 22.10, Kinetic Kudu.

[ Impact ]
Debian oldstable doesn't know the current development Ubuntu release:

$ ubuntu-distro-info -d
ubuntu-distro-info: Distribution data outdated.
Please check for an update for distro-info-data. See 
/usr/share/doc/distro-info-data/README.Debian for details.

Or the current LTS release:

$ ubuntu-distro-info -f --lts
Ubuntu 20.04 LTS "Focal Fossa"
$ ubuntu-distro-info -f -s
Ubuntu 21.10 "Impish Indri"

[ Tests ]
It's just a data package. There are automated tests for correctness.
The data was copied from the version uploaded to unstable.

Manually tested, and looks sane.

[ Risks ]
Negligible, it's two new entries in the Ubuntu releases table.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

- Add Ubuntu 22.04 LTS, Jammy Jellyfish.
- Add Ubuntu 22.10, Kinetic Kudu.

[ Other info ]

Last update's bug: #987372
diff -Nru distro-info-data-0.41+deb10u4/debian/changelog 
distro-info-data-0.41+deb10u5/debian/changelog
--- distro-info-data-0.41+deb10u4/debian/changelog  2021-09-17 
18:30:21.0 -0400
+++ distro-info-data-0.41+deb10u5/debian/changelog  2022-04-25 
20:18:22.0 -0400
@@ -1,3 +1,11 @@
+distro-info-data (0.41+deb10u5) buster; urgency=medium
+
+  * Update data to 0.53, without new columns:
+- Add Ubuntu 22.04 LTS, Jammy Jellyfish.
+- Add Ubuntu 22.10, Kinetic Kudu.
+
+ -- Stefano Rivera   Mon, 25 Apr 2022 20:18:22 -0400
+
 distro-info-data (0.41+deb10u4) buster; urgency=medium
 
   * Update data to 0.51, without new columns:
diff -Nru distro-info-data-0.41+deb10u4/ubuntu.csv 
distro-info-data-0.41+deb10u5/ubuntu.csv
--- distro-info-data-0.41+deb10u4/ubuntu.csv2021-09-17 18:30:21.0 
-0400
+++ distro-info-data-0.41+deb10u5/ubuntu.csv2022-04-25 20:18:22.0 
-0400
@@ -34,3 +34,5 @@
 20.10,Groovy Gorilla,groovy,2020-04-23,2020-10-22,2021-07-22
 21.04,Hirsute Hippo,hirsute,2020-10-22,2021-04-22,2022-01-20
 21.10,Impish Indri,impish,2021-04-22,2021-10-14,2022-07-14
+22.04 LTS,Jammy Jellyfish,jammy,2021-10-14,2022-04-21,2027-04-21
+22.10,Kinetic Kudu,kinetic,2022-04-21,2022-10-20,2023-07-20
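
Review bot: the added Jammy row carries six fields and stops at `eol` (2027-04-21), so this data set has no separate server or ESM end date for 22.04 LTS. The changelog says "without new columns" but does not name the columns left out; listing them there would make it clear the omission is deliberate and tell users of oldstable which queries this data cannot answer.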


Bug#1006883: bullseye-pu: package python2-pip/20.3.4-4+deb11u1

2022-03-07 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: python-...@packages.debian.org

[ Reason ]
There is a race-condition in pip querying metadata from PyPI in
parallel, e.g. for "pip list --outdated". I suspect upstream never saw
it because we were using zipimports for pip's dependencies, where they
vendor them.

The race-condition seems to be specific to their home-grown parallel
map() implementation, that has later been replaced by Python's native
map().

[ Impact ]
pip list --outdated can fail with a very obscure traceback. See
#1006150.

[ Tests ]
Manually reproduced the race, fairly frequently.
With this patch I haven't seen the race again.

[ Risks ]
Trivial change, following something upstream did in a later version,
when dropping support for older Python releases.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Use Python's native map() instead of pip's home-grown map_multithread().

[ Other info ]
N/A
diff -Nru python-pip-20.3.4/debian/changelog python-pip-20.3.4/debian/changelog
--- python-pip-20.3.4/debian/changelog  2021-07-01 16:44:29.0 -0400
+++ python-pip-20.3.4/debian/changelog  2022-03-07 11:19:24.0 -0400
@@ -1,3 +1,10 @@
+python-pip (20.3.4-4+deb11u1) bullseye; urgency=medium
+
+  * Use native map() to avoid a zipimport race in pip list --outdated.
+(Closes: #1006150)
+
+ -- Stefano Rivera   Mon, 07 Mar 2022 11:19:24 -0400
+
 python-pip (20.3.4-4) unstable; urgency=medium
 
   * No-change upload against distlib 0.3.2+really+0.3.1-0.1.
diff -Nru python-pip-20.3.4/debian/patches/native-map.patch 
python-pip-20.3.4/debian/patches/native-map.patch
--- python-pip-20.3.4/debian/patches/native-map.patch   1969-12-31 
20:00:00.0 -0400
+++ python-pip-20.3.4/debian/patches/native-map.patch   2022-03-07 
11:19:24.0 -0400
@@ -0,0 +1,33 @@
+From: Stefano Rivera 
+Date: Mon, 7 Mar 2022 11:17:31 -0400
+Subject: Use native map() instead of map_multithread()
+
+Avoids a race-condition when using zip-imported dependencies.
+
+Origin: upstream, 
https://github.com/pypa/pip/commit/0252c04a16cd93fe422cebf0b48453b559a2e404
+Bug-Debian: https://bugs.debian.org/1006150
+---
+ src/pip/_internal/commands/list.py | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/pip/_internal/commands/list.py 
b/src/pip/_internal/commands/list.py
+index 10720b2..8e63eea 100644
+--- a/src/pip/_internal/commands/list.py
 b/src/pip/_internal/commands/list.py
+@@ -20,7 +20,6 @@ from pip._internal.utils.misc import (
+ write_output,
+ )
+ from pip._internal.utils.packaging import get_installer
+-from pip._internal.utils.parallel import map_multithread
+ from pip._internal.utils.typing import MYPY_CHECK_RUNNING
+ 
+ if MYPY_CHECK_RUNNING:
+@@ -234,7 +233,7 @@ class ListCommand(IndexGroupCommand):
+ dist.latest_filetype = typ
+ return dist
+ 
+-for dist in map_multithread(latest_info, packages):
++for dist in map(latest_info, packages):
+ if dist is not None:
+ yield dist
+ 
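
Review bot: `for dist in map(latest_info, packages):` runs the index lookups one after another where map_multithread ran them in parallel, so `pip list --outdated` will take longer on environments with many installed packages. That is a fair price for removing the race, but the patch description only says it avoids a race condition; add a line stating that the lookups are now sequential, so a later report of slowness is not mistaken for a regression.
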
diff -Nru python-pip-20.3.4/debian/patches/series 
python-pip-20.3.4/debian/patches/series
--- python-pip-20.3.4/debian/patches/series 2021-07-01 16:44:29.0 
-0400
+++ python-pip-20.3.4/debian/patches/series 2022-03-07 11:19:24.0 
-0400
@@ -10,3 +10,4 @@
 debug-command-for-unbundled.patch
 str-version.patch
 git-split-ascii.patch
+native-map.patch


Bug#1002620: bullseye-pu: package pypy3/7.3.5+dfsg-2+deb11u1

2021-12-25 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
An extraneous #endif in import.h makes using it impossible.

This was fixed upstream, in unstable & testing.

[ Impact ]
C extension modules that include import.h can't be built.

[ Tests ]
Autopkgtests pass, but they do not exercise import.h.

Manually confirmed the issue in the existing binary package, and
verified that the new version resolves the issue.

[ Risks ]
Trivial change in a rarely-touched file, upstream.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Remove the extra #endif.
diff -Nru pypy3-7.3.5+dfsg/debian/changelog pypy3-7.3.5+dfsg/debian/changelog
--- pypy3-7.3.5+dfsg/debian/changelog   2021-06-03 15:59:21.0 -0400
+++ pypy3-7.3.5+dfsg/debian/changelog   2021-12-25 11:54:46.0 -0400
@@ -1,3 +1,9 @@
+pypy3 (7.3.5+dfsg-2+deb11u1) bullseye; urgency=medium
+
+  * Patch: Remove extraneous #endif from import.h (Closes: #1001519)
+
+ -- Stefano Rivera   Sat, 25 Dec 2021 11:54:46 -0400
+
 pypy3 (7.3.5+dfsg-2) unstable; urgency=medium
 
   * Upload to unstable.
diff -Nru pypy3-7.3.5+dfsg/debian/patches/import-h-endif 
pypy3-7.3.5+dfsg/debian/patches/import-h-endif
--- pypy3-7.3.5+dfsg/debian/patches/import-h-endif  1969-12-31 
20:00:00.0 -0400
+++ pypy3-7.3.5+dfsg/debian/patches/import-h-endif  2021-12-25 
11:54:46.0 -0400
@@ -0,0 +1,23 @@
+From: Matti Picus 
+Date: Sat, 25 Dec 2021 11:50:49 -0400
+Subject: cpyext: typo in import.h
+
+Bug-Debian: https://bugs.debian.org/1001519
+Origin: upstream, 
https://foss.heptapod.net/pypy/pypy/-/commit/f8d0f6ad0832af43ef0cd0feabad9f0f408b0110
+---
+ pypy/module/cpyext/include/import.h | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/pypy/module/cpyext/include/import.h 
b/pypy/module/cpyext/include/import.h
+index f03457b..7460c0a 100644
+--- a/pypy/module/cpyext/include/import.h
 b/pypy/module/cpyext/include/import.h
+@@ -18,8 +18,6 @@ PyAPI_FUNC(PyObject *) PyImport_ImportModuleLevel(
+ #define PyImport_ImportModuleEx(n, g, l, f) \
+ PyImport_ImportModuleLevel(n, g, l, f, 0)
+ 
+-#endif
+-
+ #ifdef __cplusplus
+ }
+ #endif
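
Review bot: no test in this upload would have caught the stray `#endif` between the PyImport_ImportModuleEx macro and the `#ifdef __cplusplus` block, and none is added alongside the fix. Suggest an autopkgtest that compiles a minimal extension including the installed cpyext headers, so that a stray preprocessor directive in a shipped header fails the test run instead of reaching a stable release.
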
diff -Nru pypy3-7.3.5+dfsg/debian/patches/series 
pypy3-7.3.5+dfsg/debian/patches/series
--- pypy3-7.3.5+dfsg/debian/patches/series  2021-06-03 15:59:21.0 
-0400
+++ pypy3-7.3.5+dfsg/debian/patches/series  2021-12-25 11:54:46.0 
-0400
@@ -21,3 +21,4 @@
 tkinter-import
 noise
 python3-sphinx
+import-h-endif


Bug#1001389: bullseye-pu: package distro-info-data/0.51+deb11u1

2021-12-09 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

As usual, a distro-info-data update.

[ Reason ]

This one only has Ubuntu changes, but still worth keeping up-to-date in
stable.

 * Update data to 0.52:
   - Extend Ubuntu 14.04 and 16.04 ESM out to 10 years in total.
   - Add Ubuntu 22.04 LTS, Jammy Jellyfish.

[ Impact ]
Debian stable doesn't know the current development Ubuntu release, or
ESM dates.

[ Tests ]
Autopkgtest passed.
Manually tested:
$ ubuntu-distro-info -d

[ Risks ]
Data-only package, this will bring it up to parity with unstable.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Data updates.

[ Other info ]
Uploaded to the queue.
diff -Nru distro-info-data-0.51/debian/changelog 
distro-info-data-0.51+deb11u1/debian/changelog
--- distro-info-data-0.51/debian/changelog  2021-07-23 20:41:20.0 
-0400
+++ distro-info-data-0.51+deb11u1/debian/changelog  2021-12-09 
09:40:48.0 -0400
@@ -1,3 +1,11 @@
+distro-info-data (0.51+deb11u1) bullseye; urgency=medium
+
+  * Update data to 0.52:
+- Extend Ubuntu 14.04 and 16.04 ESM out to 10 years in total.
+- Add Ubuntu 22.04 LTS, Jammy Jellyfish.
+
+ -- Stefano Rivera   Thu, 09 Dec 2021 09:40:48 -0400
+
 distro-info-data (0.51) unstable; urgency=medium
 
   * Update bullseye's release date, bookworm's creation date, and buster's EoL
diff -Nru distro-info-data-0.51/ubuntu.csv 
distro-info-data-0.51+deb11u1/ubuntu.csv
--- distro-info-data-0.51/ubuntu.csv2021-07-23 20:41:20.0 -0400
+++ distro-info-data-0.51+deb11u1/ubuntu.csv2021-12-09 09:40:48.0 
-0400
@@ -18,11 +18,11 @@
 12.10,Quantal Quetzal,quantal,2012-04-26,2012-10-18,2014-05-16
 13.04,Raring Ringtail,raring,2012-10-18,2013-04-25,2014-01-27
 13.10,Saucy Salamander,saucy,2013-04-25,2013-10-17,2014-07-17
-14.04 LTS,Trusty 
Tahr,trusty,2013-10-17,2014-04-17,2019-04-25,2019-04-25,2022-04-25
+14.04 LTS,Trusty 
Tahr,trusty,2013-10-17,2014-04-17,2019-04-25,2019-04-25,2024-04-25
 14.10,Utopic Unicorn,utopic,2014-04-17,2014-10-23,2015-07-23
 15.04,Vivid Vervet,vivid,2014-10-23,2015-04-23,2016-02-04
 15.10,Wily Werewolf,wily,2015-04-23,2015-10-22,2016-07-28
-16.04 LTS,Xenial 
Xerus,xenial,2015-10-22,2016-04-21,2021-04-21,2021-04-21,2024-04-23
+16.04 LTS,Xenial 
Xerus,xenial,2015-10-22,2016-04-21,2021-04-21,2021-04-21,2026-04-23
 16.10,Yakkety Yak,yakkety,2016-04-21,2016-10-13,2017-07-20
 17.04,Zesty Zapus,zesty,2016-10-13,2017-04-13,2018-01-13
 17.10,Artful Aardvark,artful,2017-04-13,2017-10-19,2018-07-19
@@ -34,3 +34,4 @@
 20.10,Groovy Gorilla,groovy,2020-04-23,2020-10-22,2021-07-22
 21.04,Hirsute Hippo,hirsute,2020-10-22,2021-04-22,2022-01-20
 21.10,Impish Indri,impish,2021-04-22,2021-10-14,2022-07-14
+22.04 LTS,Jammy 
Jellyfish,jammy,2021-10-14,2022-04-21,2027-04-21,2027-04-21,2032-04-21


Bug#1001388: bullseye-pu: package python-virtualenv/20.4.0+ds-2+deb11u1

2021-12-09 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

An easy bug fix in python-virtualenv on bullseye, for a bug in one of
our patches.
Already fixed in unstable, without any reported regressions.

[ Reason ]
This fails on bullseye, at the moment:
$ virtualenv -p python3 --no-setuptools testve

The patch fixes it.

[ Impact ]
While --no-setuptools is probably an unusual flag, a user filed the bug,
so it's hitting people in the real world.

[ Tests ]
Autopkgtests pass.
I manually tested the affected code.

[ Risks ]
Very minimal change.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Avoid a KeyError in python by not looking up the key unless we've
verified it's in the dict.

[ Other info ]

Uploaded to the queue.
diff -Nru python-virtualenv-20.4.0+ds/debian/changelog 
python-virtualenv-20.4.0+ds/debian/changelog
--- python-virtualenv-20.4.0+ds/debian/changelog2021-06-20 
17:31:30.0 -0400
+++ python-virtualenv-20.4.0+ds/debian/changelog2021-12-09 
09:34:08.0 -0400
@@ -1,3 +1,10 @@
+python-virtualenv (20.4.0+ds-2+deb11u1) bullseye; urgency=medium
+
+  * include-pkg_resources.patch: Avoid KeyError when building a virtualenv
+with --no-setuptools, thanks Mathieu Parent. (Closes: #994953)
+
+ -- Stefano Rivera   Thu, 09 Dec 2021 09:34:08 -0400
+
 python-virtualenv (20.4.0+ds-2) unstable; urgency=medium
 
   * Patch: Fix --upgrade-embed-wheels.
diff -Nru 
python-virtualenv-20.4.0+ds/debian/patches/include-pkg_resources.patch 
python-virtualenv-20.4.0+ds/debian/patches/include-pkg_resources.patch
--- python-virtualenv-20.4.0+ds/debian/patches/include-pkg_resources.patch  
2021-06-20 17:31:30.0 -0400
+++ python-virtualenv-20.4.0+ds/debian/patches/include-pkg_resources.patch  
2021-12-09 09:34:08.0 -0400
@@ -6,9 +6,9 @@
 Forwarded: not-needed
 Last-Update: 2021-07-20
 ---
- src/virtualenv/seed/embed/pip_invoke.py| 9 -
- src/virtualenv/seed/embed/via_app_data/via_app_data.py | 9 -
- 2 files changed, 16 insertions(+), 2 deletions(-)
+ src/virtualenv/seed/embed/pip_invoke.py|  9 -
+ src/virtualenv/seed/embed/via_app_data/via_app_data.py | 10 +-
+ 2 files changed, 17 insertions(+), 2 deletions(-)
 
 diff --git a/src/virtualenv/seed/embed/pip_invoke.py 
b/src/virtualenv/seed/embed/pip_invoke.py
 index c935c02..275330b 100644
@@ -45,7 +45,7 @@
  cmd.extend(["--find-links", str(folder)])
  yield cmd
 diff --git a/src/virtualenv/seed/embed/via_app_data/via_app_data.py 
b/src/virtualenv/seed/embed/via_app_data/via_app_data.py
-index 9a98a70..4d82594 100644
+index 9a98a70..9c879cc 100644
 --- a/src/virtualenv/seed/embed/via_app_data/via_app_data.py
 +++ b/src/virtualenv/seed/embed/via_app_data/via_app_data.py
 @@ -10,7 +10,8 @@ from threading import Lock, Thread
@@ -58,14 +58,15 @@
  from virtualenv.util.path import Path
  
  from .pip_install.copy import CopyPipInstall
-@@ -123,6 +124,12 @@ class FromAppData(BaseEmbed):
+@@ -123,6 +124,13 @@ class FromAppData(BaseEmbed):
  thread.start()
  for thread in threads:
  thread.join()
 +
 +# Debian specific: Since Debian splits out pkg_resources from
 +# setuptools, for a local virtualenv, we need to add it to the base.
-+if name_to_whl['setuptools'].path.is_relative_to(BUNDLE_FOLDER):
++if ('setuptools' in name_to_whl and
++name_to_whl['setuptools'].path.is_relative_to(BUNDLE_FOLDER)):
 +_get('pkg_resources', Version.bundle)
 +
  if fail:
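
Review bot: the added membership test on 'setuptools' in name_to_whl fixes the KeyError, but the dictionary is now consulted twice and the condition spills onto a continuation line. Binding name_to_whl.get('setuptools') to a local and checking its path in a single test reads more simply. The Debian-specific comment above it could also state that the block is skipped when setuptools is not being seeded (--no-setuptools), and a regression test for that invocation would keep #994953 from coming back.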


Bug#996929: buster-pu: package python-virtualenv/15.1.0+ds-2

2021-10-20 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
python-virtualenv recently had a regression in buster caused by a
server-side change on pypi.org (#994952).
It started to 404 (breaking virtualenv) where it had previously returned
an empty directory listing for the pkg_resources package.

pip, setuptools, and pkg_resources are bootstrapped into virtualenvs.

pkg_resources is part of the setuptools PyPI package, upstream. But in
Debian it's packaged as its own binary package, so we have some patches
in Debian to explicitly install pkg_resources.

The old behaviour is currently back on pypi.org, see
https://github.com/pypa/warehouse/issues/10081

But the fix to stop virtualenv from depending on this empty directory
listing is very simple, so we should probably apply it.

[ Impact ]
Reliance on pypi.org serving a workaround for our virtualenv version.
Without that workaround, virtualenv fails (unless explicitly run with
--no-download).

[ Tests ]
Manually tested behaviour with and without --no-download.

[ Risks ]
Trivial patch.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
When bootstrapping setuptools and pip into the virtualenv *from PyPI*,
don't ask pip to install pkg_resources.

[ Other info ]
(Anything else the release team should know.)
diff -Nru python-virtualenv-15.1.0+ds/debian/changelog 
python-virtualenv-15.1.0+ds/debian/changelog
--- python-virtualenv-15.1.0+ds/debian/changelog2018-12-13 
11:19:35.0 -0800
+++ python-virtualenv-15.1.0+ds/debian/changelog2021-10-20 
15:48:33.0 -0700
@@ -1,3 +1,9 @@
+python-virtualenv (15.1.0+ds-2+deb10u1) buster; urgency=medium
+
+  * Avoid attempting to install pkg_resources from PyPI. (Closes: #994952)
+
+ -- Stefano Rivera   Wed, 20 Oct 2021 15:48:33 -0700
+
 python-virtualenv (15.1.0+ds-2) unstable; urgency=medium
 
   [ Vincent Bernat ]
diff -Nru python-virtualenv-15.1.0+ds/debian/patches/use-wheels.patch 
python-virtualenv-15.1.0+ds/debian/patches/use-wheels.patch
--- python-virtualenv-15.1.0+ds/debian/patches/use-wheels.patch 2018-12-13 
11:19:35.0 -0800
+++ python-virtualenv-15.1.0+ds/debian/patches/use-wheels.patch 2021-10-20 
15:48:33.0 -0700
@@ -22,8 +22,8 @@
  scripts/virtualenv  |  9 +++
  setup.py|  4 ++--
  virtualenv.egg-info/SOURCES.txt |  4 ++--
- virtualenv.py   | 52 ++---
- 4 files changed, 62 insertions(+), 7 deletions(-)
+ virtualenv.py   | 53 ++---
+ 4 files changed, 63 insertions(+), 7 deletions(-)
 
 diff --git a/scripts/virtualenv b/scripts/virtualenv
 index 418bd79..7dd0203 100644
@@ -126,7 +126,7 @@
  if cert_data is not None:
  cert_file = tempfile.NamedTemporaryFile(delete=False)
  cert_file.write(cert_data)
-@@ -928,8 +948,34 @@ def create_environment(home_dir, site_packages=False, 
clear=False,
+@@ -928,8 +948,35 @@ def create_environment(home_dir, site_packages=False, 
clear=False,
  
  to_install = []
  
@@ -157,7 +157,8 @@
 +
  if not no_setuptools:
  to_install.append('setuptools')
-+to_install.append('pkg_resources')
++if not download:
++to_install.append('pkg_resources')
  
  if not no_pip:
  to_install.append('pip')
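
Review bot: the new "if not download:" guard around to_install.append('pkg_resources') carries no comment, so the code does not show why pkg_resources is requested only in the non-download case. A short Debian-specific comment saying that pkg_resources is a separate package only in Debian, and arrives with setuptools when installing from PyPI, would stop a later refresh of use-wheels.patch from dropping the condition.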


Bug#987372: buster-pu: package distro-info-data/0.41+deb10u3 OR (distro-info/1.0~deb10u1 AND distro-info-data/0.47~deb10u1)

2021-09-17 Thread Stefano Rivera
Hi SRMs (2021.04.22_09:57:49_-0700)

Given the lack of reply here, let's stick with the minimal option.

There have been more changes since the last patch, so here's an updated
debdiff. Uploaded to buster-proposed-updates.

> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in stable
>   [x] the issue is verified as fixed in unstable

Still true.

Changes:

distro-info-data (0.41+deb10u4) buster; urgency=medium

  * Update data to 0.51, without new columns:
- Add estimated date for Buster EOL.
- Correct the EOL date for Debian Jessie.
- Add Debian 13 "Trixie", with a rough date.
- Add Ubuntu 21.10, Impish Indri.
- Move Ubuntu EoLs off weekends.
- Validate that Ubuntu EoLs occur during the week.
- Set bullseye's release date, bookworm's creation date, and buster's EoL
  date based on the updated planned bullseye release date.

 -- Stefano Rivera   Fri, 17 Sep 2021 15:30:21 -0700

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272
diff -Nru distro-info-data-0.41+deb10u3/debian/changelog 
distro-info-data-0.41+deb10u4/debian/changelog
--- distro-info-data-0.41+deb10u3/debian/changelog  2020-11-02 
12:44:14.0 -0800
+++ distro-info-data-0.41+deb10u4/debian/changelog  2021-09-17 
15:30:21.0 -0700
@@ -1,3 +1,17 @@
+distro-info-data (0.41+deb10u4) buster; urgency=medium
+
+  * Update data to 0.51, without new columns:
+- Add estimated date for Buster EOL.
+- Correct the EOL date for Debian Jessie.
+- Add Debian 13 "Trixie", with a rough date.
+- Add Ubuntu 21.10, Impish Indri.
+- Move Ubuntu EoLs off weekends.
+- Validate that Ubuntu EoLs occur during the week.
+- Set bullseye's release date, bookworm's creation date, and buster's EoL
+  date based on the updated planned bullseye release date.
+
+ -- Stefano Rivera   Fri, 17 Sep 2021 15:30:21 -0700
+
 distro-info-data (0.41+deb10u3) buster; urgency=medium
 
   * Update data to 0.45:
diff -Nru distro-info-data-0.41+deb10u3/debian.csv 
distro-info-data-0.41+deb10u4/debian.csv
--- distro-info-data-0.41+deb10u3/debian.csv2020-11-02 12:44:14.0 
-0800
+++ distro-info-data-0.41+deb10u4/debian.csv2021-09-17 15:30:21.0 
-0700
@@ -11,10 +11,11 @@
 5.0,Lenny,lenny,2007-04-08,2009-02-14,2012-02-06
 6.0,Squeeze,squeeze,2009-02-14,2011-02-06,2014-05-31
 7,Wheezy,wheezy,2011-02-06,2013-05-04,2016-04-26
-8,Jessie,jessie,2013-05-04,2015-04-25,2018-06-06
+8,Jessie,jessie,2013-05-04,2015-04-25,2018-06-17
 9,Stretch,stretch,2015-04-25,2017-06-17,2020-07-06
-10,Buster,buster,2017-06-17,2019-07-06
-11,Bullseye,bullseye,2019-07-06
-12,Bookworm,bookworm,2021-08-01
+10,Buster,buster,2017-06-17,2019-07-06,2022-08-14
+11,Bullseye,bullseye,2019-07-06,2021-08-14,2024-08-14
+12,Bookworm,bookworm,2021-08-14
+13,Trixie,trixie,2023-08-01
 ,Sid,sid,1993-08-16
 ,Experimental,experimental,1993-08-16
diff -Nru distro-info-data-0.41+deb10u3/ubuntu.csv 
distro-info-data-0.41+deb10u4/ubuntu.csv
--- distro-info-data-0.41+deb10u3/ubuntu.csv2020-11-02 12:44:14.0 
-0800
+++ distro-info-data-0.41+deb10u4/ubuntu.csv2021-09-17 15:30:21.0 
-0700
@@ -32,4 +32,5 @@
 19.10,Eoan Ermine,eoan,2019-04-18,2019-10-17,2020-07-17
 20.04 LTS,Focal Fossa,focal,2019-10-17,2020-04-23,2025-04-23
 20.10,Groovy Gorilla,groovy,2020-04-23,2020-10-22,2021-07-22
-21.04,Hirsute Hippo,hirsute,2020-10-22,2021-04-22,2022-01-22
+21.04,Hirsute Hippo,hirsute,2020-10-22,2021-04-22,2022-01-20
+21.10,Impish Indri,impish,2021-04-22,2021-10-14,2022-07-14
diff -Nru distro-info-data-0.41+deb10u3/validate-csv-data 
distro-info-data-0.41+deb10u4/validate-csv-data
--- distro-info-data-0.41+deb10u3/validate-csv-data 2020-11-02 
12:44:14.0 -0800
+++ distro-info-data-0.41+deb10u4/validate-csv-data 2021-09-17 
15:30:21.0 -0700
@@ -21,6 +21,7 @@
 import optparse
 import os
 import sys
+from datetime import date
 
 _COLUMNS = {
 "debian": ("version", "codename", "series", "created", "release", "eol"),
@@ -121,6 +122,17 @@
"to the given date in column `%s'")
 error(filename, csvreader.line_num, msg, date1, date2)
 failures += 1
+# Check that Ubuntu EOL lands on a weekday
+if distro == 'ubuntu':
+for column, eol_date in row.items():
+if not column.startswith('eol'):
+continue
+if not eol_date:
+continue
+if eol_date.weekday() > 5 and eol_date >= date(2021, 1, 1):
+msg = '%s for %s lands on a weekend (%s)'
+error(filename, csvreader.line_num, msg, column,
+  row['codename'], date)
 
 return failures == 0
 
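
Review bot: the weekend check has three problems. The test eol_date.weekday() > 5 matches only Sunday, because date.weekday() numbers Monday as 0 and Saturday as 5, so it needs to be >= 5; as written, a Saturday EoL such as the 2022-01-22 that this same upload corrects for hirsute would pass. The last argument to error() is date, the class imported at the top of the file, rather than eol_date, so the message would show the class and not the offending date. And unlike the check just above it, this branch never does failures += 1, so a weekend date is reported but does not make the function return False.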


Bug#991560: unblock: six/1.16.0-2

2021-07-27 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: cjwat...@debian.org

Please unblock package six

six (1.16.0-2) unstable; urgency=medium

  * Team upload.

  [ Andreas Beckmann ]
  * python-six/python3-six: Copy Breaks: python (<< 2.7.18),
python-minimal (<< 2.7.18), libpython-stdlib (<< 2.7.18),
python-iso8601 (<< 0.1.12-2~), python-pbr (<< 5.4.5) from python2.7 to
ensure removal of the unversioned python packages (and some persisting
obsolete Python 2 module packages) on upgrades from buster. In some
upgrade scenarios (mostly involving openstack packages) these Breaks in
python2.7 were ineffective because the unversioned python packages got
higher scores than python2.7. python-six/python3-six are usually very
high scoring Python module packages in these cases, making them ideal
candidates for such copies of the Breaks.  (Closes: #991433)

[ Reason ]
Smoother python 2 -> 3 upgrades.

[ Impact ]
Users upgrading from buster could be left using a removed python 2
stack, rather than being upgraded to python 3.

[ Tests ]
Verified that they upgrade from buster without issue.

[ Risks ]
Adds breaks only.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock six/1.16.0-2
diff -Nru six-1.16.0/debian/changelog six-1.16.0/debian/changelog
--- six-1.16.0/debian/changelog 2021-05-09 06:40:54.0 -0400
+++ six-1.16.0/debian/changelog 2021-07-27 11:44:18.0 -0400
@@ -1,3 +1,21 @@
+six (1.16.0-2) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Andreas Beckmann ]
+  * python-six/python3-six: Copy Breaks: python (<< 2.7.18),
+python-minimal (<< 2.7.18), libpython-stdlib (<< 2.7.18),
+python-iso8601 (<< 0.1.12-2~), python-pbr (<< 5.4.5) from python2.7 to
+ensure removal of the unversioned python packages (and some persisting
+obsolete Python 2 module packages) on upgrades from buster. In some
+upgrade scenarios (mostly involving openstack packages) these Breaks in
+python2.7 were ineffective because the unversioned python packages got
+higher scores than python2.7. python-six/python3-six are usually very
+high scoring Python module packages in these cases, making them ideal
+candidates for such copies of the Breaks.  (Closes: #991433)
+
+ -- Stefano Rivera   Tue, 27 Jul 2021 11:44:18 -0400
+
 six (1.16.0-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru six-1.16.0/debian/control six-1.16.0/debian/control
--- six-1.16.0/debian/control   2021-05-09 06:40:54.0 -0400
+++ six-1.16.0/debian/control   2021-07-27 11:44:18.0 -0400
@@ -26,6 +26,11 @@
 Multi-Arch: foreign
 Depends: ${misc:Depends},
  ${python:Depends},
+Breaks: python (<< 2.7.18),
+python-minimal (<< 2.7.18),
+libpython-stdlib (<< 2.7.18),
+python-iso8601 (<< 0.1.12-2~),
+python-pbr (<< 5.4.5),
 Description: Python 2 and 3 compatibility library (Python 2 interface)
  Six is a Python 2 and 3 compatibility library. It provides utility
  functions for smoothing over the differences between the Python versions
@@ -40,6 +45,9 @@
 Multi-Arch: foreign
 Depends: ${misc:Depends},
  ${python3:Depends},
+Breaks: python (<< 2.7.18),
+python-minimal (<< 2.7.18),
+libpython-stdlib (<< 2.7.18),
 Description: Python 2 and 3 compatibility library (Python 3 interface)
  Six is a Python 2 and 3 compatibility library. It provides utility
  functions for smoothing over the differences between the Python versions
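
Review bot: the python3-six stanza receives only three Breaks entries, while the changelog entry lists five, including python-iso8601 (<< 0.1.12-2~) and python-pbr (<< 5.4.5), under "python-six/python3-six" without distinguishing the two binary packages. If the shorter list for python3-six is deliberate, the changelog should say which Breaks go to which package; if not, those two entries are missing here.
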
diff -Nru six-1.16.0/debian/.gitignore six-1.16.0/debian/.gitignore
--- six-1.16.0/debian/.gitignore2021-05-09 06:40:54.0 -0400
+++ six-1.16.0/debian/.gitignore1969-12-31 20:00:00.0 -0400
@@ -1 +0,0 @@
-/files


Bug#991454: unblock: distro-info-data/0.51

2021-07-23 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package distro-info-data

 distro-info-data (0.51) unstable; urgency=medium

   * Update bullseye's release date, bookworm's creation date, and buster's EoL
 date based on the updated planned bullseye release date.

[ Reason ]
The bullseye tentative release date got finalized, to 2 weeks later.

[ Impact ]
Incorrect data from distro-info.

[ Tests ]
Manually tested around the release date, things seem correct.
Automated tests verify that the format is sane.

[ Risks ]
Data-only package.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock distro-info-data/0.51
diff -Nru distro-info-data-0.50/debian/changelog 
distro-info-data-0.51/debian/changelog
--- distro-info-data-0.50/debian/changelog  2021-06-17 11:01:52.0 
-0400
+++ distro-info-data-0.51/debian/changelog  2021-07-23 20:41:20.0 
-0400
@@ -1,3 +1,10 @@
+distro-info-data (0.51) unstable; urgency=medium
+
+  * Update bullseye's release date, bookworm's creation date, and buster's EoL
+date based on the updated planned bullseye release date.
+
+ -- Stefano Rivera   Fri, 23 Jul 2021 20:41:20 -0400
+
 distro-info-data (0.50) unstable; urgency=medium
 
   * Update buster's EOL day to bullseye's (tentative) release date +1y.
diff -Nru distro-info-data-0.50/debian.csv distro-info-data-0.51/debian.csv
--- distro-info-data-0.50/debian.csv2021-06-17 11:01:52.0 -0400
+++ distro-info-data-0.51/debian.csv2021-07-23 20:41:20.0 -0400
@@ -13,9 +13,9 @@
 7,Wheezy,wheezy,2011-02-06,2013-05-04,2016-04-26,2018-05-31,2020-06-30
 8,Jessie,jessie,2013-05-04,2015-04-25,2018-06-17,2020-06-30,2022-06-30
 9,Stretch,stretch,2015-04-25,2017-06-17,2020-07-06,2022-06-30,2024-06-30
-10,Buster,buster,2017-06-17,2019-07-06,2022-07-31,2024-06-30,2026-06-30
-11,Bullseye,bullseye,2019-07-06,2021-07-31,2024-07-31
-12,Bookworm,bookworm,2021-07-31
+10,Buster,buster,2017-06-17,2019-07-06,2022-08-14,2024-06-30,2026-06-30
+11,Bullseye,bullseye,2019-07-06,2021-08-14,2024-08-14
+12,Bookworm,bookworm,2021-08-14
 13,Trixie,trixie,2023-08-01
 ,Sid,sid,1993-08-16
 ,Experimental,experimental,1993-08-16


Bug#990812: unblock: python-authlib/0.15.4-1

2021-07-07 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package python-authlib

[ Reason ]
Upstream made a security point release. No CVE.

[ Impact ]
Security vulnerability.

[ Tests ]
Added a unit test to cover the issue.

Package builds and tests pass.

[ Risks ]
Tiny diff, looks good.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock python-authlib/0.15.4-1
diff -Nru python-authlib-0.15.3/authlib/consts.py 
python-authlib-0.15.4/authlib/consts.py
--- python-authlib-0.15.3/authlib/consts.py 2021-01-15 09:51:55.0 
-0400
+++ python-authlib-0.15.4/authlib/consts.py 2021-06-05 03:07:38.0 
-0400
@@ -1,5 +1,5 @@
 name = 'Authlib'
-version = '0.15.3'
+version = '0.15.4'
 author = 'Hsiaoming Yang '
 homepage = 'https://authlib.org/'
 default_user_agent = '{}/{} (+{})'.format(name, version, homepage)
diff -Nru python-authlib-0.15.3/authlib/jose/rfc7519/claims.py 
python-authlib-0.15.4/authlib/jose/rfc7519/claims.py
--- python-authlib-0.15.3/authlib/jose/rfc7519/claims.py2021-01-15 
09:51:55.0 -0400
+++ python-authlib-0.15.4/authlib/jose/rfc7519/claims.py2021-06-05 
03:07:38.0 -0400
@@ -58,10 +58,10 @@
 
 def _validate_claim_value(self, claim_name):
 option = self.options.get(claim_name)
-value = self.get(claim_name)
-if not option or not value:
+if not option:
 return
 
+value = self.get(claim_name)
 option_value = option.get('value')
 if option_value and value != option_value:
 raise InvalidClaimError(claim_name)
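
Review bot: moving the self.get(claim_name) lookup below the "if not option" return means a claim that is absent or None is now compared against option_value and raises InvalidClaimError. That is the fix, but it applies equally to claims whose option is not marked essential. This behaviour change for optional claims with a configured value deserves a line in the Debian changelog, which says only "fixing a security issue", so that users who see new validation failures after the update can find the cause.
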
diff -Nru python-authlib-0.15.3/debian/changelog 
python-authlib-0.15.4/debian/changelog
--- python-authlib-0.15.3/debian/changelog  2021-01-20 14:21:23.0 
-0400
+++ python-authlib-0.15.4/debian/changelog  2021-07-07 19:32:08.0 
-0400
@@ -1,3 +1,9 @@
+python-authlib (0.15.4-1) unstable; urgency=medium
+
+  * New upstream point release, fixing a security issue.
+
+ -- Stefano Rivera   Wed, 07 Jul 2021 19:32:08 -0400
+
 python-authlib (0.15.3-1) unstable; urgency=medium
 
   [ Stefano Rivera ]
diff -Nru python-authlib-0.15.3/tests/core/test_jose/test_jwt.py 
python-authlib-0.15.4/tests/core/test_jose/test_jwt.py
--- python-authlib-0.15.3/tests/core/test_jose/test_jwt.py  2021-01-15 
09:51:55.0 -0400
+++ python-authlib-0.15.4/tests/core/test_jose/test_jwt.py  2021-06-05 
03:07:38.0 -0400
@@ -73,6 +73,20 @@
 claims.validate,
 )
 
+def test_validate_expected_issuer_received_None(self):
+id_token = jwt.encode({'alg': 'HS256'}, {'iss': None, 'sub': None}, 
'k')
+claims_options = {
+'iss': {
+'essential': True,
+'values': ['foo']
+}
+}
+claims = jwt.decode(id_token, 'k', claims_options=claims_options)
+self.assertRaises(
+errors.InvalidClaimError,
+claims.validate
+)
+
 def test_validate_aud(self):
 id_token = jwt.encode({'alg': 'HS256'}, {'aud': 'foo'}, 'k')
 claims_options = {
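
Review bot: the added test exercises only the list form ('values': ['foo']) with iss set to None and 'essential': True. The guard that was removed skipped every falsy value, so further cases for the single 'value' option, for an empty-string claim, and for an option without 'essential' would pin down the whole of the changed branch in _validate_claim_value.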


Bug#990416: unblock: python-pip/20.3.4-3

2021-07-01 Thread Stefano Rivera
Control: retitle -1 unblock: python-pip/20.3.4-4

Changes:
 python-pip (20.3.4-4) unstable; urgency=medium
 .
   * No-change upload against distlib 0.3.2+really+0.3.1-0.1.

See #990549.

unblock python-pip/20.3.4-4

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272



Bug#990416: unblock: python-pip/20.3.4-3

2021-07-01 Thread Stefano Rivera
Hrm, the original email got truncated at a "." line. Sounds like some
broken SMTP thing somewhere...

Please unblock package python-pip

python-pip (20.3.4-3) unstable; urgency=medium

  * Modify hands-off-system-packages.patch to act correctly under PyPy3, which
shares dist-packages with cPython, but has a different sys.prefix.

[ Reason ]
PyPy and cPython on Debian share a common dist-packages directory
(/usr/lib/python3/dist-packages). However, not everything in there is
importable in PyPy. Generally C extensions are only built against
cPython.

So, users wanting to use numpy, for example, would pip install it.
However, unless one is very careful, pip will uninstall the numpy from
dist-packages, which should be managed by apt, not pip.

Pip has a patch to avoid this, but it wasn't working correctly under
PyPy, because it assumed sys.prefix == /usr.
This upload hard-codes prefix in the patch, making pip refuse to remove
files from dist-packages, when run under cPython or PyPy.

Bug describing this: https://salsa.debian.org/debian/pypy/-/issues/2

[ Impact ]
Users can fairly easily break their python3-* packages, by using pip as
root, to install modules for pypy3.

[ Tests ]
Manually tested installing & upgrading modules with pip under cpython
and pypy3.

[ Risks ]
Change is a noop on cpython, and fixes a bug on PyPy.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock python-pip/20.3.4-3
diff -Nru python-pip-20.3.4/debian/changelog python-pip-20.3.4/debian/changelog
--- python-pip-20.3.4/debian/changelog  2021-05-12 08:39:26.0 -0400
+++ python-pip-20.3.4/debian/changelog  2021-06-28 12:20:17.0 -0400
@@ -1,3 +1,10 @@
+python-pip (20.3.4-3) unstable; urgency=medium
+
+  * Modify hands-off-system-packages.patch to act correctly under PyPy3, which
+shares dist-packages with cPython, but has a different sys.prefix.
+
+ -- Stefano Rivera   Mon, 28 Jun 2021 12:20:17 -0400
+
 python-pip (20.3.4-2) unstable; urgency=medium
 
   * Add myself to uploaders.
diff -Nru 
python-pip-20.3.4/debian/patches/debian-python2.7-sysconfig-workaround.patch 
python-pip-20.3.4/debian/patches/debian-python2.7-sysconfig-workaround.patch
--- 
python-pip-20.3.4/debian/patches/debian-python2.7-sysconfig-workaround.patch
2021-05-12 08:39:26.0 -0400
+++ 
python-pip-20.3.4/debian/patches/debian-python2.7-sysconfig-workaround.patch
2021-06-28 12:20:17.0 -0400
@@ -37,10 +37,10 @@
  # Use getusersitepackages if this is present, as it ensures that the
  # value is initialised properly.
 diff --git a/src/pip/_internal/utils/misc.py b/src/pip/_internal/utils/misc.py
-index 706937d..ebe5f29 100644
+index 459312f..b8795cc 100644
 --- a/src/pip/_internal/utils/misc.py
 +++ b/src/pip/_internal/utils/misc.py
-@@ -429,11 +429,7 @@ def dist_is_editable(dist):
+@@ -430,11 +430,7 @@ def dist_is_editable(dist):
  """
  Return True if given Distribution is an editable install.
  """
diff -Nru python-pip-20.3.4/debian/patches/hands-off-system-packages.patch 
python-pip-20.3.4/debian/patches/hands-off-system-packages.patch
--- python-pip-20.3.4/debian/patches/hands-off-system-packages.patch
2021-05-12 08:39:26.0 -0400
+++ python-pip-20.3.4/debian/patches/hands-off-system-packages.patch
2021-06-28 12:20:17.0 -0400
@@ -15,14 +15,14 @@
 
 Patch-Name: hands-off-system-packages.patch
 ---
- src/pip/_internal/utils/misc.py | 36 +++-
- 1 file changed, 27 insertions(+), 9 deletions(-)
+ src/pip/_internal/utils/misc.py | 37 -
+ 1 file changed, 28 insertions(+), 9 deletions(-)
 
 diff --git a/src/pip/_internal/utils/misc.py b/src/pip/_internal/utils/misc.py
-index 4fb64d2..706937d 100644
+index 4fb64d2..459312f 100644
 --- a/src/pip/_internal/utils/misc.py
 +++ b/src/pip/_internal/utils/misc.py
-@@ -365,25 +365,43 @@ def renames(old, new):
+@@ -365,25 +365,44 @@ def renames(old, new):
  def is_local(path):
  # type: (str) -> bool
  """
@@ -48,7 +48,8 @@
 -return path.startswith(normalize_path(sys.prefix))
 +
 +path = normalize_path(path)
-+prefix = normalize_path(sys.prefix)
++# Hard-coded becouse PyPy uses a different sys.prefix on Debian
++prefix = '/usr'
 +
 +if running_under_virtualenv():
 +return path.startswith(normalize_path(sys.prefix))


Bug#990549: unblock: distlib/0.3.2+really+0.3.1-0.1

2021-07-01 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: d...@debian.org
Control: block 990416 with -1

Please unblock package distlib.

[ Reason ]

To migrate python-pip (#990416) which bundles distlib, I need distlib to
migrate. A new upstream point-release had been uploaded to unstable, so
I've reverted it (with Matthias' consent):

distlib (0.3.2+really+0.3.1-0.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Revert to 0.3.1 for Debian bullseye.

 -- Stefano Rivera   Thu, 01 Jul 2021 13:40:03 -0400

distlib (0.3.2-1) unstable; urgency=medium

  * New upstream version.

 -- Matthias Klose   Mon, 21 Jun 2021 10:28:59 +0200

[ Impact ]
This is a noop change.

[ Tests ]
Package builds and autopkgtests pass.

[ Risks ]
This is a noop change.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock distlib/0.3.2+really+0.3.1-0.1
diff -Nru distlib-0.3.1/debian/changelog 
distlib-0.3.2+really+0.3.1/debian/changelog
--- distlib-0.3.1/debian/changelog  2020-07-17 04:20:12.0 -0400
+++ distlib-0.3.2+really+0.3.1/debian/changelog 2021-07-01 13:40:03.0 
-0400
@@ -1,3 +1,16 @@
+distlib (0.3.2+really+0.3.1-0.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Revert to 0.3.1 for Debian bullseye.
+
+ -- Stefano Rivera   Thu, 01 Jul 2021 13:40:03 -0400
+
+distlib (0.3.2-1) unstable; urgency=medium
+
+  * New upstream version.
+
+ -- Matthias Klose   Mon, 21 Jun 2021 10:28:59 +0200
+
 distlib (0.3.1-1) unstable; urgency=medium
 
   * New upstream version.


Bug#989881: [pre-approval] unblock: python-urllib3/1.26.5-1

2021-06-29 Thread Stefano Rivera
Control: block 990416 with -1

> I'm really sorry, unfortunately I made a stupid error: I used `dch -r
> experimental` but it's the wrong syntax and I did not even notice the URL of
> http://debomatic-amd64.debian.net/distribution#unstable/python-urllib3/1.26.5-1~exp1/buildlog
> because I clicked on the label in the home page... so I unfortunately uploaded
> urllib3 to unstable :( Yes, with the ~exp1...

I was going to ask you to ping me if this unblock was approved, so we
could do a new python-pip upload, bundling this urllib3 in it.
But now I don't need to :)

I have an upload pending unblock that built against
python-urllib3/1.26.5-1~exp1 in bug 990416.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272



Bug#990297: unblock: pyyaml/5.3.1-5

2021-06-24 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: a...@debian.org

Please unblock package pyyaml

 pyyaml (5.3.1-5) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Andreas Beckmann ]
   * python3-yaml: Copy Breaks: python (<< 2.7.18), python-minimal (<< 2.7.18),
 libpython-stdlib (<< 2.7.18) from python2.7 and add
 Breaks: python-yaml (<< 5.3.1-2) for smoother upgrades from buster.
 In some upgrade scenarios (mostly involving ros-* packages) these Breaks
 in python2.7 were ineffective because the unversioned python packages got
 higher scores. Copying the Breaks to python3-yaml which is the first
 python package scoring higher than the to-be-removed packages solves these
 issues.  (Closes: #989930)

[ Reason ]
Improve upgrades from buster.

[ Impact ]
More manual package upgrades and cleanup required, without this patch.

[ Tests ]

From #989930:
> I've run a lot of upgrade tests and the results look very promising that
> we can improve the number of clean upgrade paths with this patch.

From my PoV, the change seems safe enough. Built and test-installed.

[ Risks ]
Dependency-only change.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock pyyaml/5.3.1-5
diff -Nru pyyaml-5.3.1/debian/changelog pyyaml-5.3.1/debian/changelog
--- pyyaml-5.3.1/debian/changelog   2021-05-21 11:11:00.0 -0400
+++ pyyaml-5.3.1/debian/changelog   2021-06-24 19:02:58.0 -0400
@@ -1,3 +1,19 @@
+pyyaml (5.3.1-5) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Andreas Beckmann ]
+  * python3-yaml: Copy Breaks: python (<< 2.7.18), python-minimal (<< 2.7.18),
+libpython-stdlib (<< 2.7.18) from python2.7 and add
+Breaks: python-yaml (<< 5.3.1-2) for smoother upgrades from buster.
+In some upgrade scenarios (mostly involving ros-* packages) these Breaks
+in python2.7 were ineffective because the unversioned python packages got
+higher scores. Copying the Breaks to python3-yaml which is the first
+python package scoring higher than the to-be-removed packages solves these
+issues.  (Closes: #989930)
+
+ -- Stefano Rivera   Thu, 24 Jun 2021 19:02:58 -0400
+
 pyyaml (5.3.1-4) unstable; urgency=medium
 
   * Team upload.
diff -Nru pyyaml-5.3.1/debian/control pyyaml-5.3.1/debian/control
--- pyyaml-5.3.1/debian/control 2021-05-21 11:11:00.0 -0400
+++ pyyaml-5.3.1/debian/control 2021-06-24 19:02:58.0 -0400
@@ -15,6 +15,11 @@
 Architecture: any
 Multi-Arch: allowed
 Depends: ${python3:Depends}, ${shlibs:Depends}, ${misc:Depends}
+Breaks:
+ python (<< 2.7.18),
+ python-minimal (<< 2.7.18),
+ libpython-stdlib (<< 2.7.18),
+ python-yaml (<< 5.3.1-2),
 Description: YAML parser and emitter for Python3
  Python3-yaml is a complete YAML 1.1 parser and emitter for Python3.  It can
  parse all examples from the specification. The parsing algorithm is simple
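
Review bot: The new Breaks block in debian/control pins Python 2 packages (python, python-minimal, libpython-stdlib) from a Python 3 package, with no explanation in the file itself. A comment line above `Breaks:` pointing at #989930, and saying the entries exist only to steer buster to bullseye upgrades, would make it clear they can be dropped after bullseye; at the moment that reasoning lives only in the changelog.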


Bug#990111: unblock: python-virtualenv/20.4.0+ds-2

2021-06-20 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package python-virtualenv

 python-virtualenv (20.4.0+ds-2) unstable; urgency=medium
 .
   * Patch: Fix --upgrade-embed-wheels.
   * Replace the pkg_resources addition part of
 debian_update_for_available_wheels.patch with include-pkg_resources.patch
 which will only include pkg_resources when using Debian's bundled
 setuptools wheel. (Closes: #976796)

[ Reason ]
The --upgrade-embed-wheels option was not working at all, it would
crash, if you attempted to use it. This was fixed upstream later in
20.4.x, so cherry-picked that trivial patch.

Relatedly, we got to the bottom of #976796, which was caused by upgraded
wheels, which would include pkg_resources in the setuptools wheel
(Debian splits it into its own binary package). This could cause a race
on unpacking, crashing.

[ Impact ]
If a user has an upgraded virtualenv wheel cache, then virtualenv
becomes unreliable, due to a race (two threads unpacking the target
files).

[ Tests ]
Manually tested 4 variants:
--seeder pip before and after --upgrade-embed-wheels
--seeder app-data and after --upgrade-embed-wheels

Autopkgtests verify that the basic functionality is unaffected.

[ Risks ]
The changes are relatively straightforward, and should improve
robustness.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock python-virtualenv/20.4.0+ds-2
diff -Nru python-virtualenv-20.4.0+ds/debian/changelog 
python-virtualenv-20.4.0+ds/debian/changelog
--- python-virtualenv-20.4.0+ds/debian/changelog2021-01-22 
23:40:18.0 -0400
+++ python-virtualenv-20.4.0+ds/debian/changelog2021-06-20 
17:31:30.0 -0400
@@ -1,3 +1,13 @@
+python-virtualenv (20.4.0+ds-2) unstable; urgency=medium
+
+  * Patch: Fix --upgrade-embed-wheels.
+  * Replace the pkg_resources addition part of
+debian_update_for_available_wheels.patch with include-pkg_resources.patch
+which will only include pkg_resources when using Debian's bundled
+setuptools wheel. (Closes: #976796)
+
+ -- Stefano Rivera   Sun, 20 Jun 2021 17:31:30 -0400
+
 python-virtualenv (20.4.0+ds-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru 
python-virtualenv-20.4.0+ds/debian/patches/debian_update_for_available_wheels.patch
 
python-virtualenv-20.4.0+ds/debian/patches/debian_update_for_available_wheels.patch
--- 
python-virtualenv-20.4.0+ds/debian/patches/debian_update_for_available_wheels.patch
 2021-01-22 23:40:18.0 -0400
+++ 
python-virtualenv-20.4.0+ds/debian/patches/debian_update_for_available_wheels.patch
 2021-06-20 17:31:30.0 -0400
@@ -1,42 +1,17 @@
-From: Debian Python Modules Team
- 
-Date: Sat, 21 Mar 2020 03:16:18 -0400
+From: Scott Kitterman 
+Date: Sun, 20 Jun 2021 13:49:30 -0400
 Subject: Update base embed to include pip provided wheels for --no-download
 
 Generate wheel lists and attributes for base install to match pip wheel
 versions and add pkg_resources to the base install for no download.
 
-Author: Scott Kitterman 
 Origin: vendor
 Forwarded: not-needed
 Last-Update: 2020-07-15
 ---
- src/virtualenv/seed/embed/base_embed.py  |  7 ++-
  src/virtualenv/seed/wheels/embed/__init__.py | 15 +++
- 2 files changed, 21 insertions(+), 1 deletion(-)
+ 1 file changed, 15 insertions(+)
 
-diff --git a/src/virtualenv/seed/embed/base_embed.py 
b/src/virtualenv/seed/embed/base_embed.py
-index c794e83..bc9cec8 100644
 a/src/virtualenv/seed/embed/base_embed.py
-+++ b/src/virtualenv/seed/embed/base_embed.py
-@@ -43,11 +43,16 @@ class BaseEmbed(Seeder):
- }
- 
- def distribution_to_versions(self):
--return {
-+dv = {
- distribution: getattr(self, "{}_version".format(distribution))
- for distribution in self.distributions()
- if getattr(self, "no_{}".format(distribution)) is False
- }
-+# Debian specific: Since Debian splits out pkg_resources from
-+# setuptools, for a local virtualenv, we need to add it to the base.
-+if not self.download:
-+dv['pkg_resources'] = None
-+return dv
- 
- @classmethod
- def add_parser_arguments(cls, parser, interpreter, app_data):
 diff --git a/src/virtualenv/seed/wheels/embed/__init__.py 
b/src/virtualenv/seed/wheels/embed/__init__.py
 index f63ec1d..4c1a4a7 100644
 --- a/src/virtualenv/seed/wheels/embed/__init__.py
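
Review bot: The patch description kept as context still says "and add pkg_resources to the base install for no download", but the base_embed.py hunk that did this is removed here and the diffstat drops to one file, so the header no longer matches the patch. Reword the description to cover only the wheel list generation, and bump `Last-Update: 2020-07-15`, which is left unchanged while From and Date were rewritten.
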
diff -Nru 
python-virtualenv-20.4.0+ds/debian/patches/disable-periodic-update.patch 
python-virtualenv-20.4.0+ds/debian/patches/disable-periodic-update.patch
--- python-virtualenv-20.4.0+ds/debian/patches/disable-periodic-update.patch
2021-01-22 23:40:18.0 -0400
+++ python-virtualenv-20.4.0+ds/debian/patches/disable-periodic-update.patch
2021-06-20 17:31:30.0 -0400
@

Bug#990036: unblock: xdot/1.2-2

2021-06-18 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package xdot

[ Reason ]
Fixing a (non-filed) RC bug - missing dependency on numpy.
https://github.com/zim-desktop-wiki/zim-desktop-wiki/issues/1496

[ Impact ]
The package may not be usable, if the user doesn't have numpy installed,
already.

[ Tests ]
No automated tests.

Manually tested that the package is still installable, and works.

[ Risks ]
Trivial change.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock xdot/1.2-2
diff -Nru xdot-1.2/debian/changelog xdot-1.2/debian/changelog
--- xdot-1.2/debian/changelog   2020-11-23 16:08:19.0 -0400
+++ xdot-1.2/debian/changelog   2021-06-18 10:01:16.0 -0400
@@ -1,3 +1,9 @@
+xdot (1.2-2) unstable; urgency=medium
+
+  * Add missing dependency on python3-numpy, introduced in 1.2.
+
+ -- Stefano Rivera   Fri, 18 Jun 2021 10:01:16 -0400
+
 xdot (1.2-1) unstable; urgency=low
 
   [ Stefano Rivera ]
diff -Nru xdot-1.2/debian/control xdot-1.2/debian/control
--- xdot-1.2/debian/control 2020-11-23 16:08:19.0 -0400
+++ xdot-1.2/debian/control 2021-06-18 10:01:16.0 -0400
@@ -22,6 +22,7 @@
  graphviz,
  python3-gi,
  python3-gi-cairo,
+ python3-numpy,
  ${misc:Depends},
  ${python3:Depends}
 Description: interactive viewer for Graphviz dot files
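
Review bot: `python3-numpy` is added by hand next to `${python3:Depends}`, so the generated substvar did not pick it up and the two can drift apart again on the next upstream release. The request states there are no automated tests; an autopkgtest that imports the package in a clean chroot would have caught this missing dependency and would catch the next one.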


Bug#989864: unblock: distro-info-data/0.48

2021-06-14 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: bdr...@debian.org

Please unblock package distro-info-data

distro-info-data (0.48) unstable; urgency=medium

  * Correct typo in changelog.
  * Set a release date for Debian bullseye (and bookworm creation), based on
the release team's tentative estimate.

[ Reason ]
We've got a tentative release date, let's roll with it.
If we slip, we can do a follow-up upload.

[ Impact ]
Bullseye will ship with distro-info that doesn't know the current
development release.

[ Tests ]
Data package. With some sanity-check tests.

[ Risks ]
Just a data package.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock distro-info-data/0.48
diff -Nru distro-info-data-0.47/debian/changelog 
distro-info-data-0.48/debian/changelog
--- distro-info-data-0.47/debian/changelog  2021-04-22 10:30:18.0 
-0400
+++ distro-info-data-0.48/debian/changelog  2021-06-14 17:47:09.0 
-0400
@@ -1,6 +1,14 @@
+distro-info-data (0.48) unstable; urgency=medium
+
+  * Correct typo in changelog.
+  * Set a release date for Debian bullseye (and bookworm creation), based on
+the release team's tentative estimate.
+
+ -- Stefano Rivera   Mon, 14 Jun 2021 17:47:09 -0400
+
 distro-info-data (0.47) unstable; urgency=medium
 
-  * Add Ubuntu 21.04, Impish Indri.
+  * Add Ubuntu 21.10, Impish Indri.
 
  -- Stefano Rivera   Thu, 22 Apr 2021 10:30:18 -0400
 
diff -Nru distro-info-data-0.47/debian.csv distro-info-data-0.48/debian.csv
--- distro-info-data-0.47/debian.csv2021-04-22 10:30:18.0 -0400
+++ distro-info-data-0.48/debian.csv2021-06-14 17:47:09.0 -0400
@@ -14,8 +14,8 @@
 8,Jessie,jessie,2013-05-04,2015-04-25,2018-06-17,2020-06-30,2022-06-30
 9,Stretch,stretch,2015-04-25,2017-06-17,2020-07-06,2022-06-30
 10,Buster,buster,2017-06-17,2019-07-06,2022-07-06,2024-06-30
-11,Bullseye,bullseye,2019-07-06
-12,Bookworm,bookworm,2021-08-01
+11,Bullseye,bullseye,2019-07-06,2021-07-31,2024-07-31
+12,Bookworm,bookworm,2021-07-31
 13,Trixie,trixie,2023-08-01
 ,Sid,sid,1993-08-16
 ,Experimental,experimental,1993-08-16
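
Review bot: The bullseye row now hard-codes 2021-07-31 as the release date and 2024-07-31 as EOL, and bookworm's creation date is moved to match, while the changelog calls the date a tentative estimate. All three values have to move together if the release slips, so a follow-up upload must touch both rows. The bullseye row also stops after the EOL column, whereas the buster row above carries one more date, so confirm that leaving the last column empty is intended.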


Bug#989216: unblock: python-ddt/1.4.1-2.1

2021-05-28 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-CC: Thomas Goirand 

Please unblock package python-ddt

Changes:
 python-ddt (1.4.1-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Patch: Support pyyaml's security patch in 5.3.1-4 (from 5.4 upstream).
 (Closes: #989009)

[ Reason ]
Updated python-ddt to build against pyyaml's recent security update
(#988926)

[ Impact ]
Fixes FTBFS with the new pyyaml.

[ Tests ]
The affected code is the test suite.

[ Risks ]
Change is from upstream, affecting only unit tests, so negligible.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock python-ddt/1.4.1-2.1
diff -Nru python-ddt-1.4.1/debian/changelog python-ddt-1.4.1/debian/changelog
--- python-ddt-1.4.1/debian/changelog   2020-10-14 04:11:28.0 -0400
+++ python-ddt-1.4.1/debian/changelog   2021-05-23 11:51:10.0 -0400
@@ -1,3 +1,11 @@
+python-ddt (1.4.1-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Patch: Support pyyaml's security patch in 5.3.1-4 (from 5.4 upstream).
+(Closes: #989009)
+
+ -- Stefano Rivera   Sun, 23 May 2021 11:51:10 -0400
+
 python-ddt (1.4.1-2) unstable; urgency=medium
 
   * Uploading to unstable.
diff -Nru python-ddt-1.4.1/debian/patches/pyyaml-unsafeloader.patch 
python-ddt-1.4.1/debian/patches/pyyaml-unsafeloader.patch
--- python-ddt-1.4.1/debian/patches/pyyaml-unsafeloader.patch   1969-12-31 
20:00:00.0 -0400
+++ python-ddt-1.4.1/debian/patches/pyyaml-unsafeloader.patch   2021-05-23 
11:50:57.0 -0400
@@ -0,0 +1,56 @@
+From 97f0a2315736e50f1b34a015447cd751da66ecb6 Mon Sep 17 00:00:00 2001
+From: Dirk Mueller 
+Date: Mon, 25 Jan 2021 22:49:04 +0100
+Subject: [PATCH] Use Yaml's UnsafeLoader for Python embedding tests
+
+In newer PyYAML versions the default FullLoader has
+python/object/* integration removed. One has to use
+UnsafeLoader instead. see this issue for details:
+
+https://github.com/yaml/pyyaml/issues/321
+Bug-Debian: https://bugs.debian.org/989009
+---
+ test/test_example.py|  2 +-
+ test/test_functional.py | 10 +-
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/test/test_example.py
 b/test/test_example.py
+@@ -151,7 +151,7 @@
+ 
+ @ddt
+ class YamlOnlyTestCase(unittest.TestCase):
+-@file_data('data/test_custom_yaml_loader.yaml', yaml.FullLoader)
++@file_data('data/test_custom_yaml_loader.yaml', yaml.UnsafeLoader)
+ def test_custom_yaml_loader(self, instance, expected):
+ """Test with yaml tags to create specific classes to compare"""
+ self.assertEqual(expected, instance)
+--- a/test/test_functional.py
 b/test/test_functional.py
+@@ -427,7 +427,7 @@
+ loader allowing python tags is passed.
+ """
+ 
+-from yaml import FullLoader
++from yaml import UnsafeLoader
+ from yaml.constructor import ConstructorError
+ 
+ def str_to_type(class_name):
+@@ -444,13 +444,13 @@
+ raise AssertionError()
+ 
+ @ddt
+-class YamlFullLoaderTest(object):
+-@file_data('data/test_functional_custom_tags.yaml', FullLoader)
++class YamlUnsafeLoaderTest(object):
++@file_data('data/test_functional_custom_tags.yaml', UnsafeLoader)
+ def test_cls_is_instance(self, instance, expected):
+ assert isinstance(instance, str_to_type(expected))
+ 
+-tests = list(filter(_is_test, YamlFullLoaderTest.__dict__))
+-obj = YamlFullLoaderTest()
++tests = list(filter(_is_test, YamlUnsafeLoaderTest.__dict__))
++obj = YamlUnsafeLoaderTest()
+ 
+ if not tests:
+ raise AssertionError('No tests have been found.')
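
Review bot: Passing `yaml.UnsafeLoader` to `@file_data(...)` in test_example.py and test_functional.py is only safe because both YAML files are in-tree fixtures, and nothing in the tests says so. A one-line comment next to `from yaml import UnsafeLoader` stating that the loader constructs arbitrary Python objects and must only be used on trusted fixture files would keep the pattern from being copied elsewhere. The patch header also carries Bug-Debian but no Origin field, although the From line names upstream commit 97f0a2315736e50f1b34a015447cd751da66ecb6.
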
diff -Nru python-ddt-1.4.1/debian/patches/series 
python-ddt-1.4.1/debian/patches/series
--- python-ddt-1.4.1/debian/patches/series  1969-12-31 20:00:00.0 
-0400
+++ python-ddt-1.4.1/debian/patches/series  2021-05-23 11:50:33.0 
-0400
@@ -0,0 +1 @@
+pyyaml-unsafeloader.patch


Bug#988967: unblock: mercurial/5.6.1-3

2021-05-24 Thread Stefano Rivera
Control: retitle -1 unblock: mercurial/5.6.1-4

Made one more change to get a build on mips64el:

mercurial (5.6.1-4) unstable; urgency=medium

  * Revert -mno-lra workaround on mips64el, #871514 was fixed. Fixes
occasional FTBFS on mips64el.

 -- Stefano Rivera   Sun, 23 May 2021 08:37:06 -0400

It has now built on all release architectures.

diff --git a/debian/rules b/debian/rules
index 49272a8e..d6a5d5bc 100755
--- a/debian/rules
+++ b/debian/rules
@@ -10,10 +10,6 @@
 PYVERS=$(shell py3versions -vs)
 PYVER_DEFAULT=$(shell py3versions -vd)
 include /usr/share/dpkg/architecture.mk
-ifeq ($(DEB_HOST_ARCH),mips64el)
-# Work around #871514
-export DEB_CFLAGS_MAINT_APPEND = -mno-lra
-endif
 
 override_dh_python3:
dh_python3 --shebang=/usr/bin/python3
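
Review bot: Dropping the `-mno-lra` block rests on #871514 being fixed, and the changelog describes the failure as occasional, so a single green mips64el build does not show that the workaround is no longer needed. It is worth rebuilding a few times on mips64el before relying on this, and noting in the changelog which toolchain version carries the fix.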

unblock mercurial/5.6.1-4

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272



Bug#988967: unblock: mercurial/5.6.1-3

2021-05-21 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: Tristan Seligmann , Julien Cristau 


Please unblock package mercurial

mercurial (5.6.1-3) unstable; urgency=medium

  * Team upload.

  [ Helmut Grohne ]
  * Annotate test dependencies  (closes: #980337).

  [ Stefano Rivera ]
  * python-3.9.2.patch: Use "&" instead of ";" as query string separator
in test-archive.t to fix FTBFS with Python 3.9.2, which changed its
urllib.parse.parse_qsl() behavior to only accept "&" as a separator by
default. (closes: #986514)

 -- Stefano Rivera   Fri, 21 May 2021 12:06:47 -0400

[ Reason ]
Fixes FTBFS with Python 3.9.2+. See #986514

[ Impact ]
FTBFS + autopkgtest failure.

[ Tests ]
It's a test change (and marking dependencies )

[ Risks ]
Patch is from upstream, and Ubuntu has carried it for a month, without
issue.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock mercurial/5.6.1-3
diff -Nru mercurial-5.6.1/debian/changelog mercurial-5.6.1/debian/changelog
--- mercurial-5.6.1/debian/changelog2021-02-01 12:47:09.0 -0400
+++ mercurial-5.6.1/debian/changelog2021-05-21 12:06:47.0 -0400
@@ -1,3 +1,18 @@
+mercurial (5.6.1-3) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Helmut Grohne ]
+  * Annotate test dependencies  (closes: #980337).
+
+  [ Stefano Rivera ]
+  * python-3.9.2.patch: Use "&" instead of ";" as query string separator
+in test-archive.t to fix FTBFS with Python 3.9.2, which changed its
+urllib.parse.parse_qsl() behavior to only accept "&" as a separator by
+default. (closes: #986514)
+
+ -- Stefano Rivera   Fri, 21 May 2021 12:06:47 -0400
+
 mercurial (5.6.1-2) unstable; urgency=medium
 
   * tests: make test-subrepo-git.t compatible with git's master->main
diff -Nru mercurial-5.6.1/debian/control mercurial-5.6.1/debian/control
--- mercurial-5.6.1/debian/control  2021-02-01 12:39:12.0 -0400
+++ mercurial-5.6.1/debian/control  2021-05-21 12:06:47.0 -0400
@@ -10,14 +10,14 @@
  debhelper-compat (= 13),
  dh-python,
  gettext,
- netbase,
- patchutils (>= 0.2.25),
+ netbase ,
+ patchutils (>= 0.2.25) ,
  python3-all-dev,
  python3-docutils,
  python3-roman,
- rename,
- unzip,
- zip,
+ rename ,
+ unzip ,
+ zip ,
  less ,
 Standards-Version: 4.5.0
 Homepage: https://www.mercurial-scm.org/
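
Review bot: In this copy the `+` lines for netbase, patchutils, rename, unzip and zip differ from the `-` lines only by a space before the comma, so the test-dependency annotation that the changelog entry describes is not visible; the unchanged `less ,` line shows the same gap. The annotation appears to have been lost from the archived text, so review this hunk against the real debdiff rather than this rendering.
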
diff -Nru mercurial-5.6.1/debian/patches/python-3.9.2.patch 
mercurial-5.6.1/debian/patches/python-3.9.2.patch
--- mercurial-5.6.1/debian/patches/python-3.9.2.patch   1969-12-31 
20:00:00.0 -0400
+++ mercurial-5.6.1/debian/patches/python-3.9.2.patch   2021-05-21 
12:06:47.0 -0400
@@ -0,0 +1,34 @@
+From: Martin von Zweigbergk 
+Date: Fri, 21 May 2021 12:03:33 -0400
+Subject: tests: make test-archive.t pass on py3.9 (issue6504)
+
+Something got stricter at parsing URL query parameters and now the
+parameters need to be separated by "&"; ";" is no longer allowed. See
+issue6504 for details.
+
+Differential Revision: https://phab.mercurial-scm.org/D10472
+
+Origin: upstream, https://www.mercurial-scm.org/repo/hg/rev/dc8976cc3a6e
+Bug-Debian: https://bugs.debian.org/986514
+Bug-upstream: https://bz.mercurial-scm.org/show_bug.cgi?id=6504
+---
+ tests/test-archive.t | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/test-archive.t b/tests/test-archive.t
+index 606c9e2..384a04a 100644
+--- a/tests/test-archive.t
 b/tests/test-archive.t
+@@ -334,10 +334,10 @@ invalid arch type should give 404
+   > pass
+   > if len(sys.argv) <= 3:
+   > node, archive = sys.argv[1:]
+-  > requeststr = 'cmd=archive;node=%s;type=%s' % (node, archive)
++  > requeststr = 'cmd=archive=%s=%s' % (node, archive)
+   > else:
+   > node, archive, file = sys.argv[1:]
+-  > requeststr = 'cmd=archive;node=%s;type=%s;file=%s' % (node, archive, 
file)
++  > requeststr = 'cmd=archive=%s=%s=%s' % (node, archive, 
file)
+   > try:
+   > stdout = sys.stdout.buffer
+   > except AttributeError:
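
Review bot: The `+` lines read `'cmd=archive=%s=%s'` and `'cmd=archive=%s=%s=%s'`, with no "&" and no `node`, `type` or `file` parameter names, which does not match the patch description (separate the parameters with "&" instead of ";"). As written, that request string would carry a single `cmd` parameter. This looks like damage to the archived text, so check the hunk against the upstream revision named in the Origin field before applying it.
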
diff -Nru mercurial-5.6.1/debian/patches/series 
mercurial-5.6.1/debian/patches/series
--- mercurial-5.6.1/debian/patches/series   2021-02-01 12:46:24.0 
-0400
+++ mercurial-5.6.1/debian/patches/series   2021-05-21 12:06:47.0 
-0400
@@ -4,3 +4,4 @@
 deb_specific__optional-dependencies
 deb_specific__disable_libdir_replacement.patch
 0005-Tolerate-SIGINT-getting-the-kill-in-test-stdio.py.patch
+python-3.9.2.patch
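
The parsing change behind this request, shown as an added example (not code from Mercurial or from the original mail): it parses each query string both with the "&"-only default and with ";" as the separator, and reports requests whose parameters are only visible under the old ";" splitting. The request lines and function names are constructed for illustration, and it assumes a Python whose `parse_qsl()` has the `separator` argument (3.9.2 or later, per the changelog entry above).

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed request lines (not from the page). The first one uses the
# ";"-separated style that the old test-archive.t request string used.
SAMPLE_REQUESTS = [
    "GET /?cmd=archive;node=tip;type=zip HTTP/1.1",
    "GET /?cmd=archive&node=tip&type=zip HTTP/1.1",
    "GET /?cmd=log;rev=2&style=raw HTTP/1.1",
    "GET /static/style.css HTTP/1.1",
]


def parse_both(query):
    """Parse a query string with the '&'-only default and with ';'."""
    with_amp = parse_qsl(query, keep_blank_values=True)
    with_semi = parse_qsl(query, keep_blank_values=True, separator=";")
    return with_amp, with_semi


def hidden_parameters(query):
    """Return parameter names that exist only when ';' is the separator.

    These are the parameters a server silently stops seeing once its
    Python only accepts '&': they are folded into the preceding value.
    """
    with_amp, with_semi = parse_both(query)
    amp_names = {name for name, _ in with_amp}
    return sorted({name for name, _ in with_semi} - amp_names)


def audit(request_lines):
    """Return (target, hidden parameter names) for each affected request."""
    findings = []
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # not a request line
        target = parts[1]
        query = urlsplit(target).query
        hidden = hidden_parameters(query) if ";" in query else []
        if hidden:
            findings.append((target, hidden))
    return findings


if __name__ == "__main__":
    for target, hidden in audit(SAMPLE_REQUESTS):
        print(f"{target}: parameters lost under '&'-only parsing: {hidden}")
```

A request that mixes both separators, like the third sample, is the case to look at first: two components that split it differently disagree about which parameters it carries.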


Bug#988961: unblock: python-libnacl/1.7.2-3

2021-05-21 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: Colin Watson 

Please unblock package python-libnacl

python-libnacl (1.7.2-3) unstable; urgency=medium

  * Team upload.
  * Patch: Fix crypto_kdf_derive_from_key() on 32-bit platforms.
(Closes: #988102)

 -- Stefano Rivera   Fri, 21 May 2021 16:35:48 -0400

[ Reason ]
Fixes a crash on 32bit platforms.

[ Impact ]
libnacl's KDF is broken on 32bit platforms.

[ Tests ]
The test suite covers the affected code. Test-built (running the test
suite) on i386 and armhf.

[ Risks ]
Trivial change.

Patch is carried by Gentoo, too.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock python-libnacl/1.7.2-3
diff -Nru python-libnacl-1.7.2/debian/changelog 
python-libnacl-1.7.2/debian/changelog
--- python-libnacl-1.7.2/debian/changelog   2020-11-14 08:40:57.0 
-0400
+++ python-libnacl-1.7.2/debian/changelog   2021-05-21 16:35:48.0 
-0400
@@ -1,3 +1,11 @@
+python-libnacl (1.7.2-3) unstable; urgency=medium
+
+  * Team upload.
+  * Patch: Fix crypto_kdf_derive_from_key() on 32-bit platforms.
+(Closes: #988102)
+
+ -- Stefano Rivera   Fri, 21 May 2021 16:35:48 -0400
+
 python-libnacl (1.7.2-2) unstable; urgency=medium
 
   * Add Breaks: python3-duniterpy (<< 0.60.1) (see #974655).
diff -Nru python-libnacl-1.7.2/debian/.gitignore 
python-libnacl-1.7.2/debian/.gitignore
--- python-libnacl-1.7.2/debian/.gitignore  2020-11-14 08:40:57.0 
-0400
+++ python-libnacl-1.7.2/debian/.gitignore  1969-12-31 20:00:00.0 
-0400
@@ -1,6 +0,0 @@
-*.debhelper*
-*.substvars
-debhelper-build-stamp
-files
-python-libnacl
-python3-libnacl
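
Review bot: This hunk deletes debian/.gitignore, but the 1.7.2-3 changelog entry mentions only the KDF patch, while the checklist says all changes are documented in d/changelog. Either mention the removal in the changelog or say in the request that it is an artefact of how the source package was built.
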
diff -Nru python-libnacl-1.7.2/debian/patches/32bit-kdf.patch 
python-libnacl-1.7.2/debian/patches/32bit-kdf.patch
--- python-libnacl-1.7.2/debian/patches/32bit-kdf.patch 1969-12-31 
20:00:00.0 -0400
+++ python-libnacl-1.7.2/debian/patches/32bit-kdf.patch 2021-05-21 
16:35:48.0 -0400
@@ -0,0 +1,24 @@
+From: =?utf-8?b?TWljaGHFgiBHw7Nybnk=?= 
+Date: Fri, 21 May 2021 16:25:27 -0400
+Subject: Fix crypto_kdf_derive_from_key() on 32-bit platforms
+
+Bug-Upstream: https://github.com/saltstack/libnacl/issues/126
+Bug-Debian: https://bugs.debian.org/988102
+Forwarded: https://github.com/saltstack/libnacl/pull/130
+---
+ libnacl/__init__.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libnacl/__init__.py b/libnacl/__init__.py
+index 98a53d9..f799b23 100644
+--- a/libnacl/__init__.py
 b/libnacl/__init__.py
+@@ -1195,7 +1195,7 @@ def crypto_kdf_derive_from_key(subkey_size, subkey_id, 
context, master_key):
+ """
+ size = int(subkey_size)
+ buf = ctypes.create_string_buffer(size)
+-nacl.crypto_kdf_derive_from_key(buf, subkey_size, subkey_id, context, 
master_key)
++nacl.crypto_kdf_derive_from_key(buf, subkey_size, 
ctypes.c_ulonglong(subkey_id), context, master_key)
+ return buf.raw
+ 
+ 
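
Review bot: Only `subkey_id` is wrapped, in `ctypes.c_ulonglong(...)`, and only at this one call site; the call also still passes `subkey_size` rather than the `size = int(subkey_size)` computed two lines earlier. Declaring `argtypes` once for `nacl.crypto_kdf_derive_from_key` would make ctypes apply the 64-bit conversion on every call, and passing `size` would keep the buffer length and the length argument from diverging.
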
diff -Nru python-libnacl-1.7.2/debian/patches/series 
python-libnacl-1.7.2/debian/patches/series
--- python-libnacl-1.7.2/debian/patches/series  1969-12-31 20:00:00.0 
-0400
+++ python-libnacl-1.7.2/debian/patches/series  2021-05-21 16:35:48.0 
-0400
@@ -0,0 +1 @@
+32bit-kdf.patch


Bug#988960: unblock: eclipse-titan/7.2.0-1.1

2021-05-21 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: Gergely Pilisi 

Please unblock package eclipse-titan

eclipse-titan (7.2.0-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Re-instate the --no-parallel option, fixing FTBFS on multi-core machines.
(Closes: #987646)

 -- Stefano Rivera   Fri, 21 May 2021 14:58:09 -0400

[ Reason ]
Fixes FTBFS.

[ Impact ]
Expecting auto-removal, if not granted.

[ Tests ]
FTBFS without this change, for me. Doesn't with it.

[ Risks ]
Nothing significant.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock eclipse-titan/7.2.0-1.1
diff -Nru eclipse-titan-7.2.0/debian/changelog 
eclipse-titan-7.2.0/debian/changelog
--- eclipse-titan-7.2.0/debian/changelog2021-02-16 05:25:17.0 
-0400
+++ eclipse-titan-7.2.0/debian/changelog2021-05-21 14:58:09.0 
-0400
@@ -1,3 +1,11 @@
+eclipse-titan (7.2.0-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Re-instate the --no-parallel option, fixing FTBFS on multi-core machines.
+(Closes: #987646)
+
+ -- Stefano Rivera   Fri, 21 May 2021 14:58:09 -0400
+
 eclipse-titan (7.2.0-1) unstable; urgency=medium
 
   * New release.
diff -Nru eclipse-titan-7.2.0/debian/rules eclipse-titan-7.2.0/debian/rules
--- eclipse-titan-7.2.0/debian/rules2021-02-16 05:20:17.0 -0400
+++ eclipse-titan-7.2.0/debian/rules2021-05-21 14:48:25.0 -0400
@@ -3,7 +3,7 @@
 export DEB_BUILD_MAINT_OPTIONS=hardening=+all
 
 %:
-   dh $@ --verbose
+   dh $@ --verbose --no-parallel
 
 override_dh_shlibdeps:
dh_shlibdeps -l$(CURDIR)/Install/lib
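
Review bot: `--no-parallel` is added to the top-level `dh $@` call, which serialises every debhelper step, and debian/rules gets no comment saying why. A comment referencing #987646 above the rule would stop the option from being dropped again (the changelog says it is being re-instated). If only the upstream build is racy, passing the option in an `override_dh_auto_build` target would limit the slowdown.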


Bug#988957: unblock: pydantic/1.7.4-1

2021-05-21 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: Michael Banck 

Please unblock package pydantic

pydantic (1.7.4-1) unstable; urgency=medium

  * Team upload.
  * New upstream point release.
- Fixes CVE-2021-29510: Date and datetime parsing could cause an infinite
  loop by passing either 'infinity' or float('inf') (Closes: #988480)
  * Update watch file to version 4 with current uscan(1) recommended regex.

 -- Stefano Rivera   Fri, 21 May 2021 16:05:17 -0400

[ Reason ]
New upstream point release, with (only) a security fix (DoS).

[ Impact ]
Without this patch, pydantic can be DoSed with "infinity" as a
timestamp.

[ Tests ]
Upstream unit test suite runs during the package build.
There are unit tests for the changes in this release.

[ Risks ]
Upstream maintains support branches, and provided this point release. So
we're not relying on any untested patches.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock pydantic/1.7.4-1
diff -Nru pydantic-1.7.3/debian/changelog pydantic-1.7.4/debian/changelog
--- pydantic-1.7.3/debian/changelog 2021-01-08 03:31:43.0 -0400
+++ pydantic-1.7.4/debian/changelog 2021-05-21 16:05:17.0 -0400
@@ -1,3 +1,13 @@
+pydantic (1.7.4-1) unstable; urgency=medium
+
+  * Team upload.
+  * New upstream point release.
+- Fixes CVE-2021-29510: Date and datetime parsing could cause an infinite
+  loop by passing either 'infinity' or float('inf') (Closes: #988480)
+  * Update watch file to version 4 with current uscan(1) recommended regex.
+
+ -- Stefano Rivera   Fri, 21 May 2021 16:05:17 -0400
+
 pydantic (1.7.3-1) unstable; urgency=medium
 
   [ Sandro Tosi ]
diff -Nru pydantic-1.7.3/debian/watch pydantic-1.7.4/debian/watch
--- pydantic-1.7.3/debian/watch 2021-01-08 03:31:43.0 -0400
+++ pydantic-1.7.4/debian/watch 2021-05-21 16:05:17.0 -0400
@@ -1,2 +1,4 @@
-version=3
-https://github.com/samuelcolvin/pydantic/releases .*/archive/v([\d.]+)\.tar\.gz
+version=4
+opts="filenamemangle=s%(?:.*?)?v?(\d[\d.]*)\.tar\.gz%@PACKAGE@-$1.tar.gz%" \
+https://github.com/samuelcolvin/pydantic/releases \
+(?:.*?/)?v?(\d[\d.]*)\.tar\.gz
diff -Nru pydantic-1.7.3/.github/workflows/ci.yml 
pydantic-1.7.4/.github/workflows/ci.yml
--- pydantic-1.7.3/.github/workflows/ci.yml 2020-11-30 19:33:24.0 
-0400
+++ pydantic-1.7.4/.github/workflows/ci.yml 2021-05-11 15:04:58.0 
-0400
@@ -80,20 +80,20 @@
 COMPILED: yes
 DEPS: yes
 
-- name: uninstall deps
-  run: pip uninstall -y cython email-validator typing-extensions devtools 
python-dotenv
-
-- name: test compiled without deps
-  run: make test
-
-- run: coverage xml
-- uses: codecov/codecov-action@v1.0.14
-  with:
-file: ./coverage.xml
-env_vars: COMPILED,DEPS,PYTHON,OS
-  env:
-COMPILED: yes
-DEPS: no
+#- name: uninstall deps
+#  run: pip uninstall -y cython email-validator typing-extensions devtools 
python-dotenv
+#
+#- name: test compiled without deps
+#  run: make test
+#
+#- run: coverage xml
+#- uses: codecov/codecov-action@v1.0.14
+#  with:
+#file: ./coverage.xml
+#env_vars: COMPILED,DEPS,PYTHON,OS
+#  env:
+#COMPILED: yes
+#DEPS: no
 
 - name: remove compiled binaries
   run: |
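
Review bot: The "uninstall deps" and "test compiled without deps" steps are commented out rather than removed, and nothing in the hunk says why. The request describes 1.7.4 as containing only a security fix and relies on upstream testing in the Risks section, so it is worth stating that this release also drops the compiled-without-dependencies test run and its coverage upload from upstream CI.
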
@@ -159,11 +159,12 @@
   with:
 python-version: '3.7'
 
-- name: install
-  run: make install-testing
-
-- name: test
-  run: make test-fastapi
+- run: echo "skip fastapi for now"
+#- name: install
+#  run: make install-testing
+#
+#- name: test
+#  run: make test-fastapi
 
   benchmark:
 name: run benchmarks
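
Review bot: The fastapi job body is replaced by `echo "skip fastapi for now"`, so the job still reports success while testing nothing, and there is no issue reference for when it comes back. Running `make test-fastapi` once by hand against 1.7.4 would restore the coverage this hunk removes.
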
diff -Nru pydantic-1.7.3/HISTORY.md pydantic-1.7.4/HISTORY.md
--- pydantic-1.7.3/HISTORY.md   2020-11-30 19:33:24.0 -0400
+++ pydantic-1.7.4/HISTORY.md   2021-05-11 15:04:58.0 -0400
@@ -1,3 +1,9 @@
+## v1.7.4 (2021-05-11)
+
+* **Security fix:** Fix `date` and `datetime` parsing so passing either 
`'infinity'` or `float('inf')` 
+  (or their negative values) does not cause an infinite loop,
+  See security advisory 
[CVE-2021-29510](https://github.com/samuelcolvin/pydantic/security/advisories/GHSA-5jqp-qgf6-3pvh)
+
 ## v1.7.3 (2020-11-30)
 
 Thank you to pydantic's sponsors:
diff -Nru pydantic-1.7.3/pydantic/datetime_parse.py 
pydantic-1.7.4/pydantic/datetime_parse.py
--- pydantic-1.7.3/pydantic/datetime_parse.py   2020-11-30 19:33:24.0 
-0400
+++ pydantic-1.7.4/pydantic/datetime_parse.py   2021-05-11 15:04:58.0 
-0400
@@ -58,6 +58,8 @@
 # if greater than this, the number is in ms, if less than or equal it's in 
seconds
 # (in seconds this is 11th October 2603, in ms it's 20th August 1970)
 MS_WATERSHED = int(2e10)
+# slightl
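
The class of bug this request describes, as an added example (not pydantic's code and not the upstream fix): a loop that divides a timestamp by 1000 until it falls below the watershed never ends for an infinite input, because infinity divided by 1000 is still infinity. `MS_WATERSHED` is the value visible in the diff context above; the function names, the `max_steps` guard and the choice to reject non-finite input are assumptions made for illustration.

```python
import math
from datetime import datetime, timezone

# Same value as the MS_WATERSHED line in the diff context above: larger
# numbers are treated as milliseconds, smaller ones as seconds.
MS_WATERSHED = int(2e10)


def scale_to_seconds(value, max_steps=None):
    """Divide by 1000 until the value is at or below the watershed.

    Returns (seconds, steps). max_steps exists only so this example can
    show non-termination without hanging; None means no limit, which is
    what an unguarded loop amounts to. On hitting the limit the result
    is (None, max_steps).
    """
    steps = 0
    while abs(value) > MS_WATERSHED:
        if max_steps is not None and steps >= max_steps:
            return None, steps
        value /= 1000  # inf / 1000 == inf, so inf never gets smaller
        steps += 1
    return value, steps


def parse_timestamp(raw):
    """Hardened parser: numeric input only, non-finite values rejected."""
    try:
        number = float(raw)
    except (TypeError, ValueError, OverflowError):
        raise ValueError(f"not a usable numeric timestamp: {raw!r}") from None
    # float() accepts 'infinity', 'inf' and 'nan', so check after converting.
    if not math.isfinite(number):
        raise ValueError(f"non-finite timestamp rejected: {raw!r}")
    seconds, _ = scale_to_seconds(number)
    try:
        return datetime.fromtimestamp(seconds, tz=timezone.utc)
    except (OverflowError, OSError, ValueError):
        raise ValueError(f"timestamp out of range: {raw!r}") from None


def accepts(raw):
    """True if parse_timestamp() returns a datetime for this input."""
    try:
        parse_timestamp(raw)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(scale_to_seconds(float("inf"), max_steps=500))  # limit reached
    print(parse_timestamp(1_600_000_000_000))             # ms input
    print(accepts("infinity"), accepts("-infinity"), accepts("nan"))
```

Any finite float reaches the watershed in about a hundred divisions, so a step limit is a workable second line of defence where input cannot be validated up front.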

Bug#988939: unblock: whipper/0.9.0-7

2021-05-21 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: Krzysztof Krzyżaniak (eloy) 

Please unblock package whipper

Adds a couple of missing dependencies, and fixes up a stale description
talking about Python 2.7.

[ Reason ]
Fixes RC bugs for missing dependencies.

[ Impact ]
Without this, I'd expect auto-removal :)

[ Tests ]
Checked that the package installs and runs --help, which it didn't
before.

[ Risks ]
Changes are trivial.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
Changelog is kinda weird, but I was mostly just sponsoring an upload for
a DD, so shrug.

unblock whipper/0.9.0-7
diff -Nru whipper-0.9.0/debian/changelog whipper-0.9.0/debian/changelog
--- whipper-0.9.0/debian/changelog  2020-05-29 02:17:36.0 -0400
+++ whipper-0.9.0/debian/changelog  2021-04-27 08:22:21.0 -0400
@@ -1,3 +1,26 @@
+whipper (0.9.0-7) unstable; urgency=medium
+
+  [ Krzysztof Krzyżaniak (eloy) ]
+  * control: Update dependencies, added flac package (Closes: #978166)
+
+  [ Stefano Rivera ]
+  * Depend on python3-distutils, it's used at runtime (Closes: #971628)
+
+ -- Krzysztof Krzyżaniak (eloy)   Tue, 27 Apr 2021 14:22:21 
+0200
+
+whipper (0.9.0-6) unstable; urgency=medium
+
+  * Non maintainer upload by the Reproducible Builds team.
+  * No source change upload to rebuild on buildd with .buildinfo files.
+
+ -- Krzysztof Krzyżaniak (eloy)   Fri, 01 Jan 2021 22:04:03 
+0100
+
+whipper (0.9.0-5) unstable; urgency=medium
+
+  * control: Update description (closes: #968880)
+
+ -- Krzysztof Krzyżaniak (eloy)   Sun, 23 Aug 2020 13:39:11 
+0200
+
 whipper (0.9.0-4) unstable; urgency=medium
 
   * control: Add cdrdao to depends. (Closes: #961758)
diff -Nru whipper-0.9.0/debian/control whipper-0.9.0/debian/control
--- whipper-0.9.0/debian/control2020-05-29 02:05:48.0 -0400
+++ whipper-0.9.0/debian/control2021-04-27 08:22:21.0 -0400
@@ -22,6 +22,7 @@
 Depends: ${python3:Depends},
   ${shlibs:Depends},
   ${misc:Depends},
+  python3-distutils,
   python3-musicbrainzngs,
   python3-cdio,
   python3-requests,
@@ -31,8 +32,9 @@
   sox,
   cd-paranoia,
   cdrdao,
-Description: CD-DA ripper based
- Whipper is a Python 2.7 CD-DA ripper based on the morituri project
+  flac
+Description: CD ripping utility focusing on accuracy over speed
+ Whipper is a Python CD-DA ripper based on the morituri project
  (CDDA ripper for *nix systems aiming for accuracy over speed). It enhances
  morituri which development seems to have halted merging old ignored pull
  requests, improving it with bugfixes and new features.
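
Review bot: The short description is fixed here, but the long description kept as context still reads "It enhances morituri which development seems to have halted merging old ignored pull requests", which is hard to parse. Since the paragraph is being edited anyway, reword it, for example "It builds on morituri, whose development seems to have halted, by merging old pull requests and adding bugfixes and new features".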


Bug#988926: unblock: pyyaml/5.3.1-4

2021-05-21 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: Scott Kitterman , Michael Hudson-Doyle 


Please unblock package pyyaml

pyyaml (5.3.1-4) unstable; urgency=medium

  * Team upload.

  [ Debian Janitor ]
  * Apply multi-arch hints.
    + python3-yaml-dbg: Add Multi-Arch: same.

  [ Stefano Rivera ]
  * Resolve CVE-2020-14343, more trivial RCEs in .load() and FullLoader.
    (Closes: #966233)

 -- Stefano Rivera   Fri, 21 May 2021 11:11:00 -0400

[ Reason ]
Fixes a security issue (#966233, CVE-2020-14343).

Not expecting it to be 100% secure, that requires more significant API
changes, but at least it's a bit better.
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation

[ Impact ]
Known RCE risk in a parsing library.

[ Tests ]
Manually tested that the example exploits are mitigated.

[ Risks ]
Haven't checked reverse-dependencies (there are a lot of them) for
breakage.

Ubuntu has carried this patch for a month, with no known issues.

I saw one issue mentioned on github, but that doesn't trigger an FTBFS
for us (no build-dep on pyyaml): 
https://github.com/networkx/networkx/issues/4569

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock pyyaml/5.3.1-4
diff -Nru pyyaml-5.3.1/debian/changelog pyyaml-5.3.1/debian/changelog
--- pyyaml-5.3.1/debian/changelog   2020-10-22 19:33:33.0 -0400
+++ pyyaml-5.3.1/debian/changelog   2021-05-21 11:11:00.0 -0400
@@ -1,3 +1,17 @@
+pyyaml (5.3.1-4) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Debian Janitor ]
+  * Apply multi-arch hints.
++ python3-yaml-dbg: Add Multi-Arch: same.
+
+  [ Stefano Rivera ]
+  * Resolve CVE-2020-14343, more trivial RCEs in .load() and FullLoader.
+(Closes: #966233)
+
+ -- Stefano Rivera   Fri, 21 May 2021 11:11:00 -0400
+
 pyyaml (5.3.1-3) unstable; urgency=medium
 
   [ Ondřej Nový ]
diff -Nru pyyaml-5.3.1/debian/control pyyaml-5.3.1/debian/control
--- pyyaml-5.3.1/debian/control 2020-10-22 19:33:33.0 -0400
+++ pyyaml-5.3.1/debian/control 2021-05-21 11:11:00.0 -0400
@@ -25,6 +25,7 @@
 Section: debug
 Architecture: any
 Depends: python3-yaml (= ${binary:Version}), python3-dbg, ${shlibs:Depends}, 
${misc:Depends}
+Multi-Arch: same
 Description: YAML parser and emitter for Python3 (debug build)
  Python3-yaml is a complete YAML 1.1 parser and emitter for Python3.  It can
  parse all examples from the specification. The parsing algorithm is simple
diff -Nru pyyaml-5.3.1/debian/patches/cve-2020-14343.patch 
pyyaml-5.3.1/debian/patches/cve-2020-14343.patch
--- pyyaml-5.3.1/debian/patches/cve-2020-14343.patch1969-12-31 
20:00:00.0 -0400
+++ pyyaml-5.3.1/debian/patches/cve-2020-14343.patch2021-05-21 
11:11:00.0 -0400
@@ -0,0 +1,127 @@
+From: =?utf-8?q?Ingy_d=C3=B6t_Net?= 
+Date: Sat, 9 Jan 2021 10:53:23 -0500
+Subject: Fix for CVE-2020-14343
+
+Per suggestion https://github.com/yaml/pyyaml/issues/420#issuecomment-663888344
+move a few constructors from full_load to unsafe_load.
+
+Bug-Debian: https://bugs.debian.org/966233
+Bug-Upstream: https://github.com/yaml/pyyaml/issues/420
+Origin: upstream, 
https://github.com/yaml/pyyaml/commit/a001f2782501ad2d24986959f0239a354675f9dc
+---
+ lib/yaml/constructor.py  | 24 
+ lib3/yaml/constructor.py | 24 
+ tests/lib/test_recursive.py  |  2 +-
+ tests/lib3/test_recursive.py |  2 +-
+ 4 files changed, 26 insertions(+), 26 deletions(-)
+
+diff --git a/lib/yaml/constructor.py b/lib/yaml/constructor.py
+index 794681c..c42ee34 100644
+--- a/lib/yaml/constructor.py
 b/lib/yaml/constructor.py
+@@ -722,18 +722,6 @@ FullConstructor.add_multi_constructor(
+ u'tag:yaml.org,2002:python/name:',
+ FullConstructor.construct_python_name)
+ 
+-FullConstructor.add_multi_constructor(
+-u'tag:yaml.org,2002:python/module:',
+-FullConstructor.construct_python_module)
+-
+-FullConstructor.add_multi_constructor(
+-u'tag:yaml.org,2002:python/object:',
+-FullConstructor.construct_python_object)
+-
+-FullConstructor.add_multi_constructor(
+-u'tag:yaml.org,2002:python/object/new:',
+-FullConstructor.construct_python_object_new)
+-
+ class UnsafeConstructor(FullConstructor):
+ 
+ def find_python_module(self, name, mark):
+@@ -750,6 +738,18 @@ class UnsafeConstructor(FullConstructor):
+ return super(UnsafeConstructor, self).set_python_instance_state(
+ instance, state, unsafe=True)
+ 
++UnsafeConstructor.add_multi_constructor(
++u'tag:yaml.org,2002:python/module:',
++UnsafeConstructor.construct_python_module)
++
++UnsafeConstructor.add_multi_constructor(
++u'tag:yaml.org,2002:python/object:',
++UnsafeConstructor.construct_python_object)
++
++UnsafeConstructor.add_multi_constructor(
++u'tag:yaml.org,2002:python/object
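Review bot: the context at the top of the first lib/yaml/constructor.py hunk shows `python/name:` staying registered on FullConstructor, so after this patch FullLoader still resolves that tag and only `python/module:`, `python/object:` and `python/object/new:` are removed from it. The patch header says just "move a few constructors"; list the tags that move and the ones left in place there, so that anyone auditing callers of .load() and full_load knows what FullLoader continues to accept.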

Bug#988628: unblock: six/1.16.0-1

2021-05-16 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: cjwat...@debian.org
Control: block 988418 with -1

Please unblock package six

There is a new six in unstable that python-pip built against, it needs
to migrate for pip to be able to.

[ Reason ]
New upstream release, with minor improvement for Python 3.10.

[ Impact ]
python-pip won't migrate (#988418).

[ Tests ]
Upstream tests are run at build. But the changed code isn't covered by
any new tests.

[ Risks ]
Minimal changes in a very stable library.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock six/1.16.0-1
diff -Nru six-1.15.0/CHANGES six-1.16.0/CHANGES
--- six-1.15.0/CHANGES  2020-05-21 11:25:33.0 -0400
+++ six-1.16.0/CHANGES  2021-05-05 10:17:58.0 -0400
@@ -3,6 +3,12 @@
 
 This file lists the changes in each six version.
 
+1.16.0
+--
+
+- Pull request #343, issue #341, pull request #349: Port _SixMetaPathImporter 
to
+  Python 3.10.
+
 1.15.0
 --
 
@@ -100,7 +106,7 @@
 
 - Issue #98: Fix `six.moves` race condition in multi-threaded code.
 
-- Pull request #51: Add `six.view(keys|values|itmes)`, which provide dictionary
+- Pull request #51: Add `six.view(keys|values|items)`, which provide dictionary
   views on Python 2.7+.
 
 - Issue #112: `six.moves.reload_module` now uses the importlib module on
@@ -227,7 +233,7 @@
 - Issue #40: Add import mapping for the Python 2 gdbm module.
 
 - Issue #35: On Python versions less than 2.7, print_ now encodes unicode
-  strings when outputing to standard streams. (Python 2.7 handles this
+  strings when outputting to standard streams. (Python 2.7 handles this
   automatically.)
 
 1.4.1
diff -Nru six-1.15.0/debian/changelog six-1.16.0/debian/changelog
--- six-1.15.0/debian/changelog 2020-11-09 20:16:45.0 -0400
+++ six-1.16.0/debian/changelog 2021-05-09 06:40:54.0 -0400
@@ -1,3 +1,9 @@
+six (1.16.0-1) unstable; urgency=medium
+
+  * New upstream release.
+
+ -- Colin Watson   Sun, 09 May 2021 11:40:54 +0100
+
 six (1.15.0-2) unstable; urgency=medium
 
   [ Ondřej Nový ]
diff -Nru six-1.15.0/PKG-INFO six-1.16.0/PKG-INFO
--- six-1.15.0/PKG-INFO 2020-05-21 11:25:53.508234700 -0400
+++ six-1.16.0/PKG-INFO 2021-05-05 10:18:16.777235000 -0400
@@ -1,6 +1,6 @@
 Metadata-Version: 1.2
 Name: six
-Version: 1.15.0
+Version: 1.16.0
 Summary: Python 2 and 3 compatibility utilities
 Home-page: https://github.com/benjaminp/six
 Author: Benjamin Peterson
diff -Nru six-1.15.0/six.egg-info/PKG-INFO six-1.16.0/six.egg-info/PKG-INFO
--- six-1.15.0/six.egg-info/PKG-INFO2020-05-21 11:25:53.0 -0400
+++ six-1.16.0/six.egg-info/PKG-INFO2021-05-05 10:18:16.0 -0400
@@ -1,6 +1,6 @@
 Metadata-Version: 1.2
 Name: six
-Version: 1.15.0
+Version: 1.16.0
 Summary: Python 2 and 3 compatibility utilities
 Home-page: https://github.com/benjaminp/six
 Author: Benjamin Peterson
diff -Nru six-1.15.0/six.py six-1.16.0/six.py
--- six-1.15.0/six.py   2020-05-21 11:25:33.0 -0400
+++ six-1.16.0/six.py   2021-05-05 10:17:58.0 -0400
@@ -29,7 +29,7 @@
 import types
 
 __author__ = "Benjamin Peterson "
-__version__ = "1.15.0"
+__version__ = "1.16.0"
 
 
 # Useful for very coarse version differentiation.
@@ -71,6 +71,11 @@
 MAXSIZE = int((1 << 63) - 1)
 del X
 
+if PY34:
+from importlib.util import spec_from_loader
+else:
+spec_from_loader = None
+
 
 def _add_doc(func, doc):
 """Add documentation to a function."""
@@ -186,6 +191,11 @@
 return self
 return None
 
+def find_spec(self, fullname, path, target=None):
+if fullname in self.known_modules:
+return spec_from_loader(fullname, self)
+return None
+
 def __get_module(self, fullname):
 try:
 return self.known_modules[fullname]
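Review bot: `find_spec` calls `spec_from_loader(fullname, self)` unconditionally, but the earlier hunk binds `spec_from_loader = None` when PY34 is false, so a direct call on such an interpreter fails with a "'NoneType' object is not callable" TypeError instead of a clear error. That is safe only as long as nothing but the import machinery of 3.4 and later calls find_spec; add a comment saying so next to the `else:` branch, and state that the `path` and `target` parameters are deliberately unused.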
@@ -223,6 +233,12 @@
 return None
 get_source = get_code  # same as get_code
 
+def create_module(self, spec):
+return self.load_module(spec.name)
+
+def exec_module(self, module):
+pass
+
 _importer = _SixMetaPathImporter(__name__)
 
 
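Review bot: `exec_module` is a bare `pass` with no comment, and nothing in this diff tests the new `find_spec`, `create_module` and `exec_module` path. A one-line comment that the module returned by `create_module` has already been fully set up by `load_module(spec.name)` would explain why there is nothing left to execute, and a test that imports one of the known modules through the spec-based path would cover the change.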


Bug#988418: unblock: python-pip/20.3.4-2

2021-05-12 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package python-pip

[ Reason ]
Pick up the security fix from #988399.

Apply another security update to pip itself. This has no CVE (yet?).

Also included: Minor improvements to autopkgtests, making them more
rugged and the result logs more readable.

[ Impact ]
A known security issue.

[ Tests ]
The package has basic autopkgtest coverage that ensures pip broadly
functions.

The affected code isn't covered by tests, but has been part of 2
upstream releases, without needing to be touched again.

[ Risks ]
pip is virtually a leaf package.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock python-pip/20.3.4-2
diff -Nru python-pip-20.3.4/debian/changelog python-pip-20.3.4/debian/changelog
--- python-pip-20.3.4/debian/changelog  2021-03-01 17:03:20.0 -0400
+++ python-pip-20.3.4/debian/changelog  2021-05-12 08:39:26.0 -0400
@@ -1,3 +1,14 @@
+python-pip (20.3.4-2) unstable; urgency=medium
+
+  * Add myself to uploaders.
+  * Mark autopkgtests that use PyPI as needs-internet.
+  * Mark autopkgtests that use PyPI as allow-stderr. Retried http requests,
+common in Ubuntu CI, will result in logging to stderr. set -e to catch
+real errors.
+  * Security: Don't split git references on unicode separators.
+
+ -- Stefano Rivera   Wed, 12 May 2021 08:39:26 -0400
+
 python-pip (20.3.4-1) unstable; urgency=medium
 
   [ Stefano Rivera ]
diff -Nru python-pip-20.3.4/debian/control python-pip-20.3.4/debian/control
--- python-pip-20.3.4/debian/control2021-03-01 17:03:20.0 -0400
+++ python-pip-20.3.4/debian/control2021-05-12 08:39:26.0 -0400
@@ -4,6 +4,7 @@
 Maintainer: Debian Python Team 
 Uploaders: Carl Chenet ,
Scott Kitterman ,
+   Stefano Rivera 
 Homepage: https://pip.pypa.io/en/stable/
 Build-Depends: debhelper-compat (= 11),
dh-python,
diff -Nru python-pip-20.3.4/debian/patches/git-split-ascii.patch 
python-pip-20.3.4/debian/patches/git-split-ascii.patch
--- python-pip-20.3.4/debian/patches/git-split-ascii.patch  1969-12-31 
20:00:00.0 -0400
+++ python-pip-20.3.4/debian/patches/git-split-ascii.patch  2021-05-12 
08:39:26.0 -0400
@@ -0,0 +1,40 @@
+From: Pradyun Gedam 
+Date: Tue, 11 May 2021 20:04:10 -0400
+Subject: Security: Don't split git references on unicode separators
+
+Previously, maliciously formatted tags could be used to hijack a
+commit-based pin. Using the fact that the split here allowed for
+all of unicode's whitespace characters as separators -- which git allows
+as a part of a tag name -- it is possible to force a different revision
+to be installed; if an attacker gains access to the repository.
+
+This change stops splitting the string on unicode characters, by forcing
+the splits to happen on newlines and ASCII spaces.
+
+Origin: upstream, https://github.com/pypa/pip/pull/9827
+---
+ src/pip/_internal/vcs/git.py | 10 --
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py
+index 565961a..4423a91 100644
+--- a/src/pip/_internal/vcs/git.py
 b/src/pip/_internal/vcs/git.py
+@@ -149,9 +149,15 @@ class Git(VersionControl):
+ on_returncode='ignore',
+ )
+ refs = {}
+-for line in output.strip().splitlines():
++# NOTE: We do not use splitlines here since that would split on other
++#   unicode separators, which can be maliciously used to install a
++#   different revision.
++for line in output.strip().split("\n"):
++line = line.rstrip("\r")
++if not line:
++continue
+ try:
+-sha, ref = line.split()
++sha, ref = line.split(" ", maxsplit=2)
+ except ValueError:
+ # Include the offending line to simplify troubleshooting if
+ # this error ever occurs.
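Review bot: in the git.py change, `line.split(" ", maxsplit=2)` passes maxsplit as a keyword, which Python 2's split rejects with TypeError, and the surrounding `except ValueError` would not catch that. debian/patches/series still carries debian-python2.7-sysconfig-workaround.patch, so if this module can still be run under 2.7, pass the limit positionally. Separately, maxsplit=2 lets a line yield three fields, so the two-name unpack rejects extra fields only by raising ValueError; a short comment saying that this is intended would stop a later reader from changing it to 1.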
diff -Nru python-pip-20.3.4/debian/patches/series 
python-pip-20.3.4/debian/patches/series
--- python-pip-20.3.4/debian/patches/series 2021-03-01 17:03:20.0 
-0400
+++ python-pip-20.3.4/debian/patches/series 2021-05-12 08:39:26.0 
-0400
@@ -9,3 +9,4 @@
 debian-python2.7-sysconfig-workaround.patch
 debug-command-for-unbundled.patch
 str-version.patch
+git-split-ascii.patch
diff -Nru python-pip-20.3.4/debian/tests/control 
python-pip-20.3.4/debian/tests/control
--- python-pip-20.3.4/debian/tests/control  2021-03-01 17:03:20.0 
-0400
+++ python-pip-20.3.4/debian/tests/control  2021-05-12 08:39:26.0 
-0400
@@ -1,8 +1,8 @@
 Tests: pip3-root.sh
-Restrictions: breaks-testbed, needs-root
+Restrictions: allow-stderr, breaks-testbed, needs-internet, nee

Bug#988399: unblock: python-urllib3/1.26.4-1

2021-05-11 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: er...@debian.org

Please unblock package python-urllib3

This is an upstream point release, that fixes a security issue
(CVE-2021-28363).

All the changes are either inconsequential documentation noise or
targeted bug fixes.

The diff is small enough that I'll immediately upload to unstable.

[ Reason ]
Pick up an upstream security fix, and bug fixes in a point release.

[ Impact ]
Known security issue.

[ Tests ]
Upstream unit test suite covers the changes.

[ Risks ]
Minimal. It's a popular Python package, the point release is over a
month old and hasn't had regressions reported.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
I'll follow-up with a security update to pip that will update its
bundled urllib3.

unblock python-urllib3/1.26.4-1
diff -Nru python-urllib3-1.26.2/CHANGES.rst python-urllib3-1.26.4/CHANGES.rst
--- python-urllib3-1.26.2/CHANGES.rst   2020-11-12 18:16:30.0 -0400
+++ python-urllib3-1.26.4/CHANGES.rst   2021-03-15 11:03:47.0 -0400
@@ -1,6 +1,23 @@
 Changes
 ===
 
+1.26.4 (2021-03-15)
+---
+
+* Changed behavior of the default ``SSLContext`` when connecting to HTTPS proxy
+  during HTTPS requests. The default ``SSLContext`` now sets 
``check_hostname=True``.
+
+
+1.26.3 (2021-01-26)
+---
+
+* Fixed bytes and string comparison issue with headers (Pull #2141)
+
+* Changed ``ProxySchemeUnknown`` error message to be
+  more actionable if the user supplies a proxy URL without
+  a scheme. (Pull #2107)
+
+
 1.26.2 (2020-11-12)
 ---
 
diff -Nru python-urllib3-1.26.2/debian/changelog 
python-urllib3-1.26.4/debian/changelog
--- python-urllib3-1.26.2/debian/changelog  2020-12-30 21:22:32.0 
-0400
+++ python-urllib3-1.26.4/debian/changelog  2021-05-11 20:30:00.0 
-0400
@@ -1,3 +1,12 @@
+python-urllib3 (1.26.4-1) unstable; urgency=medium
+
+  * Team upload.
+  * New upstream release.
+- Enforces certificate validation in some cases involving HTTPS to HTTPS
+  proxies CVE-2021-28363.
+
+ -- Stefano Rivera   Tue, 11 May 2021 20:30:00 -0400
+
 python-urllib3 (1.26.2-1) unstable; urgency=medium
 
   * New upstream version 1.26.2
diff -Nru 
python-urllib3-1.26.2/debian/patches/01_do-not-use-embedded-python-six.patch 
python-urllib3-1.26.4/debian/patches/01_do-not-use-embedded-python-six.patch
--- 
python-urllib3-1.26.2/debian/patches/01_do-not-use-embedded-python-six.patch
2020-12-30 21:22:32.0 -0400
+++ 
python-urllib3-1.26.4/debian/patches/01_do-not-use-embedded-python-six.patch
2021-05-11 20:30:00.0 -0400
@@ -76,7 +76,7 @@
  __all__ = ["RecentlyUsedContainer", "HTTPHeaderDict"]
  
 diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py
-index 660d679..826f8d7 100644
+index 45580b7..1cddda4 100644
 --- a/src/urllib3/connection.py
 +++ b/src/urllib3/connection.py
 @@ -9,9 +9,9 @@ import warnings
@@ -160,7 +160,7 @@
  __all__ = ["inject_into_urllib3", "extract_from_urllib3"]
  
 diff --git a/src/urllib3/exceptions.py b/src/urllib3/exceptions.py
-index d69958d..31a779b 100644
+index cba6f3f..053758e 100644
 --- a/src/urllib3/exceptions.py
 +++ b/src/urllib3/exceptions.py
 @@ -1,6 +1,6 @@
@@ -294,7 +294,7 @@
  
  def is_fp_closed(obj):
 diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
-index ee51f92..8c275a8 100644
+index d25a41b..e11f585 100644
 --- a/src/urllib3/util/retry.py
 +++ b/src/urllib3/util/retry.py
 @@ -17,7 +17,7 @@ from ..exceptions import (
diff -Nru python-urllib3-1.26.2/docs/conf.py python-urllib3-1.26.4/docs/conf.py
--- python-urllib3-1.26.2/docs/conf.py  2020-11-12 18:16:30.0 -0400
+++ python-urllib3-1.26.4/docs/conf.py  2021-03-15 11:03:47.0 -0400
@@ -78,8 +78,8 @@
 html_theme_options = {
 "announcement": """
 https://opencollective.com/urllib3\;>
-Sponsor urllib3 v2.0 
on Open Collective
+   href=\"https://github.com/sponsors/urllib3\;>
+Support urllib3 on 
GitHub Sponsors
 
 """,
 "sidebar_hide_name": True,
diff -Nru python-urllib3-1.26.2/docs/sponsors.rst 
python-urllib3-1.26.4/docs/sponsors.rst
--- python-urllib3-1.26.2/docs/sponsors.rst 2020-11-12 18:16:30.0 
-0400
+++ python-urllib3-1.26.4/docs/sponsors.rst 2021-03-15 11:03:33.0 
-0400
@@ -15,7 +15,7 @@
 
`Get in contact <mailto:sethmichaellar...@gmail.com>`_ for additional
details on sponsorship and perks before making a contribution
-   through `Open Collective <https://opencollective.com/urllib3>`_ if you have 
questions.
+   through `GitHub Sponsors <https://github.com/sponsors/urllib3

Bug#987957: unblock: pypy/7.3.3+dfsg-2 pypy3/7.3.3+dfsg-4

2021-05-02 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock packages pypy & pypy3:

 pypy (7.3.3+dfsg-2) unstable; urgency=medium
 .
   * Move pypy dependencies to Pre-Depends, as the pypy binary is used in
     package maintainer scripts. (Closes: #987213)

 pypy3 (7.3.3+dfsg-4) unstable; urgency=medium
 .
   * Move pypy3 dependencies to Pre-Depends, as the pypy3 binary is used in
     package maintainer scripts. (Closes: #987908)
   * Remove pydoc getfile feature. (CVE-2021-3426)
   * security: Restrict ftplib PASV hosts (no CVE assigned).

[ Reason ]

Promoting pypy dependencies from Depends to Pre-Depends, so that
reverse-dependencies' maintainer script execution is delayed until pypy's
dependencies are in place. (See: #987213)

pypy3 (not a key package) gets the same patch, and a couple of security
updates from upstream hg.

[ Impact ]
Upgrades of pypy libraries from buster to bullseye may fail, without
this patch.

[ Tests ]
autopkgtests verify the broad functionality of the language. piuparts
testing will be the best way to see that upgrading is now reliable.

[ Risks ]
Increasing Pre-Depends isn't ideal, and some of these libraries aren't
needed for pypycompile/pypy3compile to run. But manually splitting the
Pre-Depends and Depends risks more complexity and mistakes in the
future.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [ ] attach debdiff against the package in testing

unblock pypy/7.3.3+dfsg-2
unblock pypy3/7.3.3+dfsg-4

SR
diff -Nru pypy3-7.3.3+dfsg/debian/changelog pypy3-7.3.3+dfsg/debian/changelog
--- pypy3-7.3.3+dfsg/debian/changelog   2021-02-25 14:55:51.0 -0400
+++ pypy3-7.3.3+dfsg/debian/changelog   2021-05-02 12:34:45.0 -0400
@@ -1,3 +1,12 @@
+pypy3 (7.3.3+dfsg-4) unstable; urgency=medium
+
+  * Move pypy3 dependencies to Pre-Depends, as the pypy3 binary is used in
+package maintainer scripts. (Closes: #987908)
+  * Remove pydoc getfile feature. (CVE-2021-3426)
+  * security: Restrict ftplib PASV hosts (no CVE assigned).
+
+ -- Stefano Rivera   Sun, 02 May 2021 12:34:45 -0400
+
 pypy3 (7.3.3+dfsg-3) unstable; urgency=medium
 
   * Patch: CVE-2021-23336: Only use '&' as a query string separator.
diff -Nru pypy3-7.3.3+dfsg/debian/control pypy3-7.3.3+dfsg/debian/control
--- pypy3-7.3.3+dfsg/debian/control 2021-02-25 14:55:51.0 -0400
+++ pypy3-7.3.3+dfsg/debian/control 2021-05-02 12:34:45.0 -0400
@@ -36,11 +36,15 @@
 
 Package: pypy3
 Architecture: any
-Depends: pypy3-lib (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
+Depends: ${misc:Depends}
 Breaks: pypy3-dev (<< ${source:Version})
 Provides: ${pypy3-abi}
 Suggests: pypy3-doc, pypy3-tk (= ${binary:Version})
-Pre-Depends: dpkg (>= 1.15.6~), ${misc:Pre-Depends}
+Pre-Depends:
+ dpkg (>= 1.15.6~),
+ pypy3-lib (= ${binary:Version}),
+ ${misc:Pre-Depends},
+ ${shlibs:Pre-Depends}
 Description: fast alternative implementation of Python 3.x - PyPy interpreter
  PyPy is a fast, compliant alternative implementation of the Python language
  (3.x). It has several advantages and distinct features:
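Review bot: Depends loses `${shlibs:Depends}` and Pre-Depends gains `${shlibs:Pre-Depends}`, but that substvar is only filled in when dpkg-shlibdeps is run with -dPre-Depends, and no debian/rules change is visible in this part of the debdiff. Confirm that the rules file passes it (for example via `dh_shlibdeps -- -dPre-Depends`); otherwise the pypy3 binary package silently loses its shared-library dependencies.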
diff -Nru pypy3-7.3.3+dfsg/debian/patches/cve-2021-3426 
pypy3-7.3.3+dfsg/debian/patches/cve-2021-3426
--- pypy3-7.3.3+dfsg/debian/patches/cve-2021-3426   1969-12-31 
20:00:00.0 -0400
+++ pypy3-7.3.3+dfsg/debian/patches/cve-2021-3426   2021-05-02 
12:34:45.0 -0400
@@ -0,0 +1,77 @@
+From: Matti Picus 
+Date: Sun, 2 May 2021 10:57:58 -0400
+Subject: Stdlib: Remove the pydoc getfile feature (bpo 42988) (CVE-2021-3426)
+
+Bug-cPython: https://bugs.python.org/issue42988
+Origin: upstream, 
https://foss.heptapod.net/pypy/pypy/-/commit/f66a96388f8a0ba125005d5d524a31dfd3878a18
+---
+ lib-python/3/pydoc.py   | 18 --
+ lib-python/3/test/test_pydoc.py |  6 --
+ 2 files changed, 24 deletions(-)
+
+diff --git a/lib-python/3/pydoc.py b/lib-python/3/pydoc.py
+index b521a55..5247ef9 100644
+--- a/lib-python/3/pydoc.py
 b/lib-python/3/pydoc.py
+@@ -2312,9 +2312,6 @@ def _url_handler(url, content_type="text/html"):
+ %s%s%s
+ ''' % (title, css_link, html_navbar(), contents)
+ 
+-def filelink(self, url, path):
+-return '%s' % (url, path)
+-
+ 
+ html = _HTMLDoc()
+ 
+@@ -2400,19 +2397,6 @@ def _url_handler(url, content_type="text/html"):
+ 'key = %s' % key, '#ff', '#ee77aa', ''.join(results))
+ return 'Search Results', contents
+ 
+-def html_getfile(path):
+-"""Get and display a source file listing safely."""
+-path = urllib.parse.unquote(path)
+-with tokenize.open(path) as fp:
+-lines = html.escape(fp.read())
+-body = '%s' % lines
+-heading = html.heading(
+-'File Listing',
+-'#ff', '#7799ee')
+-contents = heading +

Bug#987411: unblock: soupsieve/2.2.1-1

2021-04-23 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package soupsieve

New upstream point release fixing a single bug, fairly minimally.

[ Reason ]
Fixes: https://github.com/facelessuser/soupsieve/issues/216

[ Impact ]
Unable to parse documents with an XML namespace named "self".

[ Tests ]
The package has good test suite coverage, which is run at build time and
in autopkgtests.

[ Risks ]
The change is pretty straightforward, and makes the code a little
simpler (passing a dict instead of kwargs).

This is a key package. The new version has already aged for 25 days.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock soupsieve/2.2.1-1
diff -Nru soupsieve-2.2/debian/changelog soupsieve-2.2.1/debian/changelog
--- soupsieve-2.2/debian/changelog  2021-02-11 17:00:48.0 -0400
+++ soupsieve-2.2.1/debian/changelog2021-03-28 14:15:20.0 -0400
@@ -1,3 +1,9 @@
+soupsieve (2.2.1-1) unstable; urgency=medium
+
+  * New upstream point release.
+
+ -- Stefano Rivera   Sun, 28 Mar 2021 11:15:20 -0700
+
 soupsieve (2.2-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru soupsieve-2.2/docs/src/markdown/about/changelog.md 
soupsieve-2.2.1/docs/src/markdown/about/changelog.md
--- soupsieve-2.2/docs/src/markdown/about/changelog.md  2021-02-09 
15:57:00.0 -0400
+++ soupsieve-2.2.1/docs/src/markdown/about/changelog.md2021-03-19 
00:59:26.0 -0400
@@ -1,5 +1,9 @@
 # Changelog
 
+## 2.2.1
+
+- **FIX**: Fix an issue with namespaces when one of the keys is `self`.
+
 ## 2.2
 
 - **NEW**: `:link` and `:any-link` no longer include `#!html ` due to a 
change in the level 4 selector
diff -Nru soupsieve-2.2/docs/src/markdown/selectors/pseudo-classes.md 
soupsieve-2.2.1/docs/src/markdown/selectors/pseudo-classes.md
--- soupsieve-2.2/docs/src/markdown/selectors/pseudo-classes.md 2021-02-09 
15:57:00.0 -0400
+++ soupsieve-2.2.1/docs/src/markdown/selectors/pseudo-classes.md   
2021-03-19 00:59:26.0 -0400
@@ -867,7 +867,7 @@
 Level 4 CSS adds the additional pattern in the form `an+b of S` where `S` 
represents a selector list. `an+b` can
 also be substituted with `even` or `odd`.
 
-Wen using the pattern `an+b of S`, the pattern will select elements from a 
sub-group of sibling elements that all
+When using the pattern `an+b of S`, the pattern will select elements from 
a sub-group of sibling elements that all
 match the selector list (`[of S]?`), based on their position within that 
sub-group, using the pattern `an+b`, for
 every positive integer or zero value of `n`. The index of the first 
element is `1`. The values `a` and `b` must both
 be integers.
@@ -961,7 +961,7 @@
 Level 4 CSS adds the additional pattern in the form `an+b of S` where `S` 
represents a selector list. `an+b` can
 also be substituted with `even` or `odd`.
 
-Wen using the pattern `an+b of S`, the pattern will select elements from a 
sub-group of sibling elements that all
+When using the pattern `an+b of S`, the pattern will select elements from 
a sub-group of sibling elements that all
 match the selector list (`[of S]?`), based on their position within that 
sub-group, using the pattern `an+b`, for
 every positive integer or zero value of `n`. The index of the first 
element is `1`. The values `a` and `b` must both
 be integers. Elements will be counted from the end.
diff -Nru soupsieve-2.2/PKG-INFO soupsieve-2.2.1/PKG-INFO
--- soupsieve-2.2/PKG-INFO  2021-02-09 15:57:13.208084600 -0400
+++ soupsieve-2.2.1/PKG-INFO2021-03-19 00:59:30.715582600 -0400
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: soupsieve
-Version: 2.2
+Version: 2.2.1
 Summary: A modern CSS selector implementation for Beautiful Soup.
 Home-page: https://github.com/facelessuser/soupsieve
 Author: Isaac Muse
diff -Nru soupsieve-2.2/requirements/docs.txt 
soupsieve-2.2.1/requirements/docs.txt
--- soupsieve-2.2/requirements/docs.txt 2021-02-09 15:57:00.0 -0400
+++ soupsieve-2.2.1/requirements/docs.txt   2021-03-19 00:59:26.0 
-0400
@@ -1,4 +1,4 @@
-mkdocs_pymdownx_material_extras==1.1.3
+mkdocs_pymdownx_material_extras==1.2.2
 mkdocs-git-revision-date-localized-plugin
 mkdocs-minify-plugin
 pyspelling
diff -Nru soupsieve-2.2/soupsieve/css_types.py 
soupsieve-2.2.1/soupsieve/css_types.py
--- soupsieve-2.2/soupsieve/css_types.py2021-02-09 15:57:00.0 
-0400
+++ soupsieve-2.2.1/soupsieve/css_types.py  2021-03-19 00:59:26.0 
-0400
@@ -89,10 +89,10 @@
 class ImmutableDict(Mapping):
 """Hashable, immutable dictionary."""
 
-def __init__(self, *args, **kwargs):
+def __init__(self, arg):
 """Initialize."""
 
-arg = args[0] if
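Review bot: `__init__(self, arg)` makes the argument mandatory and positional where `*args, **kwargs` accepted anything, and the docstring is still just "Initialize.". State in the docstring what single argument is expected, and check the callers of ImmutableDict for keyword-style construction, which now raises TypeError; this matters more than usual because the request describes soupsieve as a key package.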

Bug#987372: buster-pu: package distro-info-data/0.41+deb10u3 OR (distro-info/1.0~deb10u1 AND distro-info-data/0.47~deb10u1)

2021-04-22 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: bdr...@debian.org

There's a new Ubuntu release, so it's time to upload a distro-info-data
update for buster. I missed 0.46, but there was nothing urgent in it.
The changes in unstable since the last update are:

distro-info-data (0.47) unstable; urgency=medium

  * Add Ubuntu 21.04, Impish Indri.

 -- Stefano Rivera   Thu, 22 Apr 2021 10:30:18 -0400

distro-info-data (0.46) unstable; urgency=medium

  * Add "eol-server" dates matching "eol", for LTS releases, as there hasn't
    been a distinction between the two, for a while.
    (Closes: #922090, LP: #1814976).
  * Add "eol-esm" column: EOL for Ubuntu Extended Security Maintenance support.
    (LP: #1808038)
  * Drop ancient Replaces: distro-info (<< 0.3~). No longer needed.
  * Add "eol-lts" for Debian LTS (Closes: #782685)
  * Add estimated dates for Buster EOL and Buster LTS EOL.
  * Publish the data to GitLab pages. (Closes: #973904)
  * Bump Standards-Version to 4.5.1, no changes needed.
  * Bump copyright years.
  * Correct the EOL date for Debian Jessie.
  * Add Debian 13 "Trixie", with a rough date.
  * Add "up-to-date" testing tool.
  * Add an autopkgtest, running the validation and up-to-date tests.
  * "black" Python.
  * Add "eol-elts" for Debian ELTS.
  * Tweak eol and eol-esm dates, by a couple of days, for Ubuntu 6.10, 9.10,
    10.04, 12.04, 15.04, 15.10, 19.04 to match announced EOL dates.

 -- Stefano Rivera   Fri, 29 Jan 2021 13:41:20 -0700

[ Reason ]
I want to update distro-info-data, so that it knows about the current
Ubuntu development release, and future Debian releases.

[ Impact ]
Currently on a Buster system:
$ ubuntu-distro-info --devel
ubuntu-distro-info: Distribution data outdated.
Please check for an update for distro-info-data. See 
/usr/share/doc/distro-info-data/README.Debian for details.

With this change:
$ ubuntu-distro-info --devel
impish

[ Tests ]
distro-info-data is just a data package. There are automated tests for
correctness and freshness.

distro-info has automated unit and integration tests.

[ Risks ]
The intention for distro-info and distro-info-data was that the data
could always be trivially backported to stable releases, however this
time there are a few changes there that make this a non-trivial update.
They got batched together, because once you're breaking the world, you
may as well do it properly:

1. New columns. distro-info didn't support unknown columns in the CSV
   data until 1.0.
2. Date corrections. distro-info used historical dates in the test
   suite, so changes break build time tests and autopkgtests.

So, I offer you two choices:
1. We backport distro-info-data 0.47 and distro-info 1.0 to buster.
   Bringing new features, and simplified unmodified backport data
   updates in the future.
   * distro-info_1.0~deb10u1.debdiff
   * distro-info-data_0.47~deb10u1.debdiff
2. We cherry-pick the important changes in distro-info-data (excluding
   those historical date corrections that break tests, and new columns).
   Future updates for buster will have to continue to do this.
   * distro-info-data_0.41+deb10u4.debdiff

With the backport approach:
Users will need to install 2 updates together:
distro-info Depends: distro-info-data (>= 0.46~)
distro-info-data Breaks: distro-info (<< 1.0~)

Other code that interprets distro-info-data directly may be surprised
by new columns. All reverse-dependencies in the archive have been
checked, and won't be affected.

With the cherry-pick approach:
Negligible risk to users, it's a new entry in the Debian & Ubuntu
releases tables, and EOL updates for Jessie and Buster (guessed).

Future updates will have to continue to cherry-pick, which means
they won't be tested as well as straight backports.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

backport approach:

distro-info-data (0.47~deb10u1) buster; urgency=medium

  * Backport 0.47 to buster. Highlights:
    - Add "eol-esm" for Ubuntu Extended Security Maintenance support.
    - Add "eol-lts" for Debian LTS (Closes: #782685)
    - Add "eol-elts" for Debian ELTS.
    - Add estimated dates for Buster EOL and Buster LTS EOL.
    - Add Debian 13 "Trixie", with a rough date.
    - Correct the EOL date for Debian Jessie.
    - Tweak eol and eol-esm dates, by a couple of days, for Ubuntu 6.10, 9.10,
      10.04, 12.04, 15.04, 15.10, 19.04 to match announced EOL dates.
    - Add Ubuntu 21.04, Impish Indri.

-- Stefano Rivera   Thu, 22 Apr 2021 11:46:22 -0400

distro-info-data (0.
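
The new-columns risk named in this report, for code that reads the CSV directly, as an added example (not code from distro-info or from this report). The header line and the hypothetical `strict_rows` reader are assumptions; the data rows are copied from the ubuntu.csv hunks quoted on this page, and "released and not EOL" is this example's own definition.

```python
import csv
import datetime
import io

# Constructed sample. The header is an assumption (the page names the columns
# but never shows a 0.47 header line); the rows come from the quoted hunks.
SAMPLE = """\
version,codename,series,created,release,eol,eol-server,eol-esm
20.04 LTS,Focal Fossa,focal,2019-10-17,2020-04-23,2025-04-23,2025-04-23,2030-04-23
20.10,Groovy Gorilla,groovy,2020-04-23,2020-10-22,2021-07-22
21.04,Hirsute Hippo,hirsute,2020-10-22,2021-04-22,2022-01-22
"""

DATE_COLUMNS = ("created", "release", "eol")


def _date(value):
    """Parse an ISO date; empty or missing cells become None."""
    return datetime.date.fromisoformat(value) if value else None


def strict_rows(text):
    """Hypothetical positional reader that knows exactly six columns.

    Short rows are padded, but a row carrying a column this reader has never
    heard of raises ValueError, which is the breakage a data-only update can
    cause in such a consumer.
    """
    reader = csv.reader(io.StringIO(text))
    next(reader)  # skip the header line
    rows = []
    for fields in reader:
        padded = fields + [""] * (6 - len(fields))
        version, codename, series, created, release, eol = padded
        rows.append((series, _date(created), _date(release), _date(eol)))
    return rows


def tolerant_rows(text):
    """Header-driven reader: picks the columns it needs and ignores the rest."""
    rows = []
    for record in csv.DictReader(io.StringIO(text)):
        row = {"version": record["version"], "series": record["series"]}
        for column in DATE_COLUMNS:
            # DictReader fills cells missing from short rows with None.
            row[column] = _date(record.get(column))
        rows.append(row)
    return rows


def released_not_eol(rows, on):
    """Series that are released on the given date and not yet past their eol."""
    result = []
    for row in rows:
        if row["release"] is None or row["release"] > on:
            continue
        if row["eol"] is not None and row["eol"] < on:
            continue
        result.append(row["series"])
    return result


if __name__ == "__main__":
    rows = tolerant_rows(SAMPLE)
    print(released_not_eol(rows, datetime.date(2021, 8, 1)))
    try:
        strict_rows(SAMPLE)
    except ValueError as exc:
        print("strict reader failed:", exc)
```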

Bug#987367: unblock: distro-info-data/0.47

2021-04-22 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package distro-info-data

Only change is:
* Add Ubuntu 21.04, Impish Indri.

When we get a release date for Bullseye, I'll want to ship another
upload with it, too.

[ Reason ]
The new Ubuntu codename is now known.

[ Impact ]
Without this update, ubuntu-distro-info will report "Distribution data
outdated."

[ Tests ]
There are automated tests, but not covering this specific new line of
data.

Manually tested by Ubuntu people in:
https://bugs.launchpad.net/ubuntu/+source/distro-info-data/+bug/1925484

[ Risks ]
Minimal, we do this every 6 months.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock distro-info-data/0.47
diff -Nru distro-info-data-0.46/debian/changelog 
distro-info-data-0.47/debian/changelog
--- distro-info-data-0.46/debian/changelog  2021-01-29 16:41:20.0 
-0400
+++ distro-info-data-0.47/debian/changelog  2021-04-22 10:30:18.0 
-0400
@@ -1,3 +1,9 @@
+distro-info-data (0.47) unstable; urgency=medium
+
+  * Add Ubuntu 21.04, Impish Indri.
+
+ -- Stefano Rivera   Thu, 22 Apr 2021 10:30:18 -0400
+
 distro-info-data (0.46) unstable; urgency=medium
 
   * Add "eol-server" dates matching "eol", for LTS releases, as there hasn't
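Review bot: The new changelog entry reads "Add Ubuntu 21.04, Impish Indri", but the ubuntu.csv hunk in this same debdiff adds the row starting "21.10,Impish Indri,impish", and 21.04 is already present there as Hirsute Hippo. The changelog line should say 21.10 so that it matches the data actually shipped.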
diff -Nru distro-info-data-0.46/ubuntu.csv distro-info-data-0.47/ubuntu.csv
--- distro-info-data-0.46/ubuntu.csv2021-01-29 16:41:20.0 -0400
+++ distro-info-data-0.47/ubuntu.csv2021-04-22 10:30:18.0 -0400
@@ -33,3 +33,4 @@
 20.04 LTS,Focal 
Fossa,focal,2019-10-17,2020-04-23,2025-04-23,2025-04-23,2030-04-23
 20.10,Groovy Gorilla,groovy,2020-04-23,2020-10-22,2021-07-22
 21.04,Hirsute Hippo,hirsute,2020-10-22,2021-04-22,2022-01-22
+21.10,Impish Indri,impish,2021-04-22,2021-10-14,2022-07-14


Bug#983499: unblock: python3-defaults/3.9.2~rc1-1, python3.9/3.9.2~rc1-1

2021-02-24 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: d...@debian.org

Please unblock package python3-defaults and python3.9

Adding a new binary package, -full, to both source packages. Both are
currently in binNEW.

Sorry, should have probably filed this a couple of weeks ago. Once we
saw this coming.

[ Reason ]

The reason for this change is laid out in
https://lists.debian.org/debian-python/2021/02/msg00035.html

TL;DR: Debian heard of some upstream Python grumpiness about our
standard library splits, recently. This is all very badly timed for the
freeze.

Including python3-full and python3.x-full packages, that depend on
the entire stdlib, is a compromise position to help them to support
Python users on Debian (and derivative) platforms.
These packages would be dependency-only packages, and only directly
installed by end-users, not used as a dependency of other packages.

We intend to try to backport this to stable releases too.

[ Impact ]

Impact, if this isn't granted, is continuation of status-quo.
We'd probably attempt to add it in a point release.

[ Tests ]

Not relevant.

[ Risks ]

While the source packages in question are core to the system, this is
just the addition of leaf packages.

[ Checklist ]

unblock python3-defaults/3.9.2~rc1-1
unblock python3.9/3.9.2~rc1-1
diff --git a/.gitignore b/.gitignore
index 1f20116..0717416 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,6 +22,7 @@ debian/python3-dbg
 debian/python3-dev
 debian/python3-doc
 debian/python3-examples
+debian/python3-full
 debian/python3-minimal
 debian/python3-venv
 
diff --git a/debian/changelog b/debian/changelog
index 19ee73a..f360209 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+python3-defaults (3.9.2~rc1-1) experimental; urgency=medium
+
+  * Bump version to 3.9.2 rc1.
+
+  [ Stefano Rivera ]
+  * Improve package descriptions, describing venv, stdlib, and lib2to3 package
+contents.
+
+  [ Matthias Klose ]
+  * Build a python3-full package.
+
+ -- Matthias Klose   Thu, 18 Feb 2021 12:16:46 +0100
+
 python3-defaults (3.9.1-1) unstable; urgency=medium
 
   * Bump version to 3.9.1.
diff --git a/debian/control b/debian/control
index 59ed6f6..0087ed5 100644
--- a/debian/control
+++ b/debian/control
@@ -39,13 +39,19 @@ Architecture: any
 Multi-Arch: allowed
 Depends: python3.9-venv (>= 3.9.1-1~), python3 (= ${binary:Version}),
   python3-distutils (>= 3.9.1-1~), ${misc:Depends}
-Description: pyvenv-3 binary for python3 (default python3 version)
- Python, the high-level, interactive object oriented language,
- includes an extensive class library with lots of goodies for
- network programming, system administration, sounds and graphics.
+Description: venv module for python3 (default python3 version)
+ This package contains the venv module for the Python language (default python3
+ version).
+ .
+ The venv module provides support for creating lightweight "virtual
+ environments" with their own site directories, optionally isolated from system
+ site directories. Each virtual environment has its own Python binary (which
+ matches the version of the binary that was used to create this environment)
+ and can have its own independent set of installed Python packages in its site
+ directories.
  .
  This package is a dependency package, which depends on Debian's default
- Python 3 version (currently v3.9).
+ Python 3 version's venv module (currently v3.9).
 
 Package: python3-minimal
 Architecture: any
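Review bot: The new first paragraph of the python3-venv description says "This package contains the venv module", while the unchanged Depends line pulls the module in from python3.9-venv and the last paragraph still calls this "a dependency package". The two statements contradict each other; wording the first paragraph as "depends on the package containing the venv module" (or dropping "contains") would keep the stanza consistent, and the same applies to the synopsis "venv module for python3".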
@@ -68,7 +74,7 @@ Description: examples for the Python language (default 
version)
  the upstream Python distribution.
  .
  This package is a dependency package, which depends on Debian's default
- Python 3 version (currently v3.9).
+ Python 3 version's examples (currently v3.9).
 
 Package: python3-dev
 Architecture: any
@@ -83,7 +89,7 @@ Description: header files and a static library for Python 
(default)
  in applications.
  .
  This package is a dependency package, which depends on Debian's default
- Python 3 version (currently v3.9).
+ Python 3 version's headers (currently v3.9).
 
 Package: libpython3-dev
 Architecture: any
@@ -98,19 +104,18 @@ Description: header files and a static library for Python 
(default)
  in applications.
  .
  This package is a dependency package, which depends on Debian's default
- Python 3 version (currently v3.9).
+ Python 3 version's headers (currently v3.9).
 
 Package: libpython3-stdlib
 Architecture: any
 Multi-Arch: same
 Depends: libpython3.9-stdlib (>= 3.9.1-1~), ${misc:Depends}
 Description: interactive high-level object-oriented language (default python3 
version)
- Python, the high-level, interactive object oriented language,
- includes an extensive class library with lots of goodies for
- network programming, system administration, sounds and graphics.
+ This package contains the majority of the standard library for the Python
+ language (default python3 version).

Bug#973672: transition: re2

2020-11-02 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Public ABI Breakage:

The implementation of RE2::Arg was changed from preprocessor macros to
C++ templates. It remains API-compatible, though.

Reverse Dependencies:

$ grep ^Status: *.build
chromium_amd64.build:Status: successful
clickhouse_amd64.build:Status: attempted
dnsdist_amd64.build:Status: successful
effcee_amd64.build:Status: successful
libphonenumber_amd64.build:Status: successful
libpog_amd64.build:Status: successful
libre-engine-re2-perl_amd64.build:Status: successful
node-re2_amd64.build:Status: successful
qtwebengine-opensource-src_amd64.build:Status: successful
re2_20201101+dfsg-1_amd64.build:Status: successful
re2_20201101+dfsg-1_i386.build:Status: successful
ruby-re2_amd64.build:Status: successful

clickhouse FTBFS (#966439) is caused by GCC 10 and unrelated.

Ben file:

title = "re2";
is_affected = .depends ~ "libre2-8" | .depends ~ "libre2-9";
is_good = .depends ~ "libre2-9";
is_bad = .depends ~ "libre2-8";

The automatically generated ben files are usually correct.

SR



Bug#973655: buster-pu: package distro-info-data/0.41+deb10u3

2020-11-02 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]

I want to update distro-info-data, so that it knows about the current
Ubuntu development release.

[ Impact ]

Currently on a Buster system:
$ ubuntu-distro-info --devel
ubuntu-distro-info: Distribution data outdated.
Please check for an update for distro-info-data. See 
/usr/share/doc/distro-info-data/README.Debian for details.

With this change:
$ ubuntu-distro-info --devel
hirsute

[ Tests ]

It's just a data package. There are automated tests for correctness.
The data was copied from the version uploaded to unstable.

[ Risks ]

Negligible, it's a new entry in the Ubuntu releases table.

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

  * Update data to 0.45:
    - Add Ubuntu 21.04, Hirsute Hippo.

[ Other info ]

Last update's bug: #958714

[ Debdiff ]

diff -Nru distro-info-data-0.41+deb10u2/debian/changelog 
distro-info-data-0.41+deb10u3/debian/changelog
--- distro-info-data-0.41+deb10u2/debian/changelog  2020-04-24 
09:24:59.0 -0700
+++ distro-info-data-0.41+deb10u3/debian/changelog  2020-11-02 
12:44:14.0 -0800
@@ -1,3 +1,10 @@
+distro-info-data (0.41+deb10u3) buster; urgency=medium
+
+  * Update data to 0.45:
+- Add Ubuntu 21.04, Hirsute Hippo.
+
+ -- Stefano Rivera   Mon, 02 Nov 2020 12:44:14 -0800
+
 distro-info-data (0.41+deb10u2) buster; urgency=medium
 
   * Update data to 0.44:
diff -Nru distro-info-data-0.41+deb10u2/ubuntu.csv 
distro-info-data-0.41+deb10u3/ubuntu.csv
--- distro-info-data-0.41+deb10u2/ubuntu.csv2020-04-24 09:24:59.0 
-0700
+++ distro-info-data-0.41+deb10u3/ubuntu.csv2020-11-02 12:44:14.0 
-0800
@@ -32,3 +32,4 @@
 19.10,Eoan Ermine,eoan,2019-04-18,2019-10-17,2020-07-17
 20.04 LTS,Focal Fossa,focal,2019-10-17,2020-04-23,2025-04-23
 20.10,Groovy Gorilla,groovy,2020-04-23,2020-10-22,2021-07-22
+21.04,Hirsute Hippo,hirsute,2020-10-22,2021-04-22,2022-01-22

SR



Bug#947351: cloud-init 20.2-2~deb10u1 flagged for acceptance

2020-08-18 Thread Stefano Rivera
Hi Adam (2020.07.09_13:19:23_-0700)
> The upload referenced by this bug report has been flagged for acceptance into 
> the proposed-updates queue for Debian buster.

FWIW, this update included a change that broke the Debian images for at
least one hosting provider.

We noticed when provisioning a Debian 10.5 image on Hetzner Cloud, that
no Ethernet interfaces were being configured.

Hetzner had "include /etc/network/interfaces.d/*.cfg" in their
/etc/network/interfaces.

Before 19.2 cloud-init wrote /etc/network/interfaces.d/50-cloud-init.cfg
After 19.2 cloud-init wrote /etc/network/interfaces.d/50-cloud-init
Relevant upstream commit: 
https://github.com/canonical/cloud-init/commit/a6faf3acef02bd8cd4d46ac9efeebf24b3f21d81

This doesn't break Debian installs that had the default
/etc/network/interfaces. But if it caused a regression for one provider,
it probably caused regressions for others too.

Not sure what the right approach in Debian is, here. Whether there
should be a new bug filed against cloud-init in stable?

We filed Hetzner Ticket#2020081703000394 with these details so they
could fix their images.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272
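
The regression described in the message above, as an added example (not part of the original message and not cloud-init or ifupdown code): a check of which of the two cloud-init file names a given /etc/network/interfaces would still read. It assumes `include` behaves like `source` with a glob in the last path component, uses a constructed Debian-default line (`source /etc/network/interfaces.d/*`), and also covers `source-directory`, which goes beyond the case in the message.

```python
import fnmatch
import posixpath
import re

# File names from the message: what cloud-init wrote before and after 19.2.
OLD_NAME = "/etc/network/interfaces.d/50-cloud-init.cfg"
NEW_NAME = "/etc/network/interfaces.d/50-cloud-init"

# interfaces(5): source-directory only reads files whose names consist of
# ASCII letters, digits, underscores and hyphens (so no ".cfg" suffix).
SOURCE_DIRECTORY_NAME = re.compile(r"^[a-zA-Z0-9_-]+$")

# Constructed configurations for the demonstration.
PROVIDER_STYLE = """\
auto lo
iface lo inet loopback
include /etc/network/interfaces.d/*.cfg
"""
DEBIAN_DEFAULT = "source /etc/network/interfaces.d/*\n"  # assumed default
SOURCE_DIRECTORY = "source-directory /etc/network/interfaces.d\n"


def files_read(interfaces_text, candidates):
    """Return the candidate paths that the configuration would pull in.

    Approximation: glob patterns are matched on the file name only, with the
    directory part compared literally.
    """
    included = set()
    for raw in interfaces_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *args = line.split()
        if keyword in ("source", "include"):
            for pattern in args:
                pattern_dir = posixpath.dirname(pattern)
                pattern_name = posixpath.basename(pattern)
                for path in candidates:
                    if (posixpath.dirname(path) == pattern_dir
                            and fnmatch.fnmatchcase(posixpath.basename(path),
                                                    pattern_name)):
                        included.add(path)
        elif keyword == "source-directory":
            for directory in args:
                wanted = directory.rstrip("/")
                for path in candidates:
                    if (posixpath.dirname(path) == wanted
                            and SOURCE_DIRECTORY_NAME.match(
                                posixpath.basename(path))):
                        included.add(path)
    return included


def lost_by_rename(interfaces_text):
    """True when the old file name was read but the new one is not."""
    read = files_read(interfaces_text, [OLD_NAME, NEW_NAME])
    return OLD_NAME in read and NEW_NAME not in read


if __name__ == "__main__":
    for label, text in (("provider-style include", PROVIDER_STYLE),
                        ("Debian default (assumed)", DEBIAN_DEFAULT),
                        ("source-directory", SOURCE_DIRECTORY)):
        print(label, "-> network config lost after update:",
              lost_by_rename(text))
```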



Bug#965023: transition: re2

2020-07-14 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Public ABI Breakage:
An entry was inserted into an enum, rather than appended to the end.

Public API Breakage:
None

Reverse Dependencies:
* dnsdist seems to have had uninstallable Build-Dependencies, in my testing
  yesterday, but built fine on the 5th.
* Everything else builds without error.

Ben file:

title = "re2";
is_affected = .depends ~ "libre2-7" | .depends ~ "libre2-8";
is_good = .depends ~ "libre2-8";
is_bad = .depends ~ "libre2-7";

https://release.debian.org/transitions/html/auto-re2.html LGTM

SR



Bug#960360: transition: re2

2020-05-11 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Public ABI Breakage:
Types changed from maps to vectors in a couple of functions. Nothing in
Debian uses them.

Public API Breakage:
The deprecated RE2::Options::set_utf8 and RE2::Options::utf8 helper
functions were removed from re2.h.

https://github.com/google/re2/commit/58141dc9c92189ed8d046f494f5e034d5db91bea
https://github.com/google/re2/commit/ac65d4531798ffc9bf807d1f7c09efb0eec70480

Reverse Dependencies:
* Updated ruby-re2 to 1.2.0 to support this.
* Chromium needs a patch:
  https://github.com/chromium/chromium/commit/ede390a0b18e4565abf8ac1e1ff717e1d43fc320
* Others build without error.

Ben file:

title = "re2";
is_affected = .depends ~ "libre2-6" | .depends ~ "libre2-7";
is_good = .depends ~ "libre2-7";
is_bad = .depends ~ "libre2-6";

https://release.debian.org/transitions/html/auto-re2.html LGTM

SR



Bug#958714: buster-pu: package distro-info-data/0.41+deb10u2

2020-04-24 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I want to update distro-info-data, so that it knows about the current
Ubuntu development release. While I'm here, I can make a guess at
Stretch's EoL based on Buster's release date. If we get a better date,
we should update it.

Test cases:
$ ubuntu-distro-info --devel
groovy
$ debian-distro-info --date=2020-08-01 --supported
buster
bullseye
sid
experimental

(Yeah it doesn't know about LTS yet. That's
https://salsa.debian.org/debian/distro-info-data/merge_requests/2 which I must
just merge)

Debdiff (uploaded):

diff --git a/debian.csv b/debian.csv
index 78abfed..d20aabf 100644
--- a/debian.csv
+++ b/debian.csv
@@ -12,7 +12,7 @@ version,codename,series,created,release,eol
 6.0,Squeeze,squeeze,2009-02-14,2011-02-06,2014-05-31
 7,Wheezy,wheezy,2011-02-06,2013-05-04,2016-04-26
 8,Jessie,jessie,2013-05-04,2015-04-25,2018-06-06
-9,Stretch,stretch,2015-04-25,2017-06-17
+9,Stretch,stretch,2015-04-25,2017-06-17,2020-07-06
 10,Buster,buster,2017-06-17,2019-07-06
 11,Bullseye,bullseye,2019-07-06
 12,Bookworm,bookworm,2021-08-01
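Review bot: The Stretch eol value added here, 2020-07-06, is a guess according to the changelog entry, and it is exactly one year after the Buster release date on the following line, yet in the CSV it looks no different from an announced date. Anything that reads this column to decide whether a release is still supported will treat the guess as final, so this row needs a follow-up update once the real date is announced.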
diff --git a/debian/changelog b/debian/changelog
index 8088798..b22e04e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+distro-info-data (0.41+deb10u2) buster; urgency=medium
+
+  * Update data to 0.44:
+- Add Ubuntu 20.10, Groovy Gorilla.
+- Add a guessed EOL date for Debian Stretch.
+
+ -- Stefano Rivera   Fri, 24 Apr 2020 09:24:59 -0700
+
 distro-info-data (0.41+deb10u1) buster; urgency=medium
 
   [ Stefano Rivera ]
diff --git a/ubuntu.csv b/ubuntu.csv
index 08d442f..0236239 100644
--- a/ubuntu.csv
+++ b/ubuntu.csv
@@ -31,3 +31,4 @@ version,codename,series,created,release,eol,eol-server
 19.04,Disco Dingo,disco,2018-10-18,2019-04-18,2020-01-18
 19.10,Eoan Ermine,eoan,2019-04-18,2019-10-17,2020-07-17
 20.04 LTS,Focal Fossa,focal,2019-10-17,2020-04-23,2025-04-23
+20.10,Groovy Gorilla,groovy,2020-04-23,2020-10-22,2021-07-22



Bug#954288: transition: re2

2020-03-19 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

C++. Lots of ABI breakage...

Class members were reorganised, and mutability changed.
Upstream chose to SONAME bump.

https://github.com/google/re2/issues/243

In other news: Upstream is finally taking ownership of their soname \o/

https://release.debian.org/transitions/html/auto-re2.html looks good.

I test built all of the rev-deps (on March 3rd) and they all built,
except for clickhouse (known FTBFS: #950983).

Ben file:

title = "re2";
is_affected = .depends ~ "libre2-5" | .depends ~ "libre2-6";
is_good = .depends ~ "libre2-6";
is_bad = .depends ~ "libre2-5";


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_ZA.UTF-8, LC_CTYPE=en_ZA.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_ZA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#931659: transition: rm python2

2019-07-23 Thread Stefano Rivera
The current regex is using \bpython, which matches dh-python.

I suggest this patch, using \s instead.

Gets us down to 3455/4057.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272
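
The effect of the anchor change suggested in the message above, as an added example (not part of the original message or of ben). It uses a shortened, constructed subset of the package alternation and constructed dependency fields, and assumes Python's `re` treats `\b` and `\s` the way ben's regex engine does; the `(^|\s)` variant is this example's own addition, not part of the patch.

```python
import re

# Shortened subset of the alternation in python2-rm.ben (constructed for the
# example; the dots are left unescaped, as in the original).
NAMES = "(python|python-minimal|python-dev|python-all|python2|python2.7)"

OLD_PATTERN = re.compile(r"\b" + NAMES + r"\b")       # before the patch
NEW_PATTERN = re.compile(r"\s" + NAMES + r"\b")       # after the patch
ANCHORED = re.compile(r"(?:^|\s)" + NAMES + r"\b")    # added variant

# Constructed dependency fields.
FIELDS = {
    "python3 package using dh-python":
        "debhelper (>= 9), dh-python, python3-all",
    "python2 package, name after a comma":
        "debhelper (>= 9), python-all (>= 2.6.6-3~)",
    "python2 package, name first in the field":
        "python (>= 2.7), debhelper (>= 9)",
}


def compare(field):
    """Return (old, new, anchored): whether each pattern flags the field."""
    return (OLD_PATTERN.search(field) is not None,
            NEW_PATTERN.search(field) is not None,
            ANCHORED.search(field) is not None)


def summary():
    """Map each constructed case to its (old, new, anchored) result."""
    return {label: compare(field) for label, field in FIELDS.items()}


if __name__ == "__main__":
    for label, result in summary().items():
        print(f"{label}: old={result[0]} new={result[1]} anchored={result[2]}")
```

`\b` sits between `-` and `p`, which is why `dh-python` was counted; `\s` removes that false positive but needs whitespace in front of the name, which the third constructed field lacks.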
diff --git a/config/ongoing/python2-rm.ben b/config/ongoing/python2-rm.ben
index ca4b33d..60d928c 100644
--- a/config/ongoing/python2-rm.ben
+++ b/config/ongoing/python2-rm.ben
@@ -1,6 +1,6 @@
 title = "python2-rm";
 notes = "Python 2 removal tracker (#931659)";
-is_affected = .depends ~ /\b(python|python-minimal|python-dev|libpython-dev|libpython-stdlib|python-doc|python-dbg|libpython-dbg|python-all|python-all-dev|python-all-dbg|libpython-all-dev|libpython-all-dbg|python2|python2-minimal|python2-dev|libpython2-dev|libpython2-stdlib|python2-doc|python2-dbg|libpython2-dbg|python2.7|libpython2.7-stdlib|python2.7-minimal|libpython2.7-minimal|libpython2.7|python2.7-examples|python2.7-dev|libpython2.7-dev|libpython2.7-testsuite|idle-python2.7|python2.7-doc|python2.7-dbg|libpython2.7-dbg)\b/ | .build-depends ~ /\b(python|python-minimal|python-dev|libpython-dev|libpython-stdlib|python-doc|python-dbg|libpython-dbg|python-all|python-all-dev|python-all-dbg|libpython-all-dev|libpython-all-dbg|python2|python2-minimal|python2-dev|libpython2-dev|libpython2-stdlib|python2-doc|python2-dbg|libpython2-dbg|python2.7|libpython2.7-stdlib|python2.7-minimal|libpython2.7-minimal|libpython2.7|python2.7-examples|python2.7-dev|libpython2.7-dev|libpython2.7-testsuite|idle-python2.7|python2.7-doc|python2.7-dbg|libpython2.7-dbg)\b/;
-is_bad = .depends ~ /\b(python|python-minimal|python-dev|libpython-dev|libpython-stdlib|python-doc|python-dbg|libpython-dbg|python-all|python-all-dev|python-all-dbg|libpython-all-dev|libpython-all-dbg|python2|python2-minimal|python2-dev|libpython2-dev|libpython2-stdlib|python2-doc|python2-dbg|libpython2-dbg|python2.7|libpython2.7-stdlib|python2.7-minimal|libpython2.7-minimal|libpython2.7|python2.7-examples|python2.7-dev|libpython2.7-dev|libpython2.7-testsuite|idle-python2.7|python2.7-doc|python2.7-dbg|libpython2.7-dbg)\b/ | .build-depends ~ /\b(python|python-minimal|python-dev|libpython-dev|libpython-stdlib|python-doc|python-dbg|libpython-dbg|python-all|python-all-dev|python-all-dbg|libpython-all-dev|libpython-all-dbg|python2|python2-minimal|python2-dev|libpython2-dev|libpython2-stdlib|python2-doc|python2-dbg|libpython2-dbg|python2.7|libpython2.7-stdlib|python2.7-minimal|libpython2.7-minimal|libpython2.7|python2.7-examples|python2.7-dev|libpython2.7-dev|libpython2.7-testsuite|idle-python2.7|python2.7-doc|python2.7-dbg|libpython2.7-dbg)\b/;
+is_affected = .depends ~ /\s(python|python-minimal|python-dev|libpython-dev|libpython-stdlib|python-doc|python-dbg|libpython-dbg|python-all|python-all-dev|python-all-dbg|libpython-all-dev|libpython-all-dbg|python2|python2-minimal|python2-dev|libpython2-dev|libpython2-stdlib|python2-doc|python2-dbg|libpython2-dbg|python2.7|libpython2.7-stdlib|python2.7-minimal|libpython2.7-minimal|libpython2.7|python2.7-examples|python2.7-dev|libpython2.7-dev|libpython2.7-testsuite|idle-python2.7|python2.7-doc|python2.7-dbg|libpython2.7-dbg)\b/ | .build-depends ~ /\s(python|python-minimal|python-dev|libpython-dev|libpython-stdlib|python-doc|python-dbg|libpython-dbg|python-all|python-all-dev|python-all-dbg|libpython-all-dev|libpython-all-dbg|python2|python2-minimal|python2-dev|libpython2-dev|libpython2-stdlib|python2-doc|python2-dbg|libpython2-dbg|python2.7|libpython2.7-stdlib|python2.7-minimal|libpython2.7-minimal|libpython2.7|python2.7-examples|python2.7-dev|libpython2.7-dev|libpython2.7-testsuite|idle-python2.7|python2.7-doc|python2.7-dbg|libpython2.7-dbg)\b/;
+is_bad = .depends ~ /\s(python|python-minimal|python-dev|libpython-dev|libpython-stdlib|python-doc|python-dbg|libpython-dbg|python-all|python-all-dev|python-all-dbg|libpython-all-dev|libpython-all-dbg|python2|python2-minimal|python2-dev|libpython2-dev|libpython2-stdlib|python2-doc|python2-dbg|libpython2-dbg|python2.7|libpython2.7-stdlib|python2.7-minimal|libpython2.7-minimal|libpython2.7|python2.7-examples|python2.7-dev|libpython2.7-dev|libpython2.7-testsuite|idle-python2.7|python2.7-doc|python2.7-dbg|libpython2.7-dbg)\b/ | .build-depends ~ /\s(python|python-minimal|python-dev|libpython-dev|libpython-stdlib|python-doc|python-dbg|libpython-dbg|python-all|python-all-dev|python-all-dbg|libpython-all-dev|libpython-all-dbg|python2|python2-minimal|python2-dev|libpython2-dev|libpython2-stdlib|python2-doc|python2-dbg|libpython2-dbg|python2.7|libpython2.7-stdlib|python2.7-minimal|libpython2.7-minimal|libpython2.7|python2.7-examples|python2.7-dev|libpython2.7-dev|libpython2.7-testsuite|idle-python2.7|python2.7-doc|python2.7-dbg|libpython2.7-dbg)\b/;
 is_good = .depends ~ "''";
 
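Review bot: With the leading \b replaced by \s in is_affected and is_bad, a listed name only matches when whitespace precedes it, so a package that is the first entry of .depends or .build-depends is missed unless the field value always starts with whitespace; (^|\s) would keep the dh-python fix without that gap. The trailing \b is unchanged and still treats "-" as a boundary, so the "python" alternative also matches inside any python-<something> name that is not in the list; if that is not intended, end the group on a delimiter or end of field instead.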


Bug#930536: unblock: distro-info-data/0.41

2019-06-14 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package distro-info-data

This is a pure-data package, tracking Debian and Ubuntu releases. As the
release date is now known, it needs an update.

Since the last update, the most recent Ubuntu release has also received
an animal name, so that is included, too.

unblock distro-info-data/0.41

Thanks,

SR

diff -Nru distro-info-data-0.40/debian/changelog 
distro-info-data-0.41/debian/changelog
--- distro-info-data-0.40/debian/changelog  2019-04-23 12:14:38.0 
-0700
+++ distro-info-data-0.41/debian/changelog  2019-06-14 10:50:04.0 
-0700
@@ -1,3 +1,11 @@
+distro-info-data (0.41) unstable; urgency=medium
+
+  * Add final animal name for Ubuntu 19.10 Eoan Ermine.
+  * Set release date for Buster (and matching creation date for Bullseye).
+It has been announced.
+
+ -- Stefano Rivera   Fri, 14 Jun 2019 10:50:04 -0700
+
 distro-info-data (0.40) unstable; urgency=medium
 
   * Correct EOL date for trusty. (LP: #1825553)
diff -Nru distro-info-data-0.40/debian.csv distro-info-data-0.41/debian.csv
--- distro-info-data-0.40/debian.csv2019-04-23 12:14:38.0 -0700
+++ distro-info-data-0.41/debian.csv2019-06-14 10:50:04.0 -0700
@@ -13,8 +13,8 @@
 7,Wheezy,wheezy,2011-02-06,2013-05-04,2016-04-26
 8,Jessie,jessie,2013-05-04,2015-04-25,2018-06-06
 9,Stretch,stretch,2015-04-25,2017-06-17
-10,Buster,buster,2017-06-17
-11,Bullseye,bullseye,2019-08-01
+10,Buster,buster,2017-06-17,2019-07-06
+11,Bullseye,bullseye,2019-07-06
 12,Bookworm,bookworm,2021-08-01
 ,Sid,sid,1993-08-16
 ,Experimental,experimental,1993-08-16
diff -Nru distro-info-data-0.40/ubuntu.csv distro-info-data-0.41/ubuntu.csv
--- distro-info-data-0.40/ubuntu.csv2019-04-23 12:14:38.0 -0700
+++ distro-info-data-0.41/ubuntu.csv2019-06-14 10:50:04.0 -0700
@@ -29,4 +29,4 @@
 18.04 LTS,Bionic Beaver,bionic,2017-10-19,2018-04-26,2023-04-26
 18.10,Cosmic Cuttlefish,cosmic,2018-04-26,2018-10-18,2019-07-18
 19.04,Disco Dingo,disco,2018-10-18,2019-04-18,2020-01-18
-19.10,Eoan EANIMAL,eoan,2019-04-18,2019-10-17,2020-07-17
+19.10,Eoan Ermine,eoan,2019-04-18,2019-10-17,2020-07-17



Bug#927819: unblock: distro-info-data/0.40

2019-04-23 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package distro-info-data

This is a pure data package.

This upload contains two updates to Ubuntu data:
1. Ubuntu 19.04 has released, and we have a provisional entry for 19.10.
   There is no animal name for it, yet. But no idea when we're going to
   get that.
2. Correction to the Ubuntu 14.04 EOL.
(and a noop standards-version update)

The package is pointless without up-to-date data.

When we have an idea of the Buster release date, we'll probably want to
do another upload. That could be a post-release SPU, if absolutely
necessary.

unblock distro-info-data/0.40
diff --git a/debian/changelog b/debian/changelog
index a3645af..5433f38 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+distro-info-data (0.40) unstable; urgency=medium
+
+  * Correct EOL date for trusty. (LP: #1825553)
+  * Add Ubuntu 19.10, with a provisional animal name. (LP: #1825379)
+  * Bump Standards-Version to 4.3.0, no changes needed.
+
+ -- Stefano Rivera   Tue, 23 Apr 2019 12:14:38 -0700
+
 distro-info-data (0.39) unstable; urgency=medium
 
   * Add Ubuntu 19.04 Disco Dingo. (LP: #1800656)
diff --git a/debian/control b/debian/control
index 8505040..095e4c2 100644
--- a/debian/control
+++ b/debian/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: Benjamin Drung 
 Uploaders: Stefano Rivera 
 Build-Depends: debhelper (>= 9), python
-Standards-Version: 4.1.4
+Standards-Version: 4.3.0
 Vcs-Git: https://salsa.debian.org/debian/distro-info-data.git
 Vcs-Browser: https://salsa.debian.org/debian/distro-info-data
 Rules-Requires-Root: no
diff --git a/ubuntu.csv b/ubuntu.csv
index 1fb41a2..f35a640 100644
--- a/ubuntu.csv
+++ b/ubuntu.csv
@@ -18,7 +18,7 @@ version,codename,series,created,release,eol,eol-server
 12.10,Quantal Quetzal,quantal,2012-04-26,2012-10-18,2014-05-16
 13.04,Raring Ringtail,raring,2012-10-18,2013-04-25,2014-01-27
 13.10,Saucy Salamander,saucy,2013-04-25,2013-10-17,2014-07-17
-14.04 LTS,Trusty Tahr,trusty,2013-10-17,2014-04-17,2019-04-17
+14.04 LTS,Trusty Tahr,trusty,2013-10-17,2014-04-17,2019-04-25
 14.10,Utopic Unicorn,utopic,2014-04-17,2014-10-23,2015-07-23
 15.04,Vivid Vervet,vivid,2014-10-23,2015-04-23,2016-01-23
 15.10,Wily Werewolf,wily,2015-04-23,2015-10-22,2016-07-22
@@ -29,3 +29,4 @@ version,codename,series,created,release,eol,eol-server
 18.04 LTS,Bionic Beaver,bionic,2017-10-19,2018-04-26,2023-04-26
 18.10,Cosmic Cuttlefish,cosmic,2018-04-26,2018-10-18,2019-07-18
 19.04,Disco Dingo,disco,2018-10-18,2019-04-18,2020-01-18
+19.10,Eoan EANIMAL,eoan,2019-04-18,2019-10-17,2020-07-17
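Review bot: The codename column of the new 19.10 row is "Eoan EANIMAL", a placeholder rather than a real name, and tools that print this column will emit it verbatim. The changelog calls it provisional, so the upload that sets the final name should be tracked, and the placeholder is worth a mention in the unblock request text so reviewers do not read it as a typo.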


Bug#925461: unblock: pypy/7.0.0+dfsg-3, backports.functools-lru-cache/1.5-3

2019-03-25 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock pypy & backports.functools-lru-cache.

A relatively last-minute feature in pypy was namespace package support
(#920899).  Unfortunately the path I picked isn't what dh_pypy (in
dh-python) implemented, and I think Piotr's rationale for that was
reasonable. But I didn't notice the incompatibility until after the
freeze.

So, #924676 and #924677.

debdiffs attached.

unblock pypy/7.0.0+dfsg-3
unblock backports.functools-lru-cache/1.5-3

Thanks,

SR
diff -Nru pypy-7.0.0+dfsg/debian/changelog pypy-7.0.0+dfsg/debian/changelog
--- pypy-7.0.0+dfsg/debian/changelog2019-02-12 17:41:21.0 -0500
+++ pypy-7.0.0+dfsg/debian/changelog2019-03-24 11:07:07.0 -0400
@@ -1,3 +1,12 @@
+pypy (7.0.0+dfsg-3) unstable; urgency=medium
+
+  * Update watch file regex, upstream calls it pypy2.7 now.
+  * pypycompile and pypyclean now read namespaces from /usr/share/pypy/ns
+(following dh_pypy). (Closes: #924676)
+- Breaks old pypy-backports.functools-lru-cache, using the old location.
+
+ -- Stefano Rivera   Sun, 24 Mar 2019 11:07:07 -0400
+
 pypy (7.0.0+dfsg-2) unstable; urgency=medium
 
   * Remove dh_builddeb override, no longer necessary.
diff -Nru pypy-7.0.0+dfsg/debian/control pypy-7.0.0+dfsg/debian/control
--- pypy-7.0.0+dfsg/debian/control  2019-02-12 17:41:21.0 -0500
+++ pypy-7.0.0+dfsg/debian/control  2019-03-24 11:07:07.0 -0400
@@ -18,8 +18,8 @@
  procps,
  pypy [any-amd64 any-i386 armhf ppc64 ppc64el s390x] ,
  python (>= 2.6.6-11~),
- python-pycparser,
  python-docutils,
+ python-pycparser,
  python-sphinx (>= 1.0.7+dfsg),
  python2.7-dev,
  tcl-dev,
@@ -36,7 +36,9 @@
 Package: pypy
 Architecture: any
 Depends: pypy-lib (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
-Breaks: pypy-dev (<< ${source:Version})
+Breaks:
+ pypy-backports.functools-lru-cache (<< 1.5-3~),
+ pypy-dev (<< ${source:Version})
 Provides: ${pypy-abi}
 Suggests: pypy-doc, pypy-tk (= ${binary:Version})
 Pre-Depends: dpkg (>= 1.15.6~), ${misc:Pre-Depends}
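Review bot: The new Breaks in the pypy stanza covers only pypy-backports.functools-lru-cache (<< 1.5-3~), but the scripts changed later in this debdiff stop reading /usr/lib/pypy/ns altogether. Any other installed package that still ships a namespace file in the old directory would be ignored without an error after the upgrade, so it is worth confirming that no other package in the archive uses the old location, or adding it to Breaks if one does.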
diff -Nru pypy-7.0.0+dfsg/debian/copyright pypy-7.0.0+dfsg/debian/copyright
--- pypy-7.0.0+dfsg/debian/copyright2019-02-12 17:41:21.0 -0500
+++ pypy-7.0.0+dfsg/debian/copyright2019-03-24 11:07:07.0 -0400
@@ -206,7 +206,7 @@
   Floris Bruynooghe
   Christopher Pope
   Tristan Arthur
-  Christian Tismer 
+  Christian Tismer
   Dan Stromberg
   Carl Meyer
   Florin Papa
diff -Nru pypy-7.0.0+dfsg/debian/pypy.dirs pypy-7.0.0+dfsg/debian/pypy.dirs
--- pypy-7.0.0+dfsg/debian/pypy.dirs2019-02-12 17:41:21.0 -0500
+++ pypy-7.0.0+dfsg/debian/pypy.dirs2019-03-24 11:07:07.0 -0400
@@ -1,2 +1,2 @@
+/usr/share/pypy/ns
 /usr/local/lib/pypy2.7/dist-packages
-/usr/lib/pypy/ns
diff -Nru pypy-7.0.0+dfsg/debian/pypy.install 
pypy-7.0.0+dfsg/debian/pypy.install
--- pypy-7.0.0+dfsg/debian/pypy.install 2019-02-12 17:41:21.0 -0500
+++ pypy-7.0.0+dfsg/debian/pypy.install 2019-03-24 11:07:07.0 -0400
@@ -2,5 +2,5 @@
 debian/scripts/pypycompile/usr/bin
 include/pypy_*.h  /usr/lib/pypy/include
 lib_pypy/_*_cffi.*.so /usr/lib/pypy/lib_pypy
-pypy/goal/pypy-c  /usr/lib/pypy/bin
 pypy/goal/libpypy-c.so/usr/lib/pypy/bin
+pypy/goal/pypy-c  /usr/lib/pypy/bin
diff -Nru pypy-7.0.0+dfsg/debian/pypy.links pypy-7.0.0+dfsg/debian/pypy.links
--- pypy-7.0.0+dfsg/debian/pypy.links   2019-02-12 17:41:21.0 -0500
+++ pypy-7.0.0+dfsg/debian/pypy.links   2019-03-24 11:07:07.0 -0400
@@ -1,2 +1,2 @@
-/usr/lib/pypy/bin/pypy-c /usr/bin/pypy
 /usr/lib/pypy/bin/libpypy-c.so /usr/lib/libpypy-c.so
+/usr/lib/pypy/bin/pypy-c /usr/bin/pypy
diff -Nru pypy-7.0.0+dfsg/debian/scripts/pypyclean 
pypy-7.0.0+dfsg/debian/scripts/pypyclean
--- pypy-7.0.0+dfsg/debian/scripts/pypyclean2019-02-12 17:41:21.0 
-0500
+++ pypy-7.0.0+dfsg/debian/scripts/pypyclean2019-03-24 11:07:07.0 
-0400
@@ -31,7 +31,7 @@
 
 def installed_namespaces():
 '''Return a dictionary of package: frozenset(namespaces)'''
-ns_dir = '/usr/lib/pypy/ns'
+ns_dir = '/usr/share/pypy/ns'
 ns_by_pkg = {}
 for pkg in os.listdir(ns_dir):
 ns_file = os.path.join(ns_dir, pkg)
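Review bot: The directory literal changed here in installed_namespaces() is changed again, as a separate string, in pypycompile, so the two scripts can drift apart the same way they drifted from dh_pypy. A single shared constant for '/usr/share/pypy/ns' would make the next move a one-line change; also note that os.listdir(ns_dir) relies on the pypy.dirs entry to guarantee the directory exists.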
diff -Nru pypy-7.0.0+dfsg/debian/scripts/pypycompile 
pypy-7.0.0+dfsg/debian/scripts/pypycompile
--- pypy-7.0.0+dfsg/debian/scripts/pypycompile  2019-02-12 17:41:21.0 
-0500
+++ pypy-7.0.0+dfsg/debian/scripts/pypycompile  2019-03-24 11:07:07.0 
-0400
@@ -45,7 +45,7 @@
 '''Iterate through a package's ns file.
 Create all necessary__init__.pys, and yield them.
 '''
-ns_file = os.path.join('/usr/lib/pypy/ns', package)
+ns_file = os.path.join('/usr/share/pypy/ns', package)
 if not os.path.exists(ns_file):
 return
 with open(ns_file) as f:
diff -Nru py

Bug#922300: unblock: chef/13.8.7-3, ohai/13.8.0-1

2019-02-27 Thread Stefano Rivera
Hi Release Team:
> unblock chef/13.8.7-3
> unstable ohai/13.8.0-1
> OR
> remove ruby-cheffish/13.1.0-2

I have a couple of packages that are part of the chef stack
and some were pulled out with it, through no fault of their own.


So, I'd add to that, a

unblock foodcritic/13.1.1-2
unblock ruby-knife-acl/1.0.3-2

Neither of those are critical to the maintenance of ci.debian.org, but
they are of use to people managing Cheffed infrastructure, and don't
have particularly high popcon or bug numbers.

OR

If we don't unblock the chef stack, can we also:

remove chef-zero/13.1.0-2

It seems silly to keep it in the release, without chef.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272



Bug#918501: transition: re2

2019-01-10 Thread Stefano Rivera
Hi Emilio (2019.01.07_10:32:43_-0800)
> Thanks, uploaded.

I see dnsdist failed to binnmu on i386. I suspect this is a
transient/intermittent test failure - it builds for me locally.

Try a give-back?

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272



Bug#918501: transition: re2

2019-01-07 Thread Stefano Rivera
Hi Emilio (2019.01.07_19:05:02_+0200)
> Go ahead.

Thanks, uploaded.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272



Bug#918501: transition: re2

2019-01-06 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

re2 is a C++ regex library, requiring about a transition a year, for
various symbol changes.

Only 6 reverse dependencies in testing.
The automated ben file looks fine:
https://release.debian.org/transitions/html/auto-re2.html

I've uploaded to experimental and test-built all of the reverse-deps. No
regressions in amd64 buildability of them. Everything that's in testing
rebuilt without patching.

Still waiting for some MIPS*el builds, but those could take weeks... And
not expecting any new FTBFS - I've test-built them on the porterbox.

reportbug ben file:

title = "re3";
is_affected = .depends ~ "libre2-4" | .depends ~ "libre2-5";
is_good = .depends ~ "libre2-5";
is_bad = .depends ~ "libre2-4";

SR



Bug#891185: transition: re2

2018-02-22 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hi, re2 is C++ and likes to have transitions. Not many reverse-deps,
though :)

It's in experimental.

I've test built the reverse-depends, and didn't see any new failures. I
can't get chromium-browser to build before or after the transition, but
presumably it's fine, Google would be targeting the latest re2 anyway.

Reportbug Ben file:

title = "re2";
is_affected = .depends ~ "libre2-3" | .depends ~ "libre2-4";
is_good = .depends ~ "libre2-4";
is_bad = .depends ~ "libre2-3";

https://release.debian.org/transitions/html/auto-re2.html Looks good,
though.

SR



Bug#864076: unblock: distro-info-data/0.36

2017-06-03 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package distro-info-data

This is a pre-upload unblock request for distro-info-data, now that the
Jessie release date has been announced.

While I was here, I realised that we didn't have EOL dates for Jessie or
Wheezy yet :( We have a long-standing bug of not including LTS dates
(#782685) so I've maintained the status-quo and did that for these two
as well. Alternatively, I could just extend the support dates out to
include LTS, but that seems like another bad idea :/

So, are you OK with this patch-set, and would you consider allowing it
in, for Stretch?

unblock distro-info-data/0.36

Thanks,

SR

diff --git a/debian.csv b/debian.csv
index c1f0962..b476031 100644
--- a/debian.csv
+++ b/debian.csv
@@ -10,10 +10,10 @@ version,codename,series,created,release,eol
 4.0,Etch,etch,2005-06-06,2007-04-08,2010-02-15
 5.0,Lenny,lenny,2007-04-08,2009-02-14,2012-02-06
 6.0,Squeeze,squeeze,2009-02-14,2011-02-06,2014-05-31
-7,Wheezy,wheezy,2011-02-06,2013-05-04
-8,Jessie,jessie,2013-05-04,2015-04-25
-9,Stretch,stretch,2015-04-25
-10,Buster,buster,2018-07-01
+7,Wheezy,wheezy,2011-02-06,2013-05-04,2016-04-26
+8,Jessie,jessie,2013-05-04,2015-04-25,2018-06-06
+9,Stretch,stretch,2015-04-25,2017-06-17
+10,Buster,buster,2017-06-17
 11,Bullseye,bullseye,2020-11-05
 ,Sid,sid,1993-08-16
 ,Experimental,experimental,1993-08-16
diff --git a/debian/changelog b/debian/changelog
index cec721c..130df23 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+distro-info-data (0.36) UNRELEASED; urgency=medium
+
+  * Set EOL date for Debian Wheezy. This excludes LTS, which we haven't
+supported in distro-info yet, for Debian, but matches what we did for
+Squeeze.
+  * Set (provisional) EOL date for Debian Jessie.
+  * Set release date for Stretch (and matching creation date for Buster). It
+has been announced.
+
+ -- Stefano Rivera <stefa...@debian.org>  Sat, 03 Jun 2017 18:07:40 -0700
+
 distro-info-data (0.35) unstable; urgency=medium
 
   * Correct Ubuntu Zesty release date.
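Review bot: the Jessie bullet does not say whether the provisional EOL date includes LTS, while the Wheezy bullet spells out that LTS is excluded. Tools read this column to decide whether a release is still supported, so state the same for Jessie (and reference #782685) so the two entries cannot be read differently.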



Bug#860864: unblock: distro-info-data/0.35

2017-04-20 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package distro-info-data

Ubuntu 17.04 has now released, and we need to add 17.10.

Of course there will still need to be one more update of
distro-info-data once stretch has a release date (that could be after
the release).

unblock distro-info-data/0.35

Thanks,

SR
diff -Nru distro-info-data-0.33/debian/changelog 
distro-info-data-0.35/debian/changelog
--- distro-info-data-0.33/debian/changelog  2017-01-15 15:53:52.0 
-0800
+++ distro-info-data-0.35/debian/changelog  2017-04-20 19:43:47.0 
-0700
@@ -1,3 +1,15 @@
+distro-info-data (0.35) unstable; urgency=medium
+
+  * Correct Ubuntu Zesty release date.
+
+ -- Stefano Rivera <stefa...@debian.org>  Thu, 20 Apr 2017 19:43:47 -0700
+
+distro-info-data (0.34) unstable; urgency=medium
+
+  * Add Ubuntu 17.10, Artful Aardvark.
+
+ -- Stefano Rivera <stefa...@debian.org>  Thu, 20 Apr 2017 16:42:23 -0700
+
 distro-info-data (0.33) unstable; urgency=medium
 
   * Add Debian 11 codename (with provisional creation date) (Closes: #851447)
diff -Nru distro-info-data-0.33/ubuntu.csv distro-info-data-0.35/ubuntu.csv
--- distro-info-data-0.33/ubuntu.csv2016-10-21 15:48:30.0 -0700
+++ distro-info-data-0.35/ubuntu.csv2017-04-20 19:43:47.0 -0700
@@ -24,4 +24,5 @@
 15.10,Wily Werewolf,wily,2015-04-23,2015-10-22,2016-07-22
 16.04 LTS,Xenial Xerus,xenial,2015-10-22,2016-04-21,2021-04-21
 16.10,Yakkety Yak,yakkety,2016-04-21,2016-10-13,2017-07-20
-17.04,Zesty Zapus,zesty,2016-10-13,2017-04-20,2018-01-25
+17.04,Zesty Zapus,zesty,2016-10-13,2017-04-13,2018-01-25
+17.10,Artful Aardvark,artful,2017-04-13,2017-10-19,2018-07-19
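Review bot: the Zesty row moves its release date from 2017-04-20 to 2017-04-13 but leaves eol at 2018-01-25. The new Artful row and the Wily row above use the release date plus exactly nine months; please confirm that 2018-01-25 is the announced date and not a leftover derived from the old release date.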


Bug#855555: unblock: hdmi2usb-fx2-firmware/0.0.0~git20151225-1

2017-02-20 Thread Stefano Rivera
Control: tags -1 - moreinfo

> How soon can we have confirmed whether this upload fixes the issue with
> Numato Opsis boards?  If we unblock this, I would like to know it at
> least fixes the issue we are unblocking it for.

It works. I confirmed this yesterday, and with the package, as built in
the archive, this morning.

Thanks CarlFK for hooking up an Opsis for me :)

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272



Bug#855555: unblock: hdmi2usb-fx2-firmware/0.0.0~git20151225-1

2017-02-19 Thread Stefano Rivera
2 @@ install:
   - # Install sdcc
   - sudo apt-get install --force-yes -y sdcc
   - sdcc --version
+  - # doxygen & rubber are needed for generating the documentation
+  - sudo apt-get install -y doxygen rubber
 
 script:
   - make
+  - make docs
+
+after_success:
+  - ./.travis-push-docs.sh
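Review bot: the new after_success step runs ./.travis-push-docs.sh after every successful build, and nothing in this hunk limits it to one branch or excludes pull-request builds. If that script pushes with stored credentials, guard it so it only runs for the branch the docs are published from. Separately, the existing sdcc line still passes --force-yes, which lets apt proceed without authentication checks; the new doxygen/rubber line rightly omits it, and the sdcc line could follow.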
diff --git a/debian/changelog b/debian/changelog
index 3541a3a..82797f3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,12 @@
-hdmi2usb-fx2-firmware (0.0.0~git20151018-1) unstable; urgency=low
+hdmi2usb-fx2-firmware (0.0.0~git20151225-1) UNRELEASED; urgency=low
+
+  * New upstream release (different git branch)
+- Should actually build a working uart firmware for the opsis.
+  (Closes: #855548)
+
+ -- Stefano Rivera <stefa...@debian.org>  Mon, 28 Nov 2016 23:35:19 -0800
+
+hdmi2usb-fx2-firmware (0.0.0~git20151128-1) unstable; urgency=low
 
   * Initial upload. (Closes: #796769)
 
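Review bot: this hunk changes the version of the existing "Initial upload" entry from 0.0.0~git20151018-1 to 0.0.0~git20151128-1 while adding the new entry above it. An entry for a version that was already uploaded should not be edited afterwards; if 20151128 is what is really in the archive, say so in the request. The new entry is also still UNRELEASED and its trailer is dated 28 Nov 2016, so it needs finalising before upload.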
diff --git a/debian/rules b/debian/rules
index c4f2158..152525d 100755
--- a/debian/rules
+++ b/debian/rules
@@ -4,12 +4,13 @@
 	dh $@
 
 VER=$(shell dpkg-parsechangelog | sed -rne 's/^Version: (.+)-.*/\1/p')
+BRANCH=opsis-uart-with-eeprom-serialno
 get-packaged-orig-source:
-	git clone https://github.com/mithro/fx2lib -b cdc-usb-serialno-from-eeprom
+	git clone https://github.com/mithro/fx2lib -b $(BRANCH)
 	set -xe; \
 		GIT_DATE=$$(dpkg-parsechangelog | sed -rne 's/^Version: .*\~git()(..)(..)-.*/\1-\2-\3 00:00:00 UTC/p'); \
 		cd fx2lib; \
-		GIT_COMMIT=$$(git rev-list -n1 --until="$$GIT_DATE" cdc-usb-serialno-from-eeprom); \
+		GIT_COMMIT=$$(git rev-list -n1 --until="$$GIT_DATE" $(BRANCH)); \
 		git archive $$GIT_COMMIT --prefix=hdmi2usb-fx2-firmware_$(VER).orig/ \
 			-o ../hdmi2usb-fx2-firmware_$(VER).orig.tar
 	xz -f hdmi2usb-fx2-firmware_$(VER).orig.tar
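Review bot: get-packaged-orig-source still selects the upstream commit indirectly, as the newest commit on $(BRANCH) before the date parsed from the version, so the orig tarball depends on what the remote branch contains at clone time. A rebased or force-pushed branch would give a different tarball for the same version. Consider recording the exact commit hash next to BRANCH and passing it to git archive, so the source can be reproduced and audited.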
diff --git a/examples/cdc/Makefile b/examples/cdc/Makefile
index 57cb825..e9b579c 100644
--- a/examples/cdc/Makefile
+++ b/examples/cdc/Makefile
@@ -1,4 +1,4 @@
-DIRS=to-uart
+DIRS=loopback to-uart
  
 .PHONY: dirs $(DIRS) clean
  
diff --git a/examples/cdc/common/dscr.a51 b/examples/cdc/common/dscr.a51
index 285d9f9..533d5ec 100644
--- a/examples/cdc/common/dscr.a51
+++ b/examples/cdc/common/dscr.a51
@@ -42,7 +42,8 @@ ENDPOINT_TYPE_ISO=1
 ENDPOINT_TYPE_BULK=2
 ENDPOINT_TYPE_INT=3
 
-.globl	_dev_dscr, _dev_qual_dscr, _highspd_dscr, _fullspd_dscr, _dev_strings, _dev_strings_end, _dev_serial
+.globl	_dev_dscr, _dev_qual_dscr, _highspd_dscr, _fullspd_dscr, _dev_strings, _dev_strings_end
+.globl	_dev_serial
 ; These need to be in code memory.  If
 ; they aren't you'll have to manully copy them somewhere
 ; in code memory otherwise SUDPTRH:L don't work right
@@ -57,9 +58,9 @@ _dev_dscr:
 	.db 0x00  ; 5 bDeviceSubclass 1 Subclass code
 	.db 0x00  ; 6 bDeviceProtocol 1 Protocol Code
 	.db 64; 7 bMaxPacketSize0 1 Maximum packet size for endpoint zero
-	.dw 0xB404; 8 idVendor 2 Vendor ID
-	.dw 0x0410; 10 idProduct 2 Product ID
-	.dw 0x0100; 12 bcdDevice 2 Device release number (BCD)
+	.dw 0x192A; 8 idVendor 2 Vendor ID
+	.dw 0x4154; 10 idProduct 2 Product ID
+	.dw 0x0300; 12 bcdDevice 2 Device release number (BCD)
 	.db 1 ; 14 iManufacturer 1 Index of string descriptor for the manufacturer
 	.db 2 ; 15 iProduct 1 Index of string descriptor for the product
 	.db 3 ; 16 iSerialNumber 1 Index of string descriptor for the serial number
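Review bot: the idVendor/idProduct change in _dev_dscr (0xB404/0x0410 to 0x192A/0x4154, with bcdDevice going from 0x0100 to 0x0300) changes how every host identifies the device, but the changelog entry in this patch only mentions building a working uart firmware. Please state where the new IDs come from, and check that any udev rules or host tools matching on the old pair are updated in the same upload.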
@@ -107,7 +108,7 @@ highspd_dscr_end:
 	.db 0x02 ; Interface class
 	.db 0x02 ; Interface sub class
 	.db 0x01 ; Interface protocol code class
-	.db 0x00 ; Interface descriptor string index
+	.db 0; Interface descriptor string index
 
 	;; CDC Header Functional Descriptor
 	.db 0x05 ; Descriptor Size in Bytes (5)
@@ -154,7 +155,7 @@ highspd_dscr_end:
 	.db 0x0A ; Interface class
 	.db 0x00 ; Interface sub class
 	.db 0x00 ; Interface protocol code class
-	.db 0x00 ; Interface descriptor string index
+	.db 0; Interface descriptor string index
 
 ; endpoint 2 out
 	.db DSCR_ENDPOINT_LEN; Descriptor length
@@ -195,15 +196,15 @@ fullspd_dscr_end:
 ; NOTE the default TRM actually has more alt interfaces
 ; but you can add them back in if you need them.
 ; here, we just use the default alt setting 1 from the trm
-	.db	DSCR_INTERFACE_LEN
-	.db	DSCR_INTERFACE_TYPE
-	.db	0 ; index
-	.db	0 ; alt setting idx
-	.db	2 ; n endpoints
-	.db	0x2			 ; class
-	.db	0x2
-	.db	0x1
-	.db	3	 ; string index
+	.db DSCR_INTERFACE_LEN
+	.db DSCR_INTERFACE_TYPE
+	.db

Bug#834545: transition: re2

2016-09-02 Thread Stefano Rivera
Hi Emilio (2016.08.31_00:35:21_+0200)
> > Would you mind if I held back for the next release, due on the 1st?

So, that is staged in git and ready to go.

It will require a 1-line patch to ocaml-re2 (inserting an std::), and
ruby-re2 should be binnmuable.

chromium-browser, libphonenumber, and hhvm all have unrelated FTBFSs at
the moment.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272



Bug#834545: transition: re2

2016-08-30 Thread Stefano Rivera
Hi Emilio (2016.08.31_00:35:21_+0200)
> > Would you mind if I held back for the next release, due on the 1st?
> 
> 1st of September?
> 
> That'd be fine.

Yep. Upstream does monthly snapshots, rather than releases. And seem to
be moving rather fast atm.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272



Bug#834545: transition: re2

2016-08-30 Thread Stefano Rivera
Hi Emilio (2016.08.29_09:58:46_+0200)
> Go ahead.

Would you mind if I held back for the next release, due on the 1st?

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272



Bug#834545: transition: re2

2016-08-16 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

It's already in experimental, where it has built on all release
architectures, so:

Ben file: https://release.debian.org/transitions/html/auto-re2.html

Only two reverse dependencies, which build on amd64. So, should be a
trivial binNMU transition.

SR

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_ZA.UTF-8, LC_CTYPE=en_ZA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Bug#814930: jessie-pu: package hplip/3.15.11+repack0-1

2016-02-23 Thread Stefano Rivera
 
 ui4/pqdiagdialog_base.py|4 
 ui4/printdialog.py  |  155 --
 ui4/printdialog_base.py |6 
 ui4/printernamecombobox.py  |9 
 ui4/printsettingsdialog.py  |   10 
 ui4/printsettingsdialog_base.py |4 
 ui4/printsettingstoolbox.py |  167 +-
 ui4/printtestpagedialog.py  |   14 
 ui4/printtestpagedialog_base.py |4 
 ui4/queuesconf.py   |8 
 ui4/readonlyradiobutton.py  |2 
 ui4/sendfaxdialog.py|  110 -
 ui4/sendfaxdialog_base.py   |4 
 ui4/settingsdialog.py   |9 
 ui4/settingsdialog_base.py  |4 
 ui4/setupdialog.py  |  215 ++-
 ui4/setupdialog_base.py |   51 
 ui4/systemtray.py   |   68 -
 ui4/systrayframe.py |   18 
 ui4/ui_utils.py |  247 ++--
 ui4/upgradedialog.py|8 
 ui4/wifisetupdialog.py  |   83 -
 ui4/wifisetupdialog_base.py |2 
 uninstall.py|8 
 unload.py   |  179 +--
 upgrade.py  |   46 
 wificonfig.py   |   14 
 241 files changed, 8496 insertions(+), 6187 deletions(-)

This was mostly putting a feeler out, as Didier thought you may be interested
in a stable update, that supported new hardware. It seems to not be the
case, so maybe I should just do a backport.

I'm not particularly invested in this. I just made a backport that is
probably useful to others, and am trying to find the right place to put
it.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272



Bug#814930: jessie-pu: package hplip/3.15.11+repack0-1

2016-02-16 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

I asked the printing people how they felt about a backport of hplip,
and OdyX suggested [0]:

> As far as I remember (but could never take the time to actively
> check), the Debian Stable Managers were open to update packages in
> Stable for hardware support (and "new HP Printer" would qualify). I
> haven't checked the hplip code to see whether a full new upstream
> release would make sense over backporting specific parts though.

> tl;dr: I'd check with the SRMs first.

How would you feel about a wholesale backport of hplip, to stable?

No debdiff attached, because it's scary huge. Not even a diffstat,
because:

> 4362 files changed, 1703256 insertions(+), 17230 deletions(-)

[0]: https://lists.debian.org/3588455.xzku8qg...@odyx.org

SR



Bug#746946: wheezy-pu: package distro-info-data/0.23~deb7u1

2015-04-16 Thread Stefano Rivera
Hi Raphael (2015.04.16_11:00:58_+0200)
> FWIW, Debian 6 Squeeze is supported for at least 5 years (i.e. 2016-02-06) and
> most likely until Wheezy is no longer supported (i.e. 2016-04-24).
>
> cf http://wiki.debian.org/LTS

We could hack that in, but we should really support LTS separately. This
is #782685.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150416164917.ga3...@bach.rivera.co.za



Bug#782668: unblock: distro-info-data/0.25

2015-04-15 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Would you accept this into jessie at this late date? It should have
probably been submitted 2 weeks ago. Mea culpa.

There is probably going to be another update, next month, when Ubuntu
15.10 is added. But that's less important for our users.

This would be the diff against jessie:

diff --git a/debian.csv b/debian.csv
index 2c8a00c..adac206 100644
--- a/debian.csv
+++ b/debian.csv
@@ -11,6 +11,8 @@ version,codename,series,created,release,eol
 5.0,Lenny,lenny,2007-04-08,2009-02-14,2012-02-06
 6.0,Squeeze,squeeze,2009-02-14,2011-02-06,2014-05-31
 7,Wheezy,wheezy,2011-02-06,2013-05-04
-8,Jessie,jessie,2013-05-04
+8,Jessie,jessie,2013-05-04,2015-04-25
+9,Stretch,stretch,2015-04-25
+10,Buster,buster,2018-07-01
 ,Sid,sid,1993-08-16
 ,Experimental,experimental,1993-08-16
diff --git a/debian/changelog b/debian/changelog
index f1a8d14..43fd29c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+distro-info-data (0.25) UNRELEASED; urgency=medium
+
+  * Update Debian 9 target release date.
+
+ -- Stefano Rivera stefa...@debian.org  Wed, 15 Apr 2015 16:16:37 -0400
+
+distro-info-data (0.24) unstable; urgency=medium
+
+  * Add Debian 9 and 10 codenames (with provisional creation dates)
+
+ -- Benjamin Drung bdr...@debian.org  Mon, 10 Nov 2014 12:36:20 +0100
+
 distro-info-data (0.23) unstable; urgency=medium
 
   [ Colin Watson ]
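Review bot: the 0.25 entry reads "Update Debian 9 target release date", but the debian.csv hunk in this diff adds a release date only to the 8/Jessie row; the 9/Stretch row gets just a creation date. Reword the entry to say that Jessie's release date (and with it Stretch's creation date) was set.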


unblock distro-info-data/0.25

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable'), (100, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_ZA.utf8, LC_CTYPE=en_ZA.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)





Bug#782668: unblock: distro-info-data/0.25

2015-04-15 Thread Stefano Rivera
Hi Niels (2015.04.15_22:39:29_+0200)
> Ack, please go ahead.  However, please ensure this is in unstable before
> the 9:52 UTC dinstall tomorrow (the 15th of April).

Thanks. Uploaded and accepted.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272





Bug#746946: wheezy-pu: package distro-info-data/0.23~deb7u1

2015-04-15 Thread Stefano Rivera
Hi Adam (2015.03.28_21:09:54_+0200)
> Argh, this somehow fell through the cracks again. :-(

And then I put this off for two weeks, and it's now out of date.

New revision, including the 8.0 change, but not 7.0, as discussed. Based
on #782668:

diff -Nru distro-info-data-0.17~deb7u1/debian/changelog 
distro-info-data-0.26~deb7u1/debian/changelog
--- distro-info-data-0.17~deb7u1/debian/changelog   2013-10-21 
11:13:46.0 -0400
+++ distro-info-data-0.26~deb7u1/debian/changelog   2015-04-15 
18:35:51.0 -0400
@@ -1,3 +1,16 @@
+distro-info-data (0.26~deb7u1) stable; urgency=medium
+
+  * Backport updates up to 0.26:
+- Correct EOL date of Debian 6.0 Squeeze to 2014-05-31.
+- Correct Debian 8 version (was 8.0).
+- Update EOL date of Ubuntu 12.10 Quantal Quetzal to 2014-05-16.
+- Update EOL date of Ubuntu 13.04 Raring Ringtai to 2014-01-27.
+- Add Ubuntu 14.10, Utopic Unicorn.
+- Add Ubuntu 15.04, Vivid Vervet.
+- Add Debian 9 and 10 codenames (with provisional creation dates).
+
+ -- Stefano Rivera stefa...@debian.org  Sun, 26 Oct 2014 14:14:45 -0700
+
 distro-info-data (0.17~deb7u1) stable; urgency=low
 
   * Add Ubuntu 14.04, Trusty Tahr. (Closes: #726696, 727020)
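Review bot: the trailer of the new 0.26~deb7u1 entry is dated Sun, 26 Oct 2014, which is older than the 2015-04-15 timestamps on the files in this debdiff. Refresh the trailer before upload, and fix "Raring Ringtai" to "Raring Ringtail" in the same entry.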
diff -Nru distro-info-data-0.17~deb7u1/debian.csv 
distro-info-data-0.26~deb7u1/debian.csv
--- distro-info-data-0.17~deb7u1/debian.csv 2013-10-21 10:58:51.0 
-0400
+++ distro-info-data-0.26~deb7u1/debian.csv 2015-04-15 18:29:12.0 
-0400
@@ -9,8 +9,10 @@
 3.1,Sarge,sarge,2002-07-19,2005-06-06,2008-03-30
 4.0,Etch,etch,2005-06-06,2007-04-08,2010-02-15
 5.0,Lenny,lenny,2007-04-08,2009-02-14,2012-02-06
-6.0,Squeeze,squeeze,2009-02-14,2011-02-06,2014-05-04
+6.0,Squeeze,squeeze,2009-02-14,2011-02-06,2014-05-31
 7.0,Wheezy,wheezy,2011-02-06,2013-05-04
-8.0,Jessie,jessie,2013-05-04
+8,Jessie,jessie,2013-05-04,2015-04-25
+9,Stretch,stretch,2015-04-25
+10,Buster,buster,2018-07-01
 ,Sid,sid,1993-08-16
 ,Experimental,experimental,1993-08-16
diff -Nru distro-info-data-0.17~deb7u1/ubuntu.csv 
distro-info-data-0.26~deb7u1/ubuntu.csv
--- distro-info-data-0.17~deb7u1/ubuntu.csv 2013-10-21 10:58:51.0 
-0400
+++ distro-info-data-0.26~deb7u1/ubuntu.csv 2015-04-15 18:29:34.0 
-0400
@@ -15,7 +15,9 @@
 11.04,Natty Narwhal,natty,2010-10-10,2011-04-28,2012-10-28
 11.10,Oneiric Ocelot,oneiric,2011-04-28,2011-10-13,2013-05-09
 12.04 LTS,Precise Pangolin,precise,2011-10-13,2012-04-26,2017-04-26
-12.10,Quantal Quetzal,quantal,2012-04-26,2012-10-18,2014-04-18
-13.04,Raring Ringtail,raring,2012-10-18,2013-04-25,2014-01-25
+12.10,Quantal Quetzal,quantal,2012-04-26,2012-10-18,2014-05-16
+13.04,Raring Ringtail,raring,2012-10-18,2013-04-25,2014-01-27
 13.10,Saucy Salamander,saucy,2013-04-25,2013-10-17,2014-07-17
 14.04 LTS,Trusty Tahr,trusty,2013-10-17,2014-04-17,2019-04-17
+14.10,Utopic Unicorn,utopic,2014-04-17,2014-10-23,2015-07-23
+15.04,Vivid Vervet,vivid,2014-10-23,2015-04-23,2016-01-23

Apologies for the age of this bug. I get lazy sometimes.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272





Bug#782668: unblock: distro-info-data/0.25

2015-04-15 Thread Stefano Rivera
Control: tags -1 - moreinfo confirmed
Control: retitle -1 unblock: distro-info-data/0.26

> Ack, please go ahead.  However, please ensure this is in unstable before
> the 9:52 UTC dinstall tomorrow (the 15th of April).

Oof. I've just noticed that the Ubuntu Vivid Vervet release date moved a
week forward.

So I uploaded 0.26 with:

--- distro-info-data-0.25/debian/changelog  2015-04-15 16:41:29.0 
-0400
+++ distro-info-data-0.26/debian/changelog  2015-04-15 18:07:34.0 
-0400
@@ -1,3 +1,9 @@
+distro-info-data (0.26) unstable; urgency=medium
+
+  * Update Ubuntu 15.04, Vivid Vervet release date.
+
+ -- Stefano Rivera stefa...@debian.org  Wed, 15 Apr 2015 18:03:41 -0400
+
 distro-info-data (0.25) unstable; urgency=medium
 
   * Update Debian 9 target release date.
diff -Nru distro-info-data-0.25/ubuntu.csv distro-info-data-0.26/ubuntu.csv
--- distro-info-data-0.25/ubuntu.csv2015-04-15 16:41:29.0 -0400
+++ distro-info-data-0.26/ubuntu.csv2015-04-15 18:07:34.0 -0400
@@ -20,4 +20,4 @@
 13.10,Saucy Salamander,saucy,2013-04-25,2013-10-17,2014-07-17
 14.04 LTS,Trusty Tahr,trusty,2013-10-17,2014-04-17,2019-04-17
 14.10,Utopic Unicorn,utopic,2014-04-17,2014-10-23,2015-07-23
-15.04,Vivid Vervet,vivid,2014-10-23,2015-04-30,2016-01-30
+15.04,Vivid Vervet,vivid,2014-10-23,2015-04-23,2016-01-23

I assume given 0.25 was approved this is likely approved too, and an immediate
upload is the best approach here.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272





Bug#780169: jessie-pu: package youtube-dl/2014.08.05-1jessie0.1

2015-03-10 Thread Stefano Rivera
Control: tags -1 - moreinfo

> Please use 2014.08.05-1+deb8u1 as version number.

Lintian doesn't think that's correct for an NMU, but using it anyway.

Also, submitted a patch to developers-reference #768426.

> and jessie as a distribution (instead of testing).

Submitted #780243 (with a patch) to developers-reference.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272





Bug#780169: jessie-pu: package youtube-dl/2014.08.05-1jessie0.1

2015-03-09 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

youtube-dl 2014.08.05-1 requires SSLv3 in https requests, and doesn't use
protocol negotiation. See #780059. This, besides being bad and not very
future-proof, has caused complete incompatibility with Python 2.7.9,
which dropped the PROTOCOL_SSLv3 attribute from the ssl module.

This bug has been fixed, by the upstream, in unstable. But at this point
in the freeze, I doubt you'd consider letting the latest upstream
version migrate to testing.

So, please consider this t-p-u upload:

diff -Nru youtube-dl-2014.08.05/debian/changelog 
youtube-dl-2014.08.05/debian/changelog
--- youtube-dl-2014.08.05/debian/changelog  2014-08-06 11:43:31.0 
-0700
+++ youtube-dl-2014.08.05/debian/changelog  2015-03-09 17:15:30.0 
-0700
@@ -1,3 +1,11 @@
+youtube-dl (2014.08.05-1jessie0.1) testing; urgency=medium
+
+  * Non-maintainer upload.
+  * Use SSL protocol negotiation, rather than requiring SSLv3 (which is no
+longer supported in python 2.7.9). Closes: #780059.
+
+ -- Stefano Rivera stefa...@debian.org  Mon, 09 Mar 2015 17:14:45 -0700
+
 youtube-dl (2014.08.05-1) unstable; urgency=medium
 
   * Imported Upstream version 2014.08.05.
diff -Nru youtube-dl-2014.08.05/debian/patches/no-sslv3 
youtube-dl-2014.08.05/debian/patches/no-sslv3
--- youtube-dl-2014.08.05/debian/patches/no-sslv3   1969-12-31 
16:00:00.0 -0800
+++ youtube-dl-2014.08.05/debian/patches/no-sslv3   2015-03-09 
17:09:54.0 -0700
@@ -0,0 +1,34 @@
+Description: Support Python 2.7.9, which removed PROTOCOL_SSLv3
+ In fact, don't try to force an SSL version at all. Debian OpenSSL doesn't
+ support insecure versions.
+ Upstream use Python's default SSL handshake since
+ 
https://github.com/rg3/youtube-dl/commit/0db261ba567cb5370455d67c4398e11e5e2119f8
+ And switches to TLSv1 in legacy paths in
+ 
https://github.com/rg3/youtube-dl/commit/d79323136fabc2cd72afc7c124e17797e32df514
+Author: Stefano Rivera stefa...@debian.org
+Bug-Debian: https://bugs.debian.org/780059
+Forwarded: not-needed
+Last-Update: 2015-03-08
+
+--- a/youtube_dl/utils.py
 b/youtube_dl/utils.py
+@@ -588,17 +588,14 @@
+ if getattr(self, '_tunnel_host', False):
+ self.sock = sock
+ self._tunnel()
+-try:
+-self.sock = ssl.wrap_socket(sock, self.key_file, 
self.cert_file, ssl_version=ssl.PROTOCOL_SSLv3)
+-except ssl.SSLError:
+-self.sock = ssl.wrap_socket(sock, self.key_file, 
self.cert_file, ssl_version=ssl.PROTOCOL_SSLv23)
++self.sock = ssl.wrap_socket(sock, self.key_file, 
self.cert_file, ssl_version=ssl.PROTOCOL_SSLv23)
+ 
+ class HTTPSHandlerV3(compat_urllib_request.HTTPSHandler):
+ def https_open(self, req):
+ return self.do_open(HTTPSConnectionV3, req)
+ return HTTPSHandlerV3(**kwargs)
+ else:
+-context = ssl.SSLContext(ssl.PROTOCOL_SSLv3)
++context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+ context.verify_mode = (ssl.CERT_NONE
+if opts_no_check_certificate
+else ssl.CERT_REQUIRED)
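Review bot: in both branches the patch moves to ssl.PROTOCOL_SSLv23, which negotiates whatever the local OpenSSL still enables, so the exclusion of SSLv3 rests entirely on the Description's statement that Debian's OpenSSL does not support insecure versions. In the SSLContext branch it would be cheap to make that explicit with context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3. The Description also says upstream switched the legacy paths to TLSv1, while this patch uses PROTOCOL_SSLv23 in the wrap_socket path; a sentence on why the backport differs would help.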
diff -Nru youtube-dl-2014.08.05/debian/patches/series 
youtube-dl-2014.08.05/debian/patches/series
--- youtube-dl-2014.08.05/debian/patches/series 1969-12-31 16:00:00.0 
-0800
+++ youtube-dl-2014.08.05/debian/patches/series 2015-03-08 13:43:36.0 
-0700
@@ -0,0 +1 @@
+no-sslv3


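The pinning-versus-negotiation problem described in this request, as an added Python 3 example that is not part of the original message or of youtube-dl: rather than naming a protocol constant the interpreter may no longer have, the client builds a negotiating context and parses the ClientHello it would send to confirm SSLv3 is not on offer. The function names, the TLS 1.2 floor and the example.invalid hostname are assumptions made for the illustration.

```python
import ssl
import struct

# Wire values a ClientHello can advertise (lookup table constructed here).
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}


def pinned_protocol(name):
    """Return ssl.<name> if this interpreter still defines it, else None.

    Pinned constants such as PROTOCOL_SSLv3 disappear when the protocol is
    dropped, so code that references them unconditionally fails with
    AttributeError before any connection is attempted.
    """
    return getattr(ssl, name, None)


def make_client_context(no_check_certificate=False):
    """Build a client context that negotiates the version instead of pinning."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumed floor for the demo
    if no_check_certificate:
        # Order matters: hostname checking must be off before CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.load_default_certs()
    return ctx


def client_hello(ctx, hostname="example.invalid"):
    """Return the first TLS record the client would send, without a network."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for a ServerHello
    return outgoing.read()


def offered_versions(record):
    """List the protocol versions a ClientHello record offers to the server."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    try:
        pos = 9  # 5-byte record header + 4-byte handshake header
        (legacy,) = struct.unpack_from("!H", record, pos)
        pos += 2 + 32                       # legacy_version + random
        pos += 1 + record[pos]              # session_id
        (suites_len,) = struct.unpack_from("!H", record, pos)
        pos += 2 + suites_len               # cipher_suites
        pos += 1 + record[pos]              # compression_methods
        if pos + 2 > len(record):
            return [legacy]                 # no extensions at all
        (ext_total,) = struct.unpack_from("!H", record, pos)
        pos += 2
        end = min(pos + ext_total, len(record))
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 43:              # supported_versions
                list_len = record[pos]
                return [struct.unpack_from("!H", record, pos + 1 + i)[0]
                        for i in range(0, list_len, 2)]
            pos += ext_len
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello")
    # Without supported_versions the offer is capped by legacy_version.
    return [legacy]


if __name__ == "__main__":
    has_v3 = pinned_protocol("PROTOCOL_SSLv3") is not None
    print("ssl.PROTOCOL_SSLv3 defined:", has_v3)
    offer = offered_versions(client_hello(make_client_context()))
    print("offered:", [VERSION_NAMES.get(v, hex(v)) for v in offer])
```
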



Bug#746946: wheezy-pu: package distro-info-data/0.23~deb7u1

2015-01-07 Thread Stefano Rivera
Hi Adam (2015.01.06_22:11:55_+0200)
> To summarise discussions from IRC, Julien pointed out that there are a
> number of other places where we still refer to Wheezy as 7.0, including
> the Release Notes and debian-installer-netboot-images. Combined with the
> fact that this would be a change in stable, I think we should leave the
> Wheezy package as-is in terms of referring to Wheezy as 7.0.

Does that apply to only Wheezy, or Jessie too?

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272





Bug#746946: wheezy-pu: package distro-info-data/0.23~deb7u1

2015-01-05 Thread Stefano Rivera
Hi Adam (2015.01.02_18:49:41_+0200)
> Apologies for the delay in getting back to you regarding this. I think
> when I previously looked at the request I assumed that we meant the
> maintainers, rather than also the Release Team.

It meant everyone. But the RT have the final say, so mostly you :)

I also canvassed Benjamin's vote, and he thinks we should do 7.0 -> 7.

He also thinks we should roll in 0.24 changes (Debian 9 + 10) but I
think that should get into testing first, and he hasn't done anything to
make that happen...

> I agree that 7.0 is wrong, although it does always worry me changing
> stuff like this. If it's unlikely to have been used, maybe just an
> explicit mention somewhere obvious would suffice, so that people notice
> and can amend things if they are relying on it?

How obvious? A NEWS.Debian entry?

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272




Bug#746946: wheezy-pu: package distro-info-data/0.23~deb7u1

2014-12-28 Thread Stefano Rivera
Hi 746946 (2014.11.01_03:02:58_+0200)
> We still need to make a decision on this bit. I've left that patch in,
> for now.

Ping?

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  H: +27 21 461 1230 C: +27 72 419 8559





Bug#771148: (pre-upload) unblock: pypy/2.4.0+dfsg-2

2014-12-13 Thread Stefano Rivera
Control: tags -1 - moreinfo

> As you noted on irc, it still fails after 3 attempts, so a new upload is
> probably necessary. Please remove the moreinfo tag once the mipsel issue is
> resolved.

Another (pair of) give-backs resolved it.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272





Bug#771148: (pre-upload) unblock: pypy/2.4.0+dfsg-2

2014-12-08 Thread Stefano Rivera
Hi Dejan (2014.12.05_16:39:01_+0200)
 I have tried to build pypy on a few different boards.

 On Broadcom (mipsel) and cavium (mipsel),
 pypy was built successfully.

 On cavium (mips), build is still in progress.
 But it seems that it will pass as well.

 On lemote-3a-itx-a1101 (mipsel),
 build was successfully finished.

Thanks for the testing. It sounds like we should continue retrying this.

 I had noticed that on mipsel-manda-02.debian.org
 parallel=5 was used
  DEB_BUILD_OPTIONS=parallel=5.
 I am not sure if this is related to the
 build failure, but I will try it on lemote 3A again
 with this option.

The failure was during translation, which is not parallel. The only part
of the pypy build that parallelises is the compilation, which I've never
known to cause trouble.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272





Bug#771148: (pre-upload) unblock: pypy/2.4.0+dfsg-2

2014-12-03 Thread Stefano Rivera
Hi Ivo (2014.11.30_01:13:20_+0200)
   Accepted, and built everywhere. But we had an FTBFS on mipsel (SIGILL).
   I can't reproduce it on eder (the porterbox). My build there hasn't
   finished, but it's got a lot further.
 
 As you noted on irc, it still fails after 3 attempts, so a new upload is
 probably necessary. Please remove the moreinfo tag once the mipsel issue is
 resolved.

The porterbox build finished, without any trouble at all.

So, I can't reproduce the problem, without help from porters who have
access to hardware that behaves like mipsel-manda-02.

Either I need help from porters, or we should keep giving it back until
it hits another buildd, or I should upload the binaries I built on eder
(ick).

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272



