Bug#1036171: debian-installer: /etc/apt/sources.list isn't populated if mirror can't be reached during installation

2023-05-16 Thread Andrew Savchenko
Package: debian-installer
Version: 20230515
Severity: important
X-Debbugs-Cc: and...@lists.savchenko.net


# PROBLEM DESCRIPTION

User is unable to perform `apt update` right after installation.


# STEPS TO REPRODUCE

1. Start Bookworm installation and connect to a network where device is
issued non-routed IP by the DHCP server.

2. Installer will get stuck trying to fetch up-to-date packages from the
mirror.

3. Press "Cancel" and proceed with the installation as usual.

Upon boot you will find that /etc/apt/sources.list contains only the
following line:

```
deb cdrom:[Debian GNU/Linux bookworm-DI-rc2 _Bookworm_ - Official RC amd64 DVD Binary-1 with firmware 20230428-12:34]/ bookworm main non-free-firmware
```


# EXPECTED BEHAVIOUR

sources.list contains the default remote mirror:

```
deb https://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
```


-- System Information:
Debian Release: 12.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-7-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#981375: ITP: vivid -- `vivid` is a generator for the LS_COLORS environment variable.

2022-12-10 Thread Andrew Savchenko

Hello Nilson,


I have the package ready to send to the Rust team.
Are you still interested in him? Do you mind if I keep it?


Please go ahead. Fingers crossed it will be accepted in Bookworm.


--
With regards,
A



Bug#993264: gita: [security] Version in stable is using unsafe YAML loader

2021-08-29 Thread Andrew Savchenko
Package: gita
Severity: important
X-Debbugs-Cc: and...@lists.savchenko.net

Dear Maintainer,

Currently packaged version of `gita` uses unsafe `yaml.FullLoader`.

This is fixed upstream:
https://github.com/nosarthur/gita/compare/v0.12.9...v0.13.6#diff-b1d7ea073af79fb37be4b16f769ba60acb68546d0661f89c1d13b1975b5ba3aeL60-R61

Please consider either upgrading to any version >= v0.13.XX or patching
the code in Debian with `Loader=yaml.SafeLoader` / `yaml.safe_load()`


-- 
With regards,
A


-- System Information:
Debian Release: 11.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gita depends on:
ii  git   1:2.30.2-1
ii  python3   3.9.2-3
ii  python3-yaml  5.3.1-5

gita recommends no packages.

gita suggests no packages.
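
Added example (not part of the original report and not gita's own code), showing the difference the requested change makes: `yaml.FullLoader` turns Python-specific tags into Python objects, while `yaml.safe_load()` rejects them, and a parse-only scan can flag such tags in existing files before the loader is switched. It assumes PyYAML is installed; the sample documents and function names are constructed for illustration, and the benign `!!python/tuple` tag stands in for any Python-specific tag.

```python
import yaml

# Every Python-specific YAML tag expands to this prefix.
PYTHON_TAG_PREFIX = "tag:yaml.org,2002:python/"

# Constructed sample documents (not gita's real configuration files).
PLAIN_CONFIG = """\
repo-a: /home/user/src/repo-a
repo-b: /home/user/src/repo-b
"""

TAGGED_CONFIG = """\
repo-a: /home/user/src/repo-a
extras: !!python/tuple [one, two]
"""


def python_tags(text):
    """List (tag, line) for Python-specific tags, without constructing any object.

    yaml.parse() only produces parser events, so it is safe to run on
    untrusted input when auditing files ahead of a loader change.
    """
    found = []
    for event in yaml.parse(text):
        tag = getattr(event, "tag", None)
        if tag and tag.startswith(PYTHON_TAG_PREFIX):
            found.append((tag, event.start_mark.line + 1))
    return found


def load_with_full_loader(text):
    """The 'before' form: FullLoader resolves python/* tags into Python objects."""
    return yaml.load(text, Loader=yaml.FullLoader)


def load_safely(text):
    """The 'after' form: standard YAML types only; any other tag is an error."""
    try:
        data = yaml.safe_load(text)
    except yaml.constructor.ConstructorError as exc:
        raise ValueError(f"rejected non-standard YAML tag: {exc.problem}") from exc
    if not isinstance(data, dict):
        raise ValueError("expected a mapping at the top level")
    return data


if __name__ == "__main__":
    print("tags in plain config: ", python_tags(PLAIN_CONFIG))
    print("tags in tagged config:", python_tags(TAGGED_CONFIG))
    print("FullLoader result:    ", load_with_full_loader(TAGGED_CONFIG))
    try:
        load_safely(TAGGED_CONFIG)
    except ValueError as err:
        print("safe_load result:     ", err)
```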



Bug#992415: pinentry-tty: Segfault as host is entering S3/S0ix

2021-08-18 Thread Andrew Savchenko
Package: pinentry-tty
Version: 1.1.0-4
Severity: normal
X-Debbugs-Cc: and...@lists.savchenko.net

Dear Maintainer,

After issuing `systemctl suspend`, pinentry segfaults with the following
output in the dmesg:

```
kern  :info  : [Aug18 21:14] pinentry-tty[140518]: segfault at 0 ip 7f395bd5a217 sp 7ffe29e70310 error 4 in libc-2.31.so[7f395bd0b000+14b000]
kern  :info  : [  +0.11] Code: 89 23 85 c0 75 d4 e9 2b ff ff ff 0f 1f 84 00 00 00 00 00 e8 3b ad 00 00 e9 f9 fe ff ff e8 11 94 09 00 90 41 54 55 48 89 fd 53 <8b> 07 f6 c4 20 0f 85 ee 00 00 00 89 c2 81 e2 00 80 00 00 0f 84 ed
```

-- System Information:
Debian Release: 11.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages pinentry-tty depends on:
ii  libassuan0 2.5.3-7.1
ii  libc6  2.31-13
ii  libgpg-error0  1.38-2

pinentry-tty recommends no packages.

Versions of packages pinentry-tty suggests:
pn  pinentry-doc  

-- debconf-show failed



Bug#991539: iwd: Segfaults on AX210 unless start is delayed

2021-07-26 Thread Andrew Savchenko
Package: iwd
Version: 1.14-3
Severity: normal
X-Debbugs-Cc: and...@lists.savchenko.net

Dear Maintainer,

iwd throws warning in the kernel ring buffer unless its start is delayed
with `ExecStartPre=ip link set wlan0 up` in `iwd.service` unit.

With the line above the warning is gone, however iwd can't be
stopped/started after the boot. `systemctl restart` works though.

Trace below:

kern  :warn  : [  +0.008344] [ cut here ]
kern  :warn  : [  +0.27] WARNING: CPU: 5 PID: 1384 at 
net/wireless/nl80211.c:7579 nl80211_get_reg_do+0x1f6/0x230 [cfg80211]
kern  :warn  : [  +0.04] CPU: 5 PID: 1384 Comm: iwd Not tainted 
5.10.0-8-amd64 #1 Debian 5.10.46-2
kern  :warn  : [  +0.01] Hardware name: LENOVO 20W0CTO1WW/20W0CTO1WW, BIOS 
N34ET40W (1.40 ) 06/25/2021
kern  :warn  : [  +0.09] RIP: 0010:nl80211_get_reg_do+0x1f6/0x230 [cfg80211]
kern  :warn  : [  +0.02] Code: 24 0c 01 00 00 00 e8 d9 b4 45 fb 85 c0 0f 84 
fc fe ff ff eb a6 48 89 ef 48 89 04 24 e8 73 10 67 fb 48 8b 04 24 e9 43 ff ff 
ff <0f> 0b 48 89 ef e8 60 10 67 fb b8 ea ff ff ff e9 2f ff ff ff b8 97
kern  :warn  : [  +0.00] Call Trace:
kern  :warn  : [  +0.05]  ? _cond_resched+0x16/0x40
kern  :warn  : [  +0.04]  genl_family_rcv_msg_doit+0xea/0x150
kern  :warn  : [  +0.02]  genl_rcv_msg+0xde/0x1d0
kern  :warn  : [  +0.18]  ? nl80211_vendor_cmd_dump+0x5d0/0x5d0 [cfg80211]
kern  :warn  : [  +0.14]  ? nl80211_send_regdom.constprop.0+0x1a0/0x1a0 
[cfg80211]
kern  :warn  : [  +0.01]  ? genl_get_cmd+0xd0/0xd0
kern  :warn  : [  +0.00]  netlink_rcv_skb+0x50/0xf0
kern  :warn  : [  +0.01]  genl_rcv+0x24/0x40
kern  :warn  : [  +0.01]  netlink_unicast+0x201/0x2c0
kern  :warn  : [  +0.01]  netlink_sendmsg+0x243/0x480
kern  :warn  : [  +0.02]  sock_sendmsg+0x5e/0x60
kern  :warn  : [  +0.01]  __sys_sendto+0xee/0x150
kern  :warn  : [  +0.02]  __x64_sys_sendto+0x25/0x30
kern  :warn  : [  

Bug#987360: swaylock: Occassional unlock without password entered

2021-05-20 Thread Andrew Savchenko

Pelle,

Would you be able to add a stack trace?
Here, or directly with the upstream:
https://github.com/swaywm/swaylock/issues/181

Thanks.



Bug#869799: nginx-common: broken service if ipv6 turned off

2021-05-04 Thread Andrew Savchenko
Package: nginx-light
Version: 1.18.0-6
Followup-For: Bug #869799
X-Debbugs-Cc: and...@lists.savchenko.net

This is still a problem in Bullseye. Any plan to remove ipv6
directive in the default config before Debian v11 is released?

To reproduce:
1. Boot with `ipv6.disable=1`
2. Attempt to install any of the nginx packages


Thank you.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-6-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nginx-light depends on:
ii  iproute2                5.10.0-4
ii  libc6   2.31-11
ii  libcrypt1   1:4.4.18-2
pn  libnginx-mod-http-echo  
ii  libpcre3                2:8.39-13
ii  libssl1.1   1.1.1k-1
pn  nginx-common
ii  zlib1g  1:1.2.11.dfsg-2

nginx-light recommends no packages.

Versions of packages nginx-light suggests:
pn  nginx-doc  



Bug#987758: yubioath-desktop: YubiKey with given serial not found

2021-04-28 Thread Andrew Savchenko

Can't be reproduced after the restart :-/
Please close the bug. I have tried to do it via BTS, but to no avail.

Thank you.



Bug#987758: yubioath-desktop: YubiKey with given serial not found

2021-04-28 Thread Andrew Savchenko
Package: yubioath-desktop
Version: 5.0.4+post1-1
Severity: important
X-Debbugs-Cc: and...@lists.savchenko.net

Dear Maintainer,

Vaguely reminds of #981804 [1]. Given that error explicitly says "with
given serial", enumeration is deriving said serial at a certain point,
but it is lost on its way to `connect_to_device()`.

Setting bug to "important" as it breaks core functionality of the
package. Debug log below:

```
Got library name:  
"/usr/lib/x86_64-linux-gnu/qt5/qml/io/thp/pyotherside/libpyothersideplugin.so"
2021-04-29T13:12:02+0930 INFO [ykman.logging_setup.setup:74] Initialized 
logging for level: DEBUG
2021-04-29T13:12:02+0930 INFO [ykman.logging_setup.setup:75] Running ykman 
version: 4.0.0a1
2021-04-29T13:12:02+0930 DEBUG [ykman.logging_setup.log_sys_info:46] Python: 
3.9.2 (default, Feb 28 2021, 17:03:44)
[GCC 10.2.1 20210110]
2021-04-29T13:12:02+0930 DEBUG [ykman.logging_setup.log_sys_info:47] Platform: 
linux
2021-04-29T13:12:02+0930 DEBUG [ykman.logging_setup.log_sys_info:54] Running as 
admin: True
2021-04-29T13:12:03+0930 DEBUG [fido2.hid.linux.list_descriptors:72] Found CTAP 
device: /dev/hidraw5
2021-04-29T13:12:03+0930 DEBUG [fido2.hid.linux.list_descriptors:72] Found CTAP 
device: /dev/hidraw1
2021-04-29T13:12:03+0930 DEBUG [yubikit.core.otp.send_and_receive:160] SEND: 
136b5b00
2021-04-29T13:12:03+0930 DEBUG [yubikit.core.otp.send_and_receive:164] RECV: 
0b
2021-04-29T13:12:03+0930 DEBUG [ykman.device.read_info:380] Read info: 
DeviceInfo(config=DeviceConfig(enabled_capabilities={: 
}, auto_eject_timeout=0, 
challenge_response_timeout=0, device_flags=), serial=111, 
version=Version(major=4, minor=3, patch=7), form_factor=, supported_capabilities={: 
}, is_locked=False)
2021-04-29T13:12:03+0930 DEBUG [yubikit.core.otp.send_and_receive:160] SEND: 
136b5b00
2021-04-29T13:12:03+0930 DEBUG [yubikit.core.otp.send_and_receive:164] RECV: 
0f
2021-04-29T13:12:03+0930 DEBUG [ykman.device.read_info:380] Read info: 
DeviceInfo(config=DeviceConfig(enabled_capabilities={: 
}, auto_eject_timeout=0, 
challenge_response_timeout=0, device_flags=), serial=222, 
version=Version(major=4, minor=3, patch=4), form_factor=, supported_capabilities={: 
}, is_locked=False)
2021-04-29T13:12:03+0930 DEBUG [fido2.hid.linux.list_descriptors:72] Found CTAP 
device: /dev/hidraw5
2021-04-29T13:12:03+0930 DEBUG [fido2.hid.linux.list_descriptors:72] Found CTAP 
device: /dev/hidraw1
2021-04-29T13:12:03+0930 ERROR [yubikey.wrapped:152] Uncaught exception
Traceback (most recent call last):
  File "qrc:///py/yubikey.py", line 135, in wrapped
return f(*args, **kwargs)
  File "qrc:///py/yubikey.py", line 350, in refresh_devices
self._devices = self._get_devices(otp_mode)
  File "qrc:///py/yubikey.py", line 277, in _get_devices
with connect_to_device(info.serial, [SmartCardConnection])[
  File "/usr/lib/python3/dist-packages/ykman/device.py", line 182, in 
connect_to_device
raise ValueError("YubiKey with given serial not found")
ValueError: YubiKey with given serial not found
qml: refreshing devices failed: YubiKey with given serial not found
```

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-6-amd64 (SMP w/12 CPU threads)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages yubioath-desktop depends on:
ii  libc6  2.31-11
ii  libgcc-s1  10.2.1-6
ii  libqt5core5a   5.15.2+dfsg-5
ii  libqt5gui5 5.15.2+dfsg-5
ii  libqt5qml5 5.15.2+dfsg-5
ii  libqt5quick5   5.15.2+dfsg-5
ii  libqt5quickcontrols2-5 5.15.2+dfsg-2
ii  libqt5widgets5 5.15.2+dfsg-5
ii  libstdc++6 10.2.1-6
ii  pcscd  1.9.1-1
ii  python3-yubikey-manager        4.0.0~a1-4
ii  qml-module-io-thp-pyotherside  1.5.9-2+b3
ii  qml-module-qt-labs-platform    5.15.2+dfsg-2
ii  qml-module-qt-labs-settings    5.15.2+dfsg-5
ii  qml-module-qtquick-controls    5.15.2-2
ii  qml-module-qtquick-controls2   5.15.2+dfsg-2
ii  qml-module-qtquick-dialogs 5.15.2-2

yubioath-desktop recommends no packages.

yubioath-desktop suggests no packages.

-- debconf-show failed



Bug#925134: grub-efi-amd64-signed: doesn't mount cryptodisk

2021-04-08 Thread Andrew Savchenko
For what it's worth, I am unable to reproduce it on the latest weekly build of 
Bullseye. Paolo, are you OK for this bug to be closed?


-- 
Regards,
A



Bug#986354: Re[2]: Bug#986354: hardening-runtime breaks upowerd which affects default installation

2021-04-04 Thread Andrew Savchenko
Hello Yves-Alexis,

Sunday, April 4, 2021, 6:09:22 PM, you wrote:

> Hi, could you detail which permissions and from where? I'm aware of the issue
> with user namespaces but not from the permissions.

Indeed, user namespaces were to blame.

> There's already a small warning in the package long description, do you have
> something specific in mind? Could you propose a wording?

```
WARNING!

This package sets restrictive permissions on a number of directories.

While this is beneficial to the system security, it might lead to a situation
where an application is unable to access a certain path.

Please use `reportbug` should you encounter any.
``` 


-- 
Regards,
A



Bug#986358: Re[2]: Bug#986358: hardening-runtime: Restrictions on /etc/pam.d/ break X screensavers

2021-04-04 Thread Andrew Savchenko
Hello Yves-Alexis,

Sunday, April 4, 2021, 7:35:46 PM, you wrote:

> statoverride in hardening-runtime were added by Topi Miettinen so I'm adding
> him in the loop for comments.

For the screensavers specifically, I have narrowed it down to /etc/pam.d only.
chmod'ing it to the default 0755 fixes the issue.

There might be more dragons though as this is somewhat similar to openSUSE:
https://github.com/openSUSE/permissions/blob/master/profiles/permissions.paranoid


-- 
Regards,
A



Bug#986358: hardening-runtime: Restrictions on /etc/pam.d/ break X screensavers

2021-04-04 Thread Andrew Savchenko
Package: hardening-runtime
Version: 2
Severity: important
X-Debbugs-Cc: and...@savchenko.net

Dear Maintainer,

Restricting permissions on /etc/pam.d to 0700 while the folder is owned
by `root:root` leads to xscreensaver, mate-screensaver and others being
unable to authenticate a user.

Perhaps worth adding a warning or making this optional?


Thank you.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-5-amd64 (SMP w/12 CPU threads)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#986354: hardening-runtime breaks upowerd which affects default installation

2021-04-04 Thread Andrew Savchenko
Package: hardening-runtime
Version: 2
Severity: important
X-Debbugs-Cc: and...@lists.savchenko.net

Dear Maintainer,

Installing this package leads to dpkg-overrides setting permissions in a
way that upowerd is unable to start under a non-root account.

This breaks default installation where DE is using UPower service: Gnome,
Mate and potentially some others.

Please consider adding a conditional or a warning prior to installation.
Tested on fully-updated Bullseye.


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-5-amd64 (SMP w/12 CPU threads)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#983654: ansible: Unblock Ansible migration in Testing (2.9.16 --> 2.10.7)

2021-02-27 Thread Andrew Savchenko
Package: ansible
Version: 2.9.16+dfsg-1.1
Severity: wishlist
X-Debbugs-Cc: and...@lists.savchenko.net, hlieber...@debian.org

Dear Maintainers,

Migration from 2.9.X to 2.10.X is currently blocked by
`ansible-mitogen`. Upstream of the latter hasn't produced any official
releases since November 2019. While there are two RC versions
contributed by the community members [1], none are marked as official
and Issue Tracker still sees a fair amount of bugs [2] submitted against
those.

I propose to unblock migration manually and allow 2.10.X in Bullseye as
2.9.X has EOL in December this year [3].


[1] https://github.com/mitogen-hq/mitogen/releases
[2] https://github.com/mitogen-hq/mitogen/issues
[3] https://access.redhat.com/support/policy/updates/ansible-engine


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-3-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ansible depends on:
ii  openssh-client1:8.4p1-4
ii  python3   3.9.1-1
ii  python3-cryptography  3.3.2-1
ii  python3-distutils 3.9.1-2
ii  python3-dnspython 2.0.0-1
ii  python3-httplib2  0.18.1-3
ii  python3-jinja2        2.11.2-1
ii  python3-netaddr   0.7.19-4
ii  python3-paramiko  2.7.2-1
ii  python3-yaml  5.3.1-3+b1

Versions of packages ansible recommends:
ii  python3-argcomplete  1.8.1-1.4
ii  python3-jmespath 0.10.0-1
ii  python3-kerberos 1.1.14-3.1+b3
ii  python3-libcloud 3.2.0-2
ii  python3-selinux  3.1-3
ii  python3-winrm        0.3.0-2
ii  python3-xmltodict    0.12.0-2

Versions of packages ansible suggests:
pn  cowsay   
pn  sshpass  

-- no debconf information



Bug#983500: syncthing: Version packaged in testing is outdated, consider synchronising with upstream

2021-02-24 Thread Andrew Savchenko
Package: syncthing
Version: 1.12.1~ds1-2
Severity: wishlist
Tags: upstream
X-Debbugs-Cc: and...@lists.savchenko.net

Dear Maintainers,

In Testing, currently packaged version is 1.12.1 while stable upstream
is at 1.13.1 with 1.14.0 scheduled for 2nd of March (5 days from now).

Versions 1.13 and 1.14 offer substantial amount of improvements, too
many to list them all. I have picked only some notable ones:

- #7165: Connections aren't actually closed when closing a protocol connection
- #7005: panic: nil pointer dereference because (*db.Lowlevel)getMetaAndCheck() returns nil
- #7076: File not detected due to watching reporting events on old, deleted path
- #7231: panic: deadlock detected at fmut
- #5426: Old device removed from introducer isn't removable from other devices
- #7267: GUI log tailing is broken if closed when scrolled up
- #7280: Stopped folder not synchronizing after a rescan
- #7273: Data requests block adding new folder
- #7268: Data requests block each other, and some API requests, due to casefs lock contention
- #4224: Editable default values for folders, devices 
- #5187: Remove pending folders if remote device no longer announces them
- #7270: Data requests block API requests that also touch the filesystem

Most importantly, v1.14 introduces the concept of an "Untrusted device", where
several clients can exchange data while the sync-server in the middle has no
visibility into cleartext. It also obfuscates directory structure and
file names.

More details here: 
https://docs.syncthing.net/branch/untrusted/html/users/untrusted.html

Would it be possible to have v1.14.0 packaged in Bullseye?


Thank you.


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-3-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages syncthing depends on:
ii  libc6  2.31-9

syncthing recommends no packages.

syncthing suggests no packages.

-- no debconf information



Bug#982157: python3-yubikey-manager: Upgrade to 4.0.0~a1-1 breaks yubioath-desktop

2021-02-06 Thread Andrew Savchenko
Package: python3-yubikey-manager
Version: 4.0.0~a1-1
Severity: important
X-Debbugs-Cc: and...@lists.savchenko.net

Dear Maintainer,

I have updated a Bullseye installation yesterday and among others
`python3-yubikey-manager` was upgraded from 3.1.1-3 to 4.0.0~a1-1.

This renders `yubioath-desktop` 5.0.4-2 unusable as it fails to see any
of the Yubikeys connected to the system.

I have tried downgrading manually, but to no avail:
```
apt install python3-yubikey-manager=3.1.1-3
E: Version '3.1.1-3' for 'python3-yubikey-manager' was not found
```
Attaching the error log from `yubioath-desktop`.


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-3-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3-yubikey-manager depends on:
ii  python3-ykman  4.0.0~a1-1

python3-yubikey-manager recommends no packages.

python3-yubikey-manager suggests no packages.

-- no debconf information
Got library name:  
"/usr/lib/x86_64-linux-gnu/qt5/qml/io/thp/pyotherside/libpyothersideplugin.so"
"PyOtherSide error: Traceback (most recent call last):\n\n  File 
\"qrc:///py/yubikey.py\", line 12, in \nfrom ykman.descriptor 
import (\n\nModuleNotFoundError: No module named 'ykman.descriptor'\n"
Unhandled PyOtherSide error: Cannot import module: yubikey (Traceback (most 
recent call last):

  File "qrc:///py/yubikey.py", line 12, in 
from ykman.descriptor import (

ModuleNotFoundError: No module named 'ykman.descriptor'
)

Bug#981375: ITP: vivid -- `vivid` is a generator for the LS_COLORS environment variable.

2021-01-30 Thread Andrew Savchenko
Package: wnpp
Severity: wishlist
Owner: Andrew Savchenko 
X-Debbugs-Cc: debian-de...@lists.debian.org, and...@savchenko.net

* Package name: vivid
  Version : 0.6.0
  Upstream Author : David Peter 
* URL : https://github.com/sharkdp/vivid
* License : MIT
  Programming Lang: Rust
  Description : `vivid` is a generator for the LS_COLORS environment 
variable.

Vivid generates LS_COLORS from human-readable XML file.
It supports styling per file extension, type or both.

It compiles and works as expected on Bullseye (rustc 1.48.0).
I offer to maintain it unless there is someone who would like to take over.

Author has agreed for it to be included in Debian: 
https://github.com/sharkdp/vivid/issues/55



Bug#977696: pulseaudio: Pulseaudio 13.0.5 fails on Bullseye (permissions, cookie)

2020-12-18 Thread Andrew Savchenko
Package: pulseaudio
Version: 13.0-5
Severity: normal
X-Debbugs-Cc: and...@lists.savchenko.net

Dear Maintainer,

1. What led up to the situation?

   `apt install pulseaudio` over the minimal installation of Bullseye
   alpha 3.

2. What exactly did you do (or not do) that was effective (or ineffective)?

   Updated all packages, no changes to the pulseaudio config.
   `*-firmware-*` packages are installed, including "non-free" ones.

3. What was the outcome of this action?

   `pactl` and others are unable to communicate with Pulseaudio.
   Please refer to the https://paste.debian.net/1177551/

4. What outcome did you expect instead?

   Pulseaudio works out of the box.
   

-- Package-specific info:
File '/etc/default/pulseaudio' does not exist


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.9.0-4-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages pulseaudio depends on:
ii  adduser  3.118
ii  init-system-helpers  1.59
ii  libasound2   1.2.4-1
ii  libasound2-plugins   1.2.2-2
ii  libc6                        2.31-5
ii  libcap2  1:2.44-1
ii  libdbus-1-3  1.12.20-1
ii  libgcc-s1                    10.2.1-1
ii  libice6  2:1.0.10-1
ii  libltdl7 2.4.6-14
ii  liborc-0.4-0 1:0.4.32-1
ii  libpulse0                    13.0-5
ii  libsm6   2:1.2.3-1
ii  libsndfile1  1.0.28-8
ii  libsoxr0 0.1.3-4
ii  libspeexdsp1 1.2~rc1.2-1.1
ii  libstdc++6   10.2.1-1
ii  libsystemd0  247.1-3
ii  libtdb1  1.4.3-1+b1
ii  libudev1 247.1-3
ii  libwebrtc-audio-processing1  0.3-1+b1
ii  libx11-6 2:1.6.12-1
ii  libx11-xcb1  2:1.6.12-1
ii  libxcb1  1.14-2
ii  libxtst6 2:1.2.3-1
ii  lsb-base 11.1.0
ii  pulseaudio-utils 13.0-5

Versions of packages pulseaudio recommends:
ii  dbus-user-session        1.12.20-1
ii  libpam-systemd [logind]  247.1-3
ii  rtkit                    0.13-4

Versions of packages pulseaudio suggests:
pn  paman
pn  paprefs  
pn  pavucontrol  
pn  pavumeter
ii  udev 247.1-3

-- no debconf information
# This file is part of PulseAudio.
#
# PulseAudio is free software; you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# PulseAudio is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with PulseAudio; if not, see .

## Configuration file for PulseAudio clients. See pulse-client.conf(5) for
## more information. Default values are commented out.  Use either ; or # for
## commenting.

; default-sink =
; default-source =
; default-server =
; default-dbus-server =

; autospawn = yes
; daemon-binary = /usr/bin/pulseaudio
; extra-arguments = --log-target=syslog

; cookie-file =

; enable-shm = yes
; shm-size-bytes = 0 # setting this 0 will use the system-default, usually 64 MiB

; auto-connect-localhost = no
; auto-connect-display = no

## Configuration file for the PulseAudio daemon. See pulse-daemon.conf(5) for
## more information. Default values are commented out.  Use either ; or # for
## commenting.

; daemonize = no
; fail = yes
; allow-module-loading = yes
; allow-exit = yes
; use-pid-file = yes
; system-instance = no
; local-server-type = user
; enable-shm = yes
; enable-memfd = yes
; shm-size-bytes = 0 # setting this 0 will use the system-default, usually 64 MiB
; lock-memory 

Bug#972186: systemd-analyze

2020-10-13 Thread Andrew Savchenko
Package: systemd
Version: 241-7~deb10u4
Tags: security, buster, bullseye
Severity: wishlist


Dear Maintainers,

Among others, /usr/bin/systemd-analyze can be called with "security" parameter 
which shows sandboxing settings of the loaded units on the scale from 0 to 10.

On Debian v10.6 vast majority of the services are reported as "unsafe" with 
exposure score >9. This includes sshd, unattended-upgrades and others.

Is there a plan to improve situation for Bullseye? I think maintainers of
Whonix project, which is based on Debian, are using it for some services they 
ship in addition to base (sdwdate, onion-grater, etc).

References:
[1] https://forums.whonix.org/t/systemd-analyze-security/10395
[2] https://www.ctrl.blog/entry/systemd-opensmtpd-hardening.html
[3] https://forums.whonix.org/t/system-wide-sandboxing-framework-sandbox-app-launcher/9008


-- 
With regards,
A



Bug#961076: NXNS Attack (CVE-2020-12667)

2020-10-13 Thread Andrew Savchenko
Dear Maintainers,

Is there still a plan to backport a fix for CVE-2020-12667 into Buster?

Looking at the changelog [1], there is nothing that indicates it is already 
fixed.

[1] https://metadata.ftp-master.debian.org/changelogs//main/k/knot-resolver/knot-resolver_3.2.1-3_changelog


-- 
With regards,
A



Bug#712451: [pkg-apparmor] Bug#712451: Please support AppArmor network rules

2020-10-01 Thread Andrew Savchenko
Greetings,

As AppArmor v3.0 is now released[1], is there a chance that network, dbus and
sockets will be supported in Bullseye?

[1] https://lists.ubuntu.com/archives/apparmor/2020-October/012183.html


-- 
Regards,
A



Bug#927689: pandoc: Package newer version available upstream

2019-04-21 Thread Andrew Savchenko
Package: pandoc
Version: 2.7.2-1
Severity: wishlist

Dear Maintainer,

<- What led up to the situation?
-> Unavailability of the newer Pandoc version in Debian repository

<- What exactly did you do (or not do) that was effective (or ineffective)?
-> Searched stable and backports for the newer (2.7.X) version

<- What was the outcome of this action?
-> No suitable version found

<- What outcome did you expect instead?
-> Find newer version(s) readily available at upstream

-- System Information:
Debian Release: 9.8
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)