I'm starting the process of updating to new upstream.
I think that is reasonably likely to fix this. If not, I'll look into
the issue after the update.
I'm OK if moonshot-gss-eap falls out of testing for a few weeks.
--Sam
I can absolutely prepare a stable point update request for stretch.
Is there still going to be a last point release to jessie?
If so I'll look into that too; I'd definitely like to get an update in.
I'll remove it in purge.; there's another bug open effectively for that.
However, I think it is generally a good thing if the file exists.
Because of the dpkg bug we no longer install it, but I think our users
are better served by leaving the file on upgrades.
Take a look at the stretch branch of
git://git.debian.org/git/pkg-k5-afs/debian-krb5-2013.git
Shall I upload that to stable-security?
Actually, on that note, why does this bug merit a DSA?
It like the other bugs is a simple KDC crash from an authenticated
attacker.
It seems like it should be handled the same.
=== Resolution ===
The Technical Committee recognises that circumstances change in ways
that make previous resolutions no longer appropriate. In 2012, it was
resolved that the nodejs package should not provide /usr/bin/node due to
the historical conflict with the ax25-node
> "Petter" == Petter Reinholdtsen writes:
>> I think shortly after the release of buster, we can close this
>> bug and let moonshot-trust-router migrate into testing.
Petter> Did this time arrive?
Mostly.
I'm working through all the moonshot software and
Package: asterisk-opus
Version: 13.7+20161113-3
Severity: grave
Justification: renders package unusable
The asterisk package in unstable provides
asterisk-1fb7f5c06d7a2052e38d021b3d8ca151
but asterisk-opus depends on asterisk-fa819827cbff2ea35341af5458859233
It looks like this is a system that
I wonder if your nss stack is somehow caching something about the
network and the name servers and that kstart process is no longer able
to resolve KDCs.
It would be interesting to set KRB5_TRACE to a file, run kstart such
that it is failing and see what specifically is not working.
My bet is on
> "David" == David Bremner writes:
David> Philip Hands writes:
>> I presume we'd want to continue providing /usr/bin/nodejs for
>> people that have switched to using that, so that might as well
>> continue to be the name of the binary,
===BEGIN
The Technical Committee recommends that Niko Tyni be
appointed by the Debian Project Leader to the Technical Committee.
N: Recommend to Appoint Niko Tyni
F: Further Discussion
===END
I vote N>F
signature.asc
Description: PGP signature
control: severity -1 normal
Will remove this file early in buster.
> "Helmut" == Helmut Grohne writes:
Helmut> Package: libgssapi-krb5-2 Version: 1.15-1 Severity: serious
Helmut> libgssapi-krb5-2 is a shared library package and contains
Helmut> /etc/gss/mech.d/README. The latter filename does not depend
Helmut> on the
There's a new upstream for moonshot-trust-router that I believe should
work with openssl 1.1.
Realistically, I should be able to deal with moonshot-gss-eap #848680
within a month.
I think it may be more like two months to deal with both
moonshot-gss-eap and moonshot-trust-router, both of which
> "Didier" == Didier 'OdyX' Raboud writes:
Didier> For good reasons, Debian forcibly introduced a special-case
Didier> when Node.js first appeared in a stable release through only
Didier> shipping it under /usr/bin/nodejs. That forced hundreds of
Didier>
> "Thorsten" == Thorsten Glaser writes:
Thorsten> Hi,
>> * Restore /usr/bin/node following CTTE #862051 Let's try to drop
>> /usr/bin/nodejs before buster. Replaces and Conflicts
>> nodejs-legacy. Closes: #754462.
Thorsten> please do NOT completely
OK, let's give the security team some context.
RFC 2744 specifies some kind of unfortunate behavior for error
handling.
gss_init_sec_context and gss_accept_sec_context have an in/out context
parameter (pointer to pointer).
You initialize the pointed to value to null the first time through.
It
I suspect the version in experimental with work with vala 0.36, but will
confirm that.
OK, if the checksum doesn't change regularly, I can understand why the
current arrangement makes sense.
