Package: aapt
Version: 1:10.0.0+r36-10
Severity: important
Dear Maintainer,
When adb/fastboot is installed from bookworm-backports, those pull in
android-libziparchive 1:33.0.3-2~bpo12+1, which does not have the symbols that
bookworm's aapt needs to run:
$ aapt
aapt: symbol lookup error:
control: fixed 1036559 3.4.0~a1-7
Package: wnpp
Severity: normal
X-Debbugs-Cc: google-android-m2repository-instal...@packages.debian.org
Control: affects -1 + src:google-android-m2repository-installer
I intend to orphan the google-android-m2repository-installer package.
None of the current maintainers have an interest in it,
Package: apktool
Version: 2.7.0+dfsg-7
Control: tags -1 help newcomer
Upstream changed the Gradle setup to use Kotlin files (e.g. build.gradle.kts)
rather than the Groovy files (e.g. build.gradle). I spoke with upstream about
the changes to the buildsystem, they said that it was about
For the record, the module was included starting in 6.6.9-1:
$ grep -i CS35L41 /boot/config-6.6.9-amd64
CONFIG_SND_HDA_SCODEC_CS35L41=m
CONFIG_SND_HDA_SCODEC_CS35L41_I2C=m
CONFIG_SND_HDA_SCODEC_CS35L41_SPI=m
CONFIG_SND_SOC_CS35L41_LIB=m
CONFIG_SND_SOC_CS35L41=m
CONFIG_SND_SOC_CS35L41_SPI=m
Control: fixed 1036968 6.6.9-1
Control: fixed 1036968 6.6.11-1
With 6.6.11-1, the headphone jack insert detection is now working when running
on bookworm.
(2.7.0+dfsg-6+deb12u1) bookworm; urgency=medium
+
+ * Team upload.
+ * CVE-2024-21633: Prevent arbitrary file writes with malicious resource
+names. (Closes: #1060013)
+
+ -- Hans-Christoph Steiner Wed, 10 Jan 2024 20:08:30 +0100
+
apktool (2.7.0+dfsg-6) unstable; urgency=medium
* only test
Control: fixed -1 2.7.0+dfsg-7
Control: tags -1 fixed fixed-upstream security pending
This has been updated with key help from upstream:
https://github.com/iBotPeaches/Apktool/commit/087f89ebc0dd87e74c8945f074f25b51b195cb83
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,24 @@
+python-git (3.1.30-1+deb12u2) stable; urgency=high
+
+ * Team upload.
+ * Fix CVE-2023-41040: Blind local file inclusion.
+
+ -- Hans-Christoph Steiner Fri, 29 Sep 2023 20:43:31 +0200
+
+python-git (3.1.30-1+deb12u1) stable; urgency=medium
@@ -1,3 +1,17 @@
+python-git (3.1.30-1+deb12u1) stable; urgency=medium
+
+ [ Hans-Christoph Steiner ]
+ * Team upload.
+ * CVE-2023-40267: Include patch from Ubuntu (Closes: #1043503)
+
+ [ Fabian Toepfer ]
+ * SECURITY UPDATE: RCE due to improper user input validation
+- debian/patches/CVE-2023
I'm putting together 3.1.14-1+deb11u1 now for bullseye.
Looks like it is fixed in Ubuntu:
https://changelogs.ubuntu.com/changelogs/pool/universe/p/python-git/python-git_3.1.30-1ubuntu0.23.04.1/changelog
I uploaded the latest upstream version to unstable to fix it there and in
trixie. beuc uploaded 2.1.11-1+deb10u1 to buster LTS to fix it in buster. That
leaves bullseye and bookworm. Anyone have any time or plans to handle those?
I tried a quick cherry-pick test on the bullseye and
The b7afd8a4ecaca commit is now included in the upstream tag V_9_4_P1 from three
weeks ago. Is there a timeline for that being uploaded to sid? This is a
blocker for OpenSSL work (TLS Encrypted ClientHello integration with OpenSSL and
Debian).
The sound works with Ubuntu 22.04. This laptop family (Dell XPS) is listed as
supported by Ubuntu on their site. It is the same hardware as the Dell XPS 13 Plus:
https://ubuntu.com/certified/202112-29802
The Ubuntu/jammy 22.04 kernel includes this same list of modules as listed in
Package: src:linux
Version: 6.3.2-1~exp1
Severity: important
Dear Maintainer,
I installed Debian on a Dell XPS 17 9720:
https://wiki.debian.org/InstallingDebianOn/Dell/XPS%2017%209720
The audio output works, but there are a number of problems:
* Headphone plug detection does not work at
control: found 1036559 3.4.0~a1-6
Package: androguard
Version: 3.4.0~a1-1
Severity: important
Dear Maintainer,
androguard fails to parse some valid APKs, failing with:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/androguard/core/bytecodes/apk.py", line
1556, in get_android_resources
return
I just tried this today, and it fails to download. It tries to get version
12.0.4.
Package: v2ray
From https://lists.debian.org/debian-legal/2023/02/msg4.html
V2Fly project provides a geoip data file in https://github.com/v2fly/geoip. The
license is declared as CC-BY-SA-4.0 but it uses the data from GeoLite2, which is
licensed under an EULA
Turns out the provider has a custom initrd that does the /lib/modules mount. I
don't know how common this is for VPS providers. Could the "Probably this
system is using User Mode Linux." prompt check if /lib/modules is in /etc/fstab,
and if not, offer a different suggestion, e.g. something
Marco d'Itri:
On Apr 13, Hans-Christoph Steiner wrote:
Well, I'm a Debian user since 1998 and I know Debian, but I don't know Xen
or how that /lib/modules mount even got there. I suppose it could be solved
via documentation, but I don't know how to fix this, so I have a production
server
Marco d'Itri:
Control: severity -1 normal
On Apr 13, Hans-Christoph Steiner wrote:
I have some VPSes which are based on Xen, so the kernel comes from the host,
and the VPS has no kernel installed. /lib/modules is mounted but not via
/etc/fstab. When trying to upgrade from bullseye
Package: usrmerge
Version: 25
Severity: serious
I have some VPSes which are based on Xen, so the kernel comes from the host, and
the VPS has no kernel installed. /lib/modules is mounted but not via
/etc/fstab. When trying to upgrade from bullseye to bookworm, I get:
Preparing to unpack
Paul Gevers:
Hi,
On 20-03-2023 17:16, Hans-Christoph Steiner wrote:
I haven't really ever been able to troubleshoot it. I don't have access to a
s390x box. And:
~ $ ssh zelenka.debian.org
ssh: connect to host zelenka.debian.org port 22: Connection timed out
~ $
That's the only
/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+apktool (2.7.0+dfsg-6) unstable; urgency=medium
+
+ * only test APK build on arches with aapt that can do it
+
+ -- Hans-Christoph Steiner Tue, 21 Mar 2023 09:41:45 +0100
+
+apktool (2.7.0+dfsg-5) unstable; urgency=medium
+
+ * fix broken
/debian/changelog
@@ -1,3 +1,9 @@
+apktool (2.7.0+dfsg-5) unstable; urgency=medium
+
+ * fix broken symlink to commons-text.jar (Closes: #1033226)
+
+ -- Hans-Christoph Steiner Mon, 20 Mar 2023 14:00:20 +0100
+
apktool (2.7.0+dfsg-4) unstable; urgency=medium
* fix arch detection for Depends
Package: apktool
Version: 2.7.0+dfsg-4
Severity: important
$ apktool build org.sajeg.fallingblocks_3
I: Using Apktool 2.7.0-dirty
Exception in thread "main" java.lang.NoClassDefFoundError:
org/apache/commons/text/StringEscapeUtils
at
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Please unblock package: fdroidserver
It is blocked due to a autopkgtest failure only on s390x, this failure is not a
regression. Since bullseye, we have fixed the issues in fdroidserver
I've filed a bug upstream and am working through some debugging there:
https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/3086
Package: pipewire
Version: 0.3.67-1
Severity: important
Dear Maintainer,
On a Dell XPS 17 9720
(https://wiki.debian.org/InstallingDebianOn/Dell/XPS%2017%209720) I'm
running bookworm. I try to keep the install as plain and default as
possible. The audio output and input was working at the
Package: emacs-gtk
Version: 1:28.2+1-10
Severity: important
Dear Maintainer,
* What led up to the situation?
I've been editing Python in emacs for over a decade. I'm working on
fdroidserver right now, an old Python code base.
* What exactly did you do (or not do) that was effective
I'm having the same problem on bookworm, for me, I'm using the default eog
viewer. There is a new upstream version of libheif available (v1.15.1), there
is still time to upload that to bookworm. I'm a DD and I could do an NMU if
that is helpful
Package: python3-magic
Version: 2:0.4.26-3
Severity: normal
Dear Maintainer,
There is a new bugfix version available from upstream. It would be
nice to have that in bookworm, and there is still time before the hard
freeze if it is uploaded now. I can contribute there if that is
needed to make
Control: severity -1 wishlist
Upstream only uses and maintains the `fdroid build` command out of git. If
someone wants change that, they should contribute upstream.
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
Please remove the source package django-hvad and all its binary packages from
bookworm and sid.
There have been no new commits upstream in 6 years, and this no longer works
with the version of
Looks like doclava would need to be ported to use the API that replaces
com.sun.javadoc:
https://docs.oracle.com/en/java/javase/11/docs/api/jdk.javadoc/jdk/javadoc/doclet/package-summary.html#migration
If someone does the migration, I can take care of the packaging updates.
Roger, it is great to see your progress on android-platform-tools. Are you
thinking of trying to get it into bookworm? If so, let me know how I can help.
It would be really valuable to have there, but I don't know how much work it'll be.
Doclava, which does not work with Java newer than 11. Upstream still builds it
with java8. As in Android 13 still uses java8 in the build. Is there any hope?
Hey aliasarmor,
It would be great to have you as the package maintainer! I'm a Debian Developer
and can mentor you through the process. The first step is to get it building on
Debian unstable. Then get it building with only packages from Debian. Looks
like lamby started that process
Package: ruby-loofah
Version: 2.19.0-1
Severity: serious
control: affects -1 ruby-loofah/2.1.0
control: affects -1 ruby-loofah/2.7.0+dfsg-1
control: tags -1 fixed-upstream security help
An XSS issue has been discovered in Loofah:
It looks like it is not conflicting with pulseaudio. I tried these steps and
I'm still have only "Dummy Output". I have not restarted though
hans@delbin:~$ systemctl --user daemon-reload
hans@delbin:~$ systemctl --user --now disable pulseaudio.service
pulseaudio.socket
hans@delbin:~$
You can ping me on IRC (_hc) or matrix (@eighthave:matrix.org) if you want to
try it interactively. pulseaudio was not running as far as I could tell.
root@delbin:~# service pulseaudio-enable-autospawn status
○ pulseaudio-enable-autospawn.service
Loaded: masked (Reason: Unit
Package: pipewire
Version: 0.3.61-1
Severity: important
Dear Maintainer,
I'm running a plain, default install of bookworm that was upgraded
from bullseye. Audio output worked under bullseye, and at first under
bookworm. Then an upgrade broke the audio. Now, the only audio
device available
Package: pulseaudio
Version: 15.0+dfsg1-4+b1
Severity: important
Dear Maintainer,
I installed bullseye on a Asus Chromebook Flip C536E (delbin-xhvi),
then upgraded it to Debian/testing to get more things working. Almost
everything is working well in bookworm, there are just some audio
issues.