It would bxe great to get asterisk-opus rebuilt though:-)
I just uploaded the jessie update after fixing the extra comma in the
changelog. I did run tests covering these security updates. I found
that some of the tests included in make check were already failing on
jessie and were still failing after this update. It looks like this may
be related to
Wait...
Is that actually even legal under RFC 1964?
Doesn't this lead to leaks for correctly written applications?
--Sam
Ah, looked at the commit.
Yeah.
This makes sense.
This is somewhat of a behavior change.
Do we want to just bring this into unstable, or do we want to backport
it to stable releases?
It seems like there is a possibility of problems in either direction.
> "Julien" == Julien Puydt writes:
Julien> Hi, Le 31/08/2017 à 13:52, Jérémy Lal a écrit :
>> How about printing a "nice" warning explaining it would be a good
>> idea to move to /usr/bin/node ? Then in next next release drop
>> the nodejs symlink.
> "Dominique" == Dominique Dumont writes:
Dominique> On Thursday, 31 August 2017 13:58:23 CEST Thorsten Glaser wrote:
>> > How about printing a "nice" warning explaining it would be a
>> good idea to > move to /usr/bin/node ?
>>
>> That will break
Hi.
d-i preseeding.
I'd be happy to work with you if we can remove that from the equation.
I'd also be interested in why DNS srv lookups aren't good enough for
you.
If I had krb5-config to do again, I probably wouldn't support adding
realms at all.
The goals of krb5-config may not be entirely
Hi.
It looks like there hasn't been much traffic on this issue in the last
couple of weeks.
My analysis is that the key technical point here is whether it's
acceptable to treat unknown devices as possible modems.
It sounds like:
1) We don't have a good white list of modems.
2) We don't have
> "Aleksander" == Aleksander Morgado writes:
>> In going forward, I think it is important to consider that
>> Modemmanager's needs and Debian's needs may be different here.
>> In the case of Modemmanager as an upstream project, it may be
>> desirable
Hi. In #877024, the TC was asked to rule on whether modemmanager should
continue to probe USB devices that might not be modems.
There's been significant involvement from upstream leading to a new
optional behavior that is less aggressive about probing unknown devices.
Would it help the
Unfortunately, krb5-config is used fairly widely by software not in
Debian.
In the past krb5 has been fairly conservative, which in this case would
mean having krb5-multidev depend on krb5-multidev-bin for a release.
If we did that we would have a solution for buster+1 to make
krb5-multidev m-a
Hi.
When I install krb5-kdc, it logs to syslog not to /var/log/krb5kdc.log.
Where in the files installed by the krb5-kdc package are you seeing
configuration to install to /var/log/krb5kdc.log.
I agree upstream configures (or in some cases recommends configuring)
things that way, but I'm not
As you can tell I did not get around to looking at this last weekend.
The US holiday ended up taking up more time than I anticipated, and then
I got sick. This week my day job is taking up all my time; hope to have
some Debian cycles next week.
--Sam
So, I'm uncomfortable making a long-term promise to support krb5-config
in a multi-arch environment.
Today, the multi-arch change is easy to work with.
However, it seems entirely reasonable that the recommended cppflags and
cflags might differ between architectures, and I don't know that I want
Thanks.
I'll take a look next week.
This looks very promising.
Unless I'm missing something, I think you've done a lot of the work
regardless of whether we want to wrap krb5-config architecture scripts
or wrap a script that calls cross-pkg-config.
Why do you want to replace krb5-config with
> "Russ" == Russ Allbery writes:
>> But how can we link this output to CC?
Russ> That's a trickier question, since I'm not sure Autoconf or
Russ> make alway exports the current compiler as the CC environment
Russ> variable in all the ways krb5-config is
control: tags -1 -patch
control: severity -1 wishlist
> "Russ" == Russ Allbery writes:
Russ> Hugh McMaster writes:
>> The packages krb5-multidev and libkrb5-dev are not multi-arch
>> installable.
>> A diff of the i386 and amd64
So, I finally got a chance to look at this.
It sounds like you're taking a significantly different approach than we
had discussed earlier.
What we had talked about is parsing the output of $CC. For example
asking gcc what tripple it was built for and going from there.
But what you did is assume
control: affects -1 moonshot-gss-eap
control: block -2 with -1
Hi.
I will shortly be uploading a version of moonshot-gss-eap that is happy
to build against either openssl 1.1 or openssl 1.0.
Unfortunately, it won't actually build against openssl 1.1 because
dependencies on libxmltooling-dev will
>>>>> "Cantor," == Cantor, Scott <canto...@osu.edu> writes:
Cantor,> On 10/30/17, 4:36 PM, "Pkg-shibboleth-devel on behalf of
Cantor,> Sam Hartman"
Cantor,>
<pkg-shibboleth-devel-bounces+cantor.2=osu@lists.alioth.debian.org
Like Ian, I honestly don't know what the rules are in this situation.
Wou/ld it be reasonable for him to make an NMU to experimental, and then
if there is no objection after testing to unstable?
In parallel, it seems desirable to see if any of the maintainers are
active.
--Sam
>>>>> "Benjamin" == Benjamin Kaduk <ka...@mit.edu> writes:
Benjamin> On Mon, May 07, 2018 at 05:10:27PM +0100, Ben Hutchings wrote:
>> On Mon, 2018-05-07 at 11:57 -0400, Sam Hartman wrote:
>>
>> There are basically thre
I'm returning from vacation and jumping into the middle of this.
Back in the day when I wrote the code that became k5_get_os_entropy we
viewed two cases:
* kadmind. There we're likely to sometimes be generating long-term
shared secrets, and it seemed like strong random numbers were
> "Niels" == Niels Thykier writes:
control: tags -1 -moreinfo
(I hope this supplies the info you need; obviously retag if you have
more questions.)
Niels> Hi Sam,
Niels> Thanks for the bug report.
Niels> It sounds like you rather want krb5-kdc not to start
Dear Ian:
I wanted to make you aware of a status update.
The maintainer who has been doing most of the uploads on modemmanager
stepped down after receiving my query. First, I'd like to extend my
thanks to Michael for his hard work on modemmanager in the past and all
the things he continues to
I think that until the upstream release we could just increase the
length and get a fair distance.
Hi.
I like the approach of making krb5-config not dynamic, but I'd prefer
to discover the behavior of the compiler rather than to base our
interactions on its filename.
My plan is to use the following:
CC=${CC-cc}
tripple=`$CC -print-multiarch 2>/dev/null|| ( $CC -dumpmachine | sed 's/-pc//'
> "Adrian" == Adrian Bunk writes:
Adrian> On Tue, Jan 09, 2018 at 01:23:32PM +0100, Guillem Jover wrote:
>> ... Given the background of build-profiles, I'm very much in
>> favor of introducing the equivalent usage as Gentoo USE flags,
>> which was its main
>>>>> "Hugh" == Hugh McMaster <hugh.mcmas...@outlook.com> writes:
Hugh> Hi Sam, Apologies for the delay in replying. Somehow your
Hugh> message landed in my spam folder.
Hugh> On Friday, 5 January 2018 1:44 PM, Sam Hartman wrote:
>&g
> "Adrian" == Adrian Bunk writes:
Adrian> For many use flags the only benefit is an unused library
Adrian> less on the system when the flag is disabled, and this also
Adrian> applies to the proposed nosystemd profile discussed in this
Adrian> bug.
Agreed.
I am testing a fix.
My apologies for the sloppy change.
Thanks for your additional information.
I think we have a good understanding of how this bug happens in the
case where kdc.conf and krb5.conf have conflicting realm information or
where kdc.conf does not supply the realm that the KDC is actually
serving.
My recommendation is that we look into
Hi.
A while back krb5-config received a request to support /etc/krb5.conf.d
especially for custom realm configuration that requires more than just
DNS.
It looks like the Heimdal in unstable supports krb5.conf including a
config directory. How would you feel about turning this on in the
As a FYI, I did some experiments with kvm, and I do seem to have enough
entropy to get the KDC started there.