Control: fixed 1012451 31.0.2
That was exactly what I was asking, thanks for the testing. My guess is that
upstream has fixed this in newer releases. There is work underway to update
this package. Plus there is a newer version available in bullseye-backports:
31.0.2-1~bpo11+1: all
Thanks for mapping it out. Do you have any contact to upstream? If so, could
you request the new release? I can update the package.
Emmanuel Kasper:
Hi
I took some time to revisit this bug in regards to vagrant libvirt developments.
I see vagrant-libvirt upstream has merged in virtio-scsi
Aloïs and Dmitry have done some work towards packaging this:
https://salsa.debian.org/go-team/packages/go-ipfs
here's an upstream issue with more info:
https://github.com/containers/podman/issues/5443#issuecomment-599415883
I got the same thing. I installed dbus-user-session and rebooted, then this
error message went away and things worked.
and another: https://github.com/containers/podman/issues/5906
Thanks for the ongoing maintenance of buildbot! F-Droid is in the process of
moving to buildbot. We generally try to maintain all of our systems using
Debian packages, so we might be able to contribute to getting those JS deps in
Debian. Is there a quick way to find out the list of what's
> Nilson is already working on this package at
https://salsa.debian.org/nilsonfsilva/minisign.
> Is there a reason for creating that repo when you do not own the ITP? Do you
want to sponsor Nilson?
Sorry, I didn't mean to step on anyone's toes. I'd be very happy if Nilson
wants to be the
https://salsa.debian.org/debian/minisign
https://salsa.debian.org/python-team/packages/black/-/merge_requests/5
Thanks for the detailed bug report. Have you tried using the Google binaries?
Does this also happen there? IIRC upstream fixed some bugs related to
smartcards in recent releases.
Package: ftp.debian.org
Severity: normal
Please remove transifex-client source and binary packages from unstable and
testing. Upstream has sunsetted it and no longer supports it.
*
https://community.transifex.com/t/postponing-api-2-0-2-5-and-transifex-client-sunset-date/2759
*
There is also discussion about making the official Debian Docker images use
HTTPS:
https://github.com/debuerreotype/docker-debian-artifacts/issues/15
Another step towards this goal: the official Debian Vagrant images will default
to HTTPS:
https://salsa.debian.org/cloud-team/debian-vagrant-images/-/merge_requests/15
There are already many Debian mirrors that support HTTPS, not just CDNs. Here's
a script to find HTTPS mirrors
Package: general
Severity: wishlist
Since the beginning of F-Droid, we have required that official package repos and
mirrors use HTTPS. We have encouraged all of them to have HTTPS. I think
Debian should do the same. There are already very many Debian mirrors that do
support HTTPS,
Right, this is an ongoing, incomplete migration. Anything that is built in
android-platform-tools should be removed from android-platform-system-core or
any other android-platform-* packages. We welcome contributions there!
> - you add to your pull request a change of the virtualized disk
> controller from virtio-blk to virtio-scsi and to the default libvirt
> vagrantfile the "unmap" option so that deletion of blocks in the guest
> are propagated om host storage
I looked into this a bit more. These feature weren't
Emmanuel Kasper:
I did some testing around
https://salsa.debian.org/cloud-team/debian-vagrant-images/-/tree/1TBv2
(not merged in master yet) and I am still reluctant to merge the branch.
I am OK to bump the default disk size to something like 40GB but not to 1TB.
The problem with the disk
As discussed in #debian-ftp
It seems that based on the box's iptables, the blocking is coming from the
hoster (Brown University), not the machine itself. One potential solution is
moving the web pages off that box to a public webserver. That would also
improve the security profile of that
Package: ftp.debian.org
I've recently noticed that https://ftp-master.debian.org/ is not accessible over
tor. I get "The connection has timed out. The server at ftp-master.debian.org
is taking too long to respond." in the same browser where everything else is
responsive.
Curl says:
$
Package: wnpp
Severity: wishlist
* Package name: sdkmanager
Version : 0.4.1
Upstream Author : Hans-Christoph Steiner
* URL : https://gitlab.com/fdroid/sdkmanager
* License : AGPLv3
Programming Lang: Python
Package source :
https://salsa.debian.org/python
Great to hear that pipelining is already in use! I guess HTTPS plus pipelining
could mean that file size is no longer reliably readable for the network
observer. I've never profiles TLS and pipelining to know if there are still
visible signatures that would let the network observer find the
I fully support the idea that HTTPS should become the default for apt repos.
From what I gather, the open question is how best to handle auto-apt-proxy
configuration. There seems to be a number of reasonable proposals:
* Make auto-apt-proxy set "Acquire::https::Verify-Peer false;"
*
Package: apt
Version: 2.3.13
Severity: wishlist
apt should pad its TLS connections to obscure the size of the downloaded files
from network observers. Right now, an attacker could build an index of all
package sizes, then track the size of HTTPS streams to Debian mirrors, and from
that, be
synced dirs are difficult to manage when the use case is security-sensitive. In
F-Droid production, they are only used during box creation. Then production
builds do not use them. Also, some Android app builds are literally bigger than
20GB, and running the build in the synced folder
Android AAR files are closely related to APKs in how they are structured. They
are both ZIPs, JARs, and have some standard Android files. I have a repro case
for this bug with AARs. All the files should be available here:
https://share.mayfirst.org/s/nsEjNBE3EgfNYJe
The diffoscope HTML
I think at least one of the F-Droid contributors could find some time to
contribute to the Debian images if we have direction on what kind of solution
you'd accept here. Sounds like you've provided some ideas already.
Looks like VMDK is still not resizable, but it is possible to convert to
Package: cloud.debian.org
The Vagrant guidelines say:
"you should create a dynamically resizing drive with a large maximum size. This
causes the actual footprint of the drive to be small initially, but to
dynamically grow towards the max size as disk space is needed, providing the
most
I don't have one of the APKs still, but these should be close:
https://f-droid.org/repo/org.torproject.torservices_2001.apk
https://f-droid.org/repo/org.torproject.torservices_2002.apk
https://f-droid.org/repo/org.torproject.torservices_2003.apk
Package: diffoscope
Version: 172~bpo10+1
Severity: important
APKs (Android app files) often contain Linux ELF shared library files, e.g.
lib/arm64-v8a/libtor.so. These are only compared using a binary diff, but they
should use the shared library comparison. The output looks like:
├──
Package: xkb-data
Version: 2.29-2
Followup-For: Bug #855422
X-Debbugs-Cc: h...@eds.org
Dear Maintainer,
I just installed bullseye on Toshiba Chromebook 2 CB35. Basically everything
just worked, except that the media keys output F-key codes. All Chromebooks
only have media keys, there are no
Package: ftp.debian.org
Severity: normal
When doing some work surverying licenses in Debian, I found these errors:
404 Client Error: Not Found:
https://metadata.ftp-master.debian.org/changelogs/main/p/php-psr-log/php-psr-
log_1.0.0-2_copyright
403 Client Error: Forbidden:
Package: diffoscope
Version: 168~bpo10+1
Severity: important
Dear Maintainer,
I downloaded the job artifact files from two related GitLab CI jobs and
compared them:
https://gitlab.com/guardianproject/tor-android/-/jobs/1231242475/artifacts/download
@@ -1,3 +1,9 @@
+fdroidserver (2.0.1-1) unstable; urgency=medium
+
+ * New upstream version 2.0.1
+
+ -- Hans-Christoph Steiner Tue, 09 Mar 2021 18:26:20 +0100
+
fdroidserver (2.0-1) unstable; urgency=medium
* New upstream version 2.0
diff -Nru fdroidserver-2.0/examples/fdroid_fetchsrclibs.py
Package: fdroidserver
Version: 2.0-1
Severity: important
Control: forwarded -1 https://gitlab.com/fdroid/fdroidserver/-/issues/344
`fdroid update` is extracting and publishing the drawable XML file as
the app's icon. This file on its own cannot be displayed. Sometimes,
`fdroid update` chooses
Package: apksigner
Version: 30.0.3-3~bpo10+1
Severity: important
Dear Maintainer,
When running `apksigner lineage -h` or `apksigner rotate -h`, it just
immediately crashes with no output. Other help strings work.
-- System Information:
Debian Release: 10.8
APT prefers stable-updates
APT
Package: cowbuilder
Version: 0.88
Severity: normal
Tags: patch
Tags: patch
Dear Maintainer,
I've been using cowbuilder a long time. I recently noticed that I had
~20gigs of stuff in /var/cache/pbuilder/build:
.../pbuilder/build $ ls -ld cow.[02-9]*
drwxr-xr-x 23 root root 4096 Dez 29 17:06
Oh yeah, I guess so, if you think it'll be stable enough. I'm new to buildbot
actually, but I'm currently moving F-Droid over to it, and we try to use
everything out of Debian.
Package: buildbot
Hey Robin,
Thanks for your work maintaining builbot in Debian! Since the window is closing
fast on getting updates into bullseye, I wanted to ask you whether you can
upload the v2.10.2 release soon?
.hc
Great! Then it sounds like it should be included. It is a Python Team package
and the source code is on salsa, so feel free to go ahead and upload.
Do the tests pass with this patch?
This time in android-sdk-meta. The tests Depends: adb and android-tools-adb,
both of which are not in ppc64el:
https://salsa.debian.org/android-tools-team/android-sdk-meta/-/blob/master/debian/tests/control
Thorsten Glaser:
Hans-Christoph Steiner dixit:
Right now, we can only commit to supporting the arches that upstream supports
(amd64 and arm64), so I'm downgrading the severity.
It’d be the same if you’d install either of these, it’s *not*
an architecture-specific problem.
I could never
Control: severity -1 normal
Right now, we can only commit to supporting the arches that upstream supports
(amd64 and arm64), so I'm downgrading the severity.
I could never wrap my head around the Multi-Arch: stuff. I would accept a merge
request on salsa for this, if it passes in
can't reproduce
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: britney
android-platform-art as this in debian/tests/control:
https://salsa.debian.org/android-tools-team/android-platform-art/-/blob/master/debian/tests/control
Tests: dexdump-dexlist
Control: reopen -1
Control: reassign -1 aapt
Control: merge 977023 977912
This is due to aapt's linking error. The fdroidserver tests rely on aapt.
Control: fixed -1 1:10.0.0+r36-1
Control: fixed -1 1:10.0.0+r36-2
Control: fixed -1 1:10.0.0+r36-3
Control: fixed -1 1:10.0.0+r36-4
Control: tags -1 pending confirmed
This is also confirmed by CI:
https://salsa.debian.org/android-tools-team/android-platform-system-core/-/jobs/1310262
Testing a fix here:
https://salsa.debian.org/eighthave/android-platform-system-core/-/jobs/1314158
Control: tags -1 help confirmed
In Python 3.9, the plistlib was changed to no longer have the internal
data structure plistlib.Data, which biplist relied on. Here's a
potential fix:
https://github.com/unified-font-object/ufoNormalizer/pull/74/files
Package: ftp.debian.org
Severity: normal
Please remove nitrotool from sid. Right after I uploaded the initial
package to sid, upstream changed the name to hsmwiz, which is already
in testing.
Control: fixed -1 1.6.1-2
I can't reproduce this, perhaps it was fixed by the upgrade to Python
3.9. For example:
https://salsa.debian.org/python-team/packages/pyasn/-/pipelines/214872
Control: severity -1 normal
This is still a problem with many sources, and it is really difficult to
work around once the whole Files-Excluded stuff is setup. I think at
the very least, mk-origtargz should have an option to try Chirayu's
approach of using unpacking then rm.
Here's
1 - 100 of 737 matches
Mail list logo