I have not played with Xen recently. It's a bit harder to set that up,
and I'm unsurprised that might be more tricky to get randomness with
than kvm.
My last query on this issue proposed a way forward: installing a
conffile.
I never received a reply.
If I have not received a reply by the next time I triage bugs, I'll
close this.
Hi.
Mostly for the slapd maintainer.
Currently krb5-kdc-ldap ships an OpenLDAP schema file for the Kerberos
schema.
I just noticed that we don't ship the ldif file for the newer format
slapd config and will be fixing that in my next upload.
Currently in order to take advantage of either, the
control: retitle -1 Database ends up in wrong location if krb5.conf an
kdc.conf differ
control: severity -1 normal
control: tags -1 -moreinfo
I reread the long bug log.
We were never able to reproduce the user's problem.
However, the closest we were able to get is that if krb5.conf and
>>>>> "Ryan" == Ryan Tandy writes:
Ryan> Hi Sam,
Ryan> On Mon, Jul 16, 2018 at 05:02:34PM -0400, Sam Hartman wrote:
>> Mostly for the slapd maintainer. Currently krb5-kdc-ldap ships
>> an OpenLDAP schema file for the Kerberos schema
>>>>> "Brian" == Brian May writes:
Brian> Sam Hartman writes:
>> A while back krb5-config received a request to support
>> /etc/krb5.conf.d especially for custom realm configuration that
>> requires more than just DNS.
&g
control: tags -1 help
Apologies for the long delay.
It looks like the problem here is in fact DNS.
It sounds like the k5start process cannot look up the IP of the KDC even
after the network comes back.
Other processes like dig function, but those processes are not making
periodic requests of
> "Ryan" == Ryan Tandy writes:
Ryan> I had not, actually. Assuming our default slapd configuration,
Ryan> adding a schema is just:
Ryan> ldapadd -H ldapi:// -Y EXTERNAL -f /path/to/schema.ldif
Ah, looking back at my notes, you're right. Adding the schema was easy.
The hard
I think we should add a recommends or suggests relationship. I'm
reluctant to add a hard dependency. There are two issues. The first is
that it pulls in code for people who don't need it; that's minor. The
second issue is that krb5-k5tls is GPL-incompatible at least as we build
it because it
this approach seems a bit strange.
Why would we want a package specific build profile rather than excluding
glib from a stage1 build of libverto.
Also, note that I'm about to update to a new version of libverto and
start building for libevent.
I wonder if for bootstrapping we want to pick one
So, in general, I think picking a single event backend should be fine.
Most applications work with all event backends; krb5 certainly does.
I'm fairly uncomfortable with the idea of using an extension package
namespace here though because it seems like you'll need to break this
cycle on every
control: tags -1 moreinfo
control: severity -1 normal
Hi. Your bug is a little short on details, and I was not able to
reproduce. I took a new sid chroot, added i386 as an architecture, and
installed libkrb5support0:i386 by
apt install libkrb5support0:i386
I ended up with krb5 1.16.1-1 and
Actually directly switching on vendor seems fairly bad.
However, to the extent that downstream changes can be encapsulated into
options/deltas that someone might want, I think it may often be
reasonable to carry the delta in Debian.
So imagine that Ubuntu and several other downstreams care more
> "Ian" == Ian Jackson writes:
Ian> * If the maintainer has no particular reason to diverge the
Ian> right answer is usually to fail the postinst with init systems
Ian> that do not provide service supervision; but to not fail the
Ian> postinst with ones that do. (I think
>>>>> "Wouter" == Wouter Verhelst writes:
Wouter> On Fri, Oct 05, 2018 at 08:40:03AM -0400, Sam Hartman wrote:
>> That said, even there there are tradeoffs. As an example, Ubuntu
>> tries to use unmodified Debian source packages wher
> "Simon" == Simon McVittie writes:
Simon> the error path is most important were packages that provide a
Simon> system-level API to other packages, so their failures are
Simon> likely to cause other packages to fail to configure (such as
Simon> local DNS caches and
> "Wouter" == Wouter Verhelst writes:
Wouter> But in the general case, I feel that downstream packaging
Wouter> changes belong downstream, not in Debian; therefore it is
Wouter> best to recommend that, in the general case, packages in
Wouter> Debian do not switch on
> "Adrian" == Adrian Bunk writes:
latest upgrade of libkrb5-3 (1.16.1-1 -> 1.16.2-1)
>> automount starts but dies immediately after accessing a
>> automounter point.
>>
>> Automount is configured to authenticate via GSSAPI using system
>> keytab. After the GSSAPI
I'd value the autofs configuration much more than the directory setup
instructions.
I have no desire to go install centos7 to debug a Debian bug:-) and have
some familiarity with setting up LDAP.
What I don't have is familiarity configuring autofs.
package: emacspeak
severity: important
tags: patch
version: 47.0+dfsg-6
Hi. several of the key eterm commands don't speak.
I'm opening a bug that I already have a patch for; expect a merge
request shortly.
, because that is an arch
+all package with no ABI dependencies. We don't want shared library
+dependencies on an arch all package because it breaks the ability to
+do binary NMUs for library transitions, Closes: #877469
+
+ -- Sam Hartman Tue, 11 Dec 2018 08:50:44 -0500
+
node
>>>>> "Sebastian" == Sebastian Andrzej Siewior writes:
Sebastian> On 2018-12-11 18:26:24 [-0500], Sam Hartman wrote:
>> Fixing moonshot-gss-eap and getting a new moonshot-ui is next up
>> for me for Debian weekend tasks.
Sebastian> This
Fixing moonshot-gss-eap and getting a new moonshot-ui is next up for me
for Debian weekend tasks.
package: minissdpd
version: 1.5.20180223-3
Hi. Minissdpd got pulled in on an upgrade from stretch to buster by
something--I haven't bothered to check why. I have my debconf priority
set to medium and I got asked whether I wanted to start minissdpd
automatically.
That's fine: I asked for more
Don't wait for me on shibboleth-resolver or moonshot-gss-eap to file the
removal requests.
They are both basically broken in unstable, so there's no reason to
block.
Built fine I have not yet tested against moonshot
On December 3, 2018 8:52:10 AM EST, "Cantor, Scott" wrote:
>On 12/1/18, 4:48 AM, "Pkg-shibboleth-devel on behalf of wf...@niif.hu"
>on behalf of wf...@niif.hu> wrote:
>
>> Please let me know if you need any help; for example I can see that
>>
package: csound
version: 1:6.12.2~dfsg-1
severity: important
justification: Regression over stretch with insidious and
hard-to-diagnose consequences
I noticed that my orchestras were failing on several sound files after
upgrading to buster, and tracked it down to some cases of filenames
being
package: csound
version: 1:6.12.2~dfsg-1
I was experiencing strange failures with orchestras with csound 6.12 and
eventually I've tracked it down to the zir opcode to read a value from
zk-space at i-time.
It's fairly basic: the zir.csd from the csound examples fails to print
out anything in the
Hi.
I am not sure how I managed to produce the binary package for amd64. I
*thought* that I used sbuild in a clean sid chroot to do so, but it's
quite clear from trying to reproduce that that I failed. I'm somewhat
baffled because my work flow makes it hard for something not coming out
of
I'm working on porting moonshot-ui from gnome-keyring to libsecret.
It's somewhat involved because upstream needs to support both
interfaces--they have a long tail of operating systems they need to work
on. Also, the existing code could use some refactoring to be cleaner.
I'm probably 70% of
So what's happening here is that a k5_mutex_lock is getting an invalid
argument error calling a series of wrappers that basically all boil
down to pthread_mutex_lock.
So, basically somehow pthread_mutex_lock is getting passed a bad mutex.
This appears to be happening in the credentials cache
package: freeradius
tags: security
version: 3.0.17+dfsg-1
severity: important
justification: Inappropriately broad default authorization
The debian freeradius package changes the default eap configuration to
use the default list of Debian certification authorities as the default
CAs for verifying
package: freeradius
severity: important
version: 3.0.17+dfsg-1
justification: regression that totally breaks connectivity
tags: upstream
I've cc'd Kurt because he requested openssl 1.3 test results a while
back.
While writing automated tests for moonshot-gss-eap, I discovered that
by default
control: forwarded -1
https://github.com/FreeRADIUS/freeradius-server/issues/2385
I'll try to get a patch for this if we don't hear something interesting
from upstream soon.
I think I'm in a better position than most in Debian to write such a
patch.
However I'm fairly busy.
control: tags -1 help
> "Michael" == Michael Stapelberg writes:
Michael>Can you send a patch please? Its been like
Michael> that since before I touched the package.
My suspicion is that it's removing parts of a patch. In fact, it looks
like most of what's needed is to remove
index 84a4831..72a6859 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+csound (1:6.12.2~dfsg-3.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix diskgrain, syncgrain and syncloop when sample rate of sample
+differs from orchestra, Closes: #924260
+
+ -- Sam
Package: dgit
Version: 8.3
Severity: important
Dear Maintainer,
Someone wrote in a forum that I can't quote here something along the
lines of it should be a bug for any Debian package to accept a
short-form GPG keyid. I agree.
Dgit still accepts short-form keyids (and it doesn't look like
I apologize for dropping the ball on this so long.
It looks like there is a 0.3.0 release of verto, which was folded into
krb5.
However, It looks like there's not an upstream tarball on github for
anything past 0.2.6.
Because I dropped the ball so much I'm under tight time pressure to get
an
Sigh.
I'm just confused.
Got the 0.3.0 tar ball fine.
>>>>> "Robbie" == Robbie Harwood writes:
Robbie> Sam Hartman writes:
>> I apologize for dropping the ball on this so long. It looks like
>> there is a 0.3.0 release of verto, which was folded into krb5.
>> However, It looks
I don't know about official policy, but I think you could make your bug
not RC by detecting whether the current system can support the package
in some reasonable wail and failing more gracefully than with SIGILL.
It's not a requirement that all packages work on all systems.
Open-vm-tools doesn't
Status is that I didn't find the time to get moonshot-trust-router dealt
with before buster and so I had deprioritized it.
There is in fact a new upstream, and it does fix the issue.
Blocking on moonshot-trust-router is silly: no one wants the version in
unstable anyway.
Is it possible to remove
package: csound
severity: important
justification: Stretch regression with no work around without code
changes
version: 1:6.12.2~dfsg-3
tags: patch, fixed-upstream, upstream
Hi. In https://github.com/csound/csound/issues/1119
I reported an issue.
In stretch, if you want to deal with a file that
(1:6.12.2~dfsg-3.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix diskgrain, syncgrain and syncloop when sample rate of sample
+differs from orchestra, Closes: 924260
+
+ -- Sam Hartman Thu, 21 Mar 2019 10:31:29 -0400
+
csound (1:6.12.2~dfsg-3) unstable; urgency=medium
> "Alex" == Alex Bennée writes:
Alex> Hi,
Alex> The following bug has come up and we would like some input
Alex> from the multiarch and cross developers on how best to handle
Alex> this case.
Alex> In an ideal world all cross compilers would be available on
Alex>
I don't know.
As I said in my mail I'm not even sure there's a problem here.
Let me give a bit of background here.
Ian and I had what I thought was a really exciting call about git and
source packages and stuff.
It sounded like Ian hopes we'll some day get rid of patches-unapplied
data models
control: severity -1 serious
justification: libvirtd upgrades from stretch to buster break causing
apt to fail and requiring the admin to get the systemd units into a
consistent state before things can continue
Unfortunately based on discussion so far this is a complex bug to fix.
Ubuntu's
Guido let me know if you need any help or prod me on IRC if I'm needed.
Will certainly test the result, but if you get stuck would be happy to
spend time on this.
>>>>> "Guido" == Guido Günther writes:
Guido> Hi,
Guido> On Mon, Apr 15, 2019 at 02:38:27PM -0400, Sam Hartman wrote:
>> control: severity -1 serious
>>
>> justification: libvirtd upgrades from stretch to buster break
>
801 - 900 of 1322 matches
Mail list logo